Bitcoin Exchange Bitfinex Says It Was Hacked, Roughly $60M Stolen

An anonymous reader quotes a report from Reuters: Hong Kong-based digital currency exchange Bitfinex said late on Tuesday it has suspended trading on its exchange after it discovered a security breach, according to a company statement on its website. The company said it has also suspended deposits and withdrawals of digital currencies from the exchange. "We are investigating the breach to determine what happened, but we know that some of our users have had their bitcoins stolen," the company said. "We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up." The company said it has reported the theft to law enforcement. It said it has not yet determined the value of digital currencies stolen from customer accounts. CoinDesk reports that the company confirmed roughly 120,000 BTC (more than $60 million) has been stolen via social media. "In response, bitcoin prices fell to $560.16 by 19:30 UTC, $530 by 23:30 and $480 at press time, CoinDesk USD Bitcoin Price Index (BPI) data reveals," reports CoinDesk. "This price was roughly 20% lower than the day's opening of $607.37 and 27% below the high of $658.28 reached on Saturday, July 30th, when the digital currency began pushing lower."

Seriously? Are people this stupid?

[bobbied]

YET ANOTHER exchange get's taken to the cleaners and looses scads of other folk's coin? Fools and their money are too soon parted.

For Pete's sake folks, DON'T keep your coin on deposit on some exchange, either buy something or convert it back into cash because *all* digital currency things are hacking magnets... And what do you think the hackers do with your coins when they steal them? Why they convert them to cash or buy something ASAP...

Would you keep your money in a bank if they kept getting robbed and YOU where the one who lost? Or if you kept gold coins in their vault and it kept getting broken into would you keep your coins there? No way. So why keep your BitCoin someplace where somebody else provides the security and YOU take the risk? Keep them on your own devices OFF LINE, until you need to use them.

Re: Seriously? Are people this stupid?

[St.Creed]

I have one like that right now! And for additional security, the paper backup is watermarked and uses special inks to prove validity to other people. I can even exchange them directly with everyone and they give me goods in exchange.

Bitcoin has sure come a long way!

Re:We were hacked, honest

[JustAnotherOldGuy]

I feel like I've heard this story before, from other BitCoin exchanges. I'm sure these guys are super honest and trustworthy, though.

Bitcoin exchanges seem to be hacked on a regular basis. Whether it's a genuine hack or insider funny-business hardly matters at this point. The take-away is that Bitcoin exchanges just aren't a safe place to keep your virtual money, which means there doesn't seem to be a safe place to store virtual money.

Yes yes, I know, "but banks get robbed every day!" the Bitcoin enthusiasts will say.

And that's true, but when a bank gets robbed you don't lose your money. This, to me, is what keeps me away from doing anything with Bitcoin (or any other virtual currency, for that matter). Go ahead, rob my bank. I won't lose any money. When Bitcoin reaches that level of security, then I'll consider it as a viable medium of exchange.

Re:We were hacked, honest

[chris2net23]

I've never lost any BitCoins. People are just stupid. Stop handing your BitCoins over to third parties. This isn't an issue with BitCoins. It's an issue with stupid. I store my BitCoins on *MY* computer. Not someone else's computer. I have some control over the level of security I wish to maintain. Now I don't run Apple's OS X or Microsoft's Windows OS so it's not like I am taking a big risk here. It's not that you can't compromise GNU/Linux... but the reality is I don't install random software on my computer either. I stick to which has been evaluated by the experts and is properly or semi-properly maintained.

Prepare schadenfreude generator!

[Applehu+Akbar]

Let's all hope this was ransomware proceeds.

Re:We were hacked, honest

[Kjella]

Bitcoin exchanges seem to be hacked on a regular basis. Whether it's a genuine hack or insider funny-business hardly matters at this point. The take-away is that Bitcoin exchanges just aren't a safe place to keep your virtual money, which means there doesn't seem to be a safe place to store virtual money.

Since we're already using wallet analogies, would you walk around with your life's savings in your wallet? Do you expect all stores to stop handling cash because you got mugged in a back alley or tricked by a pickpocket? Money you have on exchanges is like money you've taken to the marketplace, it's where you can spend them but you also run a risk of losing them. If you want a secure wallet, create a cold storage wallet and burn it to a CD and put it in a bank vault, then you'll have the security of a bank vault. Just make sure that if you ever need it you access it from a secure device, for example a live CD like Tails to transfer as much as needed to a "hot" wallet. Like putting money in the real wallet we once used to have.

Probably happens for real money, too

[thisisauniqueid]

This probably happens all the time in real banks, given how antiquated their IT systems are. You just don't hear about it, because the bank doesn't want to undermine your confidence, and can ask the Federal Reserve to bail them out. Not so with Bitcoin.

