Summary
In August 2016 the exchange Bitfinex lost about 119,754 bitcoin (around $71 million then, billions later) in one of crypto's largest hacks. Bitfinex used a multi-signature custody setup with BitGo, meant so that no single compromised key could move funds, but the per-wallet withdrawal controls were not enforced as designed, and the attacker pushed through more than 2,000 fraudulent transfers out of customer hot wallets. The case became famous years later: in 2022 the US DOJ arrested Ilya Lichtenstein and Heather "Razzlekhan" Morgan for laundering the proceeds and seized 94,636 BTC (then about $3.6 billion), the largest financial seizure in its history, and Lichtenstein later admitted he was the original hacker. It is a lesson in custody design, server-side policy enforcement, and the long memory of the blockchain.
How it happened
On paper, Bitfinex had done the responsible thing. Rather than pool customer funds, it used a multisig arrangement with the custody firm BitGo: each customer's bitcoin sat in its own wallet that needed two of three keys to move, with Bitfinex holding two keys and BitGo the third. The intended safety net was that BitGo, as the independent third signer, would refuse to co-sign withdrawals that broke pre-set per-wallet limits.
That net was never wired up. To satisfy a US regulator's view on segregated customer funds (the CFTC had just fined Bitfinex $75,000 and pushed it toward per-customer wallets), Bitfinex is understood to have configured the setup so that BitGo would co-sign transactions without enforcing those withdrawal limits. So when the attacker compromised Bitfinex's own infrastructure and obtained its two private keys, they could submit transaction after transaction, and BitGo's system dutifully co-signed all of them. More than 2,000 unauthorised transfers drained customer hot wallets. The multisig that should have stopped it did nothing, because the policy it was supposed to enforce had been switched off where it mattered.
The damage
The stolen 119,754 BTC was worth about $71 million in 2016 and would be worth billions at later prices. Bitfinex made the unusual choice to spread the loss across all of its customers, imposing a roughly 36% haircut on every account and issuing IOU tokens that it later repaid in full, an approach that kept the exchange alive. The story's second act made it legendary: in 2022 the US Department of Justice arrested Ilya Lichtenstein and his wife, the rapper and influencer Heather "Razzlekhan" Morgan, for laundering the proceeds, and seized 94,636 of the stolen bitcoin, then about $3.6 billion and the largest financial seizure in DOJ history. The forensic break was not magic: investigators followed laundered funds to a Walmart gift card redeemed under Morgan's own name and decrypted a cloud file holding the wallet keys. Lichtenstein pleaded guilty in 2023 and admitted he was the original hacker; the couple were sentenced in 2024 (Lichtenstein to five years, Morgan to eighteen months), and by then the government's recovery tied to the hack had grown to about $10 billion as bitcoin appreciated.
Why Bitfinex still matters
Bitfinex is two lessons in one. The first is about custody: a multisig is only as strong as the policy enforced behind it. A scheme that auto-co-signs without checking limits is single-signature with extra steps and a false sense of safety. The durable controls are to keep the overwhelming majority of funds in cold storage, size hot wallets to operational need, enforce withdrawal limits and approvals on the server side where a client cannot bypass them, and segregate signing keys across people and systems. The second lesson is for attackers: a blockchain is pseudonymous, not anonymous. The stolen coins sat traceable on-chain for six years until forensic analysis and an off-chain identity slip unwound the laundering, producing the largest seizure ever. The same key-theft theme reached its grim peak in the Bybit hack nearly a decade later.
How to fix it
- Freeze withdrawals and rotate all signing keys and API credentials the moment anomalous transfers are detected.
- Enforce and re-test withdrawal limits, allowlists, and multi-party approval on the server side, not just in the client.
- Trace stolen funds on-chain and work with exchanges and law enforcement to flag and freeze them.
- Move remaining funds to fresh, hardware-backed cold storage under a rebuilt signing policy.
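The first fix above only works if the drain is noticed while it is still running. The following added example (not code from Bitfinex, BitGo or any of the sources listed on this page) slides a ten-minute window over a withdrawal stream and raises four alerts that together describe a key-theft sweep: transfer count, total outflow, number of distinct customer wallets touched, and the share of transfers going to destinations that have never been paid before. The log format, wallet and address names, amounts and thresholds are all constructed; a real deployment would tune them to the fleet's own baseline.

```python
"""Withdrawal-stream monitor for a custody hot-wallet fleet.

Added example, not code from Bitfinex, BitGo or this page's sources. It
flags the pattern described on this page: a burst of transfers that each
sweep a different customer wallet to a never-seen destination. The log
format, wallet names, amounts and thresholds are all constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Transfer:
    ts: int            # unix seconds
    wallet: str        # source customer wallet (constructed id)
    destination: str   # payout address (constructed id)
    amount_btc: float


@dataclass(frozen=True)
class Alert:
    ts: int
    reason: str
    value: float


def parse_line(line: str) -> Transfer:
    """Parse a constructed log line: '<ts> <wallet> -> <destination> <btc>'."""
    ts, wallet, _arrow, dest, amt = line.split()
    return Transfer(int(ts), wallet, dest, float(amt))


def monitor(transfers: Iterable[Transfer], known_destinations: Set[str],
            window_s: int = 600, max_tx: int = 20, max_btc: float = 50.0,
            max_wallets: int = 15, max_new_ratio: float = 0.5) -> List[Alert]:
    """Slide a time window over the stream and raise each alert type once.

    known_destinations holds payout addresses approved in the past (it is
    updated in place); a fresh destination on every transfer is the drain signature.
    """
    window = deque()           # (transfer, destination_was_new)
    alerts: List[Alert] = []
    fired: Set[str] = set()

    def fire(ts: int, reason: str, value: float) -> None:
        if reason not in fired:
            fired.add(reason)
            alerts.append(Alert(ts, reason, value))

    for t in sorted(transfers, key=lambda x: x.ts):
        is_new = t.destination not in known_destinations
        known_destinations.add(t.destination)
        window.append((t, is_new))
        while t.ts - window[0][0].ts >= window_s:   # drop transfers older than the window
            window.popleft()
        count = len(window)
        total = sum(x.amount_btc for x, _ in window)
        wallets = len({x.wallet for x, _ in window})
        new_ratio = sum(1 for _, n in window if n) / count
        if count > max_tx:
            fire(t.ts, "tx_count", count)
        if total > max_btc:
            fire(t.ts, "btc_volume", total)
        if wallets > max_wallets:
            fire(t.ts, "distinct_wallets", wallets)
        if count >= 10 and new_ratio > max_new_ratio:   # need a few samples before judging the ratio
            fire(t.ts, "new_destination_ratio", new_ratio)
    return alerts


BASE = 1_470_000_000                              # constructed epoch, early August 2016
PAYOUTS = {"payout-a", "payout-b", "payout-c"}    # constructed approved destinations
DRAIN_START = BASE + 30 * 1200 + 3600             # one hour after the last normal payout


def build_sample_log(drain: bool = True) -> List[str]:
    """Constructed log: a quiet day of customer payouts, then (optionally) a key-theft drain."""
    lines = [f"{BASE + 1200 * i} cust-{i % 10} -> payout-{'abc'[i % 3]} 0.5" for i in range(30)]
    if drain:
        # 60 transfers in five minutes, each sweeping a different wallet to a fresh address
        lines += [f"{DRAIN_START + 5 * k} cust-{k} -> fresh-{k} 1.0" for k in range(60)]
    return lines


def run(drain: bool = True) -> List[Alert]:
    """Parse the constructed log and return the alerts in firing order."""
    return monitor((parse_line(line) for line in build_sample_log(drain)), set(PAYOUTS))


if __name__ == "__main__":
    for alert in run():
        print(f"+{alert.ts - DRAIN_START:>4}s  {alert.reason:<22} {alert.value}")
```

Run stand-alone it prints the four alerts in firing order. The new-destination ratio fires first, after only ten transfers, which is why a destination allowlist is both a preventive control and the earliest detection signal; the volume threshold fires last, long after a freeze should already have been in place.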
How to avoid it
- Keep the overwhelming majority of funds in cold storage; size hot wallets to operational need only.
- Enforce multi-signature and withdrawal policy (limits, allowlists, velocity checks, approvals) on the backend, where the client cannot bypass it.
- Segregate signing keys across people and systems so no single compromise can authorize large transfers.
- Monitor for anomalous withdrawal patterns and require step-up approval for large or new destinations.
- Independently audit custody and authorization logic; a multisig that does not enforce its own limits is single-sig with extra steps.
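What "enforced on the backend" means in practice, as an added example rather than Bitfinex or BitGo code: the independent co-signer below evaluates each withdrawal against a per-wallet destination allowlist, an hourly velocity cap and a 24-hour limit before it adds its signature, so two stolen operator keys still cannot move more than the policy allows. With enforce=False it reproduces the failure described under "How it happened", co-signing everything it is handed. Wallet ids, destinations, limit values and the replayed request streams are constructed.

```python
"""Co-signer policy gate for a 2-of-3 multisig custody wallet.

Added example, not Bitfinex or BitGo code. It models the control this
page says was missing: the independent third signer must refuse to
co-sign a withdrawal that breaks the per-wallet policy, so two stolen
operator keys are not enough on their own. Limits, wallet ids,
destinations and the replayed request streams are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HOUR = 3600
DAY = 86400


@dataclass(frozen=True)
class Withdrawal:
    wallet: str        # per-customer wallet id (constructed)
    destination: str   # payout address (constructed)
    amount_btc: float
    ts: int            # unix seconds


@dataclass
class CosignerPolicy:
    enforce: bool                 # False reproduces the misconfiguration described on this page
    daily_limit_btc: float = 5.0  # per-wallet 24h cap (assumed value)
    max_tx_per_hour: int = 3      # per-wallet velocity cap (assumed value)
    allowlist: Dict[str, Set[str]] = field(default_factory=dict)   # wallet -> approved destinations
    spent: Dict[str, List[Tuple[int, float]]] = field(
        default_factory=lambda: defaultdict(list), repr=False)    # wallet -> [(ts, btc)] co-signed

    def decide(self, w: Withdrawal) -> Tuple[bool, str]:
        """Return (co_sign, reason). Co-signed spends accumulate against the limits."""
        history = self.spent[w.wallet]
        if not self.enforce:
            # Co-sign unconditionally: the two operator keys alone decide the outcome.
            history.append((w.ts, w.amount_btc))
            return True, "auto-cosigned (policy disabled)"
        if w.destination not in self.allowlist.get(w.wallet, set()):
            return False, "destination not on wallet allowlist"
        if sum(1 for t, _ in history if w.ts - t < HOUR) >= self.max_tx_per_hour:
            return False, "velocity limit exceeded"
        if sum(a for t, a in history if w.ts - t < DAY) + w.amount_btc > self.daily_limit_btc:
            return False, "daily limit exceeded"
        history.append((w.ts, w.amount_btc))
        return True, "co-signed"


def replay(policy: CosignerPolicy, requests: List[Withdrawal]) -> Dict[str, float]:
    """Run requests through the gate; return BTC co-signed plus refusal counts by reason."""
    out: Dict[str, float] = defaultdict(float)
    for w in requests:
        ok, why = policy.decide(w)
        if ok:
            out["btc_cosigned"] += w.amount_btc
        else:
            out[why] += 1
    return dict(out)


BASE_TS = 1_470_000_000  # constructed epoch, early August 2016


def drain_requests(n_wallets: int = 20, per_wallet: int = 10) -> List[Withdrawal]:
    """Constructed key-theft drain: every customer wallet swept to fresh destinations."""
    return [Withdrawal(f"cust-{i}", f"fresh-{i}-{j}", 1.0, BASE_TS + 60 * j)
            for i in range(n_wallets) for j in range(per_wallet)]


def legit_requests(n: int = 10) -> List[Withdrawal]:
    """Constructed customer payouts: 1 BTC to an approved address every 10 minutes."""
    return [Withdrawal("cust-0", "payout-a", 1.0, BASE_TS + 600 * j) for j in range(n)]


if __name__ == "__main__":
    print("policy disabled:", replay(CosignerPolicy(enforce=False), drain_requests()))
    print("policy enforced:", replay(CosignerPolicy(enforce=True), drain_requests()))
    customer = CosignerPolicy(enforce=True, allowlist={"cust-0": {"payout-a"}})
    print("legit payouts:  ", replay(customer, legit_requests()))
```

Replaying the same constructed 200-transfer drain through both configurations puts the lesson in two numbers: the disabled policy co-signs all 200 BTC, the enforced one co-signs nothing because every destination is fresh. The allowlisted customer stream shows the limits doing their own work: three payouts pass inside the first hour, the next three are held by the velocity cap, and the day stops at 5 BTC regardless of how many keys signed the request.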
References
- https://en.wikipedia.org/wiki/2016_Bitfinex_hack
- https://www.chainalysis.com/blog/bitfinex-hack-plea-july-2023/
- https://www.trmlabs.com/resources/blog/ilya-lichtenstein-sentenced-for-role-in-bitfinex-hack-in-razzlekhan-case-as-government-recovers-about-10-billion-in-stolen-funds
- https://time.com/6146749/cryptocurrency-laundering-bitfinex-hack/
Related vulnerabilities
- CRITICALWEB3-PHEMEX-2025
On January 23, 2025, exchange Phemex lost about $85M (early estimates started near $29M before rising) after attackers drained hot wallets across roughly 11-16 blockchains in a synchronized series of more than 125 transactions consistent with a compromised set of hot-wallet private keys; Phemex said the affected signing devices were identified and isolated, pointing to compromised signing infrastructure rather than an on-chain contract flaw. The attacker prioritized high-value tokens and swapped freezable assets into non-freezable ones before any freezes could land. Cold wallets stayed secure and Phemex covered the losses, resuming operations within days under Fireblocks MPC custody with keys split across distributed nodes. Flow-of-funds tracing (Merkle Science) and on-chain analysts (ZachXBT, Arkham), later supported by the FBI, attributed the theft to North Korea's Lazarus Group: on February 22, 2025 the attackers consolidated proceeds from the subsequent Bybit hack into the existing Phemex hacker address, retroactively linking the two incidents on-chain. Stolen funds were laundered via Tornado Cash and not recovered.
- CRITICALWEB3-PLAYDAPP-2024
Between February 9 and 12, 2024, the South Korean crypto gaming and NFT platform PlayDapp was exploited twice for about $290M after a privileged-key compromise. Around January 16, 2024 the attacker spear-phished the PLA token deployer with a domain-spoofed email whose attachment installed a remote-access tool, giving control of the deployer's machine and its private key. PLA used a custom MinterRole/Ownable mint-permission pattern, so the attacker called addMinter(address) (method ID 0x983b2d56) on the PLA contract (0x3a4f40631a4f906c2BaD353Ed06De7A5D3fCb430) to register their own address as a minter, then minted over 200 million PLA (~$36.5M) on February 9 and a further 1.59 billion PLA (~$253.9M) on February 12. PlayDapp's $1M return offer was ignored; PLA trading was suspended and exchanges worked to freeze funds, with most of the inflated supply effectively unsellable due to thin liquidity.
- CRITICALWEB3-ORBITCHAIN-2024
On December 31, 2023 (reported January 1, 2024), the Orbit Chain cross-chain bridge lost about $81.5 million when the attacker gained signing control over a majority of validators (analysts cite 7 of 10) and authorized withdrawals from the Ethereum-side vault, draining roughly 30M USDT, 10M USDC, 10M DAI, about 9,500 ETH and 231 WBTC across five transactions to fresh wallets, plus a further transaction disabling the bridge. The root cause was validator private-key/credential compromise enabling improper authorization, not a smart-contract logic flaw; the attack wallet was funded via Tornado Cash. A later statement from developer Ozys alleged that a departing security lead had arbitrarily weakened the firewall policy in November 2023 before leaving without handover, which Ozys treats as the leading access hypothesis, though the causal link remains unproven. The methodical transaction pattern led analysts and South Korean authorities to suspect North Korea's Lazarus Group, but attribution was not formally confirmed. Funds were later laundered via Tornado Cash and not recovered.
- CRITICALWEB3-POLONIEX-2023
On November 10, 2023, the Justin Sun-linked exchange Poloniex lost roughly $120 million (estimates ranged $114 to $126 million) after attackers compromised a hot-wallet private key and swept tokens to attacker-controlled wallets. The drain hit a hot wallet labeled 'Poloniex 4,' with automated bots executing hundreds of unauthorized transactions that emptied multiple assets in just over an hour, a pattern indicating the signing key itself was in attacker hands rather than any contract bug. The exact intrusion path was not disclosed, but single-key-controlled hot wallets with inadequate signing thresholds let one compromised key authorize the mass outflow. Analysts including Elliptic attributed the theft to North Korea's Lazarus Group based on the attack methodology and a laundering signature of splitting token types across addresses before consolidating, and Justin Sun publicly linked the perpetrators to Lazarus. Poloniex offered a white-hat bounty for the funds' return; the attacker began moving funds (including ETH to Tornado Cash) and the bulk was not recovered, though Sun said losses would be reimbursed.
- CRITICALWEB3-MIXIN-NETWORK-2023
On September 23, 2023, Mixin Network lost about $200M (roughly $95M ETH, $24M BTC and $24M USDT among other assets) after attackers breached the database of the network's third-party cloud service provider, which held Mixin's deposit-address and hot-wallet private keys in a recoverable manner. With the database compromised, the attacker reconstructed the private keys and signed outbound transactions directly, sweeping over 11,400 deposit wallets from highest to lowest balance across more than 10,000 transactions; stolen USDT was swapped to roughly 23.5M DAI to break traceability. The weak link was the upstream cloud database acting as a single point of failure with recoverable keys, rather than a smart-contract bug or a direct private-key theft from Mixin itself (the provider is widely inferred to be Google Cloud but was never officially confirmed). Mixin engaged Google and SlowMist to investigate, suspended deposits and withdrawals, offered a $20M bounty, and announced a plan to reimburse 50% of affected user assets with the remainder issued as debt/bond tokens. The bulk of the funds was laundered and not recovered.
- CRITICALWEB3-COINEX-2023
On September 12, 2023, exchange CoinEx lost an estimated $54 to $70 million after attackers compromised its hot-wallet private keys, exploiting lax single-key hot-wallet security. CoinEx's own assessment preliminarily identified leakage of the hot-wallet private key as the cause; wallets controlled by a single key are especially exposed to phishing and malware, the favored access vectors of the attributed actor, and once the key leaked the attacker swept assets directly. The theft was attributed to North Korea's Lazarus Group: one of the CoinEx attacker addresses was reused from the Stake.com hack (FBI-confirmed Lazarus) and funds were bridged via infrastructure previously used by Lazarus, with the linkage confirmed by Elliptic, CertiK, SlowMist, ZachXBT and overlapping addresses tying CoinEx, Stake.com and Alphapo together. CoinEx absorbed the loss and fully reimbursed affected users without diluting its CET token, restoring full operations over the following months.