BitNZ MailJet Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

BitNZ Logo/Homepage

BitNZ was a cryptocurrency exchange based in New Zealand, which operated since 2011. MailJet is an email delivery service which assisted with sending out emails, including for password resets. Coins were generally stored and withdrawn from a hot wallet, automatically based on customer request. An attacker was able to breach the MailJet service, which allowed them to view outgoing emails from BitNZ. Using that access, they could reset customer credentials and initiate withdrawals in cases where the customer did not enable 2FA. BitNZ took responsibility and repaid customers who lost funds. BitNZ continued to operate until eventually shutting down in 2017 over banking difficulties.

[1][2][3][4][5][6][7][8][9]

About BitNZ

BitNZ was a cryptocurrency exchange based in New Zealand which had operated since 2011.

Homepage:[10]

Founder Danial Newton

“Danial Newton [was] the administrator of bitnz”

Reddit Username: djpnewton[4]

The Reality

BitNZ used a MailJet account for sending outgoing mail, including customer password reset emails. Based on the events which occurred, this account appears to have had limited protections against unauthorized access.

MailJet provided advanced warnings about the breach[11][12].

Hello,

I am contacting you regarding a data security incident that occurred for a duration of 57 seconds at 11am UTC on July 30th, 2014. We believe a very small percentage of a database may have potentially been exposed to unknown third parties due to this incident. We can assure you that none of your encrypted billing information was compromised.

Please know we have taken the necessary steps to address this particular incident. As of right now, we have reinforced all firewalls and updated all of the credentials on our servers. Additionally, we are closely monitoring all activities on our SMTP servers in real-time and continue to monitor for any unauthorized access to our servers.

As an additional precaution, we strongly recommend that you reset your Mailjet account password as soon as possible.

We sincerely apologize for the occurrence of this incident, regret any inconvenience it may cause, and encourage you to contact our support desk here should you have any additional questions or concerns. Any further updates regarding this incident will be communicated on our status page.

Mailjet takes this incident very seriously and is committed to fully protecting all of the information you entrusted to us.

Sincerely,

Alexis Renard

CEO of Mailjet

What Happened

“On Monday, 11 August 2014 at 3am NZ time, \~39 bitcoins were stolen from bitNZ.”[4]

Key Event Timeline - BitNZ MailJet Hack
Date Event Description
July 30th, 2014 5:00:00 AM MDT MailJet Reportedly Warns About Incident MailJet reportedly sent 2 emails to users of their service, warning them to change API keys[11].
August 8th, 2014 4:57:14 AM MDT First Deposit To Donation Address The first deposit of 0.02859706 bitcoin is sent to the donation address. This happened before the breach occurred, which suggests that the wallet was already in active use and reused as a donation wallet[13].
August 10th, 2014 9:00:00 AM MDT Bitcoin Theft “On Monday, 11 August 2014 at 3am NZ time, \~39 bitcoins were stolen from bitNZ.”[4]
August 11th, 2014 10:07:00 AM MDT First Donation To Donation Address What is believed to be the first donation of 0.01292593 bitcoin is sent to the donation address[13].
August 11th, 2014 7:22:55 PM MDT Reddit Announcement Made Danial Newton, the administrator of BitNZ, posts on Reddit to announce the theft and the method of breach. According to the post, the thieves were able to get into the BitNX MailJet account and intercept all outgoing mail from the exchange service. From this access, they could intercept password reset emails and access/withdraw bitcoin funds of any account without 2-factor authentication enabled. Danial states that he will cover the losses, although an address is provided if anyone wishes to contribute towards it[4].
February 8th, 2017 2:10:15 AM MST BitNZ Exchange Shuts Down BitNZ posts on Reddit to announce ther they are shutting down their services due to difficulties in obtaining banking, after having processed some 11,000 bank transactions[2]. Other platforms including News.Bitcoin.com[14], CCN[15] and CoinTelegraph cover the news, with CoinTelegraph claiming that there was full compliance with the KYC/AML regulations[16].

Technical Details

“Danial Newton, the administrator of bitnz in a reddit post explained that he believes that the perpetrator gained access to the exchanges outward mail queue at MailJet.com and then set about resetting people’s accounts and intercepting the reset codes.”

“Our email relay service provider was hacked which enabled the attacker to view all outgoing emails. The attacker used this information to reset user passwords and intercept the password reset email. If the user did not have 2FA the attacker was able to log on as the user and initiate a withdrawal. At the moment I am still analysing the the event and making sure the vulnerability is plugged (revoke email relay access, reset passwords/api-keys, purge sessions, check if user emails were modified etc).”

Total Amount Lost

The total amount lost was reported as ~39 BTC[4] and this value has been estimated at $23,000 USD.

Immediate Reactions

The BitNZ administrator named Danial posted on Reddit to announce what had happened.

Ultimate Outcome

The BitNZ exchange ultimately shut down in 2017 with an inability to obtain further banking.

“In mid-February, New Zealand bitcoin exchange BitNZ revealed it was ‘impossible’ to continue operations claiming New Zealand banks’ refusal to offer banking services to the platform. BitNZ, which has been functional since 2011, claimed to have processed over 11,000 bank transactions” “The New Zealand Bitcoin exchange Bitnz has recently announced to its customers it will be closing its doors soon. The company explains the unfortunate closure is due to a New Zealand banking system that won’t allow Bitcoin operations to hold bank accounts.” “Questions over bitNZ’s compliance with AML/KYC requirements were quickly answered, with the exchange having complied in full.”

Total Amount Recovered

Danial stated that he would cover losses for all users and so it is believed that all user losses were covered.

Donation Address:[17]

Ongoing Developments

There are no ongoing developments as the platform has been shut down. It is unclear whether there is any further investigation going on into the culprits.

Individual Prevention Policies

All funds were ultimately reimbursed by the platform. This case does not appear to have resulted in a loss to any individual. Individuals should ensure that 2FA is enabled on accounts and that they are using reputable platforms whenever possible.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The exploit suggests that all the coins taken were stored in a hot wallet, so smaller reserves or any sort of time delay would have reduced the losses. Any platform protecting the funds in cold storage would have also been protected the moment the withdrawals were noticed as suspicious, and a multi-signature wallet can protect against an issue with a single administrator.

2FA was supported but not enabled on many accounts. 2FA was a big part of the strategy following the incident.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. New Zealand Exchange Bitnz.com hacked, 39 bitcoin stolen. - MineForeman.com (Accessed Mar 3, 2020)
  2. 2.0 2.1 Bitnz shutting down due to bank hostility - NZBitcoin Reddit (Accessed Mar 3, 2020)
  3. Bitnz Offline? down for maintenance - BitcoinTalk (Accessed Mar 3, 2020)
  4. 4.0 4.1 4.2 4.3 4.4 4.5 bitNZ Announcement - NZBitcoin Reddit (Accessed Mar 3, 2020)
  5. https://old.reddit.com/r/Bitcoin/comments/2dapx7/new_zealand_bitcoin_exchange_hacked_via_mail/ (Accessed Sep 20, 2024)
  6. https://old.reddit.com/r/newzealand/comments/2db20b/bitnz_bitcoin_exchage_announcement_our_email/
  7. https://web.archive.org/web/20140209211037/https://bitnz.com/
  8. https://web.archive.org/web/20130817060344/https://bitnz.com/
  9. https://en.bitcoin.it/wiki/BitNZ
  10. BitNZ Homepage Archive August 17th, 2013 12:03:44 AM MDT (Accessed Sep 25, 2024)
  11. 11.0 11.1 "Unfortunately this possibly could have been prevented - Mailjet sent at least two emails to users before this attack regarding the data security incident that occurred for 57 seconds at 11am UTC on July 30th, 2014. The emails asked users to reset their passwords and API keys." - Reddit (Accessed Sep 20, 2024)
  12. Warning From MailJet - Pastebin (Accessed Sep 25, 2024)
  13. 13.0 13.1 0.01292593 Donation Transaction - Blockchain.com (Accessed Sep 20, 2024)
  14. New Zealand Exchange Bitnz Shuts Down Due to 'Banking Hostility' - News.Bitcoin.com (Accessed Mar 3, 2020)
  15. New Zealand Sees New Bitcoin Exchange after BitNZ Shutdown - CCN (Accessed Mar 3, 2020)
  16. Flagship New Zealand Exchange bitNZ Refused Banking, Shuts Down - CoinTelegraph (Accessed Mar 3, 2020)
  17. https://www.blockchain.com/explorer/addresses/btc/1NAVXrA8NnXURzdFNLf79p8YoLPBBfwnFi (Accessed Sep 4, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=BitNZ_MailJet_Hack&oldid=6184"