BitPay, one of the leading bitcoin payment processing providers, reportedly lost 5,000 bitcoins (worth $1.85 million) in a sophisticated hacking attack last December.
As reported by the Atlanta Business Chronicle, news of the loss came to light due to the ongoing legal dispute between BitPay, and its insurer, Massachusetts Bay Insurance Company (MBIC), which has rejected BitPay’s claim.
Prior to the attack on BitPay, the attacker first gained access to the computer of BTC Media CEO David Bailey. Posing as Bailey, the attacker then wrote to BitPay CFO Bryan Krohn, who was directed to a Google Doc, where he entered his BitPay e-mail credentials.
The hacker, then posing as Krohn, wrote to BitPay CEO Stephen Pair and executive chairman Tony Gallippi, asking for authorization to send three payments totaling 5,000 BTC to a Bitcoin address. The payments were purportedly for SecondMarket, whose apparent arrangement with BitPay was one where they can pay for the bitcoins at a later date.
On the third payment of 3,000 BTC, Pair copied SecondMarket employee Gina Guarnaccia via e-mail for confirmation. Guarnaccia replied “that she did not send the prior email noting the 3,000 bitcoins and address for them to be sent, and that SecondMarket did not purchase the bitcoins,” upon which the scam was discovered.
MBIC rejected BitPay’s claim of $950,000, half the amount that was lost. It argued that the loss was indirect, and therefore not covered. “The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured,” the insurer claimed.
What to Look for in a Liquidity ProviderGo to article >>
Furthermore, the property in question was not on BitPay’s physical premises. Bitcoins are stored electronically, not necessarily stored in a particular location. Therefore, MBIC argued, they are not covered by the Computer Fraud Insuring Agreement.
BitPay countered that MBIC, in considering the loss as indirect, misinterpreted its policy. As to whether bitcoins are even subject to the insurance policy, BitPay noted that special provisions for them were stipulated.
“MBIC agreed to add bitcoin to the Policy definition of ‘money’ thereby insuring BitPay against loss of bitcoin. Unlike traditional money, bitcoin does not exist in physical form in any location or premises, and it cannot be transferred from or to any physical location,” said attorney Jessica Pardi.
BitPay has sued MBIC for the $950,000, plus court fees and damages.
Gaining the Upper Hand
The decentralized structure of Bitcoin, left untreated, renders it susceptible to loss and theft. All a hacker needs is access to one’s private keys, and transactions are irreversible.
However, relative to 2014, this year has seen a marked decrease in security-related incidents resulting in the loss of bitcoins. In the few successful attempts, hackers have resorted to more sophisticated means, relying less on brute force measures. For example, the $5.3 million hacking of Bitstamp also materialized from e-mails, phishing and Google Docs.
In essence, such attacks are more a result of inadequate organizational protocols and controls. Bitcoin technology, on its own, appears to have evolved to the point capable of resisting most threats (with the possible exceptions of 51% attacks and double spending). Cold storage, multisignature functions and other supporting software make it possible to achieve bank-grade security, but are only useful when complemented with the right human behavior.