[Payout Updates] Bitcoinica site is taken offline for security investigation

[chsados]

30 May 23:30: We're going to proceed with payouts of the few people we have verified hopefully tomorrow for 80% of their claims (the remaining 20% will be refunded later). A more lengthy process will be applied to everyone else.

Have these "few people" gotten paid yet?

Genjix - I had a measly $11 in bitcoinica all transfered via mtgoxUSD code.  It should be very easy to confirm this shouldn't it?  Has MtGox been willing to cooperate?   I'm starting to get annoyed in the lack of updates/ no response from verify@bitcoinica.com, and the fact that we got to come to a forum to get any type of news.  I understand I am not a user with thousands of dollars tied up and they may take precedence.   But this is just starting to get redonkulous.  

[bitlane]

Just take this into consideration....then compare it to what the story changes to by the time this gets taken care of.

Remember, only 20% of total BTC was stolen as noted below...NO OTHER CURRENCY AT RISK, so there shouldn't be any reason for everything NOT to get paid back 100%.

Out of that remaining 80%, I would hope there are enough profits to cover the stolen 20%.....or so one would think.

We have over 80% of our Bitcoins in offline wallets at the moment before the attack. We had to keep a large balance because the withdrawals are huge!

https://bitcointalk.org/index.php?topic=81045.msg894305#msg894305

If zhoutong was being completely upfront (perhaps why he was shunned by the 'powers that be') then the Bitcoinica Consultancy shouldn't be out of pocket any more than say, 10% total at worst ?

[ssaCEO]

Just take this into consideration....then compare it to what the story changes to by the time this gets taken care of.

Remember, only 20% of total BTC was stolen as noted below...NO OTHER CURRENCY AT RISK, so there shouldn't be any reason for everything NOT to get paid back 100%.

Out of that remaining 80%, I would hope there are enough profits to cover the stolen 20%.....or so one would think.

We have over 80% of our Bitcoins in offline wallets at the moment before the attack. We had to keep a large balance because the withdrawals are huge!

https://bitcointalk.org/index.php?topic=81045.msg894305#msg894305

If zhoutong was being completely upfront (perhaps why he was shunned by the 'powers that be') then the Bitcoinica Consultancy shouldn't be out of pocket any more than say, 10% total at worst ?

I do, A. And moreover, what was in USD should never have been online at all.
The more likely explanation was that they had a major position in the market when they were hacked, and were leveraging all their customer funds. Or that the hack was an inside job and the plan was to use a mere $90k theft to cover $1M+ in vanished money.
The difference here is that the money that vanished was not all in Bitcoin, so the story doesn't hold up.

[Raoul Duke]

Just going to leave this here, where it will get more eyes watching it

Well bitlane, I like you so I'll leave you some leads for you to follow...

You can see in this IRC log that BitcoinicaHacker used the usernames B1tcoinz and ageis on IRC http://ibot.rikers.org/20120521.html.gz

Looking for ageis on IRC logs I found some on #postfix IRC channel, which isn't much surprising, given that the dude used an exploited mailserver to pawn Bitcoinica and he's asking questions about, get ready, SASL and authentication stuff.
http://echelog.com/logs/browse/postfix/1321657200
http://echelog.com/logs/browse/postfix/1321743600

Also found an ageis on the IRC Bitcoin dev channel:
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/09/1
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/14/1
And the following that I found on #bitcoin-dev tells me that he's the same ageis on the #postfix

03:08    ageis kevin@ageispolis.net

Keep digging...
Every human makes mistakes and this dude is nothing else but human.

Now, if this helps to catch the guy, I want 10k BTC of reward lol

[bitlane]

The difference here is that the money that vanished was not all in Bitcoin, so the story doesn't hold up.

My point exactly. THEY FUCKED UP....and this 'theft' is nothing more than an 'opportunity'......

Atleast they still 'have' ~75,000 BTC in offline storage, as was stated by ZT....with the theft being the 20% amount of total that is.

[coinjedi]

Just going to leave this here, where it will get more eyes watching it

Well bitlane, I like you so I'll leave you some leads for you to follow...

You can see in this IRC log that BitcoinicaHacker used the usernames B1tcoinz and ageis on IRC http://ibot.rikers.org/20120521.html.gz

Looking for ageis on IRC logs I found some on #postfix IRC channel, which isn't much surprising, given that the dude used an exploited mailserver to pawn Bitcoinica and he's asking questions about, get ready, SASL and authentication stuff.
http://echelog.com/logs/browse/postfix/1321657200
http://echelog.com/logs/browse/postfix/1321743600

Also found an ageis on the IRC Bitcoin dev channel:
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/09/1
http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/04/14/1
And the following that I found on #bitcoin-dev tells me that he's the same ageis on the #postfix

03:08    ageis kevin@ageispolis.net

Keep digging...
Every human makes mistakes and this dude is nothing else but human.

Now, if this helps to catch the guy, I want 10k BTC of reward lol

I think we should be extremely careful not to turn this into an baseless witch hunt.  But in case somebody wants to contact I think this seems to be the person you are trying to reach:
https://plus.google.com/116237107120834353559/posts

[bitlane]

Sub 

Naughty...