Growing pains of a new technology

[golodh]

I'm happy to hear that yet another piece of "alternative", "stick-it-to-The-Man" payment infrastructure has been burgled. Really.

It injects a much needed note of caution and realism into the dream of technologically focused, realism-challenged (and therefore irresponsible) amateur social engineers.

You see, a large part of the appeal of bitcoin comes from its aura of "under the radar", "the authorities need never find out" financial transactions.

This holds an attraction for several groups, of which two are problematic: outright criminals and their "lets-dodge-the-system" libertarian cousins.

I believe that outright criminals like the possibility of doing financial transactions without giving out your real name. Think "dark net" transactions involving in cybercrime services, malware, botnet control, stolen data, stolen credentials, drugs, weapons, etc. Think suppliers in "Silk Road" transactions.

I think that "lets-dodge-the-system" libertarians, who often figure as end-users of illegal goods and services are attracted to the possibility of doing "under the radar" financial transactions for the same reason: their real name can be kept undisclosed. In part they're happy to purchase illegal goods, in part they're ideologically motivated (as in "we need to grow alternative economy that's outside "government" or "system" control because all government is bad and "the system" is designed to screw us over").

For the first group (criminals) I believe it serves as a useful deterrent, or at least a risk and a complication.

For the second group it serves as a salutary reminder that their fellow citizens are at least as reprehensible as "the government" and just as capable of screwing them over as any "institution". After all, the institutions we have have evolved over several centuries, if not millennia, to strike a balance between freedom, safeguards, responsibility, accountability and free-for-all banditry. Something that starry-eyed, technology fixated "bash-the-system" enthusiasts will only appreciate if hammered home by personal or close-to-personal experience.

Where and how new technologies like bitcoin should fit into our society remains to be seen (and experimentally determined). However, our existing institutions have very real merits and safeguards that have evolved because of human nature itself. Such safeguards (which we all too often take for granted) are lacking from new technological developments and are just as important as the basic functionality. A reminder of which can only be positive.

Re:Growing pains of a new technology

[AmiMoJo]

The really easy fix is for the exchange to have insurance. If they don't have insurance, don't do business with them.

Re:Not even risk, loss virtually guaranteed with B

[Donwulff]

Or, if you were really concerned, you could just Google it: https://eprint.iacr.org/2016/167.pdf
"Broken SHA256: For a broken SHA256, meaningful
collisions or pre-images suggest that new transactions
should not be accepted. However, as we saw in Sec-
tion 4.3, unless a broken hash results in majority power,
an adversary cannot alter historical blocks or transactions.
The same can be said for hard-coding known public keys
with unspent outputs: even if the adversary gets a differ-
ent key that hashes to the same value, deriving the private
key should be infeasible if the signature scheme is still
strong. The plans for SHA256 thus seem to be more pru-
dent than necessary, but since they necessitate a hard fork,
rehashing the entire blockchain to add new checkpoints
or hardcoding public keys can only increase the security
of the transition period, but perhaps at a cost of efficiency."

A little plain-english translation would also be, that BitCoin and other cryptocurrencies (As well as, arguably, the security of every credit card in your pocket and bank transaction and online login and...) doesn't rely on the hash being "unbreakable", it just relies on it being non-trivial, and barring a general quntum computer, we know it to be non-trivial. In fact, the credit-card in your pocket is more vulnerable to single hash being broken, and the whole working principle of BitCoin (mining) is "cracking SHA-2".

The threat-model for BitCoin isn't that the hash will be broken, but that it will become significantly easier for one party; this is a special case of the general majority-hashing-power threat, where the "adversary" covertly through subterfuge or technology obtains majority hashing power. This in fact has happened before (Multiple times at least if you include Satoshi Nakamoto himself) and the world didn't come to an end.

This is not to say that I'm a BitCoin enthusiast, or even that I'm saying it's unbreakable, I'm just saying it's far more complicated and also analyzed, at least by other people than the BitCoin core developers, than a simple "OMGZORZS they gonna crack da hash!!!!111" :)

Re:We were hacked, honest

[horza]

Not just the Greeks but people lost their money in Iceland and Cyprus. People get their accounts hacked, card cloned, etc, all the time. Credit card fraud is way more than Bitcoin, and that cost just gets passed onto the bank customer (ie you).

It's amazing that people like JustAnotherOldGuy think banks are still safe. In the UK, anybody that has any sense spreads their money amongst multiple banks keeping under £75,000 (the amount guaranteed by the government) in each one.

For under $1000 I wouldn't even keep a backup more effort than a USB stick.

Phillip.

Re:We were hacked, honest

[horza]

If the bank gets robbed, the insurance replaces your money. You pay for this in bank fees. Nothing to stop somebody starting a Bitcoin insurance, so your money will be as safe as in a bank. That way you get the security without all the extortionate transfer fees.

Phillip.