September 18, 2015

Bitcoin Payment Service BitPay Loses $1.8M in a Classic Phishing Hack

Atlanta’s BitPay, a Bitcoin processor, suffered losses of 5000 Bitcoins, nearly USD $1.8 million, due to a spear-phishing attack instigated by a hacker, court documents revealed.

Court filings have revealed that top management at BitPay, a payment processor for the cryptocurrency Bitcoin, was tricked into sending nearly $1.8 million to an opportunistic hacker armed with a classic phishing scam.

The incident was never brought to light by BitPay themselves until court documents revealed it, reports the Atlanta Business Chronicle.

The Scam

The details of the hack were revealed when BitPay filed a lawsuit against its insurer after the latter’s refusal to pay for the losses incurred due to the hack.

The complete lawsuit is available to download here. The reasons for BitPay’s rejected insurance claim are documented here.

Here’s how the scam was spun:

  • The hacker gained access to the computer of David Bailey, CEO of BTC Media, and used it to send an email to BitPay CFO Bryan Krohn. The email contained a link to a Google Doc.
  • The first hack of the BTC CEO’s email was crucial as the company was in regular communication with BitPay to purchase the latter’s magazine business.
  • BitPay CFO Krohn promptly filled in the Google document with his corporate email information, which inadvertently granted the hacker complete access to Krohn’s account.

After gaining access to Krohn’s email, the hacker got to “learn specific details about how BitPay transacted business,” the lawsuit reads.

With the necessary details and tools at his disposal now, the hacker launched the next phase of his plan.

  • Using Krohn’s email account, the hacker sent emails to BitPay CEO Stephen Pair (purporting to be from Krohn) and asked Pair to transfer 1000 bitcoins to a BitPay customer’s wallet. Pair promptly did so.
  • A short while later, the CEO received a second email with the same request for another 1000 bitcoins, which he also fulfilled.
  • Emboldened, the hacker then sent another email to the CEO asking for an additional 3000 Bitcoins the next day. When Pair emailed Krohn to confirm the request, the hacker (still in control of Krohn’s email) sent an email back, validating the request.
  • The CEO then sent 3000 bitcoins to the wallet (approx. $700,000 at today’s rates).

The scam was only discovered after the CEO cc’d the real BitPay customer on the final email about the transfer of 3000 coins, which prompted a reply from the customer noting that they did not purchase the bitcoins.

In a statement, BitPay CEO Stephen Pair confirmed that BitPay was the only victim of the hacker’s scam and that it did not affect any of its users.

“This was an isolated incident, and none of BitPay’s customers, affiliates or merchants lost any funds. The only victim of the theft was BitPay. All merchant funds were secure, and there were no disruptions to BitPay’s payment services at any time,” the statement read.

 

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
