What would happen if Xapo got hacked

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

August 11, 2016

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

TL;DR: If Xapo’s hot wallet were hacked, Xapo would cover the loss from its own reserve of bitcoins. Less than 3% of bitcoins are kept in our hot wallet, so our bitcoin reserve would cover the full loss. If Xapo’s deep cold storage vaults were hacked, Xapo would cover the loss from its own reserve but the hack could be bigger than the reserve which would cause a net loss to our customers.

Over 97% percent of the bitcoins we hold for our customers are held in deep cold storage in multiple locations. “Deep cold storage” means that the private keys necessary to move those bitcoins are in servers that have never been online and will never be online; they are “air-gapped” and stored inside bunkered vaults with multiple access controls, mantraps, guards and surveillance systems. “Multiple locations” means that Xapo uses multi-signature technology so that, for every bitcoin address that we use, there are five corresponding private keys and any three of those keys are required to move those bitcoins (that is why Xapo bitcoin addresses start with a 3). These private keys are kept in different physical locations so that if a hacker wants to steal vaulted bitcoin, he or she will need to physically break through the multiple access controls, mantraps, guards and surveillance system to take physical possession of the servers, physically remove the servers from their location, and break their encryption. All of this needs to be done simultaneously in three locations in different continents.

The most exposed part of our bitcoins is the less than 3% that we keep “hot” (i.e. online) for customer transactions. We have many layers of security, multi-signature being just one of them, to prevent a hack of our hot wallet from occurring but, in theory, it could still happen because those bitcoins are highly available by definition.

Until recently, Xapo maintained third-party crime insurance on bitcoin stored in the Vault. The insurance policies kept getting narrower and narrower, covering less and less risk. We eventually decided that the insurance policies were not covering any significant risk and we decided not to renew the insurance. Instead, we implemented the Xapo Bitcoin Reserve. The Xapo Bitcoin Reserve is an amount of bitcoins that Xapo owns and keeps in deep cold storage; the Reserve encompasses an amount of bitcoins that is bigger than the funds kept in our hot wallet at any given time. As such, we are essentially self insuring against a hack of our hot wallet. If our hot wallet got hacked Xapo would cover the loss for its customers in full.

Since we originally set up the Xapo deep cold storage vaults over two years ago, we have continuously endeavored to improve our security infrastructure. Some of the main improvements we have made include improved physical security for our cold storage vaults, consensus-based security for our bitcoin operations and risk profiling for our bitcoin movements. We will continue to invest in these and other areas in order provide our users the most secure wallet/vault. 

Wences Casares

By Xapo Founder and CEO


Article published on August 11, 2016

More News

Introducing Xapo’s new experience

We’re thrilled that you finally get to see what we’ve been working on for the past few months! As part of our rebrand project, we’re releasing our revamped Android, iOS, and web apps which include exciting and refreshing new features. We’ve started the global rollout of the new app and it should reach you in…

By Carolina Fabroni

Meet the new Xapo

At Xapo, we’re firm believers that no matter who you are or where you're from, you deserve easy access to digital financial services. This conviction led us to create a simple-to-use bitcoin wallet and an industry-leading bitcoin storage platform, described by The Wall Street Journal as the “Fort Knox of bitcoin storage.” Since 2014, we’ve…

By Carolina Fabroni

Time to withdraw your Bitcoin Gold (BTG)

The time has come for you to withdraw your Bitcoin Gold (BTG) balance generated in your Xapo Wallet after the fork of October 24th, 2017. During this event, anyone owning Bitcoin (BTC) at the moment of the fork received an identical amount of BTG. So if you had BTC at Xapo at the time of…

By Federico Murrone