4 Unanswered Questions About the Bitfinex Hack

Even after high-profile arrests, we don't have the full story behind the $4.6 billion crypto heist.

AccessTimeIconFeb 9, 2022 at 7:56 p.m. UTC
Updated May 11, 2023 at 3:36 p.m. UTC
AccessTimeIconFeb 9, 2022 at 7:56 p.m. UTCUpdated May 11, 2023 at 3:36 p.m. UTCLayer 2
AccessTimeIconFeb 9, 2022 at 7:56 p.m. UTCUpdated May 11, 2023 at 3:36 p.m. UTCLayer 2

Yesterday we got stunning news of the arrest of a New York couple, Ilya “Dutch” Lichtenstein and Heather R. Morgan, for their alleged role in attempting to launder bitcoin now worth a staggering $4.6 billion. That bitcoin was stolen from the global exchange Bitfinex in August 2016, and in the half-decade since then, there has been little additional insight into the attack.

That long silence (along with what we’ll call some more lyrical factors) drove intense fascination with yesterday’s news. But as much as we learned, there’s still a great deal we don’t know, including dangling questions that could lead down a much deeper rabbit hole. Some of the most important unknowns involve the hack itself, the business fallout of the hack and the alleged launderers’ own puzzling behavior during the period they’re accused of trying to wash the stolen BTC.

This article is excerpted from The Node, CoinDesk's daily roundup of the most pivotal stories in blockchain and crypto news. You can subscribe to get the full newsletter here.

As you might expect, grappling with unanswered questions involves some speculation. I’ve done my best to highlight where that speculation appears, but we’re off the map here in general, so take what follows largely as a series of hypotheticals and thought experiments.

How did the initial hack happen?

A crucial but easily overlooked element of yesterday’s charges is that they don't allege that Lichtenstein and Morgan were responsible for the initial hack of Bitfinex. The charges don’t offer any specific theory about how they came into possession of the private keys controlling the coins. One possibility is that the couple purchased the BTC from the initial hacker(s) at a discount. Another is that they were merely acting as agents for the hacker(s), though that’s less likely given their direct control of the keys.

There is, however, some circumstantial reason to believe that the couple could have been involved in the hack itself and the Department of Justice just didn’t have quite enough evidence to charge them with more than money laundering.

The most intriguing (though again entirely circumstantial) evidence is that Morgan appears to have been outright obsessed with “social engineering,” a type of hacking that focuses on compromising people instead of code. In one lengthy presentation given at the event series NYC Salon, she described methods of deception and intimidation that she had used in real-world exercises to influence individuals and gain access to spaces and organizations.

That is particularly intriguing given the nature of the original hack, which involved compromising multisignature protections that went through security provider BitGo. In CoinDesk’s reporting at the time, Michael McSweeney wrote that “in order to withdraw such a large amount of funds, BitGo would likely have had to sign off on those transactions,” because of a multisignature security layer implemented for Bitfinex users. That raises the possibility that social engineering was involved in the hack.

It has been noted that Morgan interviewed Matt Parrella, a former chief compliance officer at BitGo, for a 2020 Forbes column titled, amazingly, “Experts share tips on how to protect your business from cybercriminals.” That’s a serious eyebrow-raiser, but it may not mean much given that Parrella was only briefly employed at BitGo in 2019 and 2020.

Why would crypto-literate criminals store private keys in the cloud?

One of the really bizarre things revealed in yesterday’s charging documents is that authorities claim they were able to seize the stolen BTC after accessing private keys that Lichtenstein/Morgan had stored in a cloud service. Keeping private keys offline at all times is one of the most fundamental security tenets of crypto management, and it’s implausible that someone undertaking to launder crypto on such a huge scale wouldn’t be well aware of that.

There are a few non-conspiratorial ways to understand the keys being stored online. Most importantly, the keys were themselves encrypted, which you can at least imagine someone rationalizing as secure.

Crypto researcher Eric Wall further suggested that despite claims in the charging documents, the keys may not have been decrypted by law enforcement. Instead, the keys may have been handed over by the culprits when confronted. That could also explain why a large portion of the stolen coins was moved on Feb. 1. Perhaps the accused launderers were demonstrating that the keys worked before handing their booty over to the feds.

