- Victims of the $200 million BitMart hack say that five weeks have passed since the crypto exchange vowed to return their money.
- In early December, BitMart wrote in an official statement that it would use its own money to reimburse victims of the large-scale security breach, which the exchange blamed on a stolen private key.
- Many BitMart customers say they haven't received any form of reimbursement.
Victims of the $200 million BitMart hack say that five weeks have passed since the crypto exchange vowed to return their money, but many still haven't seen a dime.
"I'm not one to bitch and moan a lot," said Paul DeLong, a business owner in Austin. "BitMart, from a communication perspective, they said that they were going to give us more updates. We have not received any updates at all."
DeLong says he has reached out to the exchange multiple times, and each time, he's received a canned response from a bot to inform him that BitMart and their attorneys are "working on it."
In early December, BitMart wrote in an official statement that it would use its own money to reimburse victims of the large-scale security breach, which the exchange blamed on a stolen private key.
But users are getting restless waiting for BitMart to make good on its promise.
CNBC spoke to multiple BitMart users who were targets of the attack, some of whom face total financial ruin if their funds aren't retrieved.
Money Report
"Whether it's $20, $500, $10,000, it doesn't matter, just communicate back to us, and let us know," said DeLong.
Many of the victims lost a particular token known as safemoon, which is a cryptocurrency token built on the Binance Smart Chain blockchain. The coin saw a massive run-up in the second quarter of 2021 after a slew of celebrity endorsements from the likes of rapper Lil Yachty and YouTuber Jake Paul.
Get a weekly recap of the latest San Francisco Bay Area housing news. Sign up for NBC Bay Area’s Housing Deconstructed newsletter.
CNBC reached out to ask whether BitMart still planned to make good on its promise to reimburse victims. The email address of BitMart CEO Sheldon Xia, which he lists on his unverified Twitter profile, bounced back, just as it did when CNBC first reached out to Xia in early December.
A spokesperson replied, "We will support all user withdrawals. We're also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. Any further updates will be announced on our official website." The company did not respond to more detailed questions.
Victims plead for transparency
CNBC talked to more than a dozen BitMart users personally affected by the breach. One common theme across many of these conversations was a desire for transparency. The shared feeling was that bad news was better than no news.
One BitMart user, who said he felt his tokens were "being held hostage," sent CNBC a screenshot of his exchange with the admin who runs BitMart's Telegram account. When he asked Thursday evening whether there was any further guidance on when he would be receiving his safemoon tokens back, the reply read, "We'll announce when there's an update."
Toronto-based Mohamad, who asked that CNBC just refer to him by his first name, said he feels close to committing suicide because of his experience with BitMart.
The Iranian refugee has $53,000 worth of the safemoon token stored on his BitMart wallet, $40,000 of which came from a loan that he has to pay back with 4% interest.
The 38-year-old tells CNBC that from 7 A.M. until 10 P.M., seven days a week, he works as a tow truck driver for a road side assistance company. He says he has to work long hours because his employer pays him a per-job commission rather than an hourly wage. He gets $20 per job, but he has to pay for his own diesel fuel.
He began to invest in cryptocurrencies to try to carve out a future for himself in Canada.
"I just was thinking I can grow my money, then I can go to school to learn English and go to college," Mohamad shared with CNBC. "I don't have any savings."
Another BitMart user tells CNBC that it is not just his money at stake. His mother and mother-in-law pooled together $30,000 and asked him to invest the cash in BitMart on their behalf.
"After I put it in, the freaking hack happened, so I was going crazy, because I didn't have anything to give them," he said.
New York-based "Mr. Blik," who also asked not to use his real name, tells CNBC the timing couldn't have been worse.
"This happened close to the holidays...People sometimes have to liquidate some of their positions to cover expenses, to buy things for kids for Christmas. Their inability to make people whole really created an environment where that freedom that we all strive for was taken away from us," Mr. Blik said.
