Revisiting the 2016 Bitfinex Hack
Most people haven’t thought about the 2016 Bitfinex hack in awhile, but since those 119,756 Bitcoins (worth roughly $78,000,000 at the time) were stolen their value has skyrocketed: in fact, the 2016 Bitfinex hack would have a current value of almost $4,000,000,000 (01/22/2021). Pretty astounding.
What Happened in 2016?
Probably the main reason no one discusses the 2016 hack anymore is because no one, besides a few insiders who remain silent, knows what happened on that fateful day. But here’s a summary.
At 1802 UTC, August 2nd, 2016, Bitfinex freezes its trading engine and announces that it has suffered a breach. They stay down for 4–5 days.
In this interim, conversations between BitGo, Bitfinex’s custodian for its cryptocurrencies, and Bitfinex, begin to break down, with both sides claiming that responsibility lies with the other. BitGo states that the losses are no fault of theirs, saying that Bitfinex’s wallet setup is “unique.”
The explanation doesn’t go further, and meanwhile, Bitfinex executives and insiders blame BitGo for the issues.
Nothing comes of this, other than the knowledge that a mutli-sig wallet requiring 2/3 keys for verification is, somehow, compromised.
In fact, at one point, when a trader asks Phil Potter, CSO of Bitfinex at the time, if there’s a specific person he should reach out to with information at the FBI or some other law enforcement agency, Phil Potter says, “I don’t know because I’m not handling that, but if you had a particular piece of information, that would be useful, you could certainly send it to us, or to our general counsel, or to whatever.”
On August 6th, Bitfinex announces they have devised a solution to the hack… sorta: all customers receive a 36% haircut (besides Coinbase) and become signees to IVAs (individual voluntary agreements). In place of these losses they are to receive Bitfinex tokens, but despite being IVAs, customers “sign no waiver.” Congratulations, you invented tokenized debt and possibly some unregistered tokenized securities (to be fair, Ripple did it first!).
Bitfinex struggles to get customers to turn the tokens in for eventual redemption and/or equity (on a 1–$1 basis — sound familiar?) in the beginning, at one point bringing their CFO, Giancarlo Devasini into Whalepool, one of the larger trading groups in 2016, to urge large stakeholders to back Bitfinex. Publicly, Devasini speaks of “a lot of investment funds” and “Chinese investors” who are looking to buy shares of Bitfinex from customers.
And it works. I mean, I think it works? No one really knows.
There’s a lot of questions to ask from a lot of perspectives here:
- How did the Bitfinex hack occur?
- Were BFX tokens unregistered securities with possible unwilling participants?
- Who were these eager Chinese investors?
- How many of the tokens were purchased by BFX themselves?
- How many of the tokens were purchased below par value by BFX?
- Why was there no resolution between Bitfinex and BitGo?
- For how long was Bitfinex insolvent?
I already understand that many of these questions won’t be answered, but, when you’re discussing a major security breach, usually what’s desired is transparency. Instead, as usual, Bitfinex provides opaque unclarity.
A Tether Tie-In
At the time of the hack, Tether (a sister company of Bitfinex, under the iFinex umbrella) is mainly trading on Bitfinex and at a mere marketcap of ~$6,950,000. It is a niche tool for a niche marketplace.
A year later it has a marketcap of ~$300,000,000 and is used heavily by any and all non-fiat exchanges. Six months later its marketcap has blossomed to a resounding ~$2.5 billion.
Moving Along
Needless to say, neither Bitfinex nor Tether are ever audited for anything. No one hears anymore updates. No investigations, besides one’s looking directly into Bitfinex for <<other things>>, are ever confirmed or denied.
In 2019, a few Bitcoins are returned to Bitfinex, becoming a brief cause célèbre:
Lastly, in 2020, Bitfinex offers a reward no hacker would be likely to take:
Stay skeptical, friends
PS If you’re looking for a take from around the time of the hack, MrJozza has an excellent summary here: