
Bitcoin Hack Highlights Cryptocurrency Challenges

Bitfinex of Hong Kong Lost $69 Million

The theft of $69 million worth of bitcoins from a Hong Kong-based exchange highlights the continuing challenges around keeping large quantities of digital currency out of the reach of hackers.


Bitfinex, one of the largest U.S. dollar bitcoin exchanges, said on Aug. 2 that it lost 119,756 bitcoins after its platform was hacked. Law enforcement has been contacted, the company said in a statement.

Bitcoin's market rate dropped 20 percent following Bitfinex's announcement, although it has since bounced back to about $580. The company's losses amounted to approximately $69 million, according to exchange rates on Aug. 4.

Bitcoin is a virtual currency that is exchanged using peer-to-peer software. Transactions are verified by computers contributing data to a cryptographic ledger known as the blockchain, which is increasingly being explored by the finance industry for broader applications.

Zane Tackett, Bitfinex director of community and product development, writes on Reddit that the company is evaluating its options for addressing customer losses.

"At this time we don't have any details that we can share on this, nor have we made any decisions regarding this," Tackett writes. "We'll continue to push out updates on this as information becomes available."

Tackett refuted a suggestion that the theft might have been an inside job, but he did not share details on how the exchange was compromised.

"We have a pretty small team and most of us have been here for a while," he writes. "We also have strict permission limits for who has access to what. Furthermore, I've been on the phone with our entire team and am nearly 100 percent certain that nobody on our team did this."

Bitfinex says in a status update that it is trying to restore limited functionality that will allow customers to view their accounts. However, bitcoin trading will remain suspended.

Notice from Bitfinex posted online

Second Largest Loss

Bitfinex's losses are the second largest behind Mt. Gox, the Tokyo-based bitcoin marketplace that collapsed in February 2014. The exchange lost 850,000 bitcoins, worth about $474 million, but later found 200,000 of those bitcoins (see Bitcoin Trading Website Goes Dark).

Mt. Gox blamed the loss on a security issue called transaction malleability. But Japanese prosecutors charged CEO Mark Karpeles in September 2015 with embezzlement for allegedly transferring some funds from the exchange into accounts he controlled. It remains unknown who stole the majority of the bitcoins, and Mt. Gox is still in liquidation proceedings.

In June, hackers stole $55 million worth of ether, another digital currency, in an attack against an experimental investment fund called the Decentralized Autonomous Organization (see $55 Million in Digital Currency Stolen from Investment Fund). Ether developers made a software modification to the virtual currency's code that froze the funds.

Despite numerous exchange hacks and scammers, supporters of digital currencies have remained largely positive about the potential to revolutionize what they contend is an antiquated financial system.

But security breaches are a reminder of the vulnerabilities of cryptocurrency technologies, writes Peter Van Valkenburgh, director of research at the Washington-based Coin Center, which is a digital currency advocacy group.

"Every hack is also an opportunity to learn and grow resilient: Let's make sure we don't learn the wrong lessons this time around by drawing hasty conclusions," he writes.

Tough to Secure

A bitcoin is actually just a secret number. To transfer a bitcoin, a person must verify a planned transaction with a private encryption key. But if the private key is stolen, the attacker can steal the bitcoin.

Because all bitcoin transactions are recorded in the public blockchain, it is possible to follow the movement of stolen coins. Bitcoins are transferred between 34-character alphanumeric addresses, which appear in the blockchain.

Bitcoin addresses don't reveal information about who controls the funds. But stolen funds are often difficult to convert to fiat currency. Exchanges usually have strict identification requirements for account holders to comply with anti-money laundering regulations. Suddenly cashing out a large quantity of stolen bitcoins at a reputable exchange from a closely watched bitcoin address is unfeasible.
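The tracing described above can be sketched as a walk over the transaction graph. This is an added example, not code from the article or from any exchange: the ledger, transaction IDs and addresses are constructed placeholders, and it assumes a conservative rule that any transaction spending a tainted output taints all of its own outputs.

```python
from collections import deque

# Constructed sample ledger (not real blockchain data). Each transaction
# spends earlier outputs, referenced as (txid, output_index), and creates
# new outputs as (address, amount_btc).
LEDGER = {
    "tx_theft": {"inputs": [], "outputs": [("addr_thief_1", 60.0), ("addr_thief_2", 40.0)]},
    "tx_split": {"inputs": [("tx_theft", 0)], "outputs": [("addr_hop_a", 35.0), ("addr_hop_b", 25.0)]},
    "tx_clean": {"inputs": [("tx_other", 0)], "outputs": [("addr_exchange_dep_9", 5.0)]},
    "tx_cashout": {"inputs": [("tx_split", 1)], "outputs": [("addr_exchange_dep_7", 25.0)]},
    "tx_hold": {"inputs": [("tx_theft", 1)], "outputs": [("addr_hop_c", 40.0)]},
}
# Hypothetical deposit addresses an exchange would monitor.
EXCHANGE_DEPOSIT_ADDRESSES = {"addr_exchange_dep_7", "addr_exchange_dep_9"}

def trace_tainted_outputs(ledger, theft_txid):
    """Return {(txid, index): hops} for every output descended from the theft."""
    # Index which transactions spend each output so the graph can be walked forward.
    spenders = {}
    for txid, tx in ledger.items():
        for ref in tx["inputs"]:
            spenders.setdefault(ref, []).append(txid)
    tainted = {(theft_txid, i): 0 for i in range(len(ledger[theft_txid]["outputs"]))}
    queue = deque(tainted)
    while queue:
        ref = queue.popleft()
        for txid in spenders.get(ref, []):
            for i in range(len(ledger[txid]["outputs"])):
                child = (txid, i)
                if child not in tainted:
                    tainted[child] = tainted[ref] + 1
                    queue.append(child)
    return tainted

def flag_exchange_deposits(ledger, theft_txid, deposit_addresses):
    """List (txid, address, amount, hops) for tainted outputs paying an exchange."""
    hits = []
    for (txid, i), hops in trace_tainted_outputs(ledger, theft_txid).items():
        address, amount = ledger[txid]["outputs"][i]
        if address in deposit_addresses:
            hits.append((txid, address, amount, hops))
    return sorted(hits)

if __name__ == "__main__":
    for hit in flag_exchange_deposits(LEDGER, "tx_theft", EXCHANGE_DEPOSIT_ADDRESSES):
        print(hit)
```

Only the deposit that descends from the theft transaction is flagged; the unrelated deposit to the second exchange address is not.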

Bitcoin marketplaces employ a variety of methods to protect their vaults and the private keys for the bitcoins. But the companies are highly attractive targets because stolen bitcoins can be nearly impossible to recover. Unlike bank wire transfers, bitcoin transactions are irreversible.

Raising the level of security around bitcoins invariably makes the virtual currency more cumbersome to access, which is why exchanges must make difficult trade-offs.

"There is a balance between security and convenience," says Antony Lewis, a Singapore-based adviser on blockchain technology. "Customers say they want security, but their behavior suggests they prefer convenience. Exchanges who cater to this and put private keys on online machines put themselves at a higher risk of attack."


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



