What happens when hacked crypto gets hacked again? How did the Bitfinex funds the government secured find their way back into the blockchain maze?

Here we go again…

In a surprising turn of events, a U.S. government-controlled crypto wallet holding over $20 million in seized digital assets made an unexpected move across the blockchain on Oct. 24.

The wallet, linked to the notorious 2016 Bitfinex hack, had remained inactive for months—until yesterday. Within minutes, blockchain analysts at Arkham Intelligence flagged the unusual transfers, raising questions about a potential security breach.

UPDATE: US Government linked address appears to have been compromised for $20M. $20M in USDC, USDT, aUSDC and ETH has been suspiciously moved from a USG-linked address 0xc9E6E51C7dA9FF1198fdC5b3369EfeDA9b19C34c to… pic.twitter.com/UXn1atE1Wx

— Arkham (@ArkhamIntel) October 24, 2024

Let’s rewind. Back in 2016, the crypto exchange Bitfinex was hit by a major hack, resulting in the theft of a large quantity of Bitcoin (BTC). 

After a lengthy investigation, authorities eventually tracked down the stolen assets, leading to the arrests of Ilya Lichtenstein and Heather Morgan.

Yet, the story doesn’t end there. This recent activity has once again brought the Bitfinex hack back into the spotlight, with over $20 million in seized funds apparently slipping out of government control.

What happened to these assets, and why are analysts calling it a “likely theft”? Here’s what we know so far about this mysterious transfer of millions in stablecoins and Ethereum (ETH), the wallets involved, and how it might have occurred right under the government’s nose.

A digital heist gone full circle

To unravel the mystery of the missing millions, let’s go back to where it all began: the Bitfinex hack of 2016. At the time, Bitfinex was one of the world’s largest crypto exchanges, holding vast amounts of Bitcoin for its users.

On an otherwise typical August day, the platform suffered a massive breach, allowing hackers to make off with approximately 120,000 Bitcoin—valued at about $72 million then but worth over $8 billion today, marking one of the largest heists in crypto history.

The story took an unexpected turn in 2022 when U.S. authorities tracked down two suspects: a New York couple, Ilya Lichtenstein and Heather Morgan. 

While Morgan’s alter-ego as a rapper and social media figure attracted attention, the real shock came with authorities’ retrieval of a substantial portion of the stolen assets. 

These assets were then secured in government-controlled wallets, marking the largest digital asset confiscation in the Department of Justice’s history.

Yet, on Oct. 24, another twist emerged when $20 million in crypto assets—funds tied to the original Bitfinex hack—mysteriously moved out of one of these secure wallets. 

Blockchain analysts at Arkham Intelligence noticed the unusual activity within minutes, raising alarms over what appeared to be a possible theft.

The receiving wallet, labeled “0x348” and just five days old, became the holding point for a mix of stablecoins and Ethereum.

From there, the assets dispersed through smaller transactions and were routed to various other wallets, likely as part of a broader strategy to obscure the original source and destination.

Tracking the trail

The movement began with large withdrawals from a popular DeFi platform, Aave (AAVE). Initially, around $1.1 million in Tether (USDT) and $5.5 million in USD Coin (USDC) were withdrawn. 

Shortly after, the largest portion, about $13.7 million in aUSDC (a token representing USDC deposits in Aave), was also pulled out.

These amounts and $446,000 in ETH were funneled into a new wallet labeled “0x348,” an address with no prior transaction history, raising immediate suspicions about its sudden involvement in handling seized funds.

From there, the complexity grew. The individual behind these transfers used 1inch (1INCH), an exchange aggregator that finds the best rates across multiple exchanges, to convert the stablecoins into Ethereum. The conversion was a deliberate effort to cover tracks, as Ethereum’s fluidity on-chain makes it easier to split and move funds in smaller amounts.

Pieces of Ethereum, each roughly $40,000, began trickling into deposit addresses associated with major exchanges, including Binance — flagged by ZachXBT as potentially suspicious. 

funds are going to instantly exchanges looks nefarious

— ZachXBT (@zachxbt) October 24, 2024

Although Binance itself wasn’t directly involved, these “nested exchanges” depend on Binance for liquidity, effectively concealing the funds within Binance’s larger network.

This technique, often used for laundering, allows substantial crypto sums to be “washed” and quietly reintroduced into circulation, avoiding detection on main exchanges.
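The pattern traced above (a long-idle custody address, a destination with no prior history, and a fan-out into similar-sized pieces) can be written as monitoring rules for a custodian. The following Python example is added here and is not from the article or the analysts it quotes; the address labels, timestamps, thresholds and the simplified direct custody-to-wallet flow are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    usd: float

def flag_outflows(transfers, watched, dormancy=timedelta(days=180)):
    """Alert when a watched address sends after a long idle gap or to an unseen address."""
    last_seen, alerts = {}, []
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.src in watched:
            prev, reasons = last_seen.get(t.src), []
            if prev is not None and t.ts - prev >= dormancy:
                reasons.append("dormant_source")
            if t.dst not in last_seen:
                reasons.append("fresh_destination")
            if reasons:
                alerts.append((t, reasons))
        last_seen[t.src] = last_seen[t.dst] = t.ts
    return alerts

def is_structured_fanout(transfers, src, min_count=5, max_cv=0.15):
    """True if src sent >= min_count similar-sized transfers, each to a different destination."""
    out = [t for t in transfers if t.src == src]
    if len(out) < min_count or len({t.dst for t in out}) < len(out):
        return False
    amounts = [t.usd for t in out]
    return pstdev(amounts) / mean(amounts) <= max_cv  # coefficient of variation

# Constructed sample (placeholder labels, made-up times); Oct. 24 amounts are the article's figures.
D = datetime(2024, 10, 24, 12, 0)
SAMPLE = [
    Transfer(datetime(2024, 2, 20), "LENDING_POOL", "CUSTODY", 10_000),
    Transfer(D, "CUSTODY", "FRESH_WALLET", 1_100_000),
    Transfer(D + timedelta(minutes=2), "CUSTODY", "FRESH_WALLET", 5_500_000),
    Transfer(D + timedelta(minutes=5), "CUSTODY", "FRESH_WALLET", 13_700_000),
    Transfer(D + timedelta(minutes=6), "CUSTODY", "FRESH_WALLET", 446_000),
] + [Transfer(D + timedelta(hours=1, minutes=i), "FRESH_WALLET", f"DEPOSIT_{i}", 40_000 + 300 * i)
     for i in range(6)]

if __name__ == "__main__":
    for t, reasons in flag_outflows(SAMPLE, {"CUSTODY"}):
        print(t.ts, t.src, "->", t.dst, t.usd, reasons)
    print("fan-out:", is_structured_fanout(SAMPLE, "FRESH_WALLET"))
```

Only the first outflow after the idle period raises an alert, which is the point at which a custodian would want to halt or verify the movement before the remaining transfers follow.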

Inside job or security lapse

When $20 million in crypto slips out of a government-controlled wallet, speculation is inevitable. Was this an inside job involving someone with access to private keys? Or did an external party exploit a vulnerability in the government’s crypto storage system?

One theory suggests an insider breach. Crypto wallets rely entirely on the security of their private keys. If these keys were compromised — whether through phishing, hacking, social engineering, or by an insider with direct access — it could explain how such a large sum was moved swiftly and covertly.

Historically, private keys have been the Achilles’ heel of crypto wallets. Control of the keys means control over the assets, and this incident’s orchestrated transfers to specific wallets, exchange aggregators, and nested exchanges hint at a knowledgeable player familiar with crypto transactions and laundering tactics.

Another possibility is a lapse in the government’s security protocols for storing digital assets. 

Traditional financial institutions often use multi-layered security for high-value assets, such as multi-signature wallets (requiring multiple transaction approvals) or offline hardware wallets. 

While it’s unclear what protocols the U.S. government applies to seized digital assets, any failure in multi-signature processes or custodial storage could expose funds.

According to Arkham Intelligence, these wallets were dormant for nearly eight months before the sudden movement, raising questions about what might have triggered the transfer after such a long period of inactivity.

ALERT: US GOVERNMENT JUST PULLED $5.4M OUT OF AAVE
This is their first activity on this address in 8 months. pic.twitter.com/zwxDWQmm9B

— Arkham (@ArkhamIntel) October 24, 2024

Finally, there’s the chance of external hackers targeting the wallet remotely. This would likely involve exploiting known vulnerabilities within DeFi platforms like Aave or weaknesses in the wallet’s own security. 

Advanced hacking methods could allow hackers to intercept or control wallets remotely, though these would require sophisticated planning and technical skill.

For now, we wait as investigators work to recover the funds and establish stronger standards to protect both government assets and the broader crypto ecosystem from similar breaches in the future.