Attacker steals wallet with 5,000 BTC, waits to fill up

Jul 3, 2015 08:43 GMT  ·  By

A leaked confidential report regarding the robbery of almost 19,000 bitcoins from digital currency exchange service Bitstamp reveals that the attack relied on powerful social engineering skills and sophisticated malware invisible to major AV products.

The heist occurred on January 4, 2015, but the initial compromise was traced to December 11, 2014, while the actual theft of Bitstamp’s online wallet and its password occurred on December 29, 2014.

Attacker did background research

Up until the intrusion, the attacker had targeted six employees, although not all of them had the credentials to log into the server storing the wallet file and the one holding the access passphrase.

Spear-phishing attempts started on November 4, 2014, and messages were tailored for each target. The attacker collected extensive background information about the victim, allowing the creation of a lure that had the best chances of success.

Damian Merlak, Bitstamp CTO, for instance, was contacted about free tickets for the Punk Rock Holiday 2015 event in Slovenia. Merlak is a fan of the genre and also used to play in a band.

The company’s COO, Miha Grcar, was also approached on Skype by the attacker, who posed as a journalist seeking comments for an article delivered in a Word document. Grcar worked as a reporter for Athens News and is keen on policy and history topics.

Most contacts made over Skype

Other Bitstamp employees were also contacted using as lure a connection with a previous or parallel position at a different organization.

In most cases, the potential victim was approached via Skype, and the goal was to make them accept and run a Word file laced with a malicious macro (VBA script) that would deliver the payload.

However, Bitstamp’s systems administrator, Luka Kodric, received the bait in his Gmail inbox. The lure was the opportunity to join Upsilon Pi Epsilon (UPE), the International Honour Society for the Computing and Information Disciplines, and came from a spoofed address of the Association for Computing Machinery.

Kodric was one of the few targets that could log into the two servers storing the active bitcoin wallet and its passcode.

The malicious document was disguised as an application form, which downloaded malware on Kodric’s computer.

Trojan went undetected by major antivirus products

The Trojan was described in the report as a “highly sophisticated programme with diverse functionality,” which, at the time of the analysis, “was not detected when submitted to major AV providers.”

The malware included multiple capabilities that allowed it to access the host’s registry and the clipboard, emulate mouse movements, or perform keylogging via plugins. Evidence shows that it could also be used for click-fraud activities.

Attacker waits a week for spoils to quadruple

Although successful infiltration was achieved on December 11, 2014, the attacker copied the bitcoin wallet and the corresponding access key on December 29.

At that time, there were 5,000 bitcoins available, but the currency was not transferred from the wallet. During the ensuing days, additional deposits were made, and on January 4, 2015, the amount grew to 18,866 BTC, which were worth $5.2 / €4.45 million; that's when the attacker started to transfer the money.

The attacker connected to the server with the active wallet through a VPN connection from Kodric’s laptop in the office, probably while the admin was working.

Employee was alerted of unauthorized remote access attempts

“The VPN connection to the data centre was restricted to three authorised IP addresses: Bitstamp’s office IP, Mr Merlak’s home IP, and Mr Kodric’s home IP. Two-factor authentication was not required to access the data centre from Mr Kodric’s laptop while it was logged in to the office network,” the report says.

Interestingly, on the day of the robbery, a Sunday, Kodric received on his mobile phone a total of nine notifications for the second authentication code that allowed remote access to the office network.

Such an alert is generated only when the correct credentials are used. The report says that the remote access attempts came from an IP address in Romania. However, the threat actor relied on the Tor network for the malicious activity to hide the origin of the attack.
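The pattern described above, where a valid password triggers repeated second-factor prompts that are never completed, from an address outside the small VPN allow-list, is something a defender can alert on from authentication logs. The following is an added example written for this article, not code from the report or from Bitstamp; the log format, usernames, IP addresses and allow-list are all constructed placeholders.

```python
# Added example: flag accounts whose 2FA challenges are issued repeatedly
# (meaning the password was accepted) but never completed, or whose
# challenges come from an IP outside the VPN allow-list.
# Log format, usernames and addresses below are constructed, not real data.
from collections import defaultdict

# Constructed allow-list standing in for the three authorised addresses the
# report names (office, CTO's home, sysadmin's home); placeholder values.
ALLOWED_IPS = {"203.0.113.10", "198.51.100.7", "198.51.100.9"}

# Constructed log lines: timestamp user event src_ip
SAMPLE_LOG = """\
2015-01-04T09:12:01Z lkodric PASSWORD_OK 192.0.2.44
2015-01-04T09:12:02Z lkodric 2FA_CHALLENGE_SENT 192.0.2.44
2015-01-04T09:15:40Z lkodric PASSWORD_OK 192.0.2.44
2015-01-04T09:15:41Z lkodric 2FA_CHALLENGE_SENT 192.0.2.44
2015-01-04T09:20:03Z lkodric PASSWORD_OK 192.0.2.44
2015-01-04T09:20:04Z lkodric 2FA_CHALLENGE_SENT 192.0.2.44
2015-01-04T10:01:00Z dmerlak PASSWORD_OK 198.51.100.7
2015-01-04T10:01:01Z dmerlak 2FA_CHALLENGE_SENT 198.51.100.7
2015-01-04T10:01:30Z dmerlak 2FA_OK 198.51.100.7
"""

def parse(log):
    """Yield (timestamp, user, event, src_ip) tuples from the constructed format."""
    for line in log.splitlines():
        ts, user, event, ip = line.split()
        yield ts, user, event, ip

def find_suspicious(log, allowed=ALLOWED_IPS, threshold=3):
    """Return per-user stats for accounts that either received at least
    `threshold` more 2FA challenges than completed logins, or received a
    challenge from an IP that is not on the allow-list."""
    stats = defaultdict(lambda: {"challenges": 0, "completed": 0, "unlisted_ips": set()})
    for _ts, user, event, ip in parse(log):
        s = stats[user]
        if event == "2FA_CHALLENGE_SENT":
            s["challenges"] += 1
            if ip not in allowed:
                s["unlisted_ips"].add(ip)
        elif event == "2FA_OK":
            s["completed"] += 1
    return {u: s for u, s in stats.items()
            if s["challenges"] - s["completed"] >= threshold or s["unlisted_ips"]}

if __name__ == "__main__":
    for user, s in find_suspicious(SAMPLE_LOG).items():
        print(user, s)
```

Run against the constructed log, only the sysadmin account is flagged: three uncompleted challenges from an address that is not on the allow-list, while the CTO's completed login from an authorised address is not reported.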

The incident response document was first published on Scribd but it was removed at Bitstamp's request. However, it is currently available from multiple sources online.