Following the results from the U.S. Marshals bitcoin auction, which were released in part on Monday, we have learned that only one entity walked away with the 30,000 bitcoins at stake.
However, while many bitcoin companies now walk away feeling dissatisfied, one bitcoin company is suffering the most.
On June 18, the U.S. Marshals leaked the email addresses and names of individual who showed interest in bidding in the upcoming auction.
A mistake that appeared to be costly for the Melbourne-based bitcoin arbitrage fund Bitcoins Reserve, which lost a reported 100 BTC.
As reported by StartupSmart, Bitcoins Reserve is now a victim to what the company’s co-founder Sam Lee has described as a serious cyber-attack.
Because of the leaked email list, an individual was able to gain access to the email address in which the company had used to inquire on the upcoming and now-closed auction.
An individual approached Lee using the email address posing as a journalist looking to conduct an interview. The attacker then used a third party’s address, which was too likely compromised, to then share with Lee a Google Doc which was maliciously presented as a set of questions.
Lee then explained that he was provided with an input that essentially was alleging to serve as an access point to view the document; however, the link, in disguise, was secretly gaining access to his personal email account.
Following the overtaking of Lee’s email, the attackers processed a password challenge, which then provided them with a list of all of the passwords that had been previously listed within the browser.
They then retrieved Bitcoins Reserve’s domain register, and then proceeded to add another DNS record that gave them access through Google to the company’s admin page for their apps account.
However, it was here that the attacker realized that they would not be able to access the company’s bitcoins, due to the fact that they are handled by security experts who reportedly have them on lock down.
Nonetheless the thieves had now gained access to every single email address within the employee register at Bitcoins Reserve; however, as this didn’t allow for much at this point either, the attackers then went on to send an email from Lee’s address to the company’s CTO.
The email requested the company’s chief technology officer to initiative a bitcoin transfer of 100 BTC to a specific address.
The CTO, according to Lee, then went on to verify the initiation by requesting a personal call from Lee; however, the attacker responded to the request via email saying no problem, but that it would have to be later in the day because he (posing as Lee) was too busy.
Then, in an unfortunate, yet coincidental series of events, the CTO called Lees co-founder and chief financial officer who gave the transaction the green light because he thought they were filling a routine client withdrawal request internally.
And as it turns out, Lee was indeed busy on the morning of the attack, unable to get to his phone in time for a conformation, making the attackers sound even more legitimate.
Lee explains to StartupSmart his feelings on the attack:
“Is it the US Marshals’ fault that the attack occurred? Absolutely! Is it their fault that we lost some Bitcoins? No. [...] Bitcoin is still in its infancy, and the untraceable nature of it attracts very high profile hackers to jump on board and try to add to their incomes.”
As it turns out, Lee and Bitcoins Reserve were not the only ones targeted in the attack, Lee revealed that after speaking to others whose emails were leaked as a result of the U.S. Marshals neglect to reply using the BCC field, that they were also targeted by hackers.
Lee tells StartupSmart:
“It’s supposed to be a confidential auction, they leaked the list, the hackers have got their hands on the mail list and made a very sophisticated attack revolving around this list. [...] But people losing bitcoins could only because of their own lack of security procedures.”
While Lee is obviously disappointed that the attack took place as a result of the U.S. Marshals’ negligence, it is by no means a death knoll to the company, both he and Bitcoins Reserve will be just fine he explains:
“I’m glad it’s happened sooner rather than later, as it’s made us aware of our vulnerabilities. It lets us know about our weaknesses in these kinds of areas.”
Following the initial attack, the attacker went on to blackmail Lee with a threat to leak the last 7 years of his personal emails should he not pay the additional request of 200 BTC.
Lee does not intend on pursuing the attack any further, while noting that they is little to nothing that the Police could do under such circumstances. He does however intend to cover the losses out of his own pockets.
According to StartupSmart, Lee will be publicly speaking in-depth about the attack at Wednesday night’s Bitcoin Melbourne meetup event.