Earlier today, Bitfinex announced a security breach requiring them to halt all trading, deposits, and withdrawals on the Hong Kong-based bitcoin exchange.
Founded in 2012, Bitfinex has offices in Europe, Hong Kong, and the United States. It has been one of the world's leading bitcoin exchanges, with deep liquidity in the U.S. dollar/bitcoin currency pair. The company was one of the first to launch ETC trading soon after the hard fork of Ethereum last week, followed by ETCBTC and ETCUSD margin trading the next day.
The company revealed the breach at 2:16pm EST, “we know that some of our users have had their bitcoins stolen.” Bitfinex Director of Community & Product Development, Zane Tackett, confirmed on Reddit that “the loss from the hack stands at 119,756btc.”
Tackett confirmed that “No fiat was stolen, only btc.” He also said “other currencies were not affected,” although users are unable to trade, deposit or withdraw during the halting period.
“We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up.”
Bitfinex uses BitGo wallets to store customer bitcoins. “Even if you didn't set one up it's what we used to store your btc”, Tackett states in his post. Bitfinex and BitGo partnered in June, allowing the exchange to provide “individual multi-signature wallets for each customer,” according to announcements from both companies at the time.
“Bitfinex uses a unique set of keys for each user, and separates each user’s funds on the public blockchain,” Bitgo stated at the time. “This powerful combination of BitGo’s multi-sig technology with Bitfinex’s exchange mitigates most of the shared pool security risks while simultaneously enabling users to verify their individual holdings on the blockchain.”
According to Tackett, all Bitfinex customers have their own BitGo wallet, and therefore there was no hot or cold wallet used by the exchange. “We have one key, bitgo has one key, and one key is kept in cold storage,” he verified.
“We haven't had a hot/cold wallet setup since the bitgo implementation. Instead each user has their own wallet with limits on how much it can withdrawal as well as a global limit. We're still investigating how they were able to compromise this setup.”
- Zane Tackett, Bitfinex Director of Community & Product Development
Respondents to Tacketts post were concerned about BitGo themselves. “It doesn't look like they were compromised,” Tackett replied. “I don't believe our back-up keys were compromised but the investigation is still ongoing on how exactly we were compromised.”
While BitGo has insurance against bitcoin theft, from XL Group insurance companies, it does not cover Bitfinex. Tackett confirmed on Reddit that this breach is not insured. “We will look at various options to address customer losses later in the investigation,” Bitfinex said in their announcement.
In addition, the company announced that any affected accounts with open margin positions may need to be settled at the current market prices as of 18:00 UTC. “Only positions directly affected from the theft will be settled,” Tackett confirmed.
This is not the first time Bitfinex has been hacked, having suffered a breach in May 2015. At that time, over 99.5% of deposits were held in secure multisig wallets, with the rest stored in a hot wallet that was compromised.
Bitfinex has also been prone to downtime lately. Following scheduled maintenance on June 17, which only lasted one hour, the company revealed problems on June 20. Trading was paused while the company investigated an "infrastructure issue" which they said "does not involve funds or system security."
Before trading resumed, however, the company announced “networking issues within our new datacenter.” After over six hours of downtime, trading resume, but it did not stay live for long. Five hours later, the site was offline again. The downtime on June 21 lasted approximately four hours.
“We are not confident in the network stability of our datacenter so we have elected to take trading down for the time being.”
The networking issues continued when customers in North America complained of not being able to access the site on July 1. The company acknowledged internet routing and connection issues, stopping users from North America from accessing their site. The Bitfinex website was temporarily taken down again last week, for approximately three hours during the Ethereum forking event.
Bitfinex claims to be doing everything it can to resolve this latest breach. “The theft is being reported to—and we are co-operating with—law enforcement,” the company states.