A recently leaked report, removed from the web upon request from Bitstamp, says that the January hacking of the exchange was caused by a phishing attack.
The attackers apparently had very good intelligence on six Bitstamp employees, and attempted to lure them with customized e-mail and Skype messages.
Bitstamp lost close to 19,000 bitcoins ($5.3 million) in the attack on its hot wallet, and could have lost more had it not kept the bulk of its funds offline.
The report, compiled by forensics investigation firm Stroz Friedberg in February, says:
“All of the phishing messages were highly tailored to the victim, and showed a significant degree of background knowledge on the part of the attacker.”
TrioMarkets Partners with HokoCloud, Expands its Portfolio with Social TradingGo to article >>
In one attack, an employee was asked to fill out an MS Word document to get free tickets to Punk Rock Holiday 2015. The file apparently contained a malicious macro, which may have failed to execute.
Bitstamp’s luck ran out when systems administrator Luka Kodric, who had access to the hot wallet, received a phishing e-mail, ostensibly from the Association for Computing Machinery. After following up via skype, he too received an application form, which installed a remote-access Trojan on his system.
From there, the attacker copied the bitcoin wallet file and passphrase. Even though the hot wallet can contain no more than 5,000 BTC at any given time, the attacker continued to drain its contents as new deposits came in.
The report’s authors go on to state:
“We believe we have identified at least one of the hackers and are baiting a ‘honey trap’ to lure him into the U.K. in order to make an arrest. Moreover, we need to be very careful not to educate other criminal hackers about how we safeguard our assets and information.”
Security experts have pointed out the dangers of storing server credentials on the same machine as for checking e-mail. Bitstamp has reportedly addressed this issue in a system revamp for which it has spent $650,000 to date.