The US$4.5 billion Bitfinex hack – five things you should know

The hack of the Hong-Kong based crypto-exchange Bitfinex has been described as the “heist of the century”. Where a crypto-asset is in play in litigation, in particular as a potential target for enforcement, parties should be prepared to think creatively about ways to establish how secure that crypto-asset is, and whether it requires better protection.

The hack of the Hong-Kong based crypto-exchange Bitfinex has been described as the "heist of the century". In total, over 120,000 bitcoin (valued at US$4.5 billion at current prices) was stolen in a series of unauthorised transfers from Bitfinex users' wallets in August 2016. 

In February, the U.S. Department of Justice (DoJ) made an apparent breakthrough in seizing more than US$3.6 billion worth of bitcoin - the proceeds of the Bitfinex hack. The stolen bitcoin is claimed to have been traced to a New York-based couple, Heather Morgan and Ilya "Dutch" Lichtenstein who have both been arrested and charged with money laundering offences. At the time of writing neither had entered a plea. Lichtenstein has been remanded pending trial and Morgan granted a bond bail for the sum of $3 billion. They are not alleged to have been the actual perpetrators of the Bitfinex hack.

The case has generated headlines both because of the high value of the bitcoin recovered and the idiosyncratic lifestyle of Morgan, who has produced a substantial catalogue of rap songs on social media platforms under the moniker "Razzlekhan". In doing so, Morgan described herself as "the crocodile of Wall Street" and "like Genghis Khan, but with more pizzazz".

Aside from the garish headlines, however, the case stands as an example of a high-profile cryptocurrency theft, a tracing exercise and a subsequent enforcement action. It will be of considerable interest to the asset-tracing and enforcement community, but also raises lessons for anyone with an interest in crypto-assets. Here are five key takeaways from the case so far.

You really can trace on the blockchain (or, at least, your expert can)

From the court filings available so far, it is clear that the DoJ was successful in a complex "follow the money" exercise, which involved tracking transfers across multiple different cryptocurrencies through 'dark web' institutions, and following the use of computer programmes to automate large numbers of simultaneous transactions.

In doing so, the DoJ appears to have made use of specialist forensic blockchain analytics providers. Whilst a relatively new discipline, at least from the perspective of many court systems, this has established itself into a substantial industry, involving sophisticated practitioners (some of whom are increasingly familiar with appearing as experts in litigation), and its own established methodologies (or tracing "heuristics").

Expert blockchain analysts are able to take advantage of one of the inherent features of the blockchain; it constitutes a publicly available record of every transaction ever made. It is therefore possible to apply specialist software to a known transfer (e.g. the transfers out of the Bitfinex wallets following the hack in 2016) and map out subsequent movements (including sub-divisions) of that crypto-asset.

When faced with sophisticated fraudsters and/or money launderers, the tracing exercise is likely to encounter mechanics and tactics designed to obscure the ultimate destination of the crypto-assets. The DoJ's seizure of the proceeds of the hack in question, however, shows that current tracing methodologies can be up to the task.

Tracing is good, but identifying wallet holders can be the silver bullet

Bitcoin and most other blockchain-based cryptocurrencies present difficulties but also opportunities for anyone trying to trace transactions. The blockchain is entirely publicly available. As a consequence, any transaction ever can be seen by anyone.

However, as with many cryptocurrencies, bitcoin's users are anonymous. Bitcoin users interact through numerical wallet IDs, meaning that even where payments can be traced to a given wallet, the difficulty remains in identifying the real person behind that wallet.

Details are still emerging on how the DoJ alleges the relevant wallets are connected to Morgan and Lichtenstein. However, we do know that included among the organisations against which the DoJ was able to get a subpoena was Lichtenstein's email provider: that provider also offered cloud storage services, and Lichtenstein's cloud account included a single list of over 2,000 wallet IDs and the private keys to access these wallets. Private keys are essential to operating bitcoin wallets and are long alpha-numeric chains, too complex to be committed to memory – if a user loses them, or forgets them, they will be unable to access the wallet. The DoJ's statement points to it having uncovered Lichtenstein’s "master list" of this information.

