$100 000 USD
DESCRIPTION OF EVENTS
"Canadian Bitcoins is a cryptocurrency brokerage allowing customers to buy or sell bitcoins, litecoins and other cryptocurrencies." "Fill out the BUY form on the Buy/Sell page. Specifying the amount of $CAD you wish to spend on Bitcoins/Crypto, and your wallet address that you want to receive the purchased crypto at. Choose your payment method, and follow the instructions that are emailed to you. When we receive the payment, we will deposit the Bitcoins/crypto to the provided wallet address." "Please note orders must still be approved manually on our side before any coins are sent, typically Mon-Fri 9-5." "We can currently only service Canadians, living in Canada."
"Canadian Bitcoins’ servers were being run by a company called Rogers Data Centre (who were technically in the process of taking the data centre over from its previous operator, Granite Networks)." "Rogers bought Granite Networks for $6.25 million in late September." "The 28,000-square-foot centre, located on Hazeldean Road in Bells Corners, was built to some of the highest security standards in the industry."
"The Ottawa police are investigating an Oct. 1, 2013, incident at Canadian Bitcoins, when someone opened an online chat session with a technical support worker at Granite Networks, now owned by Rogers Communications, and claimed to be Canadian Bitcoins owner James Grant." "A hacker was allegedly able to steal 149 bitcoin, or around $100,000 at the time, from Canadian Bitcoins by messaging Rogers Data Centre and just asking for access to the servers."
"With nothing more than a chat session and smooth talk, a crafty cybercriminal convinced an attendee at Rogers Data Centre to reboot the Canadian Bitcoins server in fail safe mode, bypassing all security measures."
"The Bitcoin thief started a customer service chat session with Granite Networks, the company hosting Canadian Bitcoins’ server, and claimed to have a problem with it." "The hacker pretended to be Canadian Bitcoins CEO James Grant over instant message – just by saying “I am James Grant”, there wasn’t any fancy trickery going on – and was given access." “It’s ridiculous,” said the real James Grant when asked about the incident. “There was absolutely zero verification of who it actually was.” "The server was rebooted in safe mode, which bypassed the all-important security measures that would normally keep it safe."
"According to a text copy of the chat session obtained by the Citizen, at no point during the nearly two-hour-long conversation was the caller asked to verify his identity. After being asked, the technical support worker gained access to Grant’s locked server pen, plugged in a laptop and then manually gave the fraudster access to Canadian Bitcoins servers, where he cleaned out a wallet containing 149.94 bitcoins, valued at around $100,000."
"Grant said the damage could have been far worse. But Canadian Bitcoins only keeps a small amount of the currency in its active online wallet to allow for small trades and transfers. The vast majority of customers’ bitcoins are securely stored in an inactive wallet which is locked in a safety deposit box. To access those reserves, customers must leave notice."
"After the intrusion, Grant said he noticed the server had been rebooted several times, but couldn’t access it from the company’s offices. The company’s servers are configured so they are only accessible from Canadian Bitcoins’ head office in Nepean."
"In order to check the servers himself, he needed to call two hours in advance to alert Rogers officials about his visit. He then needed a key card to enter the building, enter the lobby, activate the retinal scanner, pass through two more sets of locked doors and then he had to provide a numeric code to unlock the padlocked gate on the cage of his servers."
“The situation surrounding this customer is unique to this customer, and does not apply to any other customer of Rogers Data Centres. Rogers has been fully co-operative with authorities in the investigation,” according to a statement from the company. “Rogers Data Centres provides the highest level of security in the Canadian data centre industry. Its security protocol is operationally certified and in accordance with industry best practices. We have reviewed our security processes and continue to work with our customers to make sure they take advantage of all of our security features.”
"Canadian Bitcoins covered the $100,000 loss out of their own pocket, Grant said, and moved to get their computer equipment out of the facility."
"Rogers said it has offered Canadian Bitcoins a “credit” as a result of the situation. Grant said the credit was nowhere near sufficient to cover the company’s loss and as a result his firm is contemplating legal action."
Canadian Bitcoins offers a cryptocurrency brokerage service based in Ottawa. Their wallet was hosted in a prestigious Rogers data center with an impressive array of security. However, one staff member there was fully accommodating to a James Grant impersonater, and granted him full access to the server, where he proceeded to steal the full $100k balance of the company hot wallet.
HOW COULD THIS HAVE BEEN PREVENTED?
The problem came about due to a lack of verification on access to key server infrastructure, and could also have been mitigated by running transactions through a multi-sig with a separate system. These funds were in the Canadian Bitcoins hot wallet and stored online. As with all hot wallets, the loss of the entire balance should be planned for. No customer funds were lost, as the balance was all platform funds. (Canadian Bitcoins does not custody customer funds.)
100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 24)
Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 4)
The 9 Biggest Screwups in Bitcoin History (Oct 1)
No Title? (Nov 12)
Canadian Bitcoins - Headquarter Locations, Competitors, Financials, Employees (Nov 12)
Canadian Bitcoins - 26 Reviews - Bitcoin Exchange - BitTrust.org (Nov 12)
How it Works - Canadian Bitcoins (Nov 12)
Ottawa bitcoin exchange defrauded of $100,000 in cyber currency | Ottawa Citizen (Nov 12)
Ottawa bitcoin exchange defrauded of $100,000 in easiest heist ever | Financial Post (Nov 12)