Today cryptocurrency exchange Bitfinex proudly announced on Medium that the U.S. government has returned 27.66270285 bitcoin lost in an August 2016 security breach.
This sounds like great news for the exchange, but the announcement leaves out a very important detail. In the 2016 hack, 119,756 bitcoin were stolen, worth about $72 million at the time. This means only 0.023 percent of the exchange’s lost bitcoin have been returned. That percentage looks a little better if we’re comparing U.S. dollars. The bitcoin retrieved is currently worth about $104,730 (at time of writing), or 0.145 percent of the 2016 loss in USD. Bitfinex did not say how or where U.S. enforcement retrieved the bitcoin.
According to its Medium post, the Hong Kong-based Bitfinex has been working with “international law enforcement” since the 2016 attack. In November 2018, the exchange got word that the U.S. government had tracked down some bitcoin believed to have come from the breach. Bitfinex’s CFO, Giancarlo Devasini, also used the post as an opportunity to “extend an open invitation to the hackers, or anyone harboring information pertaining to the breach, to make contact in whichever medium they feel most secure with, to finally resolve the situation in a mutually beneficial manner”—the only real acknowledgement that not all bitcoin from the breach have been returned.
Funds recovered by the government will be given to holders of the Recovery Right Token (RRT), which Bitfinex created after the breach to replace its BFX tokens. All Bitfinex cryptocurrency holders experienced a “generalized loss percentage of 36.07 percent” immediately following the security breach.
Back in 2016, Bitfinex used a three-key arrangement to keep its customers’ funds safe. Two of the keys were held by Bitfinex, one online and one offline, while wallet provider BitGo kept the third to cosign transactions. At the time, BitGo reported “no evidence” of its servers getting hacked.
Today, Bitfinex offers an array of security measures, including two-factor authentication, the use of a physical security key, and advanced API key permissions, along with some account monitoring tools. The exchange claims to store the vast majority of its funds in cold wallets, with “approximately 0.5 percent” kept in hot wallets for ready use. At the time of the breach, the Commodity Futures Trading Commission had essentially aimed to prohibit Bitfinex from holding funds in cold wallets, as one critical Imgur post pointed out.
The loss of bitcoin in the August 2016 Bitfinex security breach was, at the time, dwarfed only by the Mt. Gox collapse roughly two years earlier. Then, about 850,000 bitcoin were stolen from the infamous exchange. When Canadian exchange QuadrigaCX went dark earlier this month, more than $190 million worth of customers’ funds disappeared. Still, a missing 119,728.337 bitcoin is nothing to sniff at.