[Emergency ANN] Bitcoinica site is taken offline for security investigation

[guruvan]

Wow. Just wow.

First they won't admit they're the general partners at bitcoinica 9phantomcircuit keeps saying it's too complicated, and that's why they wouldn't tell anyone) - then it comes out that they've completely lost all the data, as previously suspected.

Congratulations.

If you'd follow zhoutong's process, you'd have minimal fraud, and expedite the process. That'll probably save you several lawsuits.

People with BTC may or may not be out of luck with governments and courts (thought Blitz' comment that it's still "property" is quite valid) but the people who had fiat currencies are likely to start taking legal action. Some certainly already have.

[1714004338]

1714004338

[1714004338]

1714004338

[1714004338]

1714004338

[bulanula]

My point still stands : they can refund all the USD and not give one satoshi back and nobody can do a damn thing.

[SgtSpike]

My point still stands : they can refund all the USD and not give one satoshi back and nobody can do a damn thing.

Just because there is no legal precedent for Bitcoins doesn't mean that a legal precedent won't be set.

Also, what's your point?  Why does that matter?  If they give back everyone's BTC, then they give it back.  If they don't, then they don't.  How does that change anything in the discussion here?

[zhoutong]

Your email would be the evidence, but the 0 point is reserved for unknown account holders, like Blitz.
As long as we sent anything to your email, we know that you're a customer and other points criteria should apply.

Also Mt. Gox codes can prove your account ownership as well. We have all deposit records since February.

Makes sense. Has anyone using gmail found bitcoinica emails marked as spam?
Didn't notice I was "missing" emails before today. Still a little worried.

It shouldn't. We use a 3rd party emailing service to ensure deliverability and we have proper DKIM signatures and SPF records set up.

Mt. Gox deposit never sends emails. Only for Bitcoin and Wire deposits, all withdrawals and orders that you request for notification by default.

A fool's reliance on certification and a false belief in easy to get signatures. Means shit if your content looks like spam. Those signatures just prove the domain owner is sending the mail, *nothing* about its content -- and in light of recent hacks maybe not even that.

I know first hand that a mail server running dspam put all my bitcoinica mails into spam. Training was/is done with personal data and a few spamtrap adresses.

-coinft

I'm sure that the vast majority of the emails have been delivered successfully. Our email service provider (Postmark) has very strict rules about emails, and we are not even allowed to send newsletters through their platform. Bitcoinica's transactional emails all originate from trusted IPs.  

The content isn't like spam either. The HTML email template was professionally designed and the content is has a transactional nature (i.e. not sent in bulk).

I'm not sure about the support emails though.

[XVacant]

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)
- You can supply at least one transactional email you have received which perfectly matches our outgoing transactional email records. (30 Points)
- You can provide passport scans and you have provided to Bitcoinica (even if it's pending verification). (40 Points)
- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)
- You can recall the balances exactly or very precisely. (20 Points)
- You have reported a losing position, with precise details. (20 Points)
- You have contacted Bitcoinica Support at least once since September 2011. (10 Points)
- Your email can be searched online and matches your identity. (10 Points)
- You can provide proof of Bitcoin address ownership (signature), Mt. Gox code you have used/obtained or accurate details of large transaction records (>2500 BTC) that match our hedging activity. (10 Points each kind of evidence)
- Another reputable member supports your claim. (10 Points)
- You have used wire transfer, BitInstant or AurumXchange to deposit/withdraw funds and they can verify the records. (10 Points)
- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

If there are no transactional emails or support emails ever sent to the claimed address, 0 Points for now.

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

I have been a Bitcoinica customer for the last several months.

I made a number of deposits to Bitcoinica from Mt.Gox, using Mt.Gox codes.
I executed dozens of trades, won some, lost some, made no withdrawals.
I never had any issues with the service so I made no complaints and sent no emails to support.

I don't seem to have received  _any_ emails from *@bitcoinica.com prior to the claims form.
I had a smooth, clean, entirely trouble free relationship with bitcoinica to the day of the last hack.

From reading zhoutongs inane unofficial suggestion I get a sinking feeling in my stomach.

