On December 6, 2017, NiceHash suffered a security breach in which 4,736 bitcoins were stolen.
At the time, NiceHash immediately took all necessary steps to ensure a complete and thorough investigation of the incident. We urgently reported the incident to law enforcement in Slovenia and promptly hired LIFARS, the global leader in incident response, digital forensics, ransomware mitigation and cyber resiliency services based in New York. In the days and months following the incident, we cooperated with EU law enforcement, including Europol, and U.S. law enforcement agencies, including the Secret Service, DHS and FBI, while LIFARS specialists worked to identify the origin of the breach and attempt to recover the misappropriated funds.
While the official investigation, led by U.S. law enforcement agencies, is still in progress, we wanted to shed some light on the origin of the breach.
It is clear that the threat actor gained persistent access to the NiceHash internal network through a spear phishing email and was able to perform lateral movement within our data center via the stolen VPN credentials. The indicators of compromise (IoCs) recovered in the digital forensic analysis of the breach showed similarities with the tactics, techniques and procedures (TTPs) of a known nation-state threat actor. Based on the method and procedures of intrusion, this attack resembles TTPs used by the Lazarus group, though the full threat actor attribution is still under investigation by the U.S. law enforcement agencies.
“The threat actor performed a technically flawless compromise of the NiceHash systems, and with military precision executed the transfer of bitcoins. This attack was targeted, and the threat actor was highly skilled, organized and acted with high speed”, commented Ondrej Krehel, CEO of LIFARS.
Due to international limitations on freezing and operating with bitcoin wallets, NiceHash was not able to recover any stolen funds, but we remain fully committed to our Repayment program. NiceHash has created the Repayment program for NiceHash internal wallet users and external wallet users that were affected by the security breach. The Repayment program started on Friday, February 2, 2018, and 69% of the old balance amount has already been reimbursed successfully to all users that were impacted by the security breach.
Thank you for your support,
Your NiceHash team.
NiceHash is the world’s largest crypto-mining marketplace. It is based on the concept of a sharing economy by connecting sellers and buyers of computing power from all over the world. Buyers rent computing (hash) power through the NiceHash online platform. Sellers or miners provide hash power by connecting to the NiceHash marketplace with NiceHash's own mining software, NiceHash Miner.
LIFARS is a trusted elite digital security solutions company. Established in 2012, with an abundance of experience in the field of cybersecurity, it provides cutting-edge digital forensics, security and advisory services, including managed detection, advisory consulting, response tools and risk assessment for enterprise-wide digital security. The team consists of analysts and engineers that have worked with the US Intelligence Community, FBI, DHS, US Secret Service, Interpol, Europol and NATO Offensive Unit. LIFARS resiliency experts are natural masters in emergency incident response containment, penetration testing, incident prevention and recovery.