Bitfinex Reveals It Did Not Engage Security Firm to Investigate Hack
Bitfinex did not engage blockchain forensics company Ledger Labs to investigate its July 2016 hack, the company has revealed. Despite announcing last August that Ledger Labs was auditing, it appears that company was unable to provide the services required.
[Update 5th May 14:50 EST] Brandon from Community Services at Bitfinex has clarified Ledger Labs did perform a security audit, but not a financial audit — as per the company’s posted update.
Bitfinex spokesman BFX_drew told Bitsonline:
“At the time of the post, Bitfinex believed Ledger Labs could provide such a service, but they could not. More details will be revealed in an announcement May 5th, about the actual audit.”
First, some background. Bitfinex published a blog post on 17th August 2016 that said:
“Ledger Labs Inc., a top blockchain forensics and technology firm, is undertaking an analysis of our systems to determine exactly how the security breach occurred and to make our system’s design better going forward. We engaged Ledger Labs in the hours immediately after the attack happened. The investigation is ongoing. We are also in the process of engaging Ledger Labs to perform an audit of our complete balance sheet for both cryptocurrency and fiat assets and liabilities.”
However, on 4th May an update appeared on the same post. It read:
“Ledger Labs has not been engaged to perform a financial audit of Bitfinex. When in initial discussions with Ledger Labs in August 2016, we had initially understood that they could offer this service to us. Our discussions with Ledger Labs were continuing at the time of publication of this blog post. However, we should clarify that Ledger Labs’s role was limited to security and investigative services related to the security breach. We understand that they do not offer auditing services to clients.”
The update added that Bitfinex is now in the process of engaging a reputable third-party accounting firm to audit its balance sheet, which is taking longer than anticipated. It did not mention whether anyone was performing a forensic investigation into the breach and theft itself.
What Bitfinex Said Last August
Bitfinex suffered a hack in August 2016 in which it lost 120,000 BTC. The culprit has not been caught or identified. The exchange spread losses across all currency accounts and issued users with tradable “IOU” tokens.
After the initial update appeared, Bitfinex’s then-spokesman Zane Tackett wrote in a reddit thread that the company was “also in the process of engaging Ledger Labs to perform an audit of our complete balance sheet for both cryptocurrency and fiat assets and liabilities.”
In response to questions, Tackett added Bitfinex was “working with the FBI and European authorities”. Regarding Ledger’s role he said “We are working with them on both a security and financial audit.”
It appears the company believed Ledger Labs would proceed with that investigation, and instructed staff to broadcast that message.
On Ledger Labs’ website, the company describes itself as “Canada’s leading blockchain services firm”.
Why Did the Update Come Only Now?
However, the question remains: why did Bitfinex only update the information now? It’s been eight months. Users have been waiting with bated breath for answers to what happened.
Blockchain industry researcher Tim Swanson posted a lengthy article on 1st May detailing the Bitfinex hack and subsequent “recovery” process. In it, he questioned the status of Ledger Labs’ audit. Michael Perklin, Ledger Labs’ then-head of security and investigative services, was apparently no longer with the company.
“Thus the question, what happened to the promise of a public audit?” Swanson wrote.
On reddit, BFX_drew said “It would have been corrected earlier but it was an oversight. A mistake.” The company may indeed have been too busy dealing with the aftershocks of the incident, fending off angry users and implementing the recovery tokens. Or it may have received a reminder from Swanson’s and others’ recent questions.
There was much online discussion of Ledger Labs’ role and capabilities in the days after the initial announcement. However it is plausible that, even then, both Ledger and Bitfinex still expected the investigation to continue.
In any case, Bitfinex has now promised to provide further updates ASAP. But given it still hasn’t found a capable auditor, it’s unlikely affected users will get any satisfaction soon.
What’s going on at Bitfinex. Will we ever find out? Let’s hear your thoughts.
Images via Bitfinex, Pixabay