Not another Gox: Bitstamp shows how it's done

Monday 19 January 2015

The theft of $5 million worth of coins from Bitstamp on the first weekend of 2015 could have been devastating – not just for the exchange but for the entire bitcoin ecosystem. The spectre of Gox and the catastrophic impact it had in February (and throughout last year) loomed large. Instead, bitcoiners generally took the news in their stride, and the markets absorbed the revelation with barely a ripple. The episode shows how bitcoin has grown up in the interval since Gox folded, and some of the lessons learned by its community.

Anatomy of a heist
The Bitstamp theft happened during a frantic couple of days of trading for the exchange. With the Christmas break over, the first weekend of the new year saw panic sellers flocking to transfer and dump their coins in droves. Bitstamp’s hot wallet was bulging and activity still high when the hacker struck, siphoning off almost 19,000 coins in chunks of hundreds and thousands (all of which can be seen on the blockchain). By the time anyone noticed, Bitstamp had lost around $5 million.

When Bitstamp realised what had happened, they emailed all their customers warning them not to send coins to their regular deposit addresses – presumably because they had lost control of that wallet and any funds would be swept to the hacker’s address. They were also quick to reassure customers that deposits prior to this email would be honoured. CEO Nejc Kodric tweeted that the majority of their bitcoins were in cold storage (some 135,000). They later closed the exchange altogether to rebuild their systems and allow law enforcement officials the opportunity to survey the evidence available.

The differences
In the early hours after the news was announced, comparisons with Gox were widespread. Gox’s shadow still paints a large black streak over the bitcoin community, and suspicion is the default response. 19,000 coins is few compared to Gox’s lost 850,000 (or 650,000, once the 200,000 ‘old format’ wallet coins were found...), but $5 million is still a serious hit. A question mark hung over the exchange: would they ever reopen or, like Gox and a hundred other failed bitcoin businesses, would the delays stretch on and on and the drip-feed of bad news develop into a steady stream, until finally the end was announced that everyone knew had been coming for a long time anyway?

There were some differences. Bitstamp’s trouble came out of nowhere. It was a lightning strike that took advantage of an unknown vulnerability. Gox’s woes, by contrast, had been rumbling on for months and were likely more to do with an inside job than transaction malleability. Fiat withdrawals had been experiencing serious delays, pushing bitcoin prices up way above market rates since this was the easiest way to get money out, creating excess demand. They had experienced numerous hacks and other problems before.

CEO Mark Karpeles also went out of his way to hide what had been going on – if, indeed, he even knew its full extent. (Even now, that’s not crystal clear.) Bitstamp immediately emailed its customers and kept them informed, with new updates every few hours via its Twitter feed, cross-posted to their site. Transparency was excellent, within the constraints of what was possible under the circumstances (for legal and security reasons, they released no details of how the hot wallet was compromised).

Even if their initial estimate for coming back online was a little optimistic, trading resumed after just three days, during which their system was completely reconstructed; Bitstamp’s employees missed the CES (International Consumer Electronics Show, a major tech exhibition) to finish the necessary work. Lastly, when the exchange opened again, they offered zero-fee trading for the following week to thank their customers for their patience.

No apocalypse
Speculation raged on a few threads in the forums during the outage, with accusations that the losses were worse than they admitted, that they were running a fractional reserve, that they would never reopen, and if they did they would experience a run that would crash the price far beneath the recent low of that weekend as traders rushed to get their money out.

In fact, the only verdict that mattered – that of the market – was completely underwhelming. Traders barely reacted at all when the news was announced, either when the site went down or when trading resumed. Bitcoin has a way of surprising people, and the gag it pulled this time was that it didn’t blink. From the market’s perspective, the hack was a non-event.

There are a number of possible explanations for this. 19,000 coins might be a lot to regular punters, but it’s not so many in the grand scheme of things – remember that 25 are mined every 10 minutes, so that sum is equivalent to the number being added to the supply every five days or so. Not only that, but miners obtain their coins legitimately and can cash out whenever they want. The hacker will have to mix or otherwise launder the money, and that’s not easy for a $5 million stash. The coins are already moving around, but they will be carefully watched. One slip and his identity could be compromised – and most exchanges won’t touch them in the first place anyway. The possibility of them hitting the market any time soon is low.

But the most likely explanation is that Bitstamp dealt with the situation very well. There is no systemic failure of bitcoin; Bitstamp has promised to compensate its customers and has the means to do so (in fact, customers won’t even notice there’s been an issue – balances were preserved at login); the site was restored in remarkably quick order. Markets dislike uncertainty, and from the get-go Bitstamp did everything they could to make sure everyone knew where they stood. Their reaction was cool and professional – at least, on the surface, which is what counts. The market was also exhausted after a weekend of heavy selling. The Bitstamp hack simply gave it no reason to continue.

Bitcoin is still in its early days, and its exchanges are still unregulated. But Bitstamp have shown that we’ve come a very long way since the days of Mt Gox, and are starting to leave the ‘Wild West’ times behind us.

 

Brandon Hurst

