Legal responsibility for the Bitfinex theft (aka "Bitfinexit")
So who might actually be liable for the Bitfinex theft and what hope might the victims have?
The thief
Obviously, the thief or thieves are fully liable. If they are caught, they can certainly be sued. And, of course, there's hope that the investigation into the theft might recover some or all of the funds.
BitGo
I don't see any way BitGo could be legally liable for the theft. All the evidence we have suggests that they complied with their contract with Bitfinex and their systems weren't compromised. There doesn't seem to be any credible argument that they breached the required standard of care.
The situation is somewhat analogous to one where they helped another company set up a cold wallet and then the other company put the secret keys on a server that was later compromised. BitGo provides total control over what authorization is needed to change system limits -- if Bitfinex put all the credentials needed to change those settings on systems that could be compromised, that's on them.
Bitfinex
Well, here's where it gets interesting. Bitfinex has announced that they are considering spreading the loss over their entire customer base. I do not see how they could possibly do this unless they are insolvent.
The two classes of Bitfinex customers
Bitfinex legally delivers bitcoins to its customers using segregated wallets. While Bitfinex has practical control over these wallets, it does not have legal control. Bitfinex has no right to transfer these funds without the customer's permission because they belong to the customer. These are the only funds that were stolen.
Other customers have what is essentially an IOU from Bitfinex. This is just a general liability and a claim against Bitfinex's assets. Bitfinex is obligated to pay these claims out of any assets they have unless they declare bankruptcy.
The Bitfinex announcement
Yet Bitfinex has announced that they are considering spreading the losses among their customers. I don't see how they can do this unless the are insolvent. If Bitfinex owed me $10 before the theft, they still owe me $10 now. If they pay me less than $10, I can sue them for the difference and I'll win unless they're insolvent.
So it sounds like Bitfinex believes they are liable for the theft of these customer funds, likely because they don't believe they provided the legally required standard of care. That would mean that they are insolvent and will have no choice but to declare bankruptcy.
What all this means
Under the law in most jurisdictions, someone who holds another's property for mutual benefit is only liable for a third party's theft of that property if they didn't provide reasonable care in securing the property. If this standard applies, that means Bitfinex's hint that losses would be imposed on customers equally means they believe that they would probably be found not to have provided reasonable care.
The good news
The theft only seems to account for somewhere between 10% and 30% of Bitfinex's holdings. This means there's a good chance that Bitfinex could continue operating, whether they are liable for the theft or not.
Disclaimer
I am not a lawyer. This is pure speculation based on limited, public information. If anyone knows of any errors or omissions, please make me aware of them.
- Follow me on Twitter
- Read this Steem exclusive about how banking regulation violate rights, stifles innovation, and make crime fighting harder.
- Read this article about dissatisfaction with America's two-party system and what we can do about it.
Wow just noticed your are posting on steem :) Welcome aboard joel - nice to see you posting here - happy steeming
@cass Sorry to post you against your comment. But, as it is the top comment, I'm posting against yours for visibility.
@joelkatz I expected an Action or Possible course of Action subheading in your article. As it is missing, here is one I am writing. Feel free to correct me...
Possible course of Action
Though Bitfinex is registered from Hong Kong, it appears that their anonymous owners are from USA. Otherwise, they would not have settled with FTC very recently and change their wallet practice. So, USA based affected users, can file a class action lawsuit against Bitfinex. On the other hand, non-USA based affected users, can file complaint online at SEC. Once these complaints start pouring in, we might see some action like Butterfly Labs.
It may be that even users outside the USA can participate in a USA class action. There's still a lot we don't know, but it seems Bitfinex intends to try to make users not affected by the theft settle for partial payments even though they are not insolvent and do not declare bankruptcy. That would be legally unprecedented and, it seems to me, legally impossible.
If Bitfinex concedes liability for the theft, they will get sued by the people whose funds were not stolen.
If Bitfinex contests liability for the theft, they will get sued by the people whose accounts were stolen.
