As one of the older exchanges in operation today, Bitfinex has experienced a number of hacks, the first major one taking place in May 2015. On that occasion a hacker obtained 1500 Bitcoin from a hot wallet controlled by the exchange, and the exchange quickly reimbursed the lost funds. A later attack proved more problematic: a hacker was able to circumvent security on the platform and access up to 119,756 Bitcoin, worth approximately $72m at the time.
The hacker was able to exploit a vulnerability in the multisignature system Bitfinex employed alongside Bitcoin wallet provider BitGo. In response to the theft, the exchange chose to issue BFX tokens, which were to be redeemed by its customers at a later date. Each BFX token was worth $1, and each investor was awarded tokens equal to the amount they had lost. Since issuing the tokens, Bitfinex has purchased them all back, completing its purchases in April 2017.
As a result of these hacks, Bitfinex has stepped up its security. Currently, 99.5% of client funds are stored offline in a multisignature cold storage system that is geographically distributed across multiple secure locations.
Client accounts are secured by using 2FA and U2F, in addition to PGP email encryption. Accounts are also monitored and strengthened by using a number of advanced verification tools that cover account activity. These include:
- The analysis of saved login data to root out unusual activity.
- The use of an intelligent system that detects IP address changes and prevents session hijacking.
- Email notifications that report logins and include a link to instantly freeze your account if you suspect malicious activity.
- Limiting access to your account based on IP address.
Bitfinex also closely monitors withdrawals in order to help stave off attacks. The platform’s security system currently monitors withdrawals by IP address and other behavioural patterns, and withdrawals that appear to be unusual trigger a manual inspection. Customers can also whitelist an address to ensure that withdrawals can only be sent to that particular destination. Bitfinex also claims that it uses a withdrawal confirmation step that is immune to browser malware.
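To make the layering of these controls concrete, the sketch below screens a withdrawal request against an address whitelist, an IP allow-list, a session IP check and two behavioural signals that route the request to manual review. It is an added illustration, not Bitfinex's code. The class names, the `screen` function, the 3x amount threshold and the sample data are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

REVIEW_MULTIPLIER = 3  # assumed threshold: flag amounts over 3x the usual maximum

@dataclass
class Account:
    whitelist: set       # withdrawal addresses the customer approved (empty = no whitelist)
    allowed_nets: list   # CIDR ranges the customer limited access to (empty = any)
    known_ips: set       # source IPs seen in saved login data
    typical_max: float   # largest past withdrawal, a simple behavioural baseline

@dataclass
class Withdrawal:
    dest: str
    amount: float
    session_ip: str      # IP the login session was created from
    request_ip: str      # IP the withdrawal request arrived from

def screen(acct: Account, w: Withdrawal):
    """Return (decision, reasons); decision is 'reject', 'manual_review' or 'allow'."""
    hard, soft = [], []
    ip = ip_address(w.request_ip)
    # Hard controls: any failure blocks the withdrawal outright.
    if acct.whitelist and w.dest not in acct.whitelist:
        hard.append("destination not whitelisted")
    if acct.allowed_nets and not any(ip in ip_network(n) for n in acct.allowed_nets):
        hard.append("request IP outside allowed ranges")
    if ip != ip_address(w.session_ip):
        hard.append("IP changed during session")
    if hard:
        return "reject", hard
    # Soft signals: unusual but not forbidden, so a human looks at it.
    if w.request_ip not in acct.known_ips:
        soft.append("IP not in login history")
    if w.amount > REVIEW_MULTIPLIER * acct.typical_max:
        soft.append("amount above baseline")
    return ("manual_review" if soft else "allow"), soft

# Constructed sample data (documentation IP ranges, placeholder addresses).
SAMPLE = Account(whitelist={"addr-A"}, allowed_nets=["203.0.113.0/24"],
                 known_ips={"203.0.113.10"}, typical_max=1.0)

if __name__ == "__main__":
    for w in (Withdrawal("addr-A", 0.5, "203.0.113.10", "203.0.113.10"),
              Withdrawal("addr-A", 5.0, "203.0.113.77", "203.0.113.77"),
              Withdrawal("addr-B", 0.5, "203.0.113.10", "198.51.100.5")):
        print(w.dest, w.amount, w.request_ip, "->", screen(acct=SAMPLE, w=w))
```

Hard failures are collected together so the rejection record shows every control that fired, which is what an analyst reviewing the account would want to see.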