Case Study · May 2025 · 5 min read

The Bitfinex Hack: $72M Stolen, $3.6B Recovered, 6 Years Later

How blockchain forensics traced a peel chain across 2,000 wallets — and caught the launderers in a Walmart bag.

On August 2, 2016, hackers exploited Bitfinex's multi-signature wallet system and walked away with 119,754 BTC — worth $72 million at the time. The funds sat mostly dormant for years. Then, in 2022, blockchain investigators finally traced the full laundering trail and the DOJ seized $3.6 billion of it — the largest ever. What they found was a masterclass in on-chain forensics.

The laundering playbook

Ilya Lichtenstein and Heather Morgan didn't cash out quickly. They spent six years attempting to layer the funds through a technique called a peel chain — one of the most common BTC laundering patterns and one of the most traceable.

01. Peel chain fragmentation

The 119,754 BTC was split across thousands of wallets. Each wallet received funds and forwarded most to the next, "peeling off" small amounts at each hop. The result: a 2,000-node transaction graph that took analysts months to map.

02. Conversion to Monero

Some funds were converted to Monero (XMR) — a privacy coin designed to be untraceable. This is where the trail genuinely went cold for investigators. Converting back out of Monero created fresh, unlinked BTC.

03. Darknet markets & gift cards

Small amounts were cycled through darknet markets and converted to Walmart gift cards — classic layering to create distance from the original theft.

04. Failed DEX mixing

Attempts were made to use AlphaBay and decentralized exchanges to further obscure origin. Investigators identified these hops through address clustering — wallets that transact together frequently are likely controlled by the same entity.

How they were caught

The breakthrough came from a cloud storage account. Investigators found an encrypted file on Lichtenstein's cloud drive that contained the private keys to the original Bitfinex hack wallets — essentially a self-incriminating ledger of every address in the chain.

Despite years of layering, the BTC trail was never fully broken. Every address Lichtenstein controlled was eventually mapped through on-chain analysis — peel chains leave a visible fingerprint because the forwarding pattern is statistically identifiable even across thousands of hops.
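The forwarding fingerprint described above, as an added example that is not ClearChain's code or the investigators' tooling: a tracer that follows hops where an address forwards at least 95% of its outputs (the threshold this article cites) to one address not yet seen in the chain, and records the peeled-off amounts. The transaction records, addresses and field names are constructed for illustration, and fees are ignored.

```python
from decimal import Decimal

# Threshold from the article's pattern: forwards 95%+ to one new address.
FORWARD_RATIO = Decimal("0.95")

# Constructed sample: placeholder addresses, amounts in BTC, fees ignored.
# Assumption: every address is single-use and spends once, in one transaction.
SAMPLE_TXS = [
    {"from": "A0", "outputs": {"A1": Decimal("97"), "P1": Decimal("3")}},
    {"from": "A1", "outputs": {"P2": Decimal("2"), "A2": Decimal("95")}},
    {"from": "A2", "outputs": {"A3": Decimal("93"), "P3": Decimal("2")}},
    # Chain ends here: A3 splits roughly in half, so no output reaches 95%.
    {"from": "A3", "outputs": {"X1": Decimal("50"), "X2": Decimal("43")}},
]


def trace_peel_chain(txs, start, ratio=FORWARD_RATIO):
    """Return (hops, peels): forwarding addresses and the (address, amount) peels."""
    spends = {tx["from"]: tx for tx in txs}
    seen, hops, peels = {start}, [], []
    current = start
    while current in spends:
        outputs = spends[current]["outputs"]
        if not outputs:
            break
        total = sum(outputs.values())
        dest, amount = max(outputs.items(), key=lambda kv: kv[1])
        # Stop when the largest output is below the threshold or loops back
        # to an address already in this chain ("new" means unseen in the chain).
        if total == 0 or amount / total < ratio or dest in seen:
            break
        hops.append(dest)
        peels.extend((a, v) for a, v in outputs.items() if a != dest)
        seen.add(dest)
        current = dest
    return hops, peels


if __name__ == "__main__":
    hops, peels = trace_peel_chain(SAMPLE_TXS, "A0")
    print("forwarding hops:", " -> ".join(["A0"] + hops))
    for addr, value in peels:
        print(f"peel to {addr}: {value} BTC")
```

The peel addresses it returns are the side branches an analyst would examine next, since those are where value leaves the main chain.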

What this looks like in ClearChain

| Pattern observed | ClearChain signal |
| --- | --- |
| 2,000+ single-use wallets forwarding >95% of funds | Rapid fund movement + high-risk counterparty |
| Interaction with known darknet market addresses | High-risk counterparty (+10 pts) |
| Wallets on OFAC SDN list (post-designation) | OFAC/SDN match (+40 pts) → CRITICAL |
| Volume anomaly on fresh wallets moving large BTC | Volume anomaly (+5 pts) |

The lesson from Bitfinex: peel chains look complex but are mathematically traceable. The forwarding pattern — wallet receives, immediately sends 95%+ to one new address — is a fingerprint. ClearChain's Investigation Mode lets you follow exactly these hops visually.