What would happen if Xapo got hacked

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

August 11, 2016

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

TL;DR: If Xapo’s hot wallet were hacked, Xapo would cover the loss from its own reserve of bitcoins. Less than 3% of bitcoins are kept in our hot wallet, so our bitcoin reserve would cover the full loss. If Xapo’s deep cold storage vaults were hacked, Xapo would cover the loss from its own reserve but the hack could be bigger than the reserve which would cause a net loss to our customers.

Over 97% percent of the bitcoins we hold for our customers are held in deep cold storage in multiple locations. “Deep cold storage” means that the private keys necessary to move those bitcoins are in servers that have never been online and will never be online; they are “air-gapped” and stored inside bunkered vaults with multiple access controls, mantraps, guards and surveillance systems. “Multiple locations” means that Xapo uses multi-signature technology so that, for every bitcoin address that we use, there are five corresponding private keys and any three of those keys are required to move those bitcoins (that is why Xapo bitcoin addresses start with a 3). These private keys are kept in different physical locations so that if a hacker wants to steal vaulted bitcoin, he or she will need to physically break through the multiple access controls, mantraps, guards and surveillance system to take physical possession of the servers, physically remove the servers from their location, and break their encryption. All of this needs to be done simultaneously in three locations in different continents.

The most exposed part of our bitcoins is the less than 3% that we keep “hot” (i.e. online) for customer transactions. We have many layers of security, multi-signature being just one of them, to prevent a hack of our hot wallet from occurring but, in theory, it could still happen because those bitcoins are highly available by definition.

Until recently, Xapo maintained third-party crime insurance on bitcoin stored in the Vault. The insurance policies kept getting narrower and narrower, covering less and less risk. We eventually decided that the insurance policies were not covering any significant risk and we decided not to renew the insurance. Instead, we implemented the Xapo Bitcoin Reserve. The Xapo Bitcoin Reserve is an amount of bitcoins that Xapo owns and keeps in deep cold storage; the Reserve encompasses an amount of bitcoins that is bigger than the funds kept in our hot wallet at any given time. As such, we are essentially self insuring against a hack of our hot wallet. If our hot wallet got hacked Xapo would cover the loss for its customers in full.

Since we originally set up the Xapo deep cold storage vaults over two years ago, we have continuously endeavored to improve our security infrastructure. Some of the main improvements we have made include improved physical security for our cold storage vaults, consensus-based security for our bitcoin operations and risk profiling for our bitcoin movements. We will continue to invest in these and other areas in order provide our users the most secure wallet/vault. 

Wences Casares

By Xapo Founder and CEO

@wences

Article published on August 11, 2016

MORE NEWS

Xapo regulatory status in Switzerland

Three years ago, Xapo set out to determine the optimal jurisdiction from which to serve non-U.S. customers.  Our research ultimately identified Switzerland as the ideal jurisdiction, as explained in a May 2015 blog post. We are happy to announce that, after almost two years of substantial effort and investment, Xapo has received conditional approval from…

By Wences Casares

Xapo joins in with industry leaders to support BIP101

Our community stands at a crossroads. The debate about which path to take has, by and large, been a healthy one, and we have not interposed our own positions or interfered in the discourse. Until today, our involvement has consisted of listening, researching and testing. We believe that work is complete, and it is time…

By Xapo Press

Announcing Xapo's Advisory Board

Today Xapo is proud to announce the formation of its advisory board with three visionary leaders, Dee Hock, John Reed and Lawrence H. Summers. Dee Hock is the founder of Visa, and is responsible for effectively creating payment systems as we know them today. “Bitcoin represents not only the future of payments but also the…

By Wences Casares