Stephen Pair, CEO of BitPay, a well-known global Bitcoin payment service provider headquartered in Atlanta, Georgia, fell victim to a phishing scam that cost the company more than US$1.8 million, or about 5,000 bitcoins. The scam occurred in December of 2014, according to the company’s blog post.
BitPay filed a claim for losses, which its insurer, Massachusetts Bay Insurance Company (MBIC), denied in June. On September 15, 2015, BitPay filed a suit against MBIC for breach of contract, bad-faith failure to pay and statutory damages. It is seeking $950,000 in damages plus court fees, according to American Banker.
The company’s blog states that BitPay can’t discuss the pending litigation between the company and its insurer.
“This was an isolated incident, and none of BitPay’s customers, affiliates or merchants lost any funds. The only victim of the theft was BitPay. All merchant funds were secure, and there were no disruptions to BitPay’s payment services at any time. Additionally, advances in bitcoin cybersecurity over the last year allow BitPay to further protect funds and better serve merchants and bitcoin users.”
As for the hack itself, the hacker’s target was BitPay’s chief financial officer, Bryan Krohn, who received an email, allegedly from an online digital currency publication. The email helped the hacker to take over Krohn’s computer.
The hacker sent Krohn to a website where Krohn is alleged to have given the log-in information for his BitPay corporate email account, says Cointelegraph. According to lawsuit paperwork:
“After capturing Mr. Krohn’s Bitpay credentials, the hacker used that information to hack into Mr. Krohn’s Bitpay email account to fraudulently cause a transfer of bitcoin.”
With Krohn’s corporate log-in credentials, the hacker accessed the account and managed “to learn specific details about how Bitpay transacted business.” Then Stephen Pair, the CEO of BitPay, received emails from the hacker posing as Krohn. The hacker asked Pair to send 1,000 BTC to a user’s wallet. Having seen that it worked, the hacker asked him to send bitcoins again.
The next day, the imposter sent another email to the CEO asking him to send an additional 3,000 bitcoins to the customer. The CEO emailed Krohn to confirm the request, and the imposter sent back an email saying the transfer was valid. The CEO then sent the bitcoins, according to Atlanta Business Chronicle.
The scam was uncovered because Pair copied BitPay’s real customer on the final email about the transfer of the 3,000 coins. After the customer replied, it emerged that there was no order for 3,000 bitcoins.
This hack can be considered the latest example of scam artists using sophisticated means to infiltrate victims’ systems through assumed identities.