What would happen if Xapo got hacked

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

August 11, 2016

In light of the Bitfinex hack, we have been asked multiple times, “What happens if Xapo gets hacked?” This is the answer.

TL;DR: If Xapo’s hot wallet were hacked, Xapo would cover the loss from its own reserve of bitcoins. Less than 3% of bitcoins are kept in our hot wallet, so our bitcoin reserve would cover the full loss. If Xapo’s deep cold storage vaults were hacked, Xapo would cover the loss from its own reserve but the hack could be bigger than the reserve which would cause a net loss to our customers.

Over 97% percent of the bitcoins we hold for our customers are held in deep cold storage in multiple locations. “Deep cold storage” means that the private keys necessary to move those bitcoins are in servers that have never been online and will never be online; they are “air-gapped” and stored inside bunkered vaults with multiple access controls, mantraps, guards and surveillance systems. “Multiple locations” means that Xapo uses multi-signature technology so that, for every bitcoin address that we use, there are five corresponding private keys and any three of those keys are required to move those bitcoins (that is why Xapo bitcoin addresses start with a 3). These private keys are kept in different physical locations so that if a hacker wants to steal vaulted bitcoin, he or she will need to physically break through the multiple access controls, mantraps, guards and surveillance system to take physical possession of the servers, physically remove the servers from their location, and break their encryption. All of this needs to be done simultaneously in three locations in different continents.

The most exposed part of our bitcoins is the less than 3% that we keep “hot” (i.e. online) for customer transactions. We have many layers of security, multi-signature being just one of them, to prevent a hack of our hot wallet from occurring but, in theory, it could still happen because those bitcoins are highly available by definition.

Until recently, Xapo maintained third-party crime insurance on bitcoin stored in the Vault. The insurance policies kept getting narrower and narrower, covering less and less risk. We eventually decided that the insurance policies were not covering any significant risk and we decided not to renew the insurance. Instead, we implemented the Xapo Bitcoin Reserve. The Xapo Bitcoin Reserve is an amount of bitcoins that Xapo owns and keeps in deep cold storage; the Reserve encompasses an amount of bitcoins that is bigger than the funds kept in our hot wallet at any given time. As such, we are essentially self insuring against a hack of our hot wallet. If our hot wallet got hacked Xapo would cover the loss for its customers in full.

Since we originally set up the Xapo deep cold storage vaults over two years ago, we have continuously endeavored to improve our security infrastructure. Some of the main improvements we have made include improved physical security for our cold storage vaults, consensus-based security for our bitcoin operations and risk profiling for our bitcoin movements. We will continue to invest in these and other areas in order provide our users the most secure wallet/vault. 

Wences Casares

By Xapo Founder and CEO


Article published on August 11, 2016


Xapo update about Bitcoin Gold

On Tuesday, October 24th at 1:20 am GMT approximately Bitcoin Gold (BTG) was created (or forked) as a new cryptocurrency based on the original Bitcoin Blockchain. Xapo is handling this fork according to its fork policy, just like we did with the Bitcoin Cash fork. If you had bitcoins in Xapo at the time of…

By Federico Murrone

Xapo and Phishing Attacks

  What is Phishing? At Xapo, we are constantly working to improve the security of our users by enhancing our infrastructure and helping customers identify various types of threats. Phishing is an attack, perpetrated by a criminal, tricking you into clicking on an url that looks very similar to the site you are trying to…

By Carlos Rienzi

About the Bitcoin SegWit2x update

When the Bitcoin Blockchain mines block number 494,784, which will happen on or around Saturday November 18th 2017, a block between 1MB and 2MB in size will be generated by the Bitcoin miners to increase network capacity (SegWit2x). At that point some miners may decide to ignore that block and continue mining on a 1MB…

By Federico Murrone