Centralised Exchanges Are Terrible At Holding Your Money: A Timeline of Catastrophes English

中文

This blog post was published before LocalEthereum became LocalCryptos.

One of the primary advantages of cryptocurrency over traditional currency is its elimination of third-party risk. Instead of trusting an entity to keep record of your balance — which is a simplified version of how traditional banking works — blockchains use an immutable public transaction ledger which is constantly audited using cryptographic proofs.

The awesome result of this is that it is mathematically impossible for anybody to revoke, transfer or destroy your cryptocurrency without access to your private key. As long as you keep that long string of text safe (your private key) — by storing it on a piece of paper, in a hardware wallet, or even in a tucked-away text file on your secure computer — you can be confident that your cryptocurrency is safe. You’re trusting the maths and the gigantic network of computers auditing the blockchain around the clock; you don’t need to trust a third-party.

This advantage exists for all cryptocurrencies, including Bitcoin and Ethereum, but it doesn’t apply when you choose to not hold on to your keys.

When you deposit or purchase cryptocurrency on a centralized exchange, you don’t hold the private key to those cryptocurrencies; instead, you’re trusting the exchange, in the same way that you trust your bank, to hold on to and keep an accurate record of your balance(s).

When you keep your cryptocurrency on a centralised exchange, you’re missing out on the security benefits of cryptocurrency. Instead, your deposits have a significant chance of being lost or stolen because of the compounding risks associated with centralised exchanges:

Centralised exchanges are often the subject of major heists. Because of the irreversible nature of cryptocurrency, it’s very attractive to cyber-criminals. Billions of dollars worth of cryptocurrencies have been stolen from centralized exchanges. Centralised exchanges are often the subject of major accidents. As there are still many untapped commercial opportunities in the crypto-economy, there is a constant inflow of technologically-inexperienced entrepreneurs attempting to capitalise on the new technology. There have been many cases of centralized exchanges losing millions of dollars due to fatal, simple mistakes. Deposits are rarely insured. In most countries around the world, all bank accounts are insured by the government. The same regulations do not exist for cryptocurrencies, and furthermore insurers generally steer clear from cryptocurrency because of its common association with mismanagement and theft.

While any of these threats alone should be enough to make you think twice before trusting a centralized exchange, these risks together is a recipe for disaster.

In the very first paragraph of the original Bitcoin whitepaper, Satoshi Nakamoto explained that by enabling peer-to-peer payments, people would no longer need to trust a financial intermediary.

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.

And yet today, somewhat ironically, most of the risk we face still stems from trusting third parties. We see headlines about centralized exchanges making terrible mistakes that cost customers millions of dollars over and over, and yet people continue to risk their deposits in these unreliable organisations — likely because, until the introduction of peer-to-peer alternatives like LocalEthereum and EtherDelta, centralized exchanges were the only viable choice.

Vitalik Buterin, the creator of Ethereum, made a similar point in 2014 while remembering the early days of developing the concept of a decentralized programming language:

I was acutely aware that many of the major problems still plaguing the Bitcoin ecosystem, including fraudulent services, unreliable exchanges, and an often surprising lack of security, were not caused by Bitcoin’s unique property of decentralization; rather, these issues are a result of the fact that there was still great centralization left, in places where it could potentially quite easily be removed.

It is now a well-known fact that centralized exchanges tend to be extremely unreliable. But if you still don’t believe us, below is a timeline of some of the many catastrophes caused by centralized exchanges. It should serve as a reminder of the many times centralized exchanges have proven themselves to be terrible at holding your money.

Note: This timeline contains some information that is sourced from speculation and/or rumours. In those cases, we’re not making allegations against the companies; we are merely recounting and aggregating speculations made by others. Although best efforts were made to ensure the information contained in this post is accurate, please contact us if you feel any portion is misleading or inaccurate.

Mt. Gox auditor account breach (2011)

In March 2011, Mt. Gox was sold to Mark Karpelès (a.k.a. MagicalTux). One of the conditions of the sale was that a portion of revenue was to be remitted to the exchange’s original owner, and to audit this revenue the original owner was permitted an account with administrator access.

