Naked Security

BitPay spearphished and loses $1.8 million, insurer refuses to pay

BitPay is embroiled in a legal dispute with its insurer over a commercial crime policy it says should cover $1.8m spear phishing losses.

Bitcoin payments processor BitPay was spearphished late last year after a hacker gained access to an email account belonging to David Bailey, Editor-in-Chief of digital currency publication Bitcoin Magazine.

Not once, not twice, but three times.

It all began one day in December 2014 when BitPay’s chief financial officer, Bryan Krohn, received an email that appeared to have come from Bailey, asking for his comments on a bitcoin industry document.

Of course it wasn’t really Bailey who sent the message – someone had hacked his computer and gained access to his email account – but it was convincing enough to send Krohn to a fake website where he gave up the login credentials to his own BitPay corporate email account.

Using those same credentials, the hacker was able to gain intimate knowledge of how BitPay conducted its business, which in turn allowed him or her to initiate three separate fraudulent bitcoin transfers on 11 and 12 December.

Using Krohn’s email, the hacker contacted Stephen Pair, BitPay’s CEO, asking him to transfer 1000 bitcoins to a customer’s virtual wallet. When that ruse proved successful, the hacker repeated the request and Pair obliged by transferring another thousand bitcoins.

As if almost three quarters of a million dollars’ worth of bitcoins were not enough, the hacker then emailed Pair again the next day, this time asking for a further 3000 bitcoins to be sent to the customer. Perhaps suspecting something was up, Pair sought confirmation from ‘Krohn’ – over the very email account the attacker controlled – and ‘Krohn’ of course replied that the transfer was perfectly valid.

The con was only detected after the point of no return had been passed – Pair copied the real customer into an email he sent after the transfer had completed. Unsurprisingly, the customer indicated that they had not requested any such purchase of bitcoins.
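The failure in the sequence above is that the "confirmation" came back over the same mailbox the request came from, so it proved nothing. As an added illustration that is not part of the original article and not BitPay's own process, the following Python models a transfer-approval rule in which a confirmation only counts if it reaches the apparent requester over a channel that is different from the request's channel and that a stolen email password cannot answer on (a phone number already on file, or in person). The addresses, wallet strings and the 100 BTC threshold are assumed for the example; the replay of three email requests follows the sequence the article describes but is constructed, not taken from the court filings.

```python
"""Out-of-band confirmation rule for large transfers.

Added example; organisation names, addresses, wallets and the threshold are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    EMAIL = "email"
    PHONE = "phone"          # callback to a number already on file, never one supplied in the request
    IN_PERSON = "in_person"


# Channels an attacker who has only stolen an email password cannot answer on.
OUT_OF_BAND = {Channel.PHONE, Channel.IN_PERSON}


@dataclass
class Message:
    channel: Channel
    person: str      # who the message is attributed to: a From: address, the owner of a number on file
    text: str


@dataclass
class TransferRequest:
    amount_btc: float
    destination: str
    request: Message
    confirmations: list = field(default_factory=list)


@dataclass
class Policy:
    threshold_btc: float = 100.0                     # assumed: above this, one channel is never enough
    known_destinations: set = field(default_factory=set)


def evaluate(req: TransferRequest, policy: Policy, approver: str):
    """Return (approved, reason).

    Approval needs a confirmation from the same person the request claims to come from,
    obtained on a channel different from the request's and listed in OUT_OF_BAND.
    A reply in the same mailbox proves nothing: whoever sent the request can send the reply.
    """
    if req.request.person == approver:
        return False, "requester cannot approve their own transfer"
    if req.amount_btc <= policy.threshold_btc and req.destination in policy.known_destinations:
        return True, "below threshold and known destination"
    for c in req.confirmations:
        if c.channel == req.request.channel:
            continue  # same channel as the request, e.g. a reply from the same email account
        if c.channel not in OUT_OF_BAND:
            continue
        if c.person != req.request.person:
            continue  # must be the apparent requester, reached independently
        return True, f"confirmed by {c.person} over {c.channel.value}"
    return False, "no out-of-band confirmation from the apparent requester"


def incident_timeline():
    """Constructed replay of the article's sequence: three email requests from the CFO's
    mailbox, the third 'confirmed' by a reply from that same mailbox. All three are blocked."""
    policy = Policy()
    cfo, ceo = "cfo@example.com", "ceo@example.com"
    wallet = "1ExampleWalletSuppliedInTheEmail"  # constructed, not a real address
    results = []
    for amount, confirmed_by_email in ((1000, False), (1000, False), (3000, True)):
        req = TransferRequest(amount, wallet, Message(Channel.EMAIL, cfo, f"please send {amount} BTC"))
        if confirmed_by_email:
            req.confirmations.append(Message(Channel.EMAIL, cfo, "yes, the transfer is valid"))
        results.append(evaluate(req, policy, approver=ceo))
    return results


def legitimate_flow():
    """Same 3000 BTC request, but the approver phones the CFO on the number already on file."""
    policy = Policy()
    cfo, ceo = "cfo@example.com", "ceo@example.com"
    req = TransferRequest(3000, "1ExampleCustomerWallet", Message(Channel.EMAIL, cfo, "please send 3000 BTC"))
    req.confirmations.append(Message(Channel.PHONE, cfo, "yes, I sent that request"))
    return evaluate(req, policy, approver=ceo)


if __name__ == "__main__":
    for approved, reason in incident_timeline():
        print("APPROVED" if approved else "BLOCKED ", reason)
    print(*legitimate_flow())
```

The rule deliberately ignores what the confirmation says and looks only at where it came from: the third request in the replay carries an affirmative reply and is still blocked, because that reply shares the request's channel. The phone callback in `legitimate_flow` passes for the same reason in reverse, and only because the number is one already on file rather than one quoted in the email.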

Court documents estimated that the 5000 bitcoins lost by BitPay were worth $1,850,000.

Fortunately for the company, or so it thought, it had a commercial crime policy in place to cover such an eventuality.

But when it approached Massachusetts Bay Insurance Company to claim $1,000,000 of the loss, less an excess of $50,000, the insurer refused to pay out, saying:

The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of money to an outside person or place.

As Massachusetts Bay Insurance Company quite correctly points out in a letter issued on 8 June 2015, BitPay’s own systems were not hacked – it was David Bailey’s computer that suffered that fate – and the insurance company maintains that the policy does not cover consequential losses incurred as a result of a third party being hacked.

Despite additional arguments over the semantics of fraudulent activity, BitPay responded on 15 June, explaining how courts had previously held that “‘Computer Fraud’ occurs when someone ‘hacks’ or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds”.

The insurer countered that argument, saying that BitPay’s loss was a result of spear phishing emails sent to Krohn, not a breach of its own computer systems, further arguing that:

Computer fraud equates to the use of a computer to "fraudulently cause a transfer" and is not the use of a computer somewhere in a transaction that involves fraud, false pretenses or misrepresentations.

BitPay has issued court proceedings in an attempt to mitigate at least part of its losses.

According to legal documents filed on 15 September, the company is seeking the $950,000 it says it is owed under the insurance policy, a 50% penalty worth $475,000 and reimbursement of its legal costs.

As for what this bitcoin theft means to everyone else, the answer is thankfully not a lot – a statement from BitPay suggests the matter had no adverse effect on any of its customers or business partners:

This was an isolated incident, and none of BitPay's customers, affiliates or merchants lost any funds. The only victim of the theft was BitPay. All merchant funds were secure, and there were no disruptions to BitPay's payment services at any time.


4 Comments

“Of course it wasn’t really Bailey who sent the message – someone had hacked his computer and gained access to his email account ”

I have a question – did somebody really hack his computer, or was he using the web mail interface everybody wants to use these days because they are so convenient? I have a feeling that many of these “hacked computers” are really breached web mail accounts.


As much as this is an indication BitPay had some less than ideal security practices, this does still seem like a case of “gaining unauthorized access” to their systems. Regardless of the original source.

I’m guessing the insurer is forced to pay out on this one.


Bugger the policy holders, think of the cost to the shareholders… LOL


I find it mind-boggling that when sending such a large amount of money you don’t actually check with the person (just a quick call) to make sure it was a legit transfer, unless I guess £400k worth of bitcoins is a normal amount to move around over email without talking to a real person, which is mind-boggling (BitPay must be making a lot of money).