I don't see Bitfinex getting out of this without a lawsuit from a significant fraction of their customers. A Court will have to determine whether or not they are liable for the theft. If so, they'll have to declare bankruptcy. If not, they cannot spread the losses.
I am not a lawyer. There might be something I'm missing. But nobody has told me what it could be.
I got caught up in this whole mess (sadly). I had USD (that wasn't loaned out at the time). By bypassing both Bitfinex and BitGo security measures this looks like an inside job to me.
Social losses of what has been going around will be BTC and USD ( margin lenders) that will be taking the hit, inactive USD and other alts will not be affected. Bitfinex seems like they don't care as they have a shady coorperate setup that basically doesn't make it easy for anyone to sue them, while the people that lost money want social losses to be spread amongst all the customers (similar to a bankruptcy and asset liquidation).
As I explained four days before, your logic that bankruptcy is required is incorrect because presumably the BTC funds held at Bitgo were not partitioned according to segregated accounts, thus the BTC is part of a BTC and non-BTC pool of assets which backs all segregrated accounts BTC and non-BTC. Your logic would only apply to physical non-fungible assets. Thus even if Bitfinex were not bankrupt, it would still need to spread the loss proportionally to all "segregated" accounts BTC and possibly also non-BTC. The concept of segregated account is not to be used for what you are thinking, rather it is to protect the account holder from a lawsuit against Bitfinex which would attempt to grab those assets marked as owned by the segregated account owners. But since these assets are not partitioned by account number, then all of the BTC and possibly also non-BTC accounts are of equal standing w.r.t. to the asset pool. So although Bitfinex would be bankrupt if they could not pay the BTC account holders out of proportional losses for other account holders (BTC and/or non-BTC), they do not have to declare bankruptcy in order to spread the losses proportionally, unless the assets were partitioned by segregated account number. But with a fungible, electronic asset, it seems entirely arbitrary to mark some fungible units for some accounts if all were accessible by the same password set vulnerability. The vulnerability indicates the assets were not partitioned, at least not for all BTC account holders although perhaps one could make an argument that the non-BTC assets were partitioned since they were apparently not subject to the same vulnerability as partitioned. QED.
In other words, the pertinent qualifier is, “segregated from what?”. The crypto assets were segregated at least from the other business liabilities of Bitfinex, but not from each other (or at least not BTC accounts segregated from each other).
LOL, so youre saying that the deposits were like buying stock.... The SEC might have something to say about that.
but no, it doesnt work that way... see peoples westchester vs. FDIC.
The same SEC that was impotent in the failure of segregated assets in the MF global case.
What I am saying is that you the customer have to understand that if the partitioned segregation isn't defined, then you are not protected.
43 B.R. 623
34 B.R. 333
356 F.2d 749
It doesnt matter if the segregation is defined, merely if the funds are traceable. In this case, they are. We clearly know which funds got stolen and which didn't -- they were in specific wallets.
The fact that the segregation wasn't explicitly explained in the TOS isnt sufficient to invalidate the bailment,
MF global there was never any controversy, that i know of, about secured debt and commingling of funds... everyone just lost their money because it was all gone. but the account holders still got paid ahead of the unsecured creditors.
NO they would not... its obvious youre just making stuff up now. As the cites clearly showed you, "meaningful segregation" isnt neccessary. The standard of law is identifiability. Simply saying something is true, and that the courts "routinely" do it, without citation, is nonsense.
Also im pretty sure you think the word fungible means something it doesn't.
You don't like the way the law works, and thats fine. but that doesnt mean it doesnt work that way.
OTOH say if all the btc was in one huge wallett, then a portion of the wallet was stolen, then it would be different...
