In a new document leaked from Bitstamp, one of the more popular Bitcoin exchanges in the world, the company details how a phishing attack several months ago bereft the company of roughly $5 million at then-current prices (which are not radically different from current prices).…
Beginning around page nine of the leaked report, which is clearly marked confidential but is already floating around numerous mirror sites since its initial leak, the document details how the company discovered an “ominous” and large data movement of around 3.5 gigabytes from Bitstamp’s server to an IP in Germany.
From there, the company determined that it was their wallet.dat file that had gone over the tubes from their servers to some unknown. After an initial local investigation, they learned that it was company System Administrator Luka Kodrič’s laptop, sitting in his office at the company headquarters, which handled the initial entry of the hacker. Through further research, they were able to determine what security researchers know all too well: the human will always be the weakest link in computer security.
Despite the easy access to the network that the hackers had due to an initial phishing attack conducted on Kodrič while he was using the company network, which did not require him any special credentials to utilize while plugged in at the company, there was still a fair bit of leg work for the attacker to do. For instance, they had to have simultaneous access to two servers. In an apparent failure to implement proper logging procedures (which do exist), the company had no way of knowing what the hacker touched while he was in the servers, only how much data he took. This is similar to having a thief steal from a line of endlessly reproducing widgets: you’ll never know which thing he stole, because everything is still there when you arrive to check.
But in the case of Bitstamp, it became clear rather quickly what had gone missing, although the thief played a much longer con than is normal with exchange hacks. While Kodrič was away on business, his phone sent him notifications that someone was logging in back at the company network. For an inexplicable reason, he failed to report this strange behavior to anyone during this time.
By January 5th, more than 18,000 BTC were transferred out of the wallet and proliferated out into the ether. This is about the time that Bitstamp began discovering what had gone on, much too late. Readers will remember the high-profile episodes in which Bitstamp reported from CES that it was rebuilding its entire platform, and also came clean about the attack, admitting that the coins had gone missing. Not until now has the public known much of why the coins went missing, and Bitstamp has repeatedly said they have been quiet with the details they have to be able to try and catch the attacker. Further, they did refund all lost deposits.
Regardless, the ineptitude illustrated by this report would certainly scare sane investors away. The actual contents of the phishing e-mail are not made apparent, but throughout the report it becomes clear that the hackers were working much harder to steal the bitcoins than the company was to secure them. Personal computers should never be attached to sensitive work networks, least of all those related to finance or politics. No security is insurmountable.
In its deeper investigation, the company collected all computers that were attached to the network at the time of the attacks and pulled all the data from them, totaling about 13 terabytes. It was during this search that they discovered an ongoing history of highly targeted phishing attacks conducted against Bitstamp employees. These were the types of attacks that couldn’t be conducted without some prior knowledge, but the report makes clear that most of the potential victims were not employees with the kind of access the hackers needed.
The organized attackers continued their efforts to penetrate the company, eventually getting in via Luka Kodrič. In early December, he was contacted by a group purportedly inviting him to join a prestigious fraternity, and from his very initial contacts with them, his laptop, which was permitted access to the hot wallet servers, was gradually compromised. Not quite a month later, a successful attack of around $5 million in bitcoins was conducted until the hack was fully uncovered and customers were told to halt deposits.
The document has not yet been verified by Bitstamp as genuine, but CCN is awaiting comments.
Featured image from Shutterstock.
Last modified: January 25, 2020 11:08 PM UTC