BitGrail Hack — February 2018
Overview
In February 2018, BitGrail, an Italian cryptocurrency exchange, suffered a hack resulting in the loss of approximately $170 million worth of Nano (XRB) tokens (formerly known as RaiBlocks). On 8 February 2018 the site posted a notice to users stating that hackers had made off with 17 million units of NANO (XRB).
Technical Root Cause / Attack Vector
• BitGrail did not validate users' balances correctly and allowed withdrawals that the balance did not cover.
• It was reportedly possible to run BitGrail's own JavaScript manually to withdraw a greater amount of XRB than what was in the user's balance — i.e. a withdrawal-accounting / race-condition flaw on the exchange backend, not a flaw in the Nano protocol.
• Nano explicitly stated that no double-spending was detected on the ledger and that the issue resided entirely in BitGrail's software.
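The class of flaw described above, as an added example (not BitGrail's code; the SQLite schema, the function names and the account "alice" are assumptions made for illustration). It contrasts a check-then-act withdrawal that trusts a previously read balance with a server-side debit that checks and subtracts in one atomic statement.

```python
import sqlite3

def make_ledger(balance):
    """Constructed sample ledger: one account, integer units (no floats)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE payouts (account TEXT NOT NULL, amount INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (balance,))
    return db

def balance_of(db, account):
    return db.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]

def weak_withdraw(db, account, amount, balance_seen):
    """Check-then-act: the check uses a balance read earlier (or supplied by
    the client) and the debit is unconditional, so interleaved requests all pass."""
    if amount > balance_seen:
        return False
    db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, account))
    db.execute("INSERT INTO payouts VALUES (?, ?)", (account, amount))
    return True

def safe_withdraw(db, account, amount):
    """Check and debit in one atomic statement, in the same transaction as the
    payout record. Nothing the client says about its balance is used."""
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return False
    db.execute("BEGIN IMMEDIATE")  # take the write lock before touching the row
    try:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, account, amount))
        if cur.rowcount != 1:  # insufficient funds or unknown account
            db.execute("ROLLBACK")
            return False
        db.execute("INSERT INTO payouts VALUES (?, ?)", (account, amount))
        db.execute("COMMIT")
        return True
    except Exception:
        db.execute("ROLLBACK")
        raise

def demo():
    """Two 80-unit requests against a 100-unit balance, both validated
    against the same earlier read of that balance."""
    weak = make_ledger(100)
    seen = balance_of(weak, "alice")
    weak_results = [weak_withdraw(weak, "alice", 80, seen) for _ in range(2)]
    safe = make_ledger(100)
    safe_results = [safe_withdraw(safe, "alice", 80) for _ in range(2)]
    return weak_results, balance_of(weak, "alice"), safe_results, balance_of(safe, "alice")
```

A periodic reconciliation of the sum of account balances and recorded payouts against the wallet's on-chain balance is the complementary control, since it surfaces an overdraw like the one in `demo()` even when the withdrawal path itself is flawed.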
Timeline
• Some unauthorized withdrawals began as early as October 19–23, 2017 (well before the public disclosure). One single withdrawal of 1,000,000 XRB was logged on October 23, 2017.
• The vast majority of the 17M XRB had reportedly been drained from BitGrail's hot/operational wallets before November 2017, but the issue was only disclosed in February 2018.
Financial Impact
• Loss: ~17,000,000 XRB ≈ $170 million at the time of disclosure.
• Affected: BitGrail customers holding NANO/XRB on the exchange.
Response & Aftermath
• BitGrail founder Francesco "The Bomber" Firano publicly asked the Nano core team to fork the Nano ledger to roll back transactions and restore the stolen funds. Nano refused.
• BitGrail filed for insolvency / was placed in administration in Italy.
• The Nano core team published a series of updates (e.g. "BitGrail Insolvency Update — 2/11/18") indicating that on-chain analysis showed funds were drained over a long period and that the on-chain ledger itself was healthy.
• Class-action / civil lawsuits were filed against BitGrail and Firano in both the United States and Italy. An Italian court eventually ruled Firano partly liable and ordered restitution to creditors, though full recovery of user funds did not materialize.
• BitGrail ceased operations.