Title: Tracing Mt. Gox Hack
Post by: bgok on June 20, 2011, 12:43:39 AM
I was interested to see how the perpetrators of the Mt. Gox hack would try to hide the money. Since every transaction is publicly visible, you really can't. It's not possible to get the BTC back, but you can try to figure out where it ended up. This is what I found.
Here's a suspicious looking set of transactions: http://blockexplorer.com/tx/84f96975ea88d317676771a482c71f39ff53beda790c89c07ae82e427b4d090f (can anyone confirm that the timestamp is about the time of the hack? This transaction would have happened very close to the moment BTC went to US$.01)

Here's the history of the receiving address: http://blockexplorer.com/address/18T3AFPJ2sTu6ti7gGj5x52uzJNmVFw9y9

Most of the BTC were sent to: http://blockexplorer.com/address/1LceqX2YsnmuhfkUePV6M2hJP9zMoWphn

Keep following the chain like this and the BTC is broken up into 50K chunks. It's fairly easy to follow the money all the way to the end of the chain and get a fairly small set of addresses where it ended up. I'd publish all of the addresses from this chain of transactions, but some of the chains have already been extended. It would also be interesting to search Google and all bitcoin forums for the addresses in these transactions.

Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?

Title: Re: Tracing Mt. Gox Hack
Post by: BitcoinPorn on June 20, 2011, 12:53:53 AM
I love it, Bitcoins are the most non anonymous form of currency, however I still like it more than cash.
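
The forward trace described in the first post of this thread (follow each output of a starting transaction to whatever spends it, until the chain ends), shown as an added example that is not part of any post. The ledger, transaction ids and addresses are constructed, and the rule that one tainted input taints the whole transaction is an assumption of this sketch.

```python
from collections import deque

# Constructed sample ledger (not real chain data): txid -> inputs and outputs.
# An input is (previous txid, output index); an output is (address, amount in BTC).
TXS = {
    "ROOT":  {"inputs": [], "outputs": [("addr_A", 100)]},
    "CLEAN": {"inputs": [], "outputs": [("addr_X", 10), ("addr_Y", 5)]},
    "T1": {"inputs": [("ROOT", 0)], "outputs": [("addr_B", 50), ("addr_C", 50)]},
    "T2": {"inputs": [("T1", 0)], "outputs": [("addr_D", 50)]},
    "T3": {"inputs": [("T1", 1), ("CLEAN", 0)], "outputs": [("addr_E", 60)]},
    "T4": {"inputs": [("CLEAN", 1)], "outputs": [("addr_Z", 5)]},
}

def build_spend_index(txs):
    """Map each spent outpoint (txid, index) to the txid that spends it."""
    return {outpoint: txid for txid, tx in txs.items() for outpoint in tx["inputs"]}

def trace_from(txs, root_txid):
    """Follow every output forward from root_txid.

    Returns (tainted_txids, terminals), where terminals are the unspent
    outputs at the end of each chain as (address, amount) pairs.
    Policy assumption: a transaction with any tainted input is fully tainted,
    so a terminal amount can include value mixed in from unrelated inputs.
    """
    spent_by = build_spend_index(txs)
    tainted, terminals = {root_txid}, []
    queue = deque([root_txid])
    while queue:
        txid = queue.popleft()
        for index, (address, amount) in enumerate(txs[txid]["outputs"]):
            spender = spent_by.get((txid, index))
            if spender is None:
                terminals.append((address, amount))  # chain ends here
            elif spender not in tainted:
                tainted.add(spender)
                queue.append(spender)
    return tainted, sorted(terminals)

def is_rooted_in(txs, txid, root_txid):
    """The check asked about in the post: does txid descend from root_txid?"""
    return txid in trace_from(txs, root_txid)[0]

if __name__ == "__main__":
    tainted, terminals = trace_from(TXS, "ROOT")
    print(sorted(tainted), terminals)
```

In the sample, T3 merges a traced output with an unrelated one, which is why its 60 BTC terminal is larger than the 50 BTC that actually came from the root.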

Title: Re: Tracing Mt. Gox Hack
Post by: dev^ on June 20, 2011, 01:03:37 AM
Here you have a log of all Mt. Gox trades between 19:15:36 and 20:13:51 (GMT +2). Maybe it's useful in some way.
The file was produced by the debug output from some of my monitoring tools. https://rapidshare.com/files/624965338/history.txt

Title: Re: Tracing Mt. Gox Hack
Post by: elk-tamer on June 20, 2011, 01:07:57 AM
Quote
Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?

Title: Re: Tracing Mt. Gox Hack
Post by: Big Time Coin on June 20, 2011, 01:11:22 AM
Thanks for the info, it looks like it all happened in one second, all the trades cleared in one second. Tux really has his work cut out for him. Anyway, someone called "Ross" posted this on the mtgox comments today:
Quote
Are you certain that an account was compromised or that the account itself was a collection of compromised BTC? Some time should be spent thinking about the result of when/how you determine intervention should be applied to the market. See: http://blockexplorer.com/address/1KLahQtqDNAXvrjNyfvgSBtAhwco5ZxLp4 for what I'm talking about. This address received large sums of BTC from many different addresses all at one time a week ago. That BTC was then transferred to MtGox and dumped on the market at once. I can't read blockexplorer too well, but it does deter from the theory proposed by mtgox that this was a "hack". I mean, if someone consolidated 400k+ bitcoins all at once a week ago from several addresses and then transferred to mtgox all those coins, then the same day sold them all. That's not a hack, that is something else.

Title: Re: Tracing Mt. Gox Hack
Post by: Wildvest on June 20, 2011, 01:15:23 AM
very interesting

Title: Re: Tracing Mt. Gox Hack
Post by: darkgamer on June 20, 2011, 02:35:21 AM
new spam email being sent out
Delivered-To: my email
Received: by 10.204.49.86 with SMTP id u22cs24977bkf; Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received: by 10.150.63.12 with SMTP id l12mr5078373yba.120.1308532635049; Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Return-Path: <bittrader566@yahoo.com>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33]) by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14; Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) client-ip=67.18.176.33;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) smtp.mail=bittrader566@yahoo.com
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Date: 20 Jun 2011 01:17:14 -0000
Message-ID: <20110620011714.22897.qmail@mail.daveblood.com>
From: bittrader566@yahoo.com
To: myemail
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698 Sign up at Trade Hill today! http://www.tradehill.com/?r=TH-R13698

Title: Re: Tracing Mt. Gox Hack
Post by: bgok on June 20, 2011, 04:23:20 AM
Quote
new spam email being sent out

Be sure to report it as spam.

Title: Re: Tracing Mt. Gox Hack
Post by: Big Time Coin on June 20, 2011, 04:55:13 AM
can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above? Trace it, like OP suggested.

Title: Re: Tracing Mt. Gox Hack
Post by: SomeoneWeird on June 20, 2011, 04:59:46 AM
Quote
can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above? Trace it, like OP suggested.

You can't.

Title: Re: Tracing Mt. Gox Hack
Post by: linenoise on June 20, 2011, 05:49:38 AM
Am I reading that right, a 300K and a 400K chunk of bitcoins? If so that's a significant portion of the entire pool.

Title: Re: Tracing Mt. Gox Hack
Post by: figvam on June 20, 2011, 07:29:58 AM
It (a 432k transfer) was Mt.Gox operator's attempt at securing the remaining funds, as they explained somewhere.

Title: Re: Tracing Mt. Gox Hack
Post by: lewicki on April 23, 2013, 01:19:25 AM
Quote
new spam email being sent out
Delivered-To: my email
Received: by 10.204.49.86 with SMTP id u22cs24977bkf; Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received: by 10.150.63.12 with SMTP id l12mr5078373yba.120.1308532635049; Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Return-Path: <bittrader566@yahoo.com>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33]) by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14; Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) client-ip=67.18.176.33;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) smtp.mail=bittrader566@yahoo.com
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Date: 20 Jun 2011 01:17:14 -0000
Message-ID: <20110620011714.22897.qmail@mail.daveblood.com>
From: bittrader566@yahoo.com
To: myemail
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698 Sign up at Trade Hill today! http://www.tradehill.com/?r=TH-R13698

How's the volume over there? Their front page makes it look pretty iffy.

Title: Re: Tracing Mt. Gox Hack
Post by: Jason101 on April 23, 2013, 08:48:51 AM
you are quoting something from 2011
it's a totally new site now

Title: Re: Tracing Mt. Gox Hack
Post by: eco on April 23, 2013, 08:56:44 AM
yes certainly has changed quite a bit since then... no doubt.

Title: Re: Tracing Mt. Gox Hack
Post by: Darkcoins on April 23, 2013, 09:38:46 AM
Someone munched a lot of coins.. Nom Nom.. :D