NEW YORK (Reuters) - When hackers penetrated a secure authentication system at a bitcoin exchange called Bitfinex earlier this month, they stole about $70 million worth of the virtual currency.
The cyber theft -- the second largest by an exchange since hackers took roughly $350 million in bitcoins at Tokyo’s MtGox exchange in early 2014 -- is hardly a rare occurrence in the emerging world of crypto-currencies.
New data disclosed to Reuters shows a third of bitcoin trading platforms have been hacked, and nearly half have closed in the half dozen years since they burst on the scene.
This rising risk for bitcoin holders is compounded by the fact there is no depositor’s insurance to absorb the loss, even though many exchanges act like virtual banks.
Not only does that approach cast the cyber security risk in stark relief, but it also exposes the fact that bitcoin investors have little choice but to do business with under-capitalized exchanges that may not have the capital buffer to absorb these losses the way a traditional and regulated bank or exchange would.
“There is a general sense in the bitcoin community that any centralized repository is at risk,” said a U.S.-based professional trader who lost about $1,000 in bitcoins when Bitfinex was hacked. He declined to be named for this article.
“So when investing, you always have that expectation at the back of your head. I lost a small amount compared to the others, but I know of traders who lost millions of dollars worth of bitcoins,” the trader said.
The security challenge for the bitcoin world does not appear to be letting up, according to experts in the currency.
“I am skeptical there’s going to be any technological silver bullet that’s going to solve security breach problems. No technology, crypto-currency, or financial mechanism can be made safe from hacks,” said Tyler Moore, assistant professor of cyber security at the University of Tulsa’s Tandy School of Computer Science who will soon publish the new research on the vulnerability of bitcoin exchanges.
His study, funded by the U.S. Department of Homeland Security and shared with Reuters, shows that since bitcoin’s creation in 2009 to March 2015, 33 percent of all bitcoin exchanges operational during that period were hacked. The figure represents one of the first estimates of the extent of security breaches in the bitcoin world.
In contrast, data from the Privacy Rights Clearinghouse, a non-profit organization, showed that of the 6,000 operational U.S. banks, only 67 banks experienced a publicly-disclosed data breach between 2009 and 2015. That’s roughly 1 percent of U.S. banks.
Among the world’s stock exchanges, however, security breaches are much higher, with hackers attracted to the large pools of cash moving in and out of these trading venues. The latest survey of 46 securities exchanges released three years ago by the International Organization of Securities Commissions and World Federation of Exchanges found that more than half had experienced a cyber attack.
Moore collaborated on the research with Nicolas Christin, associate research professor at Carnegie Mellon University and Janos Szurdi, a Ph.D. student also at Carnegie.
In 2013, Moore and Christin wrote a research paper on security risks surrounding bitcoin exchanges when Moore was still a professor at Southern Methodist University. That research entitled “Beware of the Middleman: Empirical Analysis of Bitcoin Exchange Risk” was peer-reviewed and presented at the 17th International Financial Cryptography and Data Security Conference in Okinawa, Japan in 2013.
In the most recent study, the rate of closure for bitcoin exchanges in Moore’s research edged up to 48 percent among those operating from 2009 to March 2015. Hacking did not necessarily trigger the closure in each case.
“A 48 percent closure is not acceptable, but not surprising given that bitcoin is a new technology,” said Richard Johnson, vice president of market structure and technology at Greenwich Associates. Johnson has written reports on risk and security issues in the crypto-currency world.
Profitability is a big problem for bitcoin exchanges, with many of them unable to generate enough volume to keep afloat.
Bitcoin exchanges overall could be launched for as low as $100,000 up to $1 million, said Erik Voorhees, founder and chief executive officer of digital currency exchange ShapeShift. That is a fraction of what U.S. forex exchanges’ are required to put up.
Retail FX trading platform FXCM, for instance, is required by the Commodity Futures Trading Commission to have at least $25 million in capital at all times.
A key factor tied to the risk posed by exchanges is whether customers are reimbursed after closure or after the loss of bitcoins following a hack. Each closure and breach have been handled differently, but Tandy’s Moore said the risk of losing funds stored in exchanges are real.
In the case of Bitfinex, which is now up and running after the hack August 2, customers lost 36 percent of the assets they had on the platform and were compensated for the losses with tokens of credit that would be converted into equity in the parent company.
At Tokyo’s MtGox, customers have yet to recover their investments more than two years after closure.
Experts say trading venues acting like banks such as Bitfinex will remain vulnerable. These exchanges act as custodial wallets in which they control users’ digital currencies like banks control customer deposits.
“The big exchanges that hold customer deposits are a big target for hackers,” said ShapeShift’s Voorhees, “and unfortunately most bitcoin exchanges store user funds.”
When customers’ checking accounts are hacked, there is always a third party at the bank that can step in to deal with the theft.
Not so with bitcoin, said Seattle-based Darin Stanchfield, chief executive officer at KeepKey, a hardware wallet provider. He expects more of these attacks to happen despite efforts to improve security at bitcoin exchanges.
“Unfortunately because of its irreversible nature, bitcoin requires near perfect security.”
Reporting by Gertrude Chavez-Dreyfuss; Editing by Edward Tobin
Our Standards: The Thomson Reuters Trust Principles.