Mike Caldwell, a 35-year-old software engineer, holds a 25 Bitcoin token at his shop. (Rick Bowmer, AP, file)
Hong Kong - It seemed bitcoin exchange Bitfinex was doing all the right things. In the end, that didn’t stop hackers from stealing $65m (R867m).
The latest in a long list of attacks on the digital currency since its birth in 2009 has been particularly vexing for the bitcoin community.
Not only was Bitfinex the largest exchange for US dollar transactions, but the hack highlights that the industry hasn’t figured out critical security, despite years of learning from mistakes and making improvements to its infrastructure.
Even as the incident has triggered calls for audits in certain parts of the industry, experts don’t anticipate the investigations will unearth new ways of radically strengthening protection.
What’s more telling, they say, is that the community’s willingness to vilify targets while shrugging off the need for industry-wide solutions is a sign it’s doomed to happen again.
“There is a long tradition of blaming the victim in the bitcoin community,” said Emin Gun Sirer, a Cornell University computer science professor who researches the currency.
“But when you have a six-year long history of near-continuous key theft, at some point, we have to stop shirking off the responsibility.”
The fallout has been widespread. Bitfinex imposed a levy on customers to cover the lost $65m, taking 36% of everyone’s assets whether they had been hit by the hackers or not. The price of bitcoin also plunged on news of the hack, slashing the value of the digital currency well beyond Bitfinex.
Collectively, investors have lost about $1.2bn (R16bn) since the attack, according data from Coindesk.
That’s not to say bitcoin security hasn’t come far, through the efforts of thousands who work and volunteer to improve the digital currency.
Since Mt. Gox - at one time the world’s largest exchange - was hacked for $450m (R6bn) in early 2014, most venues have adopted tough security measures, including segregated client accounts, external audits of systems and two-factor authentication for securing logins.
Another step forward has been multi-signature security, which essentially splits the private keys attached to every bitcoin into several copies and hides them in multiple locations.
The technology requires a sign-off from a majority of the copies (for example, two out of three) before the bitcoin can be moved again. That forces hackers to breach multiple systems before they can get access to funds.
Bitfinex made use of the technology and, as suggested by security experts, stored copies offline and with a third party, its security partner BitGo.