How a Hacker Defrauded ‘Canadian Bitcoins’ Exchange

Here’s a very interesting story I stumbled upon this morning in the Ottawa Citizen (via Reddit). It focuses on an incident that took place on the 1st of October, 2013, in which a hacker managed to make off with $100,000 worth of bitcoins from the Canadian Bitcoin exchange Canadian Bitcoins using a bit of social engineering.

It started with a chat session with a technical support representative at Granite Networks, the former operator of the facility which housed Canadian Bitcoins’ server equipment.

The hacker claimed to be the exchange’s owner, James Grant. Saying he had an issue with a server, he asked the technical support representative via the help chat to reboot the server into recovery mode, an effective way to dodge security barriers put up by the server.

The representative did just that: he unlocked the exchange’s cabinet in the data center, plugged in a laptop, and subsequently provided access to the attacker, the person claiming to be James Grant.

During the two-hour chat conversation, there was allegedly no request for “James Grant” to verify his identity, according to the Ottawa Citizen.

“It’s ridiculous,” the real James Grant was quoted as saying. “There was absolutely zero verification of who it actually was.”

All told, the attacker managed to make off with 149.94 bitcoins that were stored in a hot wallet. The hot wallet balance was kept purposefully small, with a majority of user funds stored in cold wallets in safety deposit boxes.

Canadian Bitcoins has covered the loss out of its own pocket. It has since removed its servers from the facility.

“The situation surrounding this customer is unique to this customer, and does not apply to any other customer of Rogers Data Centres. Rogers has been fully co-operative with authorities in the investigation,” a statement from Rogers (the company that acquired Granite Networks) said. “Rogers Data Centres provides the highest level of security in the Canadian data centre industry. Its security protocol is operationally certified and in accordance with industry best practices. We have reviewed our security processes and continue to work with our customers to make sure they take advantage of all of our security features.”

According to Rogers, the customer was offered a service credit, but James Grant says it’s not nearly sufficient and is reportedly considering taking legal action.

Read the full story at Ottawa Citizen.
