$1 500 000 USD

OCTOBER 2016

POLAND

BITCUREX

DESCRIPTION OF EVENTS

"Bitcurex is a European bitcoin exchange launched in 2012 and supporting PLN, EUR and USD trading." "Set up in July 2012, Bitcurex is based in Łódź, Poland. The cryptocurrency exchange is operated by local company Digital Future Ltd. Introduced first on BitcoinTalk forum on July 16, 2012." “The polish exchange was one of the oldest in the country” and “one of Poland’s largest exchanges”.

 

“It’s one of the bigger bitcoin exchanges serving the European market, specifically for trading zloty and also euros.”

 

"“Bitcurex,” shut shop after a reported 2300 BTC ($1.5 mln) theft. “On 13.10.2016 as a result of third-party systems service www.bitcurex.com [was] damaged by external interference in automated data collection and processing of information. The consequence of these actions is the loss of part of the assets managed by bitcurex.com/dashcurex.com.”

 

“Not only has the exchange shut down and people have most likely lost all their money, it also came to light that customer data of the exchange was also compromised in the hack that took place in October 2016.”

 

“Initially, the company promised users a 7-day currency refund. However, this did not happen.” “Given that the exchange required proved ownership of the site and that the confirmed balance disagreed with the facts, you can come to the conclusion that the exchange does not have a current copy of the database, which could be damaged at the time of the alleged hacking.” Just prior to the hack, Bitcurex in July announced “Polish bitcoin exchange Bitcurex has announced that it will be the first exchange in Poland to add a certified compliance department, adapting internal procedures to the most stringent standards operating in the financial sector.” Since the 2014 hack, “they appear to have been running without incident.” “Bitcurex processed over $50 million worth of BTC transactions in its final six months.”

 

“November 30 was the date of the planned launch of the Bitcurex exchange [which] closed after the alleged burglary. Unfortunately, the exchange was not launched and, worst of all, no new official message appeared on the website.” “A dozen or so days after the incident, the stock exchange has already started the refund procedure and has provided a form on its website. This form contained space for sensitive personal data, including personal identification cards, scanned ID cards and bills confirming check-in, and most interestingly the requirement to provide all evidence of customer funds on the site!”"

Although one might initially believe that Bitcurex did not learn from their first breach, the subsequent details, response and failed promises by the administration would tend to suggest otherwise. Timing is coincident with an increase in regulatory pressure from the Polish government, which the exchange publicly embraced. As the records of customer trades and balances are conveniently lost in the hack, and also don’t appear to have been properly backed up, it seems that whether the $1.5m official figure was the entirety of liabilities could be questioned. Bitcurex was known to be using cold storage back in 2014, which was not hacked in that breach. So it’s curious that they didn’t seem to mention any cold storage here. We’ve seen countless examples to demonstrate why multi-signature is so critical in preventing both hacks and insider fraud. The exchange was also entirely unaudited for the majority of it’s existence, giving customers no visibility at all into the operation.

HOW COULD THIS HAVE BEEN PREVENTED?

Bitcurex is one of a handful of cases where lots could have been done differently to prevent the tragedy.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.