Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: zhoutong on March 02, 2012, 03:37:39 AM



Title: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: zhoutong on March 02, 2012, 03:37:39 AM
We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.

However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount. For transparency, we would like to disclose all the suspicious transaction ids in this incident:

{
        "account" : "",
        "address" : "1F3czt4VGUGdmrXW4qbh8hbQZ1hcHpwFGT",
        "category" : "send",
        "amount" : -1999.00000000,
        "fee" : -0.01750000,
        "confirmations" : 99,
        "txid" : "5a09f4ef0e91bc7bc044365cd27236fe4ac3c02088ac21ab51c93c8a11d33d4b",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1DMuVKe9PKpx3dbs2b2MnXuVmLfA4drHif",
        "category" : "send",
        "amount" : -20555.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "7b45c1742ca9f544cccd92d319ef8a5e19b7dcb8742990724c6a9c2f569ae732",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "13CmJpbAueuWiPKw3UYU4vXEcZ4WzP6nxt",
        "category" : "send",
        "amount" : -3000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1978kFf3WKYiZsy89WX6qJ8vxWAbRWFGLq",
        "category" : "send",
        "amount" : -0.01002773,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1JL7vc2Ecn8QeeBYdpAP22pVpaSP6Cni3J",
        "category" : "send",
        "amount" : -3000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "a57132e2cbc580ac262aa3f7bac1e441d6573f9633118bc48009618585a0967e",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "13CmJpbAueuWiPKw3UYU4vXEcZ4WzP6nxt",
        "category" : "send",
        "amount" : -3000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "15WoJ7L4AUfGHWdGj45NY9rFNiwU48woX2",
        "category" : "send",
        "amount" : -0.01002644,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7",
        "category" : "send",
        "amount" : -2000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "ff04763e3e8c93e43799dbbca833e183faad7e2611f20f136f47c2f1049481ae",
        "time" : 1330584607
    },
   {
        "account" : "",
        "address" : "1AaXeH5DuP6FpPxdCn9RGXKWhSG4r9Hq9q",
        "category" : "send",
        "amount" : -10000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0",
        "time" : 1330584607
    }

Again, we would like to reassure that trading will not be in any way affected and we are already in the process of contacting Linode regarding this incident. The Bitcoinica system has not been compromised and our reserves are more than sufficient for regular trading activities.
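
Added example, not part of the original post: a Python sketch that reconciles the wallet entries listed above against the stated 43,554 BTC loss. The amounts and fees are copied from the post, each txid is shortened to its first eight hex characters, and the function names are this example's own.

```python
import json
from collections import defaultdict
from decimal import Decimal

# Amounts and fees as posted above; each txid is shortened to its first
# 8 hex characters (a label for this example, not the full identifier).
POSTED_FRAGMENT = """
{"category": "send", "amount": -1999.00000000, "fee": -0.01750000, "txid": "5a09f4ef"},
{"category": "send", "amount": -20555.00000000, "fee": 0.00000000, "txid": "7b45c174"},
{"category": "send", "amount": -3000.00000000, "fee": 0.00000000, "txid": "901dbcef"},
{"category": "send", "amount": -0.01002773, "fee": 0.00000000, "txid": "901dbcef"},
{"category": "send", "amount": -3000.00000000, "fee": 0.00000000, "txid": "a57132e2"},
{"category": "send", "amount": -3000.00000000, "fee": 0.00000000, "txid": "a82ad852"},
{"category": "send", "amount": -0.01002644, "fee": 0.00000000, "txid": "a82ad852"},
{"category": "send", "amount": -2000.00000000, "fee": 0.00000000, "txid": "ff04763e"},
{"category": "send", "amount": -10000.00000000, "fee": 0.00000000, "txid": "0268b728"}
"""


def load_entries(fragment):
    """Parse a comma-separated run of JSON objects (no enclosing array, as posted).

    parse_float=Decimal keeps all eight decimal places exact.
    """
    body = fragment.strip().rstrip(",")
    if not body.startswith("["):
        body = "[" + body + "]"
    return json.loads(body, parse_float=Decimal)


def reconcile(entries):
    """Group wallet entries by txid.

    The posted list has one entry per destination address, so a txid can
    appear more than once. The fee belongs to the transaction, so it is
    counted once per txid (largest magnitude seen), never summed across
    that txid's entries.
    """
    per_tx = defaultdict(lambda: {"sent": Decimal(0), "fee": Decimal(0), "outputs": 0})
    for e in entries:
        if e.get("category") != "send":
            continue  # deposits and internal moves are not part of the loss
        tx = per_tx[e["txid"]]
        tx["sent"] += -Decimal(e["amount"])  # "send" amounts are negative
        tx["fee"] = max(tx["fee"], abs(Decimal(e.get("fee", 0))))
        tx["outputs"] += 1
    return dict(per_tx)


def totals(per_tx):
    """Return (total sent, total fees) across all grouped transactions."""
    sent = sum((t["sent"] for t in per_tx.values()), Decimal(0))
    fees = sum((t["fee"] for t in per_tx.values()), Decimal(0))
    return sent, fees


if __name__ == "__main__":
    summary = reconcile(load_entries(POSTED_FRAGMENT))
    for txid, t in summary.items():
        print(f"{txid}  outputs={t['outputs']}  sent={t['sent']}  fee={t['fee']}")
    sent, fees = totals(summary)
    print(f"transactions={len(summary)}  sent={sent}  fees={fees}")
```

The nine entries collapse to seven transactions, and the whole-BTC part of the total matches the 43,554 figure in the post; the remainder is the two small outputs plus one fee.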


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: theymos on March 02, 2012, 03:39:23 AM
How can you reimburse that much? Have you really made that much profit?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 03:39:58 AM
unbelievable.  and you're going to be able to reimburse all your customers?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 03:40:51 AM
there goes Zhou's tuition.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bbit on March 02, 2012, 03:41:47 AM
my mouth dropped  :o


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: tonto on March 02, 2012, 03:43:36 AM
*whew* my coins are still safe on his server.  :D


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: jimbobway on March 02, 2012, 03:44:16 AM
 :-[ :-[ :-[


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: zhoutong on March 02, 2012, 03:44:31 AM
How can you reimburse that much? Have you really made that much profit?

Yes, our historical profit is fairly sufficient to cover the loss from this incident, and we believe that it's in the best interest of the community to keep running the business. We will take appropriate strategies and implement more security features to prevent this from happening ever again, even with the presence of dishonest partners or employees.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 03:45:38 AM
http://status.linode.com/2012/03/manager-security-incident.html



Quote
Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

ok, 8 accts:  Zhou, Gavin, Slush.  who are the other 5?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Clipse on March 02, 2012, 03:47:54 AM
I can't help but know some Linode employee won't be at work tomorrow.

This all is way way way too convenient, seems like an inside job planned over time with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is a lot of money, please for all of us make it your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: jimbobway on March 02, 2012, 03:48:20 AM
ok, 8 accts:  Zhou, Gavin, Slush.  who are the other 5?

Seems likely an attacker would have or has had a linode account as well...


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Jointops420 on March 02, 2012, 03:48:42 AM
Bravo to you and slush. I am sure it will come back to you in trust but what a mongrel act that's been committed.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: mb300sd on March 02, 2012, 03:50:53 AM
http://status.linode.com/2012/03/manager-security-incident.html



Quote
Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

ok, 8 accts:  Zhou, Gavin, Slush.  who are the other 5?

I would hope zhou doesn't keep 40k btc on one server  :o, I assume more than 1 was bitcoinica


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: jimbobway on March 02, 2012, 04:02:12 AM
zhoutong, thx for being part of the bitcoin community and being a class act.  I hope Linode provides you with all of the compensation.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Rassah on March 02, 2012, 04:07:51 AM
I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stick_theman on March 02, 2012, 04:11:21 AM
Thanks Bitcoinica for keeping cool and maintaining your integrity.

But, wtf @ Linode?!!!  Where's that Vice President?!!!  We need him to get on the forum ASAP!!!!!!  This has to be an inside/co-ordinated job.  All these happened at the same time.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: The-Real-Link on March 02, 2012, 04:12:03 AM
Wow that's one heck of an attack.  Terribly sorry to hear about the loss but hopefully you can recuperate in some way with the company or community.

Is Linode like a version of Linux or server software, or just a hosting company such as 1&1, Dreamhost, GoDaddy etc.?  I suppose whether it is Windows, Linux, or Mac, if someone knows what they are doing it doesn't matter what software runs the wallet.  A user could get to the right files if they know.  


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 04:13:50 AM
Zhou, talk to Mark at mtgox.  i bet there's something he can do to intercept at least some of these coins as the thief tries to cash out on mtgox.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cablepair on March 02, 2012, 04:21:39 AM
You’re a class act for standing behind your business and accepting the burden of loss yourself.

Your losses can be decreased substantially if you wait to reimburse your clients until after the associated market drop that will follow this event.


+1

but I have to ask, is there something I am missing here, why was this wallet with over $200k worth of bitcoins not encrypted with a strong password?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kiba on March 02, 2012, 04:22:05 AM
Maybe you should consider reducing your hot wallet? A little inconvenience is a lot better than losing that much money.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cablepair on March 02, 2012, 04:23:08 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 04:24:26 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

you would think so  ::)

whats the excuse for not doing this?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stick_theman on March 02, 2012, 04:24:42 AM
Wow that's one heck of an attack.  Terribly sorry to hear about the loss but hopefully you can recuperate in some way with the company or community.

Is Linode like a version of Linux or server software, or just a hosting company such as 1&1, Dreamhost, GoDaddy etc.?  I suppose whether it is Windows, Linux, or Mac, if someone knows what they are doing it doesn't matter what software runs the wallet.  A user could get to the right files if they know.  

Looks like Linode is just a hosting company.  Link: http://en.wikipedia.org/wiki/Linode

I heard from Slush's thread that the Super Admin at Linode can login to any of the virtual server/websites, including Slush's mining pool and Bitcoinica.

I think MtGox should take note... possibly migrate to a non-US server??  

I bet there's a team of people, be it insider or outsider, poppin' toasting champagne right now, as this is a concerted effort to bring down bitcoins.



Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: zhoutong on March 02, 2012, 04:24:49 AM
You’re a class act for standing behind your business and accepting the burden of loss yourself.

Your losses can be decreased substantially if you wait to reimburse your clients until after the associated market drop that will follow this event.


+1

but I have to ask, is there something I am missing here, why was this wallet with over $200k worth of bitcoins not encrypted with a strong password?

The root password has been changed via the customer service interface at Linode. The ruby gem we were using to process Bitcoin withdrawals did not support encrypted wallets. We have already migrated to a secure hosting with only intranet incoming access.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kiba on March 02, 2012, 04:26:04 AM
Looks like Linode is just a hosting company.  Link: http://en.wikipedia.org/wiki/Linode

I heard from Slush's thread that the Super Admin at Linode can login to any of the virtual server/websites, including Slush's mining pool and Bitcoinica.

I think MtGox should take note... possibly migrate to a non-US server??  

I bet there's a team of people, be it insider or outsider, poppin' toasting champagne right now, as this is a concerted effort to bring down bitcoins.

This doesn't hurt bitcoin. It makes bitcoin stronger. What doesn't kill us makes us stronger, more aware of the danger.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: chrisrico on March 02, 2012, 04:26:12 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

you would think so  ::)

whats the excuse for not doing this?

If payments were automated, it would have to decrypt the keys at some point...

What may have prevented this is multi sig transactions.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bearbones on March 02, 2012, 04:26:43 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kiba on March 02, 2012, 04:27:43 AM
Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

Zhou could have reduced his loss significantly by reducing the amount of bitcoin that were in the hot wallet. It could be 10,000 bitcoin, for example.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cablepair on March 02, 2012, 04:27:59 AM
so basically the problem here is no one was using encrypted wallets because the web apps they were connected to were not compatible

damn what a shame thats a lot of money :( props to the OP for doing the right thing.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: smickles on March 02, 2012, 04:31:49 AM
so basically the problem here is no one was using encrypted wallets because the web apps they were connected to were not compatible
yeah... no


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Clipse on March 02, 2012, 04:33:32 AM
Not trying to heat up the waves but what are the chances the recent dump is related to these coins.

As much as I hate regulation of any kind, I hope Mark can look at the person(s) dumping right now and see if the coins they moved are part of the coins stolen.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cablepair on March 02, 2012, 04:33:41 AM
yeah .... no?

explain to me how I am wrong.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bitcoinBull on March 02, 2012, 04:34:11 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cablepair on March 02, 2012, 04:34:35 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.

thank you.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: drakahn on March 02, 2012, 04:35:29 AM
so basically the problem here is no one was using encrypted wallets because the web apps they were connected to were not compatible

damn what a shame thats a lot of money :( props to the OP for doing the right thing.

even if the 'web apps' were compatible, they would need to know the encryption key, so anyone with access would also have the encryption key


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: smickles on March 02, 2012, 04:36:00 AM
yeah .... no?

explain to me how I am wrong.
as was mentioned before, the wallet would have to be decrypted at some point in time to use it, the attacker had root access so they would see the unencrypted wallet. This means that an encrypted wallet would not have helped out at all.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kiba on March 02, 2012, 04:36:23 AM
In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.

AND multisignature

AND low amount of BTC in your hot wallet in case your defense in depth got bypassed.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: smickles on March 02, 2012, 04:38:02 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.
why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bbit on March 02, 2012, 04:38:08 AM
In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.

AND multisignature

AND low amount of BTC in your hot wallet in case your defense in depth got bypassed.

this ^^


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: btc_artist on March 02, 2012, 04:41:13 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.
why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use?
You have to enter the wallet password/passphrase after rebooting/restarting bitcoin.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Clipse on March 02, 2012, 04:41:32 AM
Watch MTGOX, Im telling you someone is dumping these coins right now.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: smickles on March 02, 2012, 04:42:35 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.
why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use?
You have to enter the wallet password/passphrase after rebooting/restarting bitcoin.
am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bbit on March 02, 2012, 04:44:01 AM
Watch MTGOX, Im telling you someone is dumping these coins right now.

This is right. Why not catch the thief at this part of the chain?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: btc_artist on March 02, 2012, 04:44:51 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.
why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use?
You have to enter the wallet password/passphrase after rebooting/restarting bitcoin.
am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for?
Yes, an attack like that could also be done, although it would have to be slightly more sophisticated than today's attack. Likely you would modify bitcoind to log the passphrase to a file somewhere.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: rjk on March 02, 2012, 04:45:00 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.
why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use?
You have to enter the wallet password/passphrase after rebooting/restarting bitcoin.
am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for?
Pretty sure such a random suspicious reboot would cause the poolop to review the server before entering any creds anywhere. Especially when his Linode access manager says that there was a login to his account a few minutes before, not caused by him.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kiba on March 02, 2012, 04:45:40 AM
Watch MTGOX, Im telling you someone is dumping these coins right now.

The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identities or compromise several mtgox accounts.


IANASE, but keep in mind that AML increases the barrier of entry, reducing competition and privacy of users. Keeping record of user identity is also a security liability if identity thieves get their hands on it.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: mrb on March 02, 2012, 04:45:56 AM
We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.

However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount.

When you introduced Bitcoinica, you claimed one of your security advantages was that you "did not operate a Bitcoin wallet" and that "all your funds are stored on MtGox". Source: https://bitcointalk.org/index.php?topic=42267.msg514429#msg514429

However this theft makes it apparent that you changed your mind, as you lost a wallet. Why did you change your mind about hosting the wallet on your own servers? You had a great idea, you should have stuck with it.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Sergey (imcex.com) on March 02, 2012, 04:46:10 AM
zhoutong, I do appreciate what you are doing for the community. This is a hell of responsibility you are taking, good job.

But, please, explain to me - how could you be keeping the whole bunch of Bitcoins in a single wallet running on the VPS (!!!) in the wild? Having $200,000-250,000 worth of customers' funds would make me invest my own money in renting dedicated server at least. Or two. Considering even this not being totally secure - it still would provide much more security at $50/month cost.

But hell, who cares about security at $50/month! Being a hero at $200 grands is much more effective!


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Clipse on March 02, 2012, 04:47:18 AM
Watch MTGOX, Im telling you someone is dumping these coins right now.

The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identities or compromise several mtgox accounts.

If Mark isn't aware of watching for this, he might just let this guy withdraw all the funds over a few days, I'm not sure what the endgame is however some individual (yes it was way too coordinated, watch the graphs) solely dumped just over 20k BTC already.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cablepair on March 02, 2012, 04:47:37 AM
i mean seriously, could not this whole thing been prevented if the wallet was just encrypted?

Obviously the software running against the hot wallet has to have access to it. This means that if someone roots the server, they'll be able to have the same access to the hot wallet. Encryption would not have entered into it.

Zhou, good on you for covering this! I'm having a hard enough time covering the BTCinch theft; I can only imagine how pissed you are at linode.

In this case, encryption would have protected the wallet because the attacker was only able to get root access after a reboot.
why would a reboot stop the attacker from seeing the wallet being unencrypted during the next use?
You have to enter the wallet password/passphrase after rebooting/restarting bitcoin.
am i missing something here? wouldn't that entry be exactly what the attacker would be waiting for?
Pretty sure such a random suspicious reboot would cause the poolop to review the server before entering any creds anywhere. Especially when his Linode access manager says that there was a login to his account a few minutes before, not caused by him.
+1, the idea that this hacker is sitting here watching a packet sniffer or a keylogger and the admin of the server with an encrypted wallet holding $200k+ is not going to think something suspicious is preposterous

it would take multiple fails for this scenario to be successful and the bottom line is an encrypted wallet would likely have saved this money. The problem is these web applications have not been developed to the level where they are able to interact with encrypted wallets. point blank.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cablepair on March 02, 2012, 04:49:28 AM
and again +200k to the op for being a man and taking care of this in a responsible way, I'm just trying to bring awareness on how we can secure bitcoin for the future. I have only like 80 bitcoins in my wallet right now but you can damn well better believe it is encrypted with a completely uncrackable password.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: rjk on March 02, 2012, 04:50:04 AM
Why did you change your mind about hosting the wallet?
my bet: mtgox limitations
^This. Especially when they are upwards of 1/3rd of MtGox's transaction volume.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bbit on March 02, 2012, 04:50:15 AM
Watch MTGOX, I'm telling you someone is dumping these coins right now.

The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identity or compromise several mtgox accounts.

If Mark isn't aware of watching for this, he might just let this guy withdraw all the funds over a few days, I'm not sure what the endgame is however some individual (yes it was way too coordinated, watch the graphs) solely dumped just over 20k BTC already.

The thinking is as someone told me on another thread is these thief(s) steal Bitcoin and spend bitcoin at silkroad etc., etc.,  which seems totally stupid to me then again I'm not a thief. What again happened the allinvain person again - did that thief cash out the BTC  at the $10,000 a mo. @ Mt.Gox ?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Eveofwar on March 02, 2012, 04:50:41 AM
and again +200k to the op for being a man and taking care of this in a responsible way, I'm just trying to bring awareness on how we can secure bitcoin for the future. I have only like 80 bitcoins in my wallet right now but you can damn well better believe it is encrypted with a completely uncrackable password.


Nothing is "uncrackable" given the amount of time.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: rjk on March 02, 2012, 04:51:07 AM
Watch MTGOX, I'm telling you someone is dumping these coins right now.

The limit for withdrawal is 10K USD for verified account, and he would need to pass fake information to MtGox's money laundering office. So the thief would need to create multiple accounts, multiple identity or compromise several mtgox accounts.

If Mark isn't aware of watching for this, he might just let this guy withdraw all the funds over a few days, I'm not sure what the endgame is however some individual (yes it was way too coordinated, watch the graphs) solely dumped just over 20k BTC already.

The thinking is as someone told me on another thread is these thief(s) steal Bitcoin and spend bitcoin at silkroad etc., etc.,  which seems totally stupid to me then again I'm not a thief. What again happened the allinvain person again - did that thief cash out the BTC  at the $10,000 a mo. @ Mt.Gox ?
Most of the coins are still floating around up there in la-la land.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kiba on March 02, 2012, 04:52:09 AM
Nothing is "uncrackable" given the amount of time.

If you don't remember your password, it's as good as lost (unless you found a way to crack them in a reasonable amount of time). There's a tradeoff between convenience and security.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Clipse on March 02, 2012, 04:59:24 AM
and its still dumping, will probably create a false panic selloff.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 05:00:37 AM
i would hold off on the congrats to Zhou until he actually delivers the coins.  that is a lot to deliver.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: k9quaint on March 02, 2012, 05:01:53 AM
Maybe the attacker will pull an "Omar" and sell the coins back to him for 40 cents on the dollar.  :o


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Etlase2 on March 02, 2012, 05:02:05 AM
bananas

B-A-N-A-N-A-S

3k was one thing, but 44k? damn


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: zhoutong on March 02, 2012, 05:04:07 AM
i would hold off on the congrats to Zhou until he actually delivers the coins.  that is a lot to deliver.

We are not discontinuing the service. Trading, deposits and withdrawals will all go back to normal in a few hours (once our new Bitcoin server has caught up with the current block).

We are honoring every single withdrawal request, large or small. No account had any balance deductions resulting from this incident.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 05:04:58 AM
i would hold off on the congrats to Zhou until he actually delivers the coins.  that is a lot to deliver.

We are not discontinuing the service. Trading, deposits and withdrawals will all go back to normal in a few hours (once our new Bitcoin server has caught up with the current block).

We are honoring every single withdrawal request, large or small. No account had any balance deductions resulting from this incident.

glad to hear you reiterate this.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kiba on March 02, 2012, 05:06:16 AM
Let's just hope you don't store 40K bitcoin of your customer's money on your red hot wallet next time.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: BkkCoins on March 02, 2012, 05:08:31 AM
Keeping this many BTC in a "hot" wallet is just nutty. I wonder if MtGox keeps that qty online? If the transfer volume really requires so much instantly available then I'd be looking at ways to use offline wallets and cron based transfers to move money between them as needed. Bitcoin has a lot of flexibility in how transactions are created and posted or batched so I think it would be wise for any business doing high volume transfers to seriously look at ways to keep account depth highly controlled.

Your ability to bounce back despite how hard hit is pretty astounding. Profits must be very worthwhile!


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Clipse on March 02, 2012, 05:09:10 AM
This is quite insane, this thief is probably following these threads, that's why he started to dump as quickly as possible now.

I still don't see the current dumping as just a phase, it's way too linear.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: zhoutong on March 02, 2012, 05:10:33 AM
Let's just hope you don't store 40K bitcoin of your customer's money on your red hot wallet next time.

We are developing a customized Bitcoin client for server use, with hard-coded security designed specifically for web apps.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stick_theman on March 02, 2012, 05:13:39 AM
We are developing a customized Bitcoin client for server use, with hard-coded security designed specifically for web apps.

That's what I'm talking about!  Fighting back like Rockie already.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bbit on March 02, 2012, 05:16:09 AM
Zhou, talk to Mark at mtgox.  i bet there's something he can do to intercept at least some of these coins as the thief tries to cash out on mtgox.
Mt.gox response so far: https://bitcointalk.org/index.php?topic=66986.msg778811#msg778811


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bitcoinBull on March 02, 2012, 05:16:55 AM
Let's just hope you don't store 40K bitcoin of your customer's money on your red hot wallet next time.

It's not customers' money anymore, but his loss.  There's plenty of blame to go around (starting with Linode), but I have enough confidence that zhou can eat the loss, and then make it back.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: max in montreal on March 02, 2012, 05:34:55 AM
Can we not follow these coins?

If i was the thief, I would deposit onto silk road and just withdraw into another wallet...there is your free coin mixer...


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: paraipan on March 02, 2012, 05:40:38 AM
This is quite insane, this thief is probably following these threads, that's why he started to dump as quickly as possible now.

I still don't see the current dumping as just a phase, it's way too linear.

+1


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: max in montreal on March 02, 2012, 05:42:11 AM
half on SR the other half on the armoury...

Scarface...


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bbit on March 02, 2012, 05:43:42 AM
half on SR the other half on the armoury...

Scarface...

naaassttyyy......


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stochastic on March 02, 2012, 06:36:11 AM
We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.

However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount. For transparency, we would like to disclose all the suspicious transaction ids in this incident:

I hope you get insurance next time to account for any losses due to theft.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: finway on March 02, 2012, 06:37:48 AM
Not much.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: pastory99 on March 02, 2012, 07:00:18 AM
This is very sad to hear. I wish you the best of luck with whatever you decide to do now.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 02, 2012, 07:01:11 AM
We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.

However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount. For transparency, we would like to disclose all the suspicious transaction ids in this incident:

I hope you get insurance next time to account for any losses due to theft.

Doesn't exist.

You could only have the USD insured.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: viboracecata on March 02, 2012, 07:02:09 AM
Good luck to zhoutong.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Bro on March 02, 2012, 07:20:15 AM
http://news.ycombinator.com/item?id=2973301


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: roomservice on March 02, 2012, 07:37:42 AM
Sorry for your loss zhoutong!

To be honest, this incident brought Bitcoinica to my attention for the first time.

Really great service, i just registered and made a deposit!

Wish you the best and good luck for the future.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: proudhon on March 02, 2012, 07:41:05 AM
I'm impressed with the way Z has handled this so far.  Sufficiently impressed that I've decided not to withdraw the bitcoin I have in bitcoinica.  Hopefully, like MtGox, bitcoinica will emerge from this more secure than ever.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: caveden on March 02, 2012, 08:44:20 AM
However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount.

I'm sincerely impressed by your good behavior here. Congratulations.

Can't you try to sue Linode or something? This is mainly their fault. I wouldn't be surprised at all if the attacker is a rogue employee of theirs.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Brian DeLoach on March 02, 2012, 08:54:28 AM
http://news.ycombinator.com/item?id=2973301

This comment is oddly prophetic.

Quote from: jerf
I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people.

I do wonder how an 18 year old is going to come up with $200,000 worth of bitcoins as reimbursement. I don't know how profitable bitcoinica has been, but that much money seems too much to overcome.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 02, 2012, 08:54:48 AM
However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount.

I'm sincerely impressed by your good behavior here. Congratulations.

Can't you try to sue Linode or something? This is mainly their fault. I wouldn't be surprised at all if the attacker is a rogue employee of theirs.

Unofficially, already working on it.

Officially, I'm not working with Bitcoinica and can't comment.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: zby on March 02, 2012, 09:12:06 AM
The question now is were user passwords compromised?  I would assume an affirmative answer to this, even if they were encrypted - this is only a matter of time.  Just like with the historical MtGox hack bitcoinica now should shut down and go through a round of account claiming.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: racerguy on March 02, 2012, 09:13:11 AM
are deposits working?  I deposited 0.1btc's from mining a while ago that still aren't showing up, 13confirms so far.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: racerguy on March 02, 2012, 09:14:15 AM
The question now is were user passwords compromised?  I would assume an affirmative answer to this, even if they were encrypted - this is only a matter of time.  Just like with the historical MtGox hack bitcoinica now should shut down and go through a round of account claiming.

The way I understood it only a machine with the hot wallet was hacked, not machines holding user data.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: FlipPro on March 02, 2012, 09:20:11 AM
Zhou's got the fucking dough WOW!  :D


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Koekiemonster on March 02, 2012, 10:14:40 AM
Tough hit Zhou! I hope P2SH will leave major hacking incidents behind us, another great lesson learned here.

I actually don't understand why everybody seems to be surprised Zhou is able to cover these losses. If you look at their volume and fees I think they easily covered this, huge hit nonetheless.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: muyuu on March 02, 2012, 10:29:45 AM
I'm a bit surprised that this whole turn of events hasn't hit the market more, to be honest.

Just goes to show how successful a short, directed attack can be. 1/4M from a bunch of accounts in a matter of minutes, and the perp is nowhere to be found...

At the end of the day, a VPS is an untrusted party and you cannot put your private keys there. They stop being private at all. Single point of failure and all that jazz...


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: piuk on March 02, 2012, 10:48:15 AM
Sorry to hear about this zhoutong,

This will be a test of whether bitcoin is truly anonymous and un-blockable. Will the hacker be able to successfully launder and exchange this volume of stolen coins? I don't know if it is better if they are successful or not.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Bitcoin Oz on March 02, 2012, 11:10:54 AM
My condolences for the theft mate :(


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Technomage on March 02, 2012, 11:32:03 AM
People who think the dumps at Mt. Gox are the stolen money are absolutely clueless about everything. Gox takes money laundering more seriously than any other Bitcoin exchange. The thief would be out of his mind to try selling the coins via Gox, not now or ever.

There are better ways to do it. What we're seeing now at Gox is speculators selling because there has been serious bad news in the Bitcoin world. That's about it.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Mageant on March 02, 2012, 12:11:40 PM
Good work, Zhou.
 :)


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: muyuu on March 02, 2012, 01:34:32 PM


Probably not, but none of us need to know the addresses that go through MtGox. Only MtGox needs to know. All we need to know is what MtGox is going to do about it if they find one, and that is up to them to tell us, since we agree to the user agreement when we make our accounts and we support them as a community by giving them our business.

Sure, but if we're going to have some sort of collaborative tracking of coins stolen in big hacks, that kind of information would be very useful. MtGox and other exchanges could also transfer coins to a number of accounts publicly to their name at some point (either to store them or to pass them out) and that would also help.

Since MtGox already stated publicly that the coins were not the same ones, it's very clear he's just out to cause trouble.

Since I tend to ignore Paraipan's posts I'm not sure what you're talking about here, to be frank.

It was just an idea. Probably having a public statistical tracking service would not be a great idea. After all, one would only know if the BTC he just received are significantly tainted AFTER receiving them...


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 02, 2012, 01:53:48 PM
@Matthew N. Wright i'm only doing this to help the robbed people out for Christ sake
You're misguided. We are already helping the 'robbed people' out by asking questions. You are making statements and asking people to break other laws just to make you happy. You're as misguided now as you were when you filed a police report because Zhou Tong didn't answer you quickly enough.

Being honest is important. I am completely honest that Zhou Tong dropped the ball by ignoring our advice to be collocated instead of using the magical cloud he loves so much. I support him and believe since he is covering the costs himself, he has learned his lesson and will move on. He's a bright kid who just needs some polishing.

I am not advocating secrecy, I am advocating common sense. What you're asking for doesn't help anyone. What you think is necessary isn't even necessary. Yet, you're not listening to anyone and you can't give a good reason. Why would anyone support you? Start asking questions and giving reasons instead of making demands and statements against things.

putting my reputation in line with people like you calling me names.
Your reputation is not in line with me. You do not work with me. I had held on to you against the recommendation of every-single-participating-party in the Bitcoin Magazine because I didn't believe it was fair to judge you on a single instance of irresponsible behavior (regardless of how large and idiotic it was) for filing a worthless police report against Zhou and bragging about it on the forums. Today however, before this thread was started, I removed you from the magazine completely for continuing to be over-the-top, ignoring facts, and just pushing pushing pushing, like a wannabe cop with no jurisdiction.

Which side you on Matthew ? Gavin, SLush, Zhoutong and other bitcoiners or the robbers side ?
Slush and ZhouTong are both in the DCAO with me. Gavin might be too. Other Bitcoiners do business with me. The robber might too (who knows!). I am not on anyone's side. I am on the side of common sense, as always. You are not making any sense. Your demands, even if provided, would help no one and hurt people in the process. Your continued denial of this shows your ignorance, your continued lack of self explanation and clarification shows your stubbornness and your continued self important vagaries about how you're going to help when people who are actually helping right now don't even need what you're asking for shows me that you're so out of the loop you should just be ignored.

Why am I responding to you then? Because it's in my nature to care, as obnoxious and vicious as I come across, it is in my nature to never ignore people who need a good punch in the face. I would do it to you, I would do it to my own father. Humans are humans and we all need a good check once in a while. This is your check.

That isn't much info at all and already public, you wouldn't know who deposited which coins only MtGox, but they already know that, right ?
Trust the powers that be or stop supporting them. You are not a shareholder of MtGox. You are not a recognized legal official. You are not representing anyone right now. If you are curious and want to "do your part", then start asking questions and stop asking people to do things for you like you are an all-knowing investigator, ready to file your weekly police reports!

Help me out dude, damn it.
Trust me, I am. You just don't realize it yet.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: glitch003 on March 02, 2012, 02:29:25 PM
http://news.ycombinator.com/item?id=2973301

This comment is oddly prophetic.

Quote from: jerf
I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people.

I do wonder how an 18 year old is going to come up with $200,000 worth of bitcoins as reimbursement. I don't know how profitable bitcoinica has been, but that much money seems too much to overcome.

He said it's not a problem as the company's historical profits are high enough to cover it.  Zhou is a smart guy, smarter than leaving all his profit in bitcoins on an internet-accessible server.  If anything, it's a testament to Bitcoinica's success.  (This is assuming that Zhou does in fact stick to his word)


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Etlase2 on March 02, 2012, 02:49:13 PM
He said it's not a problem as the company's historical profits are high enough to cover it.  Zhou is a smart guy, smarter than leaving all his profit in bitcoins on an internet-accessible server.  If anything, it's a testament to Bitcoinica's success.  (This is assuming that Zhou does in fact stick to his word)

If he has made enough to cover it, it would certainly seem to be in his best interest to stick to his word.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: sgbett on March 02, 2012, 02:59:55 PM
@Matthew N. Wright i'm only doing this to help the robbed people out for Christ sake
You're misguided. We are already helping the 'robbed people' out by asking questions. You are making statements and asking people to break other laws just to make you happy. You're as misguided now as you were when you filed a police report because Zhou Tong didn't answer you quickly enough.

Being honest is important. I am completely honest that Zhou Tong dropped the ball by ignoring our advice to be collocated instead of using the magical cloud he loves so much. I support him and believe since he is covering the costs himself, he has learned his lesson and will move on. He's a bright kid who just needs some polishing.

I am not advocating secrecy, I am advocating common sense. What you're asking for doesn't help anyone. What you think is necessary isn't even necessary. Yet, you're not listening to anyone and you can't give a good reason. Why would anyone support you? Start asking questions and giving reasons instead of making demands and statements against things.

putting my reputation in line with people like you calling me names.
Your reputation is not in line with me. You do not work with me. I had held on to you against the recommendation of every-single-participating-party in the Bitcoin Magazine because I didn't believe it was fair to judge you on a single instance of irresponsible behavior (regardless of how large and idiotic it was) for filing a worthless police report against Zhou and bragging about it on the forums. Today however, before this thread was started, I removed you from the magazine completely for continuing to be over-the-top, ignoring facts, and just pushing pushing pushing, like a wannabe cop with no jurisdiction.

Which side you on Matthew ? Gavin, SLush, Zhoutong and other bitcoiners or the robbers side ?
Slush and ZhouTong are both in the DCAO with me. Gavin might be too. Other Bitcoiners do business with me. The robber might too (who knows!). I am not on anyone's side. I am on the side of common sense, as always. You are not making any sense. Your demands, even if provided, would help no one and hurt people in the process. Your continued denial of this shows your ignorance, your continued lack of self explanation and clarification shows your stubbornness and your continued self important vagaries about how you're going to help when people who are actually helping right now don't even need what you're asking for shows me that you're so out of the loop you should just be ignored.

Why am I responding to you then? Because it's in my nature to care, as obnoxious and vicious as I come across, it is in my nature to never ignore people who need a good punch in the face. I would do it to you, I would do it to my own father. Humans are humans and we all need a good check once in a while. This is your check.

That isn't much info at all and already public, you wouldn't know who deposited which coins only MtGox, but they already know that, right ?
Trust the powers that be or stop supporting them. You are not a shareholder of MtGox. You are not a recognized legal official. You are not representing anyone right now. If you are curious and want to "do your part", then start asking questions and stop asking people to do things for you like you are an all-knowing investigator, ready to file your weekly police reports!

Help me out dude, damn it.
Trust me, I am. You just don't realize it yet.

well said.

it's cliched but "keep calm and carry on" seems to be sage advice right now.

bad stuff happens all the time. it's how you deal with it that counts, looks like bitcoinica/zhou is showing exactly what it/he's made of.

good work. keep it up, I'm not withdrawing anything. I don't think anything has fundamentally changed, and if anything this is a good thing because this can only lead to more security.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: runeks on March 02, 2012, 03:14:10 PM
I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.
Exactly how have you made the assessment of the security of the Mt. Gox platform that allows you to make this claim?

Tough hit Zhou! I hope P2SH will leave major hacking incidents behind us, another great lesson learned here.
I doubt it will. It will make it harder, no doubt about that, but theft will never be prevented. All we can hope for is a reduction in these occurrences, a lower profit to work ratio (how much work the thief has to put in for a certain amount of profit). But as soon as the price of Bitcoins doubles, the profit to reward ratio will double as well.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Rassah on March 02, 2012, 04:14:45 PM
I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.
Exactly how have you made the assessment of the security of the Mt. Gox platform that allows you to make this claim?

Their word that they rewrote the code for it from scratch, closed down all access they could, and are now storing most coins in offline storage. Also them putting limits on all withdrawals, requiring some type of ID for anyone wishing to withdraw substantial funds, and being the first to use two factor authentication. Plus the part about them still being the top exchange by volume by far, and yet not being hacked since that last incident almost 9 months ago. Also, I wouldn't be surprised if a lot of the common sense ideas everyone uses now (cold storage, withdrawal limits, two factor option) were things people didn't care about until MtGox incident, and which they got from MtGox since then. I wouldn't be surprised if Bitcoinica came up with new security procedures that everyone else six months from now would look back on as a no-brainer, and at the very least this would emphasize the urgency of implementing multi-sig security, whereas without it people would have greeted the change with a "meh." In fact, I'd go as far as to say we were about due for another major security breach to get people to learn more about or invent better security measures. The more that happens during Bitcoin's development stage the better.
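
The controls named in this post (cold storage, withdrawal limits) and the scheduled hot-to-cold transfers suggested earlier in the thread, as an added example that is not part of any post and is not Bitcoinica's or MtGox's code. The policy values, event list and all names are constructed for illustration, and no real wallet RPC is called.

```python
# Added example: bounding hot-wallet exposure with a balance cap, a scheduled
# sweep to cold storage and automatic-withdrawal limits. Constructed values.
from dataclasses import dataclass, field

COIN = 100_000_000  # satoshis per BTC; integers avoid float rounding


@dataclass
class Policy:
    target_float: int   # balance left online after a sweep
    hard_cap: int       # sweep to cold storage when the balance exceeds this
    per_tx_limit: int   # largest withdrawal sent without a human
    window_limit: int   # total automatic withdrawals per rolling window
    window_seconds: int = 86_400


@dataclass
class HotWallet:
    policy: Policy
    balance: int = 0
    cold_total: int = 0
    sent: list = field(default_factory=list)  # (timestamp, amount) pairs

    def deposit(self, amount):
        self.balance += amount

    def withdraw(self, amount, now):
        """Return 'sent', 'manual_review' or 'needs_refill'."""
        p = self.policy
        if amount <= 0:
            raise ValueError("amount must be positive")
        recent = sum(a for t, a in self.sent if t > now - p.window_seconds)
        if amount > p.per_tx_limit or recent + amount > p.window_limit:
            return "manual_review"      # a person approves it out of band
        if amount > self.balance:
            return "needs_refill"       # cold storage must top up the float
        self.balance -= amount
        self.sent.append((now, amount))
        return "sent"

    def sweep(self):
        """Scheduled job: move everything above target_float offline."""
        if self.balance <= self.policy.hard_cap:
            return 0
        moved = self.balance - self.policy.target_float
        self.balance -= moved
        self.cold_total += moved
        return moved


def simulate(policy, events):
    """Replay (timestamp, kind, btc) events and report the peak online balance.

    Software on the wallet host has the same access to the hot wallet as
    anyone who roots that host, so the application's withdrawal limits do not
    bound a theft; the online balance does. That is the number tracked here.
    """
    wallet = HotWallet(policy)
    outcomes, peak = [], 0
    for now, kind, btc in events:
        if kind == "deposit":
            wallet.deposit(btc * COIN)
        elif kind == "withdraw":
            outcomes.append(wallet.withdraw(btc * COIN, now))
        elif kind == "sweep":
            wallet.sweep()
        else:
            raise ValueError(f"unknown event kind: {kind}")
        peak = max(peak, wallet.balance)
    return {
        "outcomes": outcomes,
        "peak_exposure_btc": peak // COIN,
        "cold_btc": wallet.cold_total // COIN,
        "final_hot_btc": wallet.balance // COIN,
    }


POLICY = Policy(target_float=500 * COIN, hard_cap=1000 * COIN,
                per_tx_limit=200 * COIN, window_limit=600 * COIN)

# Constructed timeline: the sweep job runs every 1200 s, offset by 600 s.
EVENTS = [
    (0, "deposit", 900), (600, "sweep", 0),
    (1200, "deposit", 400), (1800, "sweep", 0),
    (2400, "withdraw", 150), (3000, "withdraw", 250),
    (3600, "withdraw", 200), (4200, "withdraw", 200),
    (4800, "deposit", 2000), (5400, "sweep", 0),
    (6000, "withdraw", 200), (6600, "withdraw", 100),
]

if __name__ == "__main__":
    print(simulate(POLICY, EVENTS))
```

The peak online balance in this run is above `hard_cap`, because a large deposit arrives between two sweep runs; the real bound on loss is the cap plus whatever can arrive in one sweep interval, so the interval is part of the policy.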


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: muyuu on March 02, 2012, 04:17:05 PM
I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.
Exactly how have you made the assessment of the security of the Mt. Gox platform that allows you to make this claim?

Their word that they rewrote the code for it from scratch, closed down all access they could, and are now storing most coins in offline storage. Also them putting limits on all withdrawals, requiring some type of ID for anyone wishing to withdraw substantial funds, and being the first to use two factor authentication. Plus the part about them still being the top exchange by volume by far, and yet not being hacked since that last incident almost 9 months ago. Also, I wouldn't be surprised if a lot of the common sense ideas everyone uses now (cold storage, withdrawal limits, two factor option) were things people didn't care about until MtGox incident, and which they got from MtGox since then. I wouldn't be surprised if Bitcoinica came up with new security procedures that everyone else six months from now would look back on as a no-brainer, and at the very least this would emphasize the urgency of implementing multi-sig security, whereas without it people would have greeted the change with a "meh." In fact, I'd go as far as to say we were about due for another major security breach to get people to learn more about or invent better security measures. The more that happens during Bitcoin's development stage the better.

In reality we have one true measure regarding security and its perception in the Bitcoin community: time passed since last big fuck-up.

It was just reset to zero yesterday. In the particular case of MtGox, we have it running at under a year still.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cypherdoc on March 02, 2012, 04:18:10 PM
I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.
Exactly how have you made the assessment of the security of the Mt. Gox platform that allows you to make this claim?

Their word that they rewrote the code for it from scratch, closed down all access they could, and are now storing most coins in offline storage. Also them putting limits on all withdrawals, requiring some type of ID for anyone wishing to withdraw substantial funds, and being the first to use two factor authentication. Plus the part about them still being the top exchange by volume by far, and yet not being hacked since that last incident almost 9 months ago. Also, I wouldn't be surprised if a lot of the common sense ideas everyone uses now (cold storage, withdrawal limits, two factor option) were things people didn't care about until MtGox incident, and which they got from MtGox since then. I wouldn't be surprised if Bitcoinica came up with new security procedures that everyone else six months from now would look back on as a no-brainer, and at the very least this would emphasize the urgency of implementing multi-sig security, whereas without it people would have greeted the change with a "meh." In fact, I'd go as far as to say we were about due for another major security breach to get people to learn more about or invent better security measures. The more that happens during Bitcoin's development stage the better.

i agree with this.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: grue on March 02, 2012, 05:06:49 PM
In reality we have one true measure regarding security and its perception in the Bitcoin community: time passed since last big fuck-up.

It was just reset to zero yesterday. In the particular case of MtGox, we have it running at under a year still.
It's not really a "fuck-up" if the server provider is compromised. The MtGox breach was caused by an employee that had access to the db, which is totally different.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Rassah on March 02, 2012, 05:09:00 PM
Rassah, you are a bastion of common sense.

Common sense is just common, not sensical. What MtGox and Bitcoinica were doing before they got hacked was common sense  8)


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: muyuu on March 02, 2012, 05:16:54 PM
In reality we have one true measure regarding security and its perception in the Bitcoin community: time passed since last big fuck-up.

It was just reset to zero yesterday. In the particular case of MtGox, we have it running at under a year still.
It's not really a "fuck-up" if the server provider is compromised. The MtGox breach was caused by an employee that had access to the db, which is totally different.

It doesn't matter who fucked up. It's a combination of things. Criminals have stashed a big amount of coins from important figureheads in the community. For the layman this translates as "BTC are insecure, even their gurus get stolen."

Notice I was talking about security and its perception.

Personally I think one should never store his private keys anywhere it can be seen in any form they can possibly be seen, so the responsibility would be shared.

True enough, VPS's are nice and cheap. I use them. But I don't put any private keys in them, or anything that can be directly stolen.

Hopefully this is a learnt lesson now.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Elwar on March 02, 2012, 05:19:53 PM
Bitcoin is definitely not yet ready for prime time when it comes to large companies where several people have access to the money with no paper trail if it goes missing.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: goodlord666 on March 02, 2012, 05:21:03 PM
Again, we would like to reassure that trading will not be in any way affected and we are already in the process of contacting Linode regarding this incident. The Bitcoinica system has not been compromised and our reserves are more than sufficient for regular trading activities.

Your writing style has improved exceptionally since the beginning! Keep it up!





Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: MPOE-PR on March 02, 2012, 05:30:56 PM
Quote
Yes, our historical profit is fairly sufficient to cover the loss from this incident

From bitcoinica right now:

Quote
73,661.62 traded (56% hedged) 1.152% equivalent fees (indicative)

73661.62 BTC * 1.152 / 100 = 848.581862400 BTC

From Thursday, 1 September 2011 to Friday, 2 March 2012: 183 days.

If bitcoinica grew linearly (unlikely, but for the sake of argument)

848.581862400 * 183 / 2 = 77645.240409600 BTC, or less than twice the 43k lost.

Basically Zhou is putting most of this revenue to cover for this loss, which shows real mettle. To all the people going "o, he's a 17 yo kid": no. He's a 17 yo man.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: BadBear on March 02, 2012, 05:37:40 PM
He has a nice little business going, eventually he can hire staff to run it while he focuses on other things, using the profits as capital. So he's definitely gonna wanna keep it going.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: LoupGaroux on March 02, 2012, 05:42:51 PM
As the business owner he set the volume of his hot wallet based on what he believed to be his transactional needs. Hard to fault a businessman for trying to handle his customers' needs well. He got ripped off and is standing behind his reputation and his service with his own money. Hard to fault a guy for being honest and showing some backbone in adversity.

Sounds like he may be getting some valuable advice about who should be the responsible party here... absolutely inexcusable that Linode permitted this vulnerability, and the responsibility is theirs to make good on all losses, irrespective of whatever exclusionary language they might have pasted into their service agreements. It is called fiduciary responsibility, and they failed.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Aggro on March 02, 2012, 06:32:44 PM
I can't help but know some Linode employee won't be at work tomorrow.

This all is way way way too convenient, seems like an inside job planned over time with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is a lot of money, please for all of us make it your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

Indeed. It seems rather odd that a random hacker would systematically probe linode for security flaws, and then magically find 8 customers related to bitcoin, and methodically empty their wallets. This is clearly somebody from the inside.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 02, 2012, 06:44:06 PM
I can't help but know some Linode employee won't be at work tomorrow.

This all is way way way too convenient, seems like an inside job planned over time with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is a lot of money, please for all of us make it your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

Indeed. It seems rather odd that a random hacker would systematically probe linode for security flaws, and then magically find 8 customers related to bitcoin, and methodically empty their wallets. This is clearly somebody from the inside.

I don't know, I hacked VizVideo's phone banks and the St. Joseph county library network both using the method you just described --stumbling upon it.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stochastic on March 02, 2012, 07:18:29 PM
We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.

However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount. For transparency, we would like to disclose all the suspicious transaction ids in this incident:

I hope you get insurance next time to account for any losses due to theft.

Doesn't exist.

You could only have the USD insured.

Any insurance can exist. It is just a contract. Of course if these thefts keep happening then the premiums are going to be expensive.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 02, 2012, 07:21:29 PM
Any insurance can exist. It is just a contract. Of course if these thefts keep happening then the premiums are going to be expensive.

I didn't say it won't ever exist, I said it doesn't exist. Now provide your link to the only service in the world that will insure bitcoins (because I've checked to London and back and there isn't one) or stop daydreaming out loud.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stochastic on March 02, 2012, 07:32:48 PM
Any insurance can exist. It is just a contract. Of course if these thefts keep happening then the premiums are going to be expensive.

I didn't say it won't ever exist, I said it doesn't exist. Now provide your link to the only service in the world that will insure bitcoins (because I've checked to London and back and there isn't one) or stop daydreaming out loud.

What I am saying is a person needs to call a specialist insurance company and they will figure it out.  Did you call Lloyd's (http://www.lloyds.com/)?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Phinnaeus Gage on March 02, 2012, 07:43:47 PM
Again, we would like to reassure that trading will not be in any way affected and we are already in the process of contacting Linode regarding this incident. The Bitcoinica system has not been compromised and our reserves are more than sufficient for regular trading activities.

Your writing style has improved exceptionally since the beginning! Keep it up!


Ironically, I was going to pen a similar sentiment, but you, goodlord666, beat me to it.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 02, 2012, 07:44:19 PM
Any insurance can exist. It is just a contract. Of course if these thefts keep happening then the premiums are going to be expensive.

I didn't say it won't ever exist, I said it doesn't exist. Now provide your link to the only service in the world that will insure bitcoins (because I've checked to London and back and there isn't one) or stop daydreaming out loud.

What I am saying is a person needs to call a specialist insurance company and they will figure it out.  Did you call Lloyd's (http://www.lloyds.com/)?

Are you kidding? They're the first I thought of!

Given the lack of assurance to the location of the bitcoins, the fact that the keys can be copied and moved, the volatility of the market value, and the inability to hold the only physical copies in any medium, they won't insure.

If it had a fixed price, I'd imagine they would insure it for more than its spot value in fees, but what's the point of that?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: ball4thegame on March 02, 2012, 07:45:42 PM
Just a thought to share with Zhou and others trying to locate the thief...

Approximately a week ago on the SR forums, there was someone who put out a $30,000 offer to anyone who would submit ID info and such to Mt Gox to enable him/her to withdraw from a large account without giving up his/her real information. Perhaps this was the hacker trying to cover his identity for his future 'endeavor'. Figured I would let people know.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 02, 2012, 07:46:26 PM
Just a thought to share with Zhou and others trying to locate the thief...

Approximately a week ago on the SR forums, there was someone who put out a $30,000 offer to anyone who would submit ID info and such to Mt Gox to enable him/her to withdraw from a large account without giving up his/her real information. Perhaps this was the hacker trying to cover his identity for his future 'endeavor'. Figured I would let people know.

Link?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Rassah on March 02, 2012, 07:47:50 PM
Insure for a certain amount of USD/Fiat based on business risks, instead of a specific BTC value. To be safe, the Bitcoin business operator can insure for more than they actually have in case they get more. It's doable. Just stupid expensive.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: ball4thegame on March 02, 2012, 07:50:54 PM
Just a thought to share with Zhou and others trying to locate the thief...

Approximately a week ago on the SR forums, there was someone who put out a $30,000 offer to anyone who would submit ID info and such to Mt Gox to enable him/her to withdraw from a large account without giving up his/her real information. Perhaps this was the hacker trying to cover his identity for his future 'endeavor'. Figured I would let people know.

Link?

Can't access from work, will try to post it later if nobody else does. It was in the discussion section on the SR forums.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: runeks on March 02, 2012, 07:51:40 PM
I think insurance companies would get a lot of cases on their hands if they started insuring bitcoins. I mean, how can you insure something that can be stolen without leaving any trace?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: mc_lovin on March 02, 2012, 07:55:12 PM
i pretty much saw this coming.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: neo_rage on March 02, 2012, 07:55:57 PM
Awesome. Hope that you guys solve this problem with a little troubles.

Thank god I'm not mining at Bitcoinica, but I'm with you.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Clipse on March 02, 2012, 08:10:41 PM
Awesome. Hope that you guys solve this problem with a little troubles.

Thank god I'm not mining at Bitcoinica, but I'm with you.

Bitcoinica is far from a mining pool ;)


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: bitcoinBull on March 02, 2012, 09:30:19 PM
I can't help but know some Linode employee won't be at work tomorrow.

This all is way way way too convenient, seems like an inside job planned over time with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is a lot of money, please for all of us make it your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

Indeed. It seems rather odd that a random hacker would systematically probe linode for security flaws, and then magically find 8 customers related to bitcoin, and methodically empty their wallets. This is clearly somebody from the inside.

They could have been observing bitcoin node ip addresses and found that 8 of them belonged to linode.  Could have observed that the transaction broadcasts of bitcoinica withdrawals were originating from one of those 8.  Then concluded that bitcoinica's hot wallet was on a linode VPS.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Herodes on March 03, 2012, 12:17:16 PM
I can't help but know some Linode employee won't be at work tomorrow.

This all is way way way too convenient, seems like an inside job planned over time with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is a lot of money, please for all of us make it your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

Indeed. It seems rather odd that a random hacker would systematically probe linode for security flaws, and then magically find 8 customers related to bitcoin, and methodically empty their wallets. This is clearly somebody from the inside.

They could have been observing bitcoin node ip addresses and found that 8 of them belonged to linode.  Could have observed that the transaction broadcasts of bitcoinica withdrawals were originating from one of those 8.  Then concluded that bitcoinica's hot wallet was on a linode VPS.

Yes, but would it not be likely that he/they would need intimate knowledge of the linode systems, meaning they would need to be a customer or already a sysadmin at Linode?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: BkkCoins on March 03, 2012, 12:46:08 PM
I can't help but know some Linode employee won't be at work tomorrow.

This all is way way way too convenient, seems like an inside job planned over time with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is a lot of money, please for all of us make it your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

Indeed. It seems rather odd that a random hacker would systematically probe linode for security flaws, and then magically find 8 customers related to bitcoin, and methodically empty their wallets. This is clearly somebody from the inside.

They could have been observing bitcoin node ip addresses and found that 8 of them belonged to linode.  Could have observed that the transaction broadcasts of bitcoinica withdrawals were originating from one of those 8.  Then concluded that bitcoinica's hot wallet was on a linode VPS.

Yes, but would it not be likely that he/they would need intimate knowledge of the linode systems, meaning they would need to be a customer or already a sysadmin at Linode?
No, this is exactly how hackers work. They explore and try tons of different attack vectors until they find ones that work. Whether this was an insider or not I don't know but certainly a hacker wouldn't need to be an insider. This is what they do. They find flaws and dig in deeper until they can leverage the flaws. (I'm saying hacker but a more correct term would be "cracker".)


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: muyuu on March 03, 2012, 12:52:33 PM
Bitcoinica was also in Rackspace, right?

Well, this just in http://www.rackspace.com/knowledge_center/content/slicehost-forum-archive-migration-and-conversion

Rackspace's slicehost forum user DB compromised. They are a bit unclear on how and what exactly was compromised, and why do they know it.

This shouldn't in theory affect rackspace users but is a fair warning on not reusing passwords and also not having your passwords anywhere near "the cloud"...


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: gamer4156 on March 03, 2012, 06:20:13 PM
I remember seeing that post on SR as well.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: btcash on March 03, 2012, 06:32:49 PM
How can you reimburse that much? Have you really made that much profit?

Yes, our historical profit is fairly sufficient to cover the loss from this incident, and we believe that it's the best interest for the community to keep running the business. We will take appropriate strategies and implement more security features to prevent this from happening ever again, even with the presence of dishonest partners or employees.
This is hard to believe. It takes MtGox around 2 months to earn that much and their volume is way larger than yours.

I am wondering why so many bitcoin people used that hoster. There are thousands of hosters.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stick_theman on March 03, 2012, 08:55:35 PM
How can you reimburse that much? Have you really made that much profit?

Yes, our historical profit is fairly sufficient to cover the loss from this incident, and we believe that it's the best interest for the community to keep running the business. We will take appropriate strategies and implement more security features to prevent this from happening ever again, even with the presence of dishonest partners or employees.
This is hard to believe. It takes MtGox around 2 months to earn that much and their volume is way larger than yours.

I am wondering why so many bitcoin people used that hoster. There are thousands of hosters.

Bitcoinica is leveraged as compared to MtGox.  I have a lot of respect for you, ZT.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: kurtosis on March 04, 2012, 09:23:09 AM
I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.
I was wondering about that, being one of the people whose account was hacked.  How do you know this?


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: runeks on March 04, 2012, 02:18:00 PM
How can you reimburse that much? Have you really made that much profit?

Yes, our historical profit is fairly sufficient to cover the loss from this incident, and we believe that it's the best interest for the community to keep running the business. We will take appropriate strategies and implement more security features to prevent this from happening ever again, even with the presence of dishonest partners or employees.
This is hard to believe. It takes MtGox around 2 months to earn that much and their volume is way larger than yours.
Mt. Gox only charges (at most) 0.6% in fees. Bitcoinica currently charges the equivalent of 1.168% in fees (https://www.bitcoinica.com/ bottom page) and allows leveraged trading (buying/selling more bitcoins/dollars than you actually have). So when a guy like this (https://bitcointalk.org/index.php?topic=59969.0;all) short sells for $130,000 worth of bitcoins, Bitcoinica makes around $1500 in, quite literally, no time.

I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.
I was wondering about that, being one of the people whose account was hacked.  How do you know this?
I would argue that he doesn't know this. This is his reasoning: https://bitcointalk.org/index.php?topic=66979.msg779780#msg779780
I'm not saying Mt. Gox isn't secure though, please don't misunderstand me. I'm just saying we have no way of knowing - with absolute certainty - if they are. I think this is a relevant point.

Many people thought the Titanic was unable to sink. Until it sank.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: zhoutong on March 04, 2012, 06:14:19 PM
How can you reimburse that much? Have you really made that much profit?

Yes, our historical profit is fairly sufficient to cover the loss from this incident, and we believe that it's the best interest for the community to keep running the business. We will take appropriate strategies and implement more security features to prevent this from happening ever again, even with the presence of dishonest partners or employees.
This is hard to believe. It takes MtGox around 2 months to earn that much and their volume is way larger than yours.
Mt. Gox only charges (at most) 0.6% in fees. Bitcoinica currently charges the equivalent of 1.168% in fees (https://www.bitcoinica.com/ bottom page) and allows leveraged trading (buying/selling more bitcoins/dollars than you actually have). So when a guy like this (https://bitcointalk.org/index.php?topic=59969.0;all) short sells for $130,000 worth of bitcoins, Bitcoinica makes around $1500 in, quite literally, no time.


Bitcoinica spreads take the market depth into account. We don't charge fees directly. Most of the time, trading on Bitcoinica is just slightly more expensive than Mt. Gox for heavy traders (who pay 0.3% at Mt. Gox), and usually cheaper for infrequent traders.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Seal on March 06, 2012, 01:36:35 AM
+1 to zhoutong. Respect.

Given the community collectively has a massive amount of skilled IT resource available. Why not put up some kind of community raised bounty for those 'skilled enough' to expose the thief.

I wonder if any of the 'anonymous' crowd would like some work...


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: ctoon6 on March 06, 2012, 03:21:40 AM
Here is my question. Why was it ever a good idea to be running a site like this where someone else has access to your machine? These types of operations should be run from locked up racks.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: LightRider on March 06, 2012, 04:41:38 AM
I don't know if this is related, but I just received a very strange, very small amount of bitcoin that I was not expecting. Is anyone else out there receiving such transactions?

http://blockchain.info/tx-index/3059769/de3177f4e929d4deb1984889aa7ad79fd2e78075e41babbda23315bb5135e71f

Edit: It looks like someone is sending out small amounts of bitcoin to a large number of public addresses in alphabetical order...I think I just got tainted...


Never mind, I am unduly paranoid.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: dooglus on March 06, 2012, 07:53:52 AM
Edit: It looks like someone is sending out small amounts of bitcoin to a large number of public addresses in alphabetical order...I think I just got tainted...

But those coins aren't tainted.  At least not from the linode theft.

'Only' these 1062 addresses contain coins from the linode theft: http://privatepaste.com/ce5905880d

My guess would be that this transaction was made by http://dailybitcoins.org/ - do you use them?

dailybitcoins.org:
* sends out their payments around 3am (your transaction was at 2012-03-06 03:55:43)
* mostly sends out 0.001 bitcoins, almost never less, with a few bigger (yours has 55 of 0.001, 24 of 0.005, 1 of 0.015 and some change)
* puts the addresses in alphabetical order
* usually has 81 outputs in their transactions (your transaction in blockexplorer: http://blockexplorer.com/tx/de3177f4e929d4deb1984889aa7ad79fd2e78075e41babbda23315bb5135e71f - has 81 outputs)

I think it's a pretty good guess that it's them.
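
Added example, not part of dooglus's post or any tool used in the thread: the attribution checklist from the post above written as a reusable check for an unexpected incoming transaction. The thresholds, function names and placeholder addresses are assumptions, the sample transactions are constructed, and "alphabetical" is taken to mean plain string order.

```python
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


@dataclass(frozen=True)
class Output:
    address: str
    amount: Decimal  # in BTC


# Traits taken from the post above; the exact thresholds are assumptions.
BASE_AMOUNT = Decimal("0.001")
TYPICAL_OUTPUT_COUNT = 81
PAYOUT_HOUR = 3


def payout_traits(outputs, sent_at):
    """Report which of the sender's known habits a transaction shows."""
    addresses = [o.address for o in outputs]
    at_base = sum(1 for o in outputs if o.amount == BASE_AMOUNT)
    below_base = sum(1 for o in outputs if o.amount < BASE_AMOUNT)
    return {
        "sent_around_3am": sent_at.hour == PAYOUT_HOUR,
        "mostly_base_amount": at_base * 2 > len(outputs),
        # "almost never less": tolerate one small output (e.g. change).
        "rarely_below_base": below_base <= 1,
        "addresses_sorted": addresses == sorted(addresses),
        "typical_output_count": len(outputs) == TYPICAL_OUTPUT_COUNT,
    }


def looks_like_payout(outputs, sent_at, min_traits=4):
    """A single trait proves little; require several to agree."""
    return sum(payout_traits(outputs, sent_at).values()) >= min_traits


def constructed_payout():
    """Constructed sample with the shape described in the post:
    55 x 0.001, 24 x 0.005, 1 x 0.015 and one change output."""
    amounts = ["0.001"] * 55 + ["0.005"] * 24 + ["0.015"] + ["0.0123"]
    outputs = [
        Output(f"1ExampleAddr{n:02d}", Decimal(a))  # placeholder addresses
        for n, a in enumerate(amounts)
    ]
    return outputs, datetime(2012, 3, 6, 3, 55, 43)


def constructed_ordinary():
    """Constructed sample of an everyday payment with change."""
    outputs = [
        Output("1ExamplePayee", Decimal("2.5")),
        Output("1ExampleChange", Decimal("0.37")),
    ]
    return outputs, datetime(2012, 3, 6, 14, 10, 0)


if __name__ == "__main__":
    for name, sample in (("payout", constructed_payout()),
                         ("ordinary", constructed_ordinary())):
        outputs, sent_at = sample
        print(name, payout_traits(outputs, sent_at),
              looks_like_payout(outputs, sent_at))
```

A match on these traits is circumstantial, which is why the post calls it a guess; it rules a sender in as plausible, not out every other sender.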


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Polvos on March 06, 2012, 08:12:22 AM
The more layers of complexity, the less people will use Bitcoins. And remember that the average Joe's Bitcoin client doesn't allow you to select the addresses you are sending from.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: LightRider on March 06, 2012, 09:18:52 AM
Edit: It looks like someone is sending out small amounts of bitcoin to a large number of public addresses in alphabetical order...I think I just got tainted...

But those coins aren't tainted.  At least not from the linode theft.

'Only' these 1062 addresses contain coins from the linode theft: http://privatepaste.com/ce5905880d

My guess would be that this transaction was made by http://dailybitcoins.org/ - do you use them?

dailybitcoins.org:
* sends out their payments around 3am (your transaction was at 2012-03-06 03:55:43)
* mostly sends out 0.001 bitcoins, almost never less, with a few bigger (yours has 55 of 0.001, 24 of 0.005, 1 of 0.015 and some change)
* puts the addresses in alphabetical order
* usually has 81 outputs in their transactions (your transaction in blockexplorer: http://blockexplorer.com/tx/de3177f4e929d4deb1984889aa7ad79fd2e78075e41babbda23315bb5135e71f - has 81 outputs)

I think it's a pretty good guess that it's them.

Yes, that is it, thanks! Totally forgot that I tried that site. Apologies for the undue paranoia.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: dooglus on March 06, 2012, 09:23:01 AM
Yes, that is it, thanks! Totally forgot that I tried that site. Apologies for the undue paranoia.

I use a different receiving address for every site I use.  Then when coins arrive in my wallet I can instantly tell who sent them.  For example, only sealswithclubs.org knows the address I use when I'm withdrawing from sealswithclubs.org, and it's labelled in my wallet as "sealswithclubs.org".  The address in my signature here is only ever in my signature, and is labelled "bitcointalk forum donation".


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: ram1 on March 07, 2012, 05:37:20 AM
Out of curiosity, I analyzed some of the transactions on the blockchain following the theft.  It's my opinion that a small amount of tainted coins (100) were moved to the Virwox exchange shortly after the theft.  Being a Virwox customer, I deduced this through knowledge of typical Virwox transactions, and not with any actual confirmation, so I could be mistaken. 


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: JoelKatz on March 07, 2012, 05:44:23 AM
Here is my question. Why was it ever a good idea to be running a site like this where someone else has access to your machine? These types of operations should be run from locked up racks.
This is what I first thought when I heard about the Linode hack. It stunned me that people would run these kinds of things from low-end virtual servers. But it just happened that I always worked for companies that were ISPs, had ISP businesses, or had server infrastructure that pre-dated easy virtualization. I was quite surprised to find that use of virtual servers for business-critical infrastructure and highly-sensitive information is now quite common. I'm still not sure how I feel about it.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: muyuu on March 07, 2012, 12:40:17 PM
Here is my question. Why was it ever a good idea to be running a site like this where someone else has access to your machine? These types of operations should be run from locked up racks.
This is what I first thought when I heard about the Linode hack. It stunned me that people would run these kinds of things from low-end virtual servers. But it just happened that I always worked for companies that were ISPs, had ISP businesses, or had server infrastructure that pre-dated easy virtualization. I was quite surprised to find that use of virtual servers for business-critical infrastructure and highly-sensitive information is now quite common. I'm still not sure how I feel about it.

It's not just low-end or high-end VPS. The cloud is just as susceptible to a crime like this, no matter how expensive your instance is.

People seem to have forgotten that some info is private beyond stamping an EULA and saying "you cannot copy this." Let's not get started about the cloud and social networks... the stupidity of the mass is just astonishing. You just have to make something look normal on the surface and they will stop questioning it.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: pent on March 08, 2012, 03:28:35 AM
I wrote how to avoid such situations:

https://bitcointalk.org/index.php?topic=67787.0


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: Matthew N. Wright on March 08, 2012, 03:37:12 AM
I wrote how to avoid such situations:

https://bitcointalk.org/index.php?topic=67787.0

Your hindsight is remarkable sir!


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: stick_theman on March 08, 2012, 04:20:25 AM
Hahahahaha.  Thanks for the tips.  Should be bookmarked and stickied!


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: CIYAM on May 28, 2015, 03:40:28 PM
Sorry to necro a topic but I have had to block Off Topic due to all the rubbish so just wanted to find a topic that mentioned Linode as it is not specific otherwise to this post.

I have recently moved ciyam.org to Linode and have found in doing so that if I attempt Google searches from ciyam.org that they are being blocked by Google.

This is apparently because Linode is blanket banned by Google due to web-scrapers using them, yet Linode denies this (despite many links you can find showing this) and Linode instead blames their customers for any problems that they have trying to use Google (so it should be believable that one is blocked making one single query via Google through a Linode for "some reason" when one is able to do the identical query through other VPS services without being blocked?).

Personally it is not surprising to now see why so much BTC was lost to Linode as this is a company that fails to take *any responsibility* itself but tries to push that all onto its clients.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: cryptopaths on May 29, 2015, 12:53:27 AM
I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.

Lol the irony.


Title: Re: Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized
Post by: jeannemadrigal2 on May 29, 2015, 04:29:10 AM
Isn't it a little early for Halloween boys?