How a Clever Hacker Tricked a Major Bitcoin Company Out of $1.8 Million

The hacker convinced the CEO to send them 5,000 bitcoins.

|
Sep 17 2015, 5:15pm

Image: Flickr/scottks

Executives of BitPay, a popular payment service for the cryptocurrency Bitcoin, were tricked into giving away $1.8 million to a clever hacker in December of 2014.

The hack, which was never disclosed by BitPay, was just revealed in court documents relating to a lawsuit BitPay filed against its insurer, which denied the company's claims on the lost funds, on September 15th. In a blog post today, BitPay assured customers that they weren't affected.

"This was an isolated incident, and none of BitPay's customers, affiliates or merchants lost any funds," the statement says. "All merchant funds were secure, and there were no disruptions to BitPay's payment services at any time." BitPay declined to comment further.

The hacker was able to learn details about BitPay's business

According to the filing, the attacker first gained access to BTC Media CEO David Bailey's computer, and used it to send an email to BitPay CFO Bryan Krohn containing a link to a Google doc. BTC Media was in talks to buy BitPay's magazine business. Krohn entered his corporate email information into the doc, which gave the hacker full access to his account.

According to the filing, Krohn believes the hacker was able to learn details about BitPay's business, knowledge which proved crucial to the scam.

The hacker then used Krohn's account to send emails to Bitpay CEO Stephen pair to ask that 5,000 bitcoins—spread out over three transactions—be sent to a wallet address the hacker claimed was owned by SecondMarket, a transaction software company that is also the only BitPay client not required to pay in advance for bitcoins. The scam was only revealed after a SecondMarket employee was notified of the completed transaction.

BTC Media representatives could not be reached for comment.

The insurance claim on the lost funds was denied because BitPay's computers were never hacked—instead, they just gave away their email passwords in what appears to be a classic phishing scam. Phishing is when an attacker send a scammy email in the hopes that the victim is not savvy enough to trash it immediately.

BitPay is one of the largest and oldest Bitcoin payment services, and in the past it has partnered with Microsoft and 50 Cent to process Bitcoin payments for their products. Several months after the hack, BitPay was reportedly processing more than $1 million in payments every day.