Bitfinex Hot Wallet Hack: Difference between revisions
(30 minutes. Confirmed information already integrated from Master The Crypto. Integrated information from Wikipedia. Integrated information from SiliconANGLE article on the breach. Started integrating information from the CoinTelegraph article.) |
(COMPLETE 30 minutes. Overall review and minor tweaks to the article. Completed a full prevention section for individuals, platforms, and regulators. Merged the information from the original prevention description. Filled in a basic technical details section and integrated data from the blockchain, which was uncovered from a Reddit post in the sources already. Added more information about the Reddit thread to the timeline. Improved consistency of casing throughout the article.) |
||
| Line 1: | Line 1: | ||
{{Case Study Under Construction}}{{Unattributed Sources}} | {{Case Study Under Construction}}{{Unattributed Sources}} | ||
[[File:Bitfinex.jpg|thumb|BitFinex Homepage | [[File:Bitfinex.jpg|thumb|BitFinex Logo/Homepage]]Bitfinex was the largest exchange by volume at this time. It stored the vast majority of funds in proper sold storage, and a relatively small amount was in a hot wallet, which was breached. The exchange absorbed the loss without impact to customers. | ||
| Line 14: | Line 13: | ||
Bitfinex, founded in 2012 and based in Hong Kong, operates as a leading cryptocurrency exchange offering various functions like bitcoin to fiat exchange, margin trading, and liquidity provision<ref name="masterthecrypto-2241" />. Despite being among the highest-volume exchanges globally, Bitfinex continues to operate and remains popular for its extensive trading options, customizable interface, low fees, and wide range of supported currencies and pairs<ref name="masterthecrypto-2241" />. Bitfinex provides a user-friendly trading platform. It requires KYC verification for certain services but offers basic access with just an email<ref name="masterthecrypto-2241" />. | Bitfinex, founded in 2012 and based in Hong Kong, operates as a leading cryptocurrency exchange offering various functions like bitcoin to fiat exchange, margin trading, and liquidity provision<ref name="masterthecrypto-2241" />. Despite being among the highest-volume exchanges globally, Bitfinex continues to operate and remains popular for its extensive trading options, customizable interface, low fees, and wide range of supported currencies and pairs<ref name="masterthecrypto-2241" />. Bitfinex provides a user-friendly trading platform. It requires KYC verification for certain services but offers basic access with just an email<ref name="masterthecrypto-2241" />. | ||
Bitfinex functions as a bitcoin to fiat exchange, a margin trading platform, a liquidity provider, and an OTC desk<ref name="cryptocompare-2240" /><ref name="cryptonews-2239" />. It provides features like shorting Bitcoin through margin trading, expanding financial positions<ref name="cryptocompare-2240" />. The exchange offers a wide range of trading pairs, high liquidity, and various trading options<ref name="cryptonews-2239" />. Additionally, the platform offers cryptocurrencies like Litecoin and Ethereum for trading, not just Bitcoin<ref name="cryptocompare-2240" />. The platform charges competitive trading fees based on trading volume and offers flexibility in deposit and withdrawal methods, including bank transfers and cryptocurrency transfers<ref name="cryptonews-2239" />. Deposits and withdrawals are conducted through bank transfers, with fees of 0.1% and a minimum of $20, while Bitcoin and Litecoin transactions are free of charge<ref name="cryptocompare-2240" />. | |||
== The Reality == | == The Reality == | ||
Bitfinex's trust and privacy are questioned due to its opaque operations and controversies surrounding its management and partnerships<ref name="masterthecrypto-2241" />. Bitfinex has faced criticism for its lack of transparency and connection to Tether (USDT), accused of manipulative activities<ref name="masterthecrypto-2241" />. | Bitfinex's trust and privacy are questioned due to its opaque operations and controversies surrounding its management and partnerships<ref name="masterthecrypto-2241" />. Bitfinex has faced criticism for its lack of transparency and connection to Tether (USDT), accused of manipulative activities<ref name="masterthecrypto-2241" />. | ||
