270137312 Bitstamp Incident Report 2-20-15

8/18/2019 270137312 Bitstamp Incident Report 2-20-15

1/37

.

Bitstamp Incident Report

Privileged and Confidential

February 20, 2015


2/37

Table of Contents

I. INTR!"CTIN ####..##################........1

$. Company Bac%&round.

B. Fundamentals of Bitcoin.

C. Bitstamp's transactional process.

II. INITI$( !I)C*+R $N! R+)-N)+ T T+ INCI!+NT............................../

$. !iscoery of te Breac.

B. +ntry point.

C. Incident Response Team.

!. Redeployin& our Tradin& -latform

+. +nsurin& Transparency.

F. Initial !ama&es +stimate.

III. CRN( F +*+NT) FR3 )TR4 IN*+)TI$TIN####........1

I*. T+CNIC$( $N$()I). #####################.1/

$. 3aterials Relied "pon.

B. !amian 3erla%'s (aptopC. Tomas Ro6man's (aptop.!. 3ia rcar's (aptop.+. 3ia rast's (aptopF. (u%a 7odric's (aptop.. )erer $nalysis.. ter 3edia.

*. CNC(")IN################.,##########..28

$--+N!IC+) $ 9 C.

http://var/www/apps/conversion/tmp/scratch_7/HYPERLINK%23_Toc412277165http://var/www/apps/conversion/tmp/scratch_7/HYPERLINK%23_Toc412277165http://var/www/apps/conversion/tmp/scratch_7/HYPERLINK%23_Toc412277165http://var/www/apps/conversion/tmp/scratch_7/HYPERLINK%23_Toc412277165http://var/www/apps/conversion/tmp/scratch_7/HYPERLINK%23_Toc412277165


3/37


4/37

I. INTRODUCTION.

Tis is a confidential report prepared by eor&e Frost, eneral Counsel of Bitstamp

(imited :;Bitstamp< or te ;te Companye ae identified at least one of te

ac%ers and are baitin& a ;oney trap< to lure im into te "7 in order to ma%e an arrest.

3oreoer, >e need to be ery careful not to educate oter criminal ac%ers about o> >e

safe&uard our assets and information. $ccordin&ly, no part of tis report may be made public

or &ien to a tird party >itout te prior eApress >ritten permission of Bitstamp (td.

A. Company Background.

Bitstamp (imited is a "7 cartered firm. $t tis time te firm also maintains

approAimately t>enty?fie support staff and serers in )loenia, >ere te firm >as founded.

Bitstamp is creatin& a ne> operatin& company in (uAembour&, and is in te process of

see%in& licensin& in (uAembour& as a payments proider. Te ne> company >ill serice

only +uropean customers. )imilarly, a ")$ operatin& entity is also bein& establised, >ic

>ill sere only ") residents.

Bitstamp operates a mat?based ;crypto?currency< tradin& platform ia te @orld

@ide @eb, and as approAimately 5,000 erified customers around te >orld, primarily

based in +urope.

1 Founded in 2000, )tro6 Friedber& is an international inesti&ations firm specialisin& in di&ital forensics,electronic disclosure, data breac and cybercrime response, as >ell as business intelli&ence serices andinesti&ations. )tro6 Friedber&'s mana&ement includes former prosecutors and former la> enforcement officers

>it bot &oernment and priate?sector eAperience in traditional and cyber?based inesti&ations, di&italforensics, data preseration and analysis, infrastructure protection, and electronic discoery.


5/37

Bitstamp's primary business is proidin& a mar%etplace tat facilitates te purcase,

trade and eAcan&e of ;Bitcoin< bet>een customers by te creation and maintenance of

Bitstamp accounts.

B. undamental! of Bitcoin.

Bitcoin' is a di&ital, decentrali6ed, partially anonymous protocol and currency tat is

not bac%ed by any &oernment or oter le&al entity. Bitcoin utili6es peer?to?peer transactions

tat are erified and recorded in a distributed public led&er called te ;bloc%cain.<

ConseDuently, users of bitcoin can ma%e transactions oer te Internet directly >it oter

users >itout needin& an intermediary suc as a ban%. :Bitstamp's customers, o>eer,

utili6e Bitstamp as an intermediary to maintain teir bitcoin for tem in a tradin& account.

See belo>.=

Bitcoin utili6es public?%ey crypto&rapy, >ic reDuires t>o separate crypto&rapic

;%eyseter its correspondin& priate %ey as

been used in a &ien crypto&rapic function. In te case of Bitcoin, te priate %ey is used to

create a di&ital si&nature for eery transactionE te priate %ey tus acts as confirmation of

o>nersip of te bitcoins inoled, and it sould neer be sared. Te correspondin& public

%ey can ten be used to erify te di&ital si&nature of te transaction i.e. tat te initiator is

indeed te o>ner of te bitcoins for tat transaction. -ublic %eys are also used to &enerate

Bitcoin addresses to receie bitcoins from a transactionE only te older of te correspondin&

priate %ey can access te bitcoins in te address &enerated from te public %ey.

$ Bitcoin address is an identifier of 2?5 alpanumeric caracters, an eAample of

>ic is G/8t1@p+4HCNmiecrnyi@rnDR@N(y. Bitcoin addresses are &enerated by

;asin&< te public %ey. asin& is a process by >ic a %no>n al&oritm, or matematical

formula, is calculated across a set of data, turnin& a lar&e amount of data into a fiAed?len&t


6/37

as alue. Te same as alue >ill al>ays result from te same data. 3odifyin& te data

in any >ay >ill ineitably can&e te as alue. Te resultant as alue is ten conerted

into a format named Base?58. Base 58 is an encodin& system tat remoes ambi&uous

caracters, suc as 0 and . To complete te Bitcoin address, an identifyin& number of eiter

1 or is added to te be&innin&, indicatin& tat te address is a public Bitcoin net>or%

address representin& a possible destination for a Bitcoin payment.

$ Bitcoin ;>allet< is a collection of priate %eys for a &ien user. Te %eys relate to

te user's Bitcoin addresses, and proide te ability to conduct transactions to or from tose

addresses. $ >allet is contained >itin a client, >ic is te soft>are pac%a&e proidin& te

user >it an interface to te Bitcoin net>or%. $ common name for a Bitcoin client >allet file

is wallet.dat . $ &ro>in& number of companies offer >allet serices to teir customers, and

safe&uard teir bitcoin for tem.

