Tracing Mt. Gox Hack

[bgok]

I was interested to see how the perpetrators of the Mt. Gox hack would try to hide the money. Since every transaction is publicly visible, you really can't. It's not possible to get the BTC back, but you can try to figure out where it ended up. This is what I found.

Here's a suspicious looking set of transactions:

http://blockexplorer.com/tx/84f96975ea88d317676771a482c71f39ff53beda790c89c07ae82e427b4d090f
(can anyone confirm that the timestamp is about the time of the hack? This transaction would have happened very close to the moment BTC went to US$.01)

Here's the history of the receiving address:

http://blockexplorer.com/address/18T3AFPJ2sTu6ti7gGj5x52uzJNmVFw9y9

Most of the BTC were sent to:

http://blockexplorer.com/address/1LceqX2YsnmuhfkUePV6M2hJP9zMoWphn

Keep following the chain like this and the BTC is broken up into 50K chunks. It's fairly easy to follow the money all the way to the end of the chain and get a fairly small set of addresses where it ended up. I'd publish all of the addresses from this chain of transactions, but some of the chains have already been extended.

It would also be interesting to search Google and all bitcoin forums for the addresses in these transactions.

Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?

[BitcoinPorn]

I love it, Bitcoins are the most non anonymous form of currency, however I still like it more than cash.

[dev^]

Here you have a log of all Mt. Gox trades between 19:15:36 and 20:13:51 (GMT +2). Maybe it's usefull in some way.
The file was produced by the debug output from some of my monitoring tools.

https://rapidshare.com/files/624965338/history.txt

[elk-tamer]

Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?

I for one wouldn't want a client that had that mod. If you block some transactions it means you can block others. The real problem here is mtgox, not the bitcoin client.

[Big Time Coin]

Thanks for the info, it looks like it all happened in one second, all the trades cleared in one second.  Tux really has his work cut out for him.  Anyway, someone called "Ross" posted this on the mtgox comments today:

Are you certain that an account was compromised or that the account itself was a collection of compromised BTC? Some time should be spent thinking about the result of when/how you determine intervention should be applied to the market.

See: http://blockexplorer.com/address/1KLahQtqDNAXvrjNyfvgSBtAhwco5ZxLp4  For what i'm talking about. This address received large sums of BTC from many different addresses all at one time a week ago. That BTC was then transfered to MtGox and dumped on the market at once.

I can't read blockexplorer too well, but it does deter from the theory proposed by mtgox that this was a "hack".  I mean, if someone consolidated 400k+ bitcoins all at once a week ago from several address and then transferred to mtgox all those coins, then the same day sold them all.  That's not a hack, that is something else.

[Wildvest]

very interesting

[darkgamer]

new spam email being sent out                                                                                                                                                                                                                 
Delivered-To: my email
Received: by 10.204.49.86 with SMTP id u22cs24977bkf;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received: by 10.150.63.12 with SMTP id l12mr5078373yba.120.1308532635049;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Return-Path: <bittrader566@yahoo.com>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33])
        by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) client-ip=67.18.176.33;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) smtp.mail=bittrader566@yahoo.com
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Date: 20 Jun 2011 01:17:14 -0000
Message-ID: <20110620011714.22897.qmail@mail.daveblood.com>
From: bittrader566@yahoo.com
To: myemail
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698

Sign up at Trade Hill today!

http://www.tradehill.com/?r=TH-R13698

[bgok]

new spam email being sent out                                                                                                                                                                                                                 

Be sure to report it as spam.

[Big Time Coin]

can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above?  Trace it, like OP suggested.

[SomeoneWeird]

can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above?  Trace it, like OP suggested.

You can't.

[linenoise]

Am I reading that right, a 300K and a 400K chunk of bitcoins? If so that's a significant portion of the entire pool.

[figvam]

It (a 432k transfer) was Mt.Gox operator's attempt at securing the remaining funds, as they explained somewhere.

[lewicki]

new spam email being sent out                                                                                                                                                                                                                 
Delivered-To: my email
Received: by 10.204.49.86 with SMTP id u22cs24977bkf;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received: by 10.150.63.12 with SMTP id l12mr5078373yba.120.1308532635049;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Return-Path: <bittrader566@yahoo.com>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33])
        by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) client-ip=67.18.176.33;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of bittrader566@yahoo.com) smtp.mail=bittrader566@yahoo.com
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Date: 20 Jun 2011 01:17:14 -0000
Message-ID: <20110620011714.22897.qmail@mail.daveblood.com>
From: bittrader566@yahoo.com
To: myemail
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698

Sign up at Trade Hill today!

http://www.tradehill.com/?r=TH-R13698

How's the volume over there? Their front page makes it look pretty iffy.

[Jason101]

you are quoting something from 2011

it's a a totally new site now

[eco]

yes certainly has changed quite a bit since then..no doubt.

[Darkcoins]

Someone munched a lot of coins.. Nom Nom..