BREAKING: Atlanta based Bitcoin giant BitPay hacked for nearly $2,000,000!

[Gleb Gamow]

Gleb is a psychopatic guy/troll (sry but you know it is true). i cant believe that anybody here believes this shit   - hopefully it is meant to be sarcastic but new members could believe that this shit is true. be careful!

Maybe you can clear things for us. What shouldn't we believe? That "Matthew Neal Wright is laughin' his ass off"? Because everything else are just true facts, not assumptions. He only shared some facts.

Even though the $1/yr salary for Vanessa is most likely not true, in context it was designed to make you guys think.

My intend was not to present Bryan and his wife as the culprits, for that would be too far-fetched, albeit not outside the realm of possibility. I merely presented facts in my own psychopathic way, facts, BTW, that had yet to be presented prior to my posts.

I'm pretty sure that FBI agents didn't think I was a psychopath when we spoke in-length on occasions about BFL's 1QAHVyRzkmD4j1pU5W89htZ3c6D6E7iWDs bitcoin wallet address, among other niceties, and how said wallet was once claimed to belong to HashTrade via an official press release penned by BitPay containing quotes from HashTrade and Jeff Ownby of BFL.

Sure is funny how the FTC found 1QAHVyRzkmD4j1pU5W89htZ3c6D6E7iWDs being used by BFL to store online sales of its hardware via BitPay and burn-in mining revenue, not to mention bitcoins moved there form BLF's Eclipse MC, formally owned by Josh Zerlan. Prior to the FTC came a callin' - just two days earlier - BFL used BitPay as an exchange via 1QAHV, oppose to ONLY as a third-party payment provider, to liquidate over ten million dollars worth of bitcoins to fiat, an act that would be impossible for you or I, although conversations of performing such took place during Bitcoin conferences which I was privy to, discussing how it could easily be achieved, all prior to the 1QAHV revelation.

Yep, I may be nut, but at least I'm not a whatnut (Joshua Zipkin-speak). 

[mistercoin]

can't blame the insurer for not wanting to cover for such incompetence (and can't say i've sided with an insurer before).

I am inclined to agree. When these many BTC are at stake, Signing the messages/emails should be mandatory at the very least...

[MF Doom]

can't blame the insurer for not wanting to cover for such incompetence (and can't say i've sided with an insurer before).

I am inclined to agree. When these many BTC are at stake, Signing the messages/emails should be mandatory at the very least...

yeah, it makes you wonder if any insurance claim against a btc loss will or has ever been claimed.  Seems to me like it'd be very tough to prove you deserve to win a claim like this.  BUT, I have no doubt that insurers will continue to offer btc policies and take peoples money, without any intent to pay out.

[ATL_US]

Gleb... You really don't rest do you...

[Gleb Gamow]

Gleb... You really don't rest do you...

Dude, I was takin' a nap when the Newbie alert siren went off. 

[bitpop]

Now the cover ups begin! The krohns were simply puppets. They met the hacker at a conference. The scapegoats will either go down or disappear soon.

[ournem]

A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount. 

[Gleb Gamow]

A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount.  

In fact, this is an excellent case for multi-factor authentication and multi-signature, combined, to be implemented.

Example below as to how such could've been used to thwart the successful ~$1.8M phishing attempts if were in place:

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the above transaction, please wait at least one hour before playing again.

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the last two transactions, please wait an additional at-least twelve hours before playing again.

<After a good night's sleep, first thing Friday morning on December 12, 2014...>

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 3,000 BTC transfer: Tony
Sign if you approve this 3,000 BTC transfer: Stephen
Sign if you approve this 3,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to having the combined MFA and MS in place, a phishing attempt was almost halted in its tracks. Thanks for playing. Enjoy the rest of your Break-away Friday.

[BitcoinChica]

You have to wonder why did BitPay not insist on a PGP signed email from the client when requesting so many bitcoins?

We're still tryin' to get our heads wrapped around why Bryan Krohn wasn't using his official bryan@bitpay.com email address. Curious as to if tony@bitpay.com and stephen@bitpay.com email addresses were used during the outer-inter-office exchanges. Surely, all three weren't using gMail, were they?

Maybe BitPay uses Gmail white label servers which they offer.

[knowhow]

Makes no sense a ceo send any ammount of money without to contact the boss,i mean why would i send money from a company without know or have direct orders.... nowadays we must read twice or more times the same thing to avoid these things to happen and well 2fa is on strenght tool to avoid get hacked and loose bitcoins.

[smoothie]

A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount.  

In fact, this is an excellent case for multi-factor authentication and multi-signature, combined, to be implemented.

Example below as to how such could've been used to thwart the successful ~$1.8M phishing attempts if were in place:

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the above transaction, please wait at least one hour before playing again.

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the last two transactions, please wait an additional at-least twelve hours before playing again.

<After a good night's sleep, first thing Friday morning on December 12, 2014...>

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 3,000 BTC transfer: Tony
Sign if you approve this 3,000 BTC transfer: Stephen
Sign if you approve this 3,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to having the combined MFA and MS in place, a phishing attempt was almost halted in its tracks. Thanks for playing. Enjoy the rest of your Break-away Friday.

I like it phin. Perfect way to avoid a hack. Other variations exist but this is pretty comprehensive other than an actual token key each person could have to sign/verify they are who they are in the confirmation process.

[Gleb Gamow]

A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount.  

In fact, this is an excellent case for multi-factor authentication and multi-signature, combined, to be implemented.

Example below as to how such could've been used to thwart the successful ~$1.8M phishing attempts if were in place:

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the above transaction, please wait at least one hour before playing again.

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the last two transactions, please wait an additional at-least twelve hours before playing again.

<After a good night's sleep, first thing Friday morning on December 12, 2014...>

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 3,000 BTC transfer: Tony
Sign if you approve this 3,000 BTC transfer: Stephen
Sign if you approve this 3,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to having the combined MFA and MS in place, a phishing attempt was almost halted in its tracks. Thanks for playing. Enjoy the rest of your Break-away Friday.

I like it phin. Perfect way to avoid a hack. Other variations exist but this is pretty comprehensive other than an actual token key each person could have to sign/verify they are who they are in the confirmation process.

My outline works when you include the secret handshake and wiggle your ears.

In case anybody missed it, a two- or multi-factor authentication and multi-signature wouldn't of worked to thwart the phishing attempt, especially the latter since all parties (not Alice and Bob) were already in agreement when sending the moneys.

Here's a question: Which one of the three (Tony, Stephen, or Bryan) wouldn't pick up the phone to make a call to verify after a loved one who just supposedly emailed them requested a mere $1,000 USD? I'll make it simple for you: All three would make the call. But, we're lead to believe that not a one of them had the same exact foresight to pick up a phone upon an ~$1.8M USD payment request spread out over two days in three payments.

Here's another question: How did SecondMarket know for sure that the request from BitPay was genuine? Either SecondMarket didn't have any defense mechanisms in place, or the person making the call from BitPay had to jump through hoops to get the requested moneys, but not once thought about using the same, or a similar procedure to verify what's requested of them, of which was of a higher BTC/$ amount.

If you've been boiling water for years sans a lid, but for the first time notice some dude using a lid whereupon his water boils faster, as a college grad you'll be inclined to start using a lid yourself from that moment forward oppose to ignoring what you just witnessed the competition doing.

One final question: Since a crime was committed, was a police report filed or just an insurance claim?

[zero01]

WoW  that hacker was very great and courageous
the money he stole so much, surely the government will pursue the hackers

[DavidBAL]

A good case for 2-factor authorization on your email as well as your bitcoin accounts, as well as a text/email alert system for activity on your account.  I'm a little surprised the heads of the company didn't have text messages being sent to them for any transfers over a certain amount.  