Was transactional emails turned off by default? (I don't like frequent, automated emails cluttering my inbox.)
Am I looking at the wrong email address? Or am I missing something?

*slams head into keyboard*

you got an email when you deposited money (any currency).
i am in a similar situation: i just deleted them immediatly.

but at least i did had a verified account and made a wire transfer (dont know if i am respected member...).

Strange. I got emails when I withdrawal, but no email when I deposit.

[ninjarobot]

Sorry for duplicate posting (I posted this in the newbie forum initially) but I really wanted to share my concerns about the claims process as proposed by Zhou here.

By now it is clear that bitcoinica had their entire db and all records (apart from PII/AML and some outdated records) wiped. This is a worst case scenario. What a royal mess and one that baffles the mind considering they were dealing with a lot of customers money on a daily basis. Having a single point of failure on a virtual server hosted by a 3rd party? Wow. just wow. If I had known I'd never have put as much money into this operation as I did. However that is all in the past so let's move forward.

Zhou suggested the following approach to dealing with claims:

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)
- You can supply at least one transactional email you have received which perfectly matches our outgoing transactional email records. (30 Points)
- You can provide passport scans and you have provided to Bitcoinica (even if it's pending verification). (40 Points)
- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)
- You can recall the balances exactly or very precisely. (20 Points)
- You have reported a losing position, with precise details. (20 Points)
- You have contacted Bitcoinica Support at least once since September 2011. (10 Points)
- Your email can be searched online and matches your identity. (10 Points)
- You can provide proof of Bitcoin address ownership (signature), Mt. Gox code you have used/obtained or accurate details of large transaction records (>2500 BTC) that match our hedging activity. (10 Points each kind of evidence)
- Another reputable member supports your claim. (10 Points)
- You have used wire transfer, BitInstant or AurumXchange to deposit/withdraw funds and they can verify the records. (10 Points)
- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

Couple of points below:

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)

Wow. 50 points if you have a reputable bitcointalk.org account. Ranked higher then any verifiable things like transaction IDs, passport data, etc. I'm sorry I didn't know when I signed up with bitcoinica that it's compulsory to go to some unrelated forum and post here daily. Some people have no interest in this and have busy non-BTC related dayjobs (me). To me this is wholly unrelated. Like Bank of America returning money to customers who were good boy scouts or something? Oh you weren't in the boy scouts? tough luck. Putting this item on the top of the list introduces a kind of bias that I wholly disagree with.

I also don't see how the reputation system is workable. For example I am using another username here then on bitcoinica (and this is on purpose). I also chose to hide my email. How can Bitcoinica match Bitoinica users to Bitcointalk.org users? And even if they can how would they establish 'reputation'? (Read all posts by members? I think not). And giving points based on friends supporting your claim... what is this even supposed to mean? Any prudent investor/speculator will keep their deposits and positions private. I don't see how getting supports from friends promotes the claims process in any way apart from allowing you-help-me-i-help-you schemes between people making claims look more legit.

- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)

The reason this won't work is because your records are outdated. In my case I sent a significant USD wire transfer to Bitcoinica that cleared only days before the hack. Yeah that is money in the bank for Bitcoinica but no 30 points for me. No sir.

- You have reported a losing position, with precise details. (20 Points)

Ah so customers that came in at the time when Bitcoinica started paying interest on deposits and used Bitcoinica as a USD+BTC savings account that had no interest in speculation (like me) will lose out here. Sounds like a great idea.

- You can recall the balances exactly or very precisely. (20 Points)

And you are going to verify this *how* exactly? Basically what you are saying is that if the user picked the 'Exact' option from the dropdown they get a free 20 points instantly. I would argue that because of daily interest on deposits combined with 5 decimals of precision, almost no account holder will know their *exact* balance.

- Your email can be searched online and matches your identity. (10 Points)

Right, because we all know that putting your email address online so they can be harvested by spammers and impersonators is best practice. +10 points.

- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

Yeah sure. Because all 5500 bitcoinica customers have nothing better to do then read 70+ post threads on bitcointalk.org all day. People have families, jobs, vactations, etc. Bitcoinica has not notified any customers by email of the claims process and the main website has been spotty at best (non www. domain did not work. Certificates were invalid suggesting the claims process could be bogus, etc.)

if your user ID is less than 4500, I'll definitely make sure you get your money back

Let's check my user id... hmm 47**. Well I guess I might as well wave bye bye to my money. Again I started using bitcoinica for the interest on deposits back in February. I put a large chunk of my savings here (yeah, shame on me). Please tell me why I am an inferior bitcoinica customer again?

Don't get me wrong - I think Zhou did a lot of good stuff with Bitcoinica and really appreciate the information he shared during this incident given the total lack of info from Bitcoin Consultancy, but he clearly dropped the ball when it came to security and I don't think he is the right person to handle the claims process since he seems to have a personal incentive to protect his reputation that might adversely influence the process.

The claims process should be based on facts. Meaning MTGOX codes, Wire Transfer Codes, Blockchain transfers, AML/PII docs and the like. It is a big Jigsaw but the only way. Bitcoinica should start working with MtGox, BitInstant, ArumXchange and other transfer services pronto. All money (be it BTC or USD) that came into Bitcoinica should be verifiable though other institutions.

And if it sounds like I'm angry - It is because I am.

[coinft]

My point still stands : they can refund all the USD and not give one satoshi back and nobody can do a damn thing.

Just because there is no legal precedent for Bitcoins doesn't mean that a legal precedent won't be set.

Also, what's your point?  Why does that matter?  If they give back everyone's BTC, then they give it back.  If they don't, then they don't.  How does that change anything in the discussion here?

He's campaigning for unpunishable BTC fraud, for selfish reasons.

[bulanula]

My point still stands : they can refund all the USD and not give one satoshi back and nobody can do a damn thing.

Just because there is no legal precedent for Bitcoins doesn't mean that a legal precedent won't be set.

Also, what's your point?  Why does that matter?  If they give back everyone's BTC, then they give it back.  If they don't, then they don't.  How does that change anything in the discussion here?

He's campaigning for unpunishable BTC fraud, for selfish reasons.

I am telling Intersango and Bitcoinica to take the BTC and run !

Only give back the USD and everybody is happy.

Why should they buy up another 18K and raise the price

[tvbcof]

I personally learned from ribuck to do just that too and advise all others to consider as a standard practice to never sign any NDA's ever personally.

yeah, that was a mistake on my part.

An NDA is amongst a class of thing which are worth having on one's side if one has a reasonable expectation of being able to utilize the services of a justice system.  That is to say, I'm open to the suggestion that they are useless in Bitcoin-land (and like Bitcoin that much more for it.)

I personally would not request an NDA for an interview unless I felt I needed one (which is plausible if I had a promising candidate who I wanted to try to interest...in something besides the easy-to-clean tile in the bathroom...)  But it's probably normally company policy.  One way or another, if an interview candidate was giving me grief at that phase of things, I don't even have to summarize how the rest of the interview would go:

  "Thanks for stopping by.  Have an Odwalla for the road."

[disclaimer201]

My point still stands : they can refund all the USD and not give one satoshi back and nobody can do a damn thing.

Just because there is no legal precedent for Bitcoins doesn't mean that a legal precedent won't be set.

Also, what's your point?  Why does that matter?  If they give back everyone's BTC, then they give it back.  If they don't, then they don't.  How does that change anything in the discussion here?

He's campaigning for unpunishable BTC fraud, for selfish reasons.

I am telling Intersango and Bitcoinica to take the BTC and run !

Only give back the USD and everybody is happy.

Why should they buy up another 18K and raise the price

Because for one thing, they can forget their careers and close their shops if they do. In other words:

We don't know what you want. But if you are looking for ransom we can tell you we don't have any Bitcoins anymore.
But what we DO have are a very particularly set of skills, skills we have acquired over a very long career in the Bitcoin forum
Skills that make us a nightmare for people like you. If you let our BtC go now we will not look for you, we will not pursue you.
But if you don't - we will look for you, we will find you, and we will kill your reputation in and outside of the Bitcoin world.

[bulanula]

My point still stands : they can refund all the USD and not give one satoshi back and nobody can do a damn thing.

Just because there is no legal precedent for Bitcoins doesn't mean that a legal precedent won't be set.

Also, what's your point?  Why does that matter?  If they give back everyone's BTC, then they give it back.  If they don't, then they don't.  How does that change anything in the discussion here?

He's campaigning for unpunishable BTC fraud, for selfish reasons.

I am telling Intersango and Bitcoinica to take the BTC and run !

Only give back the USD and everybody is happy.

Why should they buy up another 18K and raise the price

Because for one thing, they can forget their careers and close their shops if they do. In other words:

We don't know what you want. But if you are looking for ransom we can tell you we don't have any Bitcoins anymore.
But what we DO have are a very particularly set of skills, skills we have acquired over a very long career in the Bitcoin forum
Skills that make us a nightmare for people like you. If you let our BtC go now we will not look for you, we will not pursue you.
But if you don't - we will look for you, we will find you, and we will kill your reputation in and outside of the Bitcoin world.

Funny thing is that now stealing BTC is legal but harassment like what you described above isn't.

Anyway, let's not get sidetracked here. I want my $1 bonus back ! 

[Maged]

In any case you shouldn't trust a database that may have been tampered with.

The suggestions about bounties for the database from the hacker are pointless; there is no way to verify its integrity now. In order to proceed forward, they will simply have to assume on good faith that the hacker is not submitting duplicate claims to poison the process.

They shouldn't absolutely trust the database, sure. But, if it matches their records, it would give them the most precise information. Also, it would give Bitcoinica all of the email addresses for their customers, which is something they could really use right now since they still haven't sent out the legally required notification that they were compromised.

[Otoh]

@Zhou Tong

zhoutong
VIP
Hero Member
*****
Posts: 808

Can you tell me when you changed your forum description here to the above please, I thought that until very recently it still said something like:

zhoutong
VIP
Hero Member
******
Founder & CEO
of Bitcoinica

This is what we continued to take you for until you recent announcement that you had secretly sold the business months ago & that it had been subsequently handed on to Bitcoin Consultancy =~ Bitcoinica Consultancy =~ Intersango

Anyone else remember when this info was changed, thanks

[tvbcof]

Because for one thing, they can forget their careers and close their shops if they do. In other words:

We don't know what you want. But if you are looking for ransom we can tell you we don't have any Bitcoins anymore.
But what we DO have are a very particularly set of skills, skills we have acquired over a very long career in the Bitcoin forum
Skills that make us a nightmare for people like you. If you let our BtC go now we will not look for you, we will not pursue you.
But if you don't - we will look for you, we will find you, and we will kill your reputation in and outside of the Bitcoin world.

Funny thing is that now stealing BTC is legal but harassment like what you described above isn't.

Hacking into computers to steal BTC is theft and is criminal.  The trouble is how society values the loss.  A lot of participants in the Bitcoin economy, myself included, think of Bitcoin as a way to undermine (or at least protect oneself against) the certain corrupt aspects of our current societal structures.  But most justice systems don't share the view that the fiat monetary system as corrupt and shaky, and thus don't place that much value in Bitcoin.  Probably never heard of it in fact.  And they really do have legitimate work to prioritize.  Upshot:  Theft of Bitcoin is simply not as serious a crime in practice as it is in theory, and 'in practice' is where the rubber meets the road for a lot of us.

Now, harassement is a crime and extortion is a more serious one and physical violence more serious yet.  One can throw the other details (like "but Your Honor, he stole my BTC") out the window.  The criminal justice system will and should take an active interest in such things.  I only hope that this situation remains valid for as long as possible.

[Coinoisseur]

Stealing monopoly money is still stealing. But just as you realistically won't get police and prosecutors to bust their butts to convict a monopoly money thief, you will have to sue using civil means to recoup losses. It seems Bitcoinica was mixing currency and BTC along with granting interest, so aggrieved parties could probably attract the interest of the financial regulators of the country they were registered in (NZ?).

My point still stands : they can refund all the USD and not give one satoshi back and nobody can do a damn thing.

Just because there is no legal precedent for Bitcoins doesn't mean that a legal precedent won't be set.

Also, what's your point?  Why does that matter?  If they give back everyone's BTC, then they give it back.  If they don't, then they don't.  How does that change anything in the discussion here?