== What Happened == | == What Happened == | ||
| Line 34: | Line 26: | ||
!Description | !Description | ||
|- | |- | ||
|May 22nd, 2015 | |May 22nd, 2015 4:32:16 AM MDT | ||
| | |Reddit Discussion Started | ||
| | |A thread is started in the Bitcoin subreddit about the attack<ref name="reddit-3020" />. The total amount of the loss is revealed to be 1,459 bitcoin, and multiple bitcoin wallet addresses associated with BitFinex and the attacker are revealed<ref name="reddit-3020" />. Users comment on the situation, discussing potential security vulnerabilities, the ongoing hack, and the implications for Bitfinex users<ref name="reddit-3020" />. A lively discussion touches on topics like the nature of cold wallets, the risk of theft, and the role of human error in security breaches<ref name="reddit-3020" />. | ||
|- | |- | ||
|May 22nd, 2015 5:40:20 AM MDT | |May 22nd, 2015 5:40:20 AM MDT | ||
| Line 52: | Line 44: | ||
== Technical Details == | == Technical Details == | ||
Bitfinex used a wallet infrastructure which consisted of separate hot wallets (which were considered intermediate wallets and still intended to be of high security) and cold wallets. In May of 2015, a successful attack was undertaken against Bitfinex's intermediate/hot wallets and over 1,400 bitcoin were transferred to a wallet set up by the attacker. | |||
=== Mechanisms Of Breach === | |||
The exact security setup and mechanism of Bitfinex's intermediate wallets and how they were breached is not widely available. | |||
=== Blockchain Wallets Affected === | |||
Information about the wallets used by the Bitfinex platform was posted on Reddit<ref name="reddit-3020" />. | |||
Hacker Blockchain Address:<ref name="blockchaindotcom-3021" /> | |||
Bitfinex Intermediate Wallet:<ref>[https://blockchain.info/address/39ngTt6DWQRUbzjmx6ucxz7pPvQcm52CL3 BitFinex Intermediate Wallet - Blockchain.info Explorer] (Accessed May 14, 2024)</ref> | |||
Bitfinex Cold Wallets:<ref>[https://blockchain.info/address/3Q9ovFSZ77r4UPfDNdCyJqaQznmzxWxDGU BitFinex Cold Storage Wallet 1 - Blockchain.info Explorer] (Accessed May 14, 2024)</ref><ref>[https://blockchain.info/address/39coweGgC8CPZ6hYL1BBEfc1zqbSfHsprW BitFinex Cold Storage Wallet 2 - Blockchain.info Explorer] (Accessed May 14, 2024)</ref><blockquote>Total bitcoins of Bitfinex in Cold wallet(Found now): 115000+116849=231849BTC | |||
Total bitcoins lost to today hack(up to now 12:22PM GMT): 1474BTC | |||
Percentage of lost: 1474/231849 = 0.635%</blockquote> | |||
=== Laundering Of Funds === | |||
"Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours." | "Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours." | ||
| Line 68: | Line 79: | ||
== Immediate Reactions == | == Immediate Reactions == | ||
Bitfinex reacted to the hack by promptly issuing an urgent message to its customers, advising them to cease depositing cryptocurrency and suspend bitcoin deposits until the potential compromise was resolved<ref name="siliconangle-3019" />. The exchange acknowledged that although the majority of users' BTC deposits were kept in secure multisig wallets, the small remaining amount in coins in their hot wallet was vulnerable to attack<ref name="siliconangle-3019" />. Bitfinex assured its customers that the incident, while unfortunate, would be fully absorbed by the company. Additionally, the exchange announced plans to create a new hot wallet and reassured customers that their funds would remain unaffected.<ref name="siliconangle-3019" /> | Bitfinex reacted to the hack by promptly issuing an urgent message to its customers, advising them to cease depositing cryptocurrency and suspend bitcoin deposits until the potential compromise was resolved<ref name="siliconangle-3019" />. The exchange acknowledged that although the majority of users' BTC deposits were kept in secure multisig wallets, the small remaining amount in coins in their hot wallet was vulnerable to attack<ref name="siliconangle-3019" />. Bitfinex assured its customers that the incident, while unfortunate, would be fully absorbed by the company. Additionally, the exchange announced plans to create a new hot wallet and reassured customers that their funds would remain unaffected.<ref name="siliconangle-3019" /> | ||
