Six employees of Bitstamp were targeted in a weeks-long phishing attempt leading up to the theft of roughly $5m in bitcoin in January, according to an unconfirmed incident report said to be drafted internally by the bitcoin exchange.
The confidential document, posted to Reddit by a single-purpose account, offers an in-depth look into what is believed to be the inside story of the hack, which resulted in the loss of just under 19,000 BTC earlier this year. Since then, the company has offered scant details on what took place behind the scenes, citing confidentiality regarding the investigation into the lost funds.
The report’s findings are notable as they illustrate the risks facing bitcoin exchanges, including social engineering attacks in which personal information is used to trick victims into providing a means of access to sensitive materials.
In the case of Bitstamp, those behind the attack used Skype and email to communicate with employees and attempt to distribute files containing malware by appealing to their personal histories and interests. Bitstamp’s system became compromised after systems administrator Luka Kodric downloaded a file that he believed had been sent by a representative for an organization that was seeking his membership.
The report, attributed to Bitstamp general counsel George Frost, explained:
“On 11th December, as part of this offer, the attacker sent a number of attachments. One of these, UPE_application_form.doc, contained obfuscated malicious VBA script. When opened, this script ran automatically and pulled down a malicious file from IP address 188.8.131.52, thereby compromising the machine.”
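The delivery chain the report describes (an Office attachment is opened, its macro fetches a second-stage file from a fixed IP) leaves a recognisable pattern in web-proxy logs: a document download from one host, followed shortly by a connection from the same host to the download address. The script below is an added example written for this article, not code from Bitstamp, Stroz Friedberg or CoinDesk. It sweeps a constructed proxy log for the indicator address quoted in the report and for that document-then-payload sequence; the log format, host names, URLs and timestamps are invented for the illustration, and the ten-minute window is an assumed tuning value.

```python
"""Hunt for the report's download indicator in constructed proxy logs.

Added example, not part of the CoinDesk article or the Bitstamp report.
188.8.131.52 is the address quoted in the report; everything else below
(log format, hosts, URLs, timestamps) is constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed web-proxy log: time, client host, destination IP, method,
# URL, bytes received. Not real Bitstamp data.
SAMPLE_PROXY_LOG = """\
2014-12-11T09:58:02 ws-admin01 203.0.113.20 GET http://mail.example.net/attachments/UPE_application_form.doc 91204
2014-12-11T09:59:40 ws-admin01 188.8.131.52 GET http://188.8.131.52/img/update.gif 418304
2014-12-11T10:03:11 ws-support03 203.0.113.45 GET http://cdn.example.org/report.pdf 55021
2014-12-11T10:07:55 ws-admin01 203.0.113.88 GET http://news.example.com/index.html 20311
2014-12-11T14:12:09 ws-ops07 198.51.100.9 GET http://198.51.100.9/a.bin 120000
"""

IOC_IPS = {"188.8.131.52"}  # indicator quoted in the report
# Office / RTF extensions that can carry macros or exploit payloads
OFFICE_EXT = re.compile(r"\.(docm?|xlsm?|pptm?|rtf)(\?|$)", re.IGNORECASE)
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_proxy_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, dst, method, url, size = m.groups()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host, "dst": dst,
                     "method": method, "url": url, "bytes": int(size)})
    return rows


def ioc_hits(rows, ioc_ips):
    """Plain IOC sweep: every host that talked to an indicator address."""
    return sorted({r["host"] for r in rows if r["dst"] in ioc_ips})


def find_macro_delivery(rows, ioc_ips, window_minutes=10):
    """Flag hosts that fetched an Office document and then, within the window,
    connected to an IOC address: the open-document, macro-downloads-payload
    sequence the report describes. window_minutes is an assumed tuning value."""
    findings = []
    by_host = {}
    for r in rows:
        by_host.setdefault(r["host"], []).append(r)
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, e in enumerate(events):
            if not OFFICE_EXT.search(e["url"]):
                continue
            for later in events[i + 1:]:
                gap = later["ts"] - e["ts"]
                if gap > timedelta(minutes=window_minutes):
                    break
                if later["dst"] in ioc_ips:
                    findings.append({"host": host, "document": e["url"],
                                     "payload_ip": later["dst"],
                                     "seconds_after_open": int(gap.total_seconds())})
    return findings


if __name__ == "__main__":
    rows = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("hosts contacting IOC:", ioc_hits(rows, IOC_IPS))
    for f in find_macro_delivery(rows, IOC_IPS):
        print("possible macro payload delivery:", f)
```

On the constructed sample only ws-admin01 matches both checks: it pulled a .doc attachment and contacted the indicator address 98 seconds later. The sequence check is the more useful of the two once the indicator IP changes, because it keys on behaviour rather than on a single address.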
Ultimately, the attackers were able to access two servers containing the wallet.dat file for Bitstamp’s hot wallet and the passphrase for that file.
The information contained in the report is said to be sourced from a third-party investigation conducted by digital forensics firm Stroz Friedberg, as well as from investigators working for the US Secret Service, the Federal Bureau of Investigation and UK-based cybercrime authorities.
As of the report’s drafting, the investigation into the hack was still ongoing but an arrest was expected in the near future. The report alludes to an effort by investigators to create “a ‘honey trap’ to lure [the attacker] into the UK in order to make an arrest.”
Bitstamp declined to comment on the authenticity of the report when reached. A representative for Stroz Friedberg was not immediately available for comment.
Extended phishing attempt
According to the report, the earliest phishing attempt took place on 4th November, when one of the attackers contacted Bitstamp chief technology officer Damian Merlak offering free tickets to a punk rock festival.
Chief operating officer Miha Grcar was contacted by Skype in mid-November by someone posing as a reporter. In that exchange, the individual cited past articles written by Grcar when he himself was a reporter covering news in Greece.
The report notes:
“On 26th November, as part of this exchange, ivan.foreignpolicy attempted to send a Word document of a recent article, ostensibly seeking comment from Mr Grcar. Mr Grcar declined to accept the document.”
Two days prior, Bitstamp support manager Anzej Simicak was also reached by way of Skype, and in that instance the attacker posed as someone seeking more information on RippleWise, a project for which Simicak acts as COO.
In early December, several more Bitstamp staff members were contacted, including Kodric, whose account was ultimately compromised. Employee Miha Hrast’s computer was then compromised after being messaged on Skype, though he did not have access privileges for the servers.
After Kodric’s computer was infiltrated, according to the report, additional malicious files were created between 17th and 22nd December. On 23rd December, Kodric’s account was used to log in to the server that held the wallet.dat file.
On 29th December, the attackers leveraged Kodric’s laptop to access the servers containing the wallet.dat file and the wallet passphrase.
“We suspect that the attacker copied the bitcoin wallet file and passphrase at this stage, due to the correlation between the size of these files and the size of the data transfer seen on the logs,” the report notes. “Although the actual content of the transfers cannot be confirmed from the logs available.”
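The inference the report draws here, that an outbound transfer whose byte count lines up with the size of the wallet file and passphrase is probably a copy of those files, is a standard forensic technique when flow or firewall logs record volume but not content. The script below is an added example, not code from the report or from any of the parties named in the article. It takes a constructed flow log and constructed file sizes (the real sizes are not given in the report), allows a tolerance for protocol overhead, and reports the combination of sensitive files that best explains each transfer; the overhead ratio, minimum size and all sample values are assumptions.

```python
"""Correlate outbound transfer volume with the sizes of sensitive files.

Added example, not from the CoinDesk article or the Bitstamp report.
File sizes, flow records and host names are constructed; only the
technique (match observed bytes against combined file sizes, with a
tolerance for transport overhead) comes from the report's reasoning.
"""
import re
from itertools import combinations

# Constructed sizes for the two files the report names. Real values unknown.
SENSITIVE_FILES = {
    "wallet.dat": 1_245_184,
    "wallet.passphrase": 64,
}

# Constructed flow records: time, source host, destination IP, bytes out.
SAMPLE_FLOW_LOG = """\
2014-12-29T02:14:07 wallet-srv01 192.0.2.77 1245310
2014-12-29T02:20:55 wallet-srv01 203.0.113.5 3072
2014-12-29T03:01:12 backup-srv02 198.51.100.30 52428800
2014-12-29T03:09:40 wallet-srv01 192.0.2.77 90
"""

FLOW = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_flows(text):
    """Parse the constructed flow format; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FLOW.match(line)
        if m:
            ts, src, dst, nbytes = m.groups()
            out.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return out


def candidate_sizes(files):
    """Yield every non-empty combination of the files of interest with its
    total size, so a single transfer carrying wallet.dat plus the passphrase
    is matched as well as each file on its own."""
    names = sorted(files)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            yield combo, sum(files[n] for n in combo)


def correlate_transfers(flows, files, overhead_ratio=0.02, overhead_min=512,
                        min_size=1024):
    """For each flow, find the file combination whose size best explains the
    observed bytes: observed must lie in [size, size + slack], where slack
    covers framing/transport overhead (assumed 2% or 512 bytes, whichever is
    larger). Combinations smaller than min_size are ignored because a tiny
    file such as a passphrase would match almost any flow on its own."""
    findings = []
    for f in flows:
        best = None
        for combo, size in candidate_sizes(files):
            if size < min_size:
                continue
            slack = max(overhead_min, int(size * overhead_ratio))
            if size <= f["bytes"] <= size + slack:
                excess = f["bytes"] - size
                if best is None or excess < best["excess_bytes"]:
                    best = {"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                            "bytes": f["bytes"], "matches": combo,
                            "excess_bytes": excess}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for hit in correlate_transfers(parse_flows(SAMPLE_FLOW_LOG), SENSITIVE_FILES):
        print("transfer consistent with sensitive files:", hit)
```

On the constructed data the 02:14 flow from wallet-srv01 is explained best by wallet.dat and the passphrase together (62 bytes of overhead), while the 50 MB backup flow and the 90-byte flow produce no finding. As the report itself cautions, a size match is circumstantial: it narrows the timeline and the destination to look at, but confirming what was copied needs content-level evidence such as full packet capture or host artefacts.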
Less than a week later, the report continues, the wallet was emptied, noting:
“On 4th January, the attacker drained the Bitstamp wallet, as evidenced on the blockchain. Although the maximum content of this wallet was 5,000 bitcoins at any one time, the attacker was able to steal over 18,000 bitcoins across the day as further deposits were made by customers.”
Bitstamp moved quickly to assess and mitigate the damage, according to the report, issuing a company-wide alert and establishing an incident response team. The company became aware of the theft on the evening of 4th January, and after auditing the servers discovered the 29th December entry and the data transfer.
Stroz Friedberg began its investigation on 8th January, operating out of the company’s Slovenian office.
The report notes:
“Shortly after discovery of the attack, Bitstamp made an expensive but necessary decision to rebuild our entire trading platform and ancillary systems from the ground up, rather than attempting to reboot our old system. We did this from a secure backup that was maintained (according to disaster recovery procedures) in a ‘clean room’ environment.”
The report added that Bitstamp “determined to deploy our distribution network using Amazon cloud infrastructure servers located in Europe” during that time.
Bitstamp lost 18,866 BTC from its hot wallet, worth approximately $5,263,614 at a time when the price of bitcoin averaged $279.
Yet the damage went beyond the bitcoins in the hot wallet, the report explained, noting:
“Bitstamp has lost customers, including major clients engaged in providing merchant services in bitcoin, and has suffered significant damage to its reputation, which we are unable to quantify exactly at this point, but which we believe exceeds $2 million.”
Additional costs include $250,000 paid to the Stroz Friedberg team, $250,000 paid to developers to rebuild the platform and $150,000 in consulting and advisory fees. The costs, including those paid to Stroz Friedberg, “are continuing to accrue”, according to the report.
In the wake of the attack, the exchange now utilizes multi-sig wallet access and has contracted Xapo to handle its cold wallet storage.
Despite the losses and the alleged reputational damage, the company framed the incident as a learning experience, concluding:
“This was a significant loss for Bitstamp, and it casts further doubt on the safety and integrity of the bitcoin ecosystem. However, it could have been much worse, and we are determined to use this as a learning tool, and as a basis for making improvements in our technology, security protocols, incident response planning and so forth.”
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a stringent set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.