He's campaigning for unpunishable BTC fraud, for selfish reasons.

I am telling Intersango and Bitcoinica to take the BTC and run !

Only give back the USD and everybody is happy.

Why should they buy up another 18K and raise the price

Because for one thing, they can forget their careers and close their shops if they do. In other words:

We don't know what you want. But if you are looking for ransom we can tell you we don't have any Bitcoins anymore.
But what we DO have are a very particularly set of skills, skills we have acquired over a very long career in the Bitcoin forum
Skills that make us a nightmare for people like you. If you let our BtC go now we will not look for you, we will not pursue you.
But if you don't - we will look for you, we will find you, and we will kill your reputation in and outside of the Bitcoin world.

Funny thing is that now stealing BTC is legal but harassment like what you described above isn't.

Anyway, let's not get sidetracked here. I want my $1 bonus back ! 

[Raoul Duke]

@Zhou Tong

zhoutong
VIP
Hero Member
*****
Posts: 808

Can you tell me when you changed your forum description here to the above please, I thought that until very recently it still said something like:

zhoutong
VIP
Hero Member
******
Founder & CEO
of Bitcoinica

This is what we continued to take you for until you recent announcement that you had secretly sold the business months ago & that it had been subsequently handed on to Bitcoin Consultancy =~ Bitcoinica Consultancy =~ Intersango

Anyone else remember when this info was changed, thanks

It was changed after this thread started. I even remember seeing it on his "I'll leave Bitcoin" thread.

[zhoutong]

Sorry for duplicate posting (I posted this in the newbie forum initially) but I really wanted to share my concerns about the claims process as proposed by Zhou here.

By now it is clear that bitcoinica had their entire db and all records (apart from PII/AML and some outdated records) wiped. This is a worst case scenario. What a royal mess and one that baffles the mind considering they were dealing with a lot of customers money on a daily basis. Having a single point of failure on a virtual server hosted by a 3rd party? Wow. just wow. If I had known I'd never have put as much money into this operation as I did. However that is all in the past so let's move forward.

Zhou suggested the following approach to dealing with claims:

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)
- You can supply at least one transactional email you have received which perfectly matches our outgoing transactional email records. (30 Points)
- You can provide passport scans and you have provided to Bitcoinica (even if it's pending verification). (40 Points)
- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)
- You can recall the balances exactly or very precisely. (20 Points)
- You have reported a losing position, with precise details. (20 Points)
- You have contacted Bitcoinica Support at least once since September 2011. (10 Points)
- Your email can be searched online and matches your identity. (10 Points)
- You can provide proof of Bitcoin address ownership (signature), Mt. Gox code you have used/obtained or accurate details of large transaction records (>2500 BTC) that match our hedging activity. (10 Points each kind of evidence)
- Another reputable member supports your claim. (10 Points)
- You have used wire transfer, BitInstant or AurumXchange to deposit/withdraw funds and they can verify the records. (10 Points)
- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

Couple of points below:

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)

Wow. 50 points if you have a reputable bitcointalk.org account. Ranked higher then any verifiable things like transaction IDs, passport data, etc. I'm sorry I didn't know when I signed up with bitcoinica that it's compulsory to go to some unrelated forum and post here daily. Some people have no interest in this and have busy non-BTC related dayjobs (me). To me this is wholly unrelated. Like Bank of America returning money to customers who were good boy scouts or something? Oh you weren't in the boy scouts? tough luck. Putting this item on the top of the list introduces a kind of bias that I wholly disagree with.

I also don't see how the reputation system is workable. For example I am using another username here then on bitcoinica (and this is on purpose). I also chose to hide my email. How can Bitcoinica match Bitoinica users to Bitcointalk.org users? And even if they can how would they establish 'reputation'? (Read all posts by members? I think not). And giving points based on friends supporting your claim... what is this even supposed to mean? Any prudent investor/speculator will keep their deposits and positions private. I don't see how getting supports from friends promotes the claims process in any way apart from allowing you-help-me-i-help-you schemes between people making claims look more legit.

- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)

The reason this won't work is because your records are outdated. In my case I sent a significant USD wire transfer to Bitcoinica that cleared only days before the hack. Yeah that is money in the bank for Bitcoinica but no 30 points for me. No sir.

- You have reported a losing position, with precise details. (20 Points)

Ah so customers that came in at the time when Bitcoinica started paying interest on deposits and used Bitcoinica as a USD+BTC savings account that had no interest in speculation (like me) will lose out here. Sounds like a great idea.

- You can recall the balances exactly or very precisely. (20 Points)

And you are going to verify this *how* exactly? Basically what you are saying is that if the user picked the 'Exact' option from the dropdown they get a free 20 points instantly. I would argue that because of daily interest on deposits combined with 5 decimals of precision, almost no account holder will know their *exact* balance.

- Your email can be searched online and matches your identity. (10 Points)

Right, because we all know that putting your email address online so they can be harvested by spammers and impersonators is best practice. +10 points.

- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

Yeah sure. Because all 5500 bitcoinica customers have nothing better to do then read 70+ post threads on bitcointalk.org all day. People have families, jobs, vactations, etc. Bitcoinica has not notified any customers by email of the claims process and the main website has been spotty at best (non www. domain did not work. Certificates were invalid suggesting the claims process could be bogus, etc.)

if your user ID is less than 4500, I'll definitely make sure you get your money back

Let's check my user id... hmm 47**. Well I guess I might as well wave bye bye to my money. Again I started using bitcoinica for the interest on deposits back in February. I put a large chunk of my savings here (yeah, shame on me). Please tell me why I am an inferior bitcoinica customer again?

Don't get me wrong - I think Zhou did a lot of good stuff with Bitcoinica and really appreciate the information he shared during this incident given the total lack of info from Bitcoin Consultancy, but he clearly dropped the ball when it came to security and I don't think he is the right person to handle the claims process since he seems to have a personal incentive to protect his reputation that might adversely influence the process.

The claims process should be based on facts. Meaning MTGOX codes, Wire Transfer Codes, Blockchain transfers, AML/PII docs and the like. It is a big Jigsaw but the only way. Bitcoinica should start working with MtGox, BitInstant, ArumXchange and other transfer services pronto. All money (be it BTC or USD) that came into Bitcoinica should be verifiable though other institutions.

And if it sounds like I'm angry - It is because I am.

--- Disclaimer: Assume that the suggestion is used without modification. ---

Well, none of these measures work individually, for sure. That's why we need 100 Points for full refunds.

If you are reputable on this forum, submitted passport scan and at least one other proof, you can get 100 points.
If you're not active on forums or OTC and never verified. Never mind. If you honestly reported a losing position (and we have pretty current position reports), sent an email to us ever, gave accurate balances up to two decimal points (20+30 points) and used Mt. Gox and Bitcoin to deposit. Full refund!

Even if you can't give us exact details, we can offer a partial payment for you and the remainder will come later. We are not eating your money.

--- Disclaimer: Assume that the suggestion is used without modification. ---

EDIT:

I'd like to add one criterion for the suggested plan: Reported very close balances and positions (less than 0.5% upwards or 1% downwards) compared to our non-current records. (50 Points, but disqualify the orders of magnitude criterion)

We're not telling you the date of our record, so if there're no balance changes after that date, we'll give the most recognition. This applies to interest-earning accounts with not many activities.

The fact is, we have all kinds of records, so it's very hard to submit false claims without contradictions. I have spent about 100 hours in total monitoring orders execution, user balances change, deposits, withdrawals, support requests and position liquidations since the launch of Bitcoinica. The memory itself can prove something. And I have a previous project selling virtual goods and facing a lot of credit card fraud - I have trained myself identifying fraud.

[naima53]

I found a lot of evidence on the email .. . numbers transaction, the date, time .. It sounds promising .. In order to prove ownership of email - I can sign the message key. similarly to wallet

[disclaimer201]

Because for one thing, they can forget their careers and close their shops if they do. In other words:

We don't know what you want. But if you are looking for ransom we can tell you we don't have any Bitcoins anymore.
But what we DO have are a very particularly set of skills, skills we have acquired over a very long career in the Bitcoin forum
Skills that make us a nightmare for people like you. If you let our BtC go now we will not look for you, we will not pursue you.
But if you don't - we will look for you, we will find you, and we will kill your reputation in and outside of the Bitcoin world.

