BitStamp Hack Result of Phishing Attack, Says Leaked Internal Report
In January, the hot wallet of the popular European exchange BitStamp was hacked and over 5,000 BTC, about $5 million, was stolen. The story quickly made the media rounds, tainting the exchange’s, and Bitcoin’s, start to the new year.
Unsurprisingly, BitStamp’s reputation was damaged, but the exchange’s ability to move fast – integrating multi-signature into its hot wallet and moving to entirely new hardware – helped get the service back online quickly. A new unconfirmed report, leaked by an anonymous person, has shed new light on what the hack was and what has happened since.
Posted on the file-sharing website Scribd, the document, titled “Bitstamp Incident Report” and dated February 20, 2015, reveals the details of what actually happened. The author of the report is BitStamp general counsel George Frost, and it is the result of an investigation by various policing agencies, including the FBI and Secret Service, as well as the private investigation firm Stroz Friedberg.
The report, which has since been removed, spills the beans about how the hacker was able to get into BitStamp’s hot wallet. Initial attempts by the hacker actually started in late 2014, months before the final event, when the thief sent various phishing Skype messages to BitStamp employees. Each was highly personalized, indicating that the hacker had done plenty of due diligence.
The exchange’s CTO Damian Merlak was the first victim of the thief’s attack, which involved sending a message that would encourage the recipient to open a Word file that had malicious VBA code within it. Many other BitStamp employees were targeted, but it wasn’t until the company’s Systems Administrator was targeted, this time through email, that there was serious trouble for the exchange.
Despite several BitStamp employees opening the Word doc, and unknowingly executing the malicious code, it wasn’t until one of the two people with access to the company’s hot wallet, sysadmin Luka Kodric, was affected by the attack that funds were lost. “On 29 December 2014, SSH logs show that Mr. Kodric’s account logged in to LNXSRBTC and the DORNATA server at the data centre,” read the report.
“On this occasion, Mr. Kodric was certain that these logins were not made by him, and must therefore have been the attacker. Analysis indicates that the attacker accessed LNXSRVBTC, where the wallet.dat file was held, and the DORNATA server, where the passphrase for the bitcoin wallet was stored, before data was transferred out to both servers to IP 1**.**.***.**8, which is part of a range owned by a German hosting provider. We suspect that the attacker copied the Bitcoin wallet file and passphrase at this stage […] Together the wallet and passphrase would have enabled the attacker to steal bitcoins from the Bitcoin wallet.”
– Bitstamp Incident Report
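The investigators’ key finding came from SSH logs: successful logins under a wallet administrator’s account that he did not make, to the host holding wallet.dat and the host holding its passphrase. The check below is an added example, not code from the report or from Bitstamp: it scans constructed sshd log lines for successful logins to the two wallet hosts named in the report from outside an assumed trusted management network. The hostnames come from the report; the account names, IP addresses, timestamps and trusted range are assumptions made up for the example.

```python
import re
import ipaddress

# Constructed syslog-style sshd lines (not real Bitstamp logs). LNXSRVBTC and
# DORNATA are the servers named in the report; everything else is made up.
SAMPLE_LOG = """\
Dec 29 02:14:07 LNXSRVBTC sshd[2211]: Accepted publickey for luka from 10.20.0.15 port 50122 ssh2
Dec 29 03:41:52 LNXSRVBTC sshd[2290]: Accepted publickey for luka from 198.51.100.77 port 41820 ssh2
Dec 29 03:44:10 DORNATA sshd[1174]: Accepted password for luka from 198.51.100.77 port 41833 ssh2
Dec 29 03:50:33 DORNATA sshd[1190]: Failed password for root from 198.51.100.77 port 41901 ssh2
Dec 29 09:02:45 LNXSRVBTC sshd[2410]: Accepted publickey for ops from 10.20.0.40 port 50310 ssh2
"""

# Assumed policy: only these hosts hold wallet material, only these accounts
# may log in to them, and only from the internal management network.
SENSITIVE_HOSTS = {"LNXSRVBTC", "DORNATA"}
WALLET_ACCOUNTS = {"luka", "ops"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Matches only successful logins; "Failed ..." lines are ignored on purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_accepted_logins(log_text):
    """Return one dict (ts, host, method, user, ip) per successful login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_logins(log_text):
    """Return (host, user, ip) for logins to wallet hosts that break policy."""
    alerts = []
    for ev in parse_accepted_logins(log_text):
        if ev["host"] not in SENSITIVE_HOSTS:
            continue
        if ev["user"] not in WALLET_ACCOUNTS or not is_trusted(ev["ip"]):
            alerts.append((ev["host"], ev["user"], ev["ip"]))
    return alerts

if __name__ == "__main__":
    for host, user, ip in find_suspicious_logins(SAMPLE_LOG):
        print(f"ALERT: {user}@{host} login from untrusted source {ip}")
```

The same external source reaching both the wallet-file host and the passphrase host within minutes is the pattern worth alerting on, since together the two files are enough to spend from a single-key wallet.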
A suspect in the hack was identified, according to the report, but he appeared to be in a jurisdiction that put him out of reach. Law enforcement was apparently waiting for a chance to arrest him in a country where it has authority. It is unclear whether anyone has been arrested in connection with the crime since the report was written.
The report also notes that BitStamp was one of the first exchanges to implement multi-signature technology for cold wallet storage. Because of that, unlike in previous hacks of bitcoin exchanges, BitStamp only lost the bitcoins in its hot wallet, a small portion of the company’s total holdings. The exchange’s cold wallet was safe and sound during the attack.
Frost noted that the exchange has made, and will continue to make, improvements to its security. Partnering with BitGo, the exchange has already brought multi-sig technology to its hot wallet, preventing such a hack from happening again. Not previously revealed publicly, BitStamp has also enlisted the bitcoin payments and secure storage startup Xapo to secure the firm’s cold wallet.
Any sensitive info not previously publicly available that could obstruct the current ongoing investigation has been censored.