The hackers had been inside the Bitfinex servers for weeks before attempting the heist. They’d watched users on the cryptocurrency exchange buy and sell Bitcoins. They’d studied the commands that controlled the security system. It was as if they were hiding in an air duct above a bank’s vault, watching as tellers meticulously moved cash in and out, looking for vulnerabilities.
They weren’t after Bitcoins, exactly. Bitcoins only exist as entries in a database maintained by computers around the world. What they needed were the private keys: cryptographic passwords that would allow them to unlock the coins and move them. Once they found the keys, they struck. At 10:26 a.m. on Aug. 2, 2016, the hackers raised the exchange’s daily withdrawal limit from 2,500 Bitcoins to 1 million, more than enough to empty out the whole vault. Then, using the private keys, they started broadcasting instructions to transfer Bitfinex’s Bitcoins to addresses they controlled on the blockchain. Over the next 3 hours and 51 minutes, the hackers stole 119,754 coins—more than half the holdings of what was then one of the world’s largest cryptocurrency exchanges.