Bitfinex Hot Wallet Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:00, 25 April 2024 by Azoundria (talk | contribs) (30 minutes. Confirmed information already integrated from Master The Crypto. Integrated information from Wikipedia. Integrated information from SiliconANGLE article on the breach. Started integrating information from the CoinTelegraph article.)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

BitFinex Homepage/Logo

Bitfinex was the largest exchange by volume at this time. It stored the vast majority of funds in proper sold storage, and a relatively small amount was in a hot wallet, which was breached.

The exchange absorbed the loss without impact to customers.


This exchange or platform is based in Hong Kong, or the incident targeted people primarily in Hong Kong.[1][2][3][4][5][6]

About BitFinex

Bitfinex, a cryptocurrency exchange owned by iFinex Inc and registered in the British Virgin Islands, was founded in 2012 as a peer-to-peer Bitcoin exchange and later expanded to support other cryptocurrencies[7]. Offering high-volume trading and various products including spot and derivatives trading, margin funding, and over-the-counter markets, Bitfinex quickly became one of the first professional platforms in cryptocurrency trading[7].

Bitfinex, founded in 2012 and based in Hong Kong, operates as a leading cryptocurrency exchange offering various functions like bitcoin to fiat exchange, margin trading, and liquidity provision[8]. Despite being among the highest-volume exchanges globally, Bitfinex continues to operate and remains popular for its extensive trading options, customizable interface, low fees, and wide range of supported currencies and pairs[8]. Bitfinex provides a user-friendly trading platform. It requires KYC verification for certain services but offers basic access with just an email[8].

BitFinex functions as a bitcoin to fiat exchange, a margin trading platform, a liquidity provider, and an OTC desk[9][10]. It provides features like shorting Bitcoin through margin trading, expanding financial positions[9]. The exchange offers a wide range of trading pairs, high liquidity, and various trading options[10]. Additionally, the platform offers cryptocurrencies like Litecoin and Ethereum for trading, not just Bitcoin[9]. The platform charges competitive trading fees based on trading volume and offers flexibility in deposit and withdrawal methods, including bank transfers and cryptocurrency transfers[10]. Deposits and withdrawals are conducted through bank transfers, with fees of 0.1% and a minimum of $20, while Bitcoin and Litecoin transactions are free of charge[9].

The Reality

Bitfinex's trust and privacy are questioned due to its opaque operations and controversies surrounding its management and partnerships[8]. Bitfinex has faced criticism for its lack of transparency and connection to Tether (USDT), accused of manipulative activities[8].

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

Bitfinex experienced a theft of over 1,400 bitcoins from their hot wallet in May 2015.

Key Event Timeline - Bitfinex Hot Wallet Hack
Date Event Description
May 22nd, 2015 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
May 22nd, 2015 5:40:20 AM MDT CoinTelegraph Article Published CoinTelegraph reports that BitFinex's hot wallet was hacked, resulting in the potential loss of over 1,500 bitcoins, equivalent to approximately $330,000 USD at the time[1]. Despite the breach, BitFinex assured its users that trading was not affected and confirmed that a new hot wallet had been generated to address the issue. The company urged users to refrain from depositing funds into old addresses and reassured them that their accounts would not be affected, with the entire loss to be absorbed by the exchange. While the Reddit Bitcoin community speculated on the destination of the stolen coins, BitFinex's handling of the situation raised questions about the security of cryptocurrency exchanges[1].
May 22nd, 2015 5:49:00 AM MDT Twitter Post About Incident BitFinex tweets on Twitter about the breach[11]. This links to their announcement on their website[12] and recommends that users do not deposit funds to previous deposit addresses[11].
May 24th, 2015 5:12:54 PM MDT SiliconAngle Article SiliconANGLE reports that Bitfinex, a Hong Kong-based Bitcoin exchange operated by iFinex Inc. (Bvi), experienced a hack resulting in the theft of approximately 1474 BTC from its hot wallet, constituting about 0.5% of the company's total held bitcoins[13]. Following the breach, Bitfinex urged users to suspend bitcoin deposits until the issue was resolved. Despite the incident, the exchange assured customers that over 99.5% of users' BTC deposits were kept in secure multisig wallets[13]. Reddit users estimated the amount stolen, and Bitfinex announced plans to create a new hot wallet and absorb the costs of the hack to ensure customers remain unaffected[13]. The exchange, ranked as the second-largest by volume, behind OKCoin, vowed to enhance its security measures[13].

Technical Details

"Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours."

Total Amount Lost

Amounts publicly reported have been as varied as 1,400 BTC[14], 1,459 BTC[2], 1,474 BTC[13], 1,500 BTC, and over 1,500 BTC.

The market price estimates for the value taken have been $356,000 USD or $400,000 USD.

"In May 2015, 1500 bitcoins were stolen during a hack."

"Bitfinex los[t] 1,500 bitcoin, worth $400,000 at the time, when its hot wallets, connected directly to the internet, are hacked."

"Following the hack, Reddit user gowithbtc tracked an estimated 1474 BTC (approximately $356 thousand USD) funneled away from Bitfinex in approximately eight hours."

The total amount lost has been estimated at $356,000 USD.

Immediate Reactions

Bitfinex reacted to the hack by promptly issuing an urgent message to its customers, advising them to cease depositing cryptocurrency and suspend bitcoin deposits until the potential compromise was resolved[13]. The exchange acknowledged that although the majority of users' BTC deposits were kept in secure multisig wallets, the small remaining amount in coins in their hot wallet was vulnerable to attack[13]. Bitfinex assured its customers that the incident, while unfortunate, would be fully absorbed by the company. Additionally, the exchange announced plans to create a new hot wallet and reassured customers that their funds would remain unaffected.[13]

BitFinex continued operating their trading platform throughout the incident[15]. BitFinex notified users of the breach on their website, requesting that users not deposit to the previously used deposit addresses[11][12].

