The Aftermath of the Bitfinex Hack


In our August 9 blog post, we discussed the Bitfinex hack that rattled the bitcoin markets and raised serious questions about the security of bitcoin wallets and allocating risk in this new age of cyber theft.  Through a simple phishing email that contained a virus, hackers were able to gain access to customers’ Bitfinex accounts and steal millions of dollars’ worth of bitcoin.  However, instead of first determining whose accounts in particular had been hacked and how much had been stolen, Bitfinex allocated all of the losses across the board to all of its customers.  Since being victimized by the hack, Bitfinex has taken a number of steps to regain its customers’ trust and provide reimbursement for the more than $70 million theft that occurred.  It remains to be seen whether Bitfinex will ever fully recover customers’ trust from the hack, but Bitfinex’s security updates could provide a model for the rest of the industry to prevent these hacks from occurring in the future.

On August 10, 2016, Bitfinex announced that it had added “additional platform and infrastructure security checks; regenerated all encrypted services, including wallets, security tokens, and passwords; moved funds to multisig cold storage; re-evaluated all third-party integrations; performed a comprehensive system audit in order to identify vulnerabilities; and, rebuild our entire platform on new infrastructure.”

On August 17, 2016, Bitfinex announced that one critical failure in its platform was a security breach of its partner BitGo’s segregated multi-signature wallet solution which kept bitcoin in hot wallets as opposed to cold storage.  In response, Bitfinex suspended use of the BitGo hot wallet solution and reverted to using multi-signature cold storage instead.  In fact, there is an active debate percolating in the industry regarding cold storage replacing hot wallets to avoid future hacks as a whole.

In the same press release, Bitfinex attempted to rebut claims peppering internet blogs that Bitfinex did not plan to make its customers whole, stating again that all Bitfinex users were subjected to loss allocation, including employees and principals at Bitfinex, but that the exchange planned to make customers whole by issuing Bitfinex tokens (BFX) that would be redeemed for either $USD, or equity in another venture at a later date.  In the past month, Bitfinex has started to make good on its promise to customers by partnering with BnkToTheFuture, an online investment platform that created a Special Purpose Vehicle (an “SPV”) for Bitfinex users who lost money in the hack.  Under the SPV, qualified BFX token holders can contribute their tokens in exchange for an equity interest in iFinex, Bitfinex’s parent, or redeem them for $1 per BFX token, more than what they are trading for on the iFinex platform.  Bitfinex announced a second SPV – BFXTrust – formed by Alistair Milne for certain verified non-US Bitfinex users to convert their BFX tokens in a similar manner.

While these are viewed by some as positive steps, the legal ramifications of Bitfinex’s across-the-board loss allocation are still unknown.  As Fortune Magazine reported in mid-August, Bitfinex’s loss allocation is on shaky legal ground that may indeed go against Bitfinex’s terms of service, which guarantee that the bitcoins customers held in their wallets “belong to and are owned by you.”  In addition, because regulators may see Bitfinex’s token solution as somewhere between a security and a bond, they may require U.S. security and bond licenses that Bitfinex does not have for the tokens.  But, as Fortune reports, Bitfinex is banking on customers’ ultimate desire to recoup their losses instead of pursuing legal avenues that could force the exchange into liquidation and put even more assets at risk.  Bitfinex’s best shot at preventing legal action may lie in its ability to convince customers that they will get the value of their bitcoin back, because customers may want to prevent a situation which forces the liquidation of the exchange, and the subsequent freezing of their remaining assets.

What is clear is that Bitfinex appears to have made its site’s security and customer satisfaction a priority, and states that it has already redeemed over 1% of its customers’ BFX tokens.  We’ll continue to follow this story as it develops.