The original owner’s administrator account, however, was stolen (how this happened still remains a mystery). In June, the stolen administrator privileges were used to transfer an enormous quantity of Bitcoin to an attacker’s account, and a huge sum of Bitcoin was dumped on the open market The gigantic ask order caused an immediate flash crash, wiping out the entire order book and allowing orders to execute at less than 1¢.

During the flash crash, the attackers used their own accounts to purchase the extremely cheap Bitcoin and then withdrew it. Other traders unassociated with the attackers also capitalised on the flash crash by purchasing the cheap Bitcoin.

The scale of the hack is not officially known; some estimates put the theft at 500,000 BTC while others put the losses at 2,500 BTC.

Mt. Gox ended up reversing the trades and claims to have fully reimbursed all customers affected by the hack. After the attack, the exchange shut down for several days.

Bitomat accidental wallet erase (2011)

Bitomat was the first Bitcoin exchange to offer support for the Polish currency Zloty. It launched the world’s first BTC/PLN market in 2011.

In July 2011, Bitomat routinely rebooted one of its Amazon-hosted servers and in the process accidentally destroyed a huge sum of Bitcoins. Due to not maintaining a back up of its Bitcoin wallet, the exchange inadvertently lost access to 17,000 BTC.

Bitcoin7 hack (2011)

Bitcoin7 was one of the lesser-known Bitcoin exchanges at the time, launching in June 2011.

On October 5, 2011, the exchange suffered a massive breach by an unknown entity. The website was quickly replaced with a message stating that an intrusion included all of their Bitcoin wallets and their entire user database. Approximately 11,000 BTC was stolen from the exchange, never to be seen again.

Bitcoin7 shut down permanently following the incident.

Mt. Gox invalid address incident (2011)

In October 2011, only a few months after the Mt. Gox auditor account hack, the exchange accidentally sent 2,609 BTC to a number of invalid addresses. As no private key could ever be assigned to the addresses, the Bitcoins were effectively lost forever.

Mt. Gox fully reimbursed its customers after the incident.

Bitcoinica heists (2012)

In March 2012, the cloud hosting company Linode suffered a major breach. A vulnerability in the hosting provider’s customer support portal was exploited to obtain administrator access to a number of its servers.

The attacker(s) targeted Linode accounts that had references to “bitcoin”. Once they gained root access to the servers, they transferred out everything they could find. Of the services targeted, Bitcoin trading platform Bitcoinica was the hardest hit.

Bitcoinica said it lost 43,554 BTC in the theft and pomised to reimburse its customers.

Bitcoinica heist #2

Only two months had passed since Bitcoinica reported its first robbery, when it became the apparent target of a second major hack.

On May 12, 2012, attackers took control of an e-mail address that was associated with Bitcoinica’s Rackspace server. Using the stolen e-mail account, they were able to gain entry into Bitcoinica’s server and, once again, steal everything they could find on the server. This time, the Bitcoinica reported that attackers made off with the platform’s user database as well as 18,547 BTC.

Four users of the exchange filed a complaint in a San Francisco court asking for $460,000 from the company, alleging that Bitcoinica neglected the safety of its customers’ deposits, and would not honor legitimate withdrawal requests.

Later that year, the Polish Bitcoin exchange BitMarket.eu discovered that it had lost 19,980 BTC of customer deposits, which were stored on a Bitcoinica account. Reportedly, BitMarket.eu’s customers were completely unaware that their funds were stored on Bitcoinica in the first place.

Bitcoinica heist #3

Unsurprisingly, Bitcoinica was the subject of a third major heist in a third and apparently unrelated attack. On July 13, 2012, Bitcoinica said that an attacker gained unauthorized access to its Mt. Gox account. Using the stolen credentials, they were able to withdraw 40,000 BTC and a further US$40,000.

