A mistake by the US Marshals Service has led to Melbourne-based bitcoin arbitrage fund Bitcoins Reserve losing 100 bitcoins, valued at around $70,000, in a cyber-attack, according to co-founder Sam Lee.
Lee’s contact details, along with the details of others interested in the auction of 30,000 bitcoins confiscated from the Silk Road black marketplace, were accidentally leaked by the US Marshals Service about two weeks ago.
Bitcoins Reserve was the victim of what Lee calls “a serious attack”, where an individual approached him on the leaked email address, purporting to be a journalist requesting an interview.
Lee says the address the attacker used was owned by a third party, which he believes has been compromised by the attacker, and used to share with him a Google Doc with what Lee believed to be interview questions.
He was then prompted to request access to the Google Doc, but the link was actually requesting access to his own email account.
Once the attackers had gained access to his email account they were able to complete a password challenge, which gave them access to all the plain-text passwords saved in his Chrome web browser.
They then accessed Bitcoins Reserve’s domain registrar and added a new DNS record, which confirmed to Google that they owned the domain and so gave them control of the company’s Google Apps admin account.
Through that they were able to access the email addresses of all the employees at Bitcoins Reserve.
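The domain-verification step described above, in which an attacker adds a DNS record so that Google accepts them as the domain’s owner, is detectable from the defender’s side by comparing the TXT records actually published for a domain against an approved baseline. The Python script below is an added example, not code from the article or from Bitcoins Reserve; the zone dump and baseline are constructed sample data, and the only real-world format it relies on is Google’s documented TXT verification record, which has the form `google-site-verification=<token>`.

```python
import re
from dataclasses import dataclass

# Google's documented domain-verification TXT record looks like
# "google-site-verification=<token>". Any token the operator did not create
# means someone else can claim ownership of the domain with Google.
SITE_VERIFICATION_RE = re.compile(r"^google-site-verification=([A-Za-z0-9_-]+)$")


@dataclass(frozen=True)
class Finding:
    name: str      # DNS owner name the record was published under
    record: str    # the TXT record content
    reason: str    # why it was flagged


def parse_txt_records(zone_text):
    """Parse TXT records out of a simple zone-file-style dump.

    Only lines of the form  <name> [ttl] IN TXT "<content>"  are considered;
    comments and other record types are ignored.
    Returns a list of (name, content) tuples in file order.
    """
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r'^(\S+)\s+(?:\d+\s+)?IN\s+TXT\s+"(.*)"$', line)
        if m:
            records.append((m.group(1), m.group(2)))
    return records


def audit_txt_records(observed, approved):
    """Compare published TXT records with an approved baseline.

    `observed` is a list of (name, content); `approved` is a set of the same
    tuples that the operator knowingly created. Every record missing from the
    baseline is flagged, and Google verification tokens get a sharper reason
    because of what a holder of the matching token can do.
    """
    findings = []
    for name, content in observed:
        if (name, content) in approved:
            continue
        if SITE_VERIFICATION_RE.match(content):
            reason = "unapproved Google domain-verification token (can grant admin over the domain)"
        else:
            reason = "TXT record not in approved baseline"
        findings.append(Finding(name, content, reason))
    return findings


# Constructed sample data: a baseline the operator created, and a later dump
# in which one extra verification token has appeared. The token values are
# placeholders, not real tokens.
APPROVED = {
    ("example.com.", "v=spf1 include:_spf.google.com ~all"),
    ("example.com.", "google-site-verification=OWN_TOKEN_PLACEHOLDER"),
}

ZONE_DUMP = """
; constructed zone dump for example.com
example.com.    300 IN TXT "v=spf1 include:_spf.google.com ~all"
example.com.    300 IN TXT "google-site-verification=OWN_TOKEN_PLACEHOLDER"
example.com.    300 IN TXT "google-site-verification=UNKNOWN_TOKEN_PLACEHOLDER"
example.com.    300 IN A   192.0.2.10
"""


def run_sample_audit():
    """Audit the constructed dump against the baseline and return the findings."""
    return audit_txt_records(parse_txt_records(ZONE_DUMP), APPROVED)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.name} TXT {f.record!r}: {f.reason}")
```

In practice the `ZONE_DUMP` input would be replaced by a periodic export from the registrar or DNS provider, and the baseline by the records the operator documented when creating them; the point of the check is that an ownership-verification token nobody on the team can account for is a high-priority signal, whatever else the attacker has not yet done with it.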
They couldn’t gain direct access to Bitcoins Reserve’s bitcoins, Lee says, because it’s handled by a security expert “and they’re all locked down”.
Instead they sent an email from Lee’s email address, purporting to be him, to the company’s chief technology officer, requesting that 100 bitcoins be sent to a specific bitcoin address.
Lee says the CTO’s response was “naturally” to request a phone call from the attacker purporting to be Lee, to confirm that it was in fact Lee making the request. The attacker responded that this was fine, but that the phone call would have to be later that afternoon as he was busy.
The CTO then called Lee’s co-founder and CFO, who authorised the transaction, mistakenly thinking they were fulfilling an internal client withdrawal request.
In an unfortunate coincidence, Lee was busy on the morning of the attack and unable to answer his mobile, which made the attackers’ claims more credible.
“Is it the US Marshals’ fault that the attack occurred? Absolutely! Is it their fault that we lost some Bitcoins? No,” Lee says.
“Bitcoin is still in its infancy, and the untraceable nature of it attracts very high profile hackers to jump on board and try to add to their incomes.”
Lee says he has spoken to other individuals whose details were also leaked by the US Marshals Service, who say they were also targeted.
“It’s supposed to be a confidential auction, they leaked the list, the hackers have got their hands on the mail list and made a very sophisticated attack revolving around this list,” he says.
“But people losing bitcoins could only be because of their own lack of security procedures.
“I’m glad it’s happened sooner rather than later, as it’s made us aware of our vulnerabilities.
“It lets us know about our weaknesses in these kinds of areas.
“Bitcoin in general is such a new industry, things are happening at a lightning pace, and security gets left on the wayside and we leave our doors open to such social engineering, because these things happen so quickly.”
Lee says the individuals behind the attack followed it up with a blackmail attempt, requesting a further 200 bitcoins to ensure Lee’s last seven years of email correspondence isn’t leaked.
He says they’ll cover the losses “out of our own pockets” and have no plans to contact police, because he doesn’t believe there’s much they could do.
The attack had limited impact on the Bitcoins Reserve arbitrage fund; it resulted in the fund missing out on some arbitrage opportunities on the day the bitcoins were lost.
Lee will speak about the attack at Wednesday night’s Bitcoin Melbourne meetup event.
The US Marshals Service has announced that a single bidder has won all of the bitcoins being auctioned.
It did not identify the winner, or disclose the winning bid.