CustodyStress
Archive › Named Events › Bitfinex 2016 Hack and Bitcoin Custody Losses — CustodyStress
Part of the CustodyStress archive of observed Bitcoin custody incidents

Bitfinex 2016 Hack and Bitcoin Custody Losses — CustodyStress

Documented Bitcoin custody cases associated with the Bitfinex exchange in the Bitcoin Custody Incident Archive. The August 2016 hack of Bitfinex resulted in the theft of approximately 119,756 BTC and the involuntary loss of approximately 36% of account balances across all customers.

Outcome distribution — 7 documented cases
Blocked 3 (43%) Constrained 4 (57%) Survived 0 (0%)

The most frequently documented recovery path in these cases is Exchange Support (4 of 7 cases). 57% of determinate cases resulted in some form of access recovery.

Background

Bitfinex was one of the largest Bitcoin exchanges by trading volume in 2016. On August 2, 2016, an attacker exploited vulnerabilities in Bitfinex's multi-signature wallet architecture — implemented in partnership with BitGo — to steal approximately 119,756 BTC, valued at approximately $72 million at the time. Rather than file for bankruptcy, Bitfinex implemented a socialised loss mechanism: all customer accounts were reduced by approximately 36%, regardless of whether the customer's specific funds had been stolen. Affected customers received BFX tokens representing claims against the platform, which were subsequently redeemed over the following eight months. In 2022, the US Department of Justice recovered approximately 94,000 of the stolen BTC.

Custody structure

Bitfinex at the time used a multi-signature wallet architecture developed with BitGo, in which each customer had a segregated multi-signature wallet requiring signatures from both Bitfinex and BitGo to authorise transactions. This architecture was intended to provide customer-level segregation but was implemented with a configuration that allowed the attacker to compromise the signing process at scale.

How access failed

The hack exploited the multi-signature implementation to steal Bitcoin from customer segregated wallets. The custody architecture failed not through the multi-signature model itself but through its specific configuration and API implementation. The subsequent socialised loss mechanism meant that customers who had not been directly hacked lost approximately 36% of their balance. The custody failure was partially resolved through BFX token redemption and partially through the 2022 government recovery.

Archive note

Archive cases involving Bitfinex document individual access failures associated with the 2016 hack and subsequent account haircut. The archive focuses on custody survivability failures — the forced reduction in customer balances through the socialised loss mechanism is the primary failure mode in scope.

Browse all cases Archive statistics Scenarios Dependencies About All events
Documented cases
GreenAddress User Locked Out by 2FA Requirement Despite Mnemonic Backup
Collaborative custody
Constrained
A GreenAddress user transferred Bitcoin from Bitfinex to a GreenAddress multisig wallet, securing an encrypted backup of their recovery mnemonics using their Br
Bitfinex Account Freeze: 2.1 BTC Trapped After Escalating KYC Demands
Exchange custody
Blocked
A long-standing Bitfinex user with a six-year account history initiated a withdrawal of 2.1 BTC in early 2021, during a period of significant Bitcoin price appr
Altsbit Exchange Hack (February 2020): Institutional Failure, Partial Recovery
Exchange custody
Blocked 2020
Altsbit, an Italian cryptocurrency exchange that had been operational for only a few months, suffered a catastrophic security breach in February 2020. Attackers
Bitfinex Fiat Withdrawal Freeze: Crypto Capital Processing Delays October–November 2018
Exchange custody
Constrained 2018
Bitfinex paused fiat deposits in October 2018 and announced implementation of a new deposit system. The exchange had been routing USD withdrawals through Crypto
Yapizon Exchange Hack (April 2017): 3,831 BTC Stolen, Socialised Loss Model Applied to All Users
Exchange custody
Blocked 2017
On April 22, 2017, Yapizon, a South Korean cryptocurrency exchange, suffered a security breach resulting in the theft of 3,831 BTC—approximately 37% of the exch
Bitfinex Account Freeze: 4 BTC Inaccessible for Months During 2017 US Regulatory Scrutiny
Exchange custody
Constrained 2017
In 2017, following regulatory scrutiny from US authorities, Bitfinex began restricting account access for US-based customers. One Reddit user reported that thei
Bitfinex May 2015 Hot Wallet Breach: 1,400 BTC Stolen, Trading Suspended
Exchange custody
Constrained 2015
Bitfinex, a major cryptocurrency exchange operating under Hong Kong incorporation and British Virgin Islands registration, suffered a security breach in May 201