We understand many of you are concerned about the email disclosure which happened over this weekend and no doubt have many questions.

Our teams across the world have been working around the clock to protect your account security and make sure we are back on course. Our support team has already assisted many of our users and we are continuing to establish contact with everyone. This is a staggered process, to ensure that the proper processes are all followed, the delivery is logistically smooth and that all underlying security concerns are appropriately covered. If you have not yet heard from us already, you will do very soon.

We would like to apologise unreservedly for the concern this has caused. Below contains further information about what happened, how we can assist you and some steps that you can take to improve your protection.

What happened?

On Friday, November 1 at 06:00 UTC, many of our users received an email which contained the email addresses of other users in the “To:” field. This was a general email update to our users about upcoming changes to the weighting of our indices. As a result, many BitMEX user email addresses, including a large number of inactive addresses, were disclosed to other users in small batches. No other information was disclosed.

BitMEX is a global business that sends emails to many different email providers. Email deliverability itself is a multi-layered problem, involving decades of work in building sender reputation systems and automatic spam filters. Unfortunately, this makes the job of large services such as BitMEX difficult at times: we only send mass emails to all users on rare occasions. We intend to keep a high signal-to-noise ratio, and only send emails when absolutely necessary.

The index change we published on 1 Nov was of sufficient importance – it will impact pricing of all of our products – that we felt it necessary to inform all our users about it. However, bulk mail sends such as this are a difficult and complex undertaking when it’s on a global scale, to all recipients. Some mail servers, especially the global arms of large brands like Yahoo and 163, have very tight controls that are often triggered when we send large amounts of mail. For system notifications such as withdrawals, password resets, and liquidations, it is imperative that the customer receives mail dependably.

To remedy this, we built an in-house system to handle the necessary rendering, translation, staging, and piecemeal (as not to trigger rate limits) sending of important email. BitMEX has not sent an email to every customer at once since 2017, and much has changed since then. When we initiated the send, it became clear that it would take upwards of 10 hours to complete, and there was a desire on the team to ensure users received the same material information on a more reasonable timescale.

To handle this, the tool was quickly rewritten to send single SendGrid API calls in batches of 1,000 addresses. Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses. As soon as we became aware, we immediately prevented further emails from being sent and have addressed the root cause. Since then we have been aiding all who have been affected as best we can and mitigating the damage to contain the leak.

BitMEX is a company that takes engineering seriously, and we are disappointed that this lapse in care has resulted in unwanted disclosure for our customers. We believe that processes, not engineers, are to blame for these failures. Our processes failed here. We are working around-the-clock to revamp them and to ensure that even the simplest-looking code changes are put under strict review.

Additionally, and unrelated to this action, the BitMEX Twitter account was accessed by an external individual. The account was back under BitMEX control within 6 minutes and re-secured, and the event is under security review.

Beyond email addresses, no personal or account information has been disclosed. At no point were any of our core systems at risk.

Who was affected?

Most BitMEX users were affected by this action. You can self-diagnose your exposure with the following steps:

• If you received an email about the index change, and your email was the only one listed in the “To:” field, you were not affected.
• If you received the index change email, and you saw multiple addresses in the To: field, you were affected.
• If you did not receive an index change email, you may have been affected and we still recommend that you follow steps below to improve your protection online. While the system was cut-off before it completed entirely, many recipients began marking BitMEX emails as spam, understandably out of hope that it would stop further emails. This caused deliverability issues at some hosts, causing mail not to be delivered. Unfortunately, someone else in your batch may have received the email, exposing your email address.
  • The deliverability issues caused by the spam reporting caused some follow-up password resets to be delayed for several hours. Our operation teams remedied this by 06:00 UTC on Nov 2.

What are we doing to help?

After the discovery of the disclosure, BitMEX employees have since worked through the nights and days to reduce risk for users. We are aware that many users reuse email addresses across services. This, combined with a very human tendency to reuse passwords, meant that many of our users may have been at risk due to password hash dumps on other platforms, even ones unrelated to crypto.

For this reason, we took the following steps after we notified our users of the disclosure:

• Our Security and Support teams began enhanced monitoring of access patterns to flag accounts with suspicious activity after the disclosure. This led to several account password resets and human review with Support.
• At 13:00 UTC on the day of the email, we conducted additional checks during our usual human review of withdrawals. We identified criteria that could be indicative of a compromise given the circumstances. We cancelled requests from accounts that (i) did not have two-factor authentication, (ii) were withdrawing to a previously unseen Bitcoin address, (iii) were submitted with previously unseen new IP address, and (iv) were made after the email address disclosure had occurred. All other withdrawal requests were unaffected. These actions were taken in the interest of protecting our users and those affected have already been contacted.
• As it became clear that several groups were working to collate BitMEX email addresses in order to attempt to compromise them, BitMEX engineers forced a password reset for all users with balances and without Two-Factor devices. Affected users were notified via email (after a thorough QA review and retrospective on the original bug).
• BitMEX Support (contact here) is working shifts with extra agents, continuing to handle customer requests to change email addresses, answer questions, and provide security assessment and advice.

If you are concerned about your personal exposure, on BitMEX or on any other platform, the best thing you can do is to enable Two-Factor Authentication on all critical services. Start with your email address first. We have  published advice on this topic, as have others, including this very helpful guide by Paul Stamatiou.

BitMEX engineering teams are working on new features to increase the number of security keys supported by the platform, to improve the signal of account notifications, and to give users more tools to avoid and contain account takeovers.

Do I need to do anything?

Although no-one’s personal information or account details beyond their email address were disclosed, as best practice, we recommend that you:

• Please be vigilant against phishing attempts. Emails from BitMEX are sent from “support@bitmex.com” and “noreply@bitmex.com”. We recommend adding these addresses to your contacts list. We will never ask for your password.
• Note that BitMEX will never ask you to transfer any funds. The only way to fund your BitMEX account is to send Bitcoin to your unique BitMEX deposit address. Your unique BitMEX deposit address will begin with “3BMEX” or “3BitMEX” and can be found on the deposit page of your BitMEX account.
• Please take note of our official BitMEX communications channels. Only instructions provided via these avenues should be observed.
• Protect your account by using strong and unique passwords; enabling Two-Factor Authentication (2FA) for all of your accounts (both BitMEX and personal); and to use a password manager.

We want to reassure you that beyond email addresses, no personal or account information has been disclosed. At no point during this issue were any of our systems at risk, and they remain secure, as we continue to take measures to enhance our security. Your privacy and security remain our top priority.

In the meantime, if you need any immediate assistance, please contact Support via our contact form.

Vivien Khoo,
Deputy Chief Operating Officer

Earlier today, some of our users received an email which contained the email addresses of other users in the ‘to’ field. We apologise for the concern this communication may have caused. This was the result of a software error which has now been addressed.

BitMEX takes the privacy and security of our users very seriously. Rest assured that in this instance, beyond email addresses, no other personal data or account information have been disclosed and no further emails have been sent. The error which has caused this has been identified and fixed, ensuring our usual high standards of privacy are upheld.

We are continuing work to ensure this will not occur again in future, and will be introducing additional features to further protect our users. Further communications on this matter will be issued in due course.

In the meantime, please find below some immediate guidance which should be observed in order to ensure the continued safety of your account:

1. Please be aware of phishing attempts. Emails from BitMEX are sent from “support@bitmex.com” and “noreply@bitmex.com”. Please add these email addresses to your contacts list to ensure that these emails do not land in your spam folder. BitMEX will never ask for your password.
   
   
2. BitMEX will never ask you to transfer funds. The only way to fund your BitMEX account is to send bitcoin to your unique BitMEX deposit address. Your unique BitMEX deposit address will begin with “3BMEX” or “3BitMEX” and can be found on the deposit page of your BitMEX account.
   
   
3. Please take note our official BitMEX communications channels. These are our primary, official social media communications channels and only instructions provided via these avenues should be observed.
   
   
4. We would like to remind all of our users to please protect their accounts by using strong and unique passwords; enabling Two-Factor Authentication (2FA) for all of your accounts (both BitMEX and personal); and to use a password manager. Further advice can be found here.

We will continue to communicate updates on our blog. We take the security and privacy of our users very seriously and will take steps to ensure this does not occur again in future.

We are aware that some of our users have received a general user update email earlier today, which contained the email addresses of other users.

Our team have acted immediately to contain the issue and we are taking steps to understand the extent of the impact. Rest assured that we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue.

The privacy of our users is a top priority and we are very sorry for the concern this has caused to our users.

As a growing company we are always looking to bring on exciting new talent. It is our mission to be as successful and relevant in decades to come, as we are today. To do this, we recognise we need the right people, resources and capabilities to help us stay ahead of the market and continue to provide the best experience for our traders.  

This is why we are thrilled to announce that HDR Global Trading Limited has appointed Derek Gobel as our group’s General Counsel. He will oversee the group’s legal function and help us move forward in today’s continually evolving regulatory environment.