BitFinex continued operating their trading platform throughout the incident<ref name=":0">[https://twitter.com/stanmarion/status/601717952229019648 Stanislas Marion - "@bitfinex why haven't you halted trading until the matter is resolved ?" - Twitter] (Accessed Apr 19, 2024)</ref>. | BitFinex continued operating their trading platform throughout the incident<ref name=":0">[https://twitter.com/stanmarion/status/601717952229019648 Stanislas Marion - "@bitfinex why haven't you halted trading until the matter is resolved ?" - Twitter] (Accessed Apr 19, 2024)</ref>. Bitfinex notified users of the breach on their website, requesting that users not deposit to the previously used deposit addresses<ref name="bitfinextwitter-3017" /><ref name="bitfinexarchive-3018" />. | ||
=== Announcement On Website === | === Announcement On Website === | ||
Bitfinex shared an announcement about the breach on their website<ref name="bitfinexarchive-3018" /> and spread word through Twitter<ref name="bitfinextwitter-3017" />.<blockquote>Dear Customer although we keep over 99.5% of users' BTC deposits in secure multisig wallets, the small remaining amount in coins in our hot wallet are theoretically vulnerable to attack. We believe that our hot wallet keys might have been compromised and ask that all of our customer cease depositing cryptocurrency to old deposits addresses. We are in the process of creating a new hot wallet and will advise within the next few hours. Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension. Bitfinex Team</blockquote> | |||
| Line 86: | Line 97: | ||
=== Community Reactions === | === Community Reactions === | ||
The wider community responded to the Bitfinex hack with concern and interest<ref name="siliconangle-3019" />. Reddit users actively discussed and speculated on the extent of the hack, with some attempting to track the amount of bitcoins stolen. The incident drew attention to the security vulnerabilities of cryptocurrency exchanges and prompted discussions about the importance of robust security measures in the industry. Additionally, the hack added to the growing number of reported hacks against Bitcoin exchanges in 2015, contributing to a sense of caution among cryptocurrency users and investors<ref name="siliconangle-3019" /> | The wider community responded to the Bitfinex hack with concern and interest<ref name="siliconangle-3019" />. Reddit users actively discussed and speculated on the extent of the hack, with some attempting to track the amount of bitcoins stolen. The incident drew attention to the security vulnerabilities of cryptocurrency exchanges and prompted discussions about the importance of robust security measures in the industry. Additionally, the hack added to the growing number of reported hacks against Bitcoin exchanges in 2015, contributing to a sense of caution among cryptocurrency users and investors<ref name="siliconangle-3019" /> | ||
TBD - Add information from <ref name="reddit-3020" />. | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
| Line 102: | Line 115: | ||
"Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension." | "Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension." | ||
== Ongoing Developments == | == Ongoing Developments == | ||
Bitfinex continues to operate as one of the largest global exchanges<ref>[https://www.bitfinex.com/ BitFinex Homepage] (Accessed May 14, 2024)</ref>. | |||
== | == Individual Prevention Policies == | ||
In this case, there were no customer losses. | In this case, there were no customer losses. {{Prevention:Individuals:No Individual Funds Lost}} | ||