In fact, this is an excellent case for multi-factor authentication and multi-signature, combined, to be implemented.

Example below as to how such could've been used to thwart the successful ~$1.8M phishing attempts if were in place:

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the above transaction, please wait at least one hour before playing again.

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 1,000 BTC transfer: Tony
Sign if you approve this 1,000 BTC transfer: Stephen
Sign if you approve this 1,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to the size of the last two transactions, please wait an additional at-least twelve hours before playing again.

<After a good night's sleep, first thing Friday morning on December 12, 2014...>

MFA:

Password: liver1212
Cat's name: TabbY
School mascot: Tiger
Mother's maiden name: Smith
Dog's name: Spot
Last four digits of your SSN: 1234

MS:

Sign if you approve this 3,000 BTC transfer: Tony
Sign if you approve this 3,000 BTC transfer: Stephen
Sign if you approve this 3,000 BTC transfer: Bryan
Sign if you approve this 1,000 BTC transfer: Alice (in laundry)
Sign if you approve this 1,000 BTC transfer: Bob (the janitor)

Due to having the combined MFA and MS in place, a phishing attempt was almost halted in its tracks. Thanks for playing. Enjoy the rest of your Break-away Friday.

I like it phin. Perfect way to avoid a hack. Other variations exist but this is pretty comprehensive other than an actual token key each person could have to sign/verify they are who they are in the confirmation process.

My outline works when you include the secret handshake and wiggle your ears.

In case anybody missed it, a two- or multi-factor authentication and multi-signature wouldn't of worked to thwart the phishing attempt, especially the latter since all parties (not Alice and Bob) were already in agreement when sending the moneys.

Here's a question: Which one of the three (Tony, Stephen, or Bryan) wouldn't pick up the phone to make a call to verify after a loved one who just supposedly emailed them requested a mere $1,000 USD? I'll make it simple for you: All three would make the call. But, we're lead to believe that not a one of them had the same exact foresight to pick up a phone upon an ~$1.8M USD payment request spread out over two days in three payments.

Here's another question: How did SecondMarket know for sure that the request from BitPay was genuine? Either SecondMarket didn't have any defense mechanisms in place, or the person making the call from BitPay had to jump through hoops to get the requested moneys, but not once thought about using the same, or a similar procedure to verify what's requested of them, of which was of a higher BTC/$ amount.

If you've been boiling water for years sans a lid, but for the first time notice some dude using a lid whereupon his water boils faster, as a college grad you'll be inclined to start using a lid yourself from that moment forward oppose to ignoring what you just witnessed the competition doing.

One final question: Since a crime was committed, was a police report filed or just an insurance claim?

Police report- it's an active investigation involving multiple law enforcement agencies. I could answer most of these questions but at this point it is unwise considering the ongoing lawsuit. Look forward to sharing more later when the dust settles... as much as I enjoy the entertainment in this thread there is zero basis for any of it. This incident should be taken as a wake up call to all bitcoin startups that highly skilled groups of hackers are actively stalking you, and will go to extreme lengths, working for months around the clock, to exploit your systems. And to be clear, 2-factor is not good enough.

[1aguar]

So, the lesson is to use PGP?

[bitpop]

So, the lesson is to use PGP?

No the insiders will simply leak the key and with pgp, you'd trust much bigger requests

[Gleb Gamow]

BitPay Bug Bounty Program

Mina Hanczyc

May 04, 2015 07:32

BitPay values its close relationship with the security research community. To show its appreciation for external contributions, BitPay maintains a Bug Bounty Program designed to reward responsible disclosure of qualifying security vulnerabilities.

Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure

[knowhow]

Well i still dont believe that some hacked has entered into some email and asked the ceo to make the transfers... should have more then one thing to do to make such transaction i mean phone,email 1by one talk .

[1aguar]

So, the lesson is to use PGP?

No the insiders will simply leak the key and with pgp, you'd trust much bigger requests

But if an employee deliberately leaks the key, then that is covered by the insurance under "employee theft".