It began with an email that was sent to BitPay’s Chief Financial Officer (CFO) Bryan Krohn. Court documents give the identity of the email’s sender as David Bailey. David Bailey purported to be from yBitcoin, a digital currency publication, and he sought for Mr Krohn’s comment on a bitcoin industry document.
Apparently, David Bailey’s computer had also been hacked, and the email sent to Mr. Krohn directed him to a website that hacker controlled. The hacker’s website asked Mr. Krohn to provide his login credentials for his corporate email account. Using those credentials, the hacker was then able to transfer unauthorized transactions using Mr. Krohn’s corporate email account. This happened on December 11th / 12th 2014.
The hacker first took time to learn how BitPay transacted business. He then sent emails to BitPay CEO Stephen Pair using Mr Krohn’s email account. The emails required Mr. Pair to transfer 1,000 bitcoins to a customer’s wallet, which he did. Next, Mr. Pair received a second email asking him to send another 1,000 bitcoins to the same customer which he also did.
The following day, the hacker grew bolder. In his email asked the BitPay CEO to send an additional 3,000 bitcoins. This time, Mr. Pair sent an email to Mr. Krohn asking for confirmation not knowing that Mr. Krohn’s email had been compromised. It was discovered because Mr. Pair copied the customer about the transfer of the 3,000 bitcoins. The customer replied saying that they had not purchased any bitcoins.
BitPay next tried to get its insurer to cover the loss to the amount of US$ 950,000. However Massachusetts Bay Insurance Company declined to pay, leading BitPay to take the matter to court. This happened in June 2015. In documents submitted to the court the insurer said,
the Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. “Direct” means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay’s business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
The matter is yet to be determined.
Featured image from Shutterstock.