WASHINGTON — While it's unclear who robbed the Hong Kong bitcoin exchange Bitfinex, stealing $72 million worth of the cryptocurrency, some have already decided U.S. regulators are at least partly to blame.
Critics point to a Commodity Futures Trading Commission action against Bitfinex earlier this summer that they argue made the firm more vulnerable to the Tuesday night attack.
"Bitfinex had settled with the CFTC just two months ago, which forced them to end their practice of stashing coins away securely offline," tweeted Leo Weese, a digital currency advocate in Hong Kong. "Instead, they had to 'deliver' coins daily between Bitcoin accounts assigned to each user. Tell me again how regulation 'protects' you."
The situation is complex and turns on whether the CFTC inadvertently pushed Bitfinex to adopt a weaker security system than it had been using. If so, the story is a stark reminder of how legacy regulatory models are an awkward fit for emerging technologies. However, several security experts said the way the exchange chose to use the new system was significantly flawed. In any event, the debacle seems likely to draw more regulatory scrutiny to the nascent cryptocurrency industry.
In June, the CFTC fined Bitfinex $75,000 for facilitating margin trading without being registered as a futures commission merchant. But the agency gave Bitfinex a way out, saying it had to register "unless the entity offering the transactions — such as Bitfinex — can establish that actual delivery of the bitcoins results within 28 days."
Last year, Bitfinex, possibly aware of the CFTC's investigation, began changing how it handled bitcoin so that it could effectively exchange them, thus avoiding the need to register.
Instead of keeping customers' funds in so-called cold storage, where the private keys are kept offline, it moved to multisignature bitcoin wallet provider BitGo. In a June 4, 2015, blog post, nearly a year before the fine, the company promised "complete segregation of all customer bitcoins" as a result of the technology.
Critics argue Bitfinex opened itself up to attack when it switched over to BitGo. The CFTC declined to comment and BitGo could not be reached.
Bitfinex denied the order contributed to the hack.
"This is a security issue, not a regulatory one," Stuart Hoegner, the company's general counsel, said in a statement to American Banker. "The CFTC is not the proximate cause of the security vulnerability."
Making the attack more ominous is the fact that multisignature is generally considered safe. Under that system, two or more private keys must sign a transaction in order to release funds from a bitcoin wallet. A wallet could be programmed to send money only if at least two of three keys signed off, for example, with one key controlled by the user, one by an exchange and one by a third party. Or a wallet could require three of five keys, with one stored on a phone, one printed out and locked in a safe, another stored on a thumb drive hidden in a sock drawer, and so on.
The idea is that bad actors would have to breach multiple machines in different locations to transact on one user's behalf.
"You know in the movies you see these nuclear weapon silos that require two keys and two independent people to turn the keys so you can launch the missile only when both people agree? Multisig is a similar situation," said Emin Gun Sirer, associate professor at Cornell University and co-director of the Initiative for Cryptocurrencies and Smart Contracts.
It remains unclear how hackers compromised the system.
"The question that we have to ask ourselves," said Jerry Brito, the executive director of Coin Center, a Washington think tank and advocacy group, "is what did the attacker do and who had the keys?"
Possibly in response to the CFTC's investigation, Bitfinex switched to holding its funds in multisignature accounts for each of its registered users — making the breach a question of protecting private keys, which are random-seeming strings of letters and numbers required for a user to access wallet funds.
"Does that introduce a vulnerability?" Brito said. "Not necessarily. It changes the attack surface."
Multisignature technology, he said, is only as strong as the way it is enforced. If Bitfinex, for instance, could access the keys held by BitGo too easily, this would create an opening for hackers.
Multisig "can be as safe as cold storage," Brito said. But it is not "magic pixie dust."
According to Sirer, multisig per se did not fail in this case; the exchange's specific implementation of it did. Bitfinex had set its controls to require two out of three parties to sign a transaction. However, Sirer explained, one entity had effective control, if not possession, of both keys — since Bitfinex would sign a transaction and instruct BitGo to sign the same one.
Indeed, Bitfinex's terms of service as of July 28 suggest BitGo played a passive role.
"BitGo holds one private key for each Multi-Signature Wallet and uses those keys to sign transactions as directed by Bitfinex," according to the document, which is cached on Google. "Unless compelled by an arbitrator or otherwise required by applicable law, BitGo will only use a private key to sign a Multi-Signature Wallet transaction that is first signed by Bitfinex." (The document goes on to tell users they can instruct BitGo to stop signing transactions should they have a dispute with the exchange.)
For some in the legal and regulatory community, this hack underscores the risks created by the vague regulatory landscape digital currency firms operate in.
"There isn't a unified regulatory regime for virtual currency companies," said Lauren Giles, a partner at Alston & Bird who specializes in virtual currency. "That means there are regulatory holes there."
Though Bitfinex has to comply with data security standards, it is not as closely watched as more regulated entities like banks or money transmitters, said Carol Van Cleef, a partner at Manatt, Phelps & Phillips.
"Not being a licensed money transmitter [or a futures commission merchant under the CFTC] meant that they had nobody who was looking over and making sure that they had a good data security program in place," Van Cleef said. Instead, she said, in a regulatory no man's land, "we rely largely on a process of enforcement actions after the fact."
Some maintain regulators are keeping an attentive eye on virtual currency. They "aren't looking the other way and not being thoughtful and focused on this already," said David Treat, the global managing director on blockchain for financial services at Accenture.
Either way, significant hacks have the potential to bring more financial regulators to the table — like the Consumer Financial Protection Bureau, which has so far only dipped its toes in these waters.
"We've been waiting for a point of inflection here where the impact of an event is sufficient enough to the consumers that the CFPB decides to step in," said Van Cleef.