Coin Metric: A deeper analysis of the largest Bitcoin exchange hacks
Re-examining four of the largest Bitcoin hacks: a report by Antoine Le Calvez and the Coin Metrics team.
When crypto-asset exchanges get hacked and large amounts of money are stolen, the news tends to spread quickly. However, coverage tends to focus on the amount stolen and rarely explores the deeper consequences and fallout of these shocks.
In this feature, we use both on-chain and market data to analyze four of the largest Bitcoin exchange hacks and look at the deep consequences of each, both positive and negative.
The Bitcoinica hack was one of the most influential hacks of all time. Bitcoinica launched in September 2011 as a Bitcoin trading platform created by Zhou Tong, a teenager at the time. It quickly attracted deposits from many prominent community members. In late 2011, Zhou Tong sold Bitcoinica to Intersango (a UK-based exchange) but stayed involved as CEO and lead developer.
From March to July 2012, Bitcoinica suffered a series of catastrophic incidents:
1) Mar. 12th: Linode compromise, lost more than 45k BTC ($214)
In March 2012, Bitcoinica’s servers were hosted by Linode. A Linode web portal was compromised by someone who explicitly looked for customers showing any sign of Bitcoin activity. Bitcoinica’s server was therefore targeted and its wallet emptied out.
Zhou Tong quickly publicized the theft, even publishing the hacker’s transactions. The theft was made possible by the use of an unencrypted wallet.
2) May 11th: Hot wallet theft, lost more than 18.5k BTC ($92)
A few weeks after the Linode compromise, another 18.5k BTC was stolen. Zhou Tong promptly disclosed the theft, along with the transaction’s hash. The publicly known cause was a compromise of an email server that escalated into a compromise of the exchange’s hot wallet. Zhou Tong took control quickly enough to avoid the theft of Bitcoinica’s Mt. Gox API key, which could have led to another 15k BTC being stolen (Bitcoinica held BTC on Mt. Gox in order to fill orders).
3) Jul. 13th: Mt. Gox API key exploit, lost 40k BTC and $40k
Following a leak of Bitcoinica’s source code, its old Mt. Gox API key was revealed and turned out to be the password of a LastPass account that contained the new Mt. Gox API key. Someone took advantage of this and stole 40k BTC and $40k out of Bitcoinica’s Mt. Gox account (the maximum daily withdrawal possible).
Source: Coin Metrics Reference Rates
Overall, 102,101 BTC and $40k of user funds were stolen from Bitcoinica. Roger Ver was probably one of the largest creditors, having held 24,841 BTC on Bitcoinica prior to July 2012. Bitcoin’s price was largely unaffected by all of the hacks and even rallied following the Mt. Gox API key exploit. Unfortunately for its creditors, the downfall of Mt. Gox tied up 64,673 of Bitcoinica’s BTC in bankruptcy proceedings that are still ongoing to this day.
On the positive side, the publication of Bitcoinica’s source code inspired many new entrepreneurs. Most notably, Bitfinex’s early codebase was derived directly from Bitcoinica’s.
When speaking about Bitcoin exchange hacks, one has to mention Mt. Gox, created by Jed McCaleb (who then went on to help create Ripple and Stellar). It was one of the first fiat on-ramps and quickly captured the majority of fiat inflows into Bitcoin from 2010 to 2013. It was later purchased and operated by Mark Karpelès. From its inception to its death, Mt. Gox went through a series of hacks that went largely unidentified, eventually culminating in its collapse in 2014.
Following its catastrophic collapse in early 2014, the public finally learned the scale of its mismanagement. An excellent analysis by Kim Nilsson, using Mt. Gox proprietary data, shed more light on how BTC was siphoned off Mt. Gox.
The following excerpt covers the transitional period between Jed McCaleb and Mark Karpelès, when the first major Mt. Gox hack occurred in March 2011.
79,956 BTC (worth around $70k) was stolen from Mt. Gox’s wallet in March 2011 after the server hosting the wallet was hacked. None of this BTC has ever moved since, so it is unknown whether the thief still has the address’ private key.
Later, in September 2011, someone got access to Mt. Gox’s hot wallet file, which contained keys that held BTC at the time as well as unused keys that would later be handed out as deposit addresses. Over time, the thief slowly withdrew money from the wallet, undetected because there was no wallet monitoring at all. As the thief’s wallet was a copy of Mt. Gox’s, some of the thief’s spends were interpreted as deposits by the Mt. Gox system, further muddying the traces of the thefts.
By 2013, there was no BTC left to be stolen, and Mt. Gox was fully insolvent (apart from 200k BTC held in cold storage, now at the center of bankruptcy proceedings). It wasn’t until February 2014, when Mt. Gox halted withdrawals, that the public fully learned about the hacks. The price of Bitcoin subsequently crashed.
Source: Coin Metrics Reference Rates
Mt. Gox’s insolvency had a major impact on Bitcoin. Suspicious trading behavior attributable to Mt. Gox occurred during the late 2013 price run-up, leading some to think the incredible rise of Bitcoin’s price at the time was not entirely natural, and its collapse durably depressed Bitcoin’s price. It took slightly more than 3 years for Bitcoin to reach another all-time high.
Mt. Gox was also the introduction to Bitcoin for many in the mainstream crowd. The stigma attached to Bitcoin because of Mt. Gox is still so strong to this day that one can only imagine what Bitcoin’s current public image would otherwise be.
As Mt. Gox concentrated most of Bitcoin’s trading for years, its disappearance left the field open for many competitors. Since then, no other exchange has dominated Bitcoin exchange market share as much as Mt. Gox did at its peak. Its collapse also highlighted the need for exchanges to monitor their Bitcoin holdings on a constant basis, something even Bitcoinica managed to do.
Born from Bitcoinica’s ashes, Bitfinex grew over time as it added more currencies and features, becoming one of the largest and most influential exchanges of today. It is estimated that Bitfinex had at least 225k BTC under custody on August 1st, 2016, just prior to its largest hack.
On August 2nd, 2016, 119,756 of these BTC were stolen. They were jointly custodied by BitGo and Bitfinex in 2 out of 3 multi-sig addresses (meaning 2 out of 3 keys have to sign a withdrawal transaction) where BitGo held one key and Bitfinex the others. While the details are still unclear, Bitfinex’s BitGo API key was compromised. Due to the lack of checks on how much BTC could be withdrawn in a given time window, very large amounts of BTC were stolen.
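Two controls are missing in the Mt. Gox and Bitfinex stories above: reconciling every on-chain spend from the exchange's keys against an approved withdrawal (so a thief spending from a copied wallet, even back into the exchange's own addresses, raises an alert), and capping how much may be withdrawn per transaction and per time window. The following is an added example of both, not code from the report or from either exchange; the wallet addresses, amounts and caps are constructed.

```python
from collections import deque

SAT = 100_000_000  # satoshis per BTC


class HotWalletGuard:
    """Constructed example: approve withdrawals under a rolling-window cap and
    reconcile every on-chain spend from wallet keys against those approvals."""

    def __init__(self, wallet_addrs, window_s, window_cap_sat, per_tx_cap_sat):
        self.wallet = set(wallet_addrs)
        self.window_s, self.window_cap, self.per_tx_cap = window_s, window_cap_sat, per_tx_cap_sat
        self.recent = deque()   # (ts, amount) approved inside the current window
        self.pending = []       # (dest, amount) approved but not yet seen on chain

    def authorize(self, ts, dest, amount_sat):
        """Decide whether the exchange signs this withdrawal (the check Bitfinex lacked)."""
        while self.recent and ts - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        if amount_sat > self.per_tx_cap:
            return "deny: per-tx cap"
        if sum(a for _, a in self.recent) + amount_sat > self.window_cap:
            return "deny: window cap"
        self.recent.append((ts, amount_sat))
        self.pending.append((dest, amount_sat))
        return "approve"

    def reconcile(self, chain_txs):
        """chain_txs: [(txid, [(src, sat)], [(dst, sat)])]; return alerts for any
        spend of wallet coins that does not match exactly one approved withdrawal."""
        alerts = []
        for txid, ins, outs in chain_txs:
            if not any(src in self.wallet for src, _ in ins):
                continue                                  # not our coins
            external = [(d, a) for d, a in outs if d not in self.wallet]
            matched = [o for o in external if o in self.pending]
            if len(external) == 1 and len(matched) == 1:
                self.pending.remove(matched[0])           # legitimate withdrawal
            else:                                         # e.g. wallet -> wallet moves
                alerts.append((txid, "wallet spend with no matching approval"))
        return alerts


# Constructed sample: W1..W3 are the exchange's keys; a thief holding a copy of the
# wallet moves coins W1 -> W3, which a naive ledger would book as a deposit.
guard = HotWalletGuard({"W1", "W2", "W3"}, 86_400, 1_000 * SAT, 500 * SAT)
decisions = [guard.authorize(0, "X1", 400 * SAT), guard.authorize(3_600, "X2", 500 * SAT),
             guard.authorize(7_200, "X3", 200 * SAT),      # 1,100 BTC in 24h: denied
             guard.authorize(100_000, "X3", 200 * SAT)]    # older approvals aged out
alerts = guard.reconcile([("tx1", [("W2", 400 * SAT)], [("X1", 400 * SAT)]),
                          ("tx2", [("W1", 300 * SAT)], [("W3", 299 * SAT)])])
```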
When the news broke, there was uncertainty about the amount involved. However, it was possible to get a very accurate estimate using on-chain analysis.
BitGo uses special addresses, known as P2SH (pay-to-script-hash), which enable complex multi-signature setups and are well suited to custody of large amounts of BTC. The thief elected to withdraw the heist money to non-P2SH addresses. The specialized website p2sh.info (now txstats.com) tracked the number of BTC stored in P2SH addresses and reflected this large movement a few blocks after it happened, which made it the first public source confirming the existence and size of the breach.
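The tracking p2sh.info performed can be reproduced from raw transaction data: classify each output script by its byte pattern and sum the BTC leaving P2SH outputs per block. This is an added example, not the site's code; the scripts below use dummy 20-byte hashes and constructed amounts.

```python
SAT = 100_000_000  # satoshis per BTC


def script_type(spk_hex: str) -> str:
    """Classify a scriptPubKey by its raw byte pattern (hex encoded)."""
    s = spk_hex.lower()
    if len(s) == 46 and s.startswith("a914") and s.endswith("87"):
        return "p2sh"    # OP_HASH160 <20-byte hash> OP_EQUAL: addresses starting with 3
    if len(s) == 50 and s.startswith("76a914") and s.endswith("88ac"):
        return "p2pkh"   # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    return "other"


def p2sh_delta_sat(tx):
    """Net change in BTC held by P2SH outputs caused by one transaction.
    tx = {"vin": [(spk_hex, sat)], "vout": [(spk_hex, sat)]}, prevouts already resolved."""
    spent = sum(v for spk, v in tx["vin"] if script_type(spk) == "p2sh")
    received = sum(v for spk, v in tx["vout"] if script_type(spk) == "p2sh")
    return received - spent


def block_p2sh_report(txs, alert_btc):
    """Sum the per-transaction deltas over a block; flag a net outflow >= alert_btc."""
    delta_btc = sum(p2sh_delta_sat(t) for t in txs) / SAT
    return {"delta_btc": delta_btc, "alert": -delta_btc >= alert_btc}


# Constructed sample scripts (dummy hashes, not real addresses)
P2SH_A = "a914" + "11" * 20 + "87"
P2SH_B = "a914" + "22" * 20 + "87"
P2PKH_X = "76a914" + "33" * 20 + "88ac"

BLOCK = [
    # a large sweep: two multisig-held P2SH prevouts drained to a plain P2PKH key
    {"vin": [(P2SH_A, 1_000 * SAT), (P2SH_B, 500 * SAT)],
     "vout": [(P2PKH_X, 1_500 * SAT - 1_000_000)]},          # 0.01 BTC fee
    # an ordinary 2 BTC deposit into a P2SH address
    {"vin": [(P2PKH_X, 2 * SAT + 10_000)],
     "vout": [(P2SH_B, 2 * SAT)]},
]
REPORT = block_p2sh_report(BLOCK, alert_btc=1_000)
```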
At the time of the hack, the price of Bitcoin dropped more than $200 but it recovered quickly after 3 months.
Source: Coin Metrics Reference Rates
Bitfinex’s hack is unique inasmuch as the exchange survived despite losing 36% of its reserves (on a USD basis). The firm even managed to thrive afterward, generating $730M in profit over 2017-2018.
Instead of electing to go into a very long and complex bankruptcy procedure (as the Bitcoinica and Mt. Gox cases illustrate), Bitfinex management decided to use financial engineering to get out of the hole created by the breach. Each account received a 36.067% reduction in all balances (even though only BTC was stolen) and was credited with an amount of BFX tokens. Bitfinex would either buy back BFX at a ratio of 1 BFX per dollar lost or convert it into shares of iFinex Inc, the BVI-registered company behind Bitfinex.
Creditors electing to convert their BFX into iFinex Inc shares would also receive Recovery Right Tokens (RRT), giving them exposure to any recovered heist funds once all BFX had been bought back or converted into shares. Each RRT held would give rights to $1 in recovered heist funds. An open market for BFX and RRT tokens was created on Bitfinex, allowing creditors to sell their BFX and thereby enabling market-based pricing of each token.
At first, BFX traded at 38 cents on the dollar and RRT at 20 cents on the dollar. BFX trading ended in April 2017 close to par, when all tokens had been either redeemed or converted into iFinex Inc shares. RRT still trades to this day at 2.9 cents on the dollar.
All BFX tokens were redeemed or converted into iFinex Inc shares. The use of the BFX token allowed Bitfinex to survive this otherwise critical event, and it even became a profitable trade for creditors who converted their BFX into iFinex Inc shares, as the entity distributed over $500M in dividends in the 2 years that followed.
Bitfinex also used a similar idea to get past the seizure of $850M deposited at payment processor Crypto Capital, raising $1B by selling 1B Unus Sed Leo (LEO) tokens, where each LEO token gives exposure to any recovery of funds from the heist. Any money left after redemption of RRT tokens, legal and other fees, will go towards buying LEO on the open market.
To this day, only 28 BTC have been recovered from this heist.
The last hack is Binance, an exchange that went on to dominate altcoin trading from late 2017 onward. Binance attracted many retail traders and amassed considerable Bitcoin and altcoin reserves.
On May 8th, 2019, a 7,000 BTC withdrawal from its hot wallet was triggered. Hackers supposedly broke into many retail accounts via various methods and managed to fool Binance’s hot wallet system into processing such a large withdrawal. While the details of how the hackers pulled off this heist are sparse, a theory has emerged over time as to how they managed to withdraw large amounts of BTC.
Binance lists many exchange pairs (601 active pairs as of writing), the majority of which are illiquid and therefore cannot support large trades. Hackers can exploit these pairs to concentrate funds from many hacked accounts into fewer ones.
Over time and through various methods, hackers acquired two types of access to Binance accounts: trade-only API keys (used to send trades from unsuspecting accounts) and full accounts (authorized to withdraw large amounts of BTC).
The hackers placed buy orders at very high prices on illiquid pairs from accounts authorized to withdraw large amounts of BTC, then used many hacked API keys to exhaust the order book of that pair all at once, filling all the resting buy orders down to the ones the hackers had placed from the withdrawal accounts. A large percentage of the hacked funds was thereby moved to the accounts chosen for withdrawal.
Bitcoin’s price was not hurt and even rallied shortly thereafter.
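From the exchange's surveillance side, the pattern described above leaves a clear footprint: one buyer on an illiquid pair is filled by many distinct counterparties at prices far from the pair's reference, within a short window. The following detector is an added example, not Binance's code; the trade records, reference prices and thresholds are constructed.

```python
from collections import defaultdict


def flag_concentration(trades, reference, window_s=300, min_sellers=5, price_mult=10.0):
    """Flag (pair, buyer) combinations where many distinct sellers fill one buyer's
    bids far above the pair's reference price inside a short time window.
    trades: [(ts, pair, buyer, seller, price, qty)]; reference: {pair: fair price}."""
    fills = defaultdict(list)                      # (pair, buyer) -> [(ts, seller)]
    for ts, pair, buyer, seller, price, _qty in trades:
        if price >= price_mult * reference[pair]:  # keep only grossly off-market fills
            fills[(pair, buyer)].append((ts, seller))
    flagged = {}
    for key, lst in fills.items():
        lst.sort()
        lo = 0
        for hi in range(len(lst)):                 # sliding window over time
            while lst[hi][0] - lst[lo][0] > window_s:
                lo += 1
            sellers = {s for _, s in lst[lo:hi + 1]}
            if len(sellers) >= min_sellers:
                flagged[key] = sorted(sellers)
                break
    return flagged


# Constructed sample: fair prices and a burst of off-market fills on an illiquid pair
REFERENCE = {"ABC/BTC": 0.0001, "ETH/BTC": 0.03}
# five different accounts sell to acct-W at 50x reference, 20 seconds apart
TRADES = [(t, "ABC/BTC", "acct-W", f"S{i}", 0.005, 100)
          for i, t in enumerate(range(1000, 1100, 20), 1)]
# ordinary trades near reference on a liquid pair
TRADES += [(1200, "ETH/BTC", "acct-N", "S9", 0.031, 5),
           (1201, "ETH/BTC", "acct-N", "S8", 0.0305, 5)]
# off-market fills from only three sellers: below the counterparty threshold
TRADES += [(5000, "ABC/BTC", "acct-Q", f"S{i}", 0.005, 10) for i in range(1, 4)]
```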
Source: Coin Metrics Reference Rates
A prior initiative called SAFU (Secure Asset Fund for Users), launched in August 2018, allowed Binance to avoid insolvency following the theft. Binance had been setting aside 10% of trading fees in a separate cold wallet to handle exactly this kind of situation.
From the Bitcoinica hack of a single server to the highly complex and well-orchestrated Binance hack, the constant duel between exchanges and whoever wants to steal their reserves has intensified.
Despite the millions in stolen funds and the many victims of these hacks, each stands as an important milestone in the maturation of an asset and an asset class, providing many lessons for future market participants:
- Bitcoinica allowed new exchanges to be born via its open codebase
- Mt. Gox’s implosion pushed Bitcoin into the mainstream, resulting in a more fragmented but industrious spot market and granted long-term enthusiasts low Bitcoin prices for many years
- Bitfinex’s hack and subsequent recovery via financial engineering might have been the idea behind many exchange tokens
- Binance’s recent hack showed the usefulness of self-insurance as well as the increased sophistication of hackers