{{Prevention:Individuals:Avoid Third Party Custodians}} | |||
{{Prevention:Individuals: | |||
{{Prevention:Individuals:End}} | {{Prevention:Individuals:End}} | ||
== Platform Prevention Policies == | == Platform Prevention Policies == | ||
{{Prevention:Platforms: | Greater security can be obtained by storing more funds in offline multi-signature storage, and signing specific transactions for larger withdrawals. | ||
{{Prevention:Platforms:Implement Multi-Signature}} | |||
{{Prevention:Platforms:Regular Audit Procedures}} | |||
{{Prevention:Platforms:Establish Industry Insurance Fund}} | |||
{{Prevention:Platforms:End}} | {{Prevention:Platforms:End}} | ||
== Regulatory Prevention Policies == | == Regulatory Prevention Policies == | ||
{{Prevention:Regulators: | {{Prevention:Regulators:Platform Security Assessments}} | ||
{{Prevention:Regulators:Establish Industry Insurance Fund}} | |||
{{Prevention:Regulators:End}} | {{Prevention:Regulators:End}} | ||
| Line 140: | Line 157: | ||
<ref name="bitfinextwitter-3017">[https://twitter.com/bitfinex/status/601716397497065473 BitFinex - "Urgent Action Required: Don't deposit to old BTC addresses. New addresses are online and updates will follow soon." - Twitter] (Accessed Sep 12, 2021)</ref> | <ref name="bitfinextwitter-3017">[https://twitter.com/bitfinex/status/601716397497065473 BitFinex - "Urgent Action Required: Don't deposit to old BTC addresses. New addresses are online and updates will follow soon." - Twitter] (Accessed Sep 12, 2021)</ref> | ||
<ref name="bitfinexarchive-3018">[https://web.archive.org/web/20160306151326/https://www.bitfinex.com/pages/announcements?id=35 Urgent action required - BitFinex Announcements Archive March 6th, 2016 8:13:26 AM MST] (Sep 12, 2021)</ref> | <ref name="bitfinexarchive-3018">[https://web.archive.org/web/20160306151326/https://www.bitfinex.com/pages/announcements?id=35 Urgent action required - BitFinex Announcements Archive March 6th, 2016 8:13:26 AM MST] (Sep 12, 2021)</ref> | ||
<ref name="reddit-3020">[https:// | <ref name="reddit-3020">[https://old.reddit.com/r/Bitcoin/comments/36v29t/bitfinex_hack2252015_1459_bitcoins_lost/ Bitfinex hack(22/5/2015): 1459 bitcoins lost - Reddit] (Sep 12, 2021)</ref> | ||
<ref name="blockchaindotcom-3021">[https://www.blockchain.com/btc/address/17owg8RWb73qfE5HeQk6gg6RAgEUfxPXks Address | <ref name="blockchaindotcom-3021">[https://www.blockchain.com/btc/address/17owg8RWb73qfE5HeQk6gg6RAgEUfxPXks Hacker Blockchain Address - Blockchain.com Explorer] (Sep 12, 2021)</ref> | ||
</references> | </references> | ||
Revision as of 17:03, 14 May 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Bitfinex was the largest exchange by volume at this time. It stored the vast majority of funds in proper sold storage, and a relatively small amount was in a hot wallet, which was breached. The exchange absorbed the loss without impact to customers.
This exchange or platform is based in Hong Kong, or the incident targeted people primarily in Hong Kong.[1][2][3][4][5][6]
About BitFinex
Bitfinex, a cryptocurrency exchange owned by iFinex Inc and registered in the British Virgin Islands, was founded in 2012 as a peer-to-peer Bitcoin exchange and later expanded to support other cryptocurrencies[7]. Offering high-volume trading and various products including spot and derivatives trading, margin funding, and over-the-counter markets, Bitfinex quickly became one of the first professional platforms in cryptocurrency trading[7].
Bitfinex, founded in 2012 and based in Hong Kong, operates as a leading cryptocurrency exchange offering various functions like bitcoin to fiat exchange, margin trading, and liquidity provision[8]. Despite being among the highest-volume exchanges globally, Bitfinex continues to operate and remains popular for its extensive trading options, customizable interface, low fees, and wide range of supported currencies and pairs[8]. Bitfinex provides a user-friendly trading platform. It requires KYC verification for certain services but offers basic access with just an email[8].
