Bitstamp is a European bitcoin exchange company officially registered in the United Kingdom.
Recently a document surfaced on the Internet, apparently the Bitstamp incident report, detailing how a phishing attack several months ago led to the company being robbed.
The breach clearly damaged Bitstamp's reputation, but the company's prompt response to the attack got its services back up and running with enhanced security. It never disclosed, however, what actually caused the attack.
Now the unconfirmed breach report, leaked by an unidentified individual and marked as confidential, has been making the rounds on the Internet and on mirror sites, and it tells the story behind the attack and what really happened.
Initially, the report was posted on Scribd (it has since been removed) under the title "BitStamp Incident Report" and dated February 20th. It is endorsed by George Frost, General Counsel of Bitstamp, and consists of investigation findings provided by the Stroz Friedberg private investigation group, as well as by investigators from the UK's cybercrime unit, the Secret Service and the FBI.
Page nine of the leaked report details how the company first discovered the breach: "Bitstamp staff noted a suspicious data transfer on the network logs, dated 29 December 2014, between 1129-1201 CET. The data transfer was approximately 3.5GB," which was sent to a suspicious German IP address.
This was the point at which the investigators determined that the "wallet.dat" file had left Bitstamp's servers for an unfamiliar IP. After a preliminary investigation, the company learned that the transfer had been initiated through a VPN (Virtual Private Network) connection from Luka Kodric's laptop, which was located in his office.
Accessing Bitstamp's network was easy for the attackers because of the initial phishing compromise of Luka Kodric's laptop, which, notably, was connected to the VPN. The report reveals that the VPN connection to the servers was restricted to only three authorised IP addresses: Kodric's home IP, Merlak's home IP, and Bitstamp's office IP. Two-factor authentication was not required, at that time, to reach the data centre from Kodric's laptop, so a compromised machine sitting on one of the allowed addresses inherited that access without any further challenge.
The attackers still had some work to do: they needed concurrent access to two servers located in the data centre. Investigators confirmed that the data was transferred from these two servers, but Bitstamp was unable to determine the content of the transferred data; only its total volume was identified.
The report suggests that the attackers gained access to Bitstamp's hot wallet, and that the early attempts had actually begun in late 2014, several months before the final successful attack, when numerous phishing messages were sent by the attacker via Skype to targeted Bitstamp employees. It also notes that each message was custom tailored, and that the attackers were working harder to steal bitcoins than the company was working to secure its assets.
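The breach was first noticed as an unusually large outbound transfer on the network logs. The following is an added example, not Bitstamp's or the report's own tooling, of the kind of check that turns that observation into an automated alert: it parses flow records, ignores destinations the business expects to receive bulk data, and raises an alert when one source moves more than a threshold to an unfamiliar address inside a time window. The log format, the addresses (documentation ranges), the allowlist and the threshold are all assumptions constructed for the example.

```python
"""Flag large outbound transfers to destinations the business does not normally
talk to.  Added example, not Bitstamp's or the report's own tooling; the log
format, addresses and thresholds below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed policy values, not figures from the report.
VOLUME_THRESHOLD_BYTES = 1024 ** 3      # alert once a pair moves 1 GiB ...
WINDOW = timedelta(minutes=60)          # ... within any 60-minute span

# Address space that is expected to receive bulk data (assumed for the example).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
KNOWN_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]   # e.g. an offsite backup peer

# Constructed flow records (timestamp, source, destination, bytes sent). The
# timeline mirrors the report's 29 December 2014 window; the addresses are
# documentation ranges, not the real ones.
SAMPLE_LOG = """\
2014-12-29T11:29:12 src=10.0.5.21 dst=10.0.9.4 bytes=52428800
2014-12-29T11:30:05 src=10.0.5.21 dst=203.0.113.77 bytes=400000000
2014-12-29T11:35:00 src=10.0.7.3 dst=198.51.100.10 bytes=900000000
2014-12-29T11:41:47 src=10.0.5.21 dst=203.0.113.77 bytes=450000000
2014-12-29T11:58:30 src=10.0.5.21 dst=203.0.113.77 bytes=350000000
2014-12-29T12:10:00 src=10.0.7.3 dst=198.51.100.10 bytes=900000000
"""


def parse_flow(line):
    """Turn one 'ts src=.. dst=.. bytes=..' record into typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return (datetime.fromisoformat(ts), ipaddress.ip_address(kv["src"]),
            ipaddress.ip_address(kv["dst"]), int(kv["bytes"]))


def is_expected_destination(ip):
    """Internal ranges and known partners may legitimately receive bulk data."""
    return any(ip in net for net in INTERNAL + KNOWN_EXTERNAL)


def find_suspicious_transfers(log_text, threshold=VOLUME_THRESHOLD_BYTES, window=WINDOW):
    """Return one alert per (src, dst) pair whose bytes to an unexpected
    destination reach `threshold` inside any `window`-long span."""
    flows = sorted((parse_flow(l) for l in log_text.splitlines() if l.strip()),
                   key=lambda f: f[0])
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if not is_expected_destination(dst):
            by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), records in by_pair.items():
        # Sliding window over the pair's records (already in time order), so
        # several flows that are individually small still add up to an alert.
        start, total = 0, 0
        for ts, nbytes in records:
            total += nbytes
            while ts - records[start][0] > window:
                total -= records[start][1]
                start += 1
            if total >= threshold:
                alerts.append({"src": str(src), "dst": str(dst),
                               "first_seen": records[start][0].isoformat(),
                               "last_seen": ts.isoformat(), "bytes": total})
                break   # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_transfers(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the three flows from 10.0.5.21 to 203.0.113.77 are each below the threshold on their own but sum to 1.2 GB inside the window and produce a single alert; the 1.8 GB sent to the known backup peer produces none. The point of aggregating per destination rather than per flow is that an IP allowlist on the VPN, as described in the report, says nothing about where data goes once an allowed endpoint is compromised, so egress volume is the signal that remains.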
A simple phishing scam ruined everything for Bitstamp
The report further reveals that Damian Merlak, Bitstamp's Chief Technology Officer, was the first victim of the phishing attack, which involved a message encouraging the recipient to open a Word document containing malicious VBA code.
“Six Bitstamp employees were targeted by phishing emails in total, although only four of these resulted in malicious attachments being received. […] All of the phishing messages were highly tailored to the victim and showed a significant degree of background knowledge on the part of the attacker,” the report reads.
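The lures described above relied on a Word document carrying a VBA project. As an added example, not Bitstamp's or the report's own tooling, the following check screens a Word attachment for an embedded macro project before it is handed to a user: a modern .docx/.docm is a zip package, so the presence of a `word/vbaProject.bin` part, or a declared macro-enabled content type (which survives renaming .docm to .docx), is enough to flag it; a legacy binary .doc is identified by its OLE signature and held for manual review rather than passed through. The sample attachments are built in memory and are constructed for the example; the placeholder bytes stand in for a compiled VBA project and contain no macro.

```python
"""Screen a Word attachment for an embedded VBA project before delivery.

Added example, not Bitstamp's or the report's own tooling.  The attachments it
inspects are constructed in memory for the example."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File signature (legacy .doc)
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = ("application/vnd.openxmlformats-officedocument"
                      ".wordprocessingml.document.main+xml")


def classify_word_attachment(data: bytes) -> str:
    """Return 'vba', 'clean', 'legacy-binary' or 'not-word'."""
    if data.startswith(OLE_MAGIC):
        # Pre-2007 .doc files keep macros in an OLE 'Macros' storage; reading
        # that needs an OLE parser, so the conservative answer is to hold the file.
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-word"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" not in names:
            return "not-word"
        # Direct evidence: the compiled VBA project part is present.
        if any(n.lower() == "word/vbaproject.bin" for n in names):
            return "vba"
        # Declared evidence: a .docm renamed to .docx still advertises macros here.
        if "[Content_Types].xml" in names and \
                MACRO_CONTENT_TYPE.encode() in zf.read("[Content_Types].xml"):
            return "vba"
    return "clean"


def build_sample_docx(with_vba: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a
    real lure).  With `with_vba`, it declares the macro-enabled content type and
    includes a placeholder vbaProject.bin part."""
    main_ct = MACRO_CONTENT_TYPE if with_vba else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes only; a real part is an OLE container holding the macros.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder, not a real VBA project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("macro document", build_sample_docx(True)),
                          ("plain document", build_sample_docx(False)),
                          ("legacy .doc", OLE_MAGIC + b"\x00" * 64),
                          ("text file", b"just some text")]:
        print(f"{label}: {classify_word_attachment(sample)}")
```

The check inspects the package itself rather than trusting the file extension, which is what an attachment filter needs when a lure is tailored to its recipient, as the report says these were. Anything other than `clean` is a reason to hold the attachment, and for the report's scenario a `vba` result on a document from an unexpected sender is exactly the case that should never reach a workstation with VPN access to the data centre.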
The hacking attempts continued until the attacker successfully compromised the system administrator's computer. Critically, that particular "sysadmin" had access to the IDs for Bitstamp's hot wallet. Almost a month later, the successful theft of $5 million in bitcoins was carried out.