Bitcoinica lost 43,554 BTC from Linode compromise, suspicious TXIDs publicized

[zhoutong]

We didn't have the opportunity to scan our whole system for suspicious transactions that were not initiated from our customers because we had to shut down the system immediately after we've discovered the huge loss. We did get a rough estimate and we published a press release to warn our users about the deposit address replacement.

However, now we have concluded that we lost 43,554 BTC from this incident and we will reimburse our customers for the full amount. For transparency, we would like to disclose all the suspicious transaction ids in this incident:

{
        "account" : "",
        "address" : "1F3czt4VGUGdmrXW4qbh8hbQZ1hcHpwFGT",
        "category" : "send",
        "amount" : -1999.00000000,
        "fee" : -0.01750000,
        "confirmations" : 99,
        "txid" : "5a09f4ef0e91bc7bc044365cd27236fe4ac3c02088ac21ab51c93c8a11d33d4b",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1DMuVKe9PKpx3dbs2b2MnXuVmLfA4drHif",
        "category" : "send",
        "amount" : -20555.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "7b45c1742ca9f544cccd92d319ef8a5e19b7dcb8742990724c6a9c2f569ae732",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "13CmJpbAueuWiPKw3UYU4vXEcZ4WzP6nxt",
        "category" : "send",
        "amount" : -3000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1978kFf3WKYiZsy89WX6qJ8vxWAbRWFGLq",
        "category" : "send",
        "amount" : -0.01002773,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1JL7vc2Ecn8QeeBYdpAP22pVpaSP6Cni3J",
        "category" : "send",
        "amount" : -3000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "a57132e2cbc580ac262aa3f7bac1e441d6573f9633118bc48009618585a0967e",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "13CmJpbAueuWiPKw3UYU4vXEcZ4WzP6nxt",
        "category" : "send",
        "amount" : -3000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "15WoJ7L4AUfGHWdGj45NY9rFNiwU48woX2",
        "category" : "send",
        "amount" : -0.01002644,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68",
        "time" : 1330584607
    },
    {
        "account" : "",
        "address" : "1NRy8GbX56MymBhDYMyqsNKwW9VupqKVG7",
        "category" : "send",
        "amount" : -2000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "ff04763e3e8c93e43799dbbca833e183faad7e2611f20f136f47c2f1049481ae",
        "time" : 1330584607
    },
   {
        "account" : "",
        "address" : "1AaXeH5DuP6FpPxdCn9RGXKWhSG4r9Hq9q",
        "category" : "send",
        "amount" : -10000.00000000,
        "fee" : 0.00000000,
        "confirmations" : 99,
        "txid" : "0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0",
        "time" : 1330584607
    }

Again, we would like to reassure that trading will not be in any way affected and we are already in the process of contacting Linode regarding this incident. The Bitcoinica system has not been compromised and our reserves are more than sufficient for regular trading activities.

[theymos]

How can you reimburse that much? Have you really made that much profit?

[cypherdoc]

unbelievable.  and you're going to be able to reimburse all your customers?

[cypherdoc]

there goes Zhou's tuition.

[bbit]

my mouth dropped 

[tonto]

*whew* my coins are still safe on his server. 

[jimbobway]

 

[zhoutong]

How can you reimburse that much? Have you really made that much profit?

Yes, our historical profit is fairly sufficient to cover the loss from this incident, and we believe that it's the best interest for the community to keep running the business. We will take appropriate strategies and implement more security features to prevent this from happening ever again, even with the presence of dishonest partners or employees.

[cypherdoc]

http://status.linode.com/2012/03/manager-security-incident.html

Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

ok, 8 accts:  Zhou, Gavin, Slush.  who are the other 5?

[Clipse]

I cant help but know some Linode employee wont be at work tomorrow.

This all is way way way to convenient, seems like an inside job planned overtime with the knowledge of who runs worthwhile bitcoin services and on which VPS accounts.

This is alot of money, please for all of us make its your top priority to get compensation out of Linode otherwise any future losses less than this would be seen acceptable by these crappy hosting companies or other services.

[jimbobway]

ok, 8 accts:  Zhou, Gavin, Slush.  who are the other 5?

Seems likely an attacker would have or has had a linode account as well...

[Jointops420]

Bravo to you and slush. I am sure it will come back to you in trust but what a mongrel act that's been committed.

[mb300sd]

http://status.linode.com/2012/03/manager-security-incident.html

Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

ok, 8 accts:  Zhou, Gavin, Slush.  who are the other 5?

I would hope zhou dosen't keep 40k btc on one server  , I assume more than 1 was bitcoinica

[jimbobway]

zhoutong, thx for being part of the bitcoin community and being a class act.  I hope Linode provides you with all of the compensation.

[Rassah]

I just want to note that after MtGox got severely hacked, it became one of the most secure Bitcoin exchanges out there.

[stick_theman]

Thanks Bitcoinica for keeping cool and maintain your integrity.

But, wtf @ Linode?!!!  Where's that Vice President?!!!  We need him to get on the forum ASAP!!!!!!  This has to be an inside/co-ordinated job.  All these happened at the same time.

[The-Real-Link]

Wow that's one heck of an attack.  Terribly sorry to hear about the loss but hopefully you can recouperate in some way with the company or community.  

Is Linode like a version of Linux or server software, or just a hosting company such as 1&1, Dreamhost, GoDaddy etc.?  I suppose whether it is Windows, Linux, or Mac, if someone knows what they are doing it doesn't matter what software runs the wallet.  A user could get to the right files if they know.  

[cypherdoc]

Zhou, talk to Mark at mtgox.  i bet there's something he can do to intercept at least some of these coins as the thief tries to cash out on mtgox.

[cablepair]

You’re a class act for standing behind your business and accepting the burden of loss yourself.

Your losses can be decreased substantially if you wait to reimburse your clients until after the associated market drop that will follow this event.

+1

but I have to ask, is there something I am missing here, why was this wallet with over $200k worth of bitcoins not encrypted with a strong password?

[kiba]

Maybe you should consider reducing your hot wallet? A little inconvenience is a lot better than losing that much money.