Bitcoin Forum

Dear all,
I lost roughly 2000 USD from my MT.Gox account at 08:40 JST on the 31th of may 2012.

BTC was bought for all cash and they were sent to 1JHbG9rHS6dm4oTB4mK4umsWw936zarVNX
where they still are.

When i found out (2 weeks later) i asked MT.GOX for the login times and a login IP-addresses.

First i got the logs to another account (also mine), but no IP-adresses since they could not provide them.

I then got the right logs, but there was no login matching the withdrawal.

   Sat Jun 09 2012
   21:21:28User logging in
   21:21:28Password verified successfully
   Fri Jun 01 2012
   14:44:40User logging in
   14:44:40Password verified successfully
   Tue May 29 2012
   05:16:25User logging in
   05:16:25Password verified successfully

The login on May 29 was mine since i deposited ~1000 USD that day and there was only one login.

When i asked for IP-addresses again (to track the thief) and if they understood no login matched the withdraw
i got the answer:

> Unfortunately, more detailed information can only be provided by our management group to the police for further
> investigation. We apologize for any inconvenience caused. Please file a police report if you wish regarding this case.


I am filing a police report now when i have all information they will give me.


DOES ANYONE HAVE ANY RECOMMENDATION ON WHAT I CAN DO???

//GoK

Do you use two-factor auth?  Yubikey?  How do you think this happened?

Sorry to hear this.

MtGox automatically sends an email when a withdrawal is made, and that includes the ip address used. So check your email.

File a police report.

A lot of that going on.

"MtGox account got cleared out"
 - http://bitcointalk.org/index.php?topic=85533.0

"All BTC disappeared from my Mt. Gox account"
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another:
"My mtgox account got compromised, what can I do?"
 - http://bitcointalk.org/index.php?topic=84585.0

And on other services as well.  Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

In none of these was the person using multi-factor authentication.  Mt. Gox has had Yubikey support for a while.  Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

Hey Stephen, I always wonder, how do you do what you do?  ;D

I do not use 2 factor Auth, although i do not think it would matter since there is no login to match the withdraw.

I checked my email account it was sent to a few days back but i was unlucky, 50.0.92.83 belongs to the dynamic
pool of sonic.net.

Sonic.net saves the IP's for 14 days, so they claim they no longer know.

Thats why i wanted to know the IP's of all later logins to see if any of them were less than 14 days old.

But, since no login matches the theft!
Im not sure if knowing the login IP's would do me any good.
But then again MT.Gox wont share them and when/if the police get around to it sonic.net will have removed their logs.

:(

If you trade more than $150 USD it is worth it to invest in a Yubikey, IMHO. I have other issues with MtGox, but getting hacked is the least of my concerns.

I agree with you IF they could show that someone logged in and transferred the money out.

Yet the log they sent me did not include a login prior to the withdraw (and im not sure if it
shows one after since they wont share the IP's).

And they ignore my question about why this is the case.


//GoK

This.  Not using Multifactor Authentication for withdrawals is silly.

Maybe you just forgot to logout on some computers.

Not seeing a login on the 31st is weird.

What about the other two logins on June 1st and 9th? Was that you?

I'm willing to bet these are all windows users. What will it take to dispel the belief that running an Anti-Virus program protects them from trojans.. Even in the reddit AMA with the botnet operator, the guy said he uses techniques to keep his bots FUD (fully un-detectable) from AV programs. Going after mtgox passwords (or passwords for other bitcoin services) from trojan keyloggers is the absolute easiest way for them to get money, easier than credit card numbers, bank logins, or anything else. Probably wasn't that common last year, but by now it must be the first thing any botnet operator would search for in their logs.

Both logins are after the withdraw was made, and i do not know if it was me, since they wont give me the IP's
and i do not remember if i logged on at at those dates or not.


And no, no one else can log on to the computer i use, automatic screen lock after 3 minutes inactivity,
(defense contract) industrial strength security, from disk encryption to whatnot.

