A bitcoin exchange that once prided itself on storing its customers' money more safely than the competition was taken for more than $60 million worth of the virtual currency on Tuesday, the second largest theft of bitcoin ever.
The theft rocked the bitcoin community and sent the currency's price plummeting. Not only was the hacked bitcoin exchange, Bitfinex, one of the largest in the business, but it stored user funds with a much-vaunted technology called "multi-signature wallets," which the company once flaunted as being "superior" to the competition.
That failure has some bitcoin users turning to the digital equivalent of stuffing cash under their mattresses.
Instead of traditional "cold storage," in which bitcoins are pooled and stored on a drive not connected to the internet, Bitfinex partnered with Palo Alto-based company BitGo to offer online, multi-signature wallets to users. In this set-up, every Bitfinex user is assigned their own wallet with three cryptographic keys—one held by Bitfinex, one by BitGo, and one in cold storage under Bitfinex's control. To move funds from a user's wallet, two keys (one from each company) must approve the transaction. If BitGo is unavailable, Bitfinex can use its cold storage key.
Bitfinex's support page, which now only displays a message alerting users to the hack, previously stated that this method was more secure than cold storage, since "attackers are required to compromise both institutions before getting funds." The problem is, BitGo tweeted on Tuesday that it had not been hacked, suggesting the problem lies with Bitfinex and its keys.
So, what happened? Nobody really knows yet, but speculation has ranged from hackers-for-hire to an inside job. Since BitGo claims it wasn't hacked, only a few scenarios seem plausible. Either a hacker gained control of Bitfinex's regular key and its key in cold storage, or hacked both Bitfinex and BitGo (and BitGo just hasn't noticed yet), or parties inside both companies colluded to release the funds.
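The custody layout described above, modeled as an added example (not code from Bitfinex, BitGo, or this article): it lists which institutions control each two-key signing set and checks whether any single institution is enough. The key labels and the three-custodian contrast layout are assumptions made for illustration.

```python
from itertools import combinations

# Layout as the article describes it: three keys per user wallet, any two
# of which can move funds. Key labels are chosen for this example.
BITFINEX_LAYOUT = {
    "bitfinex_online": "Bitfinex",
    "bitgo": "BitGo",
    "bitfinex_cold": "Bitfinex",
}
# Hypothetical contrast (not from the article): one key per custodian.
INDEPENDENT_LAYOUT = {
    "key_a": "Custodian A",
    "key_b": "Custodian B",
    "key_c": "Custodian C",
}
THRESHOLD = 2


def signing_sets(layout, threshold=THRESHOLD):
    """Map each minimal key set that can sign to the custodians holding it."""
    return {
        keys: frozenset(layout[k] for k in keys)
        for keys in combinations(sorted(layout), threshold)
    }


def min_custodians_to_breach(layout, threshold=THRESHOLD):
    """Fewest distinct custodians that must be compromised (or collude)."""
    return min(len(c) for c in signing_sets(layout, threshold).values())


def sole_points_of_failure(layout, threshold=THRESHOLD):
    """Custodians whose compromise alone is enough to move funds."""
    owners = signing_sets(layout, threshold).values()
    return sorted({next(iter(c)) for c in owners if len(c) == 1})


def can_sign_without(layout, missing, threshold=THRESHOLD):
    """Availability check: can funds still move if one custodian is offline?"""
    return sum(1 for owner in layout.values() if owner != missing) >= threshold


if __name__ == "__main__":
    for name, layout in (("article", BITFINEX_LAYOUT), ("independent", INDEPENDENT_LAYOUT)):
        print(name, min_custodians_to_breach(layout), sole_points_of_failure(layout))
        for keys, owners in signing_sets(layout).items():
            print("  ", " + ".join(keys), "->", sorted(owners))
```

The same property that lets Bitfinex sign when BitGo is unavailable is what makes Bitfinex a single point of failure in this model.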
Users on Reddit noted that Bitfinex did actually use cold storage previously, and blamed the US Commodity Futures Trading Commission for a 2015 move to multi-signature wallets, which allowed for the hack. In a June settlement, the CFTC knocked the exchange for not actually "delivering" the coins that users traded, since the company stored all its coins in pooled wallets that it controlled. However, Bitfinex and BitGo's partnership began about a year before the CFTC ruling.
Neither BitGo nor Bitfinex has responded to Motherboard's request for comment.
Either way, bitcoin users are pissed off—mostly because this keeps happening. Again and again, major bitcoin exchanges have been hit by hacks that, while damaging to the companies themselves, ultimately hurt regular folks. Whether the culprit is a mysterious hacker or an executive who decided to break bad doesn't matter much to someone who just lost their savings.
In response, commenters on Reddit are advocating that users store their funds inside wallets on their own computers instead of on websites like Bitfinex, the idea being that these types of websites—with pools of tens of millions of dollars just sitting there—are inevitably going to be hacked. If the coins are stored online, as in Bitfinex's case, it only makes the massive prize an even more attractive target.
"While it can be comforting to think, 'I keep my bitcoin with Company', in reality, you're simply adding your money to an already large jackpot for hackers," Reddit user "bitjson" wrote in one highly-rated post. "No company is immune, and the bigger the target, the more complex hacking attempts can get."
You can't store the "Internet of Money" on an internet connected computer!
— Nicholas Weaver (@ncweaver) August 2, 2016
For even more security, since, theoretically, anything connected to the internet can eventually be hacked, other users are promoting their own use of individual cold storage—storing one's coins on a device that is never connected to the internet, perhaps except to move coins—and encouraging others to do the same. This is the security equivalent to stuffing all of your cash into a safe in your bedroom, instead of depositing it in a bank.
It's unclear whether anybody will get their money back, or who (if anyone) will ultimately be blamed. With all of this uncertainty, some fans of a 21st century cryptographic currency are bound to act a bit like paranoid grandparents and take their finances off the grid.