In the weeks after the incident, a number of well-known figures in the Bitcoin community speculated that Zhou Tong, the seventeen-year-old founder of Bitcoinica, was likely behind the series of thefts. The allegations came after an e-mail address associated with Zhou Tong was found to be associated with the reported theft of Bitcoinica’s Mt. Gox account.

In response, Zhou Tong said that his “previous business associate” Chen Jianhai was the hacker. According to Zhou Tong (a.k.a. Ryan Zhou), his mysterious multi-millionaire friend miraculously admitted to stealing from Bitcoinica and promised to return the stolen Bitcoin “under the condition that Bitcoinica will no longer pursue the case”. Of course, most people believe that Chen Jianhai either doesn’t exist or is a scapegoat, and that Zhou Tong was the thief all along.

BTC-e Liberty Reserve hack (2012)

On July 31, 2012, the Liberty Reserve account belonging to BTC-e was stolen. An attacker used the Liberty Reserve API credentials credit their account with multiple massive “fake” USD deposits, and subsequently bought huge sums of Bitcoin on the exchange’s BTC/USD market. The extremely large buy orders caused a temporary spike in the market.

The attacker was quick to withdraw the Bitcoins, but was unable to withdraw the full sum. Official estimates put the scope of the theft at 4,500 BTC.

BTC-e reimbursed its customers and reversed the trades after the incident.

BitFloor hack (2012)

In September 2012, a hacker gained access to an unencrypted backup of Bitfloor’s wallets, which included its “cold storage” wallet (Bitcoin address private keys that were meant to be protected by being kept offline).

Last night, a few of our servers were compromised. As a result, the attacker gained accesses to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand.

Approximately 24,000 BTC were stolen and have never been returned. BitFloor briefly shut down after the incident, and later returned with the promise of repaying its creditors over time. Only some creditors were eventually repaid.

Vircurex hack (2013)

Vircurex was a popular cryptocurrency exchange that had markets in several “alt-coins”, including Terracoin, Litcoin, Namecoin, Devcoin, Terracoin and others. In May 2013, an attacker stole 1,454 BTC as well as large quantities of lesser-known cryptocurrencies Litecoin and Terracoin.

The exchange became insolvent in 2014 after subsequent hacks.

Bitcash.cz hack (2013)

In November 2013, the Czech Bitcoin exchange Bitcash.cz reported that it was the target of a heist. 484 BTC was stolen by an unknown attacker.

Mt. Gox collapse (2014)

Mt. Gox was still the world’s largest Bitcoin exchange, even though it had already been victim to a previous public heist. In early 2014, the exchange collapsed in what is still considered to be the greatest Bitcoin scandal of all time.

On February 7, 2014, Mt. Gox announced that all Bitcoin withdrawals had been temporarily halted as it had stumbled across a serious “technical issue”. In a press release, they initially explained that they had detected unusual transaction activity on its Bitcoin wallets and had initiated a technical investigation weeks earlier. Officially, the company stated that it had uncovered a bug in the Bitcoin client API that caused “issues with the way that Bitcoin withdrawals are processed”.

The company stated that “transaction malleability” was the cause of a vulnerability that wasn’t limited to Mt. Gox or Bitcoin, and that the developers of the core Bitcoin client needed to change the software to resolve the issue.

The problem we have identified is not limited to MtGox, and affects all transactions where Bitcoins are being sent to a third party. We believe that the changes required for addressing this issue will be positive over the long term for the whole community. As a result we took the necessary action of suspending bitcoin withdrawals until this technical issue has been resolved.

Nowhere in the initial press release did they say that they were the subject of a massive theft. It was not until an internal company memo was leaked on the web on February 23, titled Mt. Gox Situation: Crisis Strategy Draft, that the truth of a massive breach was revealed. The internal document, apparently created by executives of the exchange including Mark Karpelès himself, outlined the details of a major theft, and a strategy to continue the exchange while keeping the theft a secret.

For several weeks MtGox customers have been affected by bitcoin withdrawal issues that compounded on themselves. Publicly, MtGox declared that “transaction malleability” caused the system to be subject to theft, and that something needed to be done by the core devs to fix it. Gox’s own workaround solution was criticized, and eventually a fix was provided by Blockchain.info. The truth, it turns out, is that the damage had already been done. At this point 744,408 BTC are missing due to malleability-related theft which went unnoticed for several years. The cold storage has been wiped out due to a leak in the hot wallet.

The leaked document went on to reveal that “MtGox can go bankrupt at any moment, and certainly deserves to”, but it explained that a theft “on this scale” would irreversibly damage public perception of Bitcoin and “could put it back 5~10 years, and cause governments to react swiftly and harshly”.

The memo outlined a corporate strategy to rebrand the business, re-open the exchange and repay the stolen coins from its profits over the long-term. Essentially, the memo unveiled a devious plan to cover up the half-a-billion-dollar theft and attempt to continue business as usual.

The stolen 744,408 BTC amounted to roughly 6 percent of all Bitcoins in circulation at the time: an estimated value of more than US$450 million. In an attacjed balance sheet, it was shown that the company owed a staggering 624,408 BTC and at least US$55 million to customers, yet only had 2,000 BTC in its possession.

One day before the leaked document began to circulate Bitcoin forums and chat rooms, Mark Karpelès resigned from the Bitcoin Foundation and deleted all of the posts from Mt. Gox’s Twitter account. A few days later after the news broke, the company filed for bankruptcy protection in Tokyo and officially reported that it had lost an estimated $473 million in Bitcoin and fiat currencies.

Mark Karpelès was arrested in Japan in August 2015 and charged with embezzlement and data manipulation, in relation to an unrelated Mt. Gox incident that pre-dated the exchange’s collapse. A Tokyo police spokesperson said he was suspected of accessing the exchange’s computer system in February 2013 — one year before the exchange collapsed — to inflate his personal account by more than US$1 million. He was released on ¥10 million (~US$100,000) bail in 2016.

The company is still undergoing continued bankruptcy proceedings. Mark Karpelès is prohibited from leaving Japan.

Poloniex hack (2014)

In March 2014, the cryptocurrency exchange Poloniex — which remains one of the most popular alt-coin exchanges today — lost 12.3% of its total Bitcoins in an attack.

Due to a vulnerability in the way that Poloniex processed customer withdrawals, an attacker was able to steal a large number of Bitcoins from Poloniex’s wallet. The attacker discovered that if they placed several withdrawals all in practically the same instant, they would get processed at the same time, even though the customers’ balance would become negative.

Instead of taking on the losses as a company, the exchange decided to issue a mandatory haircut of 12.3% to its customers’ balances. Tristan D’Agosta, founder of Poloniex, suggested that this was the only way that bitcoins could be distributed fairly among affected users.

If I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren’t left in that remaining 12.3%.

MintPal hack and scam (2014)

MintPal was once one of the most popular cryptocurrency exchanges for altcoins such as Dogecoin, VeriCoin and Litecoin.

On 13 July, 2014, the exchange announced it was the victim of a theft. The attacker managed to get away with 8 million VeriCoins from the exchange’s wallet, worth US$1.8 million at the time.

The developers of VeriCoin were quick to deploy a fork to return the stolen funds back to the exchange. Unfortunately, that was only the very beginning of MintPal’s problems.

Later that month, it was reported that MintPal had changed hands after being acquired by Moopay. The CEO of Moopay, Alex Green, wrote of the acquisition in a length blog post:

I […] tentatively reached out to their management and let them know that we were interested in opening up talks in regards to an acquisition, if it was something they were interested in. After a number of conversations with the current management of MintPal we reached an agreement that both parties were comfortable with, and are just waiting on the paperwork to be signed (which will be happening this week).

The CEO promised to make security the new focus of MintPay in order to restore faith in the exchange:

Our first action to take regarding MintPal, is to beef up the security, make a number of performance tweaks; do a formal audit and review of operational procedures,

However, in an abrupt announcement in October of that year (only a few months later), Alex Green announced that Moopay would be filing for bankruptcy and would immediately cease all operations. Without warning, the MintPal exchange shut down and stopped processing withdrawals.

When pressed about the exchange and the customer funds that were trapped in it, Alex Green explained that Moopay had “no control” over MintPal, despite public record to the contrary. Claiming that the company had passed the exchange over to new management, Green informed Moopay employees that MintPal was no longer their problem.

It was not long before a former employee of Moopay publicly accused Alex Green of stealing 3,700 BTC from the exchange. In fact, Alex Green turned out to be just an alias; the scammer’s true name was revealed as Ryan Kennedy.

What happened to MintPal is the equivalent of a nuclear bomb being dropped on a City, and a two-man hazard crew consisting of Mike and Ferdous are now in charge of the cleanup – and attempting to follow the trail of a 3700BTC transaction from MintPal, which is now accused of being lodged into a personal account of Ryan Kennedy.

In 2017, Ryan Kennedy (a.k.a. Alex Green) was charged by U.K. police with fraud and money laundering offences. The charges followed a three-year investigation into the sophisticated scam.

[Kennedy] has been charged with a number of offences under the Fraud Act 2006 and Proceeds of Crime Act 2002. It is alleged the offences were committed between January – December in 2014. This included the theft of bitcoins to a value in excess of £1 million, that were then spent on a luxury lifestyle.

At the time the charges were laid, Ryan Kennedy was already serving an 11-year prison sentence after being convicted of rape in 2016.

BTER hack #1 (2014)

In August 2014, the Chinese cryptocurrency exchange BTER tweeted that 50 million NXT — worth roughly US$1.6 million at the time — had been stolen.

Initially, a BTER representative suggested that the exchange would contact the NXT development team and request for a rollback of the blockchain. However, the organisation in charge of NXT development confirmed that a significant majority of its users opposed the idea. The rollback effort was later abandoned by the exchange.

Bitfinex alleged order book spoofing (2014)

The term “spoofing” has long been used to describe a common market manipulation strategy whereby a trader creates orders without the intention of letting them execute. That may sound a little confusing, but it’s a relatively simple technique: as soon as the price moves towards the fake bids and offers, they are suddenly withdrawn. These “fake” orders are designed to give others the impression of substantial supply and demand and the false liquidity can cause dramatic price swings as traders and bots are tricked into placing big market orders that cannot actually be fulfilled without significantly moving the price.

In the United States, the practice of “spoofing” became explicitly illegal after it was discovered as the root cause of the high-profile 2010 U.S. stock market flash crash.

Bitfinex is alleged to have employed a different type of “spoofing” however. In a post titled Fake It Till You Make It: When Bitfinex themselves used to spoof their entire orderbook, published October 2017, allegations surfaced about how Bitfinex cloned bids and offers from other exchanges and ran an internal arbitrage bot on their own markets to give a false impression of liquidity.

The alleged scheme worked like this:

In 2014, soon after the exchange first went live, Bitfinex employed a unique arbitrage bot with the goal of making its markets appear more liquid. The Bitfinex arbitrage bot was programmed to copy orders from other exchanges including Mt. Gox and Bitstamp, and display them on Bitfinex’s order book as if they were made on their own markets.

As soon as these imported orders were hit on Bitfinex, their arbitrage bot quickly ran to the source exchange and executed the same trade over there. To the average trader using Bitfinex at the time, everything seemed normal. At face value, the strategy doesn’t sound very malicious or dangerous; although the practice was clearly deceptive, the orders were still being executed in the end so it didn’t seem to matter… except when that wasn’t the case.

Big problems arose when the arbitrage bot became even slightly out of sync, which happened often during times of high volatility. When Bitfinex displayed imported orders that no longer existed at their source, their arbitrate bot couldn’t execute them and so tragedy struck.

The results were catastrophically similar to traditional “spoofing”: traders were duped into placing market orders that looked like they could be fulfilled easily, but in reality quickly fell through like quicksand to land at a much worse price. This was likely the cause of the series of flash crashes that occurred in 2014-2015, where the price of Bitcoin on Bitfinex dropped significantly while the same markets on other exchanges hardly moved an inch.

796 hack (2015)

Some time in January 2015, a Chinese cryptocurrency futures exchange named “796” was hacked. At the time, 796 was one of the largest futures exchange in China.

Although the details of the hack are somewhat unknown, the consensus is that an attacker managed to replace customers’ withdrawal addresses with their own address to steal 1,000 BTC.

Bitstamp hack (2015)

In, January 2015, Bitstamp announced that some of its operational wallets were breached. Upon discovering the hack, the exchange temporary suspended trading to conduct an internal investigation. 19,000 BTC was stolen in the theft.

It was later uncovered that cybercriminals had been soliciting Bitstamp employees with phishing e-mails in a bid to execute malicious code on their computers. The attackers were able to successfully compromise one of the machines on the Bitstamp’s private network by duping a staff member into opening a virus-tainted Microsoft Word document.

LocalBitcoins hack (2015)

In Janurary 2015, LocalBitcoins — a centralized over-the-counter Bitcoin trading platform — was hacked and an intruder was able to steal an estimated 17 BTC from customer wallets.

The theft was very small compared to other heists, as only a small number of user accounts with Bitcoin balances had been compromised. LocalBitcoins said of the incident:

The attacker used that LiveChat access to spread some kind of Windows executable, which probably was some new kind of keylogger software which is not yet detected by virus protection mechanisms. If the user got that executable installed, with some social engineering, the attacker managed to get access to different accounts of those victims.

Seven months earlier, in May 2014, the site was hacked in an unrelated attack. By social engineering the service’s hosting provider into granting them root access, the attacker had approximately 40 minutes of full administrative access to LocalBitcoin’s central server. The encrypted volume of LocalBitcoin’s server was not mounted to the server at the time, and couldn’t have been without the correct passphrase. No data was known to have been compromised.

BTER hack #2 (2015)

On February 15, 2015, the Chinese cryptocurrency exchange BTER announced that an attacker had managed to steal from its cold wallet. The attack came less than one year after ~US$1.6 million was stolen from the exchange.

The exchange claimed that it had lost 7,170 BTC to a thief. The company stated on social media that it was working with law enforcement officials on the matter.

KipCoin hack (2015)

On February 17, 2015, just two days after the BTER hack, another Chinese exchange was hacked. KipCoin, a relatively unpopular Chinese Bitcoin exchange, announced on social media that the attack began when a hacker gained access to their Linode hosting provider account in mid-2014.

Using the stolen Linode credentials, the attacker was able to gain root access to KipCoin’s server and drain its wallet. More than 3,000 BTC was stolen. The exchange says it is working with law enforcement in an effort to recover the stolen Bitcoins.

Bitfinex hack #1 (2015)

In May 2015, the popular exchange Bitfinex was hacked. An attacker managed to gain access to Bitfinex’s “hot wallet” and intercept a large number of deposits.

A spokesperson for the exchange confirmed that 1,581 BTC was stolen from Bitfinex and transferred to an external Bitcoin address. The stolen funds were reimbursed by Bitfinex.

Cryptsy hack (2016)

In Janurary 2016, the cryptocurrency exchange Cryptsy announced it was hacked.

The hack, however, occurred more than a year earlier. The announcement was made following months of withdrawal complaints, nasty rumors and wild speculations. In the meantime, the exchange was busy trying to cover everything up by channelling the money it was earning back into its clients’ wallets to quietly replace the losses.

The decision was made to pull from our profits to fill these wallets back up over time, thus attempting to avert complete closure of the website at that time.

According to reports, a hacker named “Lucky7Coin” had managed to insert a Trojan horse malware into the source code of the wallet used by Cryptsy. This enabled them to siphon cryptocurrencies from the exchange over time. The losses amounted to 13,000 BTC and 300,000 LTC, worth US$10 million at the time.