Making this comment is silly since, according to Mt.Gox, noone was logged on at the time of the withdraw.

//GoK

It would have forced whomever got in, however they got in, to use multiple auth's to transfer anything out.  It looks like you still had a live login (since logouts are not shown) and someone hijacked those credentials (or session) and initiated the transfer.  If there had been another auth required at withdrawal (like google, or yubikey), it would have been much more difficult to pull off.

Whatever the case, I'd say Gox owes you a bit more information.

Ok Phraust,

I was a bit quick to write that comment, you do have a point.

I am just frustrated that i do not know how the thiefs got in.
And they, for some reason, protect whomever did it by not
even revealing to me which logins i made and which someone
else might have done (IP-addresses).

Anyway there is no login at the time of the withdraw so
all are probably mine?


//GoK

No worries, I'd be just as pissed if it happened to me.  Without complete logs, it's really hard to say.  I hope they are working with you on this.

Thats one of they problems,

They are NOT working with me on this, and do not answer any question about why there is no login at the time of the transfer.

I get the same reply from MT.Gox every time:

> Unfortunately, more detailed information can only be provided by our management group to the police for further
> investigation. We apologize for any inconvenience caused. Please file a police report if you wish regarding this case.

Its very frustrating and very - unprofessional -


//GoK

This is silly. GMail allows me to see every IP I use to log in to their service. Facebook makes me go through extra identity checks when I log with an unusual IP. Why can't MtGox do the same?

Btw, saying "file a police report" to me is like saying "you got screwed and we won't help you anyhow, move over". I've seen police being utterly useless for much more serious cases.

And another report.  Mt. Gox now has Google Authenticator support, for mobile (Android, iPhone/iPad/iPod Touch (any iOS), BlackBerry).  Use it, love it!

BTCSYN reports a $12k (1,852 BTC) theft
 - http://bitcointalk.org/index.php?topic=92142.0

Someone is having a whale of a time with MtGox it seems. It's like watching someone smack a pinata.

My sympathies to those who were stolen from.

Mt Gox is one of the worst companies I've ever had the displeasure in dealing with. They're extortionate, obfuscated, and utterly unprofessional.

So who do you use for exchanges if you don't use Gox? I agree, Gox service is terrible, and they aren't very professional.

Sorry to hear about your loss OP. I know it doesn't help you much but your plight has encouraged me to purchase a Yubi Key just last week, so for that, I thank you.

Thanx,

Im wondering if a yubikey would have helped since there are no signs of the thief ever logging on to Gox, and if he/she can transfer money out w/o Gox noticing that he logged on. Maybe he/she could have transferred the money anyway?

However, a yubikey might stop it.

GL

And which service should one use?

Good luck on that police report. It will be just as useful as filing a missing person's report for your imaginary friend!

If you have a police report you can request us to forward the details to the police. We'll need a case number and details on the law enforcement in charge (person in charge, etc) to forward the appropriate details.

+1

http://en.wikipedia.org/wiki/Doe_subpoena

It's a bit like insurance companies requiring a police report number before you can claim for stolen items.  They know that the police aren't going to investigate petty theft but they also know that many people who'd be willing to make false insurance claims won't be willing to make false police reports.

Let's suppose that MtGox did give the OP the IP information.  How does that really help establish that this was an actual theft? 

Probably wouldn't help, but the guy wants to know, let him know. It's his account after all. What's the big deal in knowing which IPs were used to access your own account?

If Gox treats its users like this, like children, I should of really stuck to buying elsewhere.

Getting the IP-address wouldnt help me one bit.

But getting a "null" response when asking why/how money dissapeared from my account w/o me (or anyone else)
logging in is fradulent.

They couldnt show that anyone logged on to my account, and they cant/wont give me the ip-address of the "eledged" person
who took my bitcoins...


Sorry for the late reply, had a long vacation :)

and i didnt want to think about the thief (internet crook or MtGox or bug)

Ghost of Kobra

My discussion with mtGoxx support is approximately the same.

