
Events of Friday - BitInstant Back Online - Blog - Genesis Block - The BitInstant Blog


URL:http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html


Afternoon folks! 

As many of you know, BitInstant was down starting Thursday evening and was turned back on today (Monday) with a limited relaunch. 

None of your personal or transactional information has been leaked. We keep all of that data offline to protect everyone's privacy.

Over the weekend the BitInstant team has been hard at work securing our system after a sophisticated attack on Thursday evening. Overall, thanks to the choke points and redundancies in our system, the hacker was only able to walk away with $12,480 USD worth of BTC, sent in 3 installments of 333 BTC to the following Bitcoin addresses:

 

15WeVhV1rSUVGqBWuzi4ogV3BGSwAw8fCX

12Sfsc4XVBfSkcz9CayqfZdhYuntbjtjXp

1Fimj1BzMBessvPw2RKeqvgPg7VLgJCQi

Background:

We've long been targeted by someone using social engineering tactics to attempt to compromise our various accounts at exchanges, with our hosting provider Amazon AWS, and even my personal accounts, mostly without success. At no time before this incident had we had a single system or account compromised, through technical means or otherwise. For the sake of convenience I'll refer to this mystery person simply as "the attacker". This individual was only successful because of a failure by the staff at our domain registrar, as I explain below; we intend to move to a more secure registrar ASAP.

What happened:

The attacker contacted our domain registrar, Site5, posing as me and using an email address very similar to mine. They did so by proxying through a network owned by a haulage company in the UK, whom I suspect are innocent victims the same as ourselves. Armed only with knowledge of my place of birth and my mother's maiden name (both facts easy to locate on the public record), they convinced Site5 staff to add their email address to the account and make it the primary login, which prevented us from deleting it from the account. We immediately realized what was going on and logged in to change the information back. After we changed this info and locked the attacker out, overnight he was able to revert my changes and point our website somewhere else. Site5 is denying any damages, but we suspect this was partly their fault.

After gaining access, they redirected DNS by pointing our nameservers at hetzner.de in Germany, and used Hetzner's nameservers to redirect our traffic to a hosting provider in Ukraine. By doing this, the attacker locked out both my login and Gareth's, hijacked our email through the redirected DNS, and used that to reset the login for one exchange (VirWox), gaining access and stealing $12,480 USD worth of BTC. No other exchanges were affected, thanks to multi-factor authentication, OTP, YubiKeys, and automatic lockdowns.
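The chain above (registrar account takeover, then NS records pointed at someone else's nameservers, then MX records under the attacker's control and a password reset by email) is visible from the outside the moment the delegation changes, so the check a practitioner would want is a monitor that compares the zone's current NS and MX records against the delegation you actually configured. The following is an added example, not BitInstant's code or tooling: it parses the five-column answer lines that `dig +noall +answer` prints, and flags any nameserver or mail exchanger that is not on the allowlist. The domain example.test, the "rogue" hostnames and both record sets are constructed for the example.

```python
"""Detect a nameserver / mail-exchanger hijack from DNS answer records.

Added example, not BitInstant's code. Feed it the output of
`dig +noall +answer NS example.test` (and the same for MX) on a schedule and
page someone whenever check_delegation() returns anything. All hostnames
and records below are constructed; example.test is a hypothetical zone.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def _norm(host: str) -> str:
    """Lower-case and drop the trailing dot so 'NS1.Example.Test.' == 'ns1.example.test'."""
    return host.rstrip(".").lower()


def parse_dig_answers(text: str) -> List[Record]:
    """Parse dig's answer lines: '<name> <ttl> IN <type> <rdata>'.

    Comment lines (starting with ';') and blank lines are skipped. For MX the
    rdata is '<priority> <host>'; only the host is kept for comparison.
    """
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype == "MX":
            rdata = rdata.split()[-1]
        records.append(Record(_norm(name), int(ttl), rtype, _norm(rdata)))
    return records


def check_delegation(records: Iterable[Record],
                     expected_ns: Iterable[str],
                     expected_mx: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means the delegation matches.

    Both directions are reported: a host that appeared (attacker-controlled
    server) and a host that vanished (your real server no longer authoritative).
    """
    records = list(records)
    observed_ns = {r.rdata for r in records if r.rtype == "NS"}
    observed_mx = {r.rdata for r in records if r.rtype == "MX"}
    want_ns = {_norm(h) for h in expected_ns}
    want_mx = {_norm(h) for h in expected_mx}

    findings: List[str] = []
    findings += [f"unexpected NS {h}" for h in sorted(observed_ns - want_ns)]
    findings += [f"missing NS {h}" for h in sorted(want_ns - observed_ns)]
    findings += [f"unexpected MX {h}" for h in sorted(observed_mx - want_mx)]
    findings += [f"missing MX {h}" for h in sorted(want_mx - observed_mx)]
    return findings


# Constructed allowlist: the delegation and mail exchanger you configured.
EXPECTED_NS = ["ns1.example.test", "ns2.example.test"]
EXPECTED_MX = ["mail.example.test"]

# Constructed dig output for the healthy zone.
BASELINE_ANSWERS = """
;; ANSWER SECTION:
example.test.  3600  IN  NS  ns1.example.test.
example.test.  3600  IN  NS  ns2.example.test.
example.test.  3600  IN  MX  10 mail.example.test.
"""

# Constructed dig output after a registrar-level hijack: NS and MX now point
# at hosts the attacker controls, so password-reset mail lands with them.
HIJACKED_ANSWERS = """
;; ANSWER SECTION:
example.test.  300  IN  NS  ns1.rogue-dns.test.
example.test.  300  IN  NS  ns2.rogue-dns.test.
example.test.  300  IN  MX  10 mx.rogue-mail.test.
"""


def audit(dig_text: str) -> List[str]:
    """Convenience wrapper: parse dig output and compare with the allowlist."""
    return check_delegation(parse_dig_answers(dig_text), EXPECTED_NS, EXPECTED_MX)


if __name__ == "__main__":
    for label, text in (("baseline", BASELINE_ANSWERS), ("hijacked", HIJACKED_ANSWERS)):
        print(label, audit(text) or "OK")
```

Run the real check against several public resolvers, not only your own, and compare their answers against each other as well as against the allowlist: a registrar-level change propagates from the TLD down, so a resolver that still has the old delegation cached can mask the hijack for up to the NS record's TTL.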

The hacker was also able to pull a few hours of internal company emails. However, thanks to mandatory PGP encryption between members of our company and tools like Cryptocat, no sensitive information was breached.

Information about the attacker:

Based on their general MO, the attacker is not highly technically skilled but is sneaky enough to cover their tracks. Some of the hosting providers they directed our domain at may have billing information, but that billing information is likely a stolen card. Geographically, I would personally suspect them to be Russian, based on the choice of providers and on past fruitless attempts that were clearly of Russian origin. They seem focused on me in particular and have tried many times to gain access to my accounts (both personal and business).

Other parties involved (the attacker used these parties in some way):

meta.ua - email provider

hetzner.de - nameservers for the first attempt were hosted here

ukraine.com.ua - hosting provider involved in the first hijack

smtp.parkside.at - mail provider which was involved in the email hijack

Circle Express Ltd - their network was used as a proxy; the actual IP is registered to BT PLC but is used by Circle Express on a business line of some variety

So, we wanted to provide this update in order to continue our practice of transparency, but also as a lesson to the community: you must be ever-vigilant in making security your top priority. We outline many more of our security protocols here: bitinstant.com/security

Thanks for your patience, support, and trust during these times. 

- The Team @ BitInstant. 

