Six employees of Bitstamp were targeted in a weeks-long phishing attempt leading up to the theft of roughly $5m in bitcoin in January, according to an unconfirmed incident report said to be drafted internally by the bitcoin exchange.
The confidential document, posted to Reddit by a single-purpose account, offers an in-depth look into what is believed to be the inside story of the hack, which resulted in the loss of just under 19,000 BTC earlier this year. Since then, the company has offered scant details on what took place behind the scenes, citing confidentiality regarding the investigation into the lost funds.
The report's findings are notable as they illustrate the risks facing bitcoin exchanges, including social engineering attacks in which personal information is used to trick victims into providing a means of access to sensitive materials.
In the case of Bitstamp, those behind the attack used Skype and email to communicate with employees and attempt to distribute files containing malware by appealing to their personal histories and interests. Bitstamp's system became compromised after systems administrator Luka Kodric downloaded a file that he believed had been sent by a representative for an organization that was seeking his membership.
The report, attributed to Bitstamp general counsel George Frost, explained:
On 11th December, as part of this offer, the attacker sent a number of attachments. One of these, UPE_application_form.doc, contained obfuscated malicious VBA script. When opened, this script ran automatically and pulled down a malicious file from IP address 18.104.22.168, thereby compromising the machine.
Ultimately, the attackers were able to access two servers containing the wallet.dat file for Bitstamp's hot wallet and the passphrase for that file.
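As an added example that is not part of the article or the report, the following Python correlation flags the delivery pattern the report describes from a defender's side: an Office process that, shortly after opening a document, connects to a public IP address or spawns a child process. The Sysmon-style event records, PIDs, timestamps and paths are constructed; only the document name and the IP address are taken from the quote above.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry, not from the Bitstamp report; the records mimic
# Sysmon ProcessCreate (id 1) and NetworkConnect (id 3) events. Only the
# document name and IP address are taken from the report quoted above.
EVENTS = [
    {"id": 1, "ts": "2014-12-11T09:14:02", "pid": 4120, "ppid": 1800,
     "image": "WINWORD.EXE", "cmdline": r'WINWORD.EXE /n "C:\Users\lk\Downloads\UPE_application_form.doc"'},
    {"id": 3, "ts": "2014-12-11T09:14:05", "pid": 4120, "image": "WINWORD.EXE",
     "dst": "10.0.0.12", "port": 445},   # SMB to an internal file share: benign
    {"id": 3, "ts": "2014-12-11T09:14:09", "pid": 4120, "image": "WINWORD.EXE",
     "dst": "18.104.22.168", "port": 80},  # outbound fetch right after the open
    {"id": 1, "ts": "2014-12-11T09:14:11", "pid": 4388, "ppid": 4120,
     "image": "cmd.exe", "cmdline": "cmd.exe /c start update.exe"},
    {"id": 1, "ts": "2014-12-11T11:02:40", "pid": 5012, "ppid": 1800,
     "image": "WINWORD.EXE", "cmdline": r'WINWORD.EXE /n "C:\Users\lk\Documents\notes.doc"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def _ts(s):
    return datetime.fromisoformat(s)


def detect_macro_delivery(events, window=timedelta(minutes=5)):
    """Flag an Office process that, within `window` of starting, either connects
    to a public IP address or spawns a child process. Returns a dict keyed by
    the Office PID with the document command line and the indicators that fired."""
    starts = {e["pid"]: e for e in events
              if e["id"] == 1 and e["image"].lower() in OFFICE_APPS}
    alerts = {}
    for e in events:
        if e["id"] == 3 and e["pid"] in starts:
            parent = starts[e["pid"]]
            if ipaddress.ip_address(e["dst"]).is_global and _ts(e["ts"]) - _ts(parent["ts"]) <= window:
                alerts.setdefault(e["pid"], {"doc": parent["cmdline"], "indicators": []})
                alerts[e["pid"]]["indicators"].append(f"external connection to {e['dst']}:{e['port']}")
        elif e["id"] == 1 and e.get("ppid") in starts:
            parent = starts[e["ppid"]]
            if _ts(e["ts"]) - _ts(parent["ts"]) <= window:
                alerts.setdefault(e["ppid"], {"doc": parent["cmdline"], "indicators": []})
                alerts[e["ppid"]]["indicators"].append(f"spawned child {e['image']}")
    return alerts


if __name__ == "__main__":
    for pid, a in detect_macro_delivery(EVENTS).items():
        print(pid, a["doc"], *a["indicators"], sep="\n  ")
```

Private-range connections (such as the SMB session above) are ignored via `ipaddress.is_global`, and a Word process that opens a document without any follow-on activity produces no alert.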
The information contained in the report is said to be sourced from a third-party investigation conducted by digital forensics firm Stroz Friedberg, as well as from investigators working for the US Secret Service, the Federal Bureau of Investigation and UK-based cybercrime authorities.
As of the report's drafting, the investigation into the hack was still ongoing but an arrest was expected in the near future. The report alludes to an effort by investigators to create "a honey trap to lure [the attacker] into the UK in order to make an arrest."