BREAKING: Atlanta based Bitcoin giant BitPay hacked for nearly $2,000,000!

[mallard]

there is no way of knowing that they are robbing the customers

This was their money, not the money of their clients.

[coinpr0n]

there is no way of knowing that they are robbing the customers

This was their money, not the money of their clients.

Debatable...

The fraudster then sent emails to Bitpay CEO Stephen Pair purporting to be from Krohn, asking Pair to transfer 1,000 bitcoins to a Bitpay customer's "wallet," which he did.

Sounds like it was a customer's funds. They probably just covered the losses.

[Gleb Gamow]

there is no way of knowing that they are robbing the customers

This was their money, not the money of their clients.

$1.8M of their personal moneys on account or of moneys stemming from VCs? BTW, not bad for the sale of Bitcoin Magazine founded by Matthew Neal Wright, et al.

[Mickeyb]

Man what a freaking story. I mean what a hell and how long will this be happening. I agree with all of the comments above that Bitcoin cannot advance in adoption until we don't stop seeing horror stories like this in the newspaper.

I mean what are new people that don't understand Bitcoin get from this then, invest in Bitcoin and simply lose all of it by a simple email hack. For God's sake!!

[Sourgummies]

Its really amazing how quick some of these companies rise up to become a serious business only to later show they have little protection from any one that thinks of sniffing around them. Would be nice if there was almost a community that would take a look at some of these new businesses to help them out and show them leaks in any of their ways of business. Would be good for every one but then again the trusted people in charge of that service would also need to be looked at,so goes the never ending loop of protection.
The more you bring in the more you open up to being scammed,the less you bring in the bigger chance you get scammed by a hacker.

Can you win these days?

[Gleb Gamow]

Just took a break from doing what I was doing and it took me near two minutes to find the first two 1,000 BTC transactions (finding the 3,000 BTC shouldn't take me longer than that once I finish up with this post). It'll take me longer to post my findings than what it took to find the txs. HAHAHA

http://media.bizj.us/view/img/7016312/bitpay-2.pdf




https://www.walletexplorer.com/txid/587e9733b91d7a54c89517c8ab2b354a7105413f7db4d5a9ab57b19084e4243d



Shown below is the first 1,000 BTC stemming from BitPay: https://www.walletexplorer.com/txid/8524141d9bca1da61e9dfb3966b86def848d299b65878c4cd915627598747f5c



Below is the second 1,000 BTC stemming from Bitstamp, as outlined in the email exchange from the insurance company depicted in the image above: https://www.walletexplorer.com/txid/d400d5054e97363585f7026634544c405cecf38ec9c3d8c81a6fabbf56381b67

Q.E.D.

[RodeoX]

Man, I feel bad for Tony. He's a good guy and a good businessman. 

[Gleb Gamow]

Yep, just under two minutes after getting a fresh cup of coffee: https://blockchain.info/address/1GGrzbDaYUKF5bDLG9dprG44RtzP7Hv3vi

The two addresses (far left, below) providing the 3,000 BTC are BitPay's cold wallet addreses: https://www.walletexplorer.com/txid/30a32a2cdf4bcec3664d2c4d302c0a41709f60ae920c14c0dc16c6af434a4a5a



Just like the previous 2K, this 3K BTC tx was broken up into 600 BTC (400 BTC lots for the former) on the exact same date.

BTW, that 3,000 BTC stems from the last of several 5,000 BTC txs doled out depicted here: https://www.walletexplorer.com/wallet/00ed29a2496f353a

[Gleb Gamow]

The following depicts one example of two of the three transactions merging with one another: https://www.walletexplorer.com/wallet/1fef7eb8259a33ad



Notice the date, January 5, 2015. Guess what happened the day before. Give up? This: http://www.coindesk.com/unconfirmed-report-5-million-bitstamp-bitcoin-exchange/

In the case of Bitstamp, those behind the attack used Skype and email to communicate with employees and attempt to distribute files containing malware by appealing to their personal histories and interests. Bitstamp’s system became compromised after systems administrator Luka Kodric downloaded a file that he believed had been sent by a representative for an organization that was seeking his membership.

"I see patterns!"

[Gleb Gamow]

Unless BTC-e.com doesn't keep records, they should be able to shed tremendous light on who's behind the hack(?): https://www.walletexplorer.com/wallet/0786ae596ac30cb6

[hikedoon]

I've read this story 3 times today and the amount keeps getting bigger,ffs.
  Correct me if i'm wrong but i read that 5000 BTC were stolen.
 That doesn't equal $2 million at present prices.

