Bitstamp Hot Wallet Hack: Difference between revisions

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Bitstamp Logo/Homepage

Bitstamp was one of the largest and most widely used exchanges at the time. Multiple services such as ATMs sourced their liquidity from Bitstamp. A phishing attack tricked Bitstamp into releasing wallet backup files and pass phrases. Bitstamp has since set up multi-signature hot wallets through BitGo, while the majority of funds remain in cold storage. No customers of the exchange appear to have lost their funds in the incident as Bitstamp has reportedly covered all losses.

^{[1][2][3][4][5]}

https://web.archive.org/web/20150702005806/https://www.scribd.com/word/removal/270137312

https://www.pymnts.com/news/2015/bitstamp-goes-dark-after-possible-hack/

https://davidgerard.co.uk/blockchain/2017/11/22/correction-huobi-wasnt-hacked-in-2015-but-the-2015-bitstamp-hacker-did-withdraw-12000-btc-from-huobi/

https://www.reddit.com/r/Bitcoin/comments/2re2pw/18864_coins_stolen_from_stamp_that_doesnt_look/

https://www.reddit.com/r/CryptoCurrency/comments/7eho5y/tether_was_hacked_by_the_same_person_who_hacked/

https://www.ccn.com/bitcoin-exchange-just-lose-12-bitcoins-possible-bitstamp-hack-address-contains-18866-stolen-btc/

https://web.archive.org/web/20221206090614/http://www.reddit.com/r/Bitcoin/comments/2re2pw/18864_coins_stolen_from_stamp_that_doesnt_look/

https://web.archive.org/web/20221109113756/https://www.reddit.com/r/Bitcoin/comments/3bpdb4/bitstamp_incident_report_22015/

https://web.archive.org/web/20220909002622/https://www.reddit.com/user/coinleak/

About Bitstamp

Bitstamp was originally founded in 2011^[6], reportedly by the "Merlak brothers"^[7]. Bitstamp has been reported as being based in Slovenia^[6][7] and based in Luxembourg. Bitstamp is the world's longest-running cryptocurrency exchange^[8].

A significant portion of the initial investment in Bitstamp at the time came from Pantera Capital^[9].

"Bitstamp is a cryptocurrency exchange based in Luxembourg. It allows trading between fiat currency, bitcoin and other cryptocurrencies. It allows USD, EUR, GBP, bitcoin, ALGO, XRP, Ether, litecoin, bitcoin cash, XLM, Link, OMG Network, USD Coin or PAX deposits and withdrawals."

"Bitstamp makes trading easy, fast & reliable. With 24/7 support, staking and bank-grade security & insurance. Since 2011."

"The company was founded as a European-focused alternative to then-dominant bitcoin exchange Mt. Gox. While the company trades in US dollars, it accepts fiat money deposits for free only via the European Union's Single Euro Payments Area, a mechanism for transferring money between European bank accounts."

Wikipedia: ^[8]

Homepage: bitstamp.net^[10]

Twitter: Bitstamp

The Reality

At the time of the attack, no cryptocurrency platforms were yet using multi-signature wallets. Bitstamp's staff stored backups of the private keys and passphrase on networked computers. The system administrator was not properly trained to defend against phishing attacks.

A wallet file (named wallet.dat) was encrypted with only a simple passphrase, which was also stored online.

What Happened

Bitstamp lost close to 19,000 BTC from the exchange’s hot wallet after a successful phishing attack against staff.

Technical Details

The attack against Bitstamp was a spearphishing campaign^[7]. Multiple employees of the platform appear to have been targeted with friendly emails and Skype communication^[7]. The most significant part of the attack was a successful phishing of the system administrator, an individual named Luka Kodrich^[7].

Luka was tricked into clicking on a link and downloading malware onto the Bitstamp work computer^[7], allowing the attacker to access multiple PCs. While the wallet and passphrase were stored on separate computers, computers in the system were all networked together, and the attacker with system administrator level access was able to get both the wallet.dat file and the passphrase required to unlock it. These were copied to a server run by a German hosting provider and subsequently used to withdraw close to 19,000 bitcoin.

Spearphishing Campaign

"Surprisingly, a banal phishing attack was used by hackers — the exchange employees received personal emails and messages in Skype from seemingly friendly sources.”^[7]

“Six employees of Bitstamp were targeted in a weeks-long phishing attempt leading up to the theft of roughly $5m in bitcoin in January, according to an unconfirmed incident report said to be drafted internally by the bitcoin exchange.”

“What’s maybe even more surprising is that the person responsible for security, Bitstamp system administrator Luka Kodrich, clicked the link and downloaded malware onto the working computer, after which the exchange was hacked. Bitstamp hurried to notify traders about what was happening, however, the attackers had already stolen the funds.”^[7]

Wallet/Passphrase Files Copied

A wallet file (named wallet.dat) was encrypted with only a simple passphrase, which was also stored online.

“On this occasion, Mr.Kodric[h] was certain that these logins were not made by him, and must therefore have been the attacker. Analysis indicates that the attacker accessed LNXSRVBTC, where the wallet.dat file was held, and the DORNATA server, where the passphrase for the bitcoin wallet was stored, before data was transferred out to both servers to IP 1**.**.***.**8, which is part of a range owned by a German hosting provider. We suspect that the the attacker copied the Bitcoin wallet file and passphrase at this stage [...]”

Withdrawal of Funds

“Together the wallet and passphrase would have enabled the attacker to steal bitcoins from the Bitcoin wallet.”

Links To Tether Hack

“A wallet associated with [the] $31 million Tether hack has been linked to previous bitcoin exchange thefts numbering in the tens of thousands of bitcoins.”

No, the team and physical operations remain in the EU. Some of our team was in the US during the breach, but no operations were moved.^[15]

Blockchain Information

Thief Wallet Address: 1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf^[27]

First Blockchain Transaction: a32697f1796b7b87d953637ac827e11b84c6b0f9237cff793f329f877af50aea

Total Amount Lost

Despite the initial announcement from Bitstamp being clear that the amount was "less than 19,000 BTC"^[6], the amount lost is consistently reported as 19,000 BTC across almost all major sources^{[18][24][25][26][6]}.

Various sources have reported this amount as "equivalent to $5 million", "$5.000k"^[25], "5,000,000.00"^[24], "$5 million"^[6], "more than $5 million"^[18], and "about $5.1m at press time"^[16].

There is no reason to believe that any personal information was compromised^[15].

The total amount lost has been estimated at $5,100,000 USD.

Immediate Reactions

Halting Of Platform

The compromise affected some of Bitstamp's operational wallets, leading to the suspension of deposits and ultimately a temporary shutdown of the platform^[16]. BitStamp temporarily suspended its services and urged customers not to deposit funds into previously issued Bitcoin deposit addresses^[18]. The exchange assured customers that the breach, affecting some operational wallets, would not impact consumer assets, as the overwhelming majority of Bitstamp's Bitcoin reserves are stored in secure offline cold storage systems^[18].

The Bitstamp platform was taken offline on January 5th^[15]. Bitstamp provided a justification for this on multiple occasions^[15][9]:

We took the decision to rebuild our systems from the ground up from a secure backup for a few reasons. By redeploying our system from a secure backup onto entirely new hardware, we were able to preserve the evidence for a full forensic investigation of the crime. We have also taken this time to implement a number of new security measures and protocols so that customers can resume using Bitstamp with full confidence and trust. While this decision means we have not been able to provide you with services for a number of days, we feel this extra measure of precaution was in the best interest of our customers.

As an additional security measure, we suspended our systems and disabled our website to preserve the forensic environment, to engage with authorities to fully investigate the incident, and to redeploy from a secure backup a totally new instance of our code and platform on totally new hardware. We also moved our hosting location from a local hosting site to Amazon Web Services (in the EU) and implemented multi-sig technology to further improve security—the first major exchange to do so.

Report of Platform Breach

Bitstamp, reported the security breach resulting in the loss of less than 19,000 BTC (approximately $5.1 million)^[16]. Bitstamp assured customers that funds held prior to the service suspension would not be affected, emphasizing that the majority of its Bitcoin reserves are stored in secure offline cold storage systems^[16]. The exchange reported they were actively collaborating with law enforcement in an ongoing investigation^[16]. Bitstamp's CEO, Nejc Kodrič, stated that the breach represents only a small fraction of the total Bitcoin reserves, and efforts are underway to transfer a secure backup of the platform to a new environment, with plans to resume services in the coming days^[16].

"Bitstamp customers can rest assured that their bitcoins held with us prior to temporary suspension of services on January 5th (at 9 am UTC) are completely safe and will be honored in 'full.

On January 4th, some of Bitstamp's operational wallets were compromised, resulting in a loss of less than 19,000 BTC. Upon learning of the breach, we immediately notified all customers that they should no longer make deposits to previously issued bitcoin deposit addresses. As an additional security measure. we suspended our systems while we fully investigate the incident and actively engage with law enforcement officials.

This breach represents a small fraction of Bitstamp's total bitcoin reserves, the overwhelming majority of which are are held in secure offline cold storage systems. We would like to reassure all Bitstamp customers that their balances held prior to our temporary suspension of services will not be affected and will be honored in full.

