You might have seen the many screaming headlines about the digital currency bitcoin “plunging” or “plummeting” after a major exchange was hacked. Indeed, the price of bitcoin fell as much as 16% on Tuesday, hitting a low of $512, but it has since rebounded back up to $590. The bitcoin exchange that was hacked, Bitfinex, may not be as lucky.
Hackers stole nearly 120,000 bitcoins from Bitfinex, which is based in Hong Kong and is the largest bitcoin exchange in the world by USD volume. (The next largest bitcoin exchanges are itBit, Coinbase, and btc-e.) The coins amounted to about $65 million at the time of theft. Bitfinex had seen just over $400 million worth of trading volume in the past 30 days, putting it first among the many bitcoin exchanges out there now.
Bitfinex halted all trading and said in a statement that it is “continuing to investigate the hack and cooperating with authorities and the top blockchain analytic companies in the space to track the stolen bitcoins.” But it’s unlikely it can ever get the stolen coins back; the problem with a bitcoin transaction is that it’s irreversible. One user on Reddit posted after the hack, “My entire life savings for last 12 years are/were in btc balance on bitfinex… Looks like I could be financially ruined.”
Ironically, the hack potentially could have been avoided if Bitfinex had been securing customer coins using “cold storage.” It is ironic because the currency’s entire raison d’etre is to be digital money, and yet it is most securely protected using the physical, offline world.
To explain: Bitcoin transactions have to be made using multiple private “keys.” A key is simply a string of numbers and letters that are specific to one user. When you want to buy or sell bitcoins, you typically need to type in more than one of your keys to authenticate the transaction. “Cold storage” does not actually refer to literally storing your bitcoins offline (you can’t store them anywhere, since they are not tangible) but to keeping one or more of your “keys” offline, written somewhere not connected to the Web in any way.
Not so long ago, if someone wanted to go rob a bank, they had to go into the bank in person. But as Darin Stanchfield, CEO of bitcoin hardware wallet maker KeepKey, says, “These systems are all online now. So it’s not just bitcoin, every system has these vulnerabilities.”
In the case of bitcoin, you can choose how many different keys you have, and if an attacker can hack into a connected computer, then it doesn’t matter if you have two keys or six. Put simply, the hacked machine is already communicating with the other machines that have keys, so a hacker can easily see where else to attack to get the other keys. Unless you have a key saved or written somewhere off the grid, in “cold storage,” which simply means stored somewhere in the physical world, somewhere the Internet can’t see it.
KeepKey sells a simple $99 fob that communicates with the Internet, receiving a private key when you’d like to make a transaction. It’s the same concept as companies that issue fobs to access work e-mail remotely. Without the physical fob, the transaction won’t go through.
KeepKey says that in the last 24 hours after the Bitfinex hack, it sold more than double its daily sales average in cold-storage fobs.
Alternate forms of cold storage for a bitcoin key could be: on a notepad in your apartment; on a piece of paper in your wallet (a “paper bitcoin wallet”); written on some other physical item; on a USB drive (though those have their own security issues and can be dirty with viruses); or online, but in some other encrypted format where the encryption key is saved offline.
Bitfinex did originally use the cold storage method. But after the U.S. Commodity Futures Trading Commission (CFTC) charged it with facilitating illegal off-exchange commodities trading, Bitfinex settled in June and paid a $75,000 fine. As part of the settlement, Bitfinex switched its security system to “segregated multi-sig” (multi-signature, where keys are divided up among multiple owners to mitigate risk) wallets protected by an outside security provider, BitGo. Lo and behold, two months later, it got hacked.
Under the new Bitfinex security system, BitGo held one key for every account, and Bitfinex held the other two. When hackers withdrew the stolen funds from Bitfinex, BitGo auto-approved the withdrawal of the 120,000 coins. That shouldn’t have happened, but Bitfinex has taken blame for the hack and insisted BitGo was not at fault. BitGo also cleared itself on Twitter, but one Reddit user charged that BitGo, “is selling a false sense of security.”
BitGo sent Yahoo Finance this statement about its involvement: “The protection of our customers’ systems is our top priority. We are working with Bitfinex and law enforcement to investigate and swiftly resolve this matter. Based on the investigation thus far, there is no indication that BitGo servers have been compromised. We will maintain close contact with our customers and provide updates as appropriate.”
As we directly notified our customers earlier today, our investigation has found no evidence of a breach to any BitGo servers.
— BitGo (@BitGo) August 2, 2016
Many in the bitcoin community have blamed the CFTC for the hack—a narrative that appeals to bitcoin people for obvious reasons, because many are ideologically anti-regulation, and the idea that U.S. regulation, enforced by people who may not understand the digital currency world so well, actually caused a hack, helps the notion that regulation is hurting this industry.
In a blog post, the folks at the nonprofit advocacy group Coin Center say that the CFTC is not to blame for the Bitfinex hack. It also says multi-sig, the method Bitfinex switched to from cold storage, isn’t to blame either. “Cold storage and multi-sig are just different security models. The relative security of one or the other is entirely dependent on how they are implemented,” writes Coin Center’s head of research Peter Van Valkenburgh. “I could put keys to a pooled wallet on a USB drive and hide it in my five-year-old niece’s dollhouse. That storage is cold (the dollhouse doesn’t have Wi-Fi) but it’s also a terrible idea. Also, I could create a multi-sig wallet and hand all of the multi-sig keys to my niece. This is also a really lousy plan, but neither scenario tells us about the relative safety of one security technology vs the other—only the implementation.”
That all may be true, but it doesn’t mean Bitfinex’s implementation was strong.
It’s still being hotly debated who exactly is to blame—the CFTC, BitGo, Bitfinex, or some combination. But after a hack of this magnitude, it’s hard to understand why any bitcoin exchange site would use any other security method than cold storage.
This was hardly the first bitcoin hack in a long time. Attacks and hacks happen in the bitcoin world every few months on varying scales. Last year, bitcoin exchanges Cryptsy, Kraken, and OkCoin were all hit by distributed denial-of-service (DDoS) attacks. In June, the decentralized DAO network, which runs on the Ethereum blockchain, was hacked, losing $50 million worth of ether coin. In July, the Slovenian exchange Bitstamp was hacked for $5 million.
But the Bitfinex hack represented the largest loss of coins since Mt. Gox.
Bitfinex may not get the chance to fix up its security. After a theft of $460 million in 2014, the leading bitcoin exchange Mt. Gox shut down for good.
Bitfinex might be able to stay in business, but the challenge could be more about retaining customer confidence than logistical. “There’s no way those funds are recoverable unless they actually catch the attacker, so they might have to shut down,” says Stanchfield. “I think you’ll see Bitfinex users disperse, and even out among the other exchanges, and that’ll be a good thing. Because you have to avoid the Too Big to Fail problem.”
Daniel Roberts is a writer at Yahoo Finance, covering sports business and technology. Follow him on Twitter at @readDanwrite.