I have to say that it's not a good choice for AurumXchange to not include me in the investigation in the first place. I skipped a few classes this afternoon to deal with this mess. However, I have to admit that their intentions are understandable. It's just the fact that 90% of people believing me to be the hacker is driving me mad.
Initially we were supposed to see legal action started by Bitcoinica, however nothing moved there. I do hope that something is started soon before all those wild assumptions coming up from everywhere end causing even more harm. This means that the victims (Tihan, Bitcoin Consultancy, Bitcoinica LP, Bitcoinica users) must do the first step to declare themselves as victims before the legal machine can start moving. Unfortunately it seems that at this point, nobody has started anything. I really appreciate your effort and I'm definitely co-operating with you in this matter. |
|
|
|
Doesn't Mike Hearn, a bitcoiner himself, work for Account Security at Google?
Maybe ask him for help with the Gmail access logs, Zhou Tong?
The hacker used Tor for all online communications. I'm looking for alternative ways to locate the person. I have to say that it's not a good choice for AurumXchange to not include me in the investigation in the first place. I skipped a few classes this afternoon to deal with this mess. However, I have to admit that their intentions are understandable. It's just the fact that 90% of people believing me to be the hacker is driving me mad. Zhou, you are not going to convince people of your innocence with forum posts. Worry about getting exonerated by the legal system instead of trying to prove people on the internet wrong. For now, I don't have to convince people of my innocence. Just like what I have always been, I'm taking real actions to solve the puzzle. I discovered that the hacker used my email on various sites, including many e-commerce sites to attempt credit card fraud. It shouldn't be too hard to get his name and address because I control the email anyway. |
|
|
|
Doesn't Mike Hearn, a bitcoiner himself, work for Account Security at Google?
Maybe ask him for help with the Gmail access logs, Zhou Tong?
The hacker used Tor for all online communications. I'm looking for alternative ways to locate the person. I have to say that it's not a good choice for AurumXchange to not include me in the investigation in the first place. I skipped a few classes this afternoon to deal with this mess. However, I have to admit that their intentions are understandable. It's just the fact that 90% of people believing me to be the hacker is driving me mad. Which classes? Just curious. Math and Accounting. I scored 98% in both subjects for the previous exam, so my teachers won't be angry about this. |
|
|
|
If criminal charges are brought against him and the Australian government/embassy is informed then they might cancel his visa.
Our government would not cancel someone's visa simply because they've been charged with a crime, especially a non-violent crime. Half the time we refuse to extradite when requested. Apparently everyone wants someone else to involve law enforcement. Unfortunately, that means that Zhou is going to be tried in the court of public opinion rather than have the weight of the evidence against him determined by disinterested outsiders. About him attending college in Australia. Is there any proof of that besides him stating such. The phone number in the AurumXchange transaction which Zhou says is his is a landline in the state of Victoria. It would certainly be possible to ring it and find out the relationship of the person answering to Zhou. It is utterly ridiculous that people are making threats of personal harm over this. Make a police report and let the legal process take it's course. Taking the law into your own hands will cause more harm to the acceptance of Bitcoin and its supporters than any theft ever will. Plus, Australian police agencies will take assassination threats very seriously if Zhou does return here. Regarding the phone number: The $40K transaction is mine and it's entirely legitimate. The phone number is also mine (but please don't call, I need to calm down.) |
|
|
|
Doesn't Mike Hearn, a bitcoiner himself, work for Account Security at Google?
Maybe ask him for help with the Gmail access logs, Zhou Tong?
The hacker used Tor for all online communications. I'm looking for alternative ways to locate the person. I have to say that it's not a good choice for AurumXchange to not include me in the investigation in the first place. I skipped a few classes this afternoon to deal with this mess. However, I have to admit that their intentions are understandable. It's just the fact that 90% of people believing me to be the hacker is driving me mad. |
|
|
|
|
I hope everyone can comment with more reasoning and less assumptions. I'm trying my best to calm down and attempt to get more information about the hacker, because he also used my email for a credit card fraud case. It's possible to discover something at that direction.
I have also listed a few people who know this secret email of mine. And I'm going to question them one by one tonight.
I'm definitely on the side of Bitcoinica customers and I believe that if the real hacker really had ties with me personally like what MagicalTux said, I may be able to recover majority of the amount back if the hacker can be warned. This issue is very serious and if I'm the hacker, I would definitely return the full amount back to reduce the criminal punishment.
The hacker seems to be a Chinese because he used Chinese punctuations in his English messages in the Aurumxchange ticket.
I will provide any information needed to the police once Bitcoinica files a police report.
|
|
|
|
I'll try to ask my friend if he's okay with publicizing the related transactions, or I can wait until the investigation is concluded (or the real hacker being found).
Anyway I have already sent out the certified copy of my AML documents and they should arrive in 2-3 days. I hope my Mt. Gox account can be unblocked then.
No offense, you should shut up and get a lawyer? Well, if you're still posting after that, I doubt no advice will help you now. I requested the corporate address of AurumXchange so that I can possibly engage a lawyer to deal with their investigation. However they released this "statement" without notifying me. I was totally shocked because I didn't have a single clue about their investigation. It's really unfair that they are willing to release information to the public but not me. |
|
|
|
Damn. I have trust in ZT for reason still. Innocent until proven guilty, IMO. There is a chance there could be someone close to him fucking him over. It would have to be someone real close, perhaps the person you were giving this money to? He would know this would look suspicious because he timed it as such.
If there is a way for GMail to get involved to hash out the IP situation that would be ideal.
ZT- if you did this buddy, best thing to do is to seriously pay everyone back and accept whatever leaner penalties come your way. Way too much ahead in your life to be messing around with $200,000. In your best years ahead that would be a monthly take home easy. I am still giving you the benefit of the doubt, but if you really did man, well seriously, it is time to give up and return it all now. You can still salvage your life.
There's no reason that I'd forgo my integrity and all the reputation for just $200,000 at such a young age. I was working very hard for my new project (and a new homepage design will be deployed today) and it's simply outside my attention to commit such a thing. I'll commit any reasonable effort to get justice back. |
|
|
|
I must be extremely stupid to hack the Mt. Gox account and cash out the very next day at an exchange with very close ties with Bitcoin community. (Isn't that shooting myself?) I used three different exchangers because some of them didn't have sufficient reserves in their bank and I didn't fully trust them either. AurumXchange was the exchange I trusted the most because Bitcoinica had a close business partnership with you previously.
There's nothing coincidental about your evidence.
Also, if you shared this with me earlier in the ticket instead of posting a "statement" like this I could co-operate with the investigation much better. I didn't have a single clue that you are indeed correlating the hack with my private transaction at your exchange.
Whatever the circumstances may be, AurumXchange deemed the situation too dangerous to decide to unlock the funds. As long as you can prove the origin of the funds you've been transferring, there shouldn't be any issue. I'll try to ask my friend if he's okay with publicizing the related transactions, or I can wait until the investigation is concluded (or the real hacker being found). Anyway I have already sent out the certified copy of my AML documents and they should arrive in 2-3 days. I hope my Mt. Gox account can be unblocked then. |
|
|
|
So are you saying that you used a different email when you sold the LR for your friend?
How would a hacker benefit from using the SJ email to have a wire sent to your bank account?
I use my own Liberty Reserve account for all my own transactions, including those on behalf of my friend. I placed the order from my own LR to send to my own bank account, and it's a genuine transaction unrelated to the hack. The hacker has attempted to withdraw money from the SJ email to his bank account or another bank account that he controls. I have posted the detailed information in the statement. Let me see if I understand this correctly. You are claiming that the VERY next day from the hack, you exchanged an ungodly amount of Liberty Reserve "for a friend" using three different well known Liberty Reserve exchangers (as per your own admission on our ticket system), and yet, this is totally unrelated and purely coincidental? By the way, you have stated on a previous post that the amount exchanged in Liberty Reserve is "far superior" to the one stated in the OP. What you failed to mention is that BTC were also stolen from the Bitcoinica account, and that those bitcoins can be easily converted to LR using a plethora of services online (including the one that the "hacker" who allegedly hacked your email account) used. We have been in business since 2007 and have never froze a single payment. Believe me when I say that the information (both publicized and some kept private for legal reason) is absolutely overwhelming. I must be extremely stupid to hack the Mt. Gox account and cash out the very next day at an exchange with very close ties with Bitcoin community. (Isn't that shooting myself?) I used three different exchangers because some of them didn't have sufficient reserves in their bank and I didn't fully trust them either. AurumXchange was the exchange I trusted the most because Bitcoinica had a close business partnership with you previously. There's nothing coincidental about your evidence. Also, if you shared this with me earlier in the ticket instead of posting a "statement" like this I could co-operate with the investigation much better. I didn't have a single clue that you are indeed correlating the hack with my private transaction at your exchange. |
|
|
|
could Z have also been behind the other bitcoina "hacks"?
No, none of the hacks was performed by me. |
|
|
|
So are you saying that you used a different email when you sold the LR for your friend?
How would a hacker benefit from using the SJ email to have a wire sent to your bank account?
I use my own Liberty Reserve account for all my own transactions, including those on behalf of my friend. I placed the order from my own LR to send to my own bank account, and it's a genuine transaction unrelated to the hack. The hacker has attempted to withdraw money from the SJ email to his bank account or another bank account that he controls. I have posted the detailed information in the statement. |
|
|
|
My email stevejobs807@gmail.com was last accessed from 62.113.219.5 on July 13. The password has not been changed by the hacker (but I have changed just now). There was an auto-forwarding to ryan@xwaylab.com (which is another email address of mine). However it has been changed to bitcoinicasucks@hotmail.com (which is the email that was used to send the "Bitcoinica is done" email to verify@bitcoinica.com). Of course I couldn't be notified about any email since the change. The email account had a heavily-reused password (for the sites that I don't intend to share any private data), *at least* it was used on LinkedIn and many other websites. I have several email communications between stevejobs807@gmail and other email accounts controlled by me, including a testing ticket for Bitcoinica's ZenDesk trial. The email address has never been publicised. Important discovery in recent emails (all times are in UTC+8): The hacker registered a Liberty Reserve account U9236056 at Jul 12, 2012 9:42 PM. There was several emails from Liberty Reserve mentioning "Verification PIN". It can be seen that the liberty reserve account was accessed by at least: 78.108.63.44, 212.84.206.250 and 31.172.30.1. There were many transactions done at F1ex.com, possibly used to launder Bitcoin. (I checked just now, F1ex.com provides anonymous fixed-rate BTC exchange service.) The hacker signed up for OKPAY, with IP 31.172.30.1. The hacker requested a sell-order on AurumXchange, totalling $5000, using the suspicious Liberty Reserve account mentioned by OP. A Chinese bank account was used (Account name: LIU HAIPENG, Account number: 6222020903006086032, Bank: INDUSTRIAL AND COMMERCIAL BANK OF CHINA). Order link: https://www.aurumxchange.com/order/view/34011/e5b466248e041ebdf2ae793181a840dcThe hacker has also opened a ticket under his own name: https://www.aurumxchange.com/help/ticket.php?track=NLY-9AG-E468&Refresh=24195He mentioned that I sold him the Mt. Gox codes at half price, which is absolutely not true. It seems that the hacker was trying to relate this event to me as an individual, and this possibly explains the reason that he wanted to "hijack" the email account. All my other email accounts did not have any suspicious access records and their passwords are all secure and different. This is my *own* genuine transaction at AurumXchange: https://www.aurumxchange.com/order/view/33100/3c05a9a572379bf91620302cc9dd7d22And my ticket to question the funds: https://www.aurumxchange.com/help/ticket.php?track=J6W-EY3-ZY2U&Refresh=47091It's important to note that the first time I gained any knowledge about the email being misused is through this thread. Neither AurumXchange nor Mt. Gox has provided me any specific information about the suspicion. Otherwise I could have checked that email account earlier. I'm willing to co-operate with any ongoing investigation and obviously I'm not trying to run away from this. I have already provided Mt. Gox with my certified copy of passport in an attempt to unlock my account with some Bitcoin balance. |
|
|
|
I'm gathering some information and a statement will be posted soon. stevejobs807@gmail.com was indeed my email account used for anonymous testing purpose, however I haven't been using it for a long time. I'm logging in the account to check the suspicious activity and I'll post relevant details as well. The $40,000 I exchanged at AurumXchange was indeed from a friend. Later I can also post proof that I exchanged another $30,000 at other exchanges during the same period. The total amount far exceeds the stolen amount claimed in the OP. My own Liberty Reserve account number is U7097615. |
|
|
|
Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.
Tihan and Zhou knew that the LastPass password was the MtGox API key. genjix' claim that no one else did is somewhat strange, it requires three persons where at least one of them claim to be a security expert not to recognize a clearly non-random string for what it is. I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?
2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, its deliberate and wilful.
LastPass does not contain your passwords. It contains an encrypted version of your passwords - and only you have the encryption key. Storing passwords in LastPass does not make them any more insecure than any other form of password storage you can use - while allowing you to use purely random and very long passwords, no duplicates, for all your other services. Of course, it requires you to have a good master password (and/or use two factor authentication). LastPass go out of their way in making sure you understand the importance of that, and as I've already written before in a reply to Tihan, you have to be either completely unaware of any security practices or willfully ignorant to select something like an API key (a "known string") as password. By "willfully ignorant" in this case I do mean that doing so creates a possibility where you can exploit that knowledge to claim a hack where no hack took place, later. I'm still interested in why, and how, the source code got leaked. That provided the excuse needed for an inside job. I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials! And LastPass didn't log the IP that reverted the master password. It's so weird. 07/12/2012 22:17:04
LastPass.com
67.188.9.35
Master Password Changed
07/17/2012 08:30:52
LastPass.com
0.0.0.0
Master Password Reverted Since you've referenced that email before. Zhou, what's the X-Originating-IP header in the email you got from the claimed hacker that referenced your LastPass account password? Does it match any IP listed in the LastPass log? (I assume it will turn out to be a anon VPN or TOR exit node) I believe the "LastPass" hack to be an inside job, from someone being fed up with having to deal with the Bitcoinica mess. I'm less sure the other hacks where. My access to the ryan@bitcoinica.com has been revoked a few hours ago. (I don't know who did that.) I can't load the source for the email any more. |
|
|
|
Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission). I doubt there's any entity remaining with the ability or will to enforce that restriction. Since they're not doing business, what would their damages be? It's legal for me to start a Bitcoinica clone today. I'm quite sure about that. The non-competitive clause was a gentleman agreement and it's not enforceable. But I'm not in need of money. I still have my Bitcoin and AUD savings and I'm still doing business. I'm just no happy. |
|
|
|
And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity. Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.
I don't really care about my reputation now even. If I start a bank or investment firm in my 30s, I think not many people will still mind putting their money on my hand. And I'm not going to build anything Bitcoin-related in the foreseeable future. I'll simply go back to my SaaS business. The big problem is the criminal charge. Bitcoin is a big unknown in the legal world and anything can happen if the police touches this case (unlicensed market operation? terrorism? money laundering?). It makes possible things like migration in the future way harder than they should be. |
|
|
|
You should really talk to an attorney that knows a thing about business organization laws. If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.
Zhou did not sell the Delaware entity (xWaylab Inc). Well whatever it was that was sold. I remember sometime in Nov or Dec a post by zhoutong stating that he was not interested in partnering or selling the site, yet in the resignation letter the sale already had or was happening. I personally trust the buyer and I would bear every responsibility if there were any problems. If Tihan didn't pay for the Linode hack, I would, because it would be my fault to push the responsibility to an unannounced acquirer. However, I don't trust Patrick, Amir or Donald and I immediately announced it when the change of ownership happens. It's not my decision to contract them either. There is no secret at all in the last change of ownership. |
|
|
|
|
Show Posts
