Author Topic: Time-line of the MtGox attack  (Read 4701 times)
mrb (OP)
June 20, 2011, 02:32:08 AM
 #1

http://blog.zorinaq.com/?e=55

There is a massive amount of information on IRC and the forum threads. Hopefully I have done an okay job at summarizing the attack.
stillfire
June 20, 2011, 02:43:44 AM
 #2

Nice timeline. I hadn't read about that big BTC transaction minutes before the MtGox shutdown yet.

Lost your wallet password? Try Stillfire's Password Recovery Service.
unk
June 20, 2011, 02:58:33 AM
 #3

just for argument's sake, what evidence does the public (anyone outside of mt. gox) have that there even was an attack? how would anyone know that it wasn't a large holder of bitcoins who was trying to sell, hoping to get a decent price from large dark pools he or she suspected existed? then, unhappy with the total price received from the bulk sale, this large holder could have then asked or paid mt. gox to roll things back.

i'm not suggesting that happened, but how would anyone know? many following the live data as it was happening assumed that it was simply a large holder of bitcoins selling, and that's not an unreasonable assumption.

the reason i ask is that people who did act on the data were not unreasonable to do so; a rollback for them is presumably an odd surprise.
AbeSkray
June 20, 2011, 03:04:04 AM
 #4

Quote from: stillfire
Nice timeline. I hadn't read about that big BTC transaction minutes before the MtGox shutdown yet.
I agree! I was also unaware of the 432077.76654321 BTC transaction. Kinda strange that if you read the digits backwards you get a '12345667' sequence. Could that just be a fluke?

mrb: I'm curious about this:
Quote from: mrb
Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox.
Emphasis yours. Can you elaborate on why you think georgeclooney is the attacker? Is that based solely on the fact that he posted some of the hashes before they were publicly leaked?
stillfire
June 20, 2011, 03:08:32 AM
 #5

Quote from: unk
just for argument's sake, what evidence does the public (anyone outside of mt. gox) have that there even was an attack? how would anyone know that it wasn't a large holder of bitcoins who was trying to sell, hoping to get a decent price from large dark pools he or she suspected existed? then, unhappy with the total price received from the bulk sale, this large holder could have then asked or paid mt. gox to roll things back.

That's certainly a thought that could be valid to play with but it seems unlikely.

The hacker explanation sounds plausible given the prior reports of accounts being hacked, and the subsequent release of password hashes. If there really was a large seller who legitimately wanted to 'try the waters' and sell off massive amounts of coins at once just to see how much he or she could get, and then somehow could convince MtGox to destroy their own reputation to roll back the transaction - and this sounds implausible already - how likely is it that that would happen at the same time as a massive security breach? Would that be staged too?
Chick
June 20, 2011, 03:10:56 AM
 #6

Quote
Note to self: add support for Unix MD5-based crypt() hashes to whitepixel  )

Hahaha.

mrb (OP)
June 20, 2011, 03:13:32 AM
 #7

Quote from: AbeSkray
Quote from: mrb
Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox.
Emphasis yours. Can you elaborate on why you think georgeclooney is the attacker? Is that based solely on the fact that he posted some of the hashes before they were publicly leaked?

Yes, it is based on this fact.
nomnomnom
June 20, 2011, 03:20:17 AM
 #8

Quote from: AbeSkray
Quote from: stillfire
Nice timeline. I hadn't read about that big BTC transaction minutes before the MtGox shutdown yet.
I agree! I was also unaware of the 432077.76654321 BTC transaction. Kinda strange that if you read the digits backwards you get a '12345667' sequence. Could that just be a fluke?

On this show which just ended from onlyonetv, the MT Gox guy said they did this transaction
to move the bitcoins to a secure wallet, and that only maybe something like 200 coins got lost.

Let's hope this is true...
stillfire
June 20, 2011, 03:22:31 AM
 #9

Quote from: nomnomnom
On this show which just ended from onlyonetv, the MT Gox guy said they did this transaction
to move the bitcoins to a secure wallet, and that only maybe something like 200 coins got lost.

Let's hope this is true...

If so the timeline is off by a little since it says Mark Karpeles was only woken up after that transaction had occurred. I do hope it's true.
bittrader
June 20, 2011, 03:34:42 AM
 #10

FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.
Maged
June 20, 2011, 03:58:26 AM
 #11

Quote from: mrb
http://blog.zorinaq.com/?e=55

There is a massive amount of information on IRC and the forum threads. Hopefully I have done an okay job at summarizing the attack.
Pretty good timeline! As for when the database was leaked, it was at least 5 minutes before you show it at. theymos can look up the exact time, since the post wasn't actually deleted.

GeniuSxBoY
June 20, 2011, 04:03:27 AM
 #12


Be humble!
GeniuSxBoY
June 20, 2011, 04:14:34 AM
 #13

Quote from: mrb
Quote from: AbeSkray
Quote from: mrb
Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox.
Emphasis yours. Can you elaborate on why you think georgeclooney is the attacker? Is that based solely on the fact that he posted some of the hashes before they were publicly leaked?

Yes, it is based on this fact.



HAHAHAHAHA. DUDE IS HILARIOUS. CALLED HIMSELF GEORGE CLOONEY BECAUSE OF OCEANS 11.


Definitely suave.
mrb (OP)
June 20, 2011, 04:24:02 AM
 #14

Quote from: bittrader
FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.

Someone else said it was a certain "Adam" on the show who said the 432k BTC txfer was MtGox transferring as a security precaution. "Adam" is not related to MtGox.

(Sorry I forget where I heard about this Adam. I'll try to get clarification about this transfer.)

But regardless, it worries that it was made (a minute) before MagicalTux appeared on IRC, where he was clearly just discovering the selloff, and hadn't started his investigation yet. Also it doesn't make sense that a "single account" was compromised and had hundreds of thousands of BTC in it. No one in his right mind keeps this amount of coins on MtGox (other than MagicalTux himself?), ask knightmb how he secures his 370k BTC :)
Maged
June 20, 2011, 04:28:17 AM
 #15

Quote from: mrb
Quote from: bittrader
FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.

Someone else said it was a certain "Adam" on the show who said the 432k BTC txfer was MtGox transferring as a security precaution. "Adam" is not related to MtGox.

(Sorry I forget where I heard about this Adam. I'll try to get clarification about this transfer.)

But regardless, it worries that it was made (a minute) before MagicalTux appeared on IRC, where he was clearly just discovering the selloff, and hadn't started his investigation yet. Also it doesn't make sense that a "single account" was compromised and had hundreds of thousands of BTC in it. No one in his right mind keeps this amount of coins on MtGox (other than MagicalTux himself?), ask knightmb how he secures his 370k BTC :)
Adam works at MtGox. I think he's fairly new.

jibjabz
June 20, 2011, 04:28:43 AM
 #16

What's the exact amount of the large transaction? Is this article accurate on that part? If so then that's not an internal Mt. Gox transaction making it even more likely than it already is that they're lying about the extent of this.
dana.powers
June 20, 2011, 04:40:00 AM
 #17

The input to the large transaction came entirely from the other large mtgox transaction of June 12th, which Tux explained at the time as being a security move to put the majority of mtgox BTCs offline. So we can be fairly confident the transfer was from MtGox offline storage. Also, based on the numbers the full offline balance was moved. So that makes sense. I don't believe those BTC were available for withdrawal from mtgox. For example, when I withdrew from mtgox a few days ago (spooked about increasing account compromise reports), the trx inputs were from 5 separate addresses. I assume those are the online accounts and are the ones available for withdrawal, subject to daily limit. I think it actually makes a lot of sense that he would re-secure the 400,000 offline BTC storage first thing when he woke up - before logging into IRC - even if he wasn't yet sure if an attack was in progress.
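
The input-provenance check described in post #17, as an added example that is not part of any poster's message: it asks whether a transaction is funded by exactly one earlier transaction and whether it spends all of that transaction's outputs. The ledger, transaction names and amounts are constructed for illustration and are not real chain data.

```python
# Constructed toy ledger, NOT real chain data. Values are integer satoshis;
# each input is (funding txid, output index). Parents such as "hot_1" are
# deliberately absent to model transactions outside the analyst's data set.
LEDGER = {
    "cold_move_1": {"inputs": [("deposit_a", 0), ("deposit_b", 0)],
                    "outputs": [40_000_000_000, 2_500_000_000]},
    "cold_move_2": {"inputs": [("cold_move_1", 0), ("cold_move_1", 1)],
                    "outputs": [42_500_000_000]},
    "withdrawal": {"inputs": [("hot_%d" % i, 0) for i in range(1, 6)],
                   "outputs": [1_000_000_000]},
}


def input_sources(txid, ledger):
    """Map each funding txid to the satoshis it supplies (None if unknown)."""
    sources = {}
    for prev_txid, vout in ledger[txid]["inputs"]:
        prev = ledger.get(prev_txid)
        if prev is None or sources.get(prev_txid, 0) is None:
            sources[prev_txid] = None  # parent not in our data set
        else:
            sources[prev_txid] = sources.get(prev_txid, 0) + prev["outputs"][vout]
    return sources


def funded_entirely_by(txid, parent_txid, ledger):
    """True when every input of txid spends an output of parent_txid."""
    return set(input_sources(txid, ledger)) == {parent_txid}


def sweeps_parent(txid, parent_txid, ledger):
    """True when txid spends every output of parent_txid (nothing left behind)."""
    spent = {vout for p, vout in ledger[txid]["inputs"] if p == parent_txid}
    return spent == set(range(len(ledger[parent_txid]["outputs"])))


if __name__ == "__main__":
    for tx in ("cold_move_2", "withdrawal"):
        print(tx, input_sources(tx, LEDGER))
```

A single-parent, full-sweep result matches the "offline storage moved as a whole" pattern, while a withdrawal drawing on several unrelated parents matches the multi-address hot-wallet pattern.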
broker11
June 20, 2011, 04:54:29 AM
 #18

You should also consider including in the timeline the Mt. Gox passwords purportedly for sale on Friday

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

and people reporting coins stolen from Mt. Gox accounts over the weekend:

http://forum.bitcoin.org/index.php?topic=18858.0
mrb (OP)
June 20, 2011, 06:39:02 AM
 #19

Thanks, I did add the info.

I got confirmation from MagicalTux that the 432k BTC transfer was MtGox moving coins to a safer location.
bitrebel
June 20, 2011, 07:01:50 AM
 #20

Quote from: bittrader
FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.

Only problem is, just previously he stated they had their bitcoins spread out into different accounts. Contradictions

Why does Bitrebel have 65+ Ignores?
Because Bitrebel says things that some people do not want YOU to hear.
stillfire
June 20, 2011, 02:54:51 PM
 #21

Presumably they have multiple wallets so there's nothing contradictory about it. They can be spread out and there can still be large transfers - maybe this is a secondary wallet.
BitterTea
June 21, 2011, 05:13:45 AM
 #22

So, I've got a theory, and here are some interesting tidbits...

  • I created an account a few days before the hack and it appears in the export (57051,"bigshot").
  • Around the same time around 6000 random looking accounts were created (from 52709,"hyquoshy" to 59354,"crostypa"). Was that part of a DDoS attempt, or some sort of known-text attack?
  • Kevin says that he attempted to raise his withdrawal limit prior to the attack.
  • MagicalTux says that Kevin logged in 3 minutes before the sell off and placed a large order at $0.01
mrb (OP)
June 21, 2011, 09:19:04 AM
Last edit: June 21, 2011, 09:47:54 AM by mrb
 #23

The "Adam" you guys said was on the OnlyOneTV show was not an MtGox employee, he was Adam Stradling, a TradeHill co-founder.