Bitfinex’s CTO Paolo Ardoino has dismissed claims by hacking group Fsociety, that allege a breach of the cryptocurrency exchange’s database.
Ardoino deemed the claims “fake” and emphasized that no ransom request was made through official channels such as bug bounty programs, customer support tickets, emails, or social media platforms.
Bitfinex Clarifies Misinformation Surrounding Alleged Data Breach
It was fake. https://t.co/tJLfzclsQj
— Paolo Ardoino 🍐 (@paoloardoino) May 6, 2024
The misinformation about Bitfinex’s alleged data breach began circulating on social media on Saturday, apparently triggered by a tweet from Alice of Shinoji Research. Alice claimed that Bitfinex had fallen victim to a large-scale data breach, echoing the assertions of hacking group FSociety on April 26.
The tweet, since deleted, gained traction after being picked up by Walter Bloomberg, a prominent breaking news account with a substantial following. Walter Bloomberg tweeted, citing Shinoji Research, that Bitfinex’s data, comprising 2.5 Terabytes of information and personal details of 400,000 users, had been hacked.
Alice of Shinoji Research later corrected the record, acknowledging their premature assertion.
Removed the original BFX hack post as I’m not able to edit it. What appears to have happened is this “Flocker” group curated a list of BitFinex logins from other breaches.
They then made the site look like a ransom demand for a major breach.
— Alice (e/nya)🐈⬛ (@Alice_comfy) May 4, 2024
“Removed the original BFX [Bitfinex] hack post as I’m not able to edit it,” Alice stated.
“What appears to have happened is that this ‘Flocker’ group curated a list of Bitfinex logins from other breaches. They then made the site look like a ransom demand for a major breach.”
Ardoino clarified that Bitfinex does not store plaintext passwords or 2FA secrets in clear text, further diminishing the credibility of the alleged breach. Out of the purported 22,500 records of emails and passwords leaked by Fsociety, only 5,000 matched with Bitfinex users.
Everyone panicking for a potential database breach on bitfinex.
Tldr: seems fake.The alleged hackers have posted 2 mega links with sample data contains 22.5k records of email and passwords.
– we don’t store plaintext passwords, nor 2FA secrets in clear text.
– only 5k of 22.5k…— Paolo Ardoino 🍐 (@paoloardoino) May 4, 2024
Ardoino suggested that the hackers likely gathered data from various other crypto-related data breaches, exploiting the common practice of users utilizing the same login credentials across multiple platforms. Ardoino further stated,
“As I said on Saturday, Bitfinex’s user database was not breached. We spent the weekend reviewing all internal data to avoid leaving any stone unturned. We concluded that the claim was fake, as suspected from the beginning.”
Bitfinex Refutes Claims of Data Breach by Fsociety
Fsociety, inspired by the fictional hacking group from the television series “Mr. Robot,” asserted on its dark web homepage on April 26 that it had successfully breached several entities, including Bitfinex, Rutgers University, consulting firm SBC Global, and a misspelled reference to Coinmama.
Despite Fsoceity’s claims, none of the alleged victims, including Bitfinex, have acknowledged experiencing a significant data breach or engaging in ransom payment. Ardoino highlighted that Bitfinex never received direct communication from the hacking group and questioned the legitimacy of Fsociety’s assertions.
Here a message from a security researcher (that instead of panicking, trying to dig a bit more into it).
“I believe I start to understand what is happening and why they are sending these messages claiming you were hacked.
The message in the screenshot in the ticket came from a… pic.twitter.com/YjwG2eeXw2— Paolo Ardoino 🍐 (@paoloardoino) May 4, 2024
Moreover, Ardoino shared insights from a security researcher suggesting that Fsociety’s motive may have fabricated the claim of breaching Bitfinex to promote its ransomware tools—the tool to which it purportedly sells access for a subscription fee and a commission on stolen profits.
According to the researcher, such claims generate buzz and serve as advertisements for the tool’s effectiveness, enticing others to purchase it for potential exploitation. Ardoino questioned the rationale behind such actions, wondering if FSOCIETY had successfully breached Bitfinex.
Despite the allegations, Ardoino assured users that Bitfinex would diligently investigate the situation. As of now, no breach has been detected, and all user funds remain secure.
Bitfinex’s history includes a notable hacking incident in 2016, during which over 95,000 Bitcoins were compromised. Two individuals, including the self-professed crypto rapper Razzlekhan, pleaded guilty to money laundering charges related to the hack and forfeited the stolen bitcoin to authorities.