The Australian Bitcoin fund “performs automated simultaneous trades across multiple exchanges with price differentials, to correct market inefficiencies and bring liquidity, all in the while netting profitable trades.” It also seeks to educate the general public on cryptocurrency investments.
Here’s how it happened, according to Sam Lee, co-founder and CEO: He was contacted via his leaked e-mail address by an individual posing as journalist, claiming to be interested in an interview. Lee believes that the address he was contacted from was itself compromised by the attacker.
The attacker shared with him a Google Doc to answer interview questions. First though, he was prompted with a link which appeared to request access to the Google Doc, but in fact requested access to his own e-mail.
The attacker gained access to Lee’s e-mail and successfully completed a password challenge, which granted access to all plain text passwords in the Chrome browser. The attacker than accessed the domain register and added a DNS record confirming with Google that he indeed owns the company’s Google Apps admin account. This allowed him to access all employee e-mail addresses.
Legal Risk Factor Beneath Ripple’s Lawsuit from SECGo to article >>
The attacker couldn’t directly access the company’s bitcoins, which are “locked down” by a security expert. Instead, the attacker sent a message from Lee’s e-mail address requesting a transfer of 100 bitcoins, to be sent to a certain address.
Naturally, the CTO requested a phone call to authenticate the transaction. The attacker “authorized” the transfer without the phone call, saying he approves but was unavailable at that time to make the phone call. The CTO then contacted the CFO, who authorized the transaction, believing it was a client withdrawal request.
The attacker was fortunate in that on the morning of the incident, Lee was unavailable to be reached on his mobile.
While this may not have happened if not for the leak, Lee isn’t blaming USMS directly for the theft, saying:
“Is it the US Marshals’ fault that the attack occurred? Absolutely! Is it their fault that we lost some Bitcoins? No….It’s supposed to be a confidential auction, they leaked the list, the hackers have got their hands on the mail list and made a very sophisticated attack revolving around this list….But people losing bitcoins could only because of their own lack of security procedures.
In fact, he believes it’s good thing that it happened. The lessons learned are key to preventing such attacks in the future: “I’m glad it’s happened sooner rather than later, as it’s made us aware of our vulnerabilities.”