@en a Bitcoin transaction ta%es place, te information about tat transaction is

stored >itin te ;bloc%cain.< Te bloc%cain records o> many bitcoins >ere inoled in

te transaction, te address tey came from and te address to >ic te bitcoins >ere

transferred. Te ;bloc%cain< led&er is public, ma%in& it is possible :altou& a bit arduous,

until an automated searc system is deeloped= to reie> istorical transactions to determine

o> many bitcoins are eld by eac address and from >ere tose bitcoins ori&inated.

C. Bit!tamp"! tran!actional proce!!.

Bitstamp's current transaction process >or%s as follo>sE2 $ customer opens an

account >it Bitstamp trou& its >ebsite at ttpsEJJ>>>.bitstamp.netJ. !urin& te si&nup

process, Bitstamp reDuires te customer's name, address, and proof of identity as part of its

7no> our Customer' :7C= policies and anti?money launderin& :$3(= procedures. No

ban%in& details or bitcoin deposit addresses are proided to customers until tese cec%s ae

2 ur serice proiders and certain process features >ill can&e once >e are operational in (uAembour&, and>e >ill be addin& more safe&uards to tis system, as detailed in our eAtensie filin& >it te C))F.

https://www.bitstamp.net/https://www.bitstamp.net/


7/37

been completed. nce a customer's account is opened, tat customer can deposit cas from a

ban% account in teir name to te Bitstamp client account, >ic is eld >it one of seeral

commercial ban%s.

@en funds are receied from users into te Bitstamp client account, tese are

processed and credited into te user's led&er >itin Bitstamp's system as soon as possible.

Bitstamp insists tat all deposits into its ban% account must come from a ban% account in te

user's name because te ban% proides tis information to Bitstamp. Tis elps preent

fraud, and ensures tat Bitstamp >ill credit te correct user led&er in its system.

nce >e ae completed our $3( procedures in relation to tat user, a uniDue reference

number is ten automatically &enerated for tat user. ur customers are reDuired to use tis

as a reference on funds tey transfer into Bitstamp's account >it our ban% :Reiffeisen,

altou& >e ae oter bac%up ban%s= to identify te led&er to >ic te funds sould be

credited.

Te user's led&er >it Bitstamp is in t>o parts 9 tere is a balance in ") dollars, and

a balance in bitcoins :>ic >ill be 0 >en te led&er is first opened=. $ltou& Bitstamp

accepts deposits in almost all currencies, >en funds are receied tey are imported into our

system and allocated to a user's led&er conerted into ") dollars, >ic is done

automatically usin& te Reiffeisen ban% daily eAcan&e rate. Te led&er balance in Bitcoins

is te user's Bitcoin >allet eld >itin te Bitstamp system. nce te funds receied ae

been credited to te user's Bitcoin led&er, tey can trade on te platform and purcase

Bitcoins.

Te transfer of funds into bitcoins is not automatic, eac user decides >en and at >at price

e or se >ises to purcase :and sell= bitcoins. Te user is fully in control of te

transaction, Bitstamp simply proides te tradin& platform and credits user led&ers >it funds

receied from Reiffeisen ban%. @en a user as funds in teir account and >ises to use


8/37

tese to buy bitcoins, tey >ill place an order. Te dates and times of eac order are

recorded, altou& tere can be a small delay bet>een te order bein& placed and te trade

ta%in& place.

@en te system as matced up an order to sell bitcoins >it an order to buy

bitcoins, it automatically transfers te bitcoins from one user's bitcoin led&er to te oter

user's bitcoin led&er. Te oter type of transaction so>n is a bitcoin >itdra>al reDuest,

>ere bitcoins are >itdra>n to a bitcoin >allet tat may be a Bitstamp bitcoin >allet :i.e. a

user bitcoin led&er= or a bitcoin >allet eld outside te Bitstamp eAcan&e. Tis is fairly

simple and on bot types of istory proides a record of te date on >ic te user reDuested

tat a certain number of bitcoins >ere >itdra>n from is or er led&er. It is possible to see

te bitcoin >allet address to >ic te bitcoins >ere >itdra>n. Te >itdra>al process is

an automatic process, it is not done manually.

nce bitcoins are remoed from te user's uniDue bitcoin led&er in BitstampKs system,

te transaction is &enerally irreersible. Te >ole bitcoin system >as set up in tis >ay so

Tis is so>n as ;opened instant buy order< or ;opened limit buy ordero different >ays in >ic a user may >is to buy Bitcoins. $n instant order is >ere te userinstructs BitstampKs system immediately to buy Bitcoins usin& a certain number of dollars or sell a set number of Bitcoins. Tis, and all oter orders, can be seen in te Lorder boo%L >ic is isible to all users on BitstampKs>ebsite. Te order boo% is a list of all orders tat ae been placed by Bitstamp's users. n receipt of an instantorder, te system >ill immediately searc te order boo% for te lo>est price at >ic someone is >illin& to sellor buy Bitcoins and >ill use te specified funds to purcase or sell Bitcoins as appropriate. In te case of instantsell orders te i&est price >ic is offered for te purcase of Bitcoins is used. In te case of instant buyorders te lo>est price >ic is offered for te sellin& of Bitcoins is used. If tere are an insufficient number ofBitcoins on sale at tat lo>est as%in& price to complete te order to te amount of ") dollars te user asspecified sould be used, te system automatically searces a&ain in 1 second interals and >ill ten purcaseBitcoins at te lo>est possible price at tat time, usin& te remainin& dollars. Te system continues to performtis process until all te funds specified by te user ae been conerted to Bitcoins, or until all te Bitcoinsae been sold. Te oter type of order listed is a limit order. Tis is >ere a user specifies te number ofBitcoins e or se >ises to buy or sell, and te price at >ic e >ants to buy or sell tem. Te system >illten searc all orders in te order boo% to matc up te reDuest >it anoter order at te same price and tencarry out te trade automatically. Tis means tat te user does not need constantly to searc te system for te

price e or se >ants, or >ait until te ri&t price becomes aailable. e can place te order and te system >ill perform te transaction >en it finds te same price. If te system is only able to find 50M of te desirednumber of Bitcoins for sale at te price reDuested, it >ill purcase tose Bitcoins and ten >ait until it neAt findste remainin& number of Bitcoins for sale at te price reDuested. Tus te entire order may ta%e seeral minutes,or ours, to complete, dependin& on te aailability of te number of Bitcoins for sale or purcase at te ri&t

price.


9/37

as to proide :partial= confidentiality and certainty for users, and to aoid te ris% of car&e

bac%s :li%e tose eAperienced by credit card users= >ic >ould brin& uncertainty to

transactions.

