Exchanges captured most of the headlines over the past seven days. In a week of mixed fortunes, BitMEX accidentally exposed email details for the ‘majority’ of its users and Deribit refunded jilted bulls $1.3 million after a flash crash triggered liquidations, while FTX added a new index to capitalize on new-found excitement around Chinese projects, Bakkt’s trading volumes hit new highs, Jack Dorsey invested in CoinList’s new trading platform and Binance expanded into Russia.
BitMEX Exposes User Details
Derivatives trading platform BitMEX, the source of more than $1.2 billion in daily Bitcoin trading volumes, committed the cardinal sin of doxxing its characteristically privacy-conscious users. Right from the marketing 101 rule book of how not to contact customers, the platform sent out communications to batches of users with all addresses visible in the ‘CC’ line, supposedly due to a software error. It is understood the marketing manager responsible for the mishap is no longer with the company.
Deribit Suffers Flash Crash
In a week of market volatility, trading platform Deribit suffered a calamitous flaw in its pricing sources. The price of Bitcoin on the platform dropped from more than $9,000 to $7,800 due to an exchange rate calculation fault, triggering a cascade of liquidations. The company has since reimbursed users who lost money.
FTX Adds China Index
Following last week’s news that the Chinese government is taking a more cordial attitude towards blockchain, FTX has allowed users to gain exposure to any resultant volatility in popular Chinese crypto projects. The Dragon Index includes a portfolio of eight assets, including NEO, ONT, TRX and VET.
You Got the BitMEX Email… What Do You Do Now?
On Thursday, crypto traders were anxiously checking their spam folders to see if their addresses were among those exposed by BitMEX’s marketing mishap (see summary above). On the surface, the error doesn’t seem like a big deal – what could anyone do with such basic information as a random email address? In reality, it has a number of implications.
Firstly, from a security perspective, potential hackers now have an indication of who actually trades on the platform and can use that information maliciously. Exploiting this information, they could (among other possible tactics):
- seek to brute force access to user accounts (both on BitMEX and on other trading platforms where the user may have reused the same credentials) using bot-based software
- match those email addresses against information available on the Dark Web to try to piece together an attack, such as social engineering efforts against exchange employees to gain access to the account
- target the addresses directly with phishing emails to obtain further sensitive details or to hijack their accounts through malware.
There’s also a major privacy issue. A proportion of BitMEX’s users are US-based traders who are legally banned from using the platform but do so via a VPN. Authorities such as the CFTC and the IRS may take advantage of the leak to find US residents that have furtively been trading on the platform and take action.
What’s more, this information has been easy for those not party to the original emails to obtain. The Block’s Larry Cermak was able to collect 23,000 addresses within a day of the leak. While Larry was doing the collection for research purposes, it’s likely that others were doing the same for more malicious reasons.
UPDATE: I now have access to 23,000 emails that were leaked by BitMEX. Surprisingly, there is only one person that used a .gov email. There were 66 students/alumni that used .edu email. NYU dominates (7 people), followed by Berkeley, and University of Michigan. https://t.co/vmcyVz5Uqe
— Larry Cermak (@lawmaster) November 2, 2019
Indeed, there are suggestions that some have already taken advantage of the leak. A rogue Telegram chatroom called BitMEX Hack Group claims to have been using the information to access accounts. While its credibility is dubious, the group claims to have already stolen 115 BTC from ill-protected accounts. It’s likely that further horror stories (whether genuine or not) will emerge over the coming weeks and months.
BitMEX has so far been relatively quiet on the scandal, issuing only one direct communication to report that it is investigating the implications. Whether it will seek to make any form of reparation to users remains to be seen.
On early evidence, the incident doesn’t appear to have impacted trading volumes on the platform. In any case, the platform will have work to do to regain customer trust and restore credibility.
So, if you were on the list, what should you do? Here are some steps you might consider taking:
- Change your master email address for BitMEX and any other exchanges you use. Use a unique address for each platform, and ensure that the address gives away no personal information (for example, avoid an address built from your real name).
- Make sure you use a unique, high-entropy password for each platform. Password management tools such as LastPass and 1Password can generate and store complex passwords for you.
- Make sure you are using two-factor authentication (2FA) on every account you have. Tools such as Google Authenticator and Authy add an additional layer of security to accounts in the event that someone is able to obtain your password.
Tweets of the Week
Blackbeard points out one party that will be taking an interest in the BitMEX leak:
Carter Thomas shares a timeless piece of wisdom that crypto traders would be wise to keep in mind:
I can't remember the exact quote but it was from the book "One Way Pockets" written in 1917
— Carter Thomas (@carterthomas) October 29, 2019
He said people tend to focus on trading for the short term at the bottom of cycles and focus on investing for the long term at the top
Something to look for in your Twitter feeds
The Week’s Best Content:
Recommendation 1 – On the brink with Nic Carter and Tom Lee
Castle Island Ventures’ Nic Carter interviews Fundstrat research analyst Tom Lee on the parallels between the cryptocurrency market and other high-growth markets Lee has covered over his extensive career.
Recommendation 2 – Exchanges are Open Finance
Multicoin Capital continues its recent flow of quality content with discussion around how crypto exchanges are evolving their services to capitalize on their role as ‘capital aggregators’.
Recommendation 3 – Blockchain is the censored word for Bitcoin
Rhythm of Bitcoin discusses the growing battleground between the US and China over digital currencies and what it means for Bitcoin.
Ethereum Blockchain Hands-on Coding Session
University of Greenwich, London
6 November, 10am
There are few better ways to become involved in the Ethereum network than to build software products on or around the blockchain. University of Greenwich is offering a free two-hour workshop to help aspiring developers get to grips with the network.