Payment Processor Hacking – 1,295 Bitcoins Stolen

BIPS, based in Copenhagen, one of Europe’s largest bitcoin payment processors, was breached last week. 1,295 bitcoins, worth around $1,000,000, were stolen. It is believed that a two-stage attack was employed – DDoS followed by hack – was employed.

BIPS primary service is to allow merchants to take payment in bitcoins, and then exchange them for other currencies. Part of the service it provides is access to bitcoin wallets to allow people to store their bitcoins free of charge. Attackers broke into the system and transferred the bitcoins to their own wallet/accounts.

It is understood that the  attack began on 15th November with what is described as a ‘massive DDoS attack.’ Two days later,  this was followed by a follow up attack that disabled the site and overloaded the managed switches and disconnected the iSCSI connection to the SAN on BIPS servers.

A written statement the company commented, “Regrettably, despite several layers of protection, the attack caused vulnerability to the system, which has then enabled the attacker/s to gain access and compromise several wallets.” BIPS believes the two attacks were related, and that the DDoS attack originated from Russia and neighbouring countries.

The BIPS CEO, Kris Henriksen, said most of the missing funds were ‘from the company’s own holdings’. BIPS uses an algorithm, based on the economic principles of supply and demand, to calculate out the number of bitcoins it needs to keep… in its ‘hot wallet’. It is not believed that the success of the attack was due to any vulnerability in the code itself.

David Harley, ESET senior research fellow, commented that the attack is symptomatic of the increasing overlap of virtuality into reality. “Bitcoin, and similar operations such as Litecoin, are of particular interest to cybercriminals because they can be used to purchase real assets, not just virtual assets. Rather like,” he says, “the way that ‘treasure’ and currency from online games and virtual environments like Second Life have spilled over into real life and real-life cybercrime in recent years.”

It has been speculated that the lack of central regulation may make virtual assets easier to exploit and virtual currencies are already targeted by malicious code such as Win32/Delf.QCZ, CoinMiner, and MSIL/PSW.LiteCoin.A.  There is, however, a great deal that can be done to protect against this malicious activity – implementing appropriate intrusion detection and prevention measures, following good systems and application patching practices, regular penetration testing and being cautious about the sort of social engineering that phishing crews employ.

Ironically, the lack of regulation has proved to be both a blessing and a curse in this instance. It would appear that that the same characteristics that made this kind of payment system so popular are the same ones that now prevent people from getting their stolen money back.

If your business needs help with security reviews, penetration testing or web security solutions, please contact Krypsys on 01273 044072 or [email protected].