As Israel arrests hackers with military training over the Bitfinex hack, CT talks with cybersecurity experts about the infamous cyber attack.
One of the most prominent crypto cybercrimes in recent years took a dramatic turn on June 23, when two Israeli brothers were arrested in connection with the 2016 Bitfinex hack and other crypto-related phishing attacks.
Just shy of 120,000 Bitcoin (BTC) were stolen in the attack back in 2016, an amount initially worth $72 million, though after Bitcoin’s meteoric rise in the summer of 2019, the value of the stolen funds now amount to around $1.4 billion. Speaking to Finance Magnates, an Israeli police spokesperson said that Eli and Assaf Gigi bagged tens of millions of dollars from their activities. The product of a police raid, the arrests also located a cryptocurrency wallet containing a much smaller sum than the pair are alleged to have stolen.
According to the spokesperson, the duo lured in their victims by creating clone versions of major online crypto exchanges and wallet providers and shared links to them through both Telegram groups and other cryptocurrency-related communities. The Gigi brothers also stand accused of the Bitfinex hack, which also involved identity theft and compromising of several users’ accounts.
The arrests mark the second time the Bitfinex hack has been brought back into the open in the past few weeks. On June 7, Cointelegraph reported that $1.5 million of the funds stolen in the hack had been moved from the hackers’ personal wallets to an unknown address. Anneka Dew confirmed that the transfers were not related to any current company operations, The Next Web reports. The shifting of the funds was brought to light by crypto transaction tracker Wale-alert.io, which posted:
One of the most headline-grabbing aspects of the arrest was the announcement that Eli Gigi, the elder of the two brothers, had received specialist training from an elite technological unit of the Israel Defence Forces (IDF). While it is all too easy to cast a sinister shadow over the hack, cybersecurity experts believe that such attacks can be carried out with a far more rudimentary level of education and some self-taught skills. Hartej Sawhney, co-founder of Zokyo Labs, a digital product and cybersecurity agency and co-founder of Las Vegas-based smart contract auditing firm Hosho, told Cointelegraph via email that military training would not be necessary for cybercrime in the current environment:
“You don't need ‘military training’ to conduct cybercrime on today’s centralized exchanges. Most recently we have seen hackers gain access to databases holding users’ access tokens and steal their funds. Even as AT&T is being sued for $240 million dollars by Michael Terpin, we continue to see a very large number of sim jackings via social engineering methods. From sim-swapping, phishing, key-logger attacks, crypto jacking, there's an array of low hanging fruit for hackers currently to go after.”
Igor Kotsiuba, a researcher and cybersecurity expert at Cyberdesk, told Cointelegraph that certain hacks could theoretically be carried out with information obtained in school:
“The most prevalent attacks in the crypto world today are DDoS and phishing. Capabilities for man-in-the-middle or DDoS can be obtained in school, after classes with friends, so elite military school is more than enough for that.”
Sawhney also commented on techniques popular among hackers at the moment, many of which are also about stealing user data:
“‘Clipboard hijackers’ are becoming common on wallets and exchanges, operating in the clipboard and replacing copied wallet data with one of the hackers in the midst of transferring Bitcoin. Hackers are still leveraging Slack bots in which they try to convince users to click a notification and type their private key.”
Although hacks are common in the crypto world, their activities naturally bring on repercussions from law authorities. According to Kotsiuba, although it is an uphill battle, a number of taskforces and transnational organizations exist and are continually improving their ability to crack down on cybercrime around the world:
“Europol and another transnational LE Agencies and unions, and their dedicated cyber tasks forces today have enough tools and instruments to track and do rigorous investigations and keep all the indicators forensic ready. Basically, they can’t track all the movement’s even within special fraud technics and wait for the moment when crypto to meet real assets world. It is usually slow and takes some time, also it involves different jurisdictions. Behind the eastern borders of EU we have less cooperative law enforcement thus more attractive territories for crypto criminals, but they are becoming fully integrated in EU law enforcement landscape (i.e. Ukraine, Georgia).”
Although tracking down cyber criminals is one thing, Sawhney believes that taskforces and companies alike need to get into the hacker’s mindset to prevent cyber attacks from happening altogether: “In order to fight cybercrime and maximize cyberdefense, taskforces and companies need to learn to approach things from a hacker perspective, not an information security perspective. Ethical hacking should be part of any organization's cybersecurity strategy, as there is no better way to test the security level of IT systems.”
