Behind the 2000 BTC Incident: The Fundamental Problem of CEX Ledgers

Author: Ding Dang

Original Title: Behind the 2000 BTC Incident: The Fundamental Problem of CEX Ledgers

On the evening of February 6, during a routine marketing event, the Korean cryptocurrency exchange Bithumb created an incident significant enough to be recorded in the annals of the crypto industry.

This was originally just a small-scale "random treasure chest" event. According to the official design, the platform planned to distribute cash rewards totaling approximately 620,000 KRW to 695 participating users. Among them, 249 users actually opened the treasure chests and claimed the rewards, with each person receiving about 2,000 KRW, equivalent to just $1.4 USD. However, due to a backend unit configuration error, the reward unit was mistakenly set to BTC (Bitcoin) instead of KRW (Korean Won). Instantly, each user who opened a treasure chest was "airdropped" 2,000 BTC, totaling 620,000 Bitcoin. The displayed assets in a single account exceeded $160 million USD.

At the time, with Bitcoin priced at about 98 million KRW per coin (approximately $67,000 USD), the账面 value of these "out-of-thin-air" Bitcoins was about $41.5–44 billion USD. Although these assets did not exist on-chain, they were "tradable" within the exchange's internal system. The consequences were almost immediate: within just over ten minutes, the BTC/KRW trading pair on Bithumb plummeted from the global average price to 81.11 million KRW (about $55,000 USD), a drop of nearly 17%. The global BTC market also briefly fell by about 3%, and the derivatives market saw over $400 million in liquidations.

Is Bithumb's 'Swift Recovery' Really Something to Celebrate?

In a subsequent incident disclosure announcement, Bithumb stated that within 35 minutes of the erroneous payment, it had restricted transactions and withdrawals for the 695 affected customers. Over 99% of the erroneously paid amount had been recovered. The remaining 0.3% (1,788 BTC) that had been sold were covered by the company's own assets, ensuring no impact on user assets. Simultaneously, the platform introduced a series of compensation measures. Starting February 8, user compensation was rolled out in batches, including distributing 20,000 KRW to users online during the incident, refunding the price difference to users who sold at a low price plus an additional 10% consolation payment, and offering a 0% trading fee promotion on all trading pairs for 7 days starting February 9.

At this point, the entire incident seemed to have been brought under control.

But another question still lingers in our minds: Why could Bithumb generate 620,000 non-existent BTC in its backend all at once?

To answer this, we must return to the core, yet least understood by average users, layer of centralized exchanges: the accounting method.

Unlike decentralized exchanges where each transaction occurs directly on the blockchain and balances are determined in real-time by the on-chain state, centralized exchanges, in pursuit of extreme trading speed, low latency, and minimal cost, almost universally adopt a hybrid model of "internal ledger + delayed settlement."

The balances, transaction records, and profit/loss curves users see are essentially just numerical changes in the exchange's database. When you deposit, trade, or withdraw, only the parts that involve actual on-chain asset movements (like withdrawing to an external wallet, transferring between exchanges, or large internal settlements) trigger real blockchain transfer operations. In the vast majority of daily scenarios, the exchange only needs to modify a single database field to complete "an asset change"—this is the fundamental reason Bithumb could instantly "generate out of thin air" 620,000 BTC in displayed balances.

This model offers tremendous convenience: millisecond-order matching, zero Gas fees, support for complex financial products like leverage, contracts, and lending. But the flip side of this convenience is a fatal asymmetry of trust: users believe "my balance is my asset," while in reality, users only possess an IOU (I Owe You) from the platform. As long as the backend permissions are sufficiently broad and the validation mechanisms loose enough, a simple parameter error or malicious operation can cause the numbers in the database to severely diverge from the real on-chain holdings.

According to data disclosed by Bithumb for the third quarter of 2025, the platform's actual Bitcoin were about 42,600, of which only 175 were company-owned, and the rest were user custodial assets. Yet, in this incident, the system was able to credit user accounts with BTC amounts more than ten times the size of its real holdings in one go.

More importantly, these "phantom balances" were not just displayed in the backend; they could participate in real matching within the platform, affect prices, and create a false sense of liquidity. This is no longer just a single-point technical bug but a systemic risk inherent in the architecture of centralized exchanges: the severe disconnect between the internal ledger and the real on-chain assets.

The Bithumb incident is merely a moment when this risk was amplified enough for everyone to see.

Mt.Gox: How Ledger Illusion Once Destroyed an Era

History has repeatedly confirmed this with painful lessons. For example, the collapse of Mt.Gox in 2014. Even though over a decade has passed, we can still remember the market panic caused by each large transfer related to exchange repayments.

Mt.Gox, as the largest Bitcoin exchange at the time, once accounted for over 70% of Bitcoin trading volume. But in February 2014, it suddenly suspended withdrawals and declared bankruptcy, claiming to have "lost" approximately 850,000 BTC (valued at about $460 million at the time, later adjusted in some reports to around 744,000 BTC). On the surface, this was due to hackers exploiting the "transaction malleability" vulnerability in the Bitcoin protocol, altering transaction IDs causing the exchange to mistakenly believe withdrawals hadn't occurred, thus resending funds. But deeper investigations (including reports by security teams like WizSec in 2015) revealed a harsher truth: the vast majority of the lost Bitcoin had been gradually stolen between 2011 and 2013, yet Mt.Gox failed to detect it for years because its internal accounting system never performed regular, comprehensive reconciliations with the on-chain state.

