Bitfinex — 119,756 BTC theft
Attackers exploited Bitfinex's BitGo multi-signature integration to steal 119,756 BTC worth $72M — later recovered by US authorities in 2022 as the largest crypto seizure in history.
- Target: Bitfinex — 119,756 BTC theft
- Date public: 2 August 2016
- Sector: Crypto
- Attack type: Wallet Compromise
- Threat actor: Ilya Lichtenstein and Heather Morgan (US DOJ)
- Severity: Critical
- Region: Global
In August 2016 hackers stole the equivalent of roughly $72 million in Bitcoin from Bitfinex, one of the world's largest crypto exchanges. The theft exploited a flaw in how Bitfinex had set up its wallet security system — the exchange was supposed to require multiple approvals before any large withdrawal, but the attacker found a way to bypass those checks and authorise nearly 2,000 individual transactions in quick succession. Bitfinex spread the pain across all customers, cutting every account by 36% and issuing IOUs it later repaid. The Bitcoin itself sat untouched in the attacker's wallets for years, growing in value as the price of Bitcoin rose. Then in 2022 US federal agents arrested a married couple in New York — Ilya Lichtenstein and Heather Morgan — after tracing the funds through a maze of wallets and blockchain hops. The agents recovered $3.6 billion of the original haul. Lichtenstein pleaded guilty to the theft itself; his wife pleaded guilty to money-laundering. Both were sentenced in 2024. The case became the largest financial seizure in the history of the US Department of Justice.
What happened
On 2 August 2016 Bitfinex, a Hong Kong-based cryptocurrency exchange that was at the time one of the world’s largest by trading volume, disclosed that attackers had made 1,946 unauthorised transactions from customer wallets, removing 119,756 BTC — approximately $72 million at the time of theft. Every transaction drew from segregated multi-signature wallets that Bitfinex operated in partnership with custody provider BitGo, with each wallet nominally requiring multiple signing keys to authorise any withdrawal.
Bitfinex disclosed the breach publicly on the day of discovery and halted all trading and withdrawals. Unable to cover the loss from its own reserves, the exchange applied a universal 36% “haircut” to every customer account regardless of whether that account had been directly affected. In exchange, customers received a newly minted “BFX” token representing their claim on the missing value. Over the following year Bitfinex bought back BFX tokens using exchange revenue, redeeming them at par by April 2017.
For six years the stolen Bitcoin sat in addresses controlled by the attacker, barely touched. Its dollar value, a function of Bitcoin’s price trajectory, ballooned from $72 million at the time of theft to roughly $4.5 billion at the late 2021 peak. In February 2022 the US Department of Justice arrested Ilya Lichtenstein, 34, and his wife Heather Morgan, 31, in Manhattan. Federal agents seized approximately 94,000 BTC — then worth $3.6 billion — in what the DOJ described as the largest financial seizure in its history. In August 2023 both defendants pleaded guilty. Lichtenstein was sentenced to five years in prison in May 2024 for the underlying hack; Morgan received 18 months for money-laundering conspiracy.
How it worked
Bitfinex had adopted a novel wallet architecture at the time. Rather than holding funds in exchange-controlled cold storage, it had outsourced custody to a model built around BitGo’s multi-signature API. In the intended design, any withdrawal above a threshold required sign-off from both Bitfinex-held keys and BitGo’s independent signing service — meaning no single party could move funds unilaterally. It was a genuinely security-forward model for 2016.
The attack broke that model at the Bitfinex side of the integration. The attacker obtained access to Bitfinex’s internal systems — the specific intrusion vector was never publicly confirmed — and manipulated the withdrawal-authorisation flow to bypass BitGo’s co-signing requirement for individual transactions. By submitting each transaction below the threshold that would trigger enhanced review, and by batching them across a large number of customer wallet addresses, the attacker was able to drain the wallets through nearly two thousand separate, individually small-looking transfers that aggregated to 119,756 BTC.
BitGo’s own systems were not compromised; the failure was in how Bitfinex’s integration was configured and how authorisation decisions were implemented on the Bitfinex side. The exact mechanism — whether through administrator credential theft, API key abuse, or another access vector — was not disclosed by Bitfinex, and no technical post-mortem was ever published.
The laundering operation that followed was sophisticated for its era. Lichtenstein used a combination of darknet market deposits, chain-hopping across Bitcoin and other cryptocurrencies, privacy-coin conversion, and multiple layers of intermediate addresses to obscure the trail. However, the blockchain’s permanent and public record of every transaction ultimately defeated the strategy: blockchain forensics firms, particularly Chainalysis, were able to reconstruct the laundering path and connect the funds to Lichtenstein’s own accounts years later. The specific break came when federal agents identified that some of the stolen BTC had been moved to an exchange account that Lichtenstein had accessed using identifiable credentials.
Timeline
- 2 August 2016 — 1,946 unauthorised transactions drain 119,756 BTC from Bitfinex customer wallets. Bitfinex halts trading.
- 3–4 August 2016 — Bitfinex announces the 36% universal haircut and the BFX token mechanism.
- April 2017 — Bitfinex completes the buyback of all BFX tokens at par; customers made whole on paper.
- 2021 — Stolen BTC value peaks at approximately $4.5 billion as Bitcoin approaches $68,000.
- 7 February 2022 — DOJ arrests Ilya Lichtenstein and Heather Morgan in New York. Agents simultaneously seize approximately 94,000 BTC ($3.6 billion), the largest US government financial seizure on record.
- August 2023 — Both defendants plead guilty. Lichtenstein admits to the hack itself; Morgan admits to money-laundering conspiracy.
- May 2024 — Lichtenstein sentenced to five years; Morgan sentenced to 18 months.
- 2024 onwards — Recovered funds subject to Bitfinex creditor repayment process.
What defenders should learn
The Bitfinex architecture was ahead of its time in one respect — outsourcing custody to a multi-signature scheme was a more sophisticated model than the pure exchange-held hot wallet that had been the industry norm through the Mt. Gox era. The failure was not in choosing multi-signature; it was in implementing it in a way that allowed the operator to unilaterally bypass co-signing. An authorisation system is only as strong as its least-controllable bypass path. If any single party can route around a multi-party approval requirement by manipulating the integration layer, the multi-party protection is illusory.
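The gap between a per-transaction threshold and a control the requesting side cannot route around can be shown with a small policy model. This is an added example, not Bitfinex's or BitGo's code: the class names, the limits and the evenly sized one-per-second burst are assumptions, and only the 1,946 transaction count and the 119,756 BTC total come from this page.

```python
from collections import deque

SAT = 100_000_000  # satoshis per BTC; integer amounts avoid float drift

class PerTxPolicy:
    """Weak: co-signs any withdrawal at or under a per-transaction limit."""
    def __init__(self, per_tx_limit):
        self.per_tx_limit = per_tx_limit

    def approve(self, ts, wallet, amount):
        return amount <= self.per_tx_limit

class AggregatePolicy(PerTxPolicy):
    """Hardened: adds a rolling-window cap on total outflow across ALL
    wallets, with state kept by the co-signer rather than the requester."""
    def __init__(self, per_tx_limit, window_s, window_cap):
        super().__init__(per_tx_limit)
        self.window_s, self.window_cap = window_s, window_cap
        self.recent = deque()  # (ts, amount) of approved withdrawals
        self.outflow = 0

    def approve(self, ts, wallet, amount):
        # Drop approvals that have aged out of the window.
        while self.recent and self.recent[0][0] <= ts - self.window_s:
            self.outflow -= self.recent.popleft()[1]
        if amount > self.per_tx_limit or self.outflow + amount > self.window_cap:
            return False
        self.recent.append((ts, amount))
        self.outflow += amount
        return True

def sample_burst(n=1946, total=119_756 * SAT):
    """Constructed input: n near-equal transfers, one per second, each from
    a different wallet. Only the count and total come from the page."""
    each, rem = divmod(total, n)
    return [(i, f"wallet-{i}", each + (rem if i == 0 else 0)) for i in range(n)]

def run(policy, withdrawals):
    """Return (number approved, satoshis approved)."""
    ok = [amt for ts, wallet, amt in withdrawals if policy.approve(ts, wallet, amt)]
    return len(ok), sum(ok)

if __name__ == "__main__":
    burst = sample_burst()
    # Limits below are hypothetical, chosen only to illustrate the gap.
    print("per-tx only:", run(PerTxPolicy(100 * SAT), burst))
    print("aggregate  :", run(AggregatePolicy(100 * SAT, 3600, 500 * SAT), burst))
```

With these assumed limits the per-transaction check approves the entire burst, while the aggregate cap stops co-signing after a handful of transfers because the running total is tracked across wallets by the co-signer itself.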
The universal-haircut socialisation model is worth examining separately. Bitfinex’s decision to spread the loss across all customers, rather than ring-fencing it to the directly affected wallets, was controversial but preserved the exchange as a going concern. The BFX token redemption — completed ahead of schedule — is cited as a model for exchange-level loss recovery. The lesson for exchange operators is less about the ethics of loss socialisation and more about having a pre-planned response framework for a major theft: Bitfinex’s ability to implement the BFX scheme quickly, and to communicate it clearly, materially reduced the panic that might otherwise have destroyed the exchange entirely.
The laundering investigation provides a more recent lesson. Lichtenstein and Morgan are widely regarded as sophisticated and well-resourced operators. They used darknet markets, chain-hopping, and privacy coins. They waited years before making significant moves. None of it was enough. The Bitcoin blockchain’s permanent ledger, combined with the improving forensic capability of blockchain analytics firms, meant that every hop in the laundering chain was eventually traceable. For threat actors who steal cryptocurrency at scale, the message is clear: time does not clean blockchain evidence. The longer the stolen funds sit, the more forensic tooling improves around them.
For regulators and exchanges, the case confirmed that blockchain analytics-based law enforcement is operationally effective at multi-year timescales. The question for defenders is not whether tracing is possible — the Bitfinex case proved it is — but whether exchanges hold sufficient forensic detail about their own transaction authorisation systems to support an investigation that may begin years after the theft.
Sources
- U.S. v. Lichtenstein and Morgan — DOJ press release (February 2022) // primary
- DOJ — Lichtenstein sentenced for Bitfinex hack (May 2024) // primary
- Bitfinex post-incident statement and BFX token announcement // primary
- Chainalysis — How the US government traced the Bitfinex hack // analysis
- Wired — The untold story of the $4.5 billion Bitcoin bust // reporting