In March 2019, cryptocurrency exchange BiKi.com faced a significant security incident involving unauthorized password changes and asset theft from user accounts. The platform swiftly responded by halting withdrawals, freezing affected accounts, and publicly committing to cover the full financial loss—totaling 123,300 USDT. This event highlighted the importance of robust account security in the digital asset space, especially during a bear market marked by increased scrutiny and cyber threats.
Overview of the Security Breach
On March 26, 2019, BiKi.com confirmed that a number of user accounts had been compromised through two weaknesses acting together: the affected accounts had no app-based two-factor authentication (2FA) bound, so SMS was their only second factor, and the third-party SMS verification provider had been compromised, so the SMS codes could be intercepted. According to the official statement:
- 37 accounts had their passwords altered without authorization.
- Of these, 18 accounts experienced actual asset transfers.
- The total loss amounted to 123,300 USDT, a stablecoin pegged to the U.S. dollar.
The breach was first detected when a user reported that their password had been changed and asked for help reactivating Google Authenticator. What looked like an isolated case escalated within hours, when 28 more users reported the same thing and the platform's risk control system raised alerts, prompting immediate action.
Root Cause and Immediate Response
BiKi.com's technical team identified the root cause as two weaknesses acting together:
- No Google Authenticator (app-based 2FA) bound on the affected accounts, leaving SMS as their only second factor.
- SMS interception via a compromised third-party verification provider.
Together these meant the attacker did not need the victim's phone: a reset code read at the compromised SMS provider was enough to pass verification, change the password and take over the account. Accounts with Google Authenticator bound were not exposed in the same way, because an app-generated code never crosses the SMS channel.
In response, BiKi.com took several emergency measures within one hour:
- All withdrawals and over-the-counter (OTC) trading were suspended.
- Affected accounts were frozen to prevent further fund movement.
- The risk control system was upgraded to enforce a 48-hour withdrawal delay after any password change.
- The platform switched to a more secure SMS verification channel to reduce future interception risks.
These actions helped block multiple attempted malicious withdrawals, minimizing the final loss.
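As an added illustration, not BiKi.com's own code, the following Python models the two controls that matter in this response: the 48-hour withdrawal hold after a password change (the one rule the article states, and the subject of the FAQ entry below) and a burst detector for SMS-channel password resets of the kind a risk control system needs in order to raise the alert described above. The event format, the rule that accounts without app-based 2FA cannot withdraw, the five-resets-per-hour threshold and the sample records are assumptions constructed for the example.

```python
"""Withdrawal risk controls modelled on the BiKi.com response.

Added example, not BiKi.com's own code. Only the 48-hour hold comes from
the article; the event shape, the 2FA-for-withdrawal rule, the burst
threshold and the sample records are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

HOLD_AFTER_PASSWORD_CHANGE = timedelta(hours=48)  # stated in the article
RESET_BURST_THRESHOLD = 5                         # assumption
RESET_BURST_WINDOW = timedelta(hours=1)           # assumption


@dataclass
class Account:
    user_id: str
    has_app_2fa: bool                               # Google Authenticator bound?
    last_password_change: Optional[datetime] = None
    frozen: bool = False


@dataclass
class Event:
    ts: datetime
    user_id: str
    kind: str              # "password_reset" or "withdrawal"
    channel: str = ""      # for password_reset: "sms" or "app"
    amount_usdt: float = 0.0


def t(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def check_withdrawal(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Decide whether a withdrawal may proceed; returns (allowed, reason)."""
    if acct.frozen:
        return False, "account frozen"
    if (acct.last_password_change is not None
            and now - acct.last_password_change < HOLD_AFTER_PASSWORD_CHANGE):
        return False, "48h hold after password change"
    if not acct.has_app_2fa:
        # Assumed hardening: SMS-only accounts cannot withdraw until an app is bound.
        return False, "app-based 2FA required for withdrawals"
    return True, "ok"


def detect_reset_burst(events: List[Event],
                       threshold: int = RESET_BURST_THRESHOLD,
                       window: timedelta = RESET_BURST_WINDOW) -> List[datetime]:
    """Times at which SMS-channel password resets within the trailing window
    first reach `threshold`; one alert per burst, suitable for paging on-call."""
    resets = sorted(e.ts for e in events
                    if e.kind == "password_reset" and e.channel == "sms")
    alerts, start = [], 0
    for i, now in enumerate(resets):
        while now - resets[start] > window:   # slide the window forward
            start += 1
        if i - start + 1 == threshold:
            alerts.append(now)
    return alerts


def replay(accounts: Dict[str, Account],
           events: List[Event]) -> List[Tuple[str, bool, str]]:
    """Apply events in time order; one (user_id, allowed, reason) per withdrawal."""
    decisions = []
    for e in sorted(events, key=lambda x: x.ts):
        acct = accounts[e.user_id]
        if e.kind == "password_reset":
            acct.last_password_change = e.ts
        elif e.kind == "withdrawal":
            allowed, reason = check_withdrawal(acct, e.ts)
            decisions.append((e.user_id, allowed, reason))
    return decisions


# Constructed sample data, not real BiKi.com records.
ACCOUNTS: Dict[str, Account] = {
    **{f"u{i}": Account(f"u{i}", has_app_2fa=False) for i in range(1, 6)},
    "u6": Account("u6", has_app_2fa=True),
    "u7": Account("u7", has_app_2fa=True),
}
EVENTS: List[Event] = [
    Event(t("2019-03-26 01:00"), "u1", "password_reset", "sms"),
    Event(t("2019-03-26 01:05"), "u1", "withdrawal", amount_usdt=5000),  # 5 min after reset
    Event(t("2019-03-26 01:08"), "u2", "password_reset", "sms"),
    Event(t("2019-03-26 01:15"), "u3", "password_reset", "sms"),
    Event(t("2019-03-26 01:22"), "u4", "password_reset", "sms"),
    Event(t("2019-03-26 01:30"), "u5", "password_reset", "sms"),     # fifth SMS reset in 30 min
    Event(t("2019-03-26 01:40"), "u6", "password_reset", "app"),     # legitimate, app-verified
    Event(t("2019-03-26 02:00"), "u6", "withdrawal", amount_usdt=200),   # still inside the hold
    Event(t("2019-03-26 03:00"), "u7", "withdrawal", amount_usdt=100),   # no reset, app 2FA
    Event(t("2019-03-28 02:01"), "u6", "withdrawal", amount_usdt=200),   # hold has expired
]

if __name__ == "__main__":
    print("burst alerts:", [a.isoformat() for a in detect_reset_burst(EVENTS)])
    for decision in replay(ACCOUNTS, EVENTS):
        print(decision)
```

Run stand-alone it prints one burst alert at 01:30 (the fifth SMS reset inside an hour) and denies the two withdrawals that fall inside the 48-hour hold, including u6's legitimate one: the hold is deliberately blind to who changed the password, which is what makes it useful when the reset channel itself is compromised. The burst detector counts only SMS-channel resets because that was the compromised channel here; in production the threshold would be tuned against the platform's normal reset rate.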
Platform Responsibility and Long-Term Safeguards
One of the most notable aspects of BiKi.com’s response was its commitment to user protection. The exchange announced it would fully absorb the 123,300 USDT loss, ensuring no affected user suffered financial damage.
Additionally, the platform introduced a new User Risk Reserve Fund, pledging to allocate 20% of its monthly revenue toward safeguarding user assets. The fund does not prevent compromise; it is a financial backstop that guarantees future losses can be covered, intended to rebuild trust after the incident.
“Each high-growth platform will encounter bumps along the way, but we have the confidence and capability to resolve every issue,” BiKi.com stated in its official release.
With nearly 1 million registered users and over 50,000 daily active traders at the time, BiKi.com was one of the fastest-growing exchanges in 2018–2019 despite challenging market conditions.
Key Cryptocurrency Security Best Practices
This incident underscores essential security habits every crypto user should adopt:
- Bind an app-based TOTP authenticator (Google Authenticator or similar) or a hardware security key; never rely on SMS as the only second factor.
- Regularly audit account activity and connected devices.
- Use unique, complex passwords for exchange accounts.
- Monitor official channels for security alerts and updates.
Platforms must also invest in layered defenses: behavioral alerting on anomalous credential changes, withdrawal holds after credential changes, and verification channels an attacker cannot read.
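To make the first recommendation concrete, here is an added example (not BiKi.com code) of how a server verifies an app-generated code under RFC 6238, the TOTP scheme Google Authenticator implements: the code is computed from a secret shared once at enrolment and the current 30-second time step, so nothing is sent over SMS for a provider to intercept. It uses the RFC 4226/6238 reference secret so the values can be checked against the published test vectors; the one-step tolerance window and the in-memory replay store are assumptions.

```python
"""Server-side TOTP (RFC 6238) verification, the app-based second factor
recommended above. Added example, not BiKi.com code. The window size and
the in-memory replay store are assumptions; the secret is the RFC test
secret so the output can be checked against the published test vectors.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 reference secret. A real deployment generates a random
# per-user secret (e.g. secrets.token_bytes(20)) and stores it encrypted.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import from a QR code; the
    secret is base32 without padding and is shared only once, at enrolment."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"


class TotpVerifier:
    """Accepts a code for the current step or one step either side (clock
    skew), and never accepts the same or an older step twice (replay guard)."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.key, self.step, self.window, self.digits = key, step, window, digits
        self._last_counter: Optional[int] = None   # per user; persisted in practice

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if self._last_counter is not None and counter <= self._last_counter:
                continue    # already used, or older than a step already used
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # "ExampleExchange" and the account name are placeholders.
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleExchange"))
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))   # second use is a replay
```

The replay guard matters for an exchange: a phished or shoulder-surfed code is only useful within its 30-second step, and once a step has been consumed it cannot be reused for a second withdrawal. The last-used counter must be stored per user in the account record, not in process memory, or a second application server will accept the replay.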
Frequently Asked Questions (FAQ)
Q: How did hackers gain access to BiKi.com accounts?
A: Attackers exploited a vulnerability in the third-party SMS verification system and targeted accounts not protected by Google Authenticator, allowing them to reset passwords and initiate unauthorized transfers.
Q: Did users lose money in this incident?
A: No. BiKi.com assumed full responsibility for the 123,300 USDT loss and compensated all affected users entirely.
Q: What is the 48-hour withdrawal rule?
A: After any password change, users must wait 48 hours before initiating withdrawals. This cooling-off period helps prevent immediate fund theft after account compromise.
Q: What is a risk reserve fund?
A: It’s a dedicated pool of funds—financed by a portion of platform revenue—used to reimburse users in case of security breaches or unexpected losses.
Q: Why is SMS verification risky?
A: An SMS code passes through the carrier network and through whatever SMS gateway the platform uses, so anyone who controls either point can read it: SIM-swapping against the victim's carrier, signalling-network (SS7) attacks, or, as in this incident, a breach of the third-party provider. An app-based authenticator such as Google Authenticator or Authy computes the code locally from a secret shared once at enrolment, so there is no message in transit to intercept.
Q: Is BiKi.com still operational today?
A: This article covers only the March 2019 incident and does not track the platform's current status. Before depositing funds on any exchange, verify its current standing through independent audits and community feedback rather than its past statements.
Industry Context and Market Impact
The BiKi.com breach occurred during a broader period of increased security challenges in the crypto industry. In 2019 alone, multiple exchanges reported similar incidents tied to weak account authentication. As decentralized finance (DeFi) and digital wallets grow in popularity, protecting user identity remains paramount.
BiKi.com had recently received a $5 million strategic investment from Ju Du, a well-known figure in the blockchain space who previously backed Huobi and Fcoin. This support signaled strong market confidence in BiKi.com’s long-term vision—even amid operational setbacks.
Final Thoughts
The BiKi.com security incident serves as a cautionary tale about the evolving nature of cyber threats in cryptocurrency. While rapid growth brings opportunities, it also magnifies risks—especially when security infrastructure lags behind user acquisition.
For users, the lesson is clear: take personal responsibility for account security. For platforms, the expectation is equally firm: protect users proactively, not just reactively.
As the digital asset ecosystem matures, transparency, accountability, and layered security will define which platforms earn lasting trust.