The CEO of Bitcoin merchant services industry leader BitPay has suffered a phishing scam that cost the company 5,000 bitcoins or over US$1.8 million, reports the Atlanta Business Chronicle

Three separate thefts by one skilled hacker

The scam occurred last December and the target was BitPay’s chief financial officer, Bryan Krohn. It all started when Krohn received an email, allegedly from an online digital currency publication looking for commentary on a document about the Bitcoin industry.

This was an email sent from a hacker who had taken over a computer. The hacker sent Krohn to a website where Krohn is alleged to have given the log-in information for his Bitpay corporate email account. According to lawsuit paperwork:

"After capturing Mr. Krohn's Bitpay credentials, the hacker used that information to hack into Mr. Krohn's Bitpay email account to fraudulently cause a transfer of bitcoin.”

Now armed with Krohn’s corporate log-in credentials, the hacker accessed the account and used them "to learn specific details about how Bitpay transacted business.” The hacker sent emails to the CEO of BitPay, Stephen Pair, as if he were Krohn, and asked Pair to send 1,000 BTC to a consumer’s wallet, which Pair did. After this worked, the hacker repeated the request and was again successful.

The following day, still with access and control of Krohn’s account, the hacker asked for a 3,000 BTC transfer from Pair. The CEO double-checked with Krohn via email, but since the hacker has control of the account, he received confirmation from Krohn’s account. Pair sent the 3000 BTC as specified.

Pair did help uncover the scam because he copied BitPay's real customer on the final email about the transfer of the 3,000 coins. It was then discovered that there was no order for 3,000 bitcoins after the customer replied.

BitPay’s chief financial officer, Bryan Krohn

Paying up is hard to do

It appears that BitPay does not have any better luck making an insurance claim as anyone else does. Their insurance company, Massachusetts Bay Insurance Company, refused to pay on a claim for US$950,000 by BitPay in June. BitPay has since filed a lawsuit against their insurance company (see the lawsuit document here).

Massachusetts Bay Insurance Company, represented by Michael Weber of Illinois law firm Leo & Weber, sees the issue differently. This excerpt comes from a letter written by Weber to Jessica Pardi of Morris, Manning & Martin, LLP, who appears to be representing BitPay:

“Mr. Krohn was deceived by the email purportedly from David Bailey, which resulted in Mr. Krohn providing his Google credentials to the perpetrator. This is commonly referred to as a ‘spear phishing’ email scheme. While the spear phishing email appears to be from a trusted source, in actuality the sole purpose is to obtain confidential information. This scheme allowed the perpetrator to obtain Mr. Krohn's Google email account with the credentials Mr. Krohn provided.”

“The perpetrator was then able to access a computer system maintained by Google, which provides hosting services for Mr. Krohn's Google account,” it continues. “We are unaware of any evidence to support that the perpetrator gained access to the Bitpay computer system or device. The ultimate transfer of bitcoins did not result from the perpetrator's access to the Bitpay computer system or device. Ultimately Mr. Krohn's superiors made the decision to send bitcoins in three separate transactions, prior to receiving payment...”