Bitfinex functions as a bitcoin to fiat exchange, a margin trading platform, a liquidity provider, and an OTC desk[9][10]. It provides features like shorting Bitcoin through margin trading, expanding financial positions[9]. The exchange offers a wide range of trading pairs, high liquidity, and various trading options[10]. Additionally, the platform offers cryptocurrencies like Litecoin and Ethereum for trading, not just Bitcoin[9]. The platform charges competitive trading fees based on trading volume and offers flexibility in deposit and withdrawal methods, including bank transfers and cryptocurrency transfers[10]. Deposits and withdrawals are conducted through bank transfers, with fees of 0.1% and a minimum of $20, while Bitcoin and Litecoin transactions are free of charge[9].
The Reality
Bitfinex's trust and privacy are questioned due to its opaque operations and controversies surrounding its management and partnerships[8]. Bitfinex has faced criticism for its lack of transparency and connection to Tether (USDT), accused of manipulative activities[8].
What Happened
Bitfinex experienced a theft of over 1,400 bitcoins from their hot wallet in May 2015.
| Date | Event | Description |
|---|---|---|
| May 22nd, 2015 4:32:16 AM MDT | Reddit Discussion Started | A thread is started in the Bitcoin subreddit about the attack[2]. The total amount of the loss is revealed to be 1,459 bitcoin, and multiple bitcoin wallet addresses associated with BitFinex and the attacker are revealed[2]. Users comment on the situation, discussing potential security vulnerabilities, the ongoing hack, and the implications for Bitfinex users[2]. A lively discussion touches on topics like the nature of cold wallets, the risk of theft, and the role of human error in security breaches[2]. |
| May 22nd, 2015 5:40:20 AM MDT | CoinTelegraph Article Published | CoinTelegraph reports that BitFinex's hot wallet was hacked, resulting in the potential loss of over 1,500 bitcoins, equivalent to approximately $330,000 USD at the time[1]. Despite the breach, BitFinex assured its users that trading was not affected and confirmed that a new hot wallet had been generated to address the issue. The company urged users to refrain from depositing funds into old addresses and reassured them that their accounts would not be affected, with the entire loss to be absorbed by the exchange. While the Reddit Bitcoin community speculated on the destination of the stolen coins, BitFinex's handling of the situation raised questions about the security of cryptocurrency exchanges[1]. |
| May 22nd, 2015 5:49:00 AM MDT | Twitter Post About Incident | BitFinex tweets on Twitter about the breach[11]. This links to their announcement on their website[12] and recommends that users do not deposit funds to previous deposit addresses[11]. |
| May 24th, 2015 5:12:54 PM MDT | SiliconAngle Article | SiliconANGLE reports that Bitfinex, a Hong Kong-based Bitcoin exchange operated by iFinex Inc. (Bvi), experienced a hack resulting in the theft of approximately 1474 BTC from its hot wallet, constituting about 0.5% of the company's total held bitcoins[13]. Following the breach, Bitfinex urged users to suspend bitcoin deposits until the issue was resolved. Despite the incident, the exchange assured customers that over 99.5% of users' BTC deposits were kept in secure multisig wallets[13]. Reddit users estimated the amount stolen, and Bitfinex announced plans to create a new hot wallet and absorb the costs of the hack to ensure customers remain unaffected[13]. The exchange, ranked as the second-largest by volume, behind OKCoin, vowed to enhance its security measures[13]. |
Technical Details
Bitfinex used a wallet infrastructure which consisted of separate hot wallets (which were considered intermediate wallets and still intended to be of high security) and cold wallets. In May of 2015, a successful attack was undertaken against Bitfinex's intermediate/hot wallets and over 1,400 bitcoin were transferred to a wallet set up by the attacker.
Mechanisms Of Breach
The exact security setup and mechanism of Bitfinex's intermediate wallets and how they were breached is not widely available.