When i saw that the account was empty i checked the withdraws and noted the time of the withdrawal.

Asked mtGoxx for information about logins (because i knew i didnt log in at the time of the withdraw).

Got a list with login's (no IP's) and the list showed that no user was logged on at the time of the withdrawal.

Asked mtGoxx how this could happen and for IP's of the logins.

And all of a sudden i start to get the same answer on every question.
- We only talk to the police.
- Upload your scanned ID and the police report.

If someone "lost" 380 of my bitcoins and refuse to tell me how it happened i sure as hell wont give them my ID.

They claim they cant reimburse me coz i it might attract scammers, and they cant be sure i didnt transfer them out.

LOOK AT YOUR OWN LOGS YOU SENT ME.

I WAS NOT LOGGED ON. and noone else was logged on either....

Sorry for the caps, still get irritated about this.
I think i will scan the police report on monday when i get back to work.

I have a feeling the ID/AML request is because of reporting a loss of over $2,000.

In this modern age, using just a password to secure anything of value is unwise.

I use 2 factor for any account that has over $10 dollars in it. Except those protected by the FDIC.
For my MtGox Account I use (Two) 2 factor accounts on two different devices, they would have to have access to both devices or crack 2 factor.

I also use 2 factor on all email accounts, to prevent password resets.

Did you access your account from a Desktop Or Laptop?

Was it running Windows? Are you up to date?
What AntiVirus are you using? is it up to date?

Have you ever accessed your account using WIFI? Unsecured? WEP?

Most likely your password was stolen from a Keylogger or They were able to login into MtGox by routing thru your Computer Remotely.

Do you download any software from torrents?

Just be aware there is also a virus that has appeared in Asia mostly,that can survive a format of the HD, by hiding inside your BIOS and reinfecting your system after reinstall.

---

File a police report,Verify your AML with MtGox(I don't think it will do any good),and Redeem Free Yubikey Offer

Until I see an account that has 2 factor used get stolen from, your security was the cause of your loss because you were easy picking.

You are missing the point...

mtGox OWN logs show that NOONE was logged on at the moment of the withdrawal.

Dont say my account was "easy picking" or that i should blame myself for not using 2 factor authentication.
When my credentials wasnt used by the thief to log on (whomever it might be).


If someone stole my password (from me and not mtgox) and logged on and withdrew the money, sure.
Then your statements would be valid.

Since noone logged on with my password, my security was not the cause!


I have filed a police report, but im not sure i want to verify my account since i sadly do not trust them, anymore.


/GoK

Seems like you are grasping for straws. Please secure your money next time with one of the many features Mt.Gox offers.

+2

I have to disagree with you saying its not a fair request to disclose how your funds got removed because if there "an easy way" or undisclosed hack they shouldn't release that information to protect other accounts.For the Greater Good of all.

The Lowest hanging fruit are always picked first. Accounts only protected by passwords are easy targets.

Plus sometimes the Japanese to English might not have translated correctly from the people you talked to.

So the account "not logged in" part might be a mistranslated, i've talked with alot of non-native english speakers and sometimes it just comes out wrong.

If this was a hack, the hacker would be getting as many accounts emptied as possible before the hole was closed.


Per MtGox As a reminder we assume no responsibility should your funds be stolen by someone using your own password.

i don't have a yubikey, but my password is something similar to jfdsaMFDasjm#R$MnVMXCL:m43mMVL:XJOP%$#mvc

An unsecured connection would just be too ez....  my guess is it had to do with some porn and malicious javascript

i haven't used any antivirus software in about 15 yrs (when they started to all become incredibly intrusive), though i do scan about once a month with malwarebytes.

sites that pop up a lot of windows = bad

emails with links in them that go to hxxxxxxxxxxxp://us.battle.net.login.en.ei-login.com/login/en/login.html    are bad  (fresh from the junk mail folder, hours old!... wtf, edited link just in case someone was going to click on it)

Use 2-factor to help prevent this from happening to YOU. Its not hard, see my guide here (https://bitcointalk.org/index.php?topic=111943).

