Popular Hong Kong-based cryptocurrency exchange Bitfinex has suffered a security breach that resulted in the theft of millions’ worth of Bitcoin.
119,756 BTC, to be exact, which amounts to some $77 million – or did, before news of the hack spread and resulted in a 20 percent drop of the price of Bitcoin.
Bitfinex still doesn’t know how the attack was pulled off, and is collaborating with law enforcement on the investigation into what happened. In the meantime, they halted all trading on, digital deposits to and withdrawals from the exchange.
“As we account for individualized customer losses, we may need to settle open margin positions, associated financing, and/or collateral affected by the breach,” they explained in a note posted on the exchange’s website and the exchange’s service status page to inform the public about the details of the breach.
“Any settlements will be at the current market prices as of 18:00 UTC [on August 2, 2016]. We are taking this necessary accounting step to normalize account balances with the objective of resuming operations. We will look at various options to address customer losses later in the investigation. While we are halting all operations at this time, we can confirm that the breach was limited to bitcoin wallets; the other digital tokens traded on Bitfinex are unaffected.”
Community and product development director Zane Tackett took to Reddit to offer more insight. Among the things he shared are that:
- They still haven’t solidified their plans for relaunching the site
- Only Bitcoins were stolen
- They’ve already received a lot of reports of different people claiming to be the hacker
- The attacker managed to bypass 2FA to access individual wallets
- Limits in place to restrict the amount of BTC that could be signed for a withdrawal have also been bypassed, but they don’t know how
It was the customers who first noticed that something was amiss, as they saw funds drained from their wallets. Bitfinex uses BitGo wallets – segregated, multi-signature wallets – so it’s unclear how the attackers managed to access them. BitGo says that they have “found no evidence of a breach to any BitGo servers.”
All this seems to point towards the breach being the work of an insider, but Tackett says that they are “quite positive with a high degree of certainty that it was not an inside job.”
He said that they will be providing an update on the situation on Wednesday.