Bitcoin Forum
Author Topic: Investor losses legal battle against Bithumb for 2017 data breach incident  (Read 100 times)
Charles-Tim (OP)
September 28, 2020, 06:53:33 PM
Last edit: September 28, 2020, 07:49:53 PM by Charles-Tim
Merited by DdmrDdmr (1)
 #1

To be sincere, I could not believe this until I read in the news about a victim that lost $401,000 due to the hack of the exchange he is using. Although the hack could be due to his fault, it was reported by him to be a result of the 2017 Bithumb exchange hack. This was a shock and surprise on my side: how can someone keep such a high amount of funds on an exchange? Even a custodial wallet is not perfect for such an amount, neither is any hot wallet perfect for the purpose. Cold storage like hardware wallets such as Trezor and Ledger Nano should be perfect, which should also be carefully handled.

Previously, a number of other Bithumb users had attempted to hold the exchange accountable for losses stemming from the data breach. A judge ruled on September 3, however, to dismiss two out of the three claims — for $126,000 and $38,000. A third user was awarded $5000 (significantly less than their losses) when the court found that Bithumb was partially responsible in that particular case.

The fact still holds: not your private key, not your coin. Even the person that was seen to be hacked due to the Bithumb exchange hack was reportedly given an amount that is significantly less than his investment on the exchange. This would not have happened if these investors were using hardware wallets, in which they would have keys to control the coins themselves.

https://cointelegraph.com/news/investor-losses-legal-battle-against-bithumb-for-2017-data-breach-incident



jackg
September 28, 2020, 07:00:27 PM
 #2

Looks like it was a phishing attack with three claimants?

One succeeded somehow in recovering his funds while the other two didn't - not really sure how that works.

Anyway if it was a phishing scam then they are at least partially liable (the claimants).
Charles-Tim (OP)
September 28, 2020, 07:41:59 PM
 #3

Looks like it was a phishing attack with three claimants?
It was actually a phishing attack with only two of the victims; the third person's attack was linked to the 2017 Bithumb exchange hack.

One succeeded somehow in recovering his funds while the other two didn't - not really sure how that works.
None of them recovered their lost funds; only one of them was compensated with $5000 after claiming to have lost $27,200. Check the link below.

Anyway if it was a phishing scam then they are at least partially liable (the claimants).
Two of the victims were investigated and found at fault for their attacks. But the third person was compensated.

Quote
https://cointelegraph.com/news/bithumb-found-partially-liable-for-a-2017-hacking-incident
The individuals were seeking $126,000 and $38,000 respectively for damages related to a data breach incident back in 2017. According to Fn News, plaintiffs Hong and Seo (both named only by their surname) stated that they had lost money due to a phishing attack using private data that was extracted in a hack of Bithumb. The third claimant, Jang, was granted $5,000 to cover his total loss. This amount reflects a much lower dollar value than his initial $27,200 claim.

But that aside, normally, exchanges are too vulnerable to attacks; that is why the Bybit CEO even says most crypto exchanges are vulnerable by design and that he isn’t surprised attacks happen on crypto exchanges. A statement we all know is true.
https://cointelegraph.com/news/most-crypto-exchanges-are-vulnerable-by-design-says-bybit-ceo

Upgrade00
September 28, 2020, 08:42:19 PM
Merited by Charles-Tim (1)
 #4

So, the hacker used information they stole from the Bithumb hack to carry out a targeted attack on the users and get more information to actually steal funds from the users' accounts. This does make the user partly liable for the scam along with the exchange, although I couldn't find information on how affected users were notified of the data breach besides the percentage given:
Hackers succeeded in grabbing the personal information of 31,800 Bithumb website users, including their names, mobile phone numbers and email addresses. The exchange claims that this number represents approximately three percent of customers.
This could mean the users were not duly informed of the risk they were exposed to.

It is best practice to not keep your funds on a centralized platform or hold them in centralized tokens. In the recent Kucoin hack, a series of events happened that show the risks of giving up control of your funds:

• Firstly, the exchange security was breached and the hackers accessed funds stored on their hot wallets belonging to users of the platform. The users of course do not own their private keys and could do nothing to prevent this - no control
• The exchange temporarily locked withdrawals and deposits, meaning users could not access their funds, this was a security measure, but goes to show how centralization works and how users can be arbitrarily locked out of their assets - no control
• Developers of centralized tokens which were stolen restricted transactions to prevent the hackers from moving those funds. This 'freeze' feature can be abused by such devs - no control

One of the objectives of bitcoin is users transacting freely without having to trust a third party; this purpose is defeated when a centralized party is involved.

jackg
September 28, 2020, 09:17:45 PM
 #5

Looks like it was a phishing attack with three claimants?
It was actually a phishing attack with only two of the victims; the third person's attack was linked to the 2017 Bithumb exchange hack.

