No, that is first few. Waiting for some confirms. 1 confirm on the withdraws. Still 20 bid for 13.45, but able to sleep now. If it is true that there is no cold wallet, you should definitely get all BTC back (as long as there was no fractional reserve). There shouldn't be a shortage of BTC because none was hacked in. USD, on the other hand, was injected. It's a race to sell the USD as fast as possible now. OMG... I had 180 Bitcoins there... Jesus...
My latest withdraw at btc-e webpage says "confirmed", but nothing reached my wallet yet.
40 Bitcoins was "sold" there... And 140 Bitcoins are stucked at some point there... In Russia... Damn!
Jesus no, please no... Please... no... Oh God... lol My documentation: https://bitcointalk.org/index.php?topic=40889.msg1066779#msg1066779I have screenshots... To remember... Damn... :-/ Your bitcoin, as long as you withdraw it, should still arrive. Good luck. Unfortunately, you might have to write off your USD, or sell it at a massive loss. There is no way BTC-E has enough to pay out the USD. |
|
|
|
Hmmm. Let's see. What's the time zone in Russia. I'm guessing about 4AM roughly.
Anyone know who to call to wake them up and freeze the exchange?
It is 6:37 in Moscow. |
|
|
|
Assuming the chat image pasted earlier was the real hacker comments, then the entire database is going to get purged. So if BTC-e didn't back up regularly, this is going to burn a ton of people.
They are probably not. I believe this was a SQL injection. There are a few telltale signs: - The event was sudden.
- The hacking was weak. If the hacker had access to the server, they may be able to empty the hot wallet directly. Instead, the hacker had to rely on BTC-E withdrawal.
- The hacking seemed to involve a simple UPDATE of the USD value.
|
|
|
|
They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.
Dude. All exchanges use a pooled wallet. There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange. The exchange simply has one (or more) hot and/or cold wallets. Then they maintain a database of each user's balance, and trades change those balance. One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that. The likely reason for faking USD is simply because that is the exploit the hacker founds. Hacker found a way to add USD to his USD balance. Once had had that why try hacking any further. Give yourself huge amounts of USD, buy BTC and remove them from the exchange. If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange. |
|
|
|
From the BTC-E chat box: MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed That can't be good, but how do we know he wasn't just trollololing? There is no reason not to suspect a database leak. The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database. What confuses me is why they did not simply hack the BTC in. They wouldn't be able to withdraw fake BTC. Why not? They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing. There's no practical difference between "fake" and "real" BTC or USD on an exchange. It can be withdrawn regardless. USD usually is more easily traceable, freezable, and is more dangerous, which is why the hacker could not withdraw that way. |
|
|
|
From the BTC-E chat box: MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed That can't be good, but how do we know he wasn't just trollololing? There is no reason not to suspect a database leak. The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database. What confuses me is why they did not simply hack the BTC in. They wouldn't be able to withdraw fake BTC. Why not? |
|
|
|
From the BTC-E chat box: MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed That can't be good, but how do we know he wasn't just trollololing? There is no reason not to suspect a database leak. The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database. What confuses me is why they did not simply hack the BTC in. |
|
|
|
|
Notice: this post is outdated and kept for archival purposes. The hack has been roughly added to the chronological history of the OP. Do not trust what you read.
New hack in progress: BTC-E.com
I'm actively monitoring this right now. This looks like it will be a disaster.
So far, the fraudulent volume is 61196.73 BTC. This is all the fraudulent volume (it's all the "extra" BTC poofed into the system). The attack is still ongoing, but more BTC poofed into the system will likely never make it out of the exchange.
This fraudulent volume, or official figures on how much was withdrawn, will be the value listed for amount stolen from btc-e. I will also list the amount btc-e did not compensate its customers for, as the amount stolen passed on to customers.
Because the attack was through a modification of USD, it was likely a SQL injection (or possible something more severe). Expect a database leak.
A lower bound has been established based on blockchain activity: 20000 BTC. The upper bound of around ~60000 BTC in volume remains. Either way, this hack would be a disaster for Bitcoin, easily ranking in the top ten.
The hacker is unknown. A character by the name of MrWubbles, claiming to be supa, someone infuriated with the BTC-E exchange, claims responsibility. This point is disputed, as MrWubbles has almost certainly lied about being able to delete the database. The most likely entry point was a SQL injection.
For all victims of the hack, I sympathize with you. Although security should have been higher, the BTC-E team will still likely absorb much of this loss (as well as lose their past profits), and deserve sympathy as well.
Instructions for best recovery:
1. Sell ALL USD immediately. There is definitely not enough USD to pay out.
2. Withdraw ALL BTC immediately. Unless fractional reserve or cold storage was employed, there should be enough. This is confirmed by one of DeathAndTaxes's experiments.
3. Change passwords for other websites immediately. The database is likely to leak, if a SQL injection was the culprit.
Best of luck to all victims.
|
|
|
|
Why is Psy a staff member?
He makes personal attacks, harasses posters and shits-up threads to such an extent that he has a protection-racket pay-off address in his signature which he uses to regularly solicit donations to get him to stop. He also has a bright-orange ignore button, clearly indicating the number of people who are sick of his crap.
Why is he granted a privileged position on this board? He would be considered a troll anywhere else.
How about searching a little bit before posting a duplicate thread/complaint? The answer is that he is only a moderator in the Spanish (or Portugese?) section because he speaks that language. "Staff" has no meaning outside of the sections that he moderates. Portuguese and Newbies. Actually, "Staff" does have meaning outside of those sections. Staff members have access to a special "Staff" board where forum moderation is discussed. |
|
|
|
Actually I think it would be useful if the forum software would enable that automatically upon account creation, although that could lead to ballooning disk space.
Compared to all the forums posts, PMs shouldn't require significant disk space. True, I suppose so. My sent PM's are slightly less than a tenth of my posts. While small, I wouldn't quite call that insignificant. Is it necessary to add another database entry to keep the PM in the outbox? I don't know how SMF works, but I assume a smart implementation will use no additional disk space. |
|
|
|
2073: we're almost at 2100! 
|
|
|
|
This is not a scam. This is just playing on people's stupidity.
Scam. Yes, this is a scam. Some money has been lost as well. I've flagged the video for removal, and suggest others do as well. |
|
|
|
1.001 BTC stolen so far... monitor here. |
|
|
|
Not yet.
Translation: "I want to buy bitcoins at < $10 for the next year" Not really. Not counting my house, most of my net worth is in BTC already. Sure, it would be nice, but we're not there yet. Translation: "I'm thinking about selling my house and buying bitcoins and being homeless for the next year while i await becoming a billionaire"  From homeless to billionaire: the magic of BTC! |
|
|
|
Well, I think you confuse something here. The consultancy kept our funds for a few months, doing basically nothing. Then ZT stepped up and refunded some 5kBTC. Now within days he made more funds available. In my point of view, ZT is the only one that does actually pay back something. If some BitBuster was repaid from this consultancy - fine, however, for all of us still waiting, ZT seems the only one that does not hide behind some delay tactics. Hell, I think, ZT should, if he can, hack the current account of this lame consultancy, so that the funds can be repaid.
I think it is you who are confused. Ryan Zhou was the one that "hacked" into the site in the first place, stole the coins and destroyed the database. It is because the database was destroyed that they are having a hard time paying people back. ZT can't be praised for anything, because he alone willfully caused this mess. There is some evidence that Zhou stole the Mt. Gox funds. I will not deny that. But there is zero evidence, and quite a bit of evidence in the contrary, that Zhou was involved in the Rackspace hack. What makes you believe that? |
|
|
|
2068: 0.00985% We've nearly completed the first leg of 10000. 
|
|
|
|
OK. I'll explain. SHA-256 is used for hashing. Of coz it's used in a variety of applications. But if someone get a quantum computer and manage to falsify a digitally signed contract then only authentic owner of the contract will be harmed. If someone manage to falsify an SSL certificate then only visitors of the site will be harmed. But if someone manage to find block nonces every second, then everyone who uses bitcoins will be in troubles. Quantum computers aren't a magic bullet. Yes using Shor's algorithm the search speed can be increased exponentially however at what cost? For example say once ASICs become mainstream the cost to attack/defend the network using ASICs is $20,000 per TH. Now say a quantum computer which could implement shor's algorithm on 256bit numbers could be built for $50,000 per TH equivelent. Who cares? An attacker is going to take the more economical option. So quantum computer is only a threat if all 5 elements are true a) it is possible to build a quantum computer which can implement shor's algorithm on 256bit numbers b) it is possible to build a quantum computer large enough to 51% attack the network c) it is possible to build a quantum computer that makes such attack more economical than ASIC based brute force d) quantum technology can be restricted so that a computer meeting requirements a,b, c isn't available to "defenders" e) Bitcoin protocol isn't changed to implement quantum resistant block hashing algorithm The idea that a,b,c,d & e will all remain true at the same time is implausible. a & b are technical limitations and currently impossible although they MAY be possible in the future. c is likely only true if quantum computers are being mass produced. If c is true then it is very likely d isn't true. a,b,c &d aren't going to happen overnight so as implausible as that set on conditions is some years or decades before it becomes true Bitcoin could adopt a quantum reistant hashing algorithm making conditon e false. This guy makes Bitcoin seem immortal. Bitcoin as we know it isn't immortal. SHA256 will definitely be broken eventually, stopping Bitcoin mining completely. But the concept behind Bitcoin, future forks of it, and its spirit will likely last until the fall of humanity. |
|
|
|
|
It's clear aurumxchange likely isn't. If an investigation is actually because of money laundering, it should never have been posted publicly.
|
|
|
|
|
Thanks theymos, that deals with most of it. I still believe a security subforum, as well as newbie subfora would be helpful.
|
|
|
|
|
Show Posts
