Bitfinex Hot Wallet Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:03, 14 May 2024 by Azoundria (talk | contribs) (COMPLETE 30 minutes. Overall review and minor tweaks to the article. Completed a full prevention section for individuals, platforms, and regulators. Merged the information from the original prevention description. Filled in a basic technical details section and integrated data from the blockchain, which was uncovered from a Reddit post in the sources already. Added more information about the Reddit thread to the timeline. Improved consistency of casing throughout the article.)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

BitFinex Logo/Homepage

Bitfinex was the largest exchange by volume at this time. It stored the vast majority of funds in proper sold storage, and a relatively small amount was in a hot wallet, which was breached. The exchange absorbed the loss without impact to customers.



This exchange or platform is based in Hong Kong, or the incident targeted people primarily in Hong Kong.[1][2][3][4][5][6]

About BitFinex

Bitfinex, a cryptocurrency exchange owned by iFinex Inc and registered in the British Virgin Islands, was founded in 2012 as a peer-to-peer Bitcoin exchange and later expanded to support other cryptocurrencies[7]. Offering high-volume trading and various products including spot and derivatives trading, margin funding, and over-the-counter markets, Bitfinex quickly became one of the first professional platforms in cryptocurrency trading[7].

Bitfinex, founded in 2012 and based in Hong Kong, operates as a leading cryptocurrency exchange offering various functions like bitcoin to fiat exchange, margin trading, and liquidity provision[8]. Despite being among the highest-volume exchanges globally, Bitfinex continues to operate and remains popular for its extensive trading options, customizable interface, low fees, and wide range of supported currencies and pairs[8]. Bitfinex provides a user-friendly trading platform. It requires KYC verification for certain services but offers basic access with just an email[8].

Bitfinex functions as a bitcoin to fiat exchange, a margin trading platform, a liquidity provider, and an OTC desk[9][10]. It provides features like shorting Bitcoin through margin trading, expanding financial positions[9]. The exchange offers a wide range of trading pairs, high liquidity, and various trading options[10]. Additionally, the platform offers cryptocurrencies like Litecoin and Ethereum for trading, not just Bitcoin[9]. The platform charges competitive trading fees based on trading volume and offers flexibility in deposit and withdrawal methods, including bank transfers and cryptocurrency transfers[10]. Deposits and withdrawals are conducted through bank transfers, with fees of 0.1% and a minimum of $20, while Bitcoin and Litecoin transactions are free of charge[9].

The Reality

Bitfinex's trust and privacy are questioned due to its opaque operations and controversies surrounding its management and partnerships[8]. Bitfinex has faced criticism for its lack of transparency and connection to Tether (USDT), accused of manipulative activities[8].

What Happened

Bitfinex experienced a theft of over 1,400 bitcoins from their hot wallet in May 2015.

Key Event Timeline - Bitfinex Hot Wallet Hack
Date Event Description
May 22nd, 2015 4:32:16 AM MDT Reddit Discussion Started A thread is started in the Bitcoin subreddit about the attack[2]. The total amount of the loss is revealed to be 1,459 bitcoin, and multiple bitcoin wallet addresses associated with BitFinex and the attacker are revealed[2]. Users comment on the situation, discussing potential security vulnerabilities, the ongoing hack, and the implications for Bitfinex users[2]. A lively discussion touches on topics like the nature of cold wallets, the risk of theft, and the role of human error in security breaches[2].
May 22nd, 2015 5:40:20 AM MDT CoinTelegraph Article Published CoinTelegraph reports that BitFinex's hot wallet was hacked, resulting in the potential loss of over 1,500 bitcoins, equivalent to approximately $330,000 USD at the time[1]. Despite the breach, BitFinex assured its users that trading was not affected and confirmed that a new hot wallet had been generated to address the issue. The company urged users to refrain from depositing funds into old addresses and reassured them that their accounts would not be affected, with the entire loss to be absorbed by the exchange. While the Reddit Bitcoin community speculated on the destination of the stolen coins, BitFinex's handling of the situation raised questions about the security of cryptocurrency exchanges[1].
May 22nd, 2015 5:49:00 AM MDT Twitter Post About Incident BitFinex tweets on Twitter about the breach[11]. This links to their announcement on their website[12] and recommends that users do not deposit funds to previous deposit addresses[11].
May 24th, 2015 5:12:54 PM MDT SiliconAngle Article SiliconANGLE reports that Bitfinex, a Hong Kong-based Bitcoin exchange operated by iFinex Inc. (Bvi), experienced a hack resulting in the theft of approximately 1474 BTC from its hot wallet, constituting about 0.5% of the company's total held bitcoins[13]. Following the breach, Bitfinex urged users to suspend bitcoin deposits until the issue was resolved. Despite the incident, the exchange assured customers that over 99.5% of users' BTC deposits were kept in secure multisig wallets[13]. Reddit users estimated the amount stolen, and Bitfinex announced plans to create a new hot wallet and absorb the costs of the hack to ensure customers remain unaffected[13]. The exchange, ranked as the second-largest by volume, behind OKCoin, vowed to enhance its security measures[13].

