UPDATE (17th September 15:25 BST): This piece has been updated with additional information, including the court documents filed by BitPay in federal court.
According to documents obtained by the Atlanta Business Chronicle, the bitcoin payment processor was defrauded in mid-December by an unknown individual posing as BTC Media CEO David Bailey, whose computer was infiltrated prior to the attack.
The attacker subsequently obtained email credentials for BitPay CFO Bryan Krohn, which were then used to prompt CEO Stephen Pair and executive chairman Tony Gallippi to authorize three payments totalling 5,000 BTC on 11th and 12th December, including one transaction from a wallet on the bitcoin exchange Bitstamp.
BitPay filed a claim for the losses days after the event with Massachusetts Bay Insurance Company, which later denied the claim in a letter dated 8th June. BitPay’s legal representation disputed the rejection, and the insurer went on to reaffirm its decision the following month.
After demanding that its claim be honored, BitPay filed suit in the US District Court for the Northern District of Georgia on 15th September. The company alleged breach of contract and is seeking damages and court fees in addition to its $950,000 claim.
The incident demonstrates the risk that companies handling digital currencies face from such attacks, as well as the cost of fraud that results when operational policies fail to prevent such intrusions.
Court documents from the trial, including the complaint and the letters exchanged between BitPay and Massachusetts Bay’s lawyers, outline how the assailant, pretending to be Bailey, initiated the attack by sending an email containing a link to a Google document.
Bailey’s computer had been compromised prior to this, though no details regarding this incident are mentioned.
The complaint states:
“The phony email sent by the person who hacked Mr Bailey’s computer, directed Mr Krohn to a website controlled by the hacker wherein Mr Krohn provided the credentials for his BitPay corporate email account. After capturing Mr Krohn’s BitPay credentials, the hacker used that information to hack into Mr Krohn’s BitPay email account to fraudulently cause a transfer of bitcoin.”
A timeline included in Massachusetts Bay’s initial denial letter goes into further detail.
“Immediately after clicking on the Google doc link, Mr Krohn enters his authenticating information as prompted in order to access the purported Google docs and receives an error message,” the letter states. “[Krohn] believes his private information was stolen at that time and that his response provided access to his email to the fraudster.”
A key detail included in the emails was now accessible to the fraudster: the fact that BitPay did not require SecondMarket to pay in advance for bitcoins it received from the company.
Using this information, the individual crafted an email chain showing a conversation between Krohn and SecondMarket vice president Preston Blankenship regarding a purchase of 1,000 BTC.
“The email requests that 1,000 bitcoins be transferred to SecondMarket at a specific wallet address provided. At 3:33 PM the bitcoins are sent from BitPay’s hot wallet,” Massachusetts Bay’s letter stated.
Less than an hour later, the individual controlling Krohn’s email requested an additional 1,000 BTC be sent to the same bitcoin address. This amount was then transferred from an account held on Bitstamp by Gallippi after Pair indicated by email that there were insufficient funds in BitPay’s “warm” wallet following the second request.
The next day, Krohn’s email was used to request that Pair send an additional 3,000 BTC to another address said to be controlled by SecondMarket.
Pair responded “to confirm that this request, which exceeded the usual 1000-2000 daily bitcoin amount between the companies, was valid”. The assailant responded by copying an email address purportedly from SecondMarket and confirming that the request was valid.
After processing the transaction, Pair confirmed the move by email and copied SecondMarket employee Gina Guarnaccia.
Guarnaccia wrote back “that she did not send the prior email noting the 3,000 bitcoins and address for them to be sent, and that SecondMarket did not purchase the bitcoins”.
Claims dispute emerges
Following an investigation, BitPay’s claim was rejected by the insurer. Massachusetts Bay argued in its rejection letter that BitPay incurred an indirect loss rather than a direct one, thereby excluding the incident from coverage.
The letter stated:
“The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into BitPay’s computer system fraudulently causing a transfer of money. Instead, the computer system of David Bailey, BitPay’s business partner, was compromised resulting in fictitious emails being received by BitPay.”
“The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured,” the letter added.
Further, the insurance company argued that because bitcoins exist in an electronic medium, any incident resulting in their loss wouldn’t be considered as taking place on BitPay’s “premises”.
“It is Hanover’s understanding that the bitcoins were held online, and transferred online, and are not on the physical premises of BitPay. It does not appear that the bitcoin transactions involved a transfer of property from inside the premises to outside the premises,” the insurer wrote. “As such, Hanover must respectfully decline to provide coverage for this loss under the Computer Fraud Insuring Agreement.”
A week later, Morris, Manning & Martin LLP, a law firm representing BitPay, responded by demanding that the insurer rescind its claim rejection and pay the requested $950,000.
BitPay disputed the assertion that its losses were indirect, positing that Massachusetts Bay was misinterpreting its own policy provision regarding computer fraud. The company further stated that, per its agreement with the insurer, its bitcoin holdings were subject to special consideration given the particulars of the digital currency.
“MBIC agreed to add bitcoin to the Policy definition of ‘money’ thereby insuring BitPay against loss of bitcoin. Unlike traditional money, bitcoin does not exist in physical form in any location or premises, and it cannot be transferred from or to any physical location,” attorney Jessica Pardi wrote in the letter.
“Accordingly, any agreement to insure bitcoin that purportedly requires bitcoin to be on BitPay’s premises is illusory, and MBIC’s interpretation is meritless and evidences bad faith,” she added.
In a response letter sent by law firm Leo & Weber, the insurer reaffirmed its refusal to honor the claim and disputed BitPay’s counterarguments about the losses being direct rather than indirect.
“We are unaware of any evidence to support that the perpetrator gained access to the BitPay computer system or device. The ultimate transfer of bitcoins did not result from the perpetrator’s access to the BitPay computer system or device,” the letter stated. “Ultimately, Mr Krohn’s superiors made the decision to send bitcoins in three separate transactions, prior to receiving payment, to whom they believed was SecondMarket.”
Days later, BitPay reiterated its demands and threatened to sue if it wasn’t paid. The insurer refused to accept the claim or pay the requested amount, according to the complaint.
BitPay and Massachusetts Bay did not immediately respond to requests for comment.
BitPay’s complaint, along with additional documents, can be found below:
Disclaimer: CoinDesk founder Shakil Khan is an investor in BitPay.