Derek brings with him 28 years of experience working on a wide range of legal matters, including his most recent role as BNP Paribas’ General Counsel for APAC. Recognised in the 2017 Legal 500’s GC Powerlist in China and Hong Kong, we look forward to having him on board.

On 13 September 2019 at 08:30 UTC, BitMEX will list new quarterly futures.

Please see the following tables for listings and settlements for current and upcoming futures contracts for Q4 2019. Bolded rows are the new contracts.

The .TRXXBT index will retire on 27 September 2019. It will be replaced by the .BTRXXBT Index. TRXU19 will reference .TRXXBT until its Settlement Date, TRXZ19 will reference .BTRXXBT from its Listing Date. 

Code	Pair	Listing	Settlement
ADAU19	Cardano / Bitcoin	14 June 2019	27 Sept 2019
ADAZ19	Cardano / Bitcoin	13 Sept 2019	27 Dec 2019
BCHU19	Bitcoin Cash / Bitcoin	14 June 2019	27 Sept 2019
BCHZ19	Bitcoin Cash / Bitcoin	13 Sept 2019	27 Dec 2019
EOSU19	EOS Token / Bitcoin	14 June 2019	27 Sept 2019
EOSZ19	EOS Token / Bitcoin	13 Sept 2019	27 Dec 2019
ETHU19	Ether / Bitcoin	14 June 2019	27 Sept 2019
ETHZ19	Ether / Bitcoin	13 Sept 2019	27 Dec 2019
LTCU19	Litecoin / Bitcoin	14 June 2019	27 Sept 2019
LTCZ19	Litecoin / Bitcoin	13 Sept 2019	27 Dec 2019
TRXU19	Tron / Bitcoin	14 June 2019	27 Sept 2019
TRXZ19	Tron / Bitcoin	13 Sept 2019	27 Dec 2019
XRPU19	Ripple Token (XRP) / Bitcoin	14 June 2019	27 Sept 2019
XRPZ19	Ripple Token (XRP) / Bitcoin	13 Sept 2019	27 Dec 2019
XBTU19	Bitcoin / USD	15 Mar 2019	27 Sept  2019
XBTZ19	Bitcoin / USD	14 June 2019	27 Dec  2019
XBTH20	Bitcoin / USD	13 Sept 2019	27 Mar 2020

To encourage efficient trading strategies and incentivise behaviours that improve the executable liquidity of the market, BitMEX will be gradually introducing a number of trading rules for the platform. These rules are specifically designed to improve the quality of the exchange offering for users and are the result of a large amount of research over the past few months. This concept is nothing new and indeed most traditional venues employ similar rules.

You can read more about the first Trading Rule to be introduced in our API Announcement on the Quote Fill Ratio Threshold. This rule aims to discourage the use of strategies that submit quotes to the market without the intent to trade and therefore further strengthen the quality of liquidity on the platform in addition to freeing resources for other market participants.

We believe the introduction of these rules to be a positive step forward for the industry and we are committed to continuing innovation in the space.

Background

For many years now, BitMEX has been the most liquid market offering cryptocurrency derivatives. A key indicator of the quality of a market is the depth and size of the quotes in the order book: liquidity is often measured by price slippage for a given volume to execute. Sk3w.co offers a visual comparison of the price slippage across various cryptocurrency markets. In the sample below, the implied bid-offer spread for executing 1000 XBT worth of contracts on BitMEX’s XBTUSD market fluctuates around 0.5%. Compare this with other venues, where price slippage is roughly 10x higher, ranging from 3% to over 15%.

 

 

Since day 1, BitMEX has provided unprecedented access to the platform through our industry-leading API. Every action that can be performed on the BitMEX.com website, can also be performed via our API. In fact, the BitMEX.com web interface is just a client of our public API. This open approach has been a key contributor to BitMEX becoming the most liquid market in the industry.

Liquidity is only useful however if it is genuinely executable liquidity. In the month of June, fewer than 2% of active users on BitMEX accounted for over 60% of the order management requests processed, and less than 2% of the volume traded. Users fitting this behaviour profile are incredibly inefficient with their use of the API, submitting a disproportionately high number of orders per contracts traded.

There are a number of explanations for this kind of API usage. We often discover accounts that have signed up to an online automated trading service (or “bot”), entered their API keys, and then forgotten entirely about the account whilst it continues to place/amend/cancel thousands of orders every day. Other times, it could be a misconfigured trading system or client algo, which is quoting too wide and very rarely trades.

This kind of behaviour, whilst not currently against the rules, takes resources away from participants genuinely looking to trade on the platform. We believe that discouraging this kind of behaviour will further strengthen the liquidity of the market and provide a better overall experience for users.

