Leaked document reveals internal Bitstamp Bitcoin raid investigation

A confidential leaked document from Bitstamp details how the Bitcoin trader was hacked and how the crime has been investigated.

A confidential leaked document details how Bitcoin trader Bitstamp lost 18,866 Bitcoins in an attack that culminated on 29 December last year.

The company admitted the theft publicly within days, saying the total amount stolen, worth around £3.6 million, was a fraction of the company's total reserves. According to ZDNet, Bitstamp reported in May that it held offline reserves of 183,497 Bitcoins (£34 million), meaning it lost around 10 percent of its assets in the raid.

According to the report, written by Bitstamp's general counsel George Frost, the loss was discovered on 4 January by chief technology officer Damian Merlak. He noticed a suspicious data transfer of 3.5GB to an unfamiliar IP address. This raised alarm bells because that is the size of the wallet.dat file containing Bitstamp's Bitcoin wallet.
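The detection described above is essentially a volume-and-destination check: a large outbound transfer from a sensitive server to an address it does not normally talk to. The following is an added example, not code from Bitstamp or the leaked report, of how such a check could run over flow records. The log format, the allow-list of known peer networks, the 3 GiB threshold and the sample flows are all constructed assumptions; it aggregates bytes per source/destination pair so an exfiltration split into several connections is still caught.

```python
"""Flag large outbound transfers to IP addresses outside a known-good set.

Added example, not from the leaked report: the log format, the allow-list
and the threshold are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Assumed: the internal range and the partner network the data server is expected to talk to.
KNOWN_PEERS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Assumed threshold: a wallet file of several gigabytes leaving the server
# is what we want to catch, so alert on 3 GiB or more per destination.
ALERT_BYTES = 3 * 1024**3


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    nbytes: int


# Constructed flow records: "<timestamp> <src> <dst> <bytes_out>".
# The transfer to 198.51.100.23 is split across two connections that sum to 3.5 GiB.
SAMPLE_FLOWS = """\
2014-12-29T01:02:03Z 10.0.0.5 10.0.0.9 524288
2014-12-29T01:10:00Z 10.0.0.5 192.0.2.17 734003200
2014-12-29T02:00:00Z 10.0.0.5 198.51.100.23 2147483648
2014-12-29T02:04:00Z 10.0.0.5 198.51.100.23 1610612736
2014-12-29T02:05:00Z 10.0.0.5 203.0.113.8 1048576
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(nbytes)))
    return flows


def is_known_peer(addr: str) -> bool:
    """True if the address falls inside one of the expected peer networks."""
    ip = ip_address(addr)
    return any(ip in net for net in KNOWN_PEERS)


def find_suspicious_destinations(
    flows: Iterable[Flow], threshold: int = ALERT_BYTES
) -> Dict[Tuple[str, str], int]:
    """Sum outbound bytes per (src, dst) to unknown peers; return pairs at or above threshold."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if not is_known_peer(f.dst):
            totals[(f.src, f.dst)] += f.nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (src, dst), total in find_suspicious_destinations(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} -> {dst} sent {total / 1024**3:.2f} GiB to an unfamiliar address")
```

In production the aggregation would be bounded by a time window and the allow-list derived from observed baseline traffic; the point here is that destination novelty and volume together give a much stronger signal than either alone, which is exactly what made the 3.5GB transfer stand out.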

The attack was sophisticated: it required the attacker to connect to the company's data server through one of three IP addresses. This was accomplished by compromising the laptop of Bitstamp employee Luka Kodric, which was connected to the server via VPN.

Having obtained the wallet, the attacker still needed access to another server to obtain the passphrase that unlocks the Bitcoins.

Separately, on 4 January someone attempted to access the Bitstamp office network again, using Kodric's account. Because VPN connections from an external IP address require two-factor authentication, Kodric received nine notifications on his mobile phone in the space of 20 minutes to provide additional authentication. The login attempts were from a Romanian IP address.
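Nine two-factor prompts for one account in 20 minutes, none of them initiated by the user, is a pattern an authentication log can surface automatically. The following is an added example, not code from Bitstamp or the report, of a sliding-window detector over push-notification events. The log format, the account names, the source address, the threshold of five prompts and the 20-minute window are constructed assumptions.

```python
"""Detect a burst of two-factor push prompts for one account.

Added example, not part of the leaked report: log format, names, threshold and
window are constructed assumptions. The pattern of interest is many prompts for
one user in a short period, none of which were approved.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple


class PushEvent(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    result: str  # "approved", "denied" or "timeout"


# Constructed log lines: "<iso-timestamp> user=<name> src=<ip> result=<outcome>".
# "alice" receives nine prompts from one external address in under 20 minutes;
# "bob" has two ordinary approved logins hours apart.
SAMPLE_LOG = """\
2015-01-04T08:15:00Z user=bob src=10.0.0.12 result=approved
2015-01-04T09:00:10Z user=alice src=198.51.100.7 result=timeout
2015-01-04T09:02:41Z user=alice src=198.51.100.7 result=denied
2015-01-04T09:04:05Z user=alice src=198.51.100.7 result=timeout
2015-01-04T09:06:30Z user=alice src=198.51.100.7 result=denied
2015-01-04T09:08:55Z user=alice src=198.51.100.7 result=denied
2015-01-04T09:11:12Z user=alice src=198.51.100.7 result=timeout
2015-01-04T09:13:40Z user=alice src=198.51.100.7 result=denied
2015-01-04T09:16:02Z user=alice src=198.51.100.7 result=denied
2015-01-04T09:19:50Z user=alice src=198.51.100.7 result=timeout
2015-01-04T12:30:00Z user=bob src=10.0.0.12 result=approved
"""


def parse_log(text: str) -> List[PushEvent]:
    """Parse the constructed key=value log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        events.append(PushEvent(ts, fields["user"], fields["src"], fields["result"]))
    return sorted(events)


def detect_push_floods(
    events: List[PushEvent], threshold: int = 5, window: timedelta = timedelta(minutes=20)
) -> List[dict]:
    """Return one alert per user whose prompt count within `window` reaches `threshold`.

    A per-user deque holds the prompts inside the trailing window; the alert is
    refreshed as further prompts arrive so it reports the final count and span.
    """
    recent: Dict[str, Deque[PushEvent]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ev in events:
        q = recent[ev.user]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev.user] = {
                "user": ev.user,
                "count": len(q),
                "first": q[0].ts,
                "last": ev.ts,
                "sources": sorted({e.src_ip for e in q}),
                "approved": any(e.result == "approved" for e in q),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_push_floods(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: {a['count']} prompts between {a['first']} and {a['last']} "
              f"from {a['sources']}; approved={a['approved']}")
```

The "approved" flag matters for triage: a flood that ends in an approval means the user gave in and the session needs to be revoked, while a flood with no approval, as in the case described, still indicates that the password is already in the attacker's hands and must be rotated.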

The attack vector was a targeted phishing campaign, with six employees known to be targeted between 4 November and 12 December. The attacker was persistent, contacting each of the targets via Skype with offers tailored to their specific interests. Having gained their trust, the attacker then sent them Word documents containing obfuscated malicious VBA script designed to connect to an external IP address and download a file.

On the sixth attempt, the attacker managed to get Kodric to download a malicious file. As a systems administrator, he had access to Bitstamp's hot wallet. The phishing email purported to come from the Association for Computing Machinery and offered Kodric the chance to join an international honour society. As part of this, he was sent a Word document containing the malicious VBA script, which downloaded the malicious file and compromised the machine.
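The lure in both the email and the Skype conversations was a Word document carrying a VBA macro. Whether or not the macro is obfuscated, its presence is visible to a mail gateway from the document's structure alone, which is the basis for policies that quarantine macro-bearing attachments from external senders. The following is an added example, not code from Bitstamp or any vendor, that classifies an attachment by inspecting the Office Open XML container for an embedded VBA project; the sample documents are built in memory and are constructed for the demonstration.

```python
"""Classify an Office attachment by whether it carries an embedded VBA project.

Added example, not from the report. Modern Word files (.docx/.docm) are ZIP
containers; a macro-enabled document carries a word/vbaProject.bin part
regardless of what extension the sender gave the file. Legacy binary .doc
files (OLE2) need a dedicated parser, so they are only flagged for deeper
inspection here.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # first local file header of a ZIP
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office' for the given bytes."""
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: macros live in OLE streams; hand off to a full parser.
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        # A ZIP, but not an Office Open XML package.
        return "not-office"
    if any(part in names for part in MACRO_PARTS):
        return "macro"
    return "clean"


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for testing; the macro part is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not a real VBA project\x00")
    return buf.getvalue()


def gateway_decision(data: bytes, external_sender: bool) -> str:
    """Assumed policy: quarantine macro-bearing or unparseable Office files from outside."""
    kind = classify_attachment(data)
    if external_sender and kind in ("macro", "legacy-binary"):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample_document(True)),
                        ("plain", build_sample_document(False))):
        print(f"{label}: {classify_attachment(blob)} -> {gateway_decision(blob, external_sender=True)}")
```

The check keys on the package contents rather than the file extension because a sender can rename .docm to .docx; Word still honours the embedded project, so the gateway must too.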

The attacker then switched to Skype conversations with Kodric, after which further malicious executable files were created on his laptop. On 23 December, his computer logged on to the server holding the wallet.dat file, and this was followed by the successful attack on 29 December, in which the attacker logged into both the data file server and the server containing the passphrase.

The attacker then waited until 4 January to drain the Bitstamp wallet. It normally contains just 5,000 Bitcoins, but on that day it held over 18,000.

Kevin Epstein, VP of advanced security and governance at Proofpoint, said, "This is yet further confirmation that the human factor remains the weakest link in many security profiles – and that use of attachments and macros continues to exploit that weakness. Clearly conventional email gateways aren't succeeding in blocking this type of attack, so organizations who don't proactively invest in modern targeted attack protection and threat response systems will continue to make headlines as victims."