The tracing of thefts is certainly irrelevant if the BTC account holders are not associated with specific wallet partitions. And even if the BTC account holders are so associated, I am arguing such association is arbitrary, because the security methodology is fungible across all such wallet partitions, thus no such segregated account holders can be at a lower legal standing than the others of the same fungible asset. You are inventing an arbitrary mirage of partitioning. To be segregated, the assets must be meaningfully separate from each other, otherwise the segregation is not legally defined. Courts routinely look past obfuscation and directly to the salient attributes. Imagine if a bank had segregated fiat electronic balance accounts, and a hacker broke not the user's online access password, but some master password of the bank and stole balances from those accounts. Even if they were segregated, the losses would be charged to the bank and then to the accounts proportionally if the bank's assets were insufficient. You can't hold some users responsible for an arbitrary, luck-of-the-draw, meaningless partitioning which they have no control over. Segregation implies the user has control. The partitioning you are claiming can be traced, has no correspondence to the user's control over their account. The user doesn't even select which of the internal Bitfinex wallets they want their account to be associated with. Thus all segregated account are fungible w.r.t. to those arbitrary wallet partitions.
Thank you for the news and congratulations for the success of this post!
Hey @joelkatz! I didn't know you were here for all this time! (You probably don't remember me but I'm Jun from the SF Bitcoin meetups at 20 Mission when you guys were in the beginning stages of Ripple).. Enjoyed the read and I'll read the rest of your blog posts!
Those were definitely good times. Nice to see you here.
What I don't understand is why this doesn't fall ALL on Bitfinex's shoulders? They charge a "fee" on trades, which is for running of the site/profits/risks. From what I understand, they take a 15% cut out of the profits when "loaning" the funds to the margin traders. That 15% is due to the high risk of the counterparty risks associated with those daily loans. Bitfinex needs to take the 15% they have been earning and pay back the losses. Otherwise, file for bankruptcy.
Well, there will be global cut 36.067% but it seems Bitfinex will stay operating which is (probably) good new and maybe they will be able to cover some additional loss in time. I don't think the thief will be caught, though.
I thank God I withdrew all my balance 2 days before the hack, I had 1.3BTC (not much, but still). I have a question, if any of you had over 10BTC and wanted to cashout to a bank, what would you do ? I wouldn't use Payal or Western union, a bank withdrawl is the best option for large amouts of cash. So, to me, exchanges like Bitfinex or Bitstamp are good and bad at the same
And we know: they are going to divide the losses among all users :-( We are going to lose 36% of our balances.
"Interim Announcement
Aug 6, 16:00 UTC
Following the theft on August 2nd, the Bitfinex team has been working tirelessly towards bringing the platform back online in a secure and controlled manner. We have finalized the accounting of losses incurred and are currently coordinating strategic plans for compensating customers.
We intend to come online within 24-48 hours with limited platform functionality. Additional announcements will be made as we progressively enable more platform features and return to full operations. We appreciate that our customers and the public want this handled quickly, but it needs to be done a way in which all assets are secure and immune from vulnerabilities. Every resource is being leveraged to make that happen in a safe and optimal way.
As disclosed in earlier announcements, all withdrawals, open orders, and open funding offers have been cancelled and all financed positions have been settled. Exact settlement prices were published on August 3rd.
After much thought, analysis, and consultation, we have arrived at the conclusion that losses must be generalized across all accounts and assets. This is the closest approximation to what would happen in a liquidation context. Upon logging into the platform, customers will see that they have experienced a generalized loss percentage of 36.067%. In a later announcement we will explain in full detail the methodology used to compute these losses.
We are actively discussing various strategic options with numerous potential investors as part of our strategy to fully compensate our customers. Such discussions, however, are in early stages and will likely take time to play out. In the meantime, In place of the loss in each wallet, we are crediting a token labeled BFX to record each customer’s discrete losses. Tokens will be distributed without release or waiver. The BFX tokens will remain outstanding until redeemed in full by Bitfinex or possibly exchanged—upon the creditor’s request and Bitfinex’s acceptance—for shares of iFinex Inc. We are still sorting out many details on this; we will post further updates in the coming days.
Thank you for your continued patience and for the many generous offers of support that we have received over the last several days. Notwithstanding this attack, we continue to believe in the possibilities associated with bitcoin. We will continue to update our customers and the public as and when we can."
https://www.bitfinex.com/