Bitcoin Payment Service BitPay Loses $1.8M in a Classic Phishing Hack

Atlanta’s BitPay, a Bitcoin processor, suffered losses of 5000 Bitcoins, nearly USD $1.8 million, due to a spear-phishing attack instigated by a hacker, court documents revealed.

A court filing has revealed that top management at BitPay, a payment processor for the cryptocurrency Bitcoin, was tricked into sending nearly $1.8 million to an opportunistic hacker armed with a classic phishing scam.

The incident was never brought to light by BitPay themselves until court documents revealed it, reports the Atlanta Business Chronicle.

The Scam

The details of the hack were revealed when BitPay filed a lawsuit against its insurer after the latter’s refusal to pay for the losses incurred due to the hack.

The complete lawsuit is available to download here. The reasons for BitPay’s rejected insurance claim are documented here.

Here’s how the scam was spun:

  • The hacker gained access to the computer of BTC Media CEO David Bailey and used it to send an email to BitPay CFO Bryan Krohn. The email contained a link to a Google Doc.
  • The first hack of the BTC CEO’s email was crucial, as the company was in regular communication with BitPay to purchase the latter’s magazine business.
  • BitPay CFO Krohn promptly filled in the Google document with his corporate email information, which inadvertently granted the hacker complete access to Krohn’s account.

After gaining access to Krohn’s email, the hacker got to “learn specific details about how BitPay transacted business,” the lawsuit reads.

With the necessary details and tools at his disposal now, the hacker launched the next phase of his plan.

  • Using Krohn’s email account, the hacker sent emails to BitPay CEO Stephen Pair (purporting to be from Krohn) and asked Pair to transfer 1000 bitcoins to a BitPay customer’s wallet. Pair promptly did so.
  • A short while later, the CEO received a second email with the same request for another 1000 bitcoins, which he also fulfilled.
  • Emboldened, the hacker then sent another email to the CEO the next day, asking for an additional 3000 bitcoins. When Pair emailed Krohn to confirm the request, the hacker (still in control of Krohn’s email) sent an email back, validating the request.
  • The CEO then sent 3000 bitcoins to the wallet (approx. $700,000 at today’s rates).

The scam was only discovered after the CEO cc’d the real BitPay customer on the final email about the transfer of 3000 coins, which prompted a reply from the customer noting that they did not purchase the bitcoins.

In a statement, BitPay CEO Stephen Pair confirmed that BitPay was the only victim of the hacker’s scam and that it did not affect any of its users.

“This was an isolated incident, and none of BitPay’s customers, affiliates or merchants lost any funds. The only victim of the theft was BitPay. All merchant funds were secure, and there were no disruptions to BitPay’s payment services at any time,” the statement read.