BitPay sues insurer for denying $1m claim after spear-phishing attack

Not all phishing attacks amount to computer fraud, according to a US insurance firm, which is being sued by bitcoin payments processor BitPay for knocking back its claim.

BitPay this week filed a suit against its insurer for declining a $950,000 claim to cover the loss of 5,000 bitcoins to a phishing scammer. The predicament for BitPay is that its CEO authorised the transfer of the cryptocurrency, worth $1.8m, to the scammer.

The Atlanta Business Review obtained BitPay's complaint, filed on September 15 against insurer Massachusetts Bay Insurance Company (MBIC), and revealed the lawsuit and BitPay's financial loss on Wednesday.

The Atlanta-based e-commerce firm helps companies accept payments in Bitcoin. It raised $30m from investors including Yahoo co-founder Jerry Yang last year ahead of a partnership with PayPal amid growing confidence in the cryptocurrency’s viability for trading.

Bitcoin news site CoinDesk detailed a well-planned phishing attack on BitPay’s CFO Bryan Krohn that resulted in CEO Stephen Pair authorising three payments totalling 5,000 BTC on 11 and 12 December to the attacker.

The attack started when Krohn received an email from a person posing as David Bailey, the CEO of Bitcoin media group BTC Media. Krohn was unaware that Bailey’s computer had been hacked and his email account hijacked.

The attacker directed Krohn to a phishing site, where the CFO provided the credentials for his Google-based BitPay corporate email account. The attacker then used the credentials to pose as Krohn and instruct Pair to transfer the bitcoins to a wallet Pair believed was controlled by SecondMarket, a US trading software firm that is a real BitPay customer.

As the Chronicle noted, Pair realised he’d been duped upon making the third transaction. He'd decided to copy SecondMarket in on his response to Krohn; however, the company replied that it had not purchased the bitcoins.

Shortly after the loss, BitPay filed a claim for $950,000 with MBIC, but in June the insurance firm denied the claim.

As the court documents show, BitPay's insurance policy covered acts of computer fraud; however, MBIC’s lawyers disagreed on the basis that Pair had authorised the payments.

“The ultimate transfer of bitcoins did not result from the perpetrator’s access to the Bitpay computer system or device. Ultimately Mr Krohn’s superiors made the decision to send bitcoins in three separate transactions, prior to receiving payment, to whom they believed was Second Market,” MBIC’s law firm LEO & Weber noted.

The firm goes on to argue that BitPay “would have suffered the same loss had the request for bitcoins come in by fictitious fax, letter or means other than a computer email.”

“Computer fraud equates to the use of a computer to ‘fraudulently cause a transfer’ and is not the use of a computer somewhere in a transaction that involves fraud, false pretences or misrepresentations,” the law firm said.

BitPay declined to comment on the case when contacted by CSO Australia. However, BitPay’s Pair has since issued a statement on the company's blog, saying MBIC’s denial was made in bad faith.

“On September 15, 2015, BitPay filed suit against its insurer, Massachusetts Bay Insurance Company (“MBIC”) to recover amounts owed under a commercial crime policy issued by MBIC to BitPay as well as penalties for MBIC’s bad faith denial of the amounts owed to BitPay under the policy,” said Pair.

“BitPay cannot discuss the pending litigation other than to say the amounts owed relate to a theft incident which occurred in December of 2014, nearly one year ago. This was an isolated incident, and none of BitPay’s customers, affiliates or merchants lost any funds. The only victim of the theft was BitPay. All merchant funds were secure, and there were no disruptions to BitPay’s payment services at any time. Additionally, advances in bitcoin cybersecurity over the last year allow BitPay to further protect funds and better serve merchants and bitcoin users.”
