Thieves steal $72m from Hong Kong Bitcoin exchange
It’s all gone wrong in Hong Kong as about $72 million worth of Bitcoin was stolen from the Bitfinex exchange platform.
Nearly 120,000 units have been pilfered, making it the second-biggest security breach ever at such an exchange. Bitfinex is one of the largest exchanges for Bitcoin and, according to Reuters, is known in the digital currency community for having a platform that has deep liquidity in the US dollar/Bitcoin currency pair.
Zane Tackett, director of community and product development for Bitfinex, told Reuters that 119,756 Bitcoin had been stolen from users’ accounts and that the exchange had not yet decided how to address customer losses.
“The bitcoin was stolen from users’ segregated wallets,” he says.
Tackett adds that the breach did not “expose any weaknesses in the security of a blockchain”.
To put the event into perspective, the volume stolen equates to about 0.75% of all Bitcoin in circulation.
Due to the theft, Reuters states Bitcoin plunged just over 23% on Tuesday [2 August]. Today [3 August], it was up 1% at $545.20 on the BitStamp platform.
Bitfinex suspended trading yesterday (2 August) after it discovered the breach. On its website, Bitfinex says: “We discovered a security breach that requires us to halt all trading on Bitfinex, as well as halt all digital token deposits to and withdrawals from Bitfinex.”
The incident is being investigated and updates will be posted as and when they happen. No one knows yet whether it was an inside job or hackers gaining access via external systems.
The worst Bitcoin theft was at MtGox, a Tokyo-based exchange that was forced to file for bankruptcy in early 2014 after hackers stole around $650 million worth of customers’ Bitcoins.
UPDATE 8 August 2016
The latest update on the Bitfinex website says: “We are beginning the process of bringing the platform online in a controlled and secure way. Currently the site is available on a read-only basis as we continue to work towards enabling full functionality. This means that users will be able to log into their accounts but trading, depositing, and withdrawing will remain disabled at this time.”
The company adds: “Full platform functionality will come online in progressive steps in the coming days. Withdrawing, depositing and exchange trading will come online first, with margin trading (for non-US customers) to resume sometime after that. Further announcements will be made when the schedule for turning on those features is finalized.”
Bitfinex also has to look for new funding to compensate its customers.
The firm says: “Due to the indiscriminate nature of the attack, we have decided to generalize losses across all accounts. Upon logging into the platform, customers will see that they have experienced a generalized loss percentage of 36.067%.
“In order to compensate our customers, we are planning on issuing a new token on the Omni protocol (shortcode “BFX”) to each customer equal to the amount of their discrete loss. Tokens will be given without release or waiver and will be transferable on the blockchain. The BFX tokens will remain outstanding until repaid in full by Bitfinex or exchanged for shares of iFinex Inc.”
“We are also actively talking with potential investors. Raising capital is one strategy we are considering for making our customers whole. These discussions are at an early stage and will take time.”
UPDATE 18 August 2016
Bitfinex says the “exact attack vector is as yet unknown”. But it has employed Ledger Labs to identify “certain areas in our architecture that can be improved”.
Bitfinex says: “The key security breach, which allowed the amount of bitcoins released by BitGo to be increased without BitGo realizing it or alerting us, has been squarely addressed.”
The firm adds: “We would like to address some stories that have circulated online stating that management has contributed no property to compensating our customers. This is false. Management has committed all reserves of the business with a view to making our customers whole. Moreover, any principals and employees of the business with any property on Bitfinex were subject to the loss allocation. In point of fact, two out of the top ten BFX token-holders are in our management team. We assure everyone that we feel the loss acutely, both as a company and as individual customers.”
“However, we need to be clear that we have also, after committing those resources, held back certain amounts to pay our forensic investigators, to hire auditors and other advisors to work through these issues, to build our systems so that this security breach does not happen again, and for other contingent liabilities – all of which takes time and money.”
UPDATE 23 August 2016
Bitfinex has announced it has formally signed a letter of intent with BnkToTheFuture, an online investment platform, to “provide solutions towards compensating customers with equity” in Bitfinex.
BnkToTheFuture will be providing a special purpose vehicle (SPV) through which qualifying BFX token holders can contribute their tokens in exchange for an equity interest in compliance with their individual jurisdictions. Bitfinex says further details will be released in future announcements.
According to Bitfinex, BnkToTheFuture has hosted funding rounds resulting in over $70m worth of investments from qualified investors over the past year including investments in BitPesa, Uphold, ShapeShift and others.