The coin was stolen 7,000 bitcoins, but the injury was Bitfinex's IEO?

In the morning of this morning, the recovery of the currency market in the past month ushered in a bad news: the official announcement of the currency security said that due to hacking, more than 7,000 bitcoins were stolen from the platform, and the loss exceeded $40 million.

Although the company announced that it will use platform funds to make up for user losses, the market still gives a pessimistic response in the short term. BNB fell more than 10% in half an hour, and the mainstream currencies such as Bitcoin fell.

Some analysts pointed out that the black swan incident that the currency security broke out this time has limited impact on ordinary investors, but it may make Bitfinex's IEO in trouble.

Beyond this, the endless stream of stolen exchanges has caused more and more investors to look forward to the arrival of centralized exchanges. The future pattern of the exchange is still variable.

01 coin security stolen

The history repeats itself, and the digital currency exchange currency has been looted by hackers.

In the morning of May 8, the company announced that the platform discovered a large-scale systematic attack in the early hours of the morning. The coin security wallet was stolen 7,000 bitcoins, worth about 40 million US dollars.

The currency security announcement shows that hackers use a combination of phishing and viruses to obtain a large number of user API keys and Google verification codes. In this way, the hacker completed the attack. The stolen 7,000 bitcoins accounted for 2% of the Bitcoin holdings of the Ministry of Finance.

"At present, it seems that the 7074 BTCs stolen from the coin security wallet have been temporarily stored by hackers in 20 major addresses, and have not spread further." Jeff, head of the Silicon Valley R&D Center of PeckShield, a blockchain security company, told a block. chain.

This means that the hacker has not yet completed the realization. After the theft, the company announced that it would use the platform's "SAFU Fund" to pay for all the stolen losses – the user did not have any losses. At the same time, the company announced that the platform will suspend the currency for one week.

The platform currency of the currency, BNB, still fell. Within half an hour after the news broke, the price of BNB fell by 10.6%.


In the morning of this morning, BNB fell sharply in a short time.

Bitcoin prices have also been significantly affected by the hacking incident.

According to CoinMarketCap data, from 7:34 am Beijing time today, BTC prices began to show a significant downward trend – within an hour, from $ 5954.54 to $ 5795.01, a drop of nearly 3%.

In addition to bitcoin, other mainstream digital currency prices have also experienced varying degrees of decline.

In fact, the money-for-money incident that the coin has suffered this time is not the first in the history of the digital currency exchange, nor will it be the last.

On July 4, 2018, the same time in Beijing time, Qian An also issued a notice saying that due to abnormal transactions, the platform will start temporary maintenance.

Since then, it has been reported that the currency security has been hacked, and the exchange wallet address has exceeded 7,000 BTC in two hours. Subsequently, the currency security carried out a rollback operation for the abnormal transaction, but denied the rumors that the platform encountered hacker money.

“In fact, almost all exchanges in the currency circle have experienced stolen money.” Exchange practitioner Ma Pu pointed out, “This is a tacit thing in the industry, because no exchange can do anything. ""

In 2014, Mt.Gox, the world's largest bitcoin exchange, was attacked by hacker money, 650,000 bitcoins were stolen, and the exchange went bankrupt. To this day, there are still investors who are defending their rights.

In March of this year, the DragonEx exchange announced that it had been hacked and would suspend all basic services such as transactions and replenishment. The analysis data of the decentralized vulnerability platform DVP shows that in this stolen incident, Long Net lost more than $5 million in assets.

Not just exchanges, almost all blockchain companies involved in digital currency business are plagued by hackers.

The IPO prospectus issued by mining company Bitcoin last year showed that the company had been hacked in 2017, and the $27 million digital currency was lost.

In the anonymous, decentralized, and unregulated digital currency world, hackers who have disappeared without a trace have been one of the biggest enemies of all blockchain companies.

02 reasons

Even if it has already become a head exchange in the industry, the currency security is still unable to get rid of the nightmare of hacking. How to avoid hacking and stealing money has become a problem for all blockchain practitioners to think about.

According to the announcement issued by the currency security, many blockchain security practitioners pointed out that the hackers in this incident may not have stolen the wallet private key of the currency, but only obtained the right to withdraw coins.

"The hacker should use the 'fishing' method to obtain the information of the user." Jeff said to a blockchain.

The so-called "fishing" refers to hackers in some way induce users to reveal their personal information.

The most common method is that the counterfeit exchange officially sends a spoofed email to the user, allowing the latter to open a forged exchange link and inducing users to fill in sensitive information such as accounts and passwords on the phishing website.

In addition, hackers can also induce users to download files containing Trojans and viruses to steal user information.

"In fact, users just need to avoid clicking on unfamiliar links, do not download unfamiliar files at will, look for the official website, you can prevent hacker fishing," Jeff said.

But the phishing operations of many hackers are still unpredictable. Not only ordinary users, even the internal staff of the exchange, have been "successful fishing" by hackers.


After the theft of the Dragon Net in March this year, the blockchain security enterprise dimension reduction security laboratory found that a customer service staff of Longwang had obtained a program installation package at a stranger before the platform was hacked. The program has a backdoor bundle – the hacker can use the back door to gain internal employee rights and penetrate the intranet to obtain the private key of the Dragon Wall.

In the view of Xu Bin, founder of InVault, a digital asset custodian platform, the stolen money may be related to the internal privilege of being attacked by hackers.

"According to the analysis of the currency security announcement, I think the hacker should not get the private key of the wallet, but at least get some internal authority." Xu Bin said, "In a short period of time, more than 7,000 bitcoins are taken away, and the hacker is likely to have already smashed it." Lost the currency control system of the currency."

"Or another possibility, the hacker is very familiar with the risk control strategy of the currency security, can bypass the risk control system and steal the platform assets." Xu Bin said, "So this hacker is either very powerful or lurking. For a long time, only the last blow."

According to the announcement issued by the currency security, the key to the success of hacking money is to obtain information such as the user's API key and Google verification code. In the past cases of theft of the exchange, the API has always been a hardest hit.

"The API key is a character, sometimes in the user's device. Once the user device is compromised, the hacker may get the key and pick up the user's assets." Jeff said, "So, for the exchange, The API has always been the place where security issues are most likely to arise."

This view has also been recognized by Xu Bin. In his view, most of the head exchange's private key management systems are very powerful. Therefore, the relatively weak API link will often become a key attack part of hackers.

Faced with an endless stream of exchange security incidents, many blockchain practitioners believe that if an exchange wants to avoid similar problems, it must make changes in two ways.

First of all, it is to strengthen the review.

“The platform needs manual review for unusual behaviors such as large amounts of money, new currency, new currency, and frequent coin withdrawals,” said Jeff.

Second, the exchange should also strengthen user education to help users improve their safety awareness.

"I personally suggest that users can also keep infrequently traded assets in their personal wallets, rather than long-term deposits on the exchange." Xu Bin said.

03 accidentally injured Bitfinex?

Since April this year, the long-lost currency market has suddenly ushered in a small wave of bull markets. Bitcoin has risen from $4,000 in early April and broke through $6,000 yesterday.

However, the sudden theft of the currency, but the investor's heart once again cast a shadow. Conspiracy theories have also emerged very quickly. Some investors have questioned that the so-called "hacking and stealing coins" is just a "message" released by the exchange and other platforms and short-sellers.

However, the follow-up performance of the market is not as expected by many people.

After the currency piracy incident, a series of digital currencies including Bitcoin had fallen. But soon, the mainstream currency quickly stopped falling. As of press time, the currency price of mainstream currencies such as Bitcoin is close to the price before the coin-breaking event.

“Although the currency piracy incident has caused the currency market to fall for a short time, the overall sentiment of investors is still optimistic, and the market performance seems to be astounding.” Liang Dong, director of the Zhongxingcun IoT blockchain laboratory, is on a blockchain. Said.

However, the onlookers who are keen on eating melons still find the biggest victims of this incident.


"This time the currency was stolen, the most injured may be another exchange – Bitfinex." Neil, a digital currency analyst at the Great White Shark Trading Community, told a blockchain.

After the hacker money incident, the currency security announcement issued: "In this week, the recharge and withdrawal of the (coin security platform) will be suspended."

In other words, within a week, the currency does not allow users to withdraw coins.

At the same time, Bitfinex is launching its own IEO project, plans to raise $1 billion to issue the platform currency LEO. Currently LEO is in the private placement phase, and the private placement period is until May 10, 2019.

“Coin’s announced that it would suspend the withdrawal of the currency at this time, which will inevitably result in some funds being unable to purchase LEO,” Neil said.

At the same time, the theft of the industry's head exchange currency has also caused some investors to worry. People’s voices about decentralized exchanges have also become stronger.

“In a centralized exchange, user assets are managed by the exchange. Once the exchange is hacked, the user will lose assets.” Mapu said, “but in the decentralized exchange, users can pass private The key to keep your own assets, you don't have to pay for the platform's mistakes."

In the decentralized exchange, the exchange is unable to guard against self-stealing. Even if the hacker obtains the wallet private key of the exchange, it steals the platform assets of the exchange, such as income, etc., rather than user assets.

But Jeff does not fully endorse this view. In recent years, many exchanges have been hacked, all related to the theft of API information. "If the user's API key is obtained by a hacker, whether it is a centralized exchange or a decentralized exchange, the user's assets cannot be avoided," he said.

However, Jeff also acknowledges that centralised exchanges have greater security risks than decentralized exchanges.

“The problem with centralized exchanges is that each exchange has a large collection of assets, and it’s more likely to be concentrated and stolen,” Jeff said.

On decentralized exchanges, it is difficult for hackers to steal large amounts of assets at once because digital currency is scattered among every user.

"The two exchanges have their own advantages and disadvantages, and in the future, the two types of exchanges are bound to coexist for a long time." Mao Pu finally concluded.

In the world of blockchains, hackers are like ghosts, and they don't miss any exploitable exploits.

This is not the first time the exchange has been stolen, nor will it be the last.

Security issues are already a test of all centralized exchanges, blockchain companies, and currency holders.

* Some of the respondents in the text are pseudonyms.

Text | Ratchet Pizza

Source | A blockchain