Funny thing is that now stealing BTC is legal but harassment like what you described above isn't.

Hacking into computers to steal BTC is theft and is criminal.  The trouble is how society values the loss.  A lot of participants in the Bitcoin economy, myself included, think of Bitcoin as a way to undermine (or at least protect oneself against) the certain corrupt aspects of our current societal structures.  But most justice systems don't share the view that the fiat monetary system as corrupt and shaky, and thus don't place that much value in Bitcoin.  Probably never heard of it in fact.  And they really do have legitimate work to prioritize.  Upshot:  Theft of Bitcoin is simply not as serious a crime in practice as it is in theory, and 'in practice' is where the rubber meets the road for a lot of us.

Now, harassement is a crime and extortion is a more serious one and physical violence more serious yet.  One can throw the other details (like "but Your Honor, he stole my BTC") out the window.  The criminal justice system will and should take an active interest in such things.  I only hope that this situation remains valid for as long as possible.

You noticed the famous Liam Neeson quote from the movie Taken, I hope? While I fully agree that actual harrassment is unacceptable you need to see that people will do what is legally possible for them to make sure someone who they entrusted with value, be it BTC or USD, does not deny their accountability, or starts fingerpointing to others and blaming them. This entire crisis resolution has been a farce all along. Calling someones' reputation into question is all that customers have to defend themselves from such losses and gross incompetence in the future.

[S3052]

Sorry for duplicate posting (I posted this in the newbie forum initially) but I really wanted to share my concerns about the claims process as proposed by Zhou here.

By now it is clear that bitcoinica had their entire db and all records (apart from PII/AML and some outdated records) wiped. This is a worst case scenario. What a royal mess and one that baffles the mind considering they were dealing with a lot of customers money on a daily basis. Having a single point of failure on a virtual server hosted by a 3rd party? Wow. just wow. If I had known I'd never have put as much money into this operation as I did. However that is all in the past so let's move forward.

Zhou suggested the following approach to dealing with claims:

--- Disclaimer: Pure suggestion. NOT OFFICIAL ---

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)
- You can supply at least one transactional email you have received which perfectly matches our outgoing transactional email records. (30 Points)
- You can provide passport scans and you have provided to Bitcoinica (even if it's pending verification). (40 Points)
- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)
- You can recall the balances exactly or very precisely. (20 Points)
- You have reported a losing position, with precise details. (20 Points)
- You have contacted Bitcoinica Support at least once since September 2011. (10 Points)
- Your email can be searched online and matches your identity. (10 Points)
- You can provide proof of Bitcoin address ownership (signature), Mt. Gox code you have used/obtained or accurate details of large transaction records (>2500 BTC) that match our hedging activity. (10 Points each kind of evidence)
- Another reputable member supports your claim. (10 Points)
- You have used wire transfer, BitInstant or AurumXchange to deposit/withdraw funds and they can verify the records. (10 Points)
- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

Couple of points below:

- Your bitcointalk.org profile or Bitcoin-OTC rating shows you as reputable and trustworthy. (50 Points)

Wow. 50 points if you have a reputable bitcointalk.org account. Ranked higher then any verifiable things like transaction IDs, passport data, etc. I'm sorry I didn't know when I signed up with bitcoinica that it's compulsory to go to some unrelated forum and post here daily. Some people have no interest in this and have busy non-BTC related dayjobs (me). To me this is wholly unrelated. Like Bank of America returning money to customers who were good boy scouts or something? Oh you weren't in the boy scouts? tough luck. Putting this item on the top of the list introduces a kind of bias that I wholly disagree with.

I also don't see how the reputation system is workable. For example I am using another username here then on bitcoinica (and this is on purpose). I also chose to hide my email. How can Bitcoinica match Bitoinica users to Bitcointalk.org users? And even if they can how would they establish 'reputation'? (Read all posts by members? I think not). And giving points based on friends supporting your claim... what is this even supposed to mean? Any prudent investor/speculator will keep their deposits and positions private. I don't see how getting supports from friends promotes the claims process in any way apart from allowing you-help-me-i-help-you schemes between people making claims look more legit.