Mt.Gox's internal ledger allowed "magic transactions": employees or intruders could arbitrarily add or subtract user balances without corresponding on-chain transfers. The hot wallet was repeatedly compromised, funds were slowly transferred to unknown addresses, but the platform continued to show "normal balances." It was even rumored that after a major theft in 2011, management chose to conceal it rather than declare bankruptcy, leading to subsequent operations continuing on a "fractional reserve" basis. This ledger illusion was maintained for years until the hole became too large to cover in 2014, using the "transaction malleability bug" as an excuse for public disclosure. Ultimately, Mt.Gox's bankruptcy not only destroyed user trust but also caused Bitcoin's price to crash over 20%, becoming the most famous "collapse of trust" case in crypto history.

FTX: When the Ledger Transforms from a 'Recording Tool' to a 'Cover-Up Tool'

Recently, due to the popularity of Openclaw, a topic has resurfaced: the intersection of crypto and AI, which peaked during the FTX era. Before its collapse, FTX heavily invested in the AI field, its most famous case being leading a hundreds-of-millions USD funding round for AI startup Anthropic. If FTX hadn't fallen, its Anthropic stake could be worth tens of billions USD today, but bankruptcy liquidation turned this "AI lottery ticket" to dust. The reason for its collapse was the long-term, intentional mismatch between FTX's internal ledger and real assets. Through commingling of funds and covert operations, client deposits were turned into a "back garden" that could be freely misappropriated.

FTX was highly intertwined with its quantitative trading sister company, Alameda Research, both controlled by Sam Bankman-Fried (SBF). Alameda's balance sheet was filled with FTT, a native token issued by FTX itself. This asset had almost no external market anchor, its value primarily relying on internal liquidity and artificially maintained prices. More critically, the FTX platform granted Alameda a nearly unlimited line of credit (disclosed at one point as high as $65 billion), and the real "collateral" for this credit was the deposits of FTX users.

These client funds were secretly transferred to Alameda for use in high-leverage trading, venture investments, and even SBF's personal luxury spending, real estate purchases, and political donations. The internal ledger played a "cover-up" role here.

According to court documents, FTX's database could easily record client deposits as "normal balances," while simultaneously using custom code in the backend to keep Alameda's account in a negative balance without triggering any automatic liquidation or risk alerts. The balances users saw in the app seemed safe and reliable, but the actual on-chain assets had long been挪走 (moved away) to fill Alameda's loss holes or prop up the FTT price.

FTX creditor repayments are still not fully resolved, and the bankruptcy liquidation process is still ongoing.

Bithumb's 35 Minutes is Just a Narrow Window

Returning to Bithumb, the fact that this incident was contained within 35 minutes does not掩盖 (mask) the severity of this risk. On the contrary, it precisely illustrates the limits of emergency response: the disaster was only contained within a range "manageable by covering the shortfall out of pocket" because the number of affected users was limited (only 695), the erroneous assets had not yet been moved on-chain on a large scale, and the platform had extremely strong account control capabilities (the ability to freeze trading/withdrawal/login permissions in bulk with one click). If this blunder had happened at the full platform user level, or if some users had already withdrawn the "phantom coins" to other exchanges or even on-chain, Bithumb could likely triggered a larger systemic shock.

Even regulators have noticed this. On February 9, the Korean Financial Supervisory Service (FSS) stated that the erroneous Bitcoin distribution incident at Bithumb highlights the systemic vulnerabilities existing in the crypto asset field, necessitating further strengthening of regulatory rules. FSS Governor Lee Chan-jin pointed out at a press conference that the incident reflects structural problems in the electronic systems of virtual assets. Regulatory authorities are conducting a focused review on this matter and will incorporate related risks into subsequent legislative considerations to promote the inclusion of digital assets into a more完善的 (complete/robust) regulatory framework. An emergency on-site inspection has been launched and explicitly stated to be expanded to other local exchanges like Upbit and Coinone. This likely means regulators have understood this signal.

Conclusion

Bithumb's $40 billion phantom airdrop, seemingly absurd on the surface, is actually profound. It laid bare a long-standing problem in the most直观的 (intuitive) way. The convenience of centralized exchanges is essentially built on a highly asymmetric trust relationship: users believe the "balance" in their account is equivalent to real assets, while in reality, it is merely a unilateral promise from the platform to the user. Once internal controls fail or are maliciously exploited, 'your balance' can vanish in an instant.

Therefore, even if the Bithumb incident ended "under control," it should not be interpreted as a successful crisis management case, but rather as an alarm bell that must be heard. The speed, low cost, and high liquidity pursued by exchanges are always obtained at the cost of users relinquishing direct control over their assets. As long as this premise is not正视 (acknowledged/addressed head-on), similar risks cannot truly disappear.

Twitter:https://twitter.com/BitpushNewsCN

Bitpush TG Discussion Group:https://t.me/BitPushCommunity

Bitpush TG Subscription: https://t.me/bitpush