It could have to do with the cuevana plugin leak. Anyways google authenticator is really really nice.

Thats not enough for alot of attacks. You need to use 2-factor authentication

I would bet it was a keylogger on your pc. Malicius software is easy to FUD for about 1-2 weeks. The topic about popup windows is that they could redirect to exploit kits which spawn a keylogger or bot.
If thats true most probably all passwords in your broser have been logged in the time your machine has been compromised.
I see no other option as if mtgox would have been hacked the damage would be known by now, it defenetly seems to be on your end.
Cant often enough recommend to use a virtualbox/vmware for any untrusted applications.

Concerning the reaction from mtgox i dont have an optinion.

Sorry for the late reply.

I disagree with you, if there is a hack they should plug it and then admit it...

The account logged on was not misstranslated since they sent me the login logs (no Ip's but time and dates) for the weeks around the withdrawal.
After i pointed out that there were no login at the time of the withdrawal, they started answering:
  We only talk to the police.

I think it talks for itself that something is not right.

I am sorry that i answered this post so late,
But i am so disgusted with this issue that i done look at this thread.

I filed a police report and got a decision back 2 days before your post.

It is nice of you to offer to forward information but the police did not open an investigation because:

             "The crime can obviously not be investigated."


But if you read this could you please tell me how the money was removed when noone logged on to my account (according to the logs mtGox) sent to me?
And why the support never answered that question and just started referring to "we only give information to the police" as soon as i asked it?
Which is the same as you are doing.


/GoK

These may be trades executed with the API: https://en.bitcoin.it/wiki/MtGox/API/Streaming

One should investigate if API trades do not show a login, and if they don't, then that is likely the method used.

It is very possible that someone found a way to exploit persistent data, cookies, or some other way that a users session or identity can be hijacked in the MtGox interface.

My account was somehow hacked in on the 5th of Oct, where a large number of transactions (2600) occurred within a 30 min window. All of these transactions were for buy & sell orders that ultimately cleared my account down to less than 1c.

As per OP, notifying Mt Gox yields a response requesting me to file  report with police,etc.,and we all know what means.

Except for logging onto the account, 2 factor auth have been used.

I suspect there's some serious flaw in the APIs that could have caused this.

I'm requesting login logs from mt Gox to see what they come back with.

/edit - just to note that I do not have any API keys and have 2 factor auth for withdraw and security center. So if they could execute trades via API without being able to create an API Key then there are some serious flaws!

Beside the api thing, did you guys use a wireless lan connection?
If somebody logged in from your ip its just logical that there cant be logs except for the mac address and even that can be spoofed.
An attacker can indeed hack the wlan network and from there into your pc, and no, this is not fiction.

Totally agree that's no fiction, and whilst I cannot comment for the OP, I find it hard to understand how someone could hack my pc (no PC anyway), hack my iphone, hack google authenticator, change API security, create API keys and then execute 2600 transactions.

Marcus from Mt Gox have responded back saying they are not able to differentiate whether trades are executed via API or not. Given there were 2600 transactions on my account over a mere 30 mins, I cannot see that being executed manually.

I have also asked for login logs for my own account (without saying whether I need to see IP addresses or not), and have been declined due to their privacy policy.

I'm seeking further clarification on exactly which part of the privacy policy is he referring to.

After I posed the question on which part of the privacy policy he's referring to, he's now replied saying he's going to have this checked with their developer and get back to me.


Marcus, Oct 15 20:51 (JST):
Hello Yuhann,

I will have this checked with our developer and we will get back to you.

Thanks,

MtGox.com Team


Yuhann Liu, Oct 15 20:28 (JST):
Hi Marcus,

Sorry to dig further.

This appears to be very inconsistent to others who requested for this information and have received them.

Can you refer me to which part of the privacy policy that states you cannot disclose the login times of my own account? I have it open right now.