Although hackers in this day and age do not actually need specialized military training in order to carry out cybercrimes, Kotsiuba said that professionally trained state actors can and do operate online. For Kotsiuba, these actors have their work cut out for them thanks to the growing trend for cooperation and digital awareness in an increasingly globalized world:
“As it is seen now, in the era of open source investigations and effective private, public partnership, and socially networked world, even professional spy can be sloppy enough to be caught. Crypto assets are made to be converted in a point of time, correctly saying, they are stolen to be converted. Most of the jurisdictions require identification of a trader or customer.”
Despite the growing legal framework to prevent cybercrimes, Sawhney said that the onus is on exchanges and wallet providers themselves to carry out security checks and to continue to decentralize:
“It is imperative that exchanges and wallet providers conduct penetration testing regularly, ideally every-time code changes. Companies need to engage with third-party ethical hackers to conduct red teaming, social engineering, code reviews, data leak monitoring, VAPT, managed bug bounties, and webservice + database assessments. As long as centralized exchanges lack transparency, conduct custody, and refuse to proof of solvency and proof of legitimate trading volumes, the attacks from hackers will only get worse.”
Origins of the hack
When Bitfinex first announced the hack in August 2016, it was the largest dollar-based exchange for Bitcoin in the world, and the $72 million theft was the second-biggest security compromise in the history of cryptocurrency.
In the days following the hack, Bitfinex offered a handsome reward for either the return of the funds or for information that could lead to them being located. Director of Community and Product Development Zane Tackett announced the exact amount on the Bitcoin subreddit: “5% of recovery and for information leading to recovery (but no bounty if no recovery); if multiple persons lead to recovery, share pro rata.”
Left reeling in the wake of the hack, Bitfinex did not initially know how to deal with the financial loss and the consequent wave of angered customers. After reporting the incident to law enforcement, Reuters reported that the company turned to “top blockchain analytic companies” to track the stolen coins. The hack did not just affect the reputation of Bitfinex alone. With the fatal $387 million hack that killed off MyCoin the previous year, Hong Kong’s Bitcoin market came to be known by its scandals rather than its successes.
The president of the Hong Kong Bitcoin Association, Leonhard Weese, told Reuters that, despite the huge amounts of funds that are often stolen in hacks involving cryptocurrency, having to transfer in so many small pieces often means the payoff for the crime is far smaller: “For an attacker, the cost-benefit strategy is quite easy: How much is in the pot and how likely is it that I’m getting the pot?”
On Aug. 3, 2016, Bitfinex announced a controversial effort for the loss to be “socialized” among its existing customers. Many clients were outraged by the initiative, which would have allegedly resulted in a 36% loss for every account holder. Bitfinex announced that customers would be given “BFX tokens” that could be redeemed on the exchange or be converted into company shares.
At the time, Bitfinex sought to reassure users alarmed by the news of heavy losses being spread across all accounts, stating that numbers quoted in the media were widely overestimated and that the actual figures would be different than the publicly disclosed amount: “The numbers being quoted are erroneous as nothing has been decided as of yet and we are still in the process of settling positions and balances.”
Unsurprisingly, people were not reassured. One of the crypto community’s most vocal members, Cornell University professor and co-founder of IC3 Emin Gun Sirer, tweeted: “Spoke to a lawyer, there is no way Bitfinex's ‘loss socialization’ plan holds up in court. This is going to be...interesting.”
A number of lawyers specializing in securities and financial technology cast aspersions at the time about the legality of Bitfinex’s recovery measures. Ryan Straus, United States-based lawyer at Fenwick & West, said that imposing the company’s losses on unhacked accounts was a breach of Bitfinex’s terms of service. Zach Zweihorn, a securities and trade law specialist at DavisPolk, also told Reuters that the BFX tokens being offered as compensation could also present a problem for the exchange. Zweihorn observed that the tokens, since they were described as redeemable, would put them something between a bond and a security, meaning that Bitfinex would require a U.S. licence that it did not, at the time, possess.
Despite his criticism that the Bitfinex attempt to spread its losses was most probably not legally sound, Sirer suggested a solution that he believed would not break Bitcoin’s irreversibility when dealing with strangers, yet allow someone to take back funds stolen in the event of a hack:
“You can then use your recovery key to undo the hack — you have 24 hours to notice and launch the recovery and get back all the funds. Notice that you cannot fool a merchant with this trick and revert a real transaction. All you can do is take back your own money from someone who is trying to steal it.”
U.S. recovers small amount
The exchange reported that just short of 27.7 Bitcoin were returned. Customers who had taken the option to convert their BFX tokens into company stock also received Recovery Right Tokens (RRT). Bitfinex reported that, having received some of the stolen coins, they had been converted into U.S. dollars and paid to RTT holders.
As per the post, Bitfinex was first informed by the U.S. government that it had accessed the funds believed to be proceeds from the 2016 hack in November 2018.