Bitcoin Forum
Topic: Tracing Mt. Gox Hack
bgok (Newbie)
June 20, 2011, 12:43:39 AM, #1

I was interested to see how the perpetrators of the Mt. Gox hack would try to hide the money. Since every transaction is publicly visible, you really can't. It's not possible to get the BTC back, but you can try to figure out where it ended up. This is what I found.

Here's a suspicious looking set of transactions:

http://blockexplorer.com/tx/84f96975ea88d317676771a482c71f39ff53beda790c89c07ae82e427b4d090f
(can anyone confirm that the timestamp is about the time of the hack? This transaction would have happened very close to the moment BTC went to US$.01)

Here's the history of the receiving address:

http://blockexplorer.com/address/18T3AFPJ2sTu6ti7gGj5x52uzJNmVFw9y9

Most of the BTC were sent to:

http://blockexplorer.com/address/1LceqX2YsnmuhfkUePV6M2hJP9zMoWphn

Keep following the chain like this and the BTC is broken up into 50K chunks. It's fairly easy to follow the money all the way to the end of the chain and get a fairly small set of addresses where it ended up. I'd publish all of the addresses from this chain of transactions, but some of the chains have already been extended.

It would also be interesting to search Google and all bitcoin forums for the addresses in these transactions.

Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?
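
Added example, not part of the original post or of any Bitcoin client: a sketch of the "keep following the chain" step and of the "rooted in" check asked about above, run over a small constructed transaction graph. The transaction ids, addresses and amounts are made up; note that any transaction with one traced input is treated as wholly traced, which over-counts when funds are merged.

```python
from collections import deque

# Constructed sample graph (not real transactions or amounts).
# ins: list of (prev_txid, prev_output_index); outs: list of (address, btc).
TXS = {
    "root":  {"ins": [], "outs": [("addrA", 500_000)]},
    "t1":    {"ins": [("root", 0)], "outs": [("addrB", 450_000), ("addrC", 50_000)]},
    "t2":    {"ins": [("t1", 0)], "outs": [("addrD", 50_000), ("addrE", 400_000)]},
    "clean": {"ins": [], "outs": [("addrZ", 10)]},
    # t3 merges a traced output with an unrelated one.
    "t3":    {"ins": [("t2", 1), ("clean", 0)], "outs": [("addrF", 400_010)]},
}

def spend_index(txs):
    """Map each spent output (txid, index) to the txid that spends it."""
    return {prev: txid for txid, tx in txs.items() for prev in tx["ins"]}

def trace(txs, root_txid):
    """Walk forward from root_txid.

    Returns (traced_txids, tips), where tips maps address -> BTC held in
    outputs that descend from the root and are still unspent, i.e. the
    current ends of the chain.
    """
    spent_by = spend_index(txs)
    traced, tips = {root_txid}, {}
    queue = deque([root_txid])
    while queue:
        txid = queue.popleft()
        for idx, (addr, amount) in enumerate(txs[txid]["outs"]):
            spender = spent_by.get((txid, idx))
            if spender is None:
                # Unspent: the trail currently stops at this address.
                tips[addr] = tips.get(addr, 0) + amount
            elif spender not in traced:
                traced.add(spender)
                queue.append(spender)
    return traced, tips

def is_rooted_in(txs, txid, root_txid):
    """True if txid spends, directly or indirectly, an output of root_txid."""
    return txid != root_txid and txid in trace(txs, root_txid)[0]
```

The tips for `addrF` include the 10 BTC that came from the unrelated `clean` transaction, which is the merging effect a blanket "refuse anything rooted in X" rule would have to deal with.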


BitcoinPorn (Hero Member)
June 20, 2011, 12:53:53 AM, #2

I love it, Bitcoins are the most non anonymous form of currency, however I still like it more than cash.

dev^ (Newbie)
June 20, 2011, 01:03:37 AM, #3

Here you have a log of all Mt. Gox trades between 19:15:36 and 20:13:51 (GMT +2). Maybe it's useful in some way.
The file was produced by the debug output from some of my monitoring tools.

https://rapidshare.com/files/624965338/history.txt

elk-tamer (Member)
June 20, 2011, 01:07:57 AM, #4

Quote
Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?

I for one wouldn't want a client that had that mod. If you block some transactions it means you can block others. The real problem here is mtgox, not the bitcoin client.

Big Time Coin (Sr. Member)
June 20, 2011, 01:11:22 AM, #5

Thanks for the info, it looks like it all happened in one second, all the trades cleared in one second.  Tux really has his work cut out for him.  Anyway, someone called "Ross" posted this on the mtgox comments today:

Quote
Are you certain that an account was compromised or that the account itself was a collection of compromised BTC? Some time should be spent thinking about the result of when/how you determine intervention should be applied to the market.

See: http://blockexplorer.com/address/1KLahQtqDNAXvrjNyfvgSBtAhwco5ZxLp4  For what I'm talking about. This address received large sums of BTC from many different addresses all at one time a week ago. That BTC was then transferred to MtGox and dumped on the market at once.

I can't read blockexplorer too well, but it does deter from the theory proposed by mtgox that this was a "hack".  I mean, if someone consolidated 400k+ bitcoins all at once a week ago from several addresses and then transferred to mtgox all those coins, then the same day sold them all.  That's not a hack, that is something else.

Big time, I'm on my way I'm making it, big time, oh yes
- Peter Gabriel

Wildvest (Jr. Member)
June 20, 2011, 01:15:23 AM, #6

very interesting

WildVest LLC - Blockchain Investments - http://www.wildvest.com

darkgamer (Jr. Member)
June 20, 2011, 02:35:21 AM, #7

new spam email being sent out
Delivered-To: my email
Received: by 10.204.49.86 with SMTP id u22cs24977bkf;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received: by 10.150.63.12 with SMTP id l12mr5078373yba.120.1308532635049;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Return-Path: <bittrader566@yahoo.com>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33])
        by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) client-ip=67.18.176.33;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) smtp.mail=bittrader566@yahoo.com
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Date: 20 Jun 2011 01:17:14 -0000
Message-ID: <20110620011714.22897.qmail@mail.daveblood.com>
From: bittrader566@yahoo.com
To: myemail
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698

Sign up at Trade Hill today!

http://www.tradehill.com/?r=TH-R13698
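
Added example, not part of the original post: a triage check over the headers quoted above, comparing the claimed sender domain with the host that actually delivered the message to the receiving server, the SPF verdict and the Message-ID domain. The function names and finding labels are made up for this sketch; the header lines are a subset copied from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the headers from the message quoted in the post above.
RAW = """\
Return-Path: <bittrader566@yahoo.com>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33])
        by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) client-ip=67.18.176.33;
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Message-ID: <20110620011714.22897.qmail@mail.daveblood.com>
From: bittrader566@yahoo.com
Subject: Was this the last straw with Mt Gox?

(body omitted)
"""

# "from <HELO name> (<reverse DNS name> [<IPv4>])" as written by the receiver.
RELAY_RE = re.compile(r"from (\S+) \((\S+) \[([0-9.]+)\]\)")

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    """Return sender/relay facts plus heuristic findings (triage, not proof)."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Topmost Received header with a relay host is the hop the receiver saw.
    hop = next((m for r in msg.get_all("Received", [])
                if (m := RELAY_RE.match(r.strip()))), None)
    if hop is None:
        raise ValueError("no Received header with a relay host")
    helo, rdns, ip = hop.groups()
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    msgid_domain = msg.get("Message-ID", "").strip("<>").rpartition("@")[2]
    findings = []
    if not (in_domain(helo, sender_domain) or in_domain(rdns, sender_domain)):
        findings.append("relay-outside-sender-domain")
    if spf != "pass":
        findings.append("spf-not-pass")
    if not in_domain(msgid_domain, sender_domain):
        findings.append("message-id-outside-sender-domain")
    return {"sender_domain": sender_domain, "relay_helo": helo,
            "relay_ip": ip, "spf": spf, "findings": findings}
```

A legitimate forwarder or mailing list can trigger the same findings, so they are a reason to look closer rather than a verdict.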


bgok (Newbie)
June 20, 2011, 04:23:20 AM, #8

Quote
new spam email being sent out

Be sure to report it as spam.

Big Time Coin (Sr. Member)
June 20, 2011, 04:55:13 AM, #9

can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above?  Trace it, like OP suggested.

Big time, I'm on my way I'm making it, big time, oh yes
- Peter Gabriel

SomeoneWeird (Hero Member)
June 20, 2011, 04:59:46 AM, #10

Quote
can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above?  Trace it, like OP suggested.

You can't.

linenoise (Full Member)
June 20, 2011, 05:49:38 AM, #11

Am I reading that right, a 300K and a 400K chunk of bitcoins? If so that's a significant portion of the entire pool.


figvam (Jr. Member)
June 20, 2011, 07:29:58 AM, #12

It (a 432k transfer) was Mt.Gox operator's attempt at securing the remaining funds, as they explained somewhere.

lewicki (Sr. Member)
April 23, 2013, 01:19:25 AM, #13

Quote
new spam email being sent out
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698

Sign up at Trade Hill today!

http://www.tradehill.com/?r=TH-R13698




How's the volume over there? Their front page makes it look pretty iffy.

Jason101 (Newbie)
April 23, 2013, 08:48:51 AM, #14

you are quoting something from 2011

it's a totally new site now

eco (Newbie)
April 23, 2013, 08:56:44 AM, #15

yes certainly has changed quite a bit since then..no doubt.

Darkcoins (Jr. Member)
April 23, 2013, 09:38:46 AM, #16

Someone munched a lot of coins.. Nom Nom..

EDM ALBUM OUT NOW 0.03 BTC - Digital Download
1HWJ2ci7ZYuu3pBsSgxy89XESisHCN8kcZ