Bitstamp &enerates its transactional reenue by ta%in& a percenta&e fee :&raduated

based on olume= from te dollar alue of eac trade. Bitstamp does not ;monitor<

indiidual trades and transactions as tey are bein& performed. It >ould be irtually

impossible to do soE up to ,000 users may be accessin& te site eery second.

Bitstamp >ill outline its security procedures belo>.

II. INITIA# DI$CO%&R' AND R&$PON$& TO T(& (AC)IN* INCID&NT.

A. Di!covery of t+e Breac+.

Bitstamp first learned about te ac%in& incident on te eenin& of Gan. t. Te

CT, !amian 3erla%, first noticed te loss of bitcoins from te Bitstamp >allet at circa 200

C+T on Ganuary 2015. 3r 3erla% >as in te ")$, so e notified !aid soni% and (u%a

7odric to inesti&ate locally. $fter accessin& te serers, Bitstamp staff noted a suspicious

data transfer on te net>or% lo&s, dated 2/ !ecember 201, bet>een 112/?1201 C+T. Te

data transfer >as approAimately .5B and >as sent to an unfamiliar erman I- address

:185.1.20/.128=.

Te data transfer struc% an ominous cord because .5B is te approAimate si6e of

te wallet.dat file containin& Bitstamp's Bitcoin >allet O see Appendix C for the log file

relating to this transfer P.

Bitstamp personnel also cec%ed te Bas istory and noted file searces tat ad not

been underta%en by our o>n staff. 3r. 3erla% notified te C+, also enroute to te ")$ on

anoter fli&t, and te eneral Counsel, tus actiatin& te Company's emer&ency response

plan.


10/37

B. &ntry point.

@e soon learned from local forensic analysis tat te transfer >as initiated trou& a

*-N connection from 3r 7odric's laptop to te serer ostin& te Bitcoin >allet at

Bitstamp's data centre :(NQ)R*BTC=. $t te time, 3r 7odric's laptop >as in te office and

lo&&ed in to te net>or%. Te *-N connection to te data centre >as restricted to tree

autorised I- addressesE Bitstamp's office I-, 3r 3erla%'s ome I-, and 3r 7odric's ome

I-. T>o?factor autentication >as not reDuired to access te data centre from 3r 7odric's

laptop >ile it >as lo&&ed in to te office net>or%. Bitstamp terefore suspected tat te

attac%er ad remotely initiated te *-N connection in te bac%&round >ilst 3r 7odric >as

>or%in&.

Te teft reDuired access to 2 serers in te data centreE (NQ)R*BTC and

!RN$T$. Te wallet.dat file >as eld on (NQ)R*BTC. !RN$T$ eld te passprase

to access te bitcoins eld in te >allet. Cec%s by Bitstamp indicated tat data >as only

ta%en from tese t>o serers. Bitstamp found no eidence of access to oter infrastructure.

Te content of te data transferred >as not discernible from te net>or% lo&s, only te

olume of data.

)eparately, on Ganuary 2015, someone attempted to connect remotely to te

Bitstamp office net>or%, a&ain usin& 3r 7odric's account. *-N connections from an

eAternal I- address to te office net>or% reDuire t>o?factor autentication :as opposed to

*-N connections to te data centre from te tree permitted I- addresses, >ic do not=.

Bet>een 0/290/55 C+T, 3r 7odric receied nine notifications on is mobile pone to

proide secondary autentication for remote access to te office net>or% from is account.

Tese notifications are only &enerated once te correct username and pass>ord are entered.

Te remote lo&?in attempts >ere from an I- address in Romania :10/.1.2./=.


11/37

(ater on Ganuary, te bitcoins started to drain from te Bitstamp >allet. Tis >ould

not ae reDuired access to eiter te office or data centre *-N, since te attac%er:s= already

ad te wallet.dat file and passprase :from te 2/ !ecember transfers=. 5000 bitcoins >ere

in te >allet >en it >as eAfiltrated on !ecember 2/, but oer 18000 bitcoins >ere stolen in

total due to additional deposits made before te teft >as noticed. :!eposit olume >as

unusually i& at tis time, and a number of lar&e ;sort< sellers appeared to ae been

accessin& Bitstamp's mar%et at te time.

Follo>in& our learnin& of te teft, Bitstamp employees >ere as%ed to %eep teir

laptops turned off, and te serers >ere %ept offline :but po>ered on=. Te eneral Counsel

also conducted initial interie>s and obtained early forensics, preparin& to moe for>ard

>it briefin& te outside inesti&ators from )tro6 and arious la> enforcement autorities.

C. Incident Re!pon!e Team.

Bitstamp immediately formed an incident response team to assess te loss, protect our

customers from furter attac%s, and to inesti&ate te breac. @e set up a response in te

company's )an Francisco offices, sared >it our cief inestor, -antera Capital. Te

eneral Counsel notified la> enforcement in te ") and in (ondon,5 and retained te )tro6

Friedber& firm to assist us in te inesti&ation.

Te )tro6 Friedber& team arried at te Bitstamp office in )loenia at / am on 8

Ganuary. $fter interie>in& te staff >it %no>led&e of te incident, tey identified and

catalo&ued all releant electronic media from te office and data centre for analysis. Te

ur primary ")$ contact is Gon Rein, )pecial $&ent, ") )ecret )erice, )an FranciscoField ffice, 15?0?8/5 onatan.reinSusss.ds.&o.

5 ur primary "7 contact is Ric+ard Butc+er, 3aor Inesti&ation Team ? Crime!irectorate, 3obileE :0= HH2 521 /2H +mailERicard.ButcerScityoflondon.pnn.police.u%

mailto:[email protected]:[email protected]


12/37

team follo>ed formal ;cain of custody< procedures at eac step. Te team ten commenced

ta%in& forensic ima&es of te media, includin& te follo>in& itemsE

? $ll 22 laptops tat >ere in use on te corporate net>or%.

? -riority irtual macines from pysical serers at te data centre, includin& a lo&icalcapture from te local +3C stora&e.? !ata from bot pysical serers in te office :containin& seeral internal irtualmacines used on te net>or%=.

$pproAimately 1 Terabytes of data >as collected in te first s>eep, >it furter

ima&in& on&oin&. In addition to tese items, tere are t>o lo>er priority serers acDuired for

later analysis.

D. Redeploying our Trading Platform.

-ursuant to our incident response plan, >e immediately retained a security firm

:based in Berlin >ic ad done prior security >or% for us= to assist us in preentin& furter

losses, identifyin& >at appened and &ettin& our eAcan&e bac% on line.

)ortly after discoery of te attac%, Bitstamp made an eApensie but necessary

decision to rebuild our entire tradin& platform and ancillary systems from te &round up,

rater tan tryin& to reboot our old system. @e did tis from a secure bac%up tat >as

maintained :accordin& to disaster recoery procedures= in a ;clean room< enironment. @e

also decided to deploy our distribution net>or% usin& $ma6on cloud infrastructure serers

located in +urope.

By redeployin& our system from a secure bac%up onto entirely ne> ard>are, >e

>ere able to protect our customers from furter miscief from te ac%er, and to presere all

te potential eidence on Bitstamp's ard dries and periperals for a full forensic

inesti&ation of te crime. @e also too% te opportunity to implement a number of ne>

security measures :includin& multi?si& tecnolo&y= and protocols so Bitstamp's customers

could resume usin& Bitstamp >it full confidence and trust.


13/37

&. &n!uring Tran!parency.

$lso accordin& to our incident response plan, >e retained an outside firm to assist in

messa&in& and dealin& >it customers, >o >ere ri&tly concerned by te ac%in& incident

and >anted assurances tat teir bitcoin >as safe. @e >anted to underscore tat Bitstamp is

not 3toA, in any respect.

Te security of our customers' bitcoin and account information is our top priority, and

as part of our strin&ent security protocol >e temporarily suspended our serices as of at /

a.m. "TC on Ganuary 5t. Bitstamp >as determined to be fortri&t and transparent in all our

communications to customers and te media. @e notified all customers by direct email, and

posted updates on a temporary Bitstamp >ebsite aided by our crisis team, >e employed

t>itter, media interie>s, and all oter means aailable to %eep tem informed.

ne principal messa&e >e needed to &et out ri&t a>ayE customers sould no lon&er

ma%e deposits to any preiously issued Bitstamp bitcoin deposit addresses, >ic mi&t ae

been compromised by te ac%er. $noter %ey messa&eE $ll bitcoin eld >it us prior to te

temporary suspension of Bitstamp serices are completely safe and >ill be onored in full.

ur bottom lineE No customer bitcoin >as lost, and no customer information >as

compromised Bitstamp >ould be bac% in business as soon as possible, but only >en >e are

certain >e can do so safely.

&. Initial Damage! &!timate.

Bitstamp is te sole ictim in tis incident, as te company used its o>n capital

reseres and bitcoin reseres to coer te loss from its ot >allet. No customer funds or

bitcoin >ere compromised, and >e ae found no reason >atsoeer to beliee tat any

customer account information or personal information >as compromised.


14/37

Te ac%er >as able to steal 18,8 bitcoins from a ;ot >allet< residin& on one of

Bitstamp's serers. Te lost coins ad a contemporaneous mar%et alue of U5,2,1 based

on te Bistamp clearin& price of U2H/ per bitcoin at te time of te teft.

Bitstamp as lost customers, includin& maor clients en&a&ed in proidin& mercant

serices in bitcoin, and as suffered si&nificant dama&e to its reputation, >ic >e are unable

to Duantify eAactly at tis point, but >ic >e beliee eAceeds U2 million. o>eer, it

appears tat our Duic% response, transparency, and addition of ne> safe&uards : see below) as

>on te loyalty of te ast maority of our customers.

In addition, >e ae paid out approAimately U250,000 to pro&rammers ired to

rebuild and improe our platform paid approAimately U250,000 :and countin&= to te )tro6

Friedber& team and at least U150,000 more for arious security reie>s, and le&al and

financial adice. Tese out of poc%et costs are continuin& to accrue.

In addition, to preent future capital losses of tis %ind, >e ae contracted >it a

endor to proide ;multi?si&< tecnolo&y to better protect our ot >allet :tis particular

transfer could not ae appened today= and ired a s%illed tecnolo&y company, Qapo, to

assist in mana&in& our cold >allet. :Tis leel of protection is ery difficult to penetrate ??

Qapo actually splits apart te indiidual cold >allet addresses of our depositors, storin& tem

in secret locations in different parts of te >orld.= Finally, >e are acDuirin& insurance

coera&e for all bitcoin deposits, tus preserin& more of our o>n capital funds for &ro>t,

tecnolo&ical improements and improed customer serice.

III. C(RONO#O*' O &%&NT$ RO- $TRO RI&DB&R*

IN%&$TI*ATION.

Te metodolo&y and tecnical detail of te inesti&ation conducted by )tro6

Friedber& are set out in more detail belo>. In tis section >e aim to proide a cronolo&y of


15/37

te attac% as understood follo>in& )tro6 Friedber&'s reie>. $n oerie> of te attac%

timeline is proided in Fi&ure 1 belo>.

igure /0 Timeline of Attack

Te infection ector for te compromise >as a tar&eted pisin& campai&n, >it siA

employees %no>n to ae been tar&eted by te attac%er in Noember J !ecember 201.

Te CT, !amian 3erla%, >as te first employee identified as bein& tar&eted by te attac%er.

n Noember 201, 3r 3erla% >as contacted by )%ype account pun%.roc%.oliday from

I- address :/.185.85.1H1=. Te &ambit for tis pisin& attac% >as to offer 3r 3erla% free

tic%ets to -un% Roc% oliday 2015. :3erla% is %een on pun% roc% and as played in a band.=

n 20 Noember, after a number of eAcan&es demonstratin& persistent effort from

te attac%er, pun%.roc%.oliday sent a participant form' to 3r 3erla% O-un% Roc% oliday

2015 TIC7+T Form1.docP. Tis document contained obfuscated malicious *B$ script

6 *isual Basic for $pplications :*B$= is a pro&rammin& lan&ua&e >ic enables certainfunctions to be built into te associated application :@ord in tis instance= and eAecutedautomatically. )uc functions >ould include connections to >ebsites or internet addresses


16/37

desi&ned to call out to an eAternal I- address and pull do>n a file to te ictim computer.

$ltou& te document >as opened on 20 Noember and 21 Noember, tere is no

indication tat te script eAecuted, and none of te indicators of compromise identified on

oter macines as part of te attac% >ere found on !3's laptop. OSee Section III for further

technical analysis of this phishing attack .P

er a period of approAimately fie >ee%s, four more Bitstamp employees receied

similar i&ly tar&eted pisin& attac%s, eac tailored to indiidual interests. It is worth

noting that, however, that almost all of these targets lacked the itstamp security credentials

to have allowed access to itstamp servers containing bitcoin or account information, much

less a successful attack on itstamp!s hot wallet.

For eAample Toma6 Ro6man >as contacted by )%ype account Tomas.>on&.dl from

I- address /.185.85.1H1. Te preteAt for tis pisin& attac% >as a potential offer of

employment. n 5 !ecember 201, )%ype account on.lucas.si :ostensibly a collea&ue of

Tomas.>on&.dl= sent 3r Ro6man a messa&e containin& candidateVDuestionnaire.doc, also

from I- address /.185.85.1H1. Tis document contained te same obfuscated malicious

*B$ script described aboeE if opened, it connected to I- address 185./.8.1 and

do>nloaded a malicious file named >ordlibO1P.6ip Osee Section III for further technical

analysis of this malwareP.

)imilarly, on 18 Noember 201, C 3ia rcar >as contacted by )%ype account

ian.forei&npolicy. 3r. rcar is an aid policy and istory buff, particularly >it respect to

reece, >ere e preiously >or%ed as a reporter. No I- addresses >ere recoerable for te

communications from tis account at te time of our inesti&ation. n tis occasion, te

suspected attac%er >as posin& as a ournalist and en&a&ed 3r rcar re&ardin& articles e ad

preiously >ritten >ilst >or%in& for $tens Ne>s. n 2 Noember, as part of tis

from >itin an offline file :suc as a @ord document=.


17/37

eAcan&e, ian.forei&npolicy attempted to send a >ord document of a recent article,

ostensibly see%in& comment from 3r rcar. 3r rcar declined to accept te document.

!espite messa&es from te attac%er persistin& until / !ecember, tere >as no si&n of

compromise on te laptop.

n 2 Noember 201, $n6e )imica% >as contacted by )%ype $ccount su%iVsa.

Tis )%ype account uses te same I- address as te oter communications lin%ed to te

attac%er :/.185.85.1H1=. Te attac%er enDuired about Ripple@ise, a platform for an

alternatie cryptocurrency :te Ripple=. :3r )imica% is C for Ripple@ise as >ell as

>or%in& at Bitstamp.= 3r )imica% as%ed te attac%er to utili6e is Ripple@ise account for

furter communications, and tere is no trace of eiter te malicious >ord documents, or te

associated mal>are, on 3r )imica%'s laptop.

n / !ecember 201, 3ia rast >as contacted by )%ype account

piAi.enny.acmeister from I- address /.185.85.1H1. $ccordin& to is (in%edIn profile, 3r

rast preiously >or%ed at -iAi (abs, so tis attac% too, >as tailored specifically for tis

tar&et. T>o files >ere transferred successfully from piAi.enny.acmeister to 3r rastE "ixi#

$"ost$%mployment$&uestionnaire.rar on 11 !ecember and

"ixi$"ost$%mployment$&uestionnaire.doc on 12 !ecember. Te .doc file contained

obfuscated malicious *B$ script >ic, >en opened, do>nloaded te malicious file

wordcomp'(.*ip from I- address 185.1.20/.15. o>eer, rast did not and >ill not ae

access to te ot >allet.

n / !ecember 201, Bitstamp's )ystems $dministrator, (u%a 7odric, receied a

pisin& email to is mail account. "nli%e some of te oters tar&ets, 7ordic did ae

access to Bitstamp's ot >allet. Te email eader ad been spoofed to appear as if it ad

been sent from %onidasSacmO.Por&, altou& it >as actually receied from a Tor eAit node

Ote email cain and eader details can be seen in full at $ppendiA $P. $C3 is te

mailto:konidas@acm%5B.%5Dorgmailto:konidas@acm%5B.%5Dorg


18/37

$ssociation for Computin& 3acinery, >ic describes itself as te >orld's lar&est

educational and scientific computin& society. Te sender >as offerin& 3r. 7odric te

opportunity to oin "psilon -i +psilon :"-+=, te International onour )ociety for te

Computin& and Information !isciplines. Te "-+ site is osted >itin te acm.or& domain.

n 11 !ecember, as part of tis offer, te attac%er sent a number of attacments. ne of

tese, +"%$application$form.doc, contained obfuscated malicious *B$ script. @en

opened, tis script ran automatically and pulled do>n a malicious file from I- address

185.1.20/.15, tereby compromisin& te macine.

n 12 !ecember 201, te attac%er s>itced to )%ype messa&in& >it 3r 7odric,

usin& )%ype account upsilonVpiVepsilon from I- address /.185.85.1H1. Furter malicious

eAecutables >ere ten created on 3r 7odric's laptop on 1H,18 and 22 !ecember Osee Section

III for further technical analysis of this malwareP. n 2 !ecember, 3r 7odric's account

lo&&ed in to (NQ)R*BTC a number of times. 3r 7odric belieed tese lo&?ins >ere

probably te attac%er, altou& e could not confirm >it absolute certainty tat tis >as not

is o>n le&itimate actiity.

n 2/ !ecember 201, )) lo&s so> tat 3r 7odric's account lo&&ed in to

(NQ)R*BTC and te !RN$T$ serer at te data centre. n tis occasion, 3r 7odric

>as certain tat tese lo&?ins >ere not made by im, and must terefore ae been te

attac%er. $nalysis indicates tat te attac%er accessed (NQ)R*BTC, >ere te wallet.dat

file >as eld, and te !RN$T$ serer, >ere te passprase for te Bitcoin >allet >as

stored, before data >as transferred out of bot serers to I- address 185.1.20/.128, >ic is

part of a ran&e o>ned by a erman ostin& proider. @e suspect tat te attac%er copied te

Bitcoin >allet file and passprase at tis sta&e, due to te correlation bet>een te si6e of

tese files and te si6e of te data transfer seen on te lo&s, altou& te actual content of te


19/37

transfers cannot be confirmed from te lo&s aailable. To&eter te >allet and passprase

>ould ae enabled te attac%er to steal te bitcoins from te Bitcoin >allet.

n Ganuary, te attac%er drained te Bitstamp >allet, as eidenced on te

bloc%cain. $ltou& te maAimum content of tis >allet >as 5000 bitcoins at any one time,

te attac%er >as able to steal oer 18,000 bitcoins trou&out te day as furter deposits >ere

made by customers.

I%. T&C(NICA# ANA#'$I$.

A. -aterial! Relied Upon.

!urin& te course of its inesti&ation, )tro6 Friedber& collected te follo>in&

materials from Bitstamp. $ll materials >ere presered locally in )loenia, unless specifically

stated.


20/37

Ta1le /0 -aterial! Collected


21/37

)tro6 Friedber& analysed all 2H laptops listed in Table 1. )iA macines relatin& to

named indiiduals contained eidence of a tar&eted pisin& attac%, >it four indiiduals

receiin& poisoned attacments, tree macines so>in& si&ns of additional mal>are bein&

do>nloaded and one ictim ain& been fully compromised >it a Remote $ccess Troan.

