Hello Everyone,
I created mtgox on a lark after reading about bitcoins last summer. It has been interesting and fun to do. I’m still very confident that bitcoins have a bright future. But to really make mtgox what it has the potential to be would require more time than I have right now. So I’ve decided to pass the torch to someone better able to take the site to the next level. MagicalTux has already contributed a lot to the bitcoin community and in many ways he will be better at running the site than I was. He has much more experience with web programming, system administration and integrating with banks and other payment processors than I do.
Everything will still work the same as always for the time being. But expect a lot of positive changes after he takes over including:
Automatic (and free) funding from Euro accounts.
Automatic ACH deposit and withdrawal.
Margin trading.
Interface redesign.
Lifting the $1000 a day withdrawal limit.
Thanks to everyone that has supported mtgox so far. Can’t wait to see BTC hit $10!
I can still be reached on the forum as "jed" or through fivegrinder.com
|
|
|
Yeah the new server is up. The DNS will just take a while to update. If you are in a hurry you can try flushing your DNS or put 174.121.74.59 in your hosts file.
|
|
|
TheKoziTwo: I checked the IRC logs. There is nothing in there about this trade. Here is my post for a 3rd time since it keeps getting buried and people keep asking why I haven't posted.
Here is a more complete rundown of what happened with the baron account. Person A had their account compromised by Person B.
Day1: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) to an address owned by baron.
Day2: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) to an address owned by baron.
Day3: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) to an address owned by baron.
Day4: Person A logs into their account and notices the missing BTC. They change their password and contact me about the theft.
DayX: Person B finds an exploit in my LR code and manages to send himself a good deal of LR from the site.
DayY: Person B steals money from 2 other mtgox accounts after compromising them with a dictionary attack. This is discussed elsewhere.
I have talked to Person A on the phone extensively both before and after the theft. He had much more in his account than what was stolen.
baron claims that he bought the BTC in question from someone on IRC with Liberty Reserve (LR). He hasn’t been able to provide any evidence of this transfer. I see nothing even close in the IRC logs of bitcoin-otc about this transfer. To believe baron’s story we have to believe:
1) A thief would trust a random person on IRC they have never met before and no one else on the channel knows to send them $3000.
2) The thief would transfer directly from mtgox to the buyer before knowing how much BTC they would end up stealing from mtgox.
3) baron can’t remember his nick, the thief’s nick, or the IRC channel that was used for the trade.
4) baron can no longer find the record of the LR transaction.
5) baron is unable to talk to me on the phone because according to him he is mute.
baron also refuses to provide proof of who he is or where he lives.
We are left having to assume that baron is in fact person B. baron’s account on mtgox holds less than the sum of theft by person B.
As I have said previously we don’t want to be the bitcoin police and this will hopefully not be necessary in the future since we have fixed these security issues that allowed Person B to steal from us and other users in the first place.
|
|
|
BCEmporium: He was withdrawing $1000 a day since he first deposited.
|
|
|
ShadowOfHarbringer: What more do you want me to say than this:
Here is a more complete rundown of what happened with the baron account. Person A had their account compromised by Person B.
Day1: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) to an address owned by baron.
Day2: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) to an address owned by baron.
Day3: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) to an address owned by baron.
Day4: Person A logs into their account and notices the missing BTC. They change their password and contact me about the theft.
DayX: Person B finds an exploit in my LR code and manages to send himself a good deal of LR from the site.
DayY: Person B steals money from 2 other mtgox accounts after compromising them with a dictionary attack. This is discussed elsewhere.
I have talked to Person A on the phone extensively both before and after the theft. He had much more in his account than what was stolen.
baron claims that he bought the BTC in question from someone on IRC with Liberty Reserve (LR). He hasn’t been able to provide any evidence of this transfer. I see nothing even close in the IRC logs of bitcoin-otc about this transfer. To believe baron’s story we have to believe:
1) A thief would trust a random person on IRC they have never met before and no one else on the channel knows to send them $3000.
2) The thief would transfer directly from mtgox to the buyer before knowing how much BTC they would end up stealing from mtgox.
3) baron can’t remember his nick, the thief’s nick, or the IRC channel that was used for the trade.
4) baron can no longer find the record of the LR transaction.
5) baron is unable to talk to me on the phone because according to him he is mute.
baron also refuses to provide proof of who he is or where he lives.
We are left having to assume that baron is in fact person B. baron’s account on mtgox holds less than the sum of theft by person B.
As I have said previously we don’t want to be the bitcoin police and this will hopefully not be necessary in the future since we have fixed these security issues that allowed Person B to steal from us and other users in the first place.
You want me to just keep posting that over and over? There won't be anything new to say until baron gives me more info.
|
|
|
Here is a more complete rundown of what happened with the baron account. Person A had their mtgox account compromised by Person B.
Day1: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) from person A's account to an address owned by baron.
Day2: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) from person A's account to an address owned by baron.
Day3: Person B sent ~3000BTC (the mtgox $1000 a day limit at the time) from person A's account to an address owned by baron.
Day4: Person A logs into their account and notices the missing BTC. They change their password and contact me about the theft.
DayX: Person B finds an exploit in my LR code and manages to send himself a good deal of LR from the site.
DayY: Person B steals money from 2 other mtgox accounts after compromising them with a dictionary attack. This is discussed elsewhere.
I have talked to Person A on the phone extensively both before and after the theft. He had much more in his account than what was stolen.
baron claims that he bought the BTC in question from someone on IRC with Liberty Reserve (LR). He hasn’t been able to provide any evidence of this transfer. I see nothing even close in the IRC logs of bitcoin-otc about this transfer. To believe baron’s story we have to believe:
1) A thief would trust a random person on IRC they have never met before and no one else on the channel knows to send them $3000.
2) The thief would transfer directly from mtgox to the buyer before knowing how much BTC they would end up stealing from mtgox.
3) baron can’t remember his nick, the thief’s nick, or the IRC channel that was used for the trade.
4) baron can no longer find the record of the LR transaction.
5) baron is unable to talk to me on the phone because according to him he is mute.
baron also refuses to provide proof of who he is or where he lives.
We are left having to assume that baron is in fact person B. baron’s account on mtgox holds less than the sum of theft by person B.
----
As I have said previously we don’t want to be the bitcoin police and this will hopefully not be necessary in the future since we have fixed these security issues that allowed Person B to steal from us and other users in the first place.
|
|
|
Bimmerhead: I'm waiting for him. He isn't waiting for me. I've been trying to get him on the phone since this happened.
|
|
|
Also I'm not holding his funds because I think he bought stolen BTC. I'm holding them because there is a chance he stole BTC.
|
|
|
BCEmporium: How can you say what you would do when you don't know what is really happening? If I allow him to trade and he is a scammer it is very easy to send the majority of his money to another account just by clearing out the order book and then trading with another account he makes.
And of course I have talked to the victim and am convinced his account was stolen from. I don't enjoy just blocking random people's accounts. I wouldn't do it unless there really was no other option.
|
|
|
wow 16 pages!
Guys I really don't want to go into details about this until it is resolved. If baron is in fact a scammer the less he knows about what I know the better. I'm still talking to baron and trying to get to the bottom of this.
|
|
|
There is pretty strong evidence that this guy was involved in some theft of BTC. I'm trying to talk to him to make absolutely certain.
|
|
|
Just post this on Craigslist. Someone will do it for sure.
|
|
|
sgornick: is that number of nodes online at that time? That is way more than I expected.
|
|
|
People keep asking me so...
The only accounts that were compromised were cryptofo and one other who I emailed. No other accounts were compromised. If you are still worried about it simply change your password.
I've paid out a lot to fraudsters since I started mtgox. But I admit I should have had something in place to prevent successive login attempts. But also a password such as abcd1234 is 4 letters and 4 numbers but would be found very quickly by any attack like this. Anyway it seems fair to restore half your coins.
|
|
|
Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.
There were only two accounts that had money stolen from them as far as I can tell.
It was a dictionary attack since I saw it happening.
I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.
I'm still working out with cryptofo if/how to reimburse him.
Ideally Liberty Reserve would help us since they can easily fix the issue. But they don't seem to be cooperating. Anyone have ideas there?
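Added example, not part of the original posts and not mtgox code: a sketch of the limit on successive login attempts that the posts above say was missing, counting failures per account and per source so that a wordlist run against known usernames is cut off. The names `LoginThrottle` and `simulate`, the thresholds, and the sample account, wordlist and address are all constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins, keyed by account and by source."""

    def __init__(self, max_per_account=5, max_per_source=20, window=900):
        self.max_per_account = max_per_account  # assumed threshold
        self.max_per_source = max_per_source    # assumed threshold
        self.window = window                    # seconds
        self._failures = defaultdict(deque)     # key -> failure timestamps

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop expired failures
            q.popleft()
        return len(q)

    def allowed(self, username, source, now):
        """Call before comparing the password; False means reject outright."""
        return (self._recent(("acct", username), now) < self.max_per_account
                and self._recent(("src", source), now) < self.max_per_source)

    def record_failure(self, username, source, now):
        self._failures[("acct", username)].append(now)
        self._failures[("src", source)].append(now)

    def record_success(self, username):
        # A good login clears the account counter but not the source counter.
        self._failures.pop(("acct", username), None)


def simulate(attempts, passwords, throttle):
    """Replay (time, source, username, guess) tuples; return breached accounts."""
    breached = []
    for now, source, username, guess in attempts:
        if not throttle.allowed(username, source, now):
            continue  # rejected before the password is compared
        if passwords.get(username) == guess:
            throttle.record_success(username)
            breached.append(username)
        else:
            throttle.record_failure(username, source, now)
    return breached


# Constructed sample: one source walks a short wordlist against one username.
WORDLIST = ["password", "123456", "qwerty", "letmein",
            "bitcoin", "monkey", "dragon", "abcd1234"]
PASSWORDS = {"alice": "abcd1234"}
ATTEMPTS = [(t, "198.51.100.7", "alice", w) for t, w in enumerate(WORDLIST)]
```

With the limits effectively disabled the eighth guess succeeds; with the defaults the account is closed to further guesses after five failures. The per-source counter covers the other shape of the same attack, one guess each against many usernames.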
|
|
|
> Any news from mtgox and getting his bitcoins back?
Yeah it is unfortunate. I've contacted Liberty Reserve about it. I fixed it so they can't use this attack anymore. I think his and one other account (I've emailed you) were the only two compromised. Anyone with a decent password would be safe.
|
|
|
strule: I can handle some Euro withdrawals now.
|
|
|
strule: yes you should be able to withdraw Euros middle of next week.
|
|
|
I had to do this also. They seem fine to me; I've bought a lot from them.
|
|
|
I'm just going to convert EUR -> USD right now to keep things simple. I might set up EUR <-> BTC later if the volume is big enough. I'll use this exchange rate: http://xurrency.com/api/eur/usd/1
|
|
|
|