This is a novel way of connecting wallets to an individual user, and although civil litigants will not always have access to the same tools as prosecuting authorities, the courts in England & Wales, Hong Kong, Singapore and other jurisdictions are able to make orders requiring third parties to provide such information to litigants in certain circumstances.

With that in mind, the combination of (i) the inherent need that bitcoin users face to keep a record of their private keys; (ii) the fact anyone engaged in complex laundering will have hundreds, if not thousands, of keys to record; and (iii) the need to keep those details safe, raises interesting new angles for civil litigants when considered which third parties may have access to information connecting wallet IDs to wallet holders.

System updates are loading in Asia Pacific

Cryptocurrency has become more prevalent, not only in the west but also across the world. With cryptocurrency-based crime hitting an all-time high in 2021, and illicit addresses receiving US$14 billion – up almost 80 percent from 2020,  courts in Asia Pacific are seeing a gradual increase of claims involving cryptocurrency misappropriation and recovery. To address this growing trend, the courts in Hong Kong and Singapore have begun granting interim injunctions to freeze wallets to prevent dissipation of traceable assets.

In Hong Kong, the court in Yan Yu Ying v Leung Wing Hei [2021] HKCFI 3160 granted an interim  proprietary injunction over 999.9900261 bitcoins in October 2021 which were the subject of a misappropriation claim. Meanwhile, the high court in Singapore in CLM V CLN and ors [2022] SGHC 46 granted its first reported freezing injunction against "persons unknown" in Singapore for S$9.6 million worth of cryptocurrency assets stolen from the plaintiff. The injunctions in both cases worked towards preventing the purported perpetrators from dealing with misappropriated monies pending substantive determination of the matters. The contexts in which the interim relief was granted in the two jurisdictions however, varied.

In Yan Yu Ying, the defendant had been acquitted of charges of fraud and money laundering in parallel criminal proceedings by successfully relying on messages exchanged between himself and the plaintiff to support his defence that there was a swap agreement between the parties providing for the legitimate transfer of the subject Bitcoin.

Following the defendant's acquittal, the plaintiff obtained expert evidence which sought to show that those messages could have been forged, and relied on this evidence to justify her interim-interim relief application in the civil proceedings. Recognising the technical complexity of the matter, the Hong Kong court ruled that an urgent temporary stopgap measure was appropriate for preserving the bitcoin on the balance of fairness.

Unlike in Yan Yu Ying where the defendant was identifiable, the plaintiff in CLM V CLN had named the defendants as "any person or entity who carried out, participated in or assisted in the theft of the plaintiff's cryptocurrency assets on or around Jan 8, 2021, save for the provision of cryptocurrency hosting or trading facilities". This was owing to the fact that the plaintiff had disclosed his safe combination in the presence of several individuals, which might have created an opportunity for a suspected theft of the plaintiff’s "recovery seeds" from the safe.

"Recovery seeds" are lists of words in specific order for users to recover their wallets in the event that their devices are lost, destroyed or corrupted, the access to which in this case allowed the plaintiff's cryptocurrency to be stolen. Based on the specific fact pattern, the court was of the view that it had the jurisdiction to grant interim orders against unidentified persons on condition that the description of such persons unknown is sufficiently certain to identify those who are included and those who are not.

These recent cases show not only the variety of formats in which interim injunctions can be obtained to freeze misappropriated cryptocurrency, but also expand the pool of case law which the courts can utilize moving forward  to provide remedies against crypto-fraud.

 Assets of astonishing volatility

When the Bitfinex hack took place, the value of the stolen bitcoin was around US$72 million. At the time of the DOJ's seizure that value stood at around US$4.5 billion, an increase of 7,000 percent in a six-year period. However, this has not been a smooth rise; between December 2017 and January 2019 bitcoin lost almost 80 percent of its value, before later recovering to an all-time high. This is indicative of what has, so far, been an integral part of bitcoin and other cryptocurrencies; extreme volatility.

Volatile assets per se, are not a new phenomenon for those involved in asset tracing and enforcement work, but volatility to the extent shown in the Bitfinex case is extremely rare. It also raises unique issues when it comes to attempting to preserve potential cryptocurrency assets under the regimes available to litigants in England & Wales, Hong Kong and Singapore, where any applicant for a freezing order must undertake to compensate the respondent for any losses caused by the freezing order in the event that it is later held that it should not have been granted.  If the potential changes in the value of bitcoin are enormous, so too are the potential losses that could be caused by the freezing order and therefore the potential exposure on the undertaking in damages.

Whilst a new issue for the courts, one recent English case (Toma v Murray [2020] EWHC 2295) saw a proprietary injunction over bitcoin refused on the basis that bitcoin's volatility meant that the applicant was unable to make good on the potential claims under the undertaking in damages. High profile examples of volatility such as the price of bitcoin during the Bitfinex recovery may reinforce that view. The high price of bitcoins (or other cryptocurrencies) may however tilt the balance of convenience the other way.

In Yan Yu Ying, the plaintiff was able to leverage the high value of bitcoins to argue she would not be adequately compensated in damages if the dispute was eventually resolved in her favour, especially in circumstances where the defendant has indicated difficulty in footing his legal expenses for senior counsel without the subject bitcoins.

These cases must be viewed in the context of their own facts, but they still stand as a cautionary tale for practitioners and should encourage creative thinking by litigants and their advisers whenever attempts are being made to freeze volatile crypto-assets.

Keeping bitcoin safe

The Bitfinex hack presents a stark lesson in the reality of crypto-assets: they are inherently vulnerable to a unique form of devaluation, hacking.

There are various way for a bitcoin (or other cryptocurrency) user to protect the security of their bitcoin. At the most extreme end, bitcoin can be stored entirely offline on a secure hard-drive – a so-called "cold" wallet. That provides maximum protection against a cyber-attack (although it does create the risk of physical theft of the hard-drive) at the sacrifice of liquidity – to trade the bitcoin, the wallet must be connected to the internet.

Bitcoin held through exchanges are significantly less secure. Exchanges will often split the bitcoin they hold across cold wallets and so-called "hot" wallets – wallets permanently connected to the internet and therefore necessarily at risk of being hacked. Furthermore, the most common way to hold a wallet through an exchange is on a "custodial" basis, where the exchange operates and controls a single wallet or set of wallets for its clients with its clients essentially being allocated bitcoin within that wallet. The consequence of that custodial approach is that a hack on the custodial wallet amounts to a hack against all the users, which is what happened to Bitfinex.

There are ways to protect against the security risks of on-exchange hot wallets, for example by requiring multiple private keys (e.g. one held by the exchange and one held by the user) to operate a wallet. Bitfinex employed these types of measures, but still suffered a hack on its custodial wallets. The effect was a 30 percent write-down across all of its users.

In short, it is far from the case that all bitcoin is equally secure. Where a crypto-asset is in play in litigation, in particular as a potential target for enforcement, parties should be prepared to think creatively about ways to establish how secure that crypto-asset is, and whether it requires better protection. 

A party benefited by a freezing order that encompasses a crypto-asset should be prepared to, at least, raise questions on the details of any bitcoin wallet (e.g. it is "cold", "hot", "custodial", "multi-sig") and potentially to consider seeking more specific relief directed at requiring the respondent to the freezing order to improve the level of protection applied to that asset.

A case to watch

At Hogan Lovells, we will be watching the progress of this case closely and expect it to continue to raise lessons for how litigants in civil proceedings across the globe trace, monitor, protect, and enforce over crypto-assets. This is already an area where our team are practicing at the forefront and we would be delighted to discuss our experience in more detail.

If you would be interested to hear more analysis of this case, or about our expertise more generally, please contact any of the team members listed.



Authored by (London) Richard Lewis, James Wise, Rufus Dobson; (Singapore) Khushaal Ved, Nicole Lim; (Hong Kong) Byron Phillips, Hazel Law, and Nigel Sharman.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.