Atlanta-based bitcoin payment processor BitPay has suffered a phishing attack costing the company $1.8 million.
According to documents obtained by the Atlanta Business Chronicle, a hacker posing as BitPay CFO Bryan Krohn sent emails in December from his account authorizing the transfer of 5,000 bitcoins in three separate transactions to SecondMarket — ostensibly BitPay’s one customer from whom it does not require advance payment.
The email account of David Bailey, founder of Bitcoin quarterly yBitcoin, was compromised first. Krohn then received an email appearing to be from Bailey requesting he review modifications made in a Google document. At the time they were in negotiations about the purchase of BitPay’s magazine business by yBitcoin, according to documents filed by BitPay.
Krohn believes his login credentials were stolen when he entered them to access the supposed document. Besides pretending to be him, Krohn suspects the hacker also obtained details about how BitPay transacts with its customers, like SecondMarket’s advance payment exemption.
On Dec. 11 someone posing as Krohn emailed BitPay CEO Stephen Pair requesting the transfer of 1,000 bitcoins to SecondMarket at a specified wallet address. It was sent about an hour later and shortly after, Pair received another email requesting he send another 1,000 bitcoins to the same address. That transaction was sent from the company’s wallet on Bitcoin exchange Bitstamp.
The following morning, the hacker again emailed Pair as Krohn, requesting 3,000 bitcoins be sent to SecondMarket at a different wallet address.
When the transfer was completed, also from Bitstamp, Pair confirmed the transaction in an email to Krohn and SecondMarket’s Gina Guarnaccia, who denied that her company purchased the bitcoins or that she sent a previous email verifying the 3,000 bitcoins and the wallet address.
BitPay filed a claim for losses days later, which its insurance company, Massachusetts Bay Insurance Company, denied in a June 8 letter. On Sept. 15 BitPay filed a suit against MBIC for breaching contract, bad faith failure to pay and statutory damages. It is seeking $950,000 in damages plus court fees.