Date: 2015-09-17

Assets stolen: 1.8M USD

Bitpay, a popular Bitcoin payment gateway, lost 1.8M USD in a phishing attack.

Bitpay’s Chief Financial Officer, Bryan Krohn, received an email from a business partner’s email address containing a link to a phishing site. Krohn proceeded to enter his email account credentials on the site. The attacker logged into Krohn’s email and gained intel from the past conversations in the inbox.

Then the attacker sent emails to CEO Stephen Pair and executive chairman Tony Gallippi asking them to authorize payments to “a customer wallet”. There were four different payments, total of 5,000 BTC, 5,000 BTC, 3,000 BTC and 1,000 BTC. For the last payment, CEO Pair asked Krohn via email to confirm that the request was genuine. The attacker, still in control of Krohn’s email account, replied.

The C-level executives of Bitpay became aware of the attack when one of the real customers was CC’d in the email conversation. This customer contacted Bitpay to say that they had not asked for the payment.

Bitpay tried to get its insurer to cover $950,000 of the loss, but in June 2015 the insurer declined to pay. Bitpay is now suing the insurer.

Related evaluation points: