Bitcoin Forum

I seriously believe that the only account being compromised is Mt.Gox's.

See the psychological side here:
ANYONE LOSING 500,000 BTC (more or less worth $8,500,000 USD) WOULD BE GOING APESHIT INSANE.
Anyone would be twitting about it, shouting about it, ranting about it, talking to the press, talking shit about Mt.Gox, and cursing God, the Devil, the Archangels and his own mother.

This is the critical factor I consider since I am a psychology major I am way more attentive on behavioral cues.
It is totally abnormal this silence from the account owner.
Either this user doesn't exist or he is a Buddhist monk with the lowest neuroticism level in the history of mankind.

According to Mt.Gox 500,000 BTC were stolen from ONE account, and that not only that such accumulation of wealth in a eWallet account is highly implausible, but observing the calmness of that supposed owner I am inclined to believe that that owner is non-existent.
The only one going bananas is Mt.Gox. Obviously you can claim Mt. Gox is simply protecting the credibility of his exchange site, but what is really interesting is that he insists on reverting back when actually there are other options.

Why would an exchange protect the interests of only ONE user? When accounts got hacked in the past, MtGox took the bullet and reimbursed partially to the hacked user, but never reverted back a whole history of transactions.
Also why is MtGox so adamant in defending this single affected user?

If that doesn't make sense then, we have three options left:
1) The REAL Account Owner: The hacked account "single user" account are Mt.Gox's or it belongs to someone closely related to Mt.Gox.
2) The PWNAGE Cover Up:The "single user account" is a cover story to hide the fact that actually the site got compromised much deeper than they are willing to admit. (loss of credibility would be the death of Mt.Gox)
If the auditor/attacker got access to the passwd file, he could have cracked hundred of accounts in hours.
I am currently testing that idea out, I've been trying to crack the hashes for 3 hours and I neared 600 accounts cracked, all of them from salted hashes and weak passwords. A simple script could have siphoned all the bitcoins out when the attack wasn't yet detected (maybe salami sliced, that's why nobody really noticed any thievery).
The worst case scenario is that the attacker has been in control of the site from a long time and he actually didn't need to crack any password, he simply got them all in plaintext.
3) The STOOPID Cover Up: We can never leave out the most stupid causes, since stupid mistakes happens everytime, maybe it was a typing mistake, a new employee, a girlfriend playing with the admin panel, etc...

These three possibilities makes Mt.Gox's claims understandable, it would be humilliating and his credibility would be completely stained forever. He wouldn't be able to admit such stupid mistakes.

But one thing is definitive: The argument about a single user being hacked makes NO SENSE AT ALL.

And your point is?

What difference does it make whether the account belongs to MtGox or Elmer Fudd..

The point is Mt.Gox reputation is on the line.
If it is lying, as he probably is, then it is not reliable anymore.
We can't tell the real story behind it, we can't make a damage assessment from it.
We can't rely on Mt. Gox.

Neither the best case scenario (they are trying to save face) nor the worst (they got fucked very deep up to the colon) are really comforting.
Mt Gox CAN'T be trusted.

Often I agree with you Oldminer, and I'm not looking to pick a fight.

1) Despite the huge overload of Gox threads, this one has a new twist. The Monk idea is clever, IMO.
2) This is also pretty valid, "The single hacked user account makes NO SENSE AT ALL.". I'm OK with the idea of a single account doing the damage, but there is no way any "Old Miner" or big investor would have ever placed that much into a single account, unleass they intended to crash the market, IMO.

Because if it is Elmer Fudd, then Bugs Bunny will be getting the bitcoins vewy vewy soon.

Uhm, that is a possibility I haven't considered.
But who would be willing to lose 8 Millions? What is their gain by crashing the market?

passwd file != exchange user database

riddle me this

What is that old Latin phrase for "who benefits?"

What is their gain by crashing the market?
I try not to be a conspiracy kook

CIA/NSA
If you are a Government who is threatened by BTC, and can print unlimited supplies of USD, would you have been a bug buyer either early on or the night it jumped from 14 to 19, then 19 to 24 in huge buy moves?


Much of this daily BTC drama is really being written in a Gov office somewhere, and then presented to us*?  

*HI, I'm Kevin Your New Guest Star In The Bitcoin Wars!   :D

perhaps the 500,000 BTC were transferred in from the stolen wallet files obtained via the trojan that's been circulating?  Not sure that makes total sense, but it might explain why someone with 500,000 BTC would have them all in mtgox.

Don't be such a nerd, don't troll about terminologies, you know what I meant.
I am cracking the FreeBSD MD5 hashes of the leaked userbase from MtGox. Happy now?

Why do you assume that it is someone that knows they lost a bunch of bitcoins?

Why can't it be some dude that gathered up a shitload of coins when they were worth less than belly button lint, and has long since forgotten about the whole project?

I'm almost certain MtGox did not exist during the days of the 20,000BTC pizza, so the funds could not have been transferred then.

What if...



just...

WHAT IF....



the account was owned by the hacker!!! oMG revelation!!


hack account -> withdraw -> add fund to hacker's own account
hack account -> withdraw -> add fund to hacker's own account
hack account -> withdraw -> add fund to hacker's own account
hack account -> withdraw -> add fund to hacker's own account
.
.
.
profit

They didn't.  It was only BitcoinMarket back then.

Do you think that 500,000 BTC can be obtained from thin air?
Under the assumption that it really belongs to a single user:

• If they were acquired when Bitcoins where worth 0.01, it would still had been a significant investment: $5000 USD
• If he didn't buy it and farmed it, the farming of 500,000 BTC signifies that he knows the intrinsic value of it, so he was quite dedicated on the project.

Both scenarios make very implausible that the owner would suddenly forget about their generated/purchased bitcoins, it shows interest, dedication, appreciation and/or faith for the bitcoin economy.
In the event of forgetting about it for a while, that hypothetical person wouldn't neglect that the prices increased more than 200,000% from the time he acquired/generated them.
And certainly everyone who is marginally related to bitcoins must have heard about jumping to $30 USD = 1 BTC. IF he had forgotten, that news might have reminded him that he was awesomly rich. Such news sparks interest again towards the bitcoins.

Who ever was/is the hypothetical owner, MUST HAVE KNOWN about his WEALTH.
Considering all above, the "Ignored and abandoned" argument is highly, very highly implausible.

Now, who would put more than 500,000 BTC in one exchange? That really escapes me.
Anyone who has that much in one site must have close relationships with the owner, otherwise I don't see how you would trust such amount in one place.
On the other hand, it would also make sense that it is a government conspiration, but considering that the bitcoin economy is still experimental I wonder if they would take such preventive measures to try to destroy it.

Personally I rather the explanation of the cleaning lady cleaning the keyboard and pressing "Sell 0.01"... would you admit such error if this were true and you were MtGox? LOL

I wish I'd been here then, you folks had a great little group.   :)

Bingo.

My guess is that it was their 'bank' account or something to that effect which actually contained the total funds in BTC of the entire exchange or a sizable portion of it.  I'm about 90% certain that they are insolvent and probably shitting bricks right now trying to determine what to do about it.  It might not be up for quite a while.  If they are insolvent that raises an interesting question:

1) Is it a 'bank run' as soon as the exchange opens?  (expect X lawsuits)
2) Do all MtGox assets get triaged and we get a portion of what we held there?  (expect 10x lawsuits)
3) Does and can MtGox "eat" the loses and then pays to make everyone whole (definitely the best long term solution for them),but do they have the assets?
        a.  If they don't can they raise money to buy BTC over-the-counter to become re-solvent?  Or do they come clean about insolvency and not allow people to withdraw until they gain enough money in fees to make everyone whole.  (this would crush the price of BTC into the ground but probably have the least legal implications).
        b.  Remain insolvent, don't tell this and hope that there isn't a 'bank run' (hopefully nobody over there at MtGox is proposing this, this is a BAD idea)

On a side note should the Exchanges prevent this type of 'dumping'?  I would definitely say yes that a certain account can only sell so much at least making the user have to have multiple accounts in order to dump more, therefore lowering the security risk by having a single user with 500k BTC, if you buy that story.

Lol, I bet the 'free market' fanatics here are starting to see how regulation comes into existence. 

Depending on the actual loses: The $1000/day limit will stop a bank run, or at least slow it down, while people get to trade.

+1

Thanks, I'm tired of all this, and just want a secure MtGox to open soon.


New API @Gox
Changes to the API

Since we will migrate to a new system, I'll announce a few changes to the API so people can be ready. It shouldn't cause any compatibility problem for most people.

    It will be possible to issue API keys for your account, with limited or full access, and revoke those keys. You can however still use the API for full access with login and password
    Trade IDs will be much larger, and no longer in sequence. Old trades will keep their old IDs. New trades will have an ID which correspond to the trade execution time in microseconds, for example: 1308609708628581
    Order IDs will become UUIDs. Old orders will have an UUID assigned to them. An UUID is a 36 characters long string made of hexadecimal characters separated by a dash. Example: 1f0b3734-ddf3-47e8-badb-a85a700c61d9

It should also be noted that the way the whole system works will be a bit different. When an order is placed, it may have a delay before being executed, if the engine is busy. The trade will be put into queue. Additional API parameters will exist to allow trades to be non queued (return failure if engine is busy), have an expiration in queue, do not cause creation of an actual order after being executed if full execution was not possible, or have an expiration as an open order.

Other changes will also be made in the future, however they should be compatible with existing implementations.
https://support.mtgox.com/entries/20208658-changes-to-the-api

Why the fuck would the exchange have an account in their own system that signified the collected accounts of all of their users?

Don't you understand that their site doesn't operate by moving bitcoins around?  When you make a trade on the site, no fucking bitcoins change hands or change wallets or anything of the sort.


Yes, 500,000 BTC can be obtained from thin air.  In fact, more than 10 times that amount has been created from thin air.  A good portion of it by people that screwed around with the project for a while and then left, never to be seen again.

You don't know a damn thing about bitcoins, nor about how an exchange market works, so maybe if you repeat your assertions bigger, they'll seem less stupid

Didn't know that anyone still thought that these all came from 1 person (not affiliated with MtGox).  Thought we had buried that myth.

Tell me who in his right mind would spend 500,000 away NOW just to fool around.
Think again, they weren't in a wallet, they were in MtGox.
I see it is simply a logical gap in your brain, unfortunately there are no patches for faulty brains.

Which is interesting to see that MtGox still doesn't acknowledge it.
They are sticking to their version and that raises even more suspicion.

The standard story so far is that the person that spent the 500,000 now just to fool around was not their legitimate owner.
I have no idea what you are referring to in your wallet comment.  As far as I can tell, you think that I think that the coins were in a wallet, and the wallet was lost.  Which is silly, because not long ago I was trying to explain to you and niemivh that wallets and mtgox accounts are totally different and unrelated concepts.

Precisely, that's my point.

Huh?  What is your point?  Which part?

With regard to the 500'000 bitcoins........these weren't necessarily real bitcoins, it could have been the BTC units within MtGox's own system....which suggests more was hacked then they are admitting.......which actually makes sense because they don't have a fucking clue anyway......hence the long delay while they get some kind of Sec infrastructure in place.

Since the sell off happened on mtgox's order books, the 500,000 coins could not have been real bitcoins.  They were accounting units internal to their system.  I still haven't figured out why people think it was some sort of master wallet, or collective account that was involved.  It was purely an internal representation, and this is obvious because only their internal representation can participate in their order matching.

Moderators, feel free to delete this comment, but I would say that no website developed with php can be trusted.

In my view php is inherently insecure and it encourages unsafe coding style. It's easy to code and "neat" at the expense of being very prone to unintended results. Take the php "require" directive as a case point. (I know experiensed php coders do not fall for this trap, but it demonstrates php's lack of safety.) It takes a url as an argument without so much as a shrug, making it a very attractive target for code injection attacks. The whole language is riddled with this kind of stuff. You have to be very careful when working with php, and even if you really know what you're doing it's still likely that there are big security holes left in your code.

Because MtGox officially stated it. And it is a massive bullshit, as you reasoned by yourself.
The thing is that they don't want to acknowledge that they were hacked. According to them, they weren't hacked ever.
Here is the citation:


1st) The $17.5 it is arbitrary. That concerns me.
2nd) The One account story is being insisted by MtGox in several threads in the forum.
3rd) Rollback sounds like a game. There is no rollback in life. Shit happens, people lose, people win. Move on. Compensate for your mistakes, honor it.

Since this statement wasn't satisfying for the people who actually got a hold of the userbase with all the emails, usernames and passwords of all the users in MtGox.
So another statement was released:


So here you see how they insist that they weren't hacked.
And Mark from MtGox keeps insisting:


As you can see, by insisting the story of the "single user account hacked" they want to free themselves from all responsability, save their faces and blame their incompetence to the users.
There are stupid users with simple passwords (still cracking: more than 800 passwords already cracked) but someone with 500,000 BTC in a single account with a lame password doesn't seem to be probable (although it is totally possible).

Considering the reasons I detailed in my first post in the creation of this thread, I think everything is a lousy attempt of a cover up to hide their asses to not be held responsible.
This lie would save them money (from compensations) and somehow it would cause tranquility to some of their users since they would be relieved that "their systems weren't compromised", which I bet it is totally untrue.

We got all our usernames, passwords hashes and email addresses exposed. All of us are now in spammers' databases.
Most of us got really stressed out because we shared the same password in several accounts.
And some of us realized that their worst fears became true: they got victimized in other exchanges.

It doesn't matter if it was an external auditor, MtGox is trying to wash their hands from this.
They claim that the CSRF vulnerability discovered by phantomcircuit wasn't exploited because they checked their logs... this type of attack leaves no logs, and it's been confirmed from other users in the forum that it's been used before and after the fix.

This attitude from MtGox isn't acceptable.
It seriously makes me doubt about their moral integrity.
And as I said before: "trust takes a decade to build, and only one second to break"
MtGox, you better work hard to earn our trust again, all these lies/incompetence/negligence are simply not acceptable.

I might be wrong, but he didn't loose all of those monies, technically, only the monies the hacker managed to withdraw....

Also, the account with 8mil in coins could be held by an org, for all we know (and it's quite normal for corporate people to use retarded passwords. Trust me on this one)

Hahaha, true I haven't thought of that.
If the 8mill were held by an organization it would be hardly any bitching publicly.
But considering that the bitcoin market is very volatile and very risky, I doubt that any organization would invest around 8 million dollars in it. This is a groundless assumption... but I really doubt it.

Most probably that "single" account belonged to Mark or one of his partners.

PS: Yes, MtGox didn't "lose" all that money, right now everything is still in their hands (most of it). The problem is what to do with the transacted bitcoins. On paper right now, almost everything belongs to Kevin.
But that is another discussion, the main thread here in this thread is to point out that the "single account hack" is most definitely either bullshit or they are protecting their own accounts or trying to free themselves of responsabilities and compensations.

If it is true that he was a buddhist monk, we can be glad that he has lost the money for the next terrorist attack targeting Tokyo subway.

Here's one more conspiracy theory: The org that held the big account was ... the EFF! That's why they turned cowardly just now. Watch for the remainder of 500.000 BTC turning up at the faucet!

Maybe the owner was on holiday.

OR

maybe santoshi's account was the one hacked and played with.

OR

Didn't this happen like a few days after someone's visit to the CIA? so like...the CIA did it?

If the hacked account truly belongs to a Buddhist Monk, and his account is the only one that got hacked and suffered damage,
The monk would've voted NO ROLLBACKS as the saint he is.  ::)

What makes you think that the organization in question invested those money in the typical financial sense (to gain direct profits from bitcoin exchange)?
Of course, an alternative hypothesis would be that an organization such as, but not limited to, a corporation, would clandestinely move funds into a bitcoin market in order to obtain a fast, thoroughly laundered and plausibly deniable stash of "pseudocash" for blatantly illegal purposes, and most certainly, the idea that a corporation (or other organizational agent), would sink as low as to engage in acts of bribery, sabotage, espionage or other criminal acts, is outright unthinkable. UN-THINK-ABLE I SAY, GOOD SIR  ::)

Or, an even better theory:
given the timing of Gavin's CIA talk, there is distinct possibility that those were CIA money, moved into bitcoin market for laundering and further use as a payment vector for assassinations or some other outrageous acts CIA would rather be able to absolutely deny connection with.
And CIA are hardly beyond using retarded passwords - they are, after all, merely human.

That would neatly explain why Gox folks are so adamant in protecting the interests of the Mysterious Millionaire Client With Lousy Passwords (that is, the Gox folks do not find oxidative phosphorylation to be a burdensome ordeal ;) )

Maybe the owner is dead?  People do die.

I think it's pretty likely that the account that was hacked was not just an ordinary user's account.  It was probably MtGox's account, or one of their owners.  I would also place some possibility in it being owned by the operators of Silk Road, and the hackers might possibly be government agents (auditors?) trying to ferret out those Silk Road operators...

I also think that it is unlikely that one user had 500,000 BTC in one Mt Gox account. However, if it was true, I don't think that user would necessarily come forward. Think about allinvain who claims he lost 25,000 BTC to a hacker. Some sympathize with him as a victim, but a lot of the internet see him as a laughing stock for not taking proper security measures.

I think a lot of people would come forward if they lost 500,000 BTC, but I think that there are a lot more than Buddhist monks who might decide to keep their mouths shut out of embarrassment.

You argue that Mt Gox has a motive to cover up his mistakes to save face. Couldn't the same be true for the alleged user who put 500,000 BTC into one Mt Gox account?

I would just say if I had an exchange and got someone with 9 millions on his account, I would be his personal manager. Actually that's what banks do to people with large stacks; assign them personal managers, as they're VIP customers.

Mt. Gox officially cooperates with authorities.

So the authorities would hardly have to go hax0r on the Mount to attempt tracing drug moneys.