$n oerie> of %ey attac%er actiity leadin& to te eentual teft of te bitcoins can be seen

in Fi&ure 2 belo>.

igure 20 Overvie3 of Attacker Activity


22/37

)tro6 Friedber&'s inesti&ation uncoered eidence tat siA Bitstamp employees >ere

tar&eted by pisin& emails in total, altou& only four of tese resulted in malicious

attacments bein& receied. 3ia rcar refused to accept any attacments and $n6e

)imica%, a contractor, >as contacted in relation to anoter company e >or%s for, so

continued te conersation outside te Bitstamp net>or%. $ll of te pisin& messa&es >ere

i&ly tailored to te ictim, and so>ed a si&nificant de&ree of bac%&round %no>led&e on

te part of te attac%er.

B. Damian -erlak"! #aptop.

$nalysis of te file :-un%VRoc%VolidayV2015VTIC7+TVForm1.doc= from 3r

3erla%'s laptop reealed tat te malicious *B$ script >as not pass>ord protected as >it

te oter pisin& documents, altou& it is ery similar in terms of structure and

obfuscation. Te autor of tis document is listed as 7*Buc%'. $ number of online

security resources, suc as *irusTotal, identify files >it tis same autor listed, usin& te

same type of *B$ eAploit for arious scams or attac%s. $n initial reie> indicates tat some

of tese >ere i& olume pisin& scams serin& up ban%in& mal>are datin& bac% to

ctober 201. !ocuments containin& tis script and lin%ed to tis autor >ould, terefore,

ae been >idely aailable by te time 3r 3erla% >as tar&eted. Tis autor name does not,

terefore, necessarily directly lin% te Bitstamp teft to te preious attac%ers. Te

malicious code attempts to pull a file :im&V0/2.pn&= from I- address 5.1/.10.211.

$nalysis from *irusTotal lin%s tis I- address :>ic is part of a ran&e allocated to a Frenc

ostin& serice= >it te preious distribution of malicious content. From our analysis, it

appears tat te *B$ code >as desi&ned to do>nload im&V0/2.pn&, rename it to

$3F*747FCB).eAe, and eAecute it. @e did not see any indication tat

$3F*747FCB).eAe >as accessed, do>nloaded or eAecuted on 3r 3erla%'s laptop,

o>eer. Te attac%er also used )%ype account &oraroc%a and proided a contact email


23/37

address of ian.pun%.sloS&mail.com durin& is eAcan&e >it 3r 3erla%. n 2/

!ecember :18E22EH=, 3r 3erla% also receied a )%ype messa&e from tim.le>%o> statin&

tat ;Te Bitstamp ot >allet as a near 6ero BTC balance.< )tro6 Friedber& does not %no>

>eter tis messa&e >as connected to te attac%, but it is notable because te >allet >as

also transferred by te attac%er on 2/ !ecember.

C. Toma! Roman"! #aptop.

)tro6 Friedber& identified t>o separate mal>are files on 3r Roman's laptop as a

result of tis attac%. Te first of tese, wordlib'(.*ip, >as pulled do>n from I- address

185./.8.1 on 5 !ecember after 3r Ro6man opened CandidateVDuestionnaire.6ip. Tis

file contained te same obfuscated malicious *B$ script as seen on 3r 3erla%'s computer,

altou& tis time it >as pass>ord protected. Tis file is te earliest file >e ae obsered

tat resulted in te successful do>nload of one of te attac%er's malicious payloads.

o>eer, our analysis indicates tat tis mal>are failed to eAecute properly.

n 11 !ecember, te second mal>are file, >ordcompO1P.6ip, >as do>nloaded from I-

address 185.1.20/.15 after 3r Ro6man opened IntVmbVdlVmutualVnon?

disclosureVa&reement.doc. nce a&ain, te mal>are failed to eAecute properly.

D. -i+a *rcar"! #aptop.

Tere >ere no recoerable lo& files relatin& to te I- address for 3r rcar's )%ype

contact >it ian.forei&npolicy. o>eer, te unsolicited nature of te contact, te attempt

to inei&le 3r rcar in to openin& an attacment, and te complete lac% of erifiable

bac%&round data on te pseudonym used are all consistent >it te confirmed attac%er

communications.

&. -i+a (ra!t"! #aptop.

$ reie> of te application eent lo&s from 3r rast's laptop so> a recorded

>arnin& >it te follo>in& details, eAplainin& >y te mal>are eAecutable >as not runE


24/37

$ccess to CEW"sersW3I$X1.R$W$pp!ataW(ocalWTempW$3F*747FCB).eAe as been

restricted by your $dministrator by te default soft>are restriction policy leel. Tere are

also references to te >ordcomp.6ip and also te $3F*747FCB).eAe file >itin a file

&enerated by 3icrosoft )ecurity +ssentials named 3p@ppTracin&?1212201?0820?

0000000?ffffffff.bin' su&&estin& tat tese t>o files >ere fla&&ed by te 3icrosoft )ecurity

+ssentials pro&ram installed on te laptop.

. #uka )odric"! #aptop.

3r 7odric >as te first employee >om >e identified as bein& initially tar&eted

trou& email, rater ten )%ype. Te attac%er ostensibly emailed 3r 7odric from address

%onidasSacm.or&, but analysis of te eader information reeals tat all of te emails

ori&inated from mail serers osted by a ree% I)- :otenet.&r= >ic is not desi&nated as a

permitted sender for te acm.or& domainH. Te attac%er connected to te mail serers trou&

arious Tor eAit nodes, tereby dis&uisin& is o>n I- address. is mail client re&istered as

bein& set to "TC 000 for all communications8.

Te malicious *B$ script contained >itin te 2V"-+VapplicationVform.doc emailed

to 3r 7odric pulled do>n a lar&e pro&ramme, >ordcompO1P.6ip. Tis is identical to te file

of te same name found on 3r Ro6man's laptop, and >as do>nloaded from te same I-

address. !espite te file eAtension, te file is actually an eAecutable. "pon eAecution, te file

installs itself to te re&istry location )oft>areW3icrosoftW@indo>sWCurrent*ersionWRun' to

aciee persistence on te macine. Te eAecutable >as "-Q?pac%ed :meanin& te "-Q

pro&ramme ad been used to compress te file si6e and tereby dis&uise te si&nature of te

ori&inal eAecutable=.

7 Based on Sender Policy Framework. Further details can be found inAppendi A and at www.openspf.or!".

# $he %$& time 'one co(ers) inter alia) western *ussia) +eor!ia andArmenia) as well as %A, and parts of eastern Africa. $his does not)howe(er) mean that the attacker is physically located in this 'one.

mailto:[email protected]://www.openspf.org/mailto:[email protected]://www.openspf.org/


25/37

Te >ordcompO1P.6ip is file a i&ly sopisticated pro&ramme >it dierse

functionality. It could proide an attac%er >itE access to te ost macine's re&istry access

to its clipboard emulation of mouse moements possible %eyboard lo&&in& capability :tese

functions may be used or may be te result of importin& >ole libraries=. $t te time of

analysis, it >as not detected >en submitted to maor $* proiders.

ur analysis of >ordcompO1P.6ip indicates tat it is desi&ned to call I- address

21H.12.202., and possibly to AApEJJadermar%et.net and AApEJJadermar%etnonfree.net/.

Te >ordcompO1P.6ip file also contains tousands of domain names, suc as omeftp.or&,

%imino.&ifu.p, and Cambrid&e.museum. Te eAact purpose of tese is unclear, altou& it is

consistent >it clic%?fraud mal>are >ere le&itimate referrin& "R(s are coded into te

mal>are. It is terefore possible tat tis is a multi?functional mal>are, >it only part of its

capability bein& used for tis attac%.

In addition to >ordcompO1P.6ip, >e also found mal>are files named >f.eAe,

mso2010.eAe and office.eAe. @e could not determine te proenance of tese files from te

lo& data aailable at te time of te inesti&ation, and compreensie reerse en&ineerin& of

te mal>are files as not been conducted. $nalysis of >f.eAe identified tat it drops a drier,

>inntdr.sys, >ic could possibly be a root%it :soft>are desi&ned to ide te eAistence of

certain processes or pro&rams and enable continued priile&ed access to a computer= onto te

ost macine. Tis file contains te strin& ssdtoo%E an ))!T oo% is a type of root%it. Te

file calls out to I- address 212.8.1.0. >f.eAe and mso2010.eAe are te ;same< pro&ram in

terms of functionality. o>eer, tey are merely unpac%ers for te maority of te binary

data.

*.$erver Analy!i!.

- http/ has been replaced with /hp/ as a precaution to pre(ent readersaccidentally linkin! to the malicious %*0.


26/37

ur inesti&ation stron&ly indicated tat te attac%er accessed t>o serers directly,

(NQ)R*BTC and !RN$T$, and ad access to information eld on te +3C serer

trou& !RN$T$. @e did not find any si&n of intrusion into, or eAfiltration of data from,

any oter serers from te data aailable at te time of our inesti&ation.

!urin& our reie> of te serers, >e discoered a &6ip file on !RN$T$, >ic >as

created a fe> minutes before te attac%er sent data to te erman serer :2/ !ecember 201,

112/?1201C+T=. @ile >e cannot confirm >eter te file itself >as eAfiltrated, it >as

clearly accessed by te attac%er sortly before te attac%er eAfiltrated data. Tis folder is a

6ip of te Jsr folder contained on !RN$T$. Te Jsr folder contains te bitstamp.net.%ey

file, as >ell as >at appears to be a small amount of source code. ne of te subfolders of

Jsr is ;uploads< :JsrJbitstampJuploads=. Tat uploads folder is a lin% to JJemcsare00. Te

6ip file contains a substantial amount of information from te ;accountVistory< sub?folder

relatin& to customer account interactions. ur reie> as not identified any personally

identifiable information or financial data in te accountVistory folder. It does, o>eer,

demonstrate tat te attac%er ad access to te +3C serer trou& !RN$T$.

(. Ot+er -edia.

ur inesti&ators conducted analysis of all te macines listed in Table 1. @e did not

find any %no>n indicators of compromise for tis attac% on macines oter tan tose

specifically referenced aboe.

%. CONC#U$ION.

Based on our inesti&ation, >e beliee tat tis >as a i&ly tar&eted attac%

underta%en by a determined attac%er, >o so>ed a ery de&ree of operational security and

tecnical sopistication. Te pisin& attac%s >ere i&ly tailored and appeared, at least

initially, credible to te recipients. Te attac%er only eer tar&eted a small number of ictims

simultaneously, and perseered in te face of apparent disinterest on te part of is


27/37

interlocutors. $s an eAample, 3r 3erla% reDuired 11 prompts to respond on one occasion.

Te attac%er communications, >eter )%ype or email, >ere all cannelled trou&

an anonymous proAy in order to protect te identity of te sender. Te infrastructure used to

support te attac%, suc as te serers used to delier te mal>are files or te destination

serer for te bitcoin >allet teft, are part of osted infrastructure across multiple

urisdictions, leain& limited opportunity for furter inesti&ation. Based on te data

aailable at te time of te inesti&ation, te attac%er's actiity >itin te net>or% also

appeared to be focused and left minimal footprint. Te malicious *B$ script used in te

initial compromise so>s si&ns of bein& a multi?purpose crime tool. o>eer, bot ad been

si&nificantly modified so as to eade maor $* soft>are. Tis tailorin& and obfuscation

enablin& it to eade $* products indicates tat te attac%ers ad a i& de&ree of

sopistication and eAperience in tis field, as it reduces te ability for attribution.

Tis >as a si&nificant loss for Bitstamp, and it cast furter doubt on te safety and

inte&rity of te bitcoin ecosystem. o>eer, it could ae been muc >orse, and >e are

determined to use tis as a learnin& tool, and as a basis for ma%in& improements in our

tecnolo&y, security protocols, incident response plannin& and so fort.

Bitstamp >as te first eAcan&e to implement te ot and cold >allet system, and it

>or%ed as desi&ned. @e lost only a small portion of te bitcoin placed >it us, and >e

coered all losses from our o>n reseres. No customer funds or data >ere lost. $nd because

of our nimble disaster recoery efforts, >e >ere able to &et up and operatin& >itin days after

te ac% Y standin& up a completely ne> and ;clean< instance of our tradin& platform, >ile

preserin& all te prior serers and laptops for eidentiary purposes.

Follo>in& tis criminal attac%, Bitstamp as instituted additional industry?leadin&

protections Y >e are first to be usin& multi?si& to protect our ot and cold >allets, and are

obtainin& insurance coera&e for all funds. @e are under&oin& a top to bottom security


28/37

reie> by a tird party, and >ill ma%e >ateer can&es are indicated. :$ fe> of tese are

obious 9 >e ae implemented Fire+ye email and internet screenin& soft>are >e >ill

reDuire multi?si& approals for any and all access to te ot >allet and >e >ill ensure tat

any mana&er's laptop >it access to bitcoin deposits or sensitie customer information is

i&ly restricted, and ;sin&le purpose,< i.e., it does not also ae capabilities to receie email,

en&a&e in s%ype calls, or cruise te internet.

