
Bitfinex Hack

Date: August 2, 2016 | Amount stolen: $72 million | Category: Exchange Security Breach | Chain: Bitcoin

The Story

On August 2, 2016, Bitfinex, one of the world's largest cryptocurrency exchanges at the time, announced that it had suffered a major security breach. Hackers had stolen approximately 119,756 Bitcoin, valued at around $72 million at the time of the theft (worth billions at today's prices).

The breach sent shockwaves through the cryptocurrency community and caused an immediate 20% drop in Bitcoin's price. To handle the losses, Bitfinex made the controversial decision to "socialize" the losses among all its users, reducing every customer's balance by 36%, regardless of whether they held Bitcoin. In exchange, customers received BFX tokens representing Bitfinex's debt to them.

Remarkably, Bitfinex eventually made good on its promise and repaid all affected users by April 2017. The case took an unexpected turn in February 2022, when the U.S. Department of Justice announced it had recovered $3.6 billion worth of the stolen Bitcoin and arrested two individuals in connection with laundering the proceeds.

Technical Analysis

The Bitfinex hack exploited weaknesses in the exchange's multi-signature wallet system. Following the notorious Mt. Gox collapse, Bitfinex had partnered with BitGo to implement a multi-signature arrangement intended to add a second layer of protection over customer funds:

  • Each user's funds were stored in segregated wallets
  • Each wallet required 2-of-3 signatures to move funds
  • Keys were distributed between Bitfinex (2 keys) and BitGo (1 key)

While the exact details of the breach were never fully disclosed, the attacker was somehow able to:

  1. Compromise Bitfinex's key management system
  2. Obtain the necessary signatures to authorize withdrawals
  3. Bypass BitGo's security measures that should have flagged the suspicious transactions

Unlike most smart contract hacks, this was primarily a breach of the exchange's security systems rather than an exploitation of blockchain code vulnerabilities.
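The key-distribution point above (two of the three keys held by the exchange, one by BitGo) is worth making concrete. The following is an added illustration, not Bitfinex's or BitGo's code: it models a 2-of-3 quorum with each key tagged by the organisation that controls it, and shows that a plain M-of-N check is satisfied by the two exchange-held keys alone, whereas a separation-of-duties rule requiring signatures from at least two different custodians is not. Key names, custodian labels and the policy functions are assumptions for the example; the page itself notes that the co-signer's own controls should have flagged the withdrawals, which this model does not attempt to capture.

```python
from dataclasses import dataclass

# Constructed model of a 2-of-3 multi-signature arrangement. It is an
# illustration only, not the actual Bitfinex/BitGo implementation; key ids
# and custodian labels are assumed.

@dataclass(frozen=True)
class KeyHolder:
    key_id: str
    custodian: str   # organisation that controls this signing key

# Assumed layout mirroring the text: two keys with the exchange, one with
# an external co-signer.
KEYS = (
    KeyHolder("key-A", "exchange"),
    KeyHolder("key-B", "exchange"),
    KeyHolder("key-C", "co-signer"),
)
THRESHOLD = 2


def quorum_met(signers, threshold=THRESHOLD):
    """Plain M-of-N rule: enough distinct keys signed, regardless of who holds them."""
    return len({k.key_id for k in signers}) >= threshold


def custodians_represented(signers):
    """Set of organisations whose keys appear among the signatures."""
    return {k.custodian for k in signers}


def split_control_met(signers, threshold=THRESHOLD, min_custodians=2):
    """M-of-N plus a separation-of-duties rule: the signing keys must come
    from at least `min_custodians` different organisations, so that losing
    every key inside one organisation is still not enough to move funds."""
    return (quorum_met(signers, threshold)
            and len(custodians_represented(signers)) >= min_custodians)


def evaluate(signers):
    """Summarise how a given set of signatures fares under both rules."""
    return {
        "quorum": quorum_met(signers),
        "custodians": sorted(custodians_represented(signers)),
        "split_control": split_control_met(signers),
    }


if __name__ == "__main__":
    exchange_only = [KEYS[0], KEYS[1]]          # both keys from one custodian
    cross_custodian = [KEYS[0], KEYS[2]]        # one key from each side
    print("exchange keys only :", evaluate(exchange_only))
    print("exchange + co-signer:", evaluate(cross_custodian))
```

The design choice is the second rule: once a single organisation holds enough keys to reach the threshold by itself, the threshold no longer buys independence from that organisation's internal compromise, which is the situation the lessons below describe.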

Lessons Learned

  1. Even multi-signature security systems can be compromised if implemented or managed improperly
  2. Exchanges should implement transaction volume limits and anomaly detection
  3. Cold storage should be used for the majority of funds, with hot wallets containing only what's needed for daily operations
  4. Security audit trails and logging are essential for all critical operations
  5. Proper key management practices and secure hardware storage are fundamental
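Lessons 2 and 4 (volume limits, anomaly detection, audit logging) can be sketched in code. The following is an added example, not part of the original write-up and not any exchange's production logic: it reads constructed withdrawal audit-log lines, enforces a platform-wide rolling one-hour withdrawal ceiling, and flags any withdrawal that is far larger than that customer's own prior withdrawals. The log format, the field names, the cap and the ratio are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed audit-log lines (not real Bitfinex data). Several normal-sized
# withdrawals are followed by a burst of very large ones.
SAMPLE_LOG = """\
2016-08-02T09:00:00Z withdraw user=alice amount_btc=0.40
2016-08-02T09:05:00Z withdraw user=bob amount_btc=1.20
2016-08-02T09:30:00Z withdraw user=alice amount_btc=0.55
2016-08-02T10:00:00Z withdraw user=carol amount_btc=0.10
2016-08-02T10:12:00Z withdraw user=alice amount_btc=0.45
2016-08-02T10:40:00Z withdraw user=bob amount_btc=1.10
2016-08-02T11:00:00Z withdraw user=alice amount_btc=300.00
2016-08-02T11:01:00Z withdraw user=bob amount_btc=450.00
2016-08-02T11:02:00Z withdraw user=carol amount_btc=260.00
"""

HOURLY_CAP_BTC = 500.0   # assumed platform-wide ceiling per rolling hour
PER_USER_RATIO = 20.0    # assumed: flag if amount > ratio * user's median prior withdrawal
MIN_HISTORY = 2          # need this many prior withdrawals before judging a user


def parse_line(line):
    """Parse one 'TIMESTAMP event key=value ...' audit line into typed fields."""
    ts_str, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, event, kv["user"], float(kv["amount_btc"])


def scan_withdrawals(log_text, hourly_cap=HOURLY_CAP_BTC, ratio=PER_USER_RATIO):
    """Return a list of (iso_timestamp, alert_kind, user, amount) tuples.

    Two independent checks run over the stream in order:
      * volume_cap   - total withdrawn in the trailing hour exceeds hourly_cap
      * user_anomaly - amount is more than `ratio` times the user's median
                       prior withdrawal (only once MIN_HISTORY are known)
    """
    window = deque()          # (timestamp, amount) pairs inside the last hour
    window_total = 0.0
    history = defaultdict(list)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, amount = parse_line(raw)
        if event != "withdraw":
            continue
        # Drop entries that have fallen out of the trailing one-hour window.
        while window and ts - window[0][0] > timedelta(hours=1):
            _, old_amount = window.popleft()
            window_total -= old_amount
        window.append((ts, amount))
        window_total += amount
        if window_total > hourly_cap:
            alerts.append((ts.isoformat(), "volume_cap", user, amount))
        prior = history[user]
        if len(prior) >= MIN_HISTORY and amount > ratio * median(prior):
            alerts.append((ts.isoformat(), "user_anomaly", user, amount))
        prior.append(amount)   # record after judging, so a spike is not its own baseline
    return alerts


if __name__ == "__main__":
    for alert in scan_withdrawals(SAMPLE_LOG):
        print(alert)
```

On the constructed input the first large withdrawal is caught by the per-user baseline before the platform-wide cap trips, which is the reason to run both checks rather than rely on a single global threshold: a cap alone is silent until the cumulative outflow is already large, while a per-user baseline is silent for customers with no history. Either alert would be a point at which a withdrawal pipeline can hold the transaction for review rather than sign it.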