Blockchain Wallets Affected
Information about the wallets used by the Bitfinex platform was posted on Reddit[2].
Hacker Blockchain Address:[3]
Bitfinex Intermediate Wallet:[14]
Bitfinex Cold Wallets:[15][16]
Total bitcoins of Bitfinex in Cold wallet(Found now): 115000+116849=231849BTC
Total bitcoins lost to today hack(up to now 12:22PM GMT): 1474BTC
Percentage of lost: 1474/231849 = 0.635%
Laundering Of Funds
"Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours."
Total Amount Lost
Amounts publicly reported have been as varied as 1,400 BTC[17], 1,459 BTC[2], 1,474 BTC[13], 1,500 BTC, and over 1,500 BTC.
The market price estimates for the value taken have been $356,000 USD or $400,000 USD.
"In May 2015, 1500 bitcoins were stolen during a hack."
"Bitfinex los[t] 1,500 bitcoin, worth $400,000 at the time, when its hot wallets, connected directly to the internet, are hacked."
"Following the hack, Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours."
The total amount lost has been estimated at $356,000 USD.
Immediate Reactions
Bitfinex reacted to the hack by promptly issuing an urgent message to its customers, advising them to cease depositing cryptocurrency and suspend bitcoin deposits until the potential compromise was resolved[13]. The exchange acknowledged that although the majority of users' BTC deposits were kept in secure multisig wallets, the small remaining amount in coins in their hot wallet was vulnerable to attack[13]. Bitfinex assured its customers that the incident, while unfortunate, would be fully absorbed by the company. Additionally, the exchange announced plans to create a new hot wallet and reassured customers that their funds would remain unaffected.[13]
BitFinex continued operating their trading platform throughout the incident[18]. Bitfinex notified users of the breach on their website, requesting that users not deposit to the previously used deposit addresses[11][12].
Announcement On Website
Bitfinex shared an announcement about the breach on their website[12] and spread word through Twitter[11].
Dear Customer although we keep over 99.5% of users' BTC deposits in secure multisig wallets, the small remaining amount in coins in our hot wallet are theoretically vulnerable to attack. We believe that our hot wallet keys might have been compromised and ask that all of our customer cease depositing cryptocurrency to old deposits addresses. We are in the process of creating a new hot wallet and will advise within the next few hours. Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension. Bitfinex Team
"BitFinex’s hot wallet has been compromised. The hack may have resulted in the loss of only 0.5% of the total funds." "The amount represents 0.06 percent of the company’s total holdings."[17]
"BitFinex' Director of Community and Product Development, Zane Tackett, told Cointelegraph that "trading was not affected" and confirmed that the Bitcoin address posted in the article below does indeed belong to the culprit. He also said they have generated a new hot wallet "using a spare-machine designed especially for scenarios like this.""
"Don't deposit to old BTC addresses. New addresses are online and updates will follow soon."
Community Reactions
The wider community responded to the Bitfinex hack with concern and interest[13]. Reddit users actively discussed and speculated on the extent of the hack, with some attempting to track the amount of bitcoins stolen. The incident drew attention to the security vulnerabilities of cryptocurrency exchanges and prompted discussions about the importance of robust security measures in the industry. Additionally, the hack added to the growing number of reported hacks against Bitcoin exchanges in 2015, contributing to a sense of caution among cryptocurrency users and investors[13]
TBD - Add information from [2].
Ultimate Outcome
Following this and other hacking incidents, Bitfinex has strengthened its security measures and compensated users for their losses[10]. Bitfinex has moved from a hot wallet cold wallet set up to segregating customer funds where each user has access to their own wallet which they can review on the blockchain[9]. Bitfinex now prioritizes user security with features like 2FA, IP monitoring, and cold storage for funds[10].
"Bitfinex indicates it will absorb the losses." "Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension."
The incident was included in a list put together by Kyle Gibson[17] and BitcoinExchangeGuide[19].
