Threatwatch

Australia-based bitcoin fund robbed of $70,000 after U.S. Marshals leaked contact info

Credential-stealing malware; Cyber espionage; Password cracking; Social engineering; Spearphishing; User accounts compromised

The email address of Sam Lee, co-founder of Bitcoins Reserve, was made public by accident, allowing an attacker to send him an infected message that stole company computer credentials.  

Lee’s contact details, along with those of others interested in an auction of 30,000 bitcoins confiscated from the Silk Road black marketplace, were recently leaked by the U.S. Marshals Service by mistake.

The hacker posed as a journalist requesting an interview to lure Lee into opening a bogus Google Doc. Lee believed the file contained interview questions.

By clicking on a link to the document, Lee unwittingly unleashed a malicious program that grabbed access to his email account and other passwords.

The attacker pried into company emails through that one opening.

“They couldn’t gain direct access to Bitcoins Reserve’s bitcoins, Lee says, because it’s handled by a security expert ‘and they’re all locked down,’” StartupSmart reports. “Instead they sent an email from Lee’s email address, purporting to be him, to the company’s chief technology officer, requesting that 100 bitcoins be sent to a specific bitcoin address.”

The CTO requested to speak over the phone with the individual claiming to be Lee to confirm it was indeed him.

The attacker consented, but said the call would have to be later that afternoon since he was busy.

In an unfortunate coincidence, Lee actually was busy on the morning of the attack, and unable to answer his mobile, which made the attacker’s claims more credible.

The CTO called other fund executives who authorized the transaction, under the mistaken impression they were fulfilling an internal client withdrawal request.

“Is it the U.S. Marshals’ fault that the attack occurred? Absolutely! Is it their fault that we lost some Bitcoins? No,” Lee tells StartupSmart. “I’m glad it’s happened sooner rather than later, as it’s made us aware of our vulnerabilities.”

Sector: Financial Services

Reported: July 1, 2014

Reported by: StartupSmart

Number affected: Unknown

Location of breach: Unknown

Perpetrators: Criminals

Location of perpetrators: Unknown

Date breach occurred: Some point in mid to late June 2014

Date breach detected: Some point in mid to late June 2014