Documents leaked online show that Bitstamp, one of the larger online bitcoin exchanges, lost a whopping $5 million worth of bitcoin several months ago. The case isn’t new, obviously, and this isn’t the first time it’s come into the public limelight, as the company had announced the hack this past January at the CES trade show. A recently leaked report, however, lifts the curtain on one of the largest bitcoin hacks in recent memory and lays out the minute details behind the case.
The hackers were able to crack Bitstamp’s outer defenses by using a combination of social engineering and phishing to get Bitstamp employees to divulge the sensitive information needed to break into the system. The hackers spent weeks contacting Bitstamp employees through a variety of elaborate phishing schemes, but most of the employees they initially targeted didn’t have the access the hackers needed.
The earliest known phishing attack, according to the report, occurred on November 4th, when a hacker contacted chief technology officer Damian Merlak, offering free tickets to a punk rock concert. A few weeks later the hackers contacted Miha Grcar, posing as reporters and trying to get Merlak to open a document supposedly containing an article for him to comment on. Merlak declined.
The hackers’ lucky break came when Luka Kodrič, Bitstamp’s system administrator, fell for their phishing methods. Kodrič’s computers, including his own personal computer, had access to the hot wallets on the company’s servers. Kodrič turned out to be the perfect target for a phishing scheme, which the hackers successfully carried out by promising him a membership in a “special fraternity.”
Around mid-December the hackers sent Kodrič a variety of attachments with further information on joining the supposed fraternity. A malicious VBA macro had been embedded in one of the documents; when the document was opened, the macro instructed the computer to download a malicious file from the web. Once the hackers gained access to Kodrič’s computer, they were able to reach Bitstamp’s networks without any need for further credentials.
On January 4th over 18,000 bitcoins were stolen from Bitstamp throughout the day.
Stunningly, Kodrič actually received notifications that someone was logging into his computer while he was away on business. The activity should have looked odd, especially to a tech professional working in bitcoin, but Kodrič didn’t follow up on it, contact his company, or investigate the activity himself. Bitcoin scams are far from unheard of, and major companies are frequently targeted, so Kodrič’s lack of action is a bit puzzling.
Mind you, the hackers themselves were certainly persistent, intelligent, and patient, but Bitstamp’s employees weren’t exactly elderly ladies living on their pensions; they were leading tech professionals. Regardless, these pros allowed themselves to be caught up in phishing scams and subjected to social engineering.
It’s terrible to see $5 million worth of bitcoin fall into the wrong hands, but Bitstamp was able to survive the attack and has promised to redo its entire platform. For now, the company’s mishap can serve as a reminder to other bitcoin companies and to individuals trading bitcoin to take security seriously.
The original document was posted on Reddit, but has since been taken down. With luck, mirrors will be made available soon for people looking to dig into the details. The veracity of the report has not yet been confirmed.