One succeeded somehow in recovering his funds while the other two didn't - not really sure how that works.
None of them recovered their lost funds; only one of them was compensated with $5000 after claiming to have lost $27,200. Check the link below.

Anyway if it was a phishing scam then they are at least partially liable (the claimants).
Two of the victims were investigated and found at fault for their attacks. But the third person was compensated.

Quote
https://cointelegraph.com/news/bithumb-found-partially-liable-for-a-2017-hacking-incident
The individuals were seeking $126,000 and $38,000 respectively for damages related to a data breach incident back in 2017. According to Fn News, plaintiffs Hong and Seo (both named only by their surname) stated that they had lost money due to a phishing attack using private data that was extracted in a hack of Bithumb. The third claimant, Jang, was granted $5,000 to cover his total loss. This amount reflects a much lower dollar value than his initial $27,200 claim.

But that aside, normally, exchanges are too vulnerable to attacks; that is why the Bybit CEO even says most crypto exchanges are vulnerable by design and that he isn’t surprised attacks happen on crypto exchanges. A statement we all know is true.
https://cointelegraph.com/news/most-crypto-exchanges-are-vulnerable-by-design-says-bybit-ceo

Quote
The third claimant, Jang, was granted $5,000 to cover his total loss.

I'm confused...?

Edit oh so that was the different 2017 attack.

I still think up to securing a user's credentials should be on the exchange but securing the account (i.e. using 2FA) should be on the individual user. And by extension, not clicking random links is on the user too.
Smartvirus
September 28, 2020, 09:26:24 PM
 #6

These incidents are either due to negligence or overconfidence in the exchange. Probably that user isn't a member of, or pays less importance to, the Bitcointalk forum; else, I'm sure the user must have come across articles that relay exchanges for what they are, and not to serve the purposes of wallets, especially with huge amounts.
I'm marvelled but then,
What were the proofs expected from Mr. A other than that his/her funds got stolen after the breach? For a fact, the funds had been there whether he conducted some transactions or not.
I don't see how he could be in control of the information a hacker could access in a breach but, supposing he/she got notified almost immediately and due to the user's negligence, the funds were later transacted then, the user's claims can be nullified or ruled out.
You're liable for the security of your account but, not the exchange.

Charles-Tim (OP)
September 28, 2020, 09:49:59 PM
 #7

So, the hacker used information they stole from the Bithumb hack to carry out a targeted attack on the users and get more information to actually steal funds from the users' accounts. This does make the user partly liable for the scam along with the exchange
Yes, and that is how it has been on exchanges that were hacked generally thus far. I read in the news today that the vast majority of exchanges are using hot wallets. Why won't the exchanges be hacked so long as they are making use of online wallets to secure the funds of thousands of users?
The vast majority of crypto exchange servers and storage networks, Zhou said, keep digital currencies in hot wallets. If hot wallets are not properly protected, then this opens them up to theft. Zhou thinks that a cold wallet system is more secure since hot wallets are connected to the internet, making them more vulnerable to hacking. Cold wallets, on the other hand, are not connected online. The only downside is not being able to make large withdrawals from an exchange immediately.

Edit oh so that was the different 2017 attack.

I still think up to securing a user's credentials should be on the exchange but securing the account (i.e. using 2FA) should be on the individual user. And by extension, not clicking random links is on the user too.
Nothing was edited other than the misspelled bithump exchange. Try to read the news using the links I provided. Although you are right in faulting the two users that were not later linked to the hack, it was due to their fault through a phishing attack, and all is explained in my write-up. But what about the third person? Over $27,000 was stolen but he was only compensated with $5000; that was my point. Why did you think he was compensated if the fault was not from the Bithumb exchange? It was actually from the 2017 Bithumb hack. I hope you know the majority of the exchanges are using hot wallets to save the funds of thousands of users?

cryptoaddictchie
September 29, 2020, 02:07:09 AM
 #8

These incidents are either due to negligence or overconfidence in the exchange.
Actually partly true. Somehow we can say some exchange breach incidents are natural; look at what happened to Kucoin. Being hacked is negligence but we can't say we can't outperform hackers who are genius to use an attack they can't expect.