In the same month, Cryptsy claimed that it had become insolvent as a result of the hack.

Cointrader hack (2016)

In March 2016, the Canadian Bitcoin exchange Cointrader announced that it was shutting down following a hack.

The scope of the attack was not revealed, but it was likely small compared to other exchange heists; Cointrader was relatively unknown and had seen very little volume in previous months.

Gatecoin hack (2016)

In May 2016, the Hong Kong cryptocurrency exchange Gatecoin was hacked. The hack first began on May 9th and continued over three days.

Last night Asia time, we suspected a potential leak on our hot wallets. Therefore, we decided to shut down the exchange and ports in order to minimise further potential losses, and we are conducting a full forensic investigation to identify the root of the issue.

Initially, the exchange’s CEO indicated that he was not clear on the amount of funds stolen, but noted that “[the numbers] are big”. Although the exact figure was never official revealed, the exchange said that it had lost as much as 185,000 ETH and 250 BTC.

Bitfinex hack #2 (2016)

In August 2016, over $72 million worth of Bitcoin was stolen from Bitfinex in what marked its second major theft, and the second-largest centralized exchange heist in history.

Bitfinex, which is based in Hong Kong, was the world’s largest dollar-based exchange for Bitcoin, and is known to have the deepest liquidity in the BTC/USD currency pair — although a lot of that liquidity is rumoured to be from “spoofed” bids and asks in a heavily-manipulated order book.

Bitfinex said that 120,000 BTC was stolen from its users’ accounts, worth more than US$65 million at the time. A representative of the exchange told reporters that Bitfinex had not yet decided how to address the losses.

Blame for the hack was immediately pointed at BitGo, a blockchain security company contracted by Bitfinex. In 2015, BitGo and Bitfinex had developed a complex 2-of-3 key management system to provide each customer with a multi-signature Bitcoin wallet, whereby two keys were held by Bitfinex — one of which was meant to be kept offline — and the third key was held by BitGo.

After the hack, BitcoinTalk owner “theymos” described BitGo as selling “a false sense of security”. It was speculated that “[Bitfinex was] actually trading in cold storage for 100% hot storage”, referring to the switch-over from Bitfinex’s previous storage setup to the BitGo multi-signature arrangement. Following the hack, Bitfinex re-implemented their original cold storage procedures and suspended the use of the BitGo segregated multi-signature wallet solution.

What came next surprised everybody: Instead of taking on the losses as a company, Bitfinex decided to subtract 36% from each of its customers holdings, and issue “BFX tokens” as a replacement for the lost funds. They said that the “BFX tokens” could be redeemed by the exchange or converted to shares in its parent company iFinex.

However, there was problem with that: according to legal experts, Bitfinex made it clear in their Terms of Service that the company had no legal right to access customer funds without their permission. An excerpt from Bitfinex’s Terms of Service at the time stated:

Notwithstanding the distribution of the private keys and subject to any valid liens, encumbrances, and pending settlements, all bitcoins in your Multi-Signature Wallets belong to and are owned by you. You may, at any time, withdraw bitcoins from your Multi-Signature Wallet to the extent that they are not encumbered by any Liens.

Ryan Straus, a Fenwick & West lawyer who advises financial technology companies on regulation and co-authored the U.S. chapter of a book on Bitcoin law, confirmed that “imposing losses on customers who were not hacked appears to go against the company’s terms of service”.

“I feel like I was robbed,” one investor who had a five-figure U.S. dollar amount on the platform told Reuters. “Basically they took customers’ funds in order to try to stay afloat.”

On April 3, 2017 — eight months after the attack — Bitfinex started allowing users to cash outstanding BFX tokens out for their full value of $1 per token.

QuadrigaCX smart contract accident (2017)

In June 2017, the biggest cryptocurrency exchange in Canada made a programmer’s mistake that ended up costing the company approximately US$15 million in ether.