The exchange has suffered security breaches and legal issues, including a lawsuit from the State of New York in 2019[8].
Despite this security breach and a later fine imposed by the U.S. Commodity Futures Trading Commission in 2016, Bitfinex remains a significant player in the cryptocurrency exchange market[7].
Total Amount Recovered
Bitfinex continued operating their trading platform throughout the incident[18] and repeatedly indicated that they would cover the loss for users[17]. Bitfinex ultimately strengthened their security measures and compensated users for their losses[10].
"Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension."
Ongoing Developments
Bitfinex continues to operate as one of the largest global exchanges[20].
Individual Prevention Policies
In this case, there were no customer losses. This case does not appear to have resulted in a loss to any individual.
When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Greater security can be obtained by storing more funds in offline multi-signature storage, and signing specific transactions for larger withdrawals.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ 1.0 1.1 1.2 BitFinex's Hot Wallet Hacked, More Than 1,500 Bitcoins Stolen [UPDATE] - CoinTelegraph (Sep 12, 2021)
- ↑ 2.0 2.1 2.2 2.3 2.4 2.5 2.6 2.7 Bitfinex hack(22/5/2015): 1459 bitcoins lost - Reddit (Sep 12, 2021)
- ↑ 3.0 3.1 Hacker Blockchain Address - Blockchain.com Explorer (Sep 12, 2021)
- ↑ https://bitcoinmagazine.com/articles/bitfinex-hot-wallets-hacked-1400-bitcoin-may-stolen-1432326539/
- ↑ https://bitcoinmagazine.com/articles/warning-signs-timeline-tether-and-bitfinex-events/
- ↑ https://www.hackread.com/bitcoin-exchange-bitfinex-hot-wallet-hacked/
- ↑ 7.0 7.1 7.2 Bitfinex - Wikipedia (Aug 6, 2021)
- ↑ 8.0 8.1 8.2 8.3 8.4 8.5 Bitfinex Exchange: User Review Guide - Master The Crypto (Aug 7, 2021)
- ↑ 9.0 9.1 9.2 9.3 9.4 Bitfinex Exchange Reviews, Live Markets, Guides, Bitcoin charts - CryptoCompare (Aug 7, 2021)
- ↑ 10.0 10.1 10.2 10.3 10.4 10.5 Bitfinex Review (2021) - Is It Trustworthy? - CryptoNews (Accessed Aug 7, 2021)
- ↑ 11.0 11.1 11.2 11.3 BitFinex - "Urgent Action Required: Don't deposit to old BTC addresses. New addresses are online and updates will follow soon." - Twitter (Accessed Sep 12, 2021)
- ↑ 12.0 12.1 12.2 Urgent action required - BitFinex Announcements Archive March 6th, 2016 8:13:26 AM MST (Sep 12, 2021)
- ↑ 13.0 13.1 13.2 13.3 13.4 13.5 13.6 13.7 13.8 13.9 Bitfinex Bitcoin exchange hot wallet hacked, estimated 1474 BTC stolen - SiliconANGLE (Sep 12, 2021)
- ↑ BitFinex Intermediate Wallet - Blockchain.info Explorer (Accessed May 14, 2024)
- ↑ BitFinex Cold Storage Wallet 1 - Blockchain.info Explorer (Accessed May 14, 2024)
- ↑ BitFinex Cold Storage Wallet 2 - Blockchain.info Explorer (Accessed May 14, 2024)
- ↑ 17.0 17.1 17.2 17.3 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Accessed Jan 25, 2020)
- ↑ 18.0 18.1 Stanislas Marion - "@bitfinex why haven't you halted trading until the matter is resolved ?" - Twitter (Accessed Apr 19, 2024)
- ↑ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Accessed Mar 5, 2020)
- ↑ BitFinex Homepage (Accessed May 14, 2024)
Cite error: <ref> tag with name "bbc-15" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "cointelegraph-2238" defined in <references> is not used in prior text.