We appreciate customers' patience during this disruption of services. We are working to transfer a secure backup of the Bitstamp site onto a new safe environment and will be bringing this online in the corning days. Customers can stay informed via updates on our website, on Twitter (@Bitstamp) and through Bitstamp customer support at support@bitstamp.net."

Ultimate Outcome

Trading on the Bitstamp platform was resumed on January 9th. A Relaunch FAQ was posted shortly afterward on January 12th. Bitstamp ultimately improved their platform security as a result, implementing multi-signature security. The same attacker appears to have succeeded at breaching Tether, however those funds were quickly frozen.

Redeployment on New Hardware

Bitstamp redeployed "on 100% new hardware deployed from a completely secure backup of our code and data"^[9].

This new hardware was apparently using Amazon Web Services. "Bitstamp is now running on Amazon’s world-class AWS cloud infrastructure, architected to be one of the most secure and reliable cloud computing environments available."^[9]

Implementation of Multi-Sig Wallet

Bitstamp implemented a multi-signature wallet, in partnership with BitGo^[20]. Bitstamp described themselves as "the first and only major bitcoin exchange to incorporate the industry's best security practices available today"^[9].

Resumption of Trading

Trading resumed on January 9th, and customers can deposit and withdraw bitcoins securely^[15].

Customers were given a full week of commission-free trading on the platform^[9].

On a personal note, I’d like to thank the incredible teams at Bitstamp and at our lead investor Pantera Capital who have worked around-the-clock from multiple time zones in the last few days. I’m incredibly proud of the herculean work of this extended team, and grateful to the phenomenal show of support from customers, friends, and partners in the bitcoin community.

Relaunch FAQ Posted

The platform shared a "Relaunch FAQ" post after the site was already back online. This covered over the reason for suspension, that the breach only affected a small fraction of Bitstamp's total bitcoin reserves, and that the majority of customer funds were held in secure offline cold storage systems. Bitstamp assured that no customer bitcoins held prior to the suspension were compromised, and Bitstamp is committed to reimbursing all legitimate deposits affected by the breach. As a gesture of gratitude to loyal customers, Bitstamp waived all commission fees for one week. The exchange has implemented additional security measures, including moving to Amazon Web Services, integrating multi-sig technology, and changing hosting locations^[15].

Improved Security Policies

According to Bitcoin Magazine, as a result of this theft, Bitstamp's security policies changed to store 98% of bitcoin in cold storage^[26]. CoinTelegraph reports that "carrying out transactions on Bitstamp [now] requires using multisignature, and 98 percent of the cryptocurrency is stored in a cold wallet"^[7].

Third Party Coverage

The incident was included in SlowMist^[28] and listed as one of the six biggest hacks of all time by CoinSutra^[6].

Same Wallets Used In Hack Of Tether Stablecoin

“A wallet associated with [the] $31 million Tether hack has been linked to previous bitcoin exchange thefts numbering in the tens of thousands of bitcoins.”

In 2017, a $31 million Tether hack was linked to the previous Bitstamp theft involving tens of thousands of bitcoins^[23]. The Tether development team disclosed the hack of its hot wallet, and an analyst discovered a connection between the wallet used in the Tether hack and those involved in the 2015 Bitstamp bitcoin exchange theft of over 18,500 BTC, valued at $5 million then and over $150 million today^[23]. The hacker, who seems to have stolen at least $250 million in current value, brazenly linked wallets from multiple hacks, even connecting them to LocalBitcoins transactions from 2015^[23]. The analyst suggests that the hacker either disregards the power of blockchain analytics tools or is ignorant of their capabilities^[23].

Total Amount Recovered

It is unclear whether customer funds were covered by the Bitstamp platform. A CoinTelegraph article reports that "[c]ompensation did not followed (sic)"^[7], however other sources seem to suggest that the platform continued operating and fully reimbursed customers^[6].

“all BTC held with [Bitstamp] prior to the temporary suspension of services were honored in full.”

"We would like to reassure all Bitstamp customers that their balances held prior to our temporary suspension of services will not be affected and will be honored in full."^[6]

It is unclear if Bitstamp has made any progress on recovering the funds which were taken.

Ongoing Developments

TBD

Investigation With Law Enforcement

Bitstamp is reportedly working with law enforcement agencies on an investigation^[15]. On their FAQ, they stated they are "working closely with US and international law enforcement agencies specializing in digital-currency" but did not elaborate on which law enforcement agencies are involved^[15].

General Prevention Policies

Coming soon.

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References