What would happen if Xapo got hacked

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

August 11, 2016

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

TL;DR: If Xapo’s hot wallet were hacked, Xapo would cover the loss from its own reserve of bitcoins. Less than 3% of bitcoins are kept in our hot wallet, so our bitcoin reserve would cover the full loss. If Xapo’s deep cold storage vaults were hacked, Xapo would cover the loss from its own reserve but the hack could be bigger than the reserve which would cause a net loss to our customers.

Over 97% percent of the bitcoins we hold for our customers are held in deep cold storage in multiple locations. “Deep cold storage” means that the private keys necessary to move those bitcoins are in servers that have never been online and will never be online; they are “air-gapped” and stored inside bunkered vaults with multiple access controls, mantraps, guards and surveillance systems. “Multiple locations” means that Xapo uses multi-signature technology so that, for every bitcoin address that we use, there are five corresponding private keys and any three of those keys are required to move those bitcoins (that is why Xapo bitcoin addresses start with a 3). These private keys are kept in different physical locations so that if a hacker wants to steal vaulted bitcoin, he or she will need to physically break through the multiple access controls, mantraps, guards and surveillance system to take physical possession of the servers, physically remove the servers from their location, and break their encryption. All of this needs to be done simultaneously in three locations in different continents.

The most exposed part of our bitcoins is the less than 3% that we keep “hot” (i.e. online) for customer transactions. We have many layers of security, multi-signature being just one of them, to prevent a hack of our hot wallet from occurring but, in theory, it could still happen because those bitcoins are highly available by definition.

Until recently, Xapo maintained third-party crime insurance on bitcoin stored in the Vault. The insurance policies kept getting narrower and narrower, covering less and less risk. We eventually decided that the insurance policies were not covering any significant risk and we decided not to renew the insurance. Instead, we implemented the Xapo Bitcoin Reserve. The Xapo Bitcoin Reserve is an amount of bitcoins that Xapo owns and keeps in deep cold storage; the Reserve encompasses an amount of bitcoins that is bigger than the funds kept in our hot wallet at any given time. As such, we are essentially self insuring against a hack of our hot wallet. If our hot wallet got hacked Xapo would cover the loss for its customers in full.

Since we originally set up the Xapo deep cold storage vaults over two years ago, we have continuously endeavored to improve our security infrastructure. Some of the main improvements we have made include improved physical security for our cold storage vaults, consensus-based security for our bitcoin operations and risk profiling for our bitcoin movements. We will continue to invest in these and other areas in order provide our users the most secure wallet/vault. 

Wences Casares

By Xapo Founder and CEO


Article published on August 11, 2016


Xapo Debit Card Update

The Debit Card has always been at the forefront of Xapo's efforts to bring secure, Bitcoin-based financial products to users around the world. According to Visa’s recent communication regarding different debit card programs, only customers in the European territory will be able to order new Xapo Debit Cards, effective today. In addition, Xapo must suspend service on all…

By Anni Rautio

Xapo Granted E-Money License

Xapo granted E-Money License We are proud to announce that Xapo (Gibraltar) Ltd. has been granted an E-money License by the Gibraltar Financial Services Commission effective July 10th 2017. License under the Financial Services (Banking) Act of 1992, License number FSC0063BNK. As a regulated E-Money Institution Xapo is now licensed to issue electronic money in…

By Diego Valenzuela

Xapo Bitcoin Cash (BCH) Update

As expected, yesterday the Bitcoin blockchain experienced a “fork”, in which a new coin called “Bitcoin Cash” was created. That means that, if you had bitcoins (BTC) in Xapo at the time of the fork, you now have your bitcoins and an equal amount of Bitcoin Cash (BCH). For your reference, the fork happened after…

By Federico Murrone