Bitstamp, the world’s foremost bitcoin exchange, has admitted that a hacker has stolen just under 19,000 bitcoins, with a value approaching $5 million.
written by Brandon Hurst
The incident occurred over a number of hours starting on Sunday, January 4. It appears that the hacker was able to compromise Bitstamp’s hot wallet, emptying bitcoins from it in tranches of a few hundred or thousand at a time. Thanks to the transparency of the protocol, the whole episode can be seen on the blockchain.
Initially, Bitstamp continued to allow trading but warned customers with an email not to try using their existing deposit addresses, because transactions to these locations could not be honoured. ‘Today our transaction processing server detected problems with our hot wallet and stopped processing withdrawals. You should STOP SENDING bitcoin deposits to your Bitstamp account IMMEDIATELY as private keys of your deposit address may be lost. Your bitcoins already deposited with us are stored in a cold wallet and can not be affected.’
On January 6 it closed the site altogether, which remains the situation. The following message appeared on Bitstamp’s front page:
‘We have temporarily suspended Bitstamp services. Bitstamp customers can rest assured that their bitcoins held with us prior to temporary suspension of services on January 5th (at 9am UTC) are completely safe and will be honored in full.
‘On January 4th, some of Bitstamp’s operational wallets were compromised, resulting in a loss of less than 19,000 BTC. Upon learning of the breach, we immediately notified all customers that they should no longer make deposits to previously issued bitcoin deposit addresses. To repeat, customers should NOT make any deposits to previously issued bitcoin deposit addresses. As an additional security measure, we suspended our systems while we fully investigate the incident and actively engage with law enforcement officials.
‘This breach represents a small fraction of Bitstamp’s total bitcoin reserves, the overwhelming majority of which are held in secure offline cold storage systems. We would like to reassure all Bitstamp customers that their balances held prior to our temporary suspension of services will not be affected and will be honored in full.’
The theft of almost 19,000 bitcoins is one of huge significance, but not, it appears, catastrophic. Bitstamp has apparently learned from the mistakes of the past, and from other exchanges that were rather more complacent, and only keeps a small fraction of its reserves in its hot wallet for active trading. Bitstamp CEO Nejc Kodric tweeted: ‘To restate: the bulk of our bitcoin are in cold storage, and remain completely safe.’ A look at Bitstamp’s cold wallet gives reason for confidence. Some 135,000 BTC are safe and sound. Nevertheless, 19,000 BTC represents around an eighth of their total reserves.
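The two controls the story turns on, a withdrawal-processing server that halts the hot wallet once outflow looks abnormal, and the public ledger that lets the stolen coins be followed afterwards, can both be sketched in a few dozen lines. The script below is an added illustration, not Bitstamp's code; the transactions, address labels, window size and limit are all constructed placeholders, and the drain pattern (ordinary customer withdrawals followed by large tranches to one fresh address) merely mimics what the article describes.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One on-chain transfer, simplified to a single source and destination."""
    txid: str
    ts: int      # unix seconds
    src: str
    dst: str
    btc: float


HOT = "hot-wallet"  # constructed label, not a real address

# Constructed sample ledger: two routine customer withdrawals, then a drain in
# tranches to a fresh address, then the thief moving coins onward.
TXS = [
    Tx("t1", 0, HOT, "cust-a", 2.5),
    Tx("t2", 600, HOT, "cust-b", 4.0),
    Tx("t3", 3600, HOT, "thief-1", 800.0),
    Tx("t4", 4200, HOT, "thief-1", 1200.0),
    Tx("t5", 4800, HOT, "thief-1", 2000.0),
    Tx("t6", 5400, HOT, "thief-1", 3000.0),
    Tx("t7", 9000, "thief-1", "thief-2", 5000.0),
    Tx("t8", 12000, "thief-2", "exchange-x", 1500.0),
    Tx("t9", 12600, "thief-1", "thief-3", 2000.0),
]


def first_breach(txs, wallet, window_s, limit_btc):
    """Return the txid at which outflow from `wallet` over any trailing window of
    `window_s` seconds first exceeds `limit_btc`, or None if it never does.
    A processing server enforcing this limit would stop signing withdrawals
    from that point on, capping what a compromised hot wallet can lose."""
    recent = deque()
    total = 0.0
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.src != wallet:
            continue
        # drop transfers that have fallen out of the trailing window
        while recent and recent[0].ts < tx.ts - window_s:
            total -= recent.popleft().btc
        recent.append(tx)
        total += tx.btc
        if total > limit_btc:
            return tx.txid
    return None


def loss_with_halt(txs, wallet, window_s, limit_btc):
    """BTC that leave `wallet` up to and including the breaching transfer,
    versus the total that would leave with no limit at all."""
    stop = first_breach(txs, wallet, window_s, limit_btc)
    lost = 0.0
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.src == wallet:
            lost += tx.btc
        if tx.txid == stop:
            break
    unlimited = sum(tx.btc for tx in txs if tx.src == wallet)
    return lost, unlimited


def trace_forward(txs, origin):
    """Addresses that receive coins whose lineage passes through `origin`.
    Simple forward taint (no amount weighting): one pass in time order is
    enough, because a transfer can only spend coins received earlier."""
    tainted = {origin}
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.src in tainted:
            tainted.add(tx.dst)
    tainted.discard(origin)
    return tainted


if __name__ == "__main__":
    print("halt at:", first_breach(TXS, HOT, 3600, 2500.0))
    print("lost with / without limit:", loss_with_halt(TXS, HOT, 3600, 2500.0))
    print("downstream of thief-1:", sorted(trace_forward(TXS, "thief-1")))
```

The velocity limit is deliberately crude: a real exchange would also key it to the customer account, the destination's age and the hot wallet's intended float. The tracing function shows why a drained balance is hard to spend quietly: every address the coins touch joins the watch set, which is the point the article makes about the stolen 19,000 BTC being "closely watched".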
It seems that the hacker waited for the most opportune moment to carry out their crime. The weekend showed unusually high trading volumes, as traders panic-sold their coins. The price of bitcoin briefly touched the previous all-time high ($266, though that was on Mt Gox) and even dipped below it. Many people were sending coins to the exchange to cash them out at this point, and it would have been the perfect time to empty Bitstamp’s hot wallet.
Not another Gox
Although the Bitstamp hack has overtones of another Mt Gox, and bitcoiners are already comparing it to bitcoin’s most infamous moment, this is an altogether different case.
For starters, Bitstamp learned from Gox’s errors and has kept most of its coins safely offline; as Kodric states, there is enough to cover the losses – assuming that none are recovered from the hacker through legal means or via negotiations. (In past hacks of significant magnitude, the hacker has sometimes been paid off, returning the bulk of the funds for a smaller payment and assurances they won’t be pursued any further.)
Secondly, this was a single hack. With Mt Gox, there were months of warnings. Fiat withdrawals were delayed for weeks, with the effect that the price of BTC on Gox rose significantly above the market price: users were buying more than selling because they couldn’t get their money back out to their bank accounts. It was far easier to use Gox to buy bitcoins than sell them. It’s likely that Gox was running a fractional reserve because it had been leaking for months or even years.
So when Gox lost its 850,000 bitcoins (later revised down to 650,000 as 200,000 were later ‘found’), it very likely happened over a long period of time, and the coins disappeared into the network gradually. In fact, many were probably sold on Gox itself and the money can no longer be traced. With Bitstamp, the coins sit there in their new address, proof of exactly what happened and when.
Mt Gox’s demise was a shock that reverberated through the bitcoin markets and ecosystem. To be ‘Goxxed’ has passed into the crypto vernacular as a term for being scammed or robbed. Bitstamp’s moment of infamy has not reached anything like such lows.
What is particularly interesting is that the market has not reacted at all to the theft. After a sharp turn downwards over the weekend, bitcoin stabilised at around $270, and has remained there since. The thought of 19,000 BTC hanging over the market hasn’t given traders the jitters.
There could be a number of explanations for this. Stealing 19,000 BTC is one thing; selling them is another. That address will now be closely watched, and the coins within it tracked. If they are cashed out anywhere, there is a very good chance the seller can be traced. Neither is it easy to wash that amount of funds; mixers are of only limited use, and they require similarly large sums for the funds to be mixed with. So it may be that the stolen coins sit there for a long time.
More significantly, the hack happened at the end of a period of frenzied trading, which saw bitcoin’s price crash into the $260 range. Panic had gripped the market – and this at the end of a year-long bear market which saw the price drop by 75 percent. In short, almost anyone who had been planning to sell presumably already had. If this was the capitulation that many traders expected, no more bad news – at least on the relatively modest scale of the Bitstamp hack – would prompt them to sell.
Current indications are that Bitstamp will bounce back from this unfortunate episode – smarting to the tune of $5 million, perhaps, but still alive and thriving. A year ago, bitcoin exchanges were in a very different state.
Bitcoin.de recently passed an audit with flying colours, with balances fully verified by an independent auditing firm.