Amidst tightening regulations, the latest hack of the Bitfinex Bitcoin exchange has highlighted ongoing difficulties for the sector. Bourn Collier, associate, and Oliver Yaros, senior associate at Mayer Brown International LLP, explore.

A few years ago media reports in Britain drew attention to the unfortunate plight of James Howells, a Welsh IT worker who had mined 7,500 Bitcoins using a laptop in 2009, only to lose the private key four years later (and with it, access to the valuable Bitcoins), when he unwittingly disposed of the hard disk on which the private key was saved. In digital currency parlance, Howells had changed his holding of the 64-character private key from a “hot wallet” on an internet-connected device, to “cold storage” – on a disk no longer connected to the internet (and buried under five feet of landfill).

In the years since, the digital currency landscape has changed dramatically, with individuals no longer mining Bitcoins directly (mining pools with superior processing power now dominate) but rather purchasing Bitcoins from willing sellers, typically via specialist online exchanges, such as Hong Kong-based Bitfinex and the now shuttered Mt Gox.

Bitfinex was one of the first Bitcoin exchanges to incorporate cold storage for its operations and this was regarded favourably by customers – they would have the convenience of having their private key easily accessible when transacting in Bitcoin via the online exchange, but the private key was not held in an online wallet, making it less likely to be hacked.

Bitfinex was also able to develop further applications of cold storage when it offered customers a “Margin Trading” feature, which allowed customers (including retail customers) to borrow in US dollars and Bitcoins from other Bitfinex users (through the Bitfinex platform) in addition to simple exchange trading of Bitcoins for fiat currencies (including US dollars and euros).

US regulatory scrutiny

Bitfinex ran into difficulty with this structure since trading on a margined basis falls within the jurisdiction of the US Commodity Futures Trading Commission (CFTC), under sections 4(a) and 4(d) of the US Commodity Exchange Act (CEA) and in June 2016, following an investigation, Bitfinex settled proceedings brought by the CFTC for executing financed retail commodity transactions outside of a regulated trading venue (off-exchange) and for failing to register as a “Futures Commission Merchant” under the CEA (In re BFXNA INC. d/b/a Bitfinex, Order Instituting Proceedings CFTC Docket No. 16-19 (June 2, 2016)).

A key feature of the CFTC’s reasoning was that Bitfinex’s transactions did not fall within the certain exceptions under the CEA, in particular that Bitfinex’s margin trading transactions did not result in “actual delivery” of Bitcoins – rather Bitfinex held the Bitcoins in an omnibus wallet account and held private keys in cold storage.

The multisig solution

By the time of the June settlement, Bitfinex changed its operations to hold customer Bitcoin balances in individual online wallets maintained by a third party wallet provider and which were individually enumerated (identifiable to the customer).

Such wallets are multi-signature – each wallet had three private keys – one regular embedded private key, along with two additional private keys (one held by the user and the other stored on the wallet server). To approve any transaction, at least two of the three keys are required.

Multi-signature (or “multisig”) wallets were written about favourably in 2014 by Vitalik Buterin, the founder and developer of the Etherum platform, and other exchanges adopted the standard to positive feedback. Of note was that the delivery of the private keys to authorise the transaction is spread between three entities, in theory making it harder for the keys to be compromised and used to approve unauthorised transactions.

Breach of the multisig wallets

In early August it was reported that Bitfinex had suffered a substantial breach of its systems and the multisig authorisation mechanism had been overridden by hackers who were able to appropriate 119,756 Bitcoins (of estimated value $65 million). The loss was the largest by a Bitcoin exchange since the collapse of Mt Gox in 2014 and represented a significant proportion of the total Bitcoins held by Bitfinex. It has been suggested that losses were concentrated amongst particular customers as specific wallets were breached.

In addition to customer losses, news of the theft led to a substantial decline in the exchange price of Bitcoin, the re-emergence of doubts as to the viability of Bitcoin and, for the affected Bitfinex customers, uncertainty as to their recourse to recover stolen funds.

A Bitcoin bail-in?

The exchange price of Bitcoin appears to have stabilised, particularly as it has been reported that the Bitcoin protocol (in particular the Blockchain distributed ledger on which Bitcoin operates) was not affected by the hack.

Unusually for an exchange, the Bitfinex team has proposed a haircut of approximately 36% on the balances of all customers, even those whose wallets were not subject of the hack. Those whose wallets were affected may be issued with a redeemable token which may also be exchanged for shares in the parent company of Bitfinex. For many Bitcoin enthusiasts this is an odd outcome given the cryptocurrency’s original design to be self-regulating and free of oversight.

Will some affected customers take court action against Bitinfex to recover their losses? It would be surprising if none of them are tempted to do so. But they would face considerable challenges, including the relatively uncharted territory of how the courts might analyse the legal landscape of Bitcoin generally and react to particular issues, such as the Bitinfex decision to share the losses between all its customers, not just those whose accounts were hacked. Any major customer challenge could of course result in Bitinfex folding altogether.

Increasing regulation and permissioned ledgers

Thefts from Bitcoin exchanges are one of a number of risks which regulators in several key jurisdictions are concerned with and further regulation is anticipated.

In July, the European Commission published proposals for the extension of Customer Due Diligence, licensing and registration requirements to virtual currency exchange platforms and custodian wallet provider businesses by 2017 (when the Fourth Anti-Money Laundering Directive, as amended, will need to be brought into effect by Member States). This could, in effect, establish a similar regime as introduced in the State of New York by the US Department of Financial Services, (called the “BitLicense”), which has attracted criticism, amongst other things, for the time and cost which firms must undergo to successfully apply for the BitLicense.

In a related step, in July, the European Union adopted the Network and Information Security Directive which will require European member states to introduce by May 2018 a set of minimum cybersecurity standards for network and information systems maintained by operators of essential services (including those supporting banking and financial market infrastructures) and digital service providers (such as those providing online marketplaces). All these bodies will be required to take appropriate measures to prevent and minimise the impact of incidents affecting their network and information systems, with a view to ensuring the continuity of their services, and will be obliged to notify the authorities where security breaches occur.

Finally, beyond Bitcoin and exchange platforms, global banks and developers have had success in developing and testing private (or “permissioned”) distributed ledger platforms to perform a variety of banking functions. For instance, it was announced that the distributed ledger of Ripple Labs had been used to conduct the first real time cross-border payment between financial institutions using a distributed ledger.