[Gleb Gamow]

I've read this story 3 times today and the amount keeps getting bigger,ffs.
  Correct me if i'm wrong but i read that 5000 BTC were stolen.
 That doesn't equal $2 million at present prices.

http://www.investing.com/currencies/btc-usd-historical-data

Dec 12, 2014   346.00   341.49   349.65   340.05   1.32%
Dec 11, 2014   341.49   340.00   356.99   332.51   0.44%

5,000 BTC X $356.99 = $1,784,950 (close enough to $1.8M)

Looks like I'm the first to mention the 1CgVfhL676UMhFuc8jmV3RHAhpi9tyYgwL and 14TSsT8Pf3hQvEFNmZXy7Nn8gXsQL3P5kv bitcoin wallet addresses initially used for the hack(?).

[adamstgBit]

the insurer refused to pay out, saying:

The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of money to an outside person or place.

[edric]

The insurer is arguing the clause...

"The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of money to an outside person or place."

They are saying that the CFO's computer is a third party and not insured under the agreement.  They say...

"Computer fraud equates to the use of a computer to "fraudulently cause a transfer" and is not the use of a computer somewhere in a transaction that involves fraud, false pretenses or misrepresentations."

Yes, the security was not very good at BitPay and the guy should have known better, but at the same time, the insurance company seems to be making a really flimsy argument.  It's like Bill Clinton and the meaning of "is."

https://www.youtube.com/watch?v=j4XT-l-_3y0

[Gleb Gamow]

You do realize that Tony, Stephen and Bryan, all three, communicated via email during the ordeal, never face-to-face, thus at least two, perhaps all three, weren't at BitPay's office there in Atlanta on 12-11/12-12, 2014.

[The Sceptical Chymist]

In theory This could also happen to a bank after such a social engineering attack. This has nothing to do with usong bitcoin, except for the anonimity regarding the coins. (bank accounts are easier to trace).

Agree with everybody that sendimg 1000 btc without double checking in anyway is a massive failure and a complete lack of common sense.

I hate that phrase "social engineering".  I much prefer "tard hack".

[Kprawn]

Something smells fishy... I know some people are saying the CEO and founder of this company will never do this to his own company, but I have to disagree.

It was just too easy for these guys to "hack" $ 2 000 000  .... I cannot imagine that there are no checks and balances in place to confirm/verify transfers like this.

I will not trust BitPay if this is the way they handle money transfers. The first email should already have raised some red flags.   

[MicroGuy]

Something smells fishy... I know some people are saying the CEO and founder of this company will never do this to his own company, but I have to disagree.

It was just too easy for these guys to "hack" $ 2 000 000   .... I cannot imagine that there are no checks and balances in place to confirm/verify transfers like this.

I will not trust BitPay if this is the way they handle money transfers. The first email should already have raised some red flags.  

I might have missed something but it does seems that if Bitpay was sending millions in BTC, they would have only done so to a "known bitcoin address" already existing on file for customer transfers. It's hard to imagine any competent/sane individual sending that volume to a fresh unknown address(es) based on an email request alone.

[mallard]

Something smells fishy... I know some people are saying the CEO and founder of this company will never do this to his own company, but I have to disagree.

It was just too easy for these guys to "hack" $ 2 000 000   .... I cannot imagine that there are no checks and balances in place to confirm/verify transfers like this.

I will not trust BitPay if this is the way they handle money transfers. The first email should already have raised some red flags.  

I might have missed something but it does seems that if Bitpay was sending millions in BTC, they would have only done so to a "known bitcoin address" already existing on file for customer transfers. It's hard to imagine any competent/sane individual sending that volume to a fresh unknown address(es) based on an email request alone.

I thought that you were supposed to make a new address for each transaction

https://en.bitcoin.it/wiki/Address_reuse

[MicroGuy]

Something smells fishy... I know some people are saying the CEO and founder of this company will never do this to his own company, but I have to disagree.

It was just too easy for these guys to "hack" $ 2 000 000   .... I cannot imagine that there are no checks and balances in place to confirm/verify transfers like this.

I will not trust BitPay if this is the way they handle money transfers. The first email should already have raised some red flags.  

I might have missed something but it does seems that if Bitpay was sending millions in BTC, they would have only done so to a "known bitcoin address" already existing on file for customer transfers. It's hard to imagine any competent/sane individual sending that volume to a fresh unknown address(es) based on an email request alone.

I thought that you were supposed to make a new address for each transaction

https://en.bitcoin.it/wiki/Address_reuse

Good point!



One day I would like to meet the person that wrote that wiki page. lol