- The order of magnitude of your reported balance is consistent with our outdated accounting records. (30 Points)

The reason this won't work is because your records are outdated. In my case I sent a significant USD wire transfer to Bitcoinica that cleared only days before the hack. Yeah that is money in the bank for Bitcoinica but no 30 points for me. No sir.

- You have reported a losing position, with precise details. (20 Points)

Ah so customers that came in at the time when Bitcoinica started paying interest on deposits and used Bitcoinica as a USD+BTC savings account that had no interest in speculation (like me) will lose out here. Sounds like a great idea.

- You can recall the balances exactly or very precisely. (20 Points)

And you are going to verify this *how* exactly? Basically what you are saying is that if the user picked the 'Exact' option from the dropdown they get a free 20 points instantly. I would argue that because of daily interest on deposits combined with 5 decimals of precision, almost no account holder will know their *exact* balance.

- Your email can be searched online and matches your identity. (10 Points)

Right, because we all know that putting your email address online so they can be harvested by spammers and impersonators is best practice. +10 points.

- You have submitted the claim within the first 24 hours since the announcement. (10 Points)

Yeah sure. Because all 5500 bitcoinica customers have nothing better to do then read 70+ post threads on bitcointalk.org all day. People have families, jobs, vactations, etc. Bitcoinica has not notified any customers by email of the claims process and the main website has been spotty at best (non www. domain did not work. Certificates were invalid suggesting the claims process could be bogus, etc.)

if your user ID is less than 4500, I'll definitely make sure you get your money back

Let's check my user id... hmm 47**. Well I guess I might as well wave bye bye to my money. Again I started using bitcoinica for the interest on deposits back in February. I put a large chunk of my savings here (yeah, shame on me). Please tell me why I am an inferior bitcoinica customer again?

Don't get me wrong - I think Zhou did a lot of good stuff with Bitcoinica and really appreciate the information he shared during this incident given the total lack of info from Bitcoin Consultancy, but he clearly dropped the ball when it came to security and I don't think he is the right person to handle the claims process since he seems to have a personal incentive to protect his reputation that might adversely influence the process.

The claims process should be based on facts. Meaning MTGOX codes, Wire Transfer Codes, Blockchain transfers, AML/PII docs and the like. It is a big Jigsaw but the only way. Bitcoinica should start working with MtGox, BitInstant, ArumXchange and other transfer services pronto. All money (be it BTC or USD) that came into Bitcoinica should be verifiable though other institutions.

And if it sounds like I'm angry - It is because I am.

--- Disclaimer: Assume that the suggestion is used without modification. ---

Well, none of these measures work individually, for sure. That's why we need 100 Points for full refunds.

If you are reputable on this forum, submitted passport scan and at least one other proof, you can get 100 points.
If you're not active on forums or OTC and never verified. Never mind. If you honestly reported a losing position (and we have pretty current position reports), sent an email to us ever, gave accurate balances up to two decimal points (20+30 points) and used Mt. Gox and Bitcoin to deposit. Full refund!

Even if you can't give us exact details, we can offer a partial payment for you and the remainder will come later. We are not eating your money.

--- Disclaimer: Assume that the suggestion is used without modification. ---

EDIT:

I'd like to add one criterion for the suggested plan: Reported very close balances and positions (less than 0.5% upwards or 1% downwards) compared to our non-current records. (50 Points, but disqualify the orders of magnitude criterion)

We're not telling you the date of our record, so if there're no balance changes after that date, we'll give the most recognition. This applies to interest-earning accounts with not many activities.

The fact is, we have all kinds of records, so it's very hard to submit false claims without contradictions. I have spent about 100 hours in total monitoring orders execution, user balances change, deposits, withdrawals, support requests and position liquidations since the launch of Bitcoinica. The memory itself can prove something. And I have a previous project selling virtual goods and facing a lot of credit card fraud - I have trained myself identifying fraud.

Is this now the official procedure? If yes, please make it official properly. If not, sort it out and make the criteria official in the next 24 hours. Lock it , decide it, move on and dont continue with this hell of a confusion. BASTA