
Cyber Incident Victim: KeepKey

Date: Dec 2016

Location: United States of America

Summary

A hardware bitcoin wallet provider experienced a security incident where an attacker temporarily compromised the founder's phone and email, enabling unauthorized password resets for some accounts. The breach exposed customer addresses, emails, and phone numbers through third-party sales and logistics vendor accounts, though no customer funds were jeopardized due to the offline nature of the devices. The company swiftly contained the incident by disabling the compromised email domain, reversing unauthorized account changes, and engaging law enforcement with collected evidence. While most accounts were recovered during a phone interaction with the attacker, one social media account remained temporarily affected. The firm extended refund policies for all customers and offered a cryptocurrency reward for information leading to the attacker's arrest, emphasizing no financial negotiations occurred.


Description

On December 25, 2016, between approximately 9:00 PM and 10:00 PM PST, an attacker compromised the Verizon account of KeepKey's founder by activating a new phone under the PIN-protected account. This access enabled the attacker to initiate an account recovery process for the founder's email account, which they then used to reset passwords for multiple accounts linked to that email. KeepKey detected the unauthorized email activity at 10:00 PM PST and responded by shutting down all email services for their entire domain within 30 minutes. By 11:00 PM PST, the company had established a secured, limited-capability email server to systematically reverse the account resets performed by the attacker.

During containment efforts, the attacker contacted KeepKey via phone, demanding 30 BTC in exchange for disclosing their intrusion methods, destroying accessed data, returning control of accounts, and maintaining secrecy about the breach. KeepKey engineers engaged the caller under the pretense of negotiation while continuing account recovery operations, successfully regaining control of all compromised accounts except the @bitcoinkeepkey Twitter handle, where email linkage changes slowed restoration. The company publicly disclosed the incident via Reddit and direct outreach to prominent cryptocurrency community members after the attacker issued a two-hour compliance ultimatum.


The attacker temporarily accessed KeepKey's sales distribution channel, shipping logistics vendor account, and email marketing software, exposing customer addresses, emails, and phone numbers for an undetermined subset of users. KeepKey confirmed its internal computers, servers, network infrastructure, and customer support portal remained uncompromised, with no risk to cryptocurrency funds stored on offline hardware wallets, since their design prevents remote access to private keys. The company notified potentially affected customers about the exposure of personal data while emphasizing that transaction histories and wallet balances were never accessible to the attacker or company personnel. On December 26, KeepKey filed two FBI Cyber Division reports containing attacker-related data including IP addresses, phone numbers, browser details, and email headers, acknowledging the likelihood that obfuscation techniques were employed.

In response to the incident, KeepKey extended its standard 30-day refund policy to all customers regardless of impact status and initiated revisions to its data retention policies to minimize future data exposure risks. The company implemented measures to prevent email account compromises through carrier vulnerabilities and decoupled business emails from third-party accounts containing sensitive information. KeepKey offered a 30 BTC reward for information leading to the attacker's arrest, matching the ransom demand amount but requiring arrest rather than silence as the condition for payment.
