BitPay's CFO receives an email from a Scammer/Hacker claiming to be BitPay's CEO. The Scammer then manages to suckers the CFO into sending not one, but three, separate transactions equaling to 1.8 million dollars in the amounts of 1000, 1000, and 3000 bitcoins.

Yeah, that's want you want in a Chief Financial Officer. Can somebody please get me his resume as soon as humanly possible?

"Yo Bry! Shoot 1.8 Million over to BitCo-B for me will ya? Coolsters! Tell 'em I said 'Howdy'!"

Did not any of this seem a bit odd to CFO Bryan Krohn? I suppose not, since he just shot it right over. Not in a single transaction either, so there was time to suspect something was off. However, this gray matter showcase just sent, and sent, and sent again. 

It was supposedly a convincing phishing attack, but still, the long and short of it is that one email ended up in 1.8 Million bucks sent to a scammer-hacker with no apparent validation of authenticity, internal discovery, or perhaps even any common sense, just one big fat finger.

Shhhh ...

BitPay wasn't in a hurry to mention anything either. Shocker there. Only by way of public documents in the form of a lawsuit has this event come to light. As it turns out, BitPay's insurance company refused to cover the blunder. Ya think? 

I cannot speak to the particular policy coverage of BitPay and its insurance company, but let's look at the facts here.

The Chief Financial Officer is typically the executive chosen to oversee the money and financial matters of an organization and given the fact that this guy could so easily just toss 1.8 million any which direction he saw fit, there's no reason to question his authority in this case.

This particular Chief Financial Officer makes the decision (there were no reports of guns be held to heads or anything of that nature) to send 1.8 million bucks, in irreversible payment mind you, somewhere it did not belong because he was either duped, typed in the wrong information, or just plain and simply suffers from being an idiot. 

Hell, for all we know, he may well have sent it to his own damn wallet. Perhaps unknowingly while sleeping behind the wheel of his car on his way to work that morning.

The point is, this is a hard sell for any insurance reimbursement. If this somehow worked out in Bitpay's favor then there's a new line of insurance fraud scams coming down the pipe shortly thereafter.

Internal Controls And Common Sense, Or A Lack Thereof

Financial service companies have procedures. Lots and lots of procedures. They are called control documents and they are written instructions that every employee that touches any type of money or value must learn. Technically Bitpay is a software company,however one servicing a financial industry and a seemingly well run organization, so I really find it hard to believe that these types of control so not exist in some form or fashion at Bitpay. 

Furthermore, I find it even harder to believe that there was not some step on some document somewhere that required some level of validation beyond that of just an email.

Think about how many steps you have to go through to simply cash a $5 check. How many more for a $5,000 check. In many cases even a thumbprint is required. Apparently over at the Bitpay camp, just an email will suffice. 

Now I seriously doubt this man meant to do this and I am most certain this is something he deeply regrets, who wouldn't, that's allot of egg to clean off of one's face. There was an obvious breakdown in procedure here and in one small defense of the CFO, this scammer-hacker-phishing shithead was likely very slick and very convincing. Just from what is evident, this individual had knowledge of the internal Bitpay operations and that is what these folks spend copious amounts of time becoming exceptional at. It is there job to trick you.

I certainly am no advocate for insurance companies. They can be downright evil and try to weasel their way out of paying anything to anyone, ever. However, this is particular case it sounds like this could have been avoided with tighter internal controls and some due diligence, or perhaps by simply following procedure of existing controls.

If procedure was followed, then Bitpay just might want to think about heading back to the drawing board on that control. 


Post a Comment

Post a Comment

Powered by Blogger.