Technical Details

Bitfinex used a wallet infrastructure which consisted of separate hot wallets (which were considered intermediate wallets and still intended to be of high security) and cold wallets. In May of 2015, a successful attack was undertaken against Bitfinex's intermediate/hot wallets and over 1,400 bitcoin were transferred to a wallet set up by the attacker.

Mechanisms Of Breach

The exact security setup and mechanism of Bitfinex's intermediate wallets and how they were breached is not widely available.

Blockchain Wallets Affected

Information about the wallets used by the Bitfinex platform was posted on Reddit[2].

Hacker Blockchain Address:[3]

Bitfinex Intermediate Wallet:[14]

Bitfinex Cold Wallets:[15][16]

Total bitcoins of Bitfinex in Cold wallet(Found now): 115000+116849=231849BTC

Total bitcoins lost to today hack(up to now 12:22PM GMT): 1474BTC

Percentage of lost: 1474/231849 = 0.635%

Laundering Of Funds

"Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours."

Total Amount Lost

Amounts publicly reported have been as varied as 1,400 BTC[17], 1,459 BTC[2], 1,474 BTC[13], 1,500 BTC, and over 1,500 BTC.

The market price estimates for the value taken have been $356,000 USD or $400,000 USD.

"In May 2015, 1500 bitcoins were stolen during a hack."

"Bitfinex los[t] 1,500 bitcoin, worth $400,000 at the time, when its hot wallets, connected directly to the internet, are hacked."

"Following the hack, Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours."

The total amount lost has been estimated at $356,000 USD.

Immediate Reactions

Bitfinex reacted to the hack by promptly issuing an urgent message to its customers, advising them to cease depositing cryptocurrency and suspend bitcoin deposits until the potential compromise was resolved[13]. The exchange acknowledged that although the majority of users' BTC deposits were kept in secure multisig wallets, the small remaining amount in coins in their hot wallet was vulnerable to attack[13]. Bitfinex assured its customers that the incident, while unfortunate, would be fully absorbed by the company. Additionally, the exchange announced plans to create a new hot wallet and reassured customers that their funds would remain unaffected.[13]

BitFinex continued operating their trading platform throughout the incident[18]. Bitfinex notified users of the breach on their website, requesting that users not deposit to the previously used deposit addresses[11][12].

Announcement On Website

Bitfinex shared an announcement about the breach on their website[12] and spread word through Twitter[11].

Dear Customer although we keep over 99.5% of users' BTC deposits in secure multisig wallets, the small remaining amount in coins in our hot wallet are theoretically vulnerable to attack. We believe that our hot wallet keys might have been compromised and ask that all of our customer cease depositing cryptocurrency to old deposits addresses. We are in the process of creating a new hot wallet and will advise within the next few hours. Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension. Bitfinex Team


"BitFinex’s hot wallet has been compromised. The hack may have resulted in the loss of only 0.5% of the total funds." "The amount represents 0.06 percent of the company’s total holdings."[17]

"BitFinex' Director of Community and Product Development, Zane Tackett, told Cointelegraph that "trading was not affected" and confirmed that the Bitcoin address posted in the article below does indeed belong to the culprit. He also said they have generated a new hot wallet "using a spare-machine designed especially for scenarios like this.""

"Don't deposit to old BTC addresses. New addresses are online and updates will follow soon."

Community Reactions

The wider community responded to the Bitfinex hack with concern and interest[13]. Reddit users actively discussed and speculated on the extent of the hack, with some attempting to track the amount of bitcoins stolen. The incident drew attention to the security vulnerabilities of cryptocurrency exchanges and prompted discussions about the importance of robust security measures in the industry. Additionally, the hack added to the growing number of reported hacks against Bitcoin exchanges in 2015, contributing to a sense of caution among cryptocurrency users and investors[13]

TBD - Add information from [2].

Ultimate Outcome

Following this and other hacking incidents, Bitfinex has strengthened its security measures and compensated users for their losses[10]. Bitfinex has moved from a hot wallet cold wallet set up to segregating customer funds where each user has access to their own wallet which they can review on the blockchain[9]. Bitfinex now prioritizes user security with features like 2FA, IP monitoring, and cold storage for funds[10].

"Bitfinex indicates it will absorb the losses." "Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension."

The incident was included in a list put together by Kyle Gibson[17] and BitcoinExchangeGuide[19].

The exchange has suffered security breaches and legal issues, including a lawsuit from the State of New York in 2019[8].

Despite this security breach and a later fine imposed by the U.S. Commodity Futures Trading Commission in 2016, Bitfinex remains a significant player in the cryptocurrency exchange market[7].

Total Amount Recovered

Bitfinex continued operating their trading platform throughout the incident[18] and repeatedly indicated that they would cover the loss for users[17]. Bitfinex ultimately strengthened their security measures and compensated users for their losses[10].

"Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension."

Ongoing Developments

Bitfinex continues to operate as one of the largest global exchanges[20].

Individual Prevention Policies

In this case, there were no customer losses. This case does not appear to have resulted in a loss to any individual.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Greater security can be obtained by storing more funds in offline multi-signature storage, and signing specific transactions for larger withdrawals.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 1.2 BitFinex's Hot Wallet Hacked, More Than 1,500 Bitcoins Stolen [UPDATE] - CoinTelegraph (Sep 12, 2021)
  2. 2.0 2.1 2.2 2.3 2.4 2.5 2.6 2.7 Bitfinex hack(22/5/2015): 1459 bitcoins lost - Reddit (Sep 12, 2021)
  3. 3.0 3.1 Hacker Blockchain Address - Blockchain.com Explorer (Sep 12, 2021)
  4. https://bitcoinmagazine.com/articles/bitfinex-hot-wallets-hacked-1400-bitcoin-may-stolen-1432326539/
  5. https://bitcoinmagazine.com/articles/warning-signs-timeline-tether-and-bitfinex-events/
  6. https://www.hackread.com/bitcoin-exchange-bitfinex-hot-wallet-hacked/
  7. 7.0 7.1 7.2 Bitfinex - Wikipedia (Aug 6, 2021)
  8. 8.0 8.1 8.2 8.3 8.4 8.5 Bitfinex Exchange: User Review Guide - Master The Crypto (Aug 7, 2021)
  9. 9.0 9.1 9.2 9.3 9.4 Bitfinex Exchange Reviews, Live Markets, Guides, Bitcoin charts - CryptoCompare (Aug 7, 2021)
  10. 10.0 10.1 10.2 10.3 10.4 10.5 Bitfinex Review (2021) - Is It Trustworthy? - CryptoNews (Accessed Aug 7, 2021)
  11. 11.0 11.1 11.2 11.3 BitFinex - "Urgent Action Required: Don't deposit to old BTC addresses. New addresses are online and updates will follow soon." - Twitter (Accessed Sep 12, 2021)
  12. 12.0 12.1 12.2 Urgent action required - BitFinex Announcements Archive March 6th, 2016 8:13:26 AM MST (Sep 12, 2021)
  13. 13.0 13.1 13.2 13.3 13.4 13.5 13.6 13.7 13.8 13.9 Bitfinex Bitcoin exchange hot wallet hacked, estimated 1474 BTC stolen - SiliconANGLE (Sep 12, 2021)
  14. BitFinex Intermediate Wallet - Blockchain.info Explorer (Accessed May 14, 2024)
  15. BitFinex Cold Storage Wallet 1 - Blockchain.info Explorer (Accessed May 14, 2024)
  16. BitFinex Cold Storage Wallet 2 - Blockchain.info Explorer (Accessed May 14, 2024)
  17. 17.0 17.1 17.2 17.3 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Accessed Jan 25, 2020)
  18. 18.0 18.1 Stanislas Marion - "@bitfinex why haven't you halted trading until the matter is resolved ?" - Twitter (Accessed Apr 19, 2024)
  19. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Accessed Mar 5, 2020)
  20. BitFinex Homepage (Accessed May 14, 2024)

Cite error: <ref> tag with name "bbc-15" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "cointelegraph-2238" defined in <references> is not used in prior text.

Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Bitfinex_Hot_Wallet_Hack&oldid=5887"