On August 9, the Federal Trade Commission (FTC) issued an order denying the petition sought by the New Jersey-based Bachi.Tech Corporation to quash or limit portions of a Civil Investigative Demand (CID). The FTC is trying to determine whether Bachi.Tech engaged in “deceptive, unfair, or otherwise unlawful acts or practices regarding the marketing and operating of BitMart currency exchange services.”
The FTC issued a similar order on July 18 to Spread Technologies LLC, another entity associated with BitMart’s operations. Both parties had been served with “virtually identical” CIDs on May 11 and responded with “nearly identical” arguments. The two firms argued that the FTC couldn’t compel them to produce materials located outside the U.S., that some of the info sought was irrelevant to the investigation, that the FTC’s requests were overbroad, and that producing the documentation would impose an undue burden.
The order denying the petition states that the firms offered no evidence to support their claims, nor did they schedule or attend a ‘meet and confer.’ They also failed to respond to the portions of the CID requests they hadn’t objected to, improperly treating their partial objections as a rejection of the whole, thereby putting the firms in default of their production obligations.
As the FTC order acidly notes, ‘mere statements by counsel in a brief do not provide a factual basis to support CID objections,’ recalling the judge in the recent Alex Jones defamation trial reminding him that “your beliefs do not make something true.” The FTC has given Bachi.Tech until August 19 to comply in full with the CID.
The FTC’s probe is a multi-faceted affair, involving “BitMart’s representations concerning its advertised exchange services; allegations that consumers have been denied access to their accounts; and concerns about the security of customer accounts.”
The probe intends to find out whether BitMart engaged in “unfair [or] deceptive … acts or practices … relating to the marketing of goods and services,” as well as “deceptive or unfair acts or practices related to consumer privacy and/or data security.”
Not all hacks are created equal
BitMart was the target of a “large scale security breach” that resulted in around $200 million in customer tokens being stolen from the site in December 2021. While BitMart promised to make customers whole shortly after the incident, users were still seeking the return of their assets more than a month later.
BitMart CEO Sheldon Xia blamed the incident on compromised private keys to two hot crypto wallets containing a variety of tokens on the Ethereum blockchain and Binance Smart Chain. The tokens were subsequently converted to ETH and laundered through the Tornado Cash privacy mixer.
A few months prior to that hack, BitMart was allegedly the conduit for malicious actors trading bogus Bitcoin SV tokens derived from an attempted block reorg attack on the BSV blockchain. While the block reorg attack was successfully repelled by honest BSV nodes, BitMart’s lack of adequate know your customer (KYC) and anti-money laundering (AML) protocols allowed the attackers to swiftly swap their bogus BSV tokens for other digital assets, which were then withdrawn and transferred to other exchanges.
BitMart belatedly attempted to close the barn door long after the cows had fled, freezing dozens of accounts and asking a New York court to prevent the attackers from moving their ill-gotten gains off the third-party exchanges to which they’d been transferred. But the heavily redacted court filing sparked more questions than it provided answers.
For instance, why was BitMart the only exchange the reorg attackers chose to launder their bogus tokens? Is BitMart’s KYC/AML just that legendarily lax? That’s entirely within the realms of possibility, given that BitMart’s court filing concludes that the perpetrators were “foreign, impossible to identify hackers” who were nonetheless allowed to open multiple BitMart accounts.
BitMart claimed that 43 customers were collectively tricked out of more than $5 million by trading digital assets such as BTC, ETH and XRP for the bogus BSV tokens, but for some reason—in stark contrast to the December 2021 hack—these customers appear to have observed strict radio silence about having been victimized. Moreover, BitMart has yet to provide evidence of hashes of any double-spends on either the valid BSV blockchain or the orphaned chain that resulted from the failed reorg attack.
And while BitMart was quick to pursue highly public legal action against their alleged BSV hackers, there’s been a far less visible follow-up on bringing the perpetrators of its much larger December 2021 hack to justice—despite the fact that this hack involved someone with access to the company’s private keys, which in theory should have dramatically limited the pool of possible suspects.
BitMart clearly didn’t do itself any favors in treating the FTC’s requests for information with such disdain. The FTC officials in charge of this probe have almost certainly been imbued with fresh determination to get to the bottom of things. Let’s hope they dig deep enough to discover what other aspects of BitMart’s affairs may have been less than upstanding.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.