Six employees of Bitstamp were targeted in a weeks-long phishing attempt leading up to the theft of roughly $5m in bitcoin in January, according to an unconfirmed incident report said to be drafted internally by the bitcoin exchange.
The confidential document, posted to Reddit by a single-purpose account, offers an in-depth look into what is believed to be the inside story of the hack, which resulted in the loss of just under 19,000 BTC earlier this year. Since then, the company has offered scant details on what took place behind the scenes, citing confidentiality regarding the investigation into the lost funds.
The report’s findings are notable as they illustrate the risks facing bitcoin exchanges, including social engineering attacks in which personal information is used to trick victims into providing a means of access to sensitive materials.
In the case of Bitstamp, those behind the attack used Skype and email to communicate with employees and attempt to distribute files containing malware by appealing to their personal histories and interests. Bitstamp’s system became compromised after systems administrator Luka Kodric downloaded a file that he believed had been sent by a representative for an organization that was seeking his membership.
The report, attributed to Bitstamp general counsel George Frost, explained:
“On 11th December, as part of this offer, the attacker sent a number of attachments. One of these, UPE_application_form.doc, contained obfuscated malicious VBA script. When opened, this script ran automatically and pulled down a malicious file from IP address 220.127.116.11, thereby compromising the machine.”
Ultimately, the attackers were able to access two servers containing the wallet.dat file for Bitstamp’s hot wallet and the passphrase for that file.
The information contained in the report is said to be sourced from a third-party investigation conducted by digital forensics firm Stroz Friedberg, as well as from investigators working for the US Secret Service, the Federal Bureau of Investigation and UK-based cybercrime authorities.
As of the report’s drafting, the investigation into the hack was still ongoing but an arrest was expected in the near future. The report alludes to an effort by investigators to create "a ‘honey trap’ to lure [the attacker] into the UK in order to make an arrest."
Bitstamp declined to comment on the authenticity of the report when reached. A representative for Stroz Friedberg was not immediately available for comment.
Extended phishing attempt
According to the report, the earliest phishing attempt took place on 4th November, when one of the attackers contacted Bitstamp chief technology officer Damian Merlak offering free tickets to a punk rock festival.
Chief operating officer Miha Grcar was contacted by Skype in mid-Novemer by someone posing as a reporter. In that exchange, the individual cited past articles written by Grcar when he himself was a reporter covering news in Greece.
The report notes:
“On 26th November, as part of this from within an offline file (such as a Word document). exchange, ivan.foreignpolicy attempted to send a word document of a recent article, ostensibly seeking comment from Mr Grcar. Mr Grcar declined to accept the document.”
Two days prior, Bitstamp support manager Anzej Simicak was also reached by way of Skype, and in that instance the attacker posed as someone seeking more information on RippleWise, a project for which Simicak acts as COO.
In early December, several more Bitstamp staff members were contacted, including Kodric, whose account was ultimately compromised. Employee Miha Hrast’s computer was then compromised after being messaged on Skype, though he did not have access privileges for the servers.
After Kodric’s computer was infiltrated, according to the report, additional malicious files were created between 17th and 22nd December. On 23rd December, Kodric’s account was used to log in to the server that held the wallet.dat file.
On 29th December, the attackers leveraged Kodric’s computer to access the servers containing the wallet.dat file and the wallet passphrase.
“We suspect that the attacker copied the bitcoin wallet file and passphrase at this stage, due to the correlation between the size of these files and the size of the data transfer seen on the logs,” the report notes. “Although the actual content of the transfers cannot be confirmed from the logs available.”
Less than a week later, the report continues, the wallet was emptied, noting:
“On 4th January, the attacker drained the Bitstamp wallet, as evidenced on the blockchain. Although the maximum content of this wallet was 5,000 bitcoins at any one time, the attacker was able to steal over 18,000 bitcoins throughout the day as further deposits were made by customers.”
Bitstamp moved quickly to assess and mitigate the damage, according to report, issuing a company-wide alert and establishing an incident response team. The company became aware of the theft on the evening of 4th January, and after auditing the servers discovered the 29th December entry and the data transfer.
Stroz Friedberg began its investigation on 8th January, operating out of the company’s Slovenian office.
The report notes:
“Shortly after discovery of the attack, Bitstamp made an expensive but necessary decision to rebuild our entire trading platform and ancillary systems from the ground up, rather than trying to reboot our old system. We did this from a secure backup that was maintained (according to disaster recovery procedures) in a 'clean room' environment.”
The report added that Bitstamp “decided to deploy our distribution network using Amazon cloud infrastructure servers located in Europe” during that time.
Bitstamp lost 18,866 BTC from its hot wallet, worth approximately $5,263,614 at a time when the price of bitcoin averaged $279.
Yet the damage went beyond the bitcoins in the hot wallet, the report explained, noting:
“Bitstamp has lost customers, including major clients engaged in providing merchant services in bitcoin, and has suffered significant damage to its reputation, which we are unable to quantify exactly at this point, but which we believe exceeds $2 million.”
Additional costs include $250,000 paid to the Stroz Friedberg team, $250,000 paid to developers to rebuild the platform and $150,000 in consulting and advisory fees. The costs, including those paid to Stroz Friedberg, "are continuing to accrue", according to the report.
In the wake of the attack, the exchange now utilizes multi-sig wallet access and has contracted Xapo to handle its cold wallet storage.
Despite the losses and the alleged reputational damage, the company framed the incident as a learning experience, concluding:
“This was a significant loss for Bitstamp, and it cast further doubt on the safety and integrity of the bitcoin ecosystem. However, it could have been much worse, and we are determined to use this as a learning tool, and as a basis for making improvements in our technology, security protocols, incident response planning and so forth.”
Confidential papers image via Shutterstock