Yesterday, more than $60 million worth of Bitcoin was stolen from Bitfinex, one of the world's largest digital currency exchanges. 24 hours later, the incident is still shrouded in mystery. It is clear, however, that its impact is far-reaching.

The Bitfinex theft is the largest loss of Bitcoin since the infamous Mt. Gox theft in Japan in 2014, when 744,408 BTC (worth $350 million) were lost, leading to the collapse of Mt. Gox. At press time, the 119,756 BTC stolen is worth approximately $66 million, or 18% of the Mt. Gox incident.

Given its scale, the incident has caused confusion and frustration among market traders and observers since it was announced. People close to Bitfinex have largely avoided commenting on whether the 119,756 BTC is all that was stolen. Bitfinex itself has not released any results from its ongoing internal investigation.

Here’s what we know and don’t know so far:

What we know

Multi-signature accounts affected

The source of the breach appears to lie in Bitfinex’s account structure and its use of bitcoin wallet provider BitGo as an additional layer of security for customer transactions. In 2015, Bitfinex and BitGo announced that they would jointly create a wallet system that uses multi-signature wallets, where the keys to these wallets are provided to each customer to manage risk. The exchange announced at the time:
As the quote goes, the two companies sought an alternative to the standard procedure then used by the exchange, in which customer funds were commingled into larger offline wallets linked to ‘hot’ wallets to meet greater liquidity needs. Instead, every Bitfinex user has a set of keys created on the platform in a two-of-three arrangement, with Bitfinex holding two of the keys (including one offline key) and BitGo using the third key to co-sign transactions. To withdraw so much money from Bitfinex, BitGo would have had to sign off on the transactions.

Bitfinex users suffered heavy losses

While the exact toll on individual users is unclear, signs suggest a significant subset of the bitcoin trading community was affected. In the hours after news of the theft emerged, community members took to Twitter and Reddit to report that their accounts had been emptied. Some users expressed anger that their accounts were stolen despite security measures such as two-factor authentication, where a secondary device such as a mobile phone provides an extra layer of encryption. On the other hand, funds transferred to the exchange after the attack are said to be safe, but the exchange has not yet released information on when and how withdrawals will be made.

Bitcoin price drops sharply

The most direct impact of the Bitfinex attack was on the price of Bitcoin. After news of the attack was released, the price began to plummet. Prices fell nearly 20%, reaching as low as $480 before recovering. At press time, bitcoin is trading at around $552, according to the CoinDesk Bitcoin USD Price Index, up nearly $70 from yesterday.

Bitfinex remains offline

Currently, Bitfinex is still offline. Bitfinex’s statement said the company was looking to get back online so users could check their balances and determine if their accounts had been drained.

What we don't know

Whose responsibility is it?
Because of the amount of money involved, many in the community have begun looking for a scapegoat. One obvious target is Bitfinex itself, which controls two of the three private keys needed to withdraw funds from multi-signature accounts. Some question whether the weaknesses of BitGo's model were also exposed in this incident. Yesterday, BitGo said via social media that it had conducted an internal investigation and found no evidence of a vulnerability on its side. Despite these assurances, some observers have blamed BitGo’s ‘blind signature’ service for the withdrawal of nearly 120,000 BTC, wondering why there were no underlying counter-measures for a fund movement of this magnitude. The 30-day Bitcoin transaction volume is only 600,000 BTC, and the transaction volume transferred by this attack reached one-sixth of the monthly volume.

When will legal funds be available?

One common issue facing users is the status of deposits not denominated in Bitcoin. Since the attack was first revealed, Bitfinex has said that only Bitcoin holdings were affected. Several customers are taking to social media to ask when they will be able to access or withdraw their funds. However, answers may be coming soon. Bitfinex representative Zane Tackett, who has been responding via social media, said more information will be released soon.

Are other exchanges affected?

Other market observers were quick to speculate whether the incident would also affect other exchanges that use Bitfinex as a source of liquidity. It is known that Bitfinex does offer an API and that it was used by other exchanges at one point, although the primary end market appears to be brokers and traders. This problem was first seen in the Bitstamp hack in early 2015, when the exchange, merchants, and ATM providers connected to the exchange all suffered significant damage. It was not immediately clear if any smaller exchanges were affected.
Kraken and Bitstamp exchanges said they implemented BitGo’s multi-signature technology differently than Bitfinex. Vasja Zupan, head of business development at Bitstamp, said:
Kraken CEO Jesse Powell said via email that while he could not provide detailed information about the exchange’s security measures, “we are very confident in our security configuration.”

Is BitGo’s business model at risk?

Regardless of whether BitGo is viewed as being at fault, it may lose the public opinion war. The news indicates that BitGo’s business model is mainly based on charging corporate clients for its services, and Bitcoin exchanges are the company’s main target market. A representative of a major exchange said the incident raised questions about the multi-signature model and that further deployment of this model may be delayed due to the vulnerability. However, the exchanges’ statements regarding the feasibility of BitGo’s implementation suggest that at least some of the service’s customers do not want to make any changes, at least for now.

Is the CFTC to blame?

Bitfinex settled with the U.S. Commodity Futures Trading Commission (CFTC) earlier this year over alleged trading irregularities, paying $75,000 while neither admitting nor denying the allegations. On this issue, the CFTC said at the time that the exchange held private keys for bitcoins linked to user funds that were linked to margin trading. The agency believed that these bitcoins were not actually "delivered" to users after they were purchased, but remained under the control of Bitfinex. Since the Bitfinex hack, some critics have pointed out that the language of the CFTC settlement created ideal conditions for theft because it prohibits Bitfinex from cold storing user funds. However, advocacy group Coin Center disputed the claim that the CFTC was to blame, arguing that multi-sig is just one of many security measures and is as susceptible to vulnerabilities or failures as any other. Press materials from last year also indicate that Bitfinex’s relationship with BitGo predates the CFTC’s investigation.
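The criticism above, that a co-signer holding the third key applied no counter-measures to a fund movement of this size, can be made concrete with a small model. This is an added example, not code from BitGo, Bitfinex or the original article; the class, the limits and the request burst are constructed, and it assumes the co-signer can see the wallet and amount of each request it is asked to sign.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class CoSignerPolicy:
    """Hypothetical third-key holder that checks limits before co-signing."""
    per_wallet_limit: float   # max BTC per wallet per window (constructed)
    global_limit: float       # max BTC across all wallets per window (constructed)
    window_s: int = 86_400    # rolling window in seconds
    _log: deque = field(default_factory=deque)  # approved (ts, wallet, amount)

    def _spent(self, now, wallet=None):
        # Expire approvals older than the window, then total what remains.
        while self._log and self._log[0][0] <= now - self.window_s:
            self._log.popleft()
        return sum(a for _, w, a in self._log if wallet is None or w == wallet)

    def review(self, ts, wallet, amount, first_sig_ok):
        """Return (co_sign, reason) for a request that already carries one signature."""
        if not first_sig_ok:
            return False, "missing first signature"
        if self._spent(ts, wallet) + amount > self.per_wallet_limit:
            return False, "per-wallet limit"
        if self._spent(ts) + amount > self.global_limit:
            return False, "global velocity limit"
        self._log.append((ts, wallet, amount))
        return True, "ok"

def blind_cosign(ts, wallet, amount, first_sig_ok):
    """Co-signs anything that arrives with a valid first signature."""
    return first_sig_ok, "ok" if first_sig_ok else "missing first signature"

def simulate(requests, reviewer):
    """Total BTC that ends up with the second signature."""
    return sum(amt for ts, w, amt in requests if reviewer(ts, w, amt, True)[0])

# Constructed burst: 200 segregated wallets, 50 BTC each, one request per second.
BURST = [(t, f"wallet-{t}", 50.0) for t in range(200)]

if __name__ == "__main__":
    policy = CoSignerPolicy(per_wallet_limit=100.0, global_limit=1000.0)
    print("blind co-signer released:", simulate(BURST, blind_cosign), "BTC")
    print("policy co-signer released:", simulate(BURST, policy.review), "BTC")
```

Every request in the burst stays under the per-wallet limit, so only the aggregate limit across wallets stops it; a valid first signature alone says nothing about whether the holder of the other keys is still in control of them.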