As John McAfee said during D10E, keyloggers are the Achilles' heel of current crypto security. I'd put money on it being something along those lines...
and/or an insider, they used to boast about front running orders there ffs
True, good point. Getting close enough to the keys either virtually or in the physical world isn't going to be easy. An inside job would at least explain how somebody could get into a position where they can compromise the system.
I'm just guessing here, but the best I can gather about the Bitfinex attack:
- The multisig they used is 2 out of 3 -- one key in cold storage, one key at the Bitfinex exchange, one key at BitGo via API.
- The attacker apparently forged withdrawal requests through Bitfinex, which were signed by BitGo automatically (as an authenticated request).
- Supposedly there were limits in place on the BitGo side, but they either didn't work or were bypassed.
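The 2-of-3 arrangement sketched in the post, as an added toy model that is not from the thread and not Bitfinex or BitGo code: an API co-signer adds the second signature to whatever already carries the exchange's signature, with a hypothetical per-day limit that can be switched off to mimic the "limits didn't work" case. It shows why an automatic co-signer without a working limit turns 2-of-3 into effectively 1-of-3 for anyone holding the exchange key.

```python
"""Toy model of a 2-of-3 custody split (constructed example): a cold key,
an exchange key, and an API co-signer key. Not real Bitfinex/BitGo logic."""
from dataclasses import dataclass, field

COLD, EXCHANGE, COSIGNER = "cold", "exchange", "cosigner"
THRESHOLD = 2  # 2-of-3: any two signatures make a withdrawal broadcastable


@dataclass
class Withdrawal:
    amount: int
    signatures: set = field(default_factory=set)


@dataclass
class CoSigner:
    """Hypothetical API co-signer with a per-day spending limit (assumption)."""
    daily_limit: int
    enforce_limit: bool = True  # False models a limit that is absent or bypassed
    spent_today: int = 0

    def consider(self, w: Withdrawal) -> bool:
        # The co-signer only acts on requests the exchange has already signed,
        # i.e. any "authenticated request" coming through the exchange's API.
        if EXCHANGE not in w.signatures:
            return False
        if self.enforce_limit and self.spent_today + w.amount > self.daily_limit:
            return False  # a working limit refuses to add the second signature
        self.spent_today += w.amount
        w.signatures.add(COSIGNER)
        return True


def broadcastable(w: Withdrawal) -> bool:
    return len(w.signatures) >= THRESHOLD


def drain(cosigner: CoSigner, amounts) -> int:
    """Someone holding only the exchange key submits a series of withdrawals.
    Returns the total value that reaches the 2-of-3 threshold, i.e. what the
    single compromised key actually lets out given the co-signer's policy."""
    total = 0
    for amt in amounts:
        w = Withdrawal(amt, {EXCHANGE})  # only the exchange's signature present
        cosigner.consider(w)
        if broadcastable(w):
            total += amt
    return total
```

With the limit disabled, every request the exchange signs gets its second signature, so the cold key never needs to be touched; with the limit working, the same stream of requests is capped at the daily limit.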