Letter #86: Bitcoin and the Story of Antifragility #5 - Big Losses at Bitfinex
Read now to learn how custodying your Bitcoin with a cryptocurrency exchange can never be totally safe, no matter the level of security the exchange offers.
Lonny was frantic. He was searching for a clue on his phone and in his email, but was coming up empty. Bitfinex customer support was no help either and the representative was basically ignoring him. His Bitcoin were missing and he had no idea why and no one to help him.
Granted, it was only about 20 Bitcoin. He was starting to hear chatter on Reddit about people who had lost a lot more. But he had put his life savings into Bitcoin, and he needed them back. Who had taken them? And how had they possibly managed to take Bitcoin from so many people at once? He may never know the truth.
The above account is a fictionalized dramatization that is loosely based on the reported events surrounding the Bitfinex hack of 2016. As such, it should not be taken as factual.
The Bitcoin blockchain is extremely secure. Tens of thousands of powerful machines are constantly working to protect the network from double spends and other attacks. Public-key cryptography ensures that illicitly moving funds from one Bitcoin wallet to another is essentially impossible unless the corresponding private key is obtained by a hacker. And the irreversibility of Bitcoin transactions ensures that no one can roll back your Bitcoin transfer after it has been confirmed on the blockchain.
However, Bitcoin’s robust security can at times be a double-edged sword, usually as a result of user error. For example, the private key protecting your Bitcoin is only as safe as you keep it. And if someone steals your private key and moves your Bitcoin out of your wallet, no force on earth can cancel the transaction and put them back.
History has provided a host of powerful examples of why protecting your Bitcoin is of paramount importance, and the Bitfinex hack in 2016 definitely qualifies. Users and outsiders alike were stunned when Bitfinex took down its website, halted trading and withdrawals, and announced that nearly 120,000 Bitcoin had been stolen directly from customer accounts. It was the largest Bitcoin theft since the Mt. Gox hack, and the community was experiencing severe déjà vu due to the similarities between the two events.
In an ironic twist of fate, Bitfinex had recently removed customers’ funds from pooled depositories into segregated multisig wallets in an attempt to prevent hacks like the one that happened shortly thereafter. But, as we already discussed, Bitcoin are only as safe as the holder keeps them, and Bitfinex’s configuration was apparently not up to the task.
What’s In A Multisig?
The vast majority of Bitcoin wallets are singlesig, meaning that only one private key is associated with and can sign transactions for each wallet. Multisig wallets, though, allow multiple private keys to be associated with a single Bitcoin wallet, and a quorum of keys (for example, 2-of-3 or 3-of-5 private keys) is required in order to sign a transaction and send it across the blockchain. Multisig wallets are often considered safer than singlesig wallets because multisigs can eliminate a single point of failure. In other words, someone has to steal multiple keys from you instead of one in order to steal your Bitcoin. Your holdings are also better protected from total loss if you misplace a private key, since other private keys are still available with which to sign a Bitcoin transaction.
In 2016, Bitfinex appears to have established multisig wallets for which the company held two of the three available private keys, while entrusting the third and final key to BitGo, a company specializing in custody of digital assets. To Bitfinex’s credit, sources claimed that the company held one of the two private keys it custodied in cold storage. However, I find their choice to not allow customers to custody one of the private keys themselves (at least those who felt adept enough to do so) interesting to say the least, as it could have further decreased hackers’ ability to acquire a sufficient number of keys. That said, it may not have made a difference in the 2016 hack, since insiders claim that the keys in cold storage weren’t compromised, leading outsiders to speculate that the keys Bitfinex kept online were accessed and that BitGo then used the key it held to sign off on all the transactions the hackers initiated.
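To make the quorum arithmetic concrete, here is a toy model (added here; not Bitfinex’s, BitGo’s or any real wallet code) of the two 2-of-3 arrangements discussed above: one where the third key belongs to a co-signing service that signs anything already carrying one valid signature, and one where the third key is held offline by the customer. The co-signer policy, the key names and the “attacker copies every key on the exchange’s servers” threat model are assumptions for the sake of illustration, and HMACs stand in for real ECDSA signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Key:
    name: str                   # holder and storage, e.g. "exchange-hot"
    secret: bytes               # constructed placeholder, not a real private key
    on_exchange_servers: bool   # stored where a compromise of the exchange can reach it

def sign(key: Key, tx: str) -> bytes:
    # HMAC stands in for the ECDSA signature a real key would produce
    return hmac.new(key.secret, tx.encode(), hashlib.sha256).digest()

def quorum_met(keys: list, threshold: int, tx: str, sigs: dict) -> bool:
    valid = [k for k in keys
             if k.name in sigs and hmac.compare_digest(sign(k, tx), sigs[k.name])]
    return len(valid) >= threshold

def autosign_cosigner(key: Key, keys: list, tx: str, sigs: dict) -> None:
    # Assumed co-signer policy: add a signature whenever the request already
    # carries one valid signature, without checking anything else about it.
    if quorum_met(keys, 1, tx, sigs):
        sigs[key.name] = sign(key, tx)

def attacker_can_spend(keys: list, threshold: int, cosigner: Optional[Key] = None) -> bool:
    # Threat model: the attacker copies every key on the exchange's servers and
    # submits a withdrawal; offline keys and other parties' keys are not copied.
    tx = "withdraw to attacker-address"   # constructed sample transaction
    sigs = {k.name: sign(k, tx) for k in keys if k.on_exchange_servers}
    if cosigner is not None:
        autosign_cosigner(cosigner, keys, tx, sigs)
    return quorum_met(keys, threshold, tx, sigs)

HOT = Key("exchange-hot", b"hot-secret", True)
COLD = Key("exchange-cold", b"cold-secret", False)
COSIGNER = Key("third-party-cosigner", b"cosigner-secret", False)
CUSTOMER = Key("customer-offline", b"customer-secret", False)

def cosigner_model() -> bool:
    # 2-of-3: exchange hot key, exchange cold key, auto-signing third party
    return attacker_can_spend([HOT, COLD, COSIGNER], 2, cosigner=COSIGNER)

def customer_key_model() -> bool:
    # 2-of-3: exchange hot key, exchange cold key, customer's key held offline
    return attacker_can_spend([HOT, COLD, CUSTOMER], 2)
```

Under these assumptions the first arrangement lets a single stolen hot key reach the quorum, so it behaves like a 1-of-1 wallet, while the second still needs a key the attacker never touched.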
A Happy Ending?
Perhaps all is not lost for the customers affected by the Bitfinex hack. Early last week, the United States Department of Justice announced that around 80% of the Bitcoin stolen in the hack had been seized and a husband-wife duo was being charged with laundering the funds through a variety of transfers, coinjoins, asset purchases, and other means.
The married couple in question appears to have kept the private keys securing the stolen Bitcoin online in a cloud storage account. While their choice to keep the private keys online was almost assuredly crucial to the government’s ability to recover the stolen Bitcoin, it also serves as a reminder that those of us who haven’t obtained Bitcoin through illicit means should keep our private keys secured offline. After all, if the hackers can obtain Bitfinex’s online private keys, and the government can obtain the hackers’ online private keys, why should your private keys be safe if you choose to keep them online?
Shady companies that will take away your hard-earned money the first chance they get.
That’s what most content creators in the Bitcoin and Crypto spaces offer their communities in exchange for the *free* content they promote in newsletters, on talk shows, on social media, and anywhere else they can peddle their wares.
YOU DESERVE BETTER.
You deserve quality Bitcoin education that isn’t driven by a need to sell you something that will leave you worse off. You deserve thoughtful analyses of Bitcoin basics and current events that leave out the biases that permeate affiliate-driven content platforms. You deserve a community that puts you first, no matter what.
We’ve built the HiFi Bitcoin community together as a place where quality Bitcoin education comes without any hidden agenda. A place where you come first, always.
If you believe that Bitcoin education should be available to everyone without bias and without ulterior motives, I ask you to please consider supporting me and the work I’m doing for the Bitcoin community through a premium membership. Every contribution increases my ability to cut through the noise and find the truth about Bitcoin with you.
A Special Bonus For Premium Members
In my new book, The Ultimate Pocket Bitcoin Glossary, I walk you through 30 of the most important terms you need to understand in order to get ahead in your Bitcoin journey. My hope is that it can be used to educate yourself about Bitcoin and as a quick reference when you’re trying to help others understand why you’ve chosen to pursue a passion for Bitcoin.
Ready to read it yourself?
Premium subscribers of The HiFi Bitcoin Letters receive access to The Ultimate Pocket Bitcoin Glossary at no extra charge:
Free subscribers and non-subscribers can purchase The Ultimate Pocket Bitcoin Glossary, without the commitment of subscribership, in the HiFi Bitcoin Shop, as a PDF:
Wish You Could Easily Take The Podcast With You?
Can’t Get Enough Bitcoin In Your Life? Follow Me On Social Media:
🙋🏽♂️Did you enjoy this edition of The HiFi Bitcoin Letters?
This 3-question survey is your chance to tell me how I can improve the newsletter for you.
This is not financial advice. This newsletter and related content are for informational purposes only. Cryptocurrencies and digital assets can be risky. Always do your own research before making any sort of investment.