darkmule
Legendary
Offline
Activity: 1176
Merit: 1005
March 10, 2014, 03:13:31 AM
Someone should probably create another clean torrent without the malware and distribute that instead. I know anyone dumb enough to run an executable in something like this basically has it coming, but there's no good purpose to be served by knowingly distributing malware.
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
March 10, 2014, 03:31:54 AM
Well, ain't this motherfuckin' special! I waited till the all clear prior to downloading the file and unzipping it. Now, I learn that that wasn't a good idea. What am I up against here, guys?
Remember remember the 5th of November
Legendary
Offline
Activity: 1862
Merit: 1011
Reverse engineer from time to time
March 10, 2014, 03:54:06 AM
> Well, ain't this motherfuckin' special! I waited till the all clear prior to downloading the file and unzipping it. Now, I learn that that wasn't a good idea. What am I up against here, guys?

Missing bitcoins, possible suicide.

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
joesmoe2012
March 10, 2014, 03:59:43 AM
> Well, ain't this motherfuckin' special! I waited till the all clear prior to downloading the file and unzipping it. Now, I learn that that wasn't a good idea. What am I up against here, guys?

If you just unzipped it you should be fine. Just don't open the .exe or .pdf
usabitcoinbuyer
Newbie
Offline
Activity: 57
Merit: 0
March 10, 2014, 04:24:06 AM Last edit: March 10, 2014, 04:54:18 PM by usabitcoinbuyer
I'm trying to do some datamining on the files. Here are some interesting initial observations:
- There are 88267 accounts with BTC balances; I was under the impression there should be more than that.
- There appear to be wallet ids in the transaction history that aren't in the mtgox_balances file. This would explain the above.
- Some accounts have negative BTC balances (-85 BTC!). Oops!

Edit: it looks like 0 balance accounts aren't in mtgox_balances, so you can't xref user ids with wallet ids for those.

Edit2: There are 39905 accounts with only fiat balances, for a total of 128172 unique user accounts in the mtgox_balances file. The btc_xfer_report has 147079 unique wallet ids that have either deposited or withdrawn bitcoin. That implies at least 18907 users who have shown BTC deposit/withdrawal activity got all their funds out. I haven't yet gone through the trade history logs, so this is just a lower bound.
Bit_Happy
Legendary
Offline
Activity: 2114
Merit: 1040
A Great Time to Start Something!
March 10, 2014, 04:26:29 AM
Top 10 (apparent) account balances in the leaked database dump:
711a4e9d-e183-... 44547.7 BTC
34fcda44-5832-... 43768.2 BTC
c0b24126-f199-... 19985.0 BTC
92d047e9-9f2b-... 11500.6 BTC
ff84fc35-b22a-... 11007.8 BTC
0afba433-817e-... 9819.2 BTC
19b38844-b58b-... 8752.6 BTC
945e5a15-4100-... 8000.0 BTC
4339257e-4b12-... 6051.3 BTC
0766852e-9187-... 5199.9 BTC
Ouch, I don't feel too bad now about losing single-digit quantities of BTC. I'd assume that at least some of these accounts are Mark however (depending whether or not one believes he took the BTC himself).
Whale blubber got trimmed, ouch.
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
March 10, 2014, 04:27:02 AM
> > Well, ain't this motherfuckin' special! I waited till the all clear prior to downloading the file and unzipping it. Now, I learn that that wasn't a good idea. What am I up against here, guys?
> If you just unzipped it you should be fine. Just don't open the .exe or .pdf

Too late! I opened the CV-Mark_Karpeles...... one. I guess that explains why the page deal for blank. Now what? Besides any wallets that a person may have stored on their computer, of which is not the case with me, luckily, can the malware perform any other tasks like sniff for keystrokes, passwords, etc.? I truly don't know anything in this regard, that's why I had 1,132 BTC stored on InstaWallet last year, because the general consensus is that they could be trusted. It's also why I told a guy here in Sandwich, IL, that Bitcoinica was okay, so he put in $10K USD (I have strong reason to believe that's the correct figure considering the sources, though he claims it's a lot more)--because I trusted them. I told the guy not to use Mt Gox, so he didn't. Guess what happened? Sick! But I digress, and look forward to an answer to the earlier question in this post. Thanks in advance, from me and any others that the answers may help.
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
March 10, 2014, 04:35:11 AM
> I'm trying to do some datamining on the files. Here are some interesting initial observations:
> - There are 88267 accounts with BTC balances; I was under the impression there should be more than that.
> - There appear to be wallet ids in the transaction history that aren't in the mtgox_balances file. This would explain the above.
> - Some accounts have negative BTC balances (-85 BTC!). Oops!

88,267 is a far cry from 1M: https://www.facebook.com/MtGoxHoliday

Discount to celebrate reaching 1 Million Customers and a new partnership with Mayzus FS
Dear MtGox Customers,
Thank you for your patience and support all throughout 2013. As we noted in our previous update there are many things happening, and we're proud to announce two more major developments that will make MtGox both easier and more economical for our valued customers:
1) One million MtGox customers and reduced fees for the holidays!

BTW, that's 1M customers that should have equated to more accounts. 88,267 accounts equates to a lot fewer customers. InstaWallet pulled the same shit with their 3M customers claim. I can easily add up all the customers they paid out via the blockchain. BTW, they still have ~3000 BTC in that account after the last payout, and 1,132 BTC of it is mine. One more thing: Google Mayzus.
Bobsurplus
Legendary
Offline
Activity: 1008
Merit: 1000
Making money since I was in the womb! @emc2whale
March 10, 2014, 04:42:32 AM
Since the data seems to have been stolen around the time MtGox shut down or later, the question would be... why would you keep this information on a webserver if you aren't actively using it anymore?
My guess is the db was stolen from a business associate/employee. Left from the leaker: <!-- I hated working with you. You deserve everything you get for what you did. --> That's deep. He must have really fucked over everyone around him too.
usabitcoinbuyer
Newbie
Offline
Activity: 57
Merit: 0
March 10, 2014, 04:48:30 AM
> It's possible that there were accounts without bitcoin balances.
> Although, I still don't trust anything Gox says.

Right. I just realized that. Reference my edited post above... But... then that would mean that 900,000 of the customers either 1) never deposited any BTC or 2) were smart enough to get it all out before the final goxxing. I wasn't that smart, and I'd find it hard to believe that 90% of users who ever had a balance actually got it out. On the other hand, I wouldn't be surprised that Gox would claim any registered account as a customer, even if it never had any deposit/trade activity.
smooth
Legendary
Offline
Activity: 2968
Merit: 1198
March 10, 2014, 04:56:18 AM
> > It's possible that there were accounts without bitcoin balances.
> > Although, I still don't trust anything Gox says.
> Right. I just realized that. Reference my edited post above... But... then that would mean that 900,000 of the customers either 1) never deposited any BTC or 2) were smart enough to get it all out before the final goxxing. I wasn't that smart, and I'd find it hard to believe that 90% of users who ever had a balance actually got it out. On the other hand, I wouldn't be surprised that Gox would claim any registered account as a customer, even if it never had any deposit/trade activity.

I stopped using the site last year and withdrew essentially all of my btc when they stopped paying USD and had other issues. Was a huge red flag to me.
bananas
March 10, 2014, 04:56:33 AM
> > > Well, ain't this motherfuckin' special! I waited till the all clear prior to downloading the file and unzipping it. Now, I learn that that wasn't a good idea. What am I up against here, guys?
> > If you just unzipped it you should be fine. Just don't open the .exe or .pdf
> Too late! I opened the CV-Mark_Karpeles...... one. I guess that explains why the page deal for blank.

There is no problem if you opened with Acrobat Reader, only the full version of Acrobat may execute some kind of virus.
joesmoe2012
March 10, 2014, 04:57:14 AM
It can't represent all of their customers if there's only 80K or so accounts, that's way too few.
At one point they were handling thousands of verifications a day weren't they? Or was it all just one big lie...?
smooth
Legendary
Offline
Activity: 2968
Merit: 1198
March 10, 2014, 05:00:51 AM
> Now what? Besides any wallets that a person may have stored on their computer, of which is not the case with me, luckily, can the malware perform any other tasks like sniff for keystrokes, passwords, etc.

Bruno your tone is sometimes to read online but if you are serious, my answer would be to never trust that computer again until after wiping it, and be extremely cautious with any "data" files stored there.
joesmoe2012
March 10, 2014, 05:03:36 AM
> > Now what? Besides any wallets that a person may have stored on their computer, of which is not the case with me, luckily, can the malware perform any other tasks like sniff for keystrokes, passwords, etc.
> Bruno your tone is sometimes to read online but if you are serious, my answer would be to never trust that computer again until after wiping it, and be extremely cautious with any "data" files stored there.

Opening the zip in and of itself shouldn't be a problem.
smooth
Legendary
Offline
Activity: 2968
Merit: 1198
March 10, 2014, 05:04:39 AM
> Opening the zip in an of itself shouldn't be a problem.

Correct (assuming it has been verified to be a valid zip without some hidden executable component), but he said he also opened a PDF file. That's dangerous.
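Added example, not code from anyone in this thread: the check smooth alludes to, done on archive metadata only, so nothing is extracted or opened. It lists each entry and flags executables, double extensions (`report.txt.scr`), entry names that would escape the extraction directory, a set Unix executable bit, and document types that can carry active content. The suffix lists beyond `.exe` and `.pdf`, and the sample archive it builds, are assumptions constructed for the example.

```python
import io
import zipfile

# The thread only names .exe and .pdf; the rest of these lists is an assumption
# added for the example.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi",
                       ".js", ".vbs", ".ps1", ".lnk", ".jar"}
ACTIVE_DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docm", ".xls", ".xlsm", ".rtf"}


def audit_zip(data: bytes) -> dict:
    """Inspect archive metadata only (nothing is extracted) and return
    {entry_name: [reasons]} for entries that should not be opened."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            name = info.filename
            # Entry names come from whoever built the archive: refuse anything
            # that would land outside the extraction directory.
            if name.startswith("/") or ".." in name.split("/"):
                reasons.append("path escapes extraction directory")
            base = name.rsplit("/", 1)[-1].lower()
            suffixes = ["." + p for p in base.split(".")[1:]]
            if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
                reasons.append("executable")
                if len(suffixes) > 1:
                    reasons.append("double extension")
            elif suffixes and suffixes[-1] in ACTIVE_DOCUMENT_SUFFIXES:
                reasons.append("document that can carry active content")
            # Unix mode bits travel in the high 16 bits of external_attr.
            if (info.external_attr >> 16) & 0o111:
                reasons.append("unix executable bit set")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the leaked one) with a mix of entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dump/mtgox_balances.csv", "user_id,wallet_id,btc\n")
        zf.writestr("dump/bin/tool.exe", b"MZ")          # fake PE header
        zf.writestr("dump/cv.pdf", b"%PDF-1.4\n")        # fake PDF header
        zf.writestr("dump/readme.txt.scr", b"")          # double extension
        zf.writestr("../outside.txt", b"")               # traversal name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in audit_zip(build_sample_zip()).items():
        print(f"{entry}: {', '.join(why)}")
```

Run it on a real download with `audit_zip(open(path, "rb").read())`; an archive whose data files are all that you expected produces an empty dict, and anything else is a reason to leave the file unopened.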
joesmoe2012
March 10, 2014, 05:06:13 AM
> > Opening the zip in an of itself shouldn't be a problem.
> Correct (assuming it has been verified to be a valid zip without some hidden executable component), but he said he also opened a PDF file. That's dangerous.

Yes, have to be careful with PDFs. Though I don't think that the CV contained a virus.
usabitcoinbuyer
Newbie
Offline
Activity: 57
Merit: 0
March 10, 2014, 05:39:16 AM
Some more interesting info...

The btc_xfer_report shows withdrawals occurring well after the Feb 7 BTC withdrawal suspension. There are 1360 withdrawals dated Feb 10 or later, involving 315 wallet ids, totaling 15541 BTC.
Many of these are paired with deposits to other wallet ids, so this suggests that the xfers document internal non-blockchain transfers as well.
There is a screenshot.png in the bin folder which shows some withdrawals in an admin interface. For whatever reason, they are all associated with wallet id 023e30c1-9c0d-41be-a471-6ac6992f62f1. I wonder if there's something significant about that wallet vs. the others, or it was just a random example. In any case, if this was intended to show that there were "special" external withdrawals after the freeze, that wasn't the case. It looks like all of the withdrawals from this account went to wallet id a6acd802-bb4f-412b-be6d-b0bf3f2bb055.
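Added example, not code from anyone in this thread: the cross-checks usabitcoinbuyer describes in this post and in the earlier datamining post, run over a small constructed dataset. It counts accounts with a BTC balance, fiat-only accounts and negative balances; takes the set of wallet ids that appear in the transfer report but not in the balances file (the lower bound on users who withdrew everything); totals withdrawals dated on or after a cutoff; and pairs each withdrawal with a same-day, same-amount deposit to another wallet as a candidate internal transfer. The column names and every row are assumptions, since the thread does not describe the files' layout.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample data, NOT rows from the leaked files. Column names are assumed.
BALANCES_CSV = """user_id,wallet_id,btc,fiat
u1,w-aaaa,12.5,0
u2,w-bbbb,0,250.00
u3,w-cccc,-85.0,0
u4,w-dddd,3.0,100.00
u5,w-gggg,0,40.00
"""

XFER_CSV = """date,wallet_id,type,btc
2014-01-15,w-aaaa,deposit,12.5
2014-01-20,w-eeee,deposit,5.0
2014-02-01,w-eeee,withdraw,5.0
2014-02-05,w-cccc,withdraw,90.0
2014-02-11,w-aaaa,withdraw,2.0
2014-02-11,w-dddd,deposit,2.0
2014-02-12,w-dddd,withdraw,1.0
"""


def load_rows(csv_text):
    """Parse CSV text into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def balance_stats(balances):
    """Account counts by balance type plus the users with negative BTC."""
    btc = [r for r in balances if Decimal(r["btc"]) != 0]
    fiat_only = [r for r in balances
                 if Decimal(r["btc"]) == 0 and Decimal(r["fiat"]) > 0]
    negative = [r["user_id"] for r in balances if Decimal(r["btc"]) < 0]
    return {
        "btc_accounts": len(btc),
        "fiat_only": len(fiat_only),
        "negative_btc_users": negative,
        "unique_users": len({r["user_id"] for r in balances}),
    }


def wallets_missing_from_balances(balances, xfers):
    """Wallet ids with transfer activity but no balances row: each one is a
    user who (apparently) got everything out, so the size is a lower bound."""
    known = {r["wallet_id"] for r in balances}
    active = {r["wallet_id"] for r in xfers}
    return active - known


def post_freeze_withdrawals(xfers, cutoff_iso):
    """Withdrawals dated on or after the cutoff (ISO date string)."""
    cutoff = date.fromisoformat(cutoff_iso)
    rows = [r for r in xfers
            if r["type"] == "withdraw" and date.fromisoformat(r["date"]) >= cutoff]
    return {
        "count": len(rows),
        "wallets": {r["wallet_id"] for r in rows},
        "total_btc": sum((Decimal(r["btc"]) for r in rows), Decimal(0)),
    }


def internal_transfer_candidates(xfers):
    """Withdrawals that have a same-day, same-amount deposit to a different
    wallet: the pattern an off-blockchain internal transfer would leave."""
    deposits = defaultdict(list)
    for r in xfers:
        if r["type"] == "deposit":
            deposits[(r["date"], Decimal(r["btc"]))].append(r["wallet_id"])
    pairs = []
    for r in xfers:
        if r["type"] != "withdraw":
            continue
        amount = Decimal(r["btc"])
        for dst in deposits.get((r["date"], amount), []):
            if dst != r["wallet_id"]:
                pairs.append((r["wallet_id"], dst, amount))
    return pairs


if __name__ == "__main__":
    balances, xfers = load_rows(BALANCES_CSV), load_rows(XFER_CSV)
    print(balance_stats(balances))
    print("no balances row:", wallets_missing_from_balances(balances, xfers))
    print(post_freeze_withdrawals(xfers, "2014-02-10"))
    print(internal_transfer_candidates(xfers))
```

On the sample the lower bound comes out as one wallet (w-eeee deposited and withdrew the same 5 BTC and has no balances row), two withdrawals totalling 3 BTC fall after the cutoff, and one of them is matched by a same-day deposit of the same amount to another wallet.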
joesmoe2012
March 10, 2014, 05:41:29 AM
> Some more interesting info...
> The btc_xfer_report shows withdrawals occurring well after the Feb 7 BTC withdrawal suspension. There are 1360 withdrawals dated Feb 10 or later, involving 315 wallet ids, totaling 15541 BTC.
> Many of these are paired with deposits to other wallet ids, so this suggests that the xfers document internal non-blockchain transfers as well.
> There is a screenshot.png in the bin folder which shows some withdrawals in an admin interface. For whatever reason, they are all associated with wallet id 023e30c1-9c0d-41be-a471-6ac6992f62f1. I wonder if there's something significant about that wallet vs. the others, or it was just a random example. In any case, if this was intended to show that there were "special" external withdrawals after the freeze, that wasn't the case. It looks like all of the withdraws from this account went to wallet id a6acd802-bb4f-412b-be6d-b0bf3f2bb055.

A lot of the internal, off-blockchain transfers were likely people speculating on GoxBTC vs RealBTC, like what bitcoinbuilder had set up. I wonder how many GoxBTC ended up in bitcoinbuilder's account...
darkmule
Legendary
Offline
Activity: 1176
Merit: 1005
March 10, 2014, 06:06:54 AM
> yes, have to be careful with PDF's. Though I don't think that the CV contained a virus.

Most virus scanning software is simple pattern matching. It looks for the signature of known viral code. This isn't going to detect something like wallet stealing software that is custom made for one particular purpose, never released into the wild, and which is not technically a virus but a trojan. A virus gets your computer to replicate it to other media. This kind of thing doesn't. Even AV that uses some kind of heuristic method to detect the kind of code that might be viral, i.e. looking for specific kinds of suspicious behavior, is still probably not going to recognize something aimed at a specific application, like Bitcoin wallet software.