On August 2, 2016, Hong Kong-based bitcoin exchange Bitfinex became the latest target of hackers, who stole 119,756 bitcoins, a total loss of approximately $72 million at the time. Some estimates put the figure as high as $80,000,000. The Bitfinex hack was notable both because Bitfinex is one of the “biggest Bitcoin exchanges in the world” and because it sent bitcoin prices tumbling more than 20%. The exchange notified its customers of the hack in a press release on August 2, stating that it was suspending all trading and halting “all digital token deposits to and withdrawals from Bitfinex” until further notice. Phishing attempts against Bitfinex users continued through August 5, 2016, with users receiving emails from fake Bitfinex accounts that carried a virus in the email attachment. Intriguingly, and as we discussed in an earlier post, Bitfinex was recently fined $75,000 by the U.S. Commodity Futures Trading Commission (CFTC) for operating an illegal exchange and permitting “users to borrow funds from other users on the platform in order to trade bitcoins on a leveraged, margined, or financed basis.” Bitfinex’s failure to appropriately segregate funds contributed to the current confusion, which may be what required Bitfinex to “bail in” all of its customers to share in the losses. By not putting appropriate safeguards in place for users borrowing bitcoin from other users, Bitfinex may not itself have known who lost what in the hack.
On August 6, 2016, Bitfinex announced that it would “generalize losses across all accounts,” meaning that each customer would face a loss of 36.067% of the bitcoins stored on the platform. However, Bitfinex also announced that it would compensate customers by providing each of them with a “new token…equal to the amount of their discrete loss,” which is transferable on the blockchain. It also stated that it was talking to its investors to see whether it could raise capital to compensate customers as an alternative. Finally, on August 7, 2016, Bitfinex began bringing the exchange back online by enabling a “read-only” version of the website. It also required several changes with which customers would have to comply: (1) users will be required to reset their password; (2) users will be required to reset their 2FA, if applicable; (3) Clef was disabled for all accounts, and users will be required to re-enroll entirely; and (4) all API keys have been revoked, and new API keys will be re-enabled at a later date, likely within 48 hours. The platform is not yet fully functional.
The Bitfinex hack raises new questions for the digital currency. As with other bitcoin hacks, it raises concerns about security. But the magnitude of this hack raises an interesting question as to how to compensate users for losses and how to apportion those losses. Instead of simply letting those individuals whose accounts were hacked bear all of the losses, or pledging to make all individuals whole, Bitfinex took the unusual approach of spreading the loss across all of its customers while taking none of it on itself. Compare this reaction to that of Bitstamp, a rival bitcoin exchange, which was hacked in January 2015. Unlike Bitfinex, Bitstamp not only shut down its exchange but also promised that “[a]ll bitcoin held with us prior to the temporary suspension of services…are completely safe and will be honored in full. We are currently investigating and will reimburse all legitimate deposits to old wallet addresses affected by the breach after the suspension.” Bitstamp also pledged to waive commission fees for customers for a week after the hack. In all fairness, Bitstamp’s hack was of a much smaller magnitude, only $5 million, but Bitstamp may also have identified its hack much more quickly.
Whether or not Bitfinex’s action was legally permissible is already being discussed extensively online, and the debate will likely continue as customers who do not believe their own accounts were hacked, or who believe their bitcoin was essentially taken from them unfairly, file lawsuits in court. In essence, Bitfinex decided to provide its customers with debt securities, or IOUs for bitcoin, but failed to assign any interest to those IOUs, permitting Bitfinex to profit from any gains in bitcoin on the exchange in the interim while forcing all customers to bear the loss that its security breach caused. We may never know who was able to hack into the self-described “most secure Bitcoin exchange” out there, but it is now clear that Bitfinex was not as secure as advertised, and its customers are facing a tough reality check in which all of them are paying for Bitfinex’s failed security policies.