If you have any further questions please contact Support via our contact form: https://www.bitmex.com/app/support/contact.

In 2014, HDR Global Trading Limited (HDR) was founded in Mahé, Seychelles as a small, dedicated team of young entrepreneurs focused on a simple mission: to build a crypto trading platform geared toward experienced traders first. We focused on building the most responsive interface, featuring groundbreaking products, controlled by a complete and seamless API, with the tightest security. From those ideals, BitMEX was built.

The market has spoken: BitMEX has succeeded. We are proud to have built the most innovative, reliable, and secure cryptocurrency platform in the world.

As BitMEX grows, so the world grows with it. In 2013, only months before we began, Bitcoin had just crashed from its second major bull-run. The dreams and wallet balances of the greater crypto community crashed with it. A new set of priorities emerged, focusing on safety, security, and stability. Financial regulators started to pay more attention to Bitcoin, and rightly so. It was clear to all of us that new standards were needed for this new industry.

Since then, the cryptocurrency landscape has changed dramatically, and leaders such as BitMEX have been working with regulators to help shape the industry, creating the standards that will help it go mainstream. 

The increased involvement of regulators with all the major players in the industry is not only to be expected, it is to be welcomed. It is the mission of good regulators to ensure that honest citizens are not being cheated. Regulators bear the burden of ensuring that risks are clearly communicated, products are fair, and taxes are collected. Through this process, we will see a new era of legitimacy for cryptocurrency exchanges: a future where market operation standards are clearly stated and maintained, where security is paramount, and where financial reserves are independently and frequently audited.

We believe fervently in these goals. And we understand that nothing is more sacred than the safety of your funds and the stability of the platform.

For this reason, we have decided to restrict access to BitMEX for users in the jurisdictions in which HDR-affiliated employees and offices are located. Seychelles, Hong Kong and Bermuda will be added to the list of jurisdictions already restricted from access to BitMEX. This change will have no financial impact on the business and will affect very few people. The BitMEX team will be reaching out to those who are affected. 

The BitMEX platform is entering a new and exciting era. This conservative action is not taken reactively, but proactively. We want to ensure we lead the industry not just in innovation but also in standards. 

• We are extending the transparency of our systems so that our customers and stakeholders can better understand how BitMEX operates. 
  
  
• We are showing third-parties why we believe BitMEX is a safe place to trade; how our innovative contracts are structured; why we keep an Insurance Fund; how auto-deleveraging is orderly and fair; how we know all accounts are 100% backed; and why we believe BitMEX has one of the safest custody solutions in the world. 
  
  
• We are working on independent audits of our Insurance Fund, market making activities, and tradeable contract structure and we hope to share the results of these processes in the near future.
  

We believe success in the cryptocurrency space lies in the ability to think long-term, not short-term. And in that long-term view, we believe this course of action affords us the best opportunity to engage regulators in deep, thoughtful, and productive explorations of the risks and opportunities present in the cryptocurrency market.

BitMEX will not just be the most liquid, innovative place to trade. It will also be one where customers may rest assured – with independent affirmation – that accounts are solvent, settlements are honest, and all participants enjoy the same access and opportunity to Trade More.

Following on from our 28 May 2019 announcement of a donation to the MIT Digital Currency initiative, we are delighted to announce a US$60,000 grant to Bitcoin Core contributor, Michael Ford (AKA fanquake). Michael has been a Bitcoin contributor since 2012 and has recently been added to the list of maintainers for the Bitcoin Core software project.

HDR Global Trading Limited (which owns and operates the BitMEX cryptocurrency trading platform) is proud to support Bitcoin development and engineering, aimed at improving Bitcoin’s robustness, scalability and privacy. The grant is non exclusive and requires Michael to work on Bitcoin Core. We are pleased to be Michael’s first financial supporter during his time as a Bitcoin Core maintainer.

Sam Reed, CTO and co-founder of HDR Global Trading Limited, made the following remark about the grant:

HDR Global Trading Limited, like all other companies in the cryptocurrency space, relies heavily on the (mostly-volunteer) work of coders dedicated to the mission and ideals of Bitcoin. This work is difficult, demanding, and often thankless. We believe it is the duty of corporations to give back to the projects from which they benefit – and from which their very business model stems. Without the millions of free man-hours from dedicated OSS developers powering everything from our operating systems, to our web servers, to our ops tools and Bitcoin itself, the BitMEX trading platform could not have been built. We don’t forget this gift. Therefore, HDR considers this grant, provided on a no-strings-attached basis, to be only a small part of an ongoing commitment to bolstering Bitcoin and other OSS projects for the benefit of all.