8/18/2019 270137312 Bitstamp Incident Report 2-20-15
Bitstamp Incident Report
Privileged and Confidential
February 20, 2015
Table of Contents

I. INTRODUCTION
A. Company Background.
B. Fundamentals of Bitcoin.
C. Bitstamp's transactional process.
II. INITIAL DISCOVERY AND RESPONSE TO THE INCIDENT
A. Discovery of the Breach.
B. Entry point.
C. Incident Response Team.
D. Redeploying our Trading Platform.
E. Ensuring Transparency.
F. Initial Damages Estimate.
III. CHRONOLOGY OF EVENTS FROM STROZ INVESTIGATION
IV. TECHNICAL ANALYSIS.
A. Materials Relied Upon.
B. Damian Merlak's Laptop.
C. Tomaz Rozman's Laptop.
D. Miha Grcar's Laptop.
E. Miha Hrast's Laptop.
F. Luka Kodric's Laptop.
G. Server Analysis.
H. Other Media.
V. CONCLUSION
APPENDICES A – C.
I. INTRODUCTION.

This is a confidential report prepared by George Frost, General Counsel of Bitstamp Limited ("Bitstamp" or the "Company"). ... We have identified at least one of the hackers and are baiting a "honey trap" to lure him into the UK in order to make an arrest. Moreover, we need to be very careful not to educate other criminal hackers about how we safeguard our assets and information. Accordingly, no part of this report may be made public or given to a third party without the prior express written permission of Bitstamp Ltd.

A. Company Background.

Bitstamp Limited is a UK chartered firm. At this time the firm also maintains approximately twenty-five support staff and servers in Slovenia, where the firm was founded. Bitstamp is creating a new operating company in Luxembourg, and is in the process of seeking licensing in Luxembourg as a payments provider. The new company will service only European customers. Similarly, a USA operating entity is also being established, which will serve only US residents.

Bitstamp operates a math-based "crypto-currency" trading platform via the World Wide Web, and has approximately 5,000 verified customers around the world, primarily based in Europe.

1 Founded in 2000, Stroz Friedberg is an international investigations firm specialising in digital forensics, electronic disclosure, data breach and cybercrime response, as well as business intelligence services and investigations. Stroz Friedberg's management includes former prosecutors and former law enforcement officers with both government and private-sector experience in traditional and cyber-based investigations, digital forensics, data preservation and analysis, infrastructure protection, and electronic discovery.

Bitstamp's primary business is providing a marketplace that facilitates the purchase, trade and exchange of "Bitcoin" between customers by the creation and maintenance of Bitstamp accounts.

B. Fundamentals of Bitcoin.

Bitcoin is a digital, decentralized, partially anonymous protocol and currency that is not backed by any government or other legal entity. Bitcoin utilizes peer-to-peer transactions that are verified and recorded in a distributed public ledger called the "blockchain." Consequently, users of bitcoin can make transactions over the Internet directly with other users without needing an intermediary such as a bank. (Bitstamp's customers, however, utilize Bitstamp as an intermediary to maintain their bitcoin for them in a trading account. See below.)

Bitcoin utilizes public-key cryptography, which requires two separate cryptographic "keys" ... whether its corresponding private key has been used in a given cryptographic function. In the case of Bitcoin, the private key is used to create a digital signature for every transaction; the private key thus acts as confirmation of ownership of the bitcoins involved, and it should never be shared. The corresponding public key can then be used to verify the digital signature of the transaction, i.e. that the initiator is indeed the owner of the bitcoins for that transaction. Public keys are also used to generate Bitcoin addresses to receive bitcoins from a transaction; only the holder of the corresponding private key can access the bitcoins in the address generated from the public key.

A Bitcoin address is an identifier of 26-35 alphanumeric characters, an example of which is J78t1WpEZ9CNmiecrnyiWrnqRWNLy. Bitcoin addresses are generated by "hashing" the public key. Hashing is a process by which a known algorithm, or mathematical formula, is calculated across a set of data, turning a large amount of data into a fixed-length hash value. The same hash value will always result from the same data. Modifying the data in any way will inevitably change the hash value. The resultant hash value is then converted into a format named Base-58. Base 58 is an encoding system that removes ambiguous characters, such as 0 and O. To complete the Bitcoin address, an identifying number of either 1 or 3 is added to the beginning, indicating that the address is a public Bitcoin network address representing a possible destination for a Bitcoin payment.
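The encoding step just described, worked through in Python as an added example (not part of the report): a 20-byte public-key hash is prefixed with a version byte, given a 4-byte double-SHA-256 checksum (the standard Base58Check form, which the report does not spell out) and Base58-encoded, so that version 0x00 yields the "1..." addresses and 0x05 the "3..." addresses. The hash160 value is constructed rather than derived from a real key, and the decoder shows the defensive side: a mistyped or altered deposit address fails its checksum instead of silently directing funds elsewhere.

```python
import hashlib

# Base58 alphabet used by Bitcoin: 58 symbols with 0, O, I and l deliberately
# left out so that visually similar glyphs cannot be confused when an address
# is read aloud, printed or re-typed.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(payload: bytes) -> str:
    """Encode bytes as Base58; every leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(payload, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading_zero_bytes = len(payload) - len(payload.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + "".join(reversed(digits))


def base58_decode(text: str) -> bytes:
    """Inverse of base58_encode; rejects any character outside the alphabet."""
    n = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not a Base58 character")
        n = n * 58 + idx
    leading_ones = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_ones + body


def checksum(data: bytes) -> bytes:
    """Base58Check checksum: the first 4 bytes of SHA-256(SHA-256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def address_from_hash160(hash160: bytes, version: int) -> str:
    """Build a Base58Check address from a 20-byte public-key hash.

    version 0x00 produces the '1...' form described in the report, 0x05 the '3...' form.
    """
    if len(hash160) != 20:
        raise ValueError("hash160 must be exactly 20 bytes")
    payload = bytes([version]) + hash160
    return base58_encode(payload + checksum(payload))


def validate_address(address: str):
    """Return (version, hash160) if the address decodes and its checksum verifies."""
    raw = base58_decode(address)
    if len(raw) != 25:
        raise ValueError("address must decode to 25 bytes")
    payload, check = raw[:21], raw[21:]
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return payload[0], payload[1:]


def is_valid_address(address: str) -> bool:
    try:
        validate_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed 20-byte value standing in for hash160(public key); not a real key.
    sample_hash160 = bytes(range(1, 21))
    for version in (0x00, 0x05):
        addr = address_from_hash160(sample_hash160, version)
        print(f"version 0x{version:02x}: {addr} valid={is_valid_address(addr)}")
```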
A Bitcoin "wallet" is a collection of private keys for a given user. The keys relate to the user's Bitcoin addresses, and provide the ability to conduct transactions to or from those addresses. A wallet is contained within a client, which is the software package providing the user with an interface to the Bitcoin network. A common name for a Bitcoin client wallet file is wallet.dat. A growing number of companies offer wallet services to their customers, and safeguard their bitcoin for them.

When a Bitcoin transaction takes place, the information about that transaction is stored within the "blockchain." The blockchain records how many bitcoins were involved in the transaction, the address they came from and the address to which the bitcoins were transferred. The "blockchain" ledger is public, making it possible (although a bit arduous, until an automated search system is developed) to review historical transactions to determine how many bitcoins are held by each address and from where those bitcoins originated.
C. Bitstamp's transactional process.

Bitstamp's current transaction process works as follows:2 A customer opens an account with Bitstamp through its website at https://www.bitstamp.net/. During the signup process, Bitstamp requires the customer's name, address, and proof of identity as part of its 'Know Your Customer' (KYC) policies and anti-money laundering (AML) procedures. No banking details or bitcoin deposit addresses are provided to customers until these checks have been completed. Once a customer's account is opened, that customer can deposit cash from a bank account in their name to the Bitstamp client account, which is held with one of several commercial banks.

2 Our service providers and certain process features will change once we are operational in Luxembourg, and we will be adding more safeguards to this system, as detailed in our extensive filing with the CSSF.

When funds are received from users into the Bitstamp client account, these are processed and credited into the user's ledger within Bitstamp's system as soon as possible. Bitstamp insists that all deposits into its bank account must come from a bank account in the user's name because the bank provides this information to Bitstamp. This helps prevent fraud, and ensures that Bitstamp will credit the correct user ledger in its system. Once we have completed our AML procedures in relation to that user, a unique reference number is then automatically generated for that user. Our customers are required to use this as a reference on funds they transfer into Bitstamp's account with our bank (Reiffeisen, although we have other backup banks) to identify the ledger to which the funds should be credited.

The user's ledger with Bitstamp is in two parts – there is a balance in US dollars, and a balance in bitcoins (which will be 0 when the ledger is first opened). Although Bitstamp accepts deposits in almost all currencies, when funds are received they are imported into our system and allocated to a user's ledger converted into US dollars, which is done automatically using the Reiffeisen bank daily exchange rate. The ledger balance in Bitcoins is the user's Bitcoin wallet held within the Bitstamp system. Once the funds received have been credited to the user's Bitcoin ledger, they can trade on the platform and purchase Bitcoins.

The transfer of funds into bitcoins is not automatic; each user decides when and at what price he or she wishes to purchase (and sell) bitcoins. The user is fully in control of the transaction; Bitstamp simply provides the trading platform and credits user ledgers with funds received from Reiffeisen bank. When a user has funds in their account and wishes to use these to buy bitcoins, they will place an order. The dates and times of each order are recorded, although there can be a small delay between the order being placed and the trade taking place.

3 This is shown as "opened instant buy order" or "opened limit buy order" ... two different ways in which a user may wish to buy Bitcoins. An instant order is where the user instructs Bitstamp's system immediately to buy Bitcoins using a certain number of dollars or sell a set number of Bitcoins. This, and all other orders, can be seen in the "order book" which is visible to all users on Bitstamp's website. The order book is a list of all orders that have been placed by Bitstamp's users. On receipt of an instant order, the system will immediately search the order book for the lowest price at which someone is willing to sell or buy Bitcoins and will use the specified funds to purchase or sell Bitcoins as appropriate. In the case of instant sell orders the highest price which is offered for the purchase of Bitcoins is used. In the case of instant buy orders the lowest price which is offered for the selling of Bitcoins is used. If there are an insufficient number of Bitcoins on sale at that lowest asking price to complete the order to the amount of US dollars the user has specified should be used, the system automatically searches again in 1 second intervals and will then purchase Bitcoins at the lowest possible price at that time, using the remaining dollars. The system continues to perform this process until all the funds specified by the user have been converted to Bitcoins, or until all the Bitcoins have been sold. The other type of order listed is a limit order. This is where a user specifies the number of Bitcoins he or she wishes to buy or sell, and the price at which he wants to buy or sell them. The system will then search all orders in the order book to match up the request with another order at the same price and then carry out the trade automatically. This means that the user does not need constantly to search the system for the price he or she wants, or wait until the right price becomes available. He can place the order and the system will perform the transaction when it finds the same price. If the system is only able to find 50% of the desired number of Bitcoins for sale at the price requested, it will purchase those Bitcoins and then wait until it next finds the remaining number of Bitcoins for sale at the price requested. Thus the entire order may take several minutes, or hours, to complete, depending on the availability of the number of Bitcoins for sale or purchase at the right price.

When the system has matched up an order to sell bitcoins with an order to buy bitcoins, it automatically transfers the bitcoins from one user's bitcoin ledger to the other user's bitcoin ledger. The other type of transaction shown is a bitcoin withdrawal request, where bitcoins are withdrawn to a bitcoin wallet that may be a Bitstamp bitcoin wallet (i.e. a user bitcoin ledger) or a bitcoin wallet held outside the Bitstamp exchange. This is fairly simple, and on both types of history provides a record of the date on which the user requested that a certain number of bitcoins be withdrawn from his or her ledger. It is possible to see the bitcoin wallet address to which the bitcoins were withdrawn. The withdrawal process is an automatic process; it is not done manually.

Once bitcoins are removed from the user's unique bitcoin ledger in Bitstamp's system, the transaction is generally irreversible. The whole bitcoin system was set up in this way so as to provide (partial) confidentiality and certainty for users, and to avoid the risk of charge backs (like those experienced by credit card users) which would bring uncertainty to transactions.

Bitstamp generates its transactional revenue by taking a percentage fee (graduated based on volume) from the dollar value of each trade. Bitstamp does not "monitor" individual trades and transactions as they are being performed. It would be virtually impossible to do so: up to ,000 users may be accessing the site every second.

Bitstamp will outline its security procedures below.
II. INITIAL DISCOVERY AND RESPONSE TO THE HACKING INCIDENT.

A. Discovery of the Breach.

Bitstamp first learned about the hacking incident on the evening of Jan. 4th. The CTO, Damian Merlak, first noticed the loss of bitcoins from the Bitstamp wallet at circa 200 CET on 4 January 2015. Mr Merlak was in the USA, so he notified David Hosonik and Luka Kodric to investigate locally. After accessing the servers, Bitstamp staff noted a suspicious data transfer on the network logs, dated 27 December 2014, between 1127-1201 CET. The data transfer was approximately 3.5GB and was sent to an unfamiliar German IP address (185.1.207.128).

The data transfer struck an ominous chord because 3.5GB is the approximate size of the wallet.dat file containing Bitstamp's Bitcoin wallet [see Appendix C for the log file relating to this transfer].

Bitstamp personnel also checked the Bash history and noted file searches that had not been undertaken by our own staff. Mr. Merlak notified the CEO, also en route to the USA on another flight, and the General Counsel, thus activating the Company's emergency response plan.

B. Entry point.

We soon learned from local forensic analysis that the transfer was initiated through a VPN connection from Mr Kodric's laptop to the server hosting the Bitcoin wallet at Bitstamp's data centre (LNXSRVBTC). At the time, Mr Kodric's laptop was in the office and logged in to the network. The VPN connection to the data centre was restricted to three authorised IP addresses: Bitstamp's office IP, Mr Merlak's home IP, and Mr Kodric's home IP. Two-factor authentication was not required to access the data centre from Mr Kodric's laptop while it was logged in to the office network. Bitstamp therefore suspected that the attacker had remotely initiated the VPN connection in the background whilst Mr Kodric was working.

The theft required access to 2 servers in the data centre: LNXSRVBTC and DORNATA. The wallet.dat file was held on LNXSRVBTC. DORNATA held the passphrase to access the bitcoins held in the wallet. Checks by Bitstamp indicated that data was only taken from these two servers. Bitstamp found no evidence of access to other infrastructure. The content of the data transferred was not discernible from the network logs, only the volume of data.

Separately, on 4 January 2015, someone attempted to connect remotely to the Bitstamp office network, again using Mr Kodric's account. VPN connections from an external IP address to the office network require two-factor authentication (as opposed to VPN connections to the data centre from the three permitted IP addresses, which do not). Between 0729–0755 CET, Mr Kodric received nine notifications on his mobile phone to provide secondary authentication for remote access to the office network from his account. These notifications are only generated once the correct username and password are entered. The remote log-in attempts were from an IP address in Romania (107.1.2.7).
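The two signals Bitstamp staff picked up by hand above, a multi-gigabyte transfer from a wallet server to an unfamiliar IP address and a burst of nine unsolicited two-factor prompts after a correct password, can both be turned into automated checks. The Python below is an added example, not part of the report or Bitstamp's tooling; the flow and authentication log lines, the usernames, the WEB01 host and all IP addresses (RFC 5737 documentation ranges) are constructed, while LNXSRVBTC and DORNATA are the server names from the report. The egress rule flags any transfer from a sensitive host to an unlisted destination and only grades it by volume, because a stolen passphrase is tiny and a size-only threshold would have let the DORNATA transfer pass.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (time, source host, destination IP, bytes sent).
# 203.0.113.77 plays the unfamiliar external host; 198.51.100.5 a known backup target.
FLOW_LOG = """\
2014-12-27T11:27:02 LNXSRVBTC 203.0.113.77 1900000000
2014-12-27T11:44:51 LNXSRVBTC 203.0.113.77 1600000000
2014-12-27T11:58:10 DORNATA 203.0.113.77 4096
2014-12-27T12:03:00 LNXSRVBTC 198.51.100.5 52000000
2014-12-27T12:10:00 WEB01 203.0.113.77 900000000
"""

# Constructed VPN authentication records (time, user, source IP, event). A push
# prompt is only sent after a correct password, exactly as the report describes.
AUTH_LOG = """\
2015-01-04T07:29:10 lkodric 192.0.2.44 password_ok
2015-01-04T07:29:11 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:31:40 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:34:05 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:37:52 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:41:19 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:45:00 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:48:33 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:52:14 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T07:55:02 lkodric 192.0.2.44 mfa_push_sent
2015-01-04T08:10:00 dmerlak 203.0.113.10 password_ok
2015-01-04T08:10:01 dmerlak 203.0.113.10 mfa_push_sent
2015-01-04T08:10:20 dmerlak 203.0.113.10 mfa_push_approved
"""

SENSITIVE_HOSTS = {"LNXSRVBTC", "DORNATA"}      # hold wallet.dat and its passphrase
KNOWN_DESTINATIONS = {"198.51.100.5"}           # constructed allow-list of egress peers
EGRESS_THRESHOLD = 1_000_000_000                # 1 GB: wallet-sized, not passphrase-sized


def egress_to_unknown_destinations(flow_log, sensitive_hosts, known_destinations, threshold):
    """Flag every sensitive-host -> unlisted-destination pair; grade by total volume."""
    totals = defaultdict(int)
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, nbytes = line.split()
        totals[(src, dst)] += int(nbytes)
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        if src in sensitive_hosts and dst not in known_destinations:
            severity = "high" if total >= threshold else "low"
            alerts.append({"src": src, "dst": dst, "bytes": total, "severity": severity})
    return alerts


def mfa_push_bursts(auth_log, window=timedelta(minutes=30), min_prompts=5):
    """Find (user, source IP) pairs with at least min_prompts push prompts inside one window."""
    prompts = defaultdict(list)
    for line in auth_log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        if event == "mfa_push_sent":
            prompts[(user, ip)].append(datetime.fromisoformat(ts))
    bursts = []
    for (user, ip), times in prompts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Advance the window start until prompts[start..end] span at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_prompts:
            bursts.append({"user": user, "src_ip": ip, "prompts": best})
    return bursts


if __name__ == "__main__":
    for alert in egress_to_unknown_destinations(FLOW_LOG, SENSITIVE_HOSTS,
                                                KNOWN_DESTINATIONS, EGRESS_THRESHOLD):
        print("EGRESS   ", alert)
    for burst in mfa_push_bursts(AUTH_LOG):
        print("MFA-BURST", burst)
```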
Later on 4 January, the bitcoins started to drain from the Bitstamp wallet. This would not have required access to either the office or data centre VPN, since the attacker(s) already had the wallet.dat file and passphrase (from the 27 December transfers). 5000 bitcoins were in the wallet when it was exfiltrated on December 27, but over 18000 bitcoins were stolen in total due to additional deposits made before the theft was noticed. (Deposit volume was unusually high at this time, and a number of large "short" sellers appeared to have been accessing Bitstamp's market at the time.)

Following our learning of the theft, Bitstamp employees were asked to keep their laptops turned off, and the servers were kept offline (but powered on). The General Counsel also conducted initial interviews and obtained early forensics, preparing to move forward with briefing the outside investigators from Stroz and various law enforcement authorities.
C. Incident Response Team.

Bitstamp immediately formed an incident response team to assess the loss, protect our customers from further attacks, and to investigate the breach. We set up a response in the company's San Francisco offices, shared with our chief investor, Pantera Capital. The General Counsel notified law enforcement in the US and in London,5 and retained the Stroz Friedberg firm to assist us in the investigation.

The Stroz Friedberg team arrived at the Bitstamp office in Slovenia at 7 am on 8 January. After interviewing the staff with knowledge of the incident, they identified and catalogued all relevant electronic media from the office and data centre for analysis. The team followed formal "chain of custody" procedures at each step. The team then commenced taking forensic images of the media, including the following items:

- All 22 laptops that were in use on the corporate network.
- Priority virtual machines from physical servers at the data centre, including a logical capture from the local EMC storage.
- Data from both physical servers in the office (containing several internal virtual machines used on the network).

Approximately 1 Terabytes of data was collected in the first sweep, with further imaging ongoing. In addition to these items, there are two lower priority servers acquired for later analysis.

4 Our primary USA contact is John Rein, Special Agent, US Secret Service, San Francisco Field Office, 15-0-875, jonathan.rein@usss.dhs.gov.

5 Our primary UK contact is Richard Butcher, Major Investigation Team - Crime Directorate, Mobile: (0) 992 521 729, Email: Richard.Butcher@cityoflondon.pnn.police.uk.

D. Redeploying our Trading Platform.

Pursuant to our incident response plan, we immediately retained a security firm (based in Berlin, which had done prior security work for us) to assist us in preventing further losses, identifying what happened and getting our exchange back on line.

Shortly after discovery of the attack, Bitstamp made an expensive but necessary decision to rebuild our entire trading platform and ancillary systems from the ground up, rather than trying to reboot our old system. We did this from a secure backup that was maintained (according to disaster recovery procedures) in a "clean room" environment. We also decided to deploy our distribution network using Amazon cloud infrastructure servers located in Europe.

By redeploying our system from a secure backup onto entirely new hardware, we were able to protect our customers from further mischief from the hacker, and to preserve all the potential evidence on Bitstamp's hard drives and peripherals for a full forensic investigation of the crime. We also took the opportunity to implement a number of new security measures (including multi-sig technology) and protocols so Bitstamp's customers could resume using Bitstamp with full confidence and trust.
E. Ensuring Transparency.

Also according to our incident response plan, we retained an outside firm to assist in messaging and dealing with customers, who were rightly concerned by the hacking incident and wanted assurances that their bitcoin was safe. We wanted to underscore that Bitstamp is not MtGox, in any respect.

The security of our customers' bitcoin and account information is our top priority, and as part of our stringent security protocol we temporarily suspended our services as of 7 a.m. UTC on January 5th. Bitstamp was determined to be forthright and transparent in all our communications to customers and the media. We notified all customers by direct email, and posted updates on a temporary Bitstamp website; aided by our crisis team, we employed twitter, media interviews, and all other means available to keep them informed.

One principal message we needed to get out right away: customers should no longer make deposits to any previously issued Bitstamp bitcoin deposit addresses, which might have been compromised by the hacker. Another key message: all bitcoin held with us prior to the temporary suspension of Bitstamp services are completely safe and will be honored in full.

Our bottom line: no customer bitcoin was lost, and no customer information was compromised. Bitstamp would be back in business as soon as possible, but only when we are certain we can do so safely.

F. Initial Damages Estimate.

Bitstamp is the sole victim in this incident, as the company used its own capital reserves and bitcoin reserves to cover the loss from its hot wallet. No customer funds or bitcoin were compromised, and we have found no reason whatsoever to believe that any customer account information or personal information was compromised.

The hacker was able to steal 18,866 bitcoins from a "hot wallet" residing on one of Bitstamp's servers. The lost coins had a contemporaneous market value of $5,263,614 based on the Bitstamp clearing price of $279 per bitcoin at the time of the theft.

Bitstamp has lost customers, including major clients engaged in providing merchant services in bitcoin, and has suffered significant damage to its reputation, which we are unable to quantify exactly at this point, but which we believe exceeds $2 million. However, it appears that our quick response, transparency, and addition of new safeguards (see below) has won the loyalty of the vast majority of our customers.

In addition, we have paid out approximately $250,000 to programmers hired to rebuild and improve our platform; paid approximately $250,000 (and counting) to the Stroz Friedberg team; and at least $150,000 more for various security reviews, and legal and financial advice. These out of pocket costs are continuing to accrue.

In addition, to prevent future capital losses of this kind, we have contracted with a vendor to provide "multi-sig" technology to better protect our hot wallet (this particular transfer could not have happened today) and hired a skilled technology company, Xapo, to assist in managing our cold wallet. (This level of protection is very difficult to penetrate -- Xapo actually splits apart the individual cold wallet addresses of our depositors, storing them in secret locations in different parts of the world.) Finally, we are acquiring insurance coverage for all bitcoin deposits, thus preserving more of our own capital funds for growth, technological improvements and improved customer service.
III. CHRONOLOGY OF EVENTS FROM STROZ FRIEDBERG INVESTIGATION.

The methodology and technical detail of the investigation conducted by Stroz Friedberg are set out in more detail below. In this section we aim to provide a chronology of the attack as understood following Stroz Friedberg's review. An overview of the attack timeline is provided in Figure 1 below.

Figure 1: Timeline of Attack

The infection vector for the compromise was a targeted phishing campaign, with six employees known to have been targeted by the attacker in November / December 2014. The CTO, Damian Merlak, was the first employee identified as being targeted by the attacker. In November 2014, Mr Merlak was contacted by Skype account punk.rock.holiday from IP address (7.185.85.191). The gambit for this phishing attack was to offer Mr Merlak free tickets to Punk Rock Holiday 2015. (Merlak is keen on punk rock and has played in a band.)

On 20 November, after a number of exchanges demonstrating persistent effort from the attacker, punk.rock.holiday sent a 'participant form' to Mr Merlak [Punk_Rock_Holiday_2015_TICKET_Form1.doc]. This document contained obfuscated malicious VBA script6 designed to call out to an external IP address and pull down a file to the victim computer. Although the document was opened on 20 November and 21 November, there is no indication that the script executed, and none of the indicators of compromise identified on other machines as part of the attack were found on DM's laptop. [See Section III for further technical analysis of this phishing attack.]

6 Visual Basic for Applications (VBA) is a programming language which enables certain functions to be built into the associated application (Word in this instance) and executed automatically. Such functions would include connections to websites or internet addresses from within an offline file (such as a Word document).

Over a period of approximately five weeks, four more Bitstamp employees received similar highly targeted phishing attacks, each tailored to individual interests. It is worth noting, however, that almost all of these targets lacked the Bitstamp security credentials that would have allowed access to Bitstamp servers containing bitcoin or account information, much less a successful attack on Bitstamp's hot wallet.

For example, Tomaz Rozman was contacted by Skype account Thomas.wong.dl from IP address 7.185.85.191. The pretext for this phishing attack was a potential offer of employment. On 5 December 2014, Skype account john.lucas.si (ostensibly a colleague of Thomas.wong.dl) sent Mr Rozman a message containing candidate_questionnaire.doc, also from IP address 7.185.85.191. This document contained the same obfuscated malicious VBA script described above: if opened, it connected to IP address 185.7.8.1 and downloaded a malicious file named wordlib[1].zip [see Section III for further technical analysis of this malware].

Similarly, on 18 November 2014, COO Miha Grcar was contacted by Skype account ian.foreignpolicy. Mr. Grcar is an avid policy and history buff, particularly with respect to Greece, where he previously worked as a reporter. No IP addresses were recoverable for the communications from this account at the time of our investigation. On this occasion, the suspected attacker was posing as a journalist and engaged Mr Grcar regarding articles he had previously written whilst working for Athens News. On 2 November, as part of this exchange, ian.foreignpolicy attempted to send a word document of a recent article, ostensibly seeking comment from Mr Grcar. Mr Grcar declined to accept the document. Despite messages from the attacker persisting until 7 December, there was no sign of compromise on the laptop.

On 2 November 2014, Anze Simicak was contacted by Skype account suki_sa. This Skype account uses the same IP address as the other communications linked to the attacker (7.185.85.191). The attacker enquired about RippleWise, a platform for an alternative cryptocurrency (the Ripple). (Mr Simicak is COO for RippleWise as well as working at Bitstamp.) Mr Simicak asked the attacker to utilize his RippleWise account for further communications, and there is no trace of either the malicious word documents, or the associated malware, on Mr Simicak's laptop.

On 7 December 2014, Miha Hrast was contacted by Skype account pixi.jenny.hachmeister from IP address 7.185.85.191. According to his LinkedIn profile, Mr Hrast previously worked at Pixi Labs, so this attack too was tailored specifically for this target. Two files were transferred successfully from pixi.jenny.hachmeister to Mr Hrast: Pixi_Post_Employment_Questionnaire.rar on 11 December and Pixi_Post_Employment_Questionnaire.doc on 12 December. The .doc file contained obfuscated malicious VBA script which, when opened, downloaded the malicious file wordcomp[1].zip from IP address 185.1.207.15. However, Hrast did not and will not have access to the hot wallet.

On 7 December 2014, Bitstamp's Systems Administrator, Luka Kodric, received a phishing email to his Gmail account. Unlike some of the other targets, Kodric did have access to Bitstamp's hot wallet. The email header had been spoofed to appear as if it had been sent from konidas@acm[.]org, although it was actually received from a Tor exit node [the email chain and header details can be seen in full at Appendix A]. ACM is the Association for Computing Machinery, which describes itself as the world's largest educational and scientific computing society. The sender was offering Mr. Kodric the opportunity to join Upsilon Pi Epsilon (UPE), the International Honour Society for the Computing and Information Disciplines. The UPE site is hosted within the acm.org domain. On 11 December, as part of this offer, the attacker sent a number of attachments. One of these, UPE_application_form.doc, contained obfuscated malicious VBA script. When opened, this script ran automatically and pulled down a malicious file from IP address 185.1.207.15, thereby compromising the machine.

On 12 December 2014, the attacker switched to Skype messaging with Mr Kodric, using Skype account upsilon_pi_epsilon from IP address 7.185.85.191. Further malicious executables were then created on Mr Kodric's laptop on 19, 18 and 22 December [see Section III for further technical analysis of this malware]. On 2 December, Mr Kodric's account logged in to LNXSRVBTC a number of times. Mr Kodric believed these log-ins were probably the attacker, although he could not confirm with absolute certainty that this was not his own legitimate activity.

On 27 December 2014, SSH logs show that Mr Kodric's account logged in to LNXSRVBTC and the DORNATA server at the data centre. On this occasion, Mr Kodric was certain that these log-ins were not made by him, and must therefore have been the attacker. Analysis indicates that the attacker accessed LNXSRVBTC, where the wallet.dat file was held, and the DORNATA server, where the passphrase for the Bitcoin wallet was stored, before data was transferred out of both servers to IP address 185.1.207.128, which is part of a range owned by a German hosting provider. We suspect that the attacker copied the Bitcoin wallet file and passphrase at this stage, due to the correlation between the size of these files and the size of the data transfer seen on the logs, although the actual content of the transfers cannot be confirmed from the logs available. Together the wallet and passphrase would have enabled the attacker to steal the bitcoins from the Bitcoin wallet.

On 4 January, the attacker drained the Bitstamp wallet, as evidenced on the blockchain. Although the maximum content of this wallet was 5000 bitcoins at any one time, the attacker was able to steal over 18,000 bitcoins throughout the day as further deposits were made by customers.
I%. T&C(NICA# ANA#'$I$.
A. -aterial! Relied Upon.
!urin& te course of its inesti&ation, )tro6 Friedber& collected te follo>in&
materials from Bitstamp. $ll materials >ere presered locally in )loenia, unless specifically
stated.
8/18/2019 270137312 Bitstamp Incident Report 2-20-15
20/37
Ta1le /0 -aterial! Collected
8/18/2019 270137312 Bitstamp Incident Report 2-20-15
21/37
Stroz Friedberg analysed all 27 laptops listed in Table 1. Six machines relating to named individuals contained evidence of a targeted phishing attack, with four individuals receiving poisoned attachments, three machines showing signs of additional malware being downloaded and one victim having been fully compromised with a Remote Access Trojan. An overview of key attacker activity leading to the eventual theft of the bitcoins can be seen in Figure 2 below.

Figure 2: Overview of Attacker Activity

Stroz Friedberg's investigation uncovered evidence that six Bitstamp employees were targeted by phishing emails in total, although only four of these resulted in malicious attachments being received. Miha Grcar refused to accept any attachments and Anze Simicak, a contractor, was contacted in relation to another company he works for, so continued the conversation outside the Bitstamp network. All of the phishing messages were highly tailored to the victim, and showed a significant degree of background knowledge on the part of the attacker.
B. Damian Merlak's Laptop.

Analysis of the file (Punk_Rock_Holiday_2015_TICKET_Form1.doc) from Mr Merlak's laptop revealed that the malicious VBA script was not password protected as with the other phishing documents, although it is very similar in terms of structure and obfuscation. The author of this document is listed as 'KVBuck'. A number of online security resources, such as VirusTotal, identify files with this same author listed, using the same type of VBA exploit for various scams or attacks. An initial review indicates that some of these were high volume phishing scams serving up banking malware dating back to October 2014. Documents containing this script and linked to this author would, therefore, have been widely available by the time Mr Merlak was targeted. This author name does not, therefore, necessarily directly link the Bitstamp theft to the previous attackers. The malicious code attempts to pull a file (img_092.png) from IP address 5.19.10.211. Analysis from VirusTotal links this IP address (which is part of a range allocated to a French hosting service) with the previous distribution of malicious content. From our analysis, it appears that the VBA code was designed to download img_092.png, rename it to AMFVK?KFCBS.exe, and execute it. We did not see any indication that AMFVK?KFCBS.exe was accessed, downloaded or executed on Mr Merlak's laptop, however. The attacker also used Skype account gorarocka and provided a contact email address of ian.punk.slo@gmail.com during his exchange with Mr Merlak. On 29 December (18:22), Mr Merlak also received a Skype message from tim.lewkow stating that "The Bitstamp hot wallet has a near zero BTC balance." Stroz Friedberg does not know whether this message was connected to the attack, but it is notable because the wallet was also transferred by the attacker on 29 December.
C. Tomas Rozman's Laptop.

Stroz Friedberg identified two separate malware files on Mr Rozman's laptop as a result of this attack. The first of these, wordlib[1].zip, was pulled down from IP address 185.9.8.1 on 5 December after Mr Rozman opened Candidate_Questionnaire.zip. This file contained the same obfuscated malicious VBA script as seen on Mr Merlak's computer, although this time it was password protected. This file is the earliest file we have observed that resulted in the successful download of one of the attacker's malicious payloads. However, our analysis indicates that this malware failed to execute properly. On 11 December, the second malware file, wordcomp[1].zip, was downloaded from IP address 185.1.209.15 after Mr Rozman opened Int_mb_dl_mutual_non-disclosure_agreement.doc. Once again, the malware failed to execute properly.
D. Miha Grcar's Laptop.

There were no recoverable log files relating to the IP address for Mr Grcar's Skype contact with ian.foreignpolicy. However, the unsolicited nature of the contact, the attempt to inveigle Mr Grcar into opening an attachment, and the complete lack of verifiable background data on the pseudonym used are all consistent with the confirmed attacker communications.
E. Miha Hrast's Laptop.

A review of the application event logs from Mr Hrast's laptop shows a recorded warning with the following details, explaining why the malware executable was not run: "Access to C:\Users\MIHA~1.HRA\AppData\Local\Temp\AMFVK?KFCBS.exe has been restricted by your Administrator by the default software restriction policy level." There are also references to the wordcomp.zip and also the AMFVK?KFCBS.exe file within a file generated by Microsoft Security Essentials named 'MpWppTracing-12122014-0820?-0000000?-ffffffff.bin', suggesting that these two files were flagged by the Microsoft Security Essentials program installed on the laptop.
F. Luka Kodric's Laptop.

Mr Kodric was the first employee whom we identified as being initially targeted through email, rather than Skype. The attacker ostensibly emailed Mr Kodric from address konidas@acm.org, but analysis of the header information reveals that all of the emails originated from mail servers hosted by a Greek ISP (otenet.gr) which is not designated as a permitted sender for the acm.org domain [7]. The attacker connected to the mail servers through various Tor exit nodes, thereby disguising his own IP address. His mail client registered as being set to UTC+0400 for all communications [8].
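The header checks described above (the SPF verdict, the relay that injected the message versus the claimed From: domain, a Tor exit node as first hop, and the sender's clock offset) can be automated. This is an added example, not code from the report, run over a constructed message laid out like the headers in Appendix A, with placeholder domains and 192.0.2.0/24 addresses.

```python
"""Walk the Received chain of a suspect email and report the header indicators
described above. Added example, not from the report; the message below is
constructed in the shape of Appendix A with placeholder domains and addresses."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message: claims to be from example.org but was injected through an
# unrelated relay, arriving there from a Tor exit, with a Date: stamped at UTC+0400.
RAW = """\
Delivered-To: victim@example.com
Return-Path: <member-offer@example.org>
Received: from echidna.relay.example.net (smtp-out.relay.example.net. [192.0.2.20])
 by mx.example.com with ESMTP id f7si275wc
 for <victim@example.com>; Tue, 09 Dec 2014 08:03:41 -0800 (PST)
Received-SPF: softfail (example.com: domain of transitioning member-offer@example.org does not designate 192.0.2.20 as permitted sender) client-ip=192.0.2.20
Received: from [0.0.0.0] (tor-exit-readme.example.se [192.0.2.99])
 by echidna.relay.example.net (ESMTP) with ESMTPSA
 for <victim@example.com>; Tue, 9 Dec 2014 18:03:38 +0200 (EET)
Date: Tue, 09 Dec 2014 20:03:30 +0400
From: "member-offer@example.org" <member-offer@example.org>
To: victim@example.com
Subject: Upsilon Pi Epsilon - a membership offer

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)")   # "from <claimed> (<observed>)"
SPF_RE = re.compile(r"^\s*(\w+).*?client-ip=([\d.]+)", re.S)

def analyse(raw):
    """Return sender domain, SPF verdict, hops (first hop first), the sender's
    clock offset as it appears in Date:, and a list of findings."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received: line, so the last one is the first hop.
    hops = []
    for m in filter(None, map(HOP_RE.search, reversed(msg.get_all("Received", [])))):
        hops.append({"claimed": m.group(1), "observed": m.group(2).strip()})
    m = SPF_RE.match(msg.get("Received-SPF", ""))
    spf, client_ip = (m.group(1).lower(), m.group(2)) if m else ("none", None)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    off = parsedate_to_datetime(msg["Date"]).utcoffset() or timedelta(0)
    minutes = int(off.total_seconds() // 60)
    hh, mm = divmod(abs(minutes), 60)
    sender_offset = f"UTC{'+' if minutes >= 0 else '-'}{hh:02d}{mm:02d}"
    findings = []
    if spf in ("softfail", "fail"):
        findings.append(f"SPF {spf}: {client_ip} is not a permitted sender for {from_domain}")
    if hops and "tor" in hops[0]["observed"].lower():
        findings.append(f"first hop {hops[0]['observed']} looks like a Tor exit node")
    if hops and from_domain not in hops[-1]["observed"].lower():
        findings.append(f"injected via {hops[-1]['observed']}, outside {from_domain}")
    findings.append(f"sender's mail client is set to {sender_offset}")
    return {"from_domain": from_domain, "spf": spf, "hops": hops,
            "sender_offset": sender_offset, "findings": findings}

if __name__ == "__main__":
    print("\n".join(analyse(RAW)["findings"]))
```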
The malicious VBA script contained within the 2_UPE_application_form.doc emailed to Mr Kodric pulled down a large programme, wordcomp[1].zip. This is identical to the file of the same name found on Mr Rozman's laptop, and was downloaded from the same IP address. Despite the file extension, the file is actually an executable. Upon execution, the file installs itself to the registry location 'Software\Microsoft\Windows\CurrentVersion\Run' to achieve persistence on the machine. The executable was UPX-packed (meaning the UPX programme had been used to compress the file size and thereby disguise the signature of the original executable).

[7] Based on Sender Policy Framework. Further details can be found in Appendix A and at www.openspf.org.

[8] The UTC+0400 time zone covers, inter alia, western Russia, Georgia and Armenia, as well as UAE and parts of eastern Africa. This does not, however, mean that the attacker is physically located in this zone.
The wordcomp[1].zip file is a highly sophisticated programme with diverse functionality. It could provide an attacker with: access to the host machine's registry; access to its clipboard; emulation of mouse movements; possible keyboard logging capability (these functions may be used or may be the result of importing whole libraries). At the time of analysis, it was not detected when submitted to major AV providers.

Our analysis of wordcomp[1].zip indicates that it is designed to call IP address 217.12.202.?, and possibly to hxxp://adermarket.net and hxxp://adermarketnonfree.net [9]. The wordcomp[1].zip file also contains thousands of domain names, such as homeftp.org, kimino.gifu.jp, and Cambridge.museum. The exact purpose of these is unclear, although it is consistent with click-fraud malware where legitimate referring URLs are coded into the malware. It is therefore possible that this is a multi-functional malware, with only part of its capability being used for this attack.

In addition to wordcomp[1].zip, we also found malware files named wf.exe, mso2010.exe and office.exe. We could not determine the provenance of these files from the log data available at the time of the investigation, and comprehensive reverse engineering of the malware files has not been conducted. Analysis of wf.exe identified that it drops a driver, winntdr.sys, which could possibly be a rootkit (software designed to hide the existence of certain processes or programs and enable continued privileged access to a computer) onto the host machine. This file contains the string 'ssdthook'; an SSDT hook is a type of rootkit. The file calls out to IP address 212.8.1.0. wf.exe and mso2010.exe are the "same" program in terms of functionality. However, they are merely unpackers for the majority of the binary data.
[9] 'http' has been replaced with 'hxxp' as a precaution to prevent readers accidentally linking to the malicious URL.

G. Server Analysis.
Our investigation strongly indicated that the attacker accessed two servers directly, LNXSRVBTC and DRNATA, and had access to information held on the EMC server through DRNATA. We did not find any sign of intrusion into, or exfiltration of data from, any other servers from the data available at the time of our investigation.

During our review of the servers, we discovered a gzip file on DRNATA, which was created a few minutes before the attacker sent data to the German server (29 December 2014, 11:29–12:01 CET). While we cannot confirm whether the file itself was exfiltrated, it was clearly accessed by the attacker shortly before the attacker exfiltrated data. This archive is a zip of the /srv folder contained on DRNATA. The /srv folder contains the bitstamp.net.key file, as well as what appears to be a small amount of source code. One of the subfolders of /srv is "uploads" (/srv/bitstamp/uploads). That uploads folder is a link to //emcshare00. The zip file contains a substantial amount of information from the "account_history" sub-folder relating to customer account interactions. Our review has not identified any personally identifiable information or financial data in the account_history folder. It does, however, demonstrate that the attacker had access to the EMC server through DRNATA.

H. Other Media.

Our investigators conducted analysis of all the machines listed in Table 1. We did not find any known indicators of compromise for this attack on machines other than those specifically referenced above.
V. CONCLUSION.

Based on our investigation, we believe that this was a highly targeted attack undertaken by a determined attacker, who showed a very high degree of operational security and technical sophistication. The phishing attacks were highly tailored and appeared, at least initially, credible to the recipients. The attacker only ever targeted a small number of victims simultaneously, and persevered in the face of apparent disinterest on the part of his interlocutors. As an example, Mr Merlak required 11 prompts to respond on one occasion.

The attacker communications, whether Skype or email, were all channelled through an anonymous proxy in order to protect the identity of the sender. The infrastructure used to support the attack, such as the servers used to deliver the malware files or the destination server for the bitcoin wallet theft, is part of hosted infrastructure across multiple jurisdictions, leaving limited opportunity for further investigation. Based on the data available at the time of the investigation, the attacker's activity within the network also appeared to be focused and left a minimal footprint. The malicious VBA script used in the initial compromise shows signs of being a multi-purpose crime tool. However, both the script and the payload it delivered had been significantly modified so as to evade major AV software. This tailoring and obfuscation enabling it to evade AV products indicates that the attackers had a high degree of sophistication and experience in this field, as it reduces the ability for attribution.
This was a significant loss for Bitstamp, and it cast further doubt on the safety and integrity of the bitcoin ecosystem. However, it could have been much worse, and we are determined to use this as a learning tool, and as a basis for making improvements in our technology, security protocols, incident response planning and so forth.

Bitstamp was the first exchange to implement the hot and cold wallet system, and it worked as designed. We lost only a small portion of the bitcoin placed with us, and we covered all losses from our own reserves. No customer funds or data were lost. And because of our nimble disaster recovery efforts, we were able to get up and operating within days after the hack, standing up a completely new and "clean" instance of our trading platform, while preserving all the prior servers and laptops for evidentiary purposes.

Following this criminal attack, Bitstamp has instituted additional industry-leading protections: we are first to be using multi-sig to protect our hot and cold wallets, and are obtaining insurance coverage for all funds. We are undergoing a top to bottom security review by a third party, and will make whatever changes are indicated. (A few of these are obvious: we have implemented FireEye email and internet screening software; we will require multi-sig approvals for any and all access to the hot wallet; and we will ensure that any manager's laptop with access to bitcoin deposits or sensitive customer information is highly restricted, and "single purpose," i.e., it does not also have capabilities to receive email, engage in Skype calls, or cruise the internet.)

Finally, Bitstamp is working closely with the Secret Service, FBI and UK cybercrime investigators to apprehend and prosecute the hacker, and we are very close to doing so. We intend to be industry leaders in developing technology and practices to fully safeguard our customers' assets and sensitive information, and we will share what we have learned to assist others in the Bitcoin ecosystem, including regulators and law enforcement.

Any questions or comments may be directed to George Frost, General Counsel, at geofrost@comcast.net.
APPENDIX A – Luka Kodric Phishing Email & Headers
APPENDIX B – INDICATORS OF COMPROMISE
APPENDIX C – CACTI LOG FILE OUTPUT FOR LNXSRVBTC