Bitstamp hot wallet hacked for 18,866 BTC due to human error

January 4, 2015

Summary #

During the events that unfolded between November 2014 and February 2015, an unknown attacker targeted Bitstamp employees through phishing messages and exploiting compromised accounts to steal the hot wallet file. During the attack, 18,866 BTC ($6.7 million adjusted for inflation) were stolen. Bitstamp suspended trading, notified customers, and eventually compensated them for their losses. The security failure stemmed from employees falling prey to social engineering attacks and distributing malware-laden files. The combination of sophisticated attack methods, including malware and persistent social engineering, led to theories that the perpetrator was an insider, a group of hackers, or even a state-sponsored actor.

Attackers #

The attacker has never been identified.

One theory is that the attacker was an insider because the attacker was able to gain access to Bitstamp’s hot wallet and steal the cryptocurrency. Another theory is that the attacker was a group of hackers. This is because the hack was carried out in a sophisticated manner. The attacker was able to bypass Bitstamp’s security measures by combining malware and social engineering techniques. Due to the sophistication of the attack, it is also possible that the attacker was a state-sponsored actor or a combination of an insider and a group of hackers with both inside knowledge and technical expertise.

Losses #

18,866 BTC was stolen, which was worth 5,289,837 USD at the time of the attack and amounts to 6,714,263 USD adjusted for inflation as of 2023. No assets were recovered, and Bitstamp covered the losses.

Timeline #

November 4, 2014: The attacker contacted Bitstamp’s CTO Damian Merlak offering free tickets to a punk rock festival.
November 26, 2014: Bitstamp’s COO Miha Grcar was targeted by a phishing message containing a Word document of a recent article, ostensibly seeking comment from Mr Grcar.
December, 2014: Several Bitstamp employees were targeted by phishing messages in early December. Bitstamp’s CEO Nejc Kodrič and employee Miha Hrast had their accounts compromised after being messaged on Skype.
December 11, 2014: The attacker sent a number of attachments containing an obfuscated malicious VBA script. When opened, the script downloaded a malicious file, which compromised Bitstamp employees’ machines.
December 23, 2014: Bitstamp CEO’s account was used to steal wallet.dat file from Bitstamp’s server.
January 4, 2015: Some of Bitstamp’s hot wallets were compromised.
January 5, 2015: Bitstamp confirmed that 18,866 BTC were stolen, notified customers that they should no longer make deposits to previously issued bitcoin deposit addresses and suspended all trading.
January 8, 2015: Bitstamp reopens trading with a new hot wallet.
January 12, 2015: Bitstamp announces that it will be compensating customers for the stolen Bitcoin.
February 2, 2015: Bitstamp begins distributing compensation to customers.
February 19, 2015: Bitstamp completes the distribution of compensation to customers.

Security Failure Causes #

A number of employees at the exchange fell victim to a social engineering attack in which they were persuaded to open and distribute files containing malware. The files were executed, and the attacker was ultimately able to obtain the backup passphrase to Bitstamp’s wallet.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam