Topic: BitPay Hacked for $1.8 Million in Bitcoin During December 2014 (Read 411 times)

vip
Activity: 1428
Merit: 1145
There's already a thread up. Thanks for playing.

https://bitcointalksearch.org/topic/breaking-atlanta-based-bitcoin-giant-bitpay-hacked-for-nearly-2000000-1182490

FWIW, it was boring till I got there. HAHAHA
full member
Activity: 144
Merit: 100
[This post originally appeared in SiliconANGLE's Bitcoin coverage section. Head on over for the best in Social journalism, or subscribe to my posts for occasional highlights. Kyt Dotson is the original author of this post. This post is published under a CC 2008-2015 (BY-SA 4.0) SiliconANGLE Media. Feel free to re-use or re-publish with attribution. -mrh]

Court documents filed on September 15 in a federal court in Atlanta, GA have revealed that Atlanta-based BitPay, Inc. was hacked to the tune of 5,000 bitcoins (approximately $1.8 million) in December of 2014.

As a major financial services provider in the Bitcoin marketplace, BitPay is an extremely obvious target for hackers. Of course, BitPay relies on an insurer, Massachusetts Bay Insurance Company, for instances of hacks and this court case involves the insurer refusing to pay on a policy involving hacks and fraudulent activity.

A copy of the lawsuit is available here [PDF] and further documents submitted by BitPay are available here [PDF].

BitPay: Bitcoins stolen were obtained by fraud
According to the Atlanta Business Chronicle, the court documents reveal that the hacker first compromised the e-mail account of Bryan Krohn, BitPay's chief financial officer, via a technique known as spear phishing. This technique targets a specific individual and directs them to a web page that looks legitimate, but is really controlled by the hacker. When the targeted individual enters the credentials into that page, the hacker then gets their login information.

To get Krohn's credentials the hacker used access to the e-mail account of David Bailey, the founder of yBitcoin (a property of BTC Media Inc.), a print and digital media guide of the Bitcoin ecosystem, who had been in negotiation with BitPay over a Bitcoin-related magazine purchase. As for the phishing web page, the hacker crafted a Google document that appeared to be from Bailey to Krohn that acted to steal Krohn’s corporate account credentials and give the hacker access.

According to court documents, the hacker used this access to review Krohn’s e-mail history and learn how BitPay transacted business. Using this knowledge and access to Krohn’s account, the hacker then began to masquerade as Krohn.

Using this subterfuge, the hacker first e-mailed BitPay’s CEO Stephen Pair and asked for 1,000 BTC to be transferred to a wallet claimed to belong to SecondMarket, Inc. vice president Preston Blankenship, which he did. Shortly thereafter another e-mail was sent for another 1,000 BTC, also transferred.

The next day, the imposter grew braver and asked for 3,000 BTC to be transferred to the customer’s wallet. This time, the CEO e-mailed Krohn to verify the transfer, but the hacker had control of that e-mail account so simply replied that the request was valid.

The scam, however, was uncovered at this point because Pair had copied the real e-mail of a SecondMarket representative in the e-mail asking for verification. This led to a reply stating that SecondMarket had not bought 3,000 BTC.

Of course, by this time all 3,000 bitcoins had been spirited away.

The lawsuit emerges
BitPay attempted to get Massachusetts Bay Insurance Company, BitPay’s insurer, to pay $950,000 of the total, but in June the insurer declined to pay. The resulting court documents that this information has been peeled from are the result of BitPay’s lawsuit.

The refusal by the insurer to pay out appears to be regarding the nature of the hack:

“The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay's computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay's business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.”

That the insurance only covers what would be considered a hack by electronic compromise, and not the significant portion of modern hacking, which is “social engineering,” makes this a strange insurance policy.

Featured image credit: photo via Charis Tsevis

Discuss! Does this explain the financial troubles that BitPay has been rumored to be experiencing lately?

Mark Hopkins