One Kansas-based crypto investor, who has around $35,000 stuck in BitMart, told CNBC he wasn't terribly worried until recently.
"There was some general understanding, even patience, from holders that BitMart was merely waiting until after the first of the year to re-purchase the stolen hot wallet tokens for tax reasons," he said.
This same BitMart customer now says he is in touch with around 6,800 holders who are considering filing a class-action suit against the exchange. They are giving it about a week until they take action.
Beware the Safemoon Army
The company's vagueness has helped fire up the so-called "Safemoon Army" — a term given to the community of safemoon token holders, who have historically proven to be a formidable force when they coalesce around a cause.
The BitMart hackers made off with a mix of more than 45 coins, but safemoon tokens accounted for a hefty portion of the spoils. While some BitMart users have reported reimbursements for tokens like saitama, safemoon holders remain in limbo.
Safemoon investors using BitMart also say they haven't received their "reflection" payments — a dividend-like perk distributed to existing holders of the token — since November. BitMart's safemoon investors are therefore feeling doubly burned.
Even safemoon holders who have never used BitMart feel they've been indirectly burned by the breach.
One United States Air Force veteran made the point that when the hacker stole the safemoon coins and sold them all on the open market, it dropped the price of the entire project. "We're all affected by this," he said.
The Safemoon Army is pressuring BitMart through a Twitter campaign designed to shame the exchange into following through on paying back victims of the hack. The safemoon contingent is pushing the Twitter hashtag #WenBitMart, which began trending on Monday night.
Although BitMart told CNBC it would support token exchanges, victims say that could cost them money.
One person said that if he liquidates his tokens on BitMart to USDT (a popular stablecoin pegged to the value of the U.S. dollar), he would do so at a market position that is one-third of where his safemoon tokens trade today. He would also face a 10% fee for making the trade because of safemoon's trading requirements. (This 10% transaction tax serves as an incentive for users to keep holding the token, which helps put a floor under its price. They also fund dividends that the token creators pay holders as an added incentive.)
Even if BitMart does make good and pay everyone back, it remains to be seen whether the exchange will repurchase the equivalent assets lost at their current prices, which in some cases, could be significantly higher.
Safemoon's global head of products is himself a BitMart customer. Ryan Arriaga says that 15% of his safemoon stash is on BitMart. But he believes the exchange will do the right thing.
"It's not like it was four or five years ago, where a lot of these people who were involved are anonymous...People are wisening up to the space, they understand it more, they can read contracts better," said Arriaga.
"We've come such a long way now that I believe that BitMart will keep their promise and do the right thing...Especially with the safemoon army, we have such a great support for what we're trying to achieve that it wouldn't die down. It won't only add more fuel to the fire."
Users dig deeper
As BitMart customers wait for answers, some are biding the time by going deep on the crypto exchange itself. CNBC participated in a Twitter Spaces chat on Wednesday night in which nearly 700 people discussed the situation.
BitMart closed a $13.7 million Series B funding round at the end of 2021 at a $300 million valuation, giving pause to some who wonder how the exchange is equipped to self-fund reimbursements of $200 million to customers.
Others have asked why BitMart isn't going through insurance to reimburse stolen funds. CNBC put that question to BitMart, and the exchange declined to respond.
CNBC also asked if the exchange was running an internal audit to gauge whether anything ran afoul within its own ranks, and again, BitMart opted not to respond to that question.
The December hack affected two of BitMart's "hot wallets," but other assets were apparently "safe and unharmed."
Cryptocurrency can be stored "hot," "cold," or some combination of the two. A hot wallet is connected to the internet and allows owners relatively easy access to their coins so that they can access and spend their crypto. The trade-off for convenience is potential exposure to bad actors.
The final and resounding concern among many BitMart users is that instead of halting trading of the affected and non-collateralized tokens, BitMart only stopped withdrawals. CNBC has seen a video in which one person purchased safemoon tokens on the exchange on Jan. 5, well after the hack.