Finally, Bitstamp is >or%in& closely >it te )ecret )erice, FBI and "7 cybercrime

inesti&ators to appreend and prosecute te ac%er, and >e are ery close to doin& so. @e

intend to be industry leaders in deelopin& tecnolo&y and practices to fully safe&uard our

customers' assets and sensitie information, and >e >ill sare >at >e ae learned to assist

oters in te Bitcoin ecosystem, includin& re&ulators and la> enforcement.

$ny Duestions or comments may be directed to eor&e Frost, eneral Counsel, at

&eofrostScomcast.net.


29/37

$--+N!IQ $ 9 (u%a 7odric -isin& +mail Z eaders

!eliered?ToE lu%a.%odricS&mail.com

Return?-atE [%onidasSacm.or&\

ReceiedE from ecidna.otenet.&r :smtp?out.otenet.&r. O8.25./.P=

by mA.&oo&le.com >it +)3T- id fHsi2H5>c.81.201.12.0/.08.0.

for [lu%a.%odricS&mail.com\ Tue, 0/ !ec 201 08E0E ?0800 :-)T=

Receied?)-FE softfail :&oo&le.comE domain of transitionin& %onidasSacm.or& does not

desi&nate 8.25./. as permitted sender= client?ip]8.25./.

ReceiedE from O0.0.0.0P :tor?eAit?readme.dfri.se O1H1.25.1/.25P=

by ecidna.otenet.&r :+)3T-= >it +)3T-)$

for [lu%a.%odricS&mail.com\ Tue, / !ec 201 18E0E 0200 :++T=

3essa&e?I!E [58H1+0$.0H0100Sacm.or&\

!ateE Tue, 0/ !ec 201 20E0E 000

FromE L%onidasSacm.or&L [%onidasSacm.or&\

ToE lu%a.%odricS&mail.com

)ubectE "psilon -i +psilon ? a membersip offer


30/37

??????????????????????????????????????????????????????????????????????????????



ReceiedE from spinA.otenet.&r :smtp?out.otenet.&r. O8.25./.P=

by mA.&oo&le.com >it +)3T- id d10si1H80H8>ib.80.201.12.0/.12.5H.2

for [lu%a.%odricS&mail.com\ Tue, 0/ !ec 201 12E5HE2 ?0800 :-)T=



ReceiedE from O0.0.0.0P :1/5?15?215?8.re.poneytelecom.eu O1/5.15.215.8P=

by spinA.otenet.&r :+)3T-= >it +)3T-)$

for [lu%a.%odricS&mail.com\ Tue, / !ec 201 22E5HE20 0200 :++T=

3essa&e?I!E [58H22$.H010002Sacm.or&\

!ateE @ed, 10 !ec 201 00E5HE1 000


ToE (u%a 7odric [lu%a.%odricS&mail.com\

)ubectE ReE "psilon -i +psilon ? a membersip offer

??????????????????????????????????????????????????????????????????????????????



ReceiedE from medusa.otenet.&r :smtp?out1.otenet.&r. O8.25./.1P=

by mA.&oo&le.com >it +)3T- id >A8si20H>b.H5.201.12.10.00..2

for [lu%a.%odricS&mail.com\ @ed, 10 !ec 201 00EE2 ?0800 :-)T=


desi&nate 8.25./.1 as permitted sender= client?ip]8.25./.1

ReceiedE from O0.0.0.0P :cs?tor.bu.edu O20.8.15.12P=


31/37

by medusa.otenet.&r :+)3T-= >it +)3T-)$

for [lu%a.%odricS&mail.com\ @ed, 10 !ec 201 10EE20 0200 :++T=

!ateE @ed, 10 !ec 201 12EE1 000




??????????????????????????????????????????????????????????????????????????????



by mA.&oo&le.com >it +)3T- id r5si2001>y.H.201.12.10.2.50.2

for [lu%a.%odricS&mail.com\ @ed, 10 !ec 201 2E50E28 ?0800 :-)T=



ReceiedE from O0.0.0.0P :1.transminn.c6 OH.15H.1/5.1HP=


for [lu%a.%odricS&mail.com\ Tu, 11 !ec 201 0/E50E21 0200 :++T=

!ateE Tu, 11 !ec 201 11E50E1 000




??????????????????????????????????????????????????????????????????????????????




by mA.&oo&le.com >it +)3T- id esi2H0/2>ic.8H.201.12.11.01.02.0H


32/37

for [lu%a.%odricS&mail.com\ Tu, 11 !ec 201 01E02E08 ?0800 :-)T=



ReceiedE from O0.0.0.0P :coms%y.torserers.net OHH.2H.181.12P=


for [lu%a.%odricS&mail.com\ Tu, 11 !ec 201 11E01E5/ 0200 :++T=

!ateE Tu, 11 !ec 201 1E01E5 000




??????????????????????????????????????????????????????????????????????????????



ReceiedE from cimaera.otenet.&r :smtp?out2.otenet.&r. O8.25./.2P=

by mA.&oo&le.com >it +)3T- id lc/si1H80>c./.201.12.11.0..55

for [lu%a.%odricS&mail.com\ Tu, 11 !ec 201 0EE55 ?0800 :-)T=



ReceiedE from O0.0.0.0P :tor?eAit0?readme.dfri.se O1H1.25.1/.20P=

by cimaera.otenet.&r :+)3T-= >it +)3T-)$

for [lu%a.%odricS&mail.com\ Tu, 11 !ec 201 1EE52 0200 :++T=

!ateE Tu, 11 !ec 201 15EE/ 000





33/37

??????????????????????????????????????????????????????????????????????????????



ReceiedE from medusa.otenet.&r :smtp?out1.otenet.&r. O8.25./.1P=

by mA.&oo&le.com >it +)3T- id o2si11H288/>y.H/.201.12.12.00.5./

for [lu%a.%odricS&mail.com\ Fri, 12 !ec 201 00E5E/ ?0800 :-)T=



ReceiedE from O0.0.0.0P :ns1585.ip?/1?121?1/.eu O/1.121.1/.P=

by medusa.otenet.&r :+)3T-= >it +)3T-)$

for [lu%a.%odricS&mail.com\ Fri, 12 !ec 201 10E5EH 0200 :++T=

!ateE Fri, 12 !ec 201 12E5E 000





34/37

$--+N!IQ B 9 IN!IC$TR) F C3-R3I)+


35/37


36/37

$--+N!IQ C 9 C$CTI ( FI(+ "T-"T FR (NQ)R*BTC


37/37

Documents

270137312 Bitstamp Incident Report 2-20-15