Announcement On Website

BitFinex shared an announcement about the breach on their website[12] and spread word through Twitter[11].

Dear Customer although we keep over 99.5% of users' BTC deposits in secure multisig wallets, the small remaining amount in coins in our hot wallet are theoretically vulnerable to attack. We believe that our hot wallet keys might have been compromised and ask that all of our customer cease depositing cryptocurrency to old deposits addresses. We are in the process of creating a new hot wallet and will advise within the next few hours. Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension. Bitfinex Team


"BitFinex’s hot wallet has been compromised. The hack may have resulted in the loss of only 0.5% of the total funds." "The amount represents 0.06 percent of the company’s total holdings."[14]

"BitFinex' Director of Community and Product Development, Zane Tackett, told Cointelegraph that "trading was not affected" and confirmed that the Bitcoin address posted in the article below does indeed belong to the culprit. He also said they have generated a new hot wallet "using a spare-machine designed especially for scenarios like this.""

"Don't deposit to old BTC addresses. New addresses are online and updates will follow soon."

Community Reactions

The wider community responded to the Bitfinex hack with concern and interest[13]. Reddit users actively discussed and speculated on the extent of the hack, with some attempting to track the amount of bitcoins stolen. The incident drew attention to the security vulnerabilities of cryptocurrency exchanges and prompted discussions about the importance of robust security measures in the industry. Additionally, the hack added to the growing number of reported hacks against Bitcoin exchanges in 2015, contributing to a sense of caution among cryptocurrency users and investors[13]

Ultimate Outcome

Following this and other hacking incidents, Bitfinex has strengthened its security measures and compensated users for their losses[10]. Bitfinex has moved from a hot wallet cold wallet set up to segregating customer funds where each user has access to their own wallet which they can review on the blockchain[9]. Bitfinex now prioritizes user security with features like 2FA, IP monitoring, and cold storage for funds[10].

"Bitfinex indicates it will absorb the losses." "Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension."

The incident was included in a list put together by Kyle Gibson[14] and BitcoinExchangeGuide[16].

The exchange has suffered security breaches and legal issues, including a lawsuit from the State of New York in 2019[8].

Despite this security breach and a later fine imposed by the U.S. Commodity Futures Trading Commission in 2016, Bitfinex remains a significant player in the cryptocurrency exchange market[7].

Total Amount Recovered

Bitfinex continued operating their trading platform throughout the incident[15] and repeatedly indicated that they would cover the loss for users[14]. Bitfinex ultimately strengthened their security measures and compensated users for their losses[10].

"Although this incident is unfortunate, its scale is small and will be fully absorbed by the company. Thanks a lot for your patience and comprehension."

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

In this case, there were no customer losses.

Greater security can be obtained by storing more funds in offline multi-signature storage, and signing specific transactions for larger withdrawals.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 1.2 BitFinex's Hot Wallet Hacked, More Than 1,500 Bitcoins Stolen [UPDATE] - CoinTelegraph (Sep 12, 2021)
  2. 2.0 2.1 Bitfinex hack(22/5/2015): 1459 bitcoins lost - Reddit (Sep 12, 2021)
  3. Address: 17owg8RWb73qfE5HeQk6gg6RAgEUfxPXks - Blockchain Explorer (Sep 12, 2021)
  4. https://bitcoinmagazine.com/articles/bitfinex-hot-wallets-hacked-1400-bitcoin-may-stolen-1432326539/
  5. https://bitcoinmagazine.com/articles/warning-signs-timeline-tether-and-bitfinex-events/
  6. https://www.hackread.com/bitcoin-exchange-bitfinex-hot-wallet-hacked/
  7. 7.0 7.1 7.2 Bitfinex - Wikipedia (Aug 6, 2021)
  8. 8.0 8.1 8.2 8.3 8.4 8.5 Bitfinex Exchange: User Review Guide - Master The Crypto (Aug 7, 2021)
  9. 9.0 9.1 9.2 9.3 9.4 Bitfinex Exchange Reviews, Live Markets, Guides, Bitcoin charts - CryptoCompare (Aug 7, 2021)
  10. 10.0 10.1 10.2 10.3 10.4 10.5 Bitfinex Review (2021) - Is It Trustworthy? - CryptoNews (Accessed Aug 7, 2021)
  11. 11.0 11.1 11.2 11.3 BitFinex - "Urgent Action Required: Don't deposit to old BTC addresses. New addresses are online and updates will follow soon." - Twitter (Accessed Sep 12, 2021)
  12. 12.0 12.1 12.2 Urgent action required - BitFinex Announcements Archive March 6th, 2016 8:13:26 AM MST (Sep 12, 2021)
  13. 13.0 13.1 13.2 13.3 13.4 13.5 13.6 13.7 13.8 13.9 Bitfinex Bitcoin exchange hot wallet hacked, estimated 1474 BTC stolen - SiliconANGLE (Sep 12, 2021)
  14. 14.0 14.1 14.2 14.3 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Accessed Jan 25, 2020)
  15. 15.0 15.1 Stanislas Marion - "@bitfinex why haven't you halted trading until the matter is resolved ?" - Twitter (Accessed Apr 19, 2024)
  16. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Accessed Mar 5, 2020)

Cite error: <ref> tag with name "bbc-15" defined in <references> is not used in prior text.
Cite error: <ref> tag with name "cointelegraph-2238" defined in <references> is not used in prior text.

Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Bitfinex_Hot_Wallet_Hack&oldid=5709"