UPDATE (17th September 15:25 BST): This piece has been updated with additional information, including the court documents filed by BitPay in federal court.
BitPay has filed suit against a Massachusetts insurance company after losing $1.8m during a phishing attack last December.
According to documents obtained by the Atlanta Business Chronicle, the bitcoin payment processor was defrauded in mid-December by an unknown individual posing as BTC Media CEO David Bailey, whose computer was infiltrated prior to the attack.
The attacker subsequently obtained email credentials for BitPay CFO Bryan Krohn, which were then used to prompt CEO Stephen Pair and executive chairman Tony Gallippi to authorize three payments totalling 5,000 BTC on 11th and 12th December, including one transaction from a wallet on the bitcoin exchange Bitstamp.
BitPay filed a claim for the losses days after the event with Massachusetts Bay Insurance Company, which later denied the claim in a letter dated 8th June. BitPay's legal representation disputed the rejection, and the insurer went on to reaffirm its decision the following month.
After demanding that its claim be honored, BitPay filed suit in the US District Court for the Northern District of Georgia on 15th September. The company alleged breach of contract and is seeking damages and court fees in addition to its $950,000 claim.
The incident illustrates the risk that companies handling digital currencies face from phishing and impersonation, as well as the cost of fraud when operational controls fail to stop such intrusions.
Court documents from the case, including the complaint and the letters exchanged between BitPay and Massachusetts Bay's lawyers, outline how the assailant, pretending to be Bailey, initiated the attack by sending an email containing a link to a Google document.
Bailey's computer had been compromised prior to this, though no details regarding this incident are mentioned.
The complaint states:
"The phony email sent by the person who hacked Mr Bailey's computer, directed Mr Krohn to a website controlled by the hacker wherein Mr Krohn provided the credentials for his BitPay corporate email account. After capturing Mr Krohn's BitPay credentials, the hacker used that information to hack into Mr Krohn's BitPay email account to fraudulently cause a transfer of bitcoin."
A timeline included in Massachusetts Bay's initial denial letter goes into further detail.
"Immediately after clicking on the Google doc link, Mr Krohn enters his authenticating information as prompted in order to access the purported Google docs and receives an error message," the letter states. "[Krohn] believes his private information was stolen at that time and that his response provided access to his email to the fraudster."
A key detail included in the emails was now accessible to the fraudster: the fact that BitPay did not require SecondMarket to pay in advance for bitcoins it received from the company.
Using this information, the individual crafted an email chain showing a conversation between Krohn and SecondMarket vice president Preston Blankenship regarding a purchase of 1,000 BTC.
"The email requests that 1,000 bitcoins be transferred to SecondMarket at a specific wallet address provided. At 3:33 PM the bitcoins are sent from BitPay's hot wallet," Massachusetts Bay's letter stated.
Less than an hour later, the individual controlling Krohn's email requested an additional 1,000 BTC be sent to the same bitcoin address. This amount was then transferred from an account held on Bitstamp by Gallippi after Pair indicated by email that there were insufficient funds in BitPay's "warm" wallet following the second request.
The next day, Krohn's email was used to request that Pair send an additional 3,000 BTC to another address said to be controlled by SecondMarket.
Pair responded "to confirm that this request, which exceeded the usual 1000-2000 daily bitcoin amount between the companies, was valid". The assailant responded by copying an email address purportedly from SecondMarket and confirming that the request was valid.
After processing the transaction, Pair confirmed the move by email and copied SecondMarket employee Gina Guarnaccia.
Guarnaccia wrote back "that she did not send the prior email noting the 3,000 bitcoins and address for them to be sent, and that SecondMarket did not purchase the bitcoins".
Following an investigation, BitPay's claim was rejected by the insurer. Massachusetts Bay argued in its rejection letter that BitPay incurred an indirect loss rather than a direct one, thereby excluding the incident from coverage.
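The sequence above fails at three control points: the destination address came from the request itself, the coins were released before any payment arrived, and the "confirmation" of the oversized third request came from an address the attacker had copied onto the thread. The following is an added example, not BitPay's or SecondMarket's code or procedure, of a payment-release check that would have flagged each request. The 2,000 BTC daily limit comes from the article's "usual 1000-2000 daily bitcoin amount"; the counterparty registry, contact addresses and wallet addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed counterparty registry. Contacts and destination addresses are
# recorded when the relationship is set up, never copied from an incoming
# request. All values are placeholders, not real SecondMarket data.
COUNTERPARTIES = {
    "SecondMarket": {
        "verified_contacts": {"ops@secondmarket.example"},    # constructed
        "allowed_addresses": {"bc1-registered-placeholder"},  # constructed
        "usual_daily_max_btc": 2000,  # article: "usual 1000-2000 daily bitcoin amount"
    }
}

# Channels that count as out-of-band. A reply on the same email thread, or a
# confirmation from an address merely copied onto that thread, does not.
OUT_OF_BAND_CHANNELS = {"phone", "fresh_email_to_registered_contact"}


@dataclass
class PaymentRequest:
    counterparty: str
    amount_btc: float
    destination: str                 # wallet address named in the request
    prepaid: bool = False            # have the counterparty's funds already arrived?
    confirmations: list = field(default_factory=list)  # (channel, contact) pairs


def has_out_of_band_confirmation(req: PaymentRequest, party: dict) -> bool:
    """True only if some confirmation used an approved channel AND a
    contact that was registered before the request arrived."""
    return any(
        channel in OUT_OF_BAND_CHANNELS and contact in party["verified_contacts"]
        for channel, contact in req.confirmations
    )


def evaluate_request(req: PaymentRequest, sent_today_btc: float,
                     registry: dict = COUNTERPARTIES):
    """Return (approved, reasons). Every failed control adds a reason;
    the release is approved only when the list is empty."""
    party = registry.get(req.counterparty)
    if party is None:
        return False, ["unknown counterparty"]
    reasons = []
    # Control 1: the address in the email is untrusted; only pre-registered
    # addresses may receive funds.
    if req.destination not in party["allowed_addresses"]:
        reasons.append("destination not on counterparty allowlist")
    # Control 2: releasing coins before payment turns a phished mailbox
    # straight into a loss.
    if not req.prepaid:
        reasons.append("bitcoin would be released before payment received")
    # Control 3: cumulative volume above the usual range needs confirmation
    # through a channel the attacker does not control.
    if sent_today_btc + req.amount_btc > party["usual_daily_max_btc"]:
        if not has_out_of_band_confirmation(req, party):
            reasons.append("exceeds usual daily amount without out-of-band confirmation")
    return not reasons, reasons


if __name__ == "__main__":
    # Replay of the three requests from the article (amounts from the
    # article; addresses and flags constructed).
    first = PaymentRequest("SecondMarket", 1000, "addr-supplied-in-email")
    second = PaymentRequest("SecondMarket", 1000, "addr-supplied-in-email")
    third = PaymentRequest("SecondMarket", 3000, "second-addr-in-email",
                           confirmations=[("email_reply", "cc-address-on-thread")])
    for label, req, sent in (("day 1, #1", first, 0), ("day 1, #2", second, 1000),
                             ("day 2, #3", third, 0)):
        approved, why = evaluate_request(req, sent)
        print(label, "approved" if approved else "held:", why)
```

The design point is that the confirmation step is keyed on a contact list that predates the request, so an address added to the CC line by whoever controls the mailbox carries no weight, and that the amount check is cumulative per day rather than per email, so splitting a large transfer into several requests does not slip under the limit.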
The letter stated:
"The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into BitPay's computer system fraudulently causing a transfer of money. Instead, the computer system of David Bailey, BitPay's business partner, was compromised resulting in fictitious emails being received by BitPay."
"The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured," the letter added.
Further, the insurance company argued that because bitcoins exist in an electronic medium, any incident resulting in their loss wouldn't be considered as taking place on BitPay's "premises".
"It is Hanover's understanding that the bitcoins were held online, and transferred online, and are not on the physical premises of BitPay. It does not appear that the bitcoin transactions involved a transfer of property from inside the premises to outside the premises," the insurer wrote. "As such, Hanover must respectfully decline to provide coverage for this loss under the Computer Fraud Insuring Agreement."
A week later, Morris, Manning & Martin LLP, a law firm representing BitPay, responded by demanding that the insurer rescind its claim rejection and pay the requested $950,000.
BitPay disputed the assertion that its losses were indirect, positing that Massachusetts Bay was misinterpreting its own policy provision regarding computer fraud. The company further stated that, per its agreement with the insurer, its bitcoin holdings were subject to special consideration given the particulars of the digital currency.
"MBIC agreed to add bitcoin to the Policy definition of 'money' thereby insuring BitPay against loss of bitcoin. Unlike traditional money, bitcoin does not exist in physical form in any location or premises, and it cannot be transferred from or to any physical location," attorney Jessica Pardi wrote in the letter.
"Accordingly, any agreement to insure bitcoin that purportedly requires bitcoin to be on BitPay's premises is illusory, and MBIC's interpretation is meritless and evidences bad faith," she added.
In a response letter sent by law firm Leo & Weber, the insurer reaffirmed its refusal to honor the claim and disputed BitPay's counterarguments about the losses being direct rather than indirect.
"We are unaware of any evidence to support that the perpetrator gained access to the BitPay computer system or device. The ultimate transfer of bitcoins did not result from the perpetrator's access to the BitPay computer system or device," the letter stated. "Ultimately, Mr Krohn's superiors made the decision to send bitcoins in three separate transactions, prior to receiving payment, to whom they believed was SecondMarket."
Days later, BitPay reiterated its demands and threatened to sue if it wasn't paid. The insurer refused to accept the claim or pay the requested amount, according to the complaint.
BitPay and Massachusetts Bay did not immediately respond to requests for comment.
BitPay's complaint, along with additional documents, can be found below:
BitPay Complaint and Documents
Disclaimer: CoinDesk founder Shakil Khan is an investor in BitPay.