Compensation for this hack is not acceptable; seriously, 5k USD? What if some guys have more than that? There should be insurance for every exchange if ever their platform got breached, and a contract stipulated to users.

20kevin20
September 29, 2020, 08:23:18 AM
 #9

Some people are sometimes caught in the middle of worst situations possible. You could deposit a large number of BTC on an exchange willing to do a very quick trade and withdraw everything, but have the hack happening exactly while you were doing the trade/depositing. It does not necessarily mean that the guy was holding his $401k on the exchange as a safe storage.

While Bithumb may have been to blame for having security breaches, this is centralization and what trusting a third party means. All platforms have doors open for security breaches, you just have to find them.
jseverson
September 29, 2020, 08:45:11 AM
 #10

One succeeded somehow in recovering his funds while the other two didn't - not really sure how that works.

The investor with $401k apparently wasn't able to convince the court that the hack was related to the data breach:

A High Court judge determined that the man (identified as “Mr. A” for privacy purposes) had failed to successfully prove that his data was compromised during the incident. As a result, the exchange will not be held liable for Mr. A’s lost funds.

It seems to me that the exchange should be responsible, since the phishing attempts probably only worked because of the data breach, but I can see how that would be difficult to prove in court. I'm assuming the other two people are on the same boat. The last person, on the other hand, from a different article:

The judge, however, found both Bithumb and Jang partially responsible, noting that the victim provided details that were not originally included in the data which was exfiltrated from the exchange.

I don't really know what that means myself lol. I mean, isn't the point of phishing to gather more data about you using data they already have? Details are scant so we can't really make conclusions of our own, but if there's something to be taken out of this, it's that you shouldn't store large amounts in exchanges.

DdmrDdmr
September 29, 2020, 09:56:01 AM
Merited by pooya87 (1), Charles-Tim (1)
 #11

The articles circulating on the matter of these three cases are not crystal clear. As far as I can make it (after reading quite a few, and using Google to translate https://www.fnnews.com/news/202009010831511143):

- Two of the cases were dismissed because, it seems, their data (name, phone number, etc.) was not proven to be part of the Exchange’s data breach. The judge claims that it could have therefore been obtained elsewhere, and the subsequent vishing that took place could subsequently not be pinned on the Exchange.

- The third case’s set of data was part of the data breach, and the vishing that led to his funds being stolen was ruled as being 50% liable to either party. The Exchange was at fault due to the breach, but the victim was also considered at fault for falling for the vishing scheme, compulsory for the hackers to obtain the codes to access the assets on the account (not sure if they are talking about password or 2FA codes here).

Why that led to only 5K$ equivalent refund, instead of the 13,6K$ equivalent that corresponds to the 50% of the original claim I can’t make out. Perhaps the funds were valued at cost price upon purchase, and not sell price when the breach took place.
jackg
September 29, 2020, 10:03:20 AM
 #12

One succeeded somehow in recovering his funds while the other two didn't - not really sure how that works.

The investor with $401k apparently wasn't able to convince the court that the hack was related to the data breach:

A High Court judge determined that the man (identified as “Mr. A” for privacy purposes) had failed to successfully prove that his data was compromised during the incident. As a result, the exchange will not be held liable for Mr. A’s lost funds.

It seems to me that the exchange should be responsible, since the phishing attempts probably only worked because of the data breach, but I can see how that would be difficult to prove in court. I'm assuming the other two people are on the same boat. The last person, on the other hand, from a different article:

The judge, however, found both Bithumb and Jang partially responsible, noting that the victim provided details that were not originally included in the data which was exfiltrated from the exchange.

I don't really know what that means myself lol. I mean, isn't the point of phishing to gather more data about you using data they already have? Details are scant so we can't really make conclusions of our own, but if there's something to be taken out of this, it's that you shouldn't store large amounts in exchanges.

I thought it probably just came down to a different judge or different defence. Potentially as Charles said a different hack as exchanges probably face a lot of these anyway...

The 20% or so was probably how much the judge assumed the exchange was liable on the third count.

But yeah the article was very scarce on actual court information - but that could just be the court hasn't released it for the same reasons they haven't named the claimants.

I didn't think they'd leave someone nameless for their involvement in courts before, that might be a positive sign on the side of adoption.