While routinely sweeping ether deposits into an Ethereum—Ethereum Classic “splitter contract”, a QuadrigaCX programmer made an error. The programmer called a function in the splitter smart contract with a corrupted transaction data payload, which was the result of failing to prefix a certain value with 0x (which is necessary to indicate a string is hex-encoded). The smart contract was unable to execute correctly because of the error, and the ETH became trapped forever.

The mistake caused the permanent loss of 67,316 ETH. QuadrigaCX paid for the mistake out of its profits; its customers were not affected.

Bithumb hack (2017)

In July 2017, a major hack occurred on the South Korean cryptocurrency exchange Bithumb. At the time, Bithumb was one of the top five largest ether and Bitcoin cryptocurrency exchanges.

Bithumb said that the attacker stole a cache of user information off the personal computer of an employee. The data included the names, e-mail addresses and phone numbers of more than 31,000 customers.

The stolen customer information was then used to facilitate sophisticated spear-phishing attacks in an effort to drain customers’ balances on the exchange. The hackers were able to make off with billions of South Korean won.

Bithumb said in a statement that they would reimburse victims of the data leak with 100,000 won (~US$87) per person. More than one hundred Bithumb customers later filed a complaint against Bithumb with the National Police Agency’s cybercrime report center.

BTC-e collapse (2017)

BTC-e was one of the largest and longest running cryptocurrency exchanges until it was shut down in July, 2017.

On July 26, 2017, a U.S. Department of Justice press release confirmed the arrest of Alexander Vinnik and the seizure of the Bulgaria-based BTC-e exchange. The U.S. grand jury indictment revealed BTC-e to be the destination of stolen funds from Mt. Gox, Bitcoinica, Bitfloor and others.

SAN FRANCISCO – A grand jury in the Northern District of California has indicted a Russian national and an organization he allegedly operated, BTC-e, for operating an unlicensed money service business, money laundering, and related crimes.

The U.S. government alleges that the exchange helped to launder more than US$4 billion worth of ill-gotten money.

As to Vinnik, the indictment alleges that he received funds from the infamous computer intrusion or “hack” of Mt. Gox – an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking. The indictment alleges that Vinnik obtained funds from the hack of Mt. Gox and laundered those funds through various online exchanges, including his own BTC-e and a now defunct digital currency exchange, Tradehill, based in San Francisco, California. The indictment alleges that by moving funds through BTC-e, Vinnik sought to conceal and disguise his connection with the proceeds from the hacking of Mt. Gox and the resulting investigation.

Before it was shut down, the exchange’s operators had been long known to keep an extraordinarily low profile, so much so that until news of Vinnik’s arrest broke, the identity of anyone behind the exchange was unknown.

According to the U.S. Department of Justice, Alexander Vinnik — who is purported to be the founder of BTC-e — developed a customer base that was “heavily reliant on criminals, including by not requiring users to validate their identity, obscuring and anonymizing transactions and source of funds, and by lacking any anti-money laundering processes.”

Alexander Vinnik was arrested in Greece and has been extradited to the U.S. to face charges that carry a maximum prison sentence of 55 years. He denies the allegations, claiming he was merely a technical consultant to BTC-e and not its operator.

OKEx incident (2017)

In August 2017, a number of users reported suspicious activity on their accounts on the Chinese trading platform OKEx, which is a subsidiary of OKCoin.

At least ten customers of OKEx alleged that more than 600 BTC was stolen from their collective accounts at around the same time. One user said that they noticed that their OKEx account was logged in to from an unknown German IP address.

OKEx responded by denying that the exchange was hacked, blaming the affected users for failing to secure their accounts with two-factor authentication. They said on Twitter:

No. OKEx was NOT being hacked. Yet several users got password stolen. That’s why we issued a reminder for all uses to properly protect their password and a guideline on google 2FA.

According to OKEx, the numerous reports of similar thefts that occurred at around the same time were coincidental, and it was all the users’ fault. In total, the OKEx attacks resulted in a reported loss of 600 BTC.