Regards,


Sent from my iPad


Marcus, Oct 15 20:10 (JST):
Hello Yuhann,

We will not be able to provide the information as per our privacy policy and we will not be able to differentiate the API trades and you have also advised that this you have not used an API before.

Thanks,

MtGox.com Team


Yuhann Liu, Oct 15 20:04 (JST):
Marcus, are you able to advise reason behind not being able to supply me with access logs of my own account?

Why isn't anybody saying it??

Mt.Gox is the "hacker" here.

Your MAC isn't exactly exposed to websites you connect to.  That's how network work.  If someone logged in from his IP, it would show that someone logged in from his IP, which did not happen.  Also, that is stupid to say that someone can get control of someone's PC just because they "hacked" the wireless network, which you said wasn't secured in this example so not a lot of hacking would go on, lol.  Windows 7 has network discovery and file sharing turned off by default so no, it's not quite that simple.  Plus, the PC would still have an antivirus.  Plus, two people that live within wireless range of each and one being a "hacker" and both using bitcoins is astronomically improbable.

Havent been into this soo much but not so long ago you could exploit wps routers with a reaver attack bruteforcing the key what exactly took 16 hours. WEP takes 15 minutes, idk but i can imagine there are ways nowadays to bruteforce wpa2 effectively. One minute on google got me this: http://technicdynamic.com/2011/12/hacking-wpa-2-key-evil-twin-no-bruteforce/

So much about win 7 is safe: http://arstechnica.com/security/2012/09/critical-zero-day-bug-in-microsoft-internet-explorer/

There have been Mac and Linux viruses.  There have been Firefox and Chrome vulnerabilities.  If you're not an idiot, you won't catch a virus in Windows.  I use Firefox with noscript for most surfing and keep my plugins updated.  I actually disabled the Adobe Reader plugin completely so it uses FTP to load a PDF file like it should.  If a virus does manage to jump onto my system, my AV will likely catch it as it executes.  If it doesn't, I pretty much remove viruses for a living so no problem there.  If it damages my system irreparably in the process, I have a system image backup that's never very old.  Tada, safe.

This smells like a borrowed browser session. Someone is probably getting access to your sessions using a virus (or less likely over your own wireless connection) and therefore they never did log in to your account, you logged in and they held onto that session and then used it later. Because of this, for all intents and purposes as far as MtGox could possibly tell it was you who withdrew the funds.

Most sites which deal with money (like online banking) protect against this by having forced log off of your account if you are inactive for more than a few minutes. That way even if someone tried to hijack your session it would be far too late to actually use it.

After a bit of back & forth eventually MtGox gave in and shown me the login logs. Whoever hacked in has managed to logon after 3 attempts, so I suspect they've drawn from the passwords I have used on one of the Bitcoin sites which I won't name here. It seems that they could either 1) withdraw funds from my account if it wasn't protected or 2) use my account to somehow manipulate the market or 3) simply to trade the account "out".  (2600 transactions in 30 mins can't be manual).

I haven't really dug into the info that much, but can someone tell me whether it's possible to trade using API without generating an API code on Mt Gox?

Some pool is probably exploited and doesn't know it. There have been several sites that have previously disclosed intrusions. Where else did you use your mtgox password, you must discover the source of the hack (and not use the same password twice!)

I've got no money or coins on Mt. Gox at the moment, but this thread reminded me to turn on two factor authentication.

I'll feel much safer for my next transaction.

Yeah, learn from mistakes eh? I thought I did that when I learnt the importance of backing up stuff. (oh, better reset passwords to the backups too, hehe, j/k)

Anyhow, it's probably too late to bait them which is a bit annoying. I've tried and asked Mt Gox for info around the 2-3 failed logons to see whether they can supply the passwords used or the hash generated (assuming they don't store passwords in clear text). I wasn't surprised when the request was denied - until I have filed a police report.

*boggles mind*

What i don't understand is why you hide behind the police.