PGP Could Have Prevented BitPay Phishing Attack

THELOGICALINDIAN - Editor's Note: We have updated the article to clarify that Mr. Krohn's email was compromised, not Mr. Pair's. We have also updated it to credit Mr. Zimmermann as the creator of PGP and linked his Wikipedia page. We apologize for the confusion.

Two weeks ago, it was revealed that BitPay suffered a phishing attack in late 2014, costing the company $1.8 million USD. According to documents obtained by the Atlanta Business Chronicle, a hacker gained control of BitPay CFO Bryan Krohn's email account, and from that account requested the transfer of 5,000 bitcoins.

This incident appears to be the latest in a series of problems at BitPay. These include layoffs, high-cost and low-return marketing spending, and an inability to get Bitcoiners to use the digital currency for retail purchases.

The hacker stole Krohn's credentials and used his account to request Bitcoin payments from CEO Stephen Pair. Pair sent two payments of 1,000 BTC and one payment of 3,000 BTC to Bitcoin addresses outside BitPay's control. These were made in three separate transactions, ostensibly to SecondMarket, one of BitPay's clients, from whom the company did not require payment in advance.

What Actually Happened

According to documents filed by BitPay, the company was at the time in negotiations over the purchase of the digital magazine business yBitcoin.

David Bailey, founder of yBitcoin, had his email account compromised first. Krohn then received an email appearing to come from Bailey, asking him to review changes made to a Google document. That was when his login credentials were stolen. The hacker also learned details of how BitPay transacts with its customers, such as SecondMarket's exemption from advance payment.

On Dec. 11, Stephen Pair received an email from someone posing as Krohn, requesting the transfer of 1,000 bitcoins to SecondMarket. Pair made the transaction, and soon afterwards he received another email requesting a further 1,000 bitcoins. BitPay's wallet on Bitstamp was the account used to send those coins. The following morning, Pair got another email requesting that 3,000 bitcoins be sent to SecondMarket at a different wallet address.

Pair then confirmed the transaction in an email to Krohn and to SecondMarket's Gina Guarnaccia. Guarnaccia immediately replied, denying that her company had purchased the bitcoins or that she had sent any earlier email confirming the 3,000 bitcoins and the wallet address. That is when the company became aware of the phishing attack.

Days later, BitPay filed a claim for the losses with Massachusetts Bay Insurance Company (MBIC), which denied coverage for the incident in a June 8 letter.

On September 15, 2015, BitPay filed suit against MBIC for breach of contract, bad-faith failure to pay, and statutory damages. It is seeking $950,000 in damages plus court fees.

How Could the Phishing Attack Have Been Prevented?

From the description, the fatal flaw was the moment the hacker obtained Krohn's email credentials. Nothing in the filings suggests Krohn had any additional protection on the account, so a stolen password was enough to send mail as him.

Today there are several security tools that could have prevented this. If BitPay had added a layer of encryption with digital signatures to authenticate email messages, a request to move funds that did not carry a valid signature from Krohn's own key would have stood out immediately, whatever mailbox it arrived from.

For example, Pretty Good Privacy (PGP) would have been a strong option for securing BitPay's staff email, since it uses public key cryptography both to encrypt and to authenticate messages.

Pretty Good Privacy, or PGP, is a widely used program for encrypting and decrypting email, authenticating messages with digital signatures, and encrypting stored files. In this system, developed by Phil Zimmermann, each user has a private key known only to that user and a public key that anyone may hold. To encrypt a message to someone, you use their public key; when they receive it, they decrypt it with their private key. Because public key operations are slow, PGP encrypts the message body with a fast symmetric cipher under a freshly generated session key, and then uses the recipient's public key to encrypt only that short session key. Both the encrypted message and the wrapped session key are sent to the receiver, who first uses their private key to recover the session key and then uses that key to decrypt the message. To sign a message, the sender computes a signature over it with their private key; anyone holding the sender's public key can check that the signature is valid and that the message has not been altered.

PGP can be used in just about every case where strong encryption is needed. Anyone who holds a given user's public key can send that user encrypted email, which only the holder of the matching private key can read. Likewise, he or she can send encrypted email to other contacts by first obtaining their public keys. Only the body of the email is encrypted: the subject and metadata (to, from, cc, and timestamp) remain visible to anyone watching a user's email. Users can also encrypt entire folders and files to their own public keys to protect them from attackers who gain access to their hard drives. One caveat applies to key distribution: a public key downloaded from a key server is only as trustworthy as the check that it really belongs to the named person, so fingerprints should be confirmed out of band before a key is relied on, otherwise an attacker can simply publish a key in a colleague's name.

Signed mail does not stop the phishing itself; Krohn could still have been tricked into typing his password into a fake Google Docs login page. What it stops is the step that cost the money. An attacker holding only Krohn's mailbox password cannot produce a signature that verifies against Krohn's public key, so a request to move 3,000 BTC that arrives unsigned, or signed by an unknown key, fails the check before anyone acts on it. Had the company required a valid signature on every transfer request, and had Pair refused to act on unverified ones, the attack very likely would not have succeeded. The caveat is that the private key must not live on the same compromised account or machine, and staff must treat a missing or failed signature as a stop sign rather than a nuisance.
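The following program is an added illustration, not code from BitPay or from the PGP project, of the hybrid scheme described above and of why it defeats the impersonation in this case. It uses Go's standard library primitives (AES-256-GCM for the message, RSA-OAEP to wrap the session key, RSA-PSS for the signature) in place of the OpenPGP packet format, and the two transfer requests are constructed sample text standing in for the Dec. 11 emails. The key names (cfo, ceo, attacker) and the message wording are assumptions for the scenario.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope mirrors the PGP-style hybrid construction: a fresh session key
// encrypts the message with a fast symmetric cipher, and the recipient's
// public key wraps only that short key. The sender's signature over the
// plaintext travels inside the encrypted payload (sign-then-encrypt).
type Envelope struct {
	WrappedKey []byte // session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(signature || plaintext)
}

// Seal signs msg with senderPriv and encrypts it so that only the holder of
// recipientPub's private half can read it.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg) // 1. sign the plaintext (RSA-PSS over SHA-256)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // 2. random 256-bit key for the bulk encryption
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, append(sig, msg...), nil)
	// 3. wrap only the short session key, not the message, with the public key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open unwraps the session key with the recipient's private key, decrypts,
// and verifies the embedded signature against the public key the recipient
// already trusts for the claimed sender. Mail that key did not sign is
// rejected no matter which mailbox it was sent from.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	sigLen := senderPub.Size() // a PSS signature is exactly one modulus in length
	if len(payload) < sigLen {
		return nil, errors.New("payload shorter than a signature")
	}
	sig, msg := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify against the sender's key: %w", err)
	}
	return msg, nil
}

// Scenario replays the incident with signed mail in place. The attacker holds
// the CFO's mailbox but not the CFO's private key, so the forged request can
// at best be signed by some other key. Returns (genuineOK, forgedOK, err).
func Scenario() (bool, bool, error) {
	cfo, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ceo, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample requests; wording is assumed, not from the filings.
	genuine, err := Seal([]byte("Please send 1000 BTC to SecondMarket."), cfo, &ceo.PublicKey)
	if err != nil {
		return false, false, err
	}
	_, genuineErr := Open(genuine, ceo, &cfo.PublicKey) // CEO checks against the CFO's key
	forged, err := Seal([]byte("Please send 3000 BTC to this new address."), attacker, &ceo.PublicKey)
	if err != nil {
		return false, false, err
	}
	_, forgedErr := Open(forged, ceo, &cfo.PublicKey) // same check, attacker's signature
	return genuineErr == nil, forgedErr == nil, nil
}

func main() {
	genuineOK, forgedOK, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request verified:", genuineOK)
	fmt.Println("forged request verified:", forgedOK)
}
```

Running it prints true for the genuine request and false for the forged one: the forged envelope decrypts fine, since the attacker can encrypt to anyone's public key, but the signature check against the CFO's key fails. That check is the whole defence, which is why the CFO's private key has to stay off the compromised account and why a failed verification must halt the transfer rather than be clicked past.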

The Community Reaction

The community previously regarded BitPay as a shining example of how to play a part in the ecosystem. Now, members of the community have been accusing the company of lagging far behind on developments, saying that if BitPay had implemented multisig or 2FA, the hack would not have happened.

Like Mt. Gox, BitPay has been a big player and one of the first companies that comes to mind for many. The shadow of Mt. Gox seems more present than ever, and news like the BitPay hack causes concern in the community.

BitPay was founded in 2011 with the aim of transforming the financial industry by making payments faster, more secure, and less expensive on a global scale.

BitPay started with the goal of making it easy for businesses to accept bitcoin payments, and it is currently one of the largest bitcoin payment processors in the industry, with over 60,000 merchants across six continents.

Now that BitPay's insurer has declined to pay the amount the payment processor requested to cover the hack, BitPay will have to bear a large loss. As of press time, the future of the company remains unknown.

Besides PGP, what other security measures could have prevented the attack? Let us know in the comments below!