It’s also worth remembering that the BTC in question was worth about $70 million at the time of the hack. It ballooned to multiple billions over the course of five years, possibly outpacing the culprits’ ability to upgrade their security practices.

Why were these secret billionaires so extremely online?

Unfortunately, we have to talk about Razzlekhan, Morgan’s strange and cringey rap persona. Morgan flooded TikTok and YouTube with weird influence-bait, including a lot of rapping, while also writing business and tech content for Forbes’ perennially sketchy contributor network. Lichtenstein published at least one Medium post about crypto and posted about crypto on Twitter. This content – some of which was set to private after the arrests – is just one thread of an extensive web presence by Morgan and, to a much lesser extent, Lichtenstein.

The question is simply – why? Most of that activity took place after the pair were in control of a bitcoin fortune. Why would you be clout-chasing online if you had that much money? (Morgan was likely making less than $100 for each Forbes contribution.)

In the end, we can only speculate. But the answer likely involves very personal impulses, particularly the desire for recognition and respect. It seems clear Morgan and Lichtenstein wanted to be seen as serious (if creative and weird) businesspeople.

For instance, the two represented themselves as partners at Demandpath, a putative investment fund focused on “distributed systems, cloud platforms and data-driven AI (artificial intelligence).” I haven’t yet unearthed information about their investments, and so the whole thing may have been a bit of a LARP – as “angel investing” often is in crypto. Morgan also represented herself as CEO of an email marketing company called Salesfolk.

What’s most incredible is that Morgan didn’t stop posting even when the walls were closing in. In court on Tuesday, the defense counsel reportedly said the defendants had known they were under investigation since November. But on Feb. 2, just one week before her arrest, Morgan posted about a business-to-business sales article she was working on for the magazine Inc. Perhaps knowledge of the investigation nudged Morgan to double down on a business that could actually make money, because monitoring rendered their BTC exceedingly dangerous to move.

It is worth noting that Morgan’s online presence appears to be distorting perceptions of the case. Her rapping and interest in social engineering make her an intriguing suspect. But in a pretrial hearing yesterday, a New York judge set bail for Ilya Lichtenstein at $5 million, but bail for Morgan at only $3 million, which may suggest the court believes Lichtenstein bears more responsibility and faces tougher consequences than Morgan does.

How does this connect back to Bitfinex?

The original Bitfinex hack occurred in early August 2016. Here’s CoinDesk’s contemporaneous report on the events. The hack, and especially Bitfinex’s efforts to recover from it, have spawned a raft of conspiracy theories and speculation often involving suspicions of possible malfeasance by Bitfinex and its associates.

After the hack, Bitfinex made a radical move, imposing the losses on its users in the form of a roughly 36% “haircut” on balances. Those who got the haircut were in return given “Recovery Rights Tokens” with the ticker BFX. These tokens were fully repaid and redeemed by April 4, 2017. The official narrative was that Bitfinex increased trading volume at the time and quickly earned back the money it had lost in the hack.

See also: A Bridge Called Tether | Opinion

But the BFX token was denominated and paid back in USD, not BTC. Bitcoin roughly doubled in price between the hack and the repayment, and so all things being equal, Bitfinex users lost money even after their BFX tokens were redeemed.

But that’s not all: As commentators pointed out at the time, the BFX token helped reduce Bitfinex’s liabilities even further. Some holders, lacking confidence in Bitfinex’s ability to repay, dumped the token on the market for as little as 49 cents on the dollar – and the exchange acknowledged buying back tokens at market value, meaning it got an even further discount against the liability of the stolen BTC.

That, combined with the fact that the hack involved compromising multisignature security, has spawned considerable speculation that the hack may have been an “inside job.” Watchdogs like Bitfinex’d have speculated that the hack was connected to the later discovery of shortfalls at Bitfinex sister operation Tether, and that the haircut and BFX token may have helped paper over other problems at the exchange. I have yet to see any airtight evidence of this, but Morgan and Lichtenstein’s trial might offer new revelations about those strange maneuvers.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

David Z. Morris

David Z. Morris was CoinDesk's Chief Insights Columnist. He holds Bitcoin, Ethereum, and small amounts of other crypto assets.