- To withdraw bitcoins from an address, two of the address’s three keys were needed.
- Only the two firms involved were aware of this private interface.
New York-based couple Lichtenstein and his wife, Heather Morgan, have been charged with money laundering. The DOJ claims that they were attempting to cash out the proceeds of the 2016 Bitfinex hack.
The crypto community was hit hard by this breach. More than 120,000 Bitcoins were taken from the accounts of unsuspecting users. Bitfinex imposed a 36 percent haircut on all of its clients, regardless of whether or not they were affected by the hacking incident. Tether, Bitfinex’s stablecoin, ultimately made up for it in mid-2017. Even though they had no banks, Tether’s issuance began to skyrocket at this time. When the 2017 crypto boom popped, this was the trigger. But Lichtenstein and Morgan were not charged with hacking.
There is little doubt that Lichtenstein and Morgan are typical crypto individuals who believe they are entrepreneurial gurus. The Bitfinex hack, on the other hand, screams technical computer-science genius rather than social engineering in search of insider knowledge.
A Flaw in the API
When Bitfinex first launched in 2016, users’ bitcoins were kept segregated in their own multi-signature blockchain addresses. To withdraw bitcoins from an address, two of the address’s three keys were needed. Bitfinex had one, BitGo had one, and the customer had one.
Bitfinex was able to leverage an API provided by BitGo. Only the two firms involved were aware of this private interface. Bitfinex would use the secret API to send transactions to BitGo. BitGo would validate each transaction against its rules for that address and, if it passed, sign it.
As a result of a flaw in the API, one could set global limits, which applied to all client addresses, without the change being flagged for human inspection. Somehow the hacker gained access to an account on Bitfinex’s infrastructure that could change the global limit, set the limit exceedingly high, and emptied all 2000 client addresses into a single address.
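The control that was missing can be shown on a toy model. The following is an added example, not code from Bitfinex or BitGo: a hypothetical co-signing service whose `require_review` switch decides whether a raise of the global limit is applied immediately (the flaw described above) or parked until a second person approves it. All class names, function names, account names and balances are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class CoSigner:
    """Toy co-signing service holding one of the three keys for every address."""
    require_review: bool                 # False = flawed behaviour, True = hardened
    global_limit: float = 10.0           # BTC per withdrawal (constructed value)
    pending: list = field(default_factory=list)  # limit raises awaiting a human
    audit: list = field(default_factory=list)    # every change request is logged

    def set_global_limit(self, caller: str, new_limit: float) -> str:
        """Request a new limit that applies to all client addresses at once."""
        self.audit.append((caller, "request", new_limit))
        if self.require_review and new_limit > self.global_limit:
            self.pending.append((caller, new_limit))  # parked, not applied
            return "queued_for_review"
        self.global_limit = new_limit    # lowering a limit needs no review
        return "applied"

    def approve(self, reviewer: str) -> None:
        """A second person applies the oldest pending raise."""
        caller, new_limit = self.pending[0]
        if reviewer == caller:
            raise PermissionError("requester cannot approve their own change")
        self.pending.pop(0)
        self.global_limit = new_limit
        self.audit.append((reviewer, "approve", new_limit))

    def cosign(self, amount: float) -> bool:
        """Add the second signature only if the withdrawal is within policy."""
        return amount <= self.global_limit


def cosigned_after_limit_request(signer, caller, new_limit, balances):
    """Request a limit change, then count full-balance withdrawals co-signed."""
    signer.set_global_limit(caller, new_limit)
    return sum(signer.cosign(balance) for balance in balances.values())


# Constructed sample data: three client addresses and their balances in BTC.
BALANCES = {"addr-A": 55.0, "addr-B": 120.0, "addr-C": 8.0}

if __name__ == "__main__":
    for mode in (False, True):
        n = cosigned_after_limit_request(CoSigner(mode), "api-account", 1e6, BALANCES)
        print(f"require_review={mode}: {n} of {len(BALANCES)} withdrawals co-signed")
```

With review enforced, only the withdrawal that already fits the existing limit is co-signed, and the raise request stays in the pending queue and audit log where an operator can see it.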