BitPay sues insurer for denying $1m claim after spear-phishing attack

Not all phishing attacks amount to computer fraud, according to a US insurance firm, which is being sued by bitcoin payments processor BitPay for knocking back its claim.

BitPay this week filed a suit against its insurer for declining a $950,000 claim to cover the loss of 5,000 bitcoins to a phishing scammer. The predicament for BitPay is that its CEO authorised the transfer of the cryptocurrency worth $1.8m to the scammer.

The Atlanta Business Review obtained BitPay's complaint, filed on September 15 against insurer Massachusetts Bay Insurance Company (MBIC), and revealed the lawsuit and BitPay's financial loss on Wednesday.

The Atlanta-based e-commerce firm helps companies accept payments in Bitcoin. It raised $30m from investors including Yahoo co-founder Jerry Yang last year ahead of a partnership with PayPal amid growing confidence in the cryptocurrency’s viability for trading.

Bitcoin news site CoinDesk detailed a well-planned phishing attack on BitPay’s CFO Bryan Krohn that resulted in CEO Stephen Pair authorising three payments totalling 5,000 BTC on 11 and 12 December to the attacker.

The attack started when Krohn received an email from a person posing as David Bailey, the CEO of Bitcoin media group BTC Media. Krohn was unaware that Bailey’s computer had been hacked and his email account hijacked.

The attacker directed Krohn to a phishing site where the CFO provided the credentials for his Google-based BitPay corporate email account. The attacker then used the credentials to pose as Krohn and instruct Pair to transfer the bitcoins to a wallet that Pair believed was controlled by SecondMarket, a US trading software firm that is a real BitPay customer.

As the Chronicle noted, Pair realised he’d been duped upon making the third transaction. He'd decided to copy SecondMarket in on his response to Krohn; however, the company replied that it did not purchase the bitcoins.

Shortly after the loss, BitPay filed a claim for $950,000 with MBIC; however, in June the insurance firm denied the claim.

As the court documents show, BitPay's insurance policy covered acts of computer fraud; however, MBIC’s lawyers disagreed that the policy applied, on the basis that Pair had authorised the payments.

“The ultimate transfer of bitcoins did not result from the perpetrator’s access to the Bitpay computer system or device. Ultimately Mr Krohn’s superiors made the decision to send bitcoins in three separate transactions, prior to receiving payment, to whom they believed was Second Market,” MBIC’s law firm LEO & Weber noted.

The firm goes on to argue that BitPay “would have suffered the same loss had the request for bitcoins come in by fictitious fax, letter or means other than a computer email.”

“Computer fraud equates to the use of a computer to ‘fraudulently cause a transfer’ and is not the use of a computer somewhere in a transaction that involves fraud, false pretences or misrepresentations,” the law firm said.


BitPay declined to comment on the case when contacted by CSO Australia. However, BitPay’s Pair has since issued a statement on the company's blog, saying MBIC’s denial was made in bad faith.

“On September 15, 2015, BitPay filed suit against its insurer, Massachusetts Bay Insurance Company (“MBIC”) to recover amounts owed under a commercial crime policy issued by MBIC to BitPay as well as penalties for MBIC’s bad faith denial of the amounts owed to BitPay under the policy,” said Pair.

“BitPay cannot discuss the pending litigation other than to say the amounts owed relate to a theft incident which occurred in December of 2014, nearly one year ago. This was an isolated incident, and none of BitPay’s customers, affiliates or merchants lost any funds. The only victim of the theft was BitPay. All merchant funds were secure, and there were no disruptions to BitPay’s payment services at any time. Additionally, advances in bitcoin cybersecurity over the last year allow BitPay to further protect funds and better serve merchants and bitcoin users.”
