mrb's blog

Timeline of Bitfinex exchange theft

Keywords: bitcoin theft security hack

A prominent Bitcoin exchange, Bitfinex, was hacked. The thief stole 119 756 BTC, which were valued at $72M USD at the time. Bitfinex is the exchange with the world’s largest volume traded on the BTC/USD pair.[1]

Inspired by my timeline of the MtGox hack of June 2011, here is one for the Bitfinex hack. I will keep it updated as the situation progresses.

02 August 2016

Between 08:54 and 12:18 UTC: The theft takes place over a period of 3 hours 24 minutes without anybody noticing anything. It starts in Bitcoin blocks 423297, 423298, and 423299 which contain transactions stealing the largest amount of Bitfinex’s bitcoins, and the theft goes on until at least block 423318, as the exchange later finds out. The hacker methodically started draining the largest addresses first, moving to smaller ones over time.

18:06:28 UTC (Reddit timestamp): About 9 hours after the start of the theft, Zane Tackett, Director of Community & Product Development at Bitfinex, announces on /r/Bitcoin that they “discovered a security breach that requires [them] to halt all trading on Bitfinex, as well as halt all digital token deposits to and withdrawals from Bitfinex.” At this very minute Bitcoin is trading around 605 USD.

18:07:53 UTC: One minute later Tackett also announces the breach on /r/btc.

20:40:37 UTC: Anonymous Reddit account blahbitcoinredditor posts P2SH usage statistics that indicate the loss could be over 100k BTC. So far market panic has been limited compared to what is about to come: at this very minute Bitcoin is trading around 565 USD (-7% since the moment the breach was announced).

22:26 UTC: dooglus posts an (incomplete) list of transactions that he thinks belong to the hacker and represent 84 022 BTC total. They were confirmed in blocks 423297, 423298, and 423299.

Around 22:30 UTC: Bitcoin is now at 540 USD (-11%).

22:37:38 UTC: Tackett discloses the amount of coins lost: “I can confirm that the loss from the hack stands at 119,756btc” and reposts this information in other Reddit threads over the next few minutes.

Around 23:00 UTC: Bitcoin hits a low of about 460 USD (-24%), then begins to recover.

03 August 2016

Around 01:30 UTC: Bitcoin started recovering and is at approximately 550 USD (-9%). It will continue to recover relatively stably over the next 24 hours.

13:46:41 UTC: Reddit account rekcahxfb (bfxhacker in reverse) is created. Some initially thought he was the Bitfinex hacker; however, there is no evidence he is connected to the hack.

13:49:56 UTC: rekcahxfb posts on Reddit that he wants to give away 1000 BTC. To prove he owns the coins, he signs the message with the private key of the Bitcoin address holding them: 1BfxSuxJqXuizBbTcP238JZY9DT4eqvzJG. However, tracing the source of funds flowing to this address reveals that he is not connected to the hack.[2]

13:58:35 UTC: rekcahxfb announces the giveaway on Bitcointalk (where his account was created 3 minutes earlier).

15:48:15 UTC: In Reddit thread “If you were the thief(s), what would your next steps be and how would you liquidate?”, rekcahxfb writes:

[Image: rekcahxfb's deleted comment]

However, shortly afterwards he deletes this post. Penroze took a screenshot before it was deleted.

Around 16:00 UTC: Tackett is notified of the giveaway but replies “Yes, we have no reason to believe it is legitimate.”

18:11:29 UTC: Apparently rekcahxfb wants to chat. He says he hangs out on bitcoincore.slack.com. His Slack account lists his email as ethereumdefense@yandex.com and his timezone as UTC+10. This may or may not indicate he is from Russia (Yandex, Vladivostok Time).

23:30 UTC: Bitfinex posts a status update: “We are currently in an ongoing process of restoring limited functionality in a secure environment, with full functionality coming afterwards in progressive stages. The first step is bringing the site online and allowing users to login and view the state of their accounts. Note that initially trading, deposits, withdrawals, and other core site functionality will be disabled.

To accommodate the relaunch, all withdrawals, open orders, and open funding offers will be canceled. Furthermore, in order to compute losses for relevant parties, settlement must occur in the affected accounts. Margin positions for all pairs will be settled and closed using the following prices, representing the midpoint of the bid and ask on August 2, 2016 at 18:00:00 UTC:

BTCUSD: 604.06000000
ETHUSD: 10.19050000
ETHBTC: 0.01689900
ETCUSD: 2.83700000
ETCBTC: 0.00471495
LTCUSD: 3.75180000
LTCBTC: 0.00621295

Further announcements about the next steps of the relaunch will be posted as progress is made. All significant changes to feature availability will be announced in advance. We will strive to keep you as informed as we can.”

04 August 2016

Around 02:45 UTC: Bitcoin flirts with 600 USD, completing its recovery to pre-hack levels. It will remain around 580–600 USD over the next few days.

06 August 2016

15:51 UTC: Bitfinex posts an interim update announcing customers will end up losing 36.067% of their funds (because the stolen BTC represents 36.067% of all of Bitfinex’s assets: USD, other cryptocurrencies, etc): “Following the theft on August 2nd, the Bitfinex team has been working tirelessly towards bringing the platform back online in a secure and controlled manner. We have finalized the accounting of losses incurred and are currently coordinating strategic plans for compensating customers.

We intend to come online within 24-48 hours with limited platform functionality. Additional announcements will be made as we progressively enable more platform features and return to full operations. We appreciate that our customers and the public want this handled quickly, but it needs to be done in a way in which all assets are secure and immune from vulnerabilities. Every resource is being leveraged to make that happen in a safe and optimal way.

As disclosed in earlier announcements, all withdrawals, open orders, and open funding offers have been canceled and all financed positions have been settled. Exact settlement prices were published on August 3rd.

After much thought, analysis, and consultation, we have arrived at the conclusion that losses must be generalized across all accounts and assets. This is the closest approximation to what would happen in a liquidation context. Upon logging into the platform, customers will see that they have experienced a generalized loss percentage of 36.067%. In a later announcement we will explain in full detail the methodology used to compute these losses.

We are actively discussing various strategic options with numerous potential investors as part of our strategy to fully compensate our customers. Such discussions, however, are in early stages and will likely take time to play out. In the meantime, in place of the loss in each wallet, we are crediting a token labeled BFX to record each customer’s discrete losses. Tokens will be distributed without release or waiver. The BFX tokens will remain outstanding until redeemed in full by Bitfinex or possibly exchanged—upon the creditor’s request and Bitfinex’s acceptance—for shares of iFinex Inc. We are still sorting out many details on this; we will post further updates in the coming days.

Thank you for your continued patience and for the many generous offers of support that we have received over the last several days. Notwithstanding this attack, we continue to believe in the possibilities associated with bitcoin. We will continue to update our customers and the public as and when we can.”

07 August 2016

02:13 UTC: Tackett provides a complete list of all transactions stealing from Bitfinex’s addresses.

23:55 UTC: Bitfinex announces they are about to relaunch the site: “We are beginning the process of bringing the platform online in a controlled and secure way. Currently the site is available on a read-only basis as we continue to work towards enabling full functionality. This means that users will be able to log into their accounts but trading, depositing, and withdrawing will remain disabled at this time.

Please be aware of the following changes required by the ongoing platform recovery:

  • Users will be required to reset their password.
  • Users will be required to reset their 2FA, if applicable.
  • Clef has been disabled for all accounts. We have reset our security keys with Clef, requiring users to re-enroll.
  • All API keys have been revoked. The creation of new API keys will be re-enabled within the next 48 hours.

Please take this time to log in and review your account and balances, taking note of the adjustments caused by the closing of open margin positions and the application of the Extraordinary Loss Adjustment. The loss adjustment is represented by your balance in “BFX” tokens which are priced at 1.00 USD until we are able to allow trading of that token, likely within the next week. The trading of BFX tokens may be restricted for US customers.

Full platform functionality will come online in progressive steps in the coming days. Withdrawing, depositing and exchange trading will come online first, with margin trading (for non-US customers) to resume sometime after that. Further announcements will be made when the schedule for turning on those features is finalized. Once again, we thank you for your patience.”

10 August 2016

14:01 UTC: Bitfinex announces they will resume trading: “Today, August 10th, 2016, at 16:00:00 UTC we will be enabling additional platform features as we continue to restore service after the incident on August 2nd. Exchange trading will be enabled for all currencies and pairs, while deposits and withdrawals will be enabled for BTC, ETC, ETH, and USD – with LTC and Tether to follow shortly thereafter. Exchange trading will also be enabled for the BFX token on pairs BFXUSD and BFXBTC. We are working on tokenizing BFX via the Omni Layer to allow withdrawals for the BFX token, but we are still working out some protocol level details. Please note that U.S. residents will only be able to sell—not buy—BFX tokens at this time. Terms for the BFX token are available here. Requirements for token transfers are here. Parameters for assigning Margin Trading will be re-enabled for non-U.S. residents later this week.

In the past week, we have taken significant steps to ensure that we can restore service in a secure environment. We have added additional platform and infrastructure security checks; regenerated all encrypted services, including wallets, security tokens, and passwords; moved funds to multisig cold storage; re-evaluated all third-party integrations; performed a comprehensive system audit in order to identify vulnerabilities; and, rebuilt our entire platform on new infrastructure.

Please note that we have invalidated all deposit addresses that were generated before August 9 19:00:00 UTC for all cryptocurrencies except Tether USDT. Please do not deposit to these older addresses as this will cause substantial delay in deposit processing. All deposit addresses now shown on the site or generated by the API are the new addresses. Please be sure to use these new deposit addresses when depositing cryptocurrencies.

We are aware that many questions remain and we intend to discuss the theft, the distribution of losses, and our recovery plan in follow-up announcements. We are trying to be as transparent as we can be while we continue to try to make the best of a terrible situation. We regret the loss that took place, but we continue to remain confident in Bitcoin, the trading community, and our plan to compensate our customers. As always, we remain open to constructive commentary and suggestions from all sides.”

03 April 2017

Bitfinex announces that in a few hours they will redeem 100% of all currently issued and outstanding BFX tokens. This would mark full recovery from the hack.

  1. As of 03 August 2013, according to Bitcoinity the BTC/USD volume traded in the last 6 months on Bitfinex is 4 390 841 BTC. For comparison the no. 2 exchange by BTC/USD volume is CoinsBank (previously known as BIT-X) with 2 756 787 BTC.

  2. Most of the coins come from 1Hy1rceh2EaKnAQhGZocTFUGnKFFD3mNG5 and this address contained funds since 30 July 2016, preceding the Bitfinex hack. Also, none of the sources belong to Bitfinex (P2SH addresses start with 3 instead of 1.)
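
The prefix argument in footnote 2 rests on the Base58Check version byte: mainnet P2PKH addresses carry version 0x00 and render with a leading 1, while P2SH addresses carry 0x05 and render with a leading 3. The following is an added example, not part of the original post, that decodes an address, verifies its checksum and reports the type; the function names and the sample P2SH address are constructed for illustration.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet version bytes: 0x00 -> P2PKH ("1..."), 0x05 -> P2SH ("3...")
VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}


def _checksum(data: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + 20-byte hash as a Base58Check address."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading 0x00 becomes "1"
    return "1" * pad + out


def classify(address: str) -> str:
    """Return the address type, or the reason the address is rejected."""
    n = 0
    for ch in address:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return "invalid character"
        n = n * 58 + idx
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20 hash bytes + 4 checksum bytes
        return "invalid length"
    if _checksum(raw[:-4]) != raw[-4:]:
        return "invalid checksum"
    return VERSIONS.get(raw[0], "unknown version 0x%02x" % raw[0])


if __name__ == "__main__":
    # Constructed sample: a made-up 20-byte script hash encoded as P2SH.
    sample_p2sh = b58check_encode(0x05, bytes(range(20)))
    for addr in ("1BfxSuxJqXuizBbTcP238JZY9DT4eqvzJG",   # from the timeline
                 "1Hy1rceh2EaKnAQhGZocTFUGnKFFD3mNG5",   # from footnote 2
                 sample_p2sh):
        print(addr, "->", classify(addr))
```

Classifying by decoded version byte rather than by first character also rejects mistyped or truncated addresses, which a plain prefix check would accept.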