Are you an Intersango sock puppet ?

Hello all,
I'll be incorporating here in the UK and setting up bank accounts in England to accept sterling and Ireland to accept Euros. There doesn't seem to be any easy way accept US dollars without substantial wire fees.

...sorry. Had to ask.

[rjk]

psy, I don't think ageis is the guy you are looking for. Just sayin'.

[Raoul Duke]

psy, I don't think ageis is the guy you are looking for. Just sayin'.

Then I guess he will have no problem explaining to us what does this mean

Code:

08:09.44	*** ageis materializes into BitcoinicaHacker
08:09.46	*** BitcoinicaHacker materializes into ageis
08:15.44	*** ageis materializes into B1tcoinz
08:15.51	*** B1tcoinz materializes into ageis

http://ibot.rikers.org/20120521.html.gz

Also:

Last post from him here in the forum: on: April 18, 2012, 12:06:25 AM
https://bitcointalk.org/index.php?topic=76239.msg855980#msg855980

Now for the final touch: https://bitcointalk.org/index.php?action=profile;u=44466
Name:    ageisp0lis
Posts:    11
Position:    Jr. Member
Date Registered:    October 22, 2011, 02:03:34 AM
Last Active:    May 21, 2012, 08:47:58 AM

The same day of that IRC log, 30min after the username mess he made on IRC. How convenient lol

[fivebells]

Anyone heard from Patrick Strateman since this happened?  Anyone know him personally?  It would be interesting to hear his take on how it went down.

[genjix]

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

[zhoutong]

For these reasons, I personally will never use Rackspace Cloud again unless they address all of these issues. AWS is way more secure than them.

But that's still no excuse for not having offline backups. If you weren't online to notice the unauthorized rackspace session, the Rackspace admin "delete servers" bug (unable to disable) would still be an unknown bug/feature.

As for AWS, remember last year when bitomat.pl lost 17k BTC (iirc) in the blink of an eye when their AWS VPS was rebooted? MtGox bought them out and gauranteed depositor funds.

Don't trust a "cloud". (this is opposed to: first I trusted Linode, then I trusted Rackspace, and after getting burnt by Rackspace I finally decided to trust Amazon Web Services). Live and learn.

We have off-site backups in a different DC. It's managed by Rackspace.

If the server crashed, we have no problems of recovering. There are a lot of backups of all our main servers. It's just that these backups were deleted by the hacker.

[dancingnancy]

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

[zhoutong]

For these reasons, I personally will never use Rackspace Cloud again unless they address all of these issues. AWS is way more secure than them.

Some guys have the fate of repeating the same mistakes over and over and over again.

As I said, I won't engage in Bitcoin-related projects in the foreseeable future, you shouldn't assume that I'm going to operate a hot wallet in AWS.

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup. All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.

[repentance]

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

[bitcoinBull]

We have off-site backups in a different DC. It's managed by Rackspace.

If the server crashed, we have no problems of recovering. There are a lot of backups of all our main servers. It's just that these backups were deleted by the hacker.

I meant data center of a different company (a different admin panel with a different password, and an append-only configuration). That's what provides a level of actual redudancy. Using a cloud service from one company protects you if a truck crashes into one of their data centers, but offers zero protection if someone gets your admin password!

I can't afford a scalable solution that gives me the same reliability for a bootstrapped startup.

Not anymore you can't!

You can make backups for cheap (backups aren't accessed, so they don't scale with the rest of the site).

All financial transactions will be handled by payment gateways who will be responsible for their own security. Apart from that, no money is involved so I just want to consider scalability, performance, availability and cost. For me, I think AWS's EC2 instance with Load Balancer handling SSL termination (can't be DDOS'd) + RDS with snapshots and binary logs recoverable to 5 minutes ago are more than enough for me.

Most people choose to outsource security, it's just that in Bitcoin world everything is DIY.

I'm not going to use your domain service or any other zhoutong "cloud" service because its clear that you don't have plan B (contingencies). What happens when someone deletes your AWS instances and its snapshots and logs? Has the thought even crossed your mind to try and see if its possible on the AWS admin panel?

Its a truism that at the basic level, security can't be outsourced. You have to trust someone eventually (unfortunately for us, you happened to trust bitcoin consultancy), but catastrophes can only be averted by good planning.

[genjix]

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

We don't hold the funds.

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

Finalising the current one for internal (staff) usage. We need to track the payments we make more accurately for book keeping.

[BadBitcoin (James Sutton)]

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

That's a bit confusing.  If all that was lost was 20% of Bitcoins on hand it should have been possible to pay everyone out 80% (the initial round of payouts) without receiving funds from Tihan - additional capital should only have been required to replace the lost Bitcoins.  You should have still been in possession of 100% of USD and 100% of Mt Gox deposits.  Or were you still waiting on capital to enable you to replace Bitcoins which were lost in the Linode intrusion as well as additional funds to cover the most recent loss?

We don't hold the funds.

03 June 2012 23:20: We're adding extra fields to the claims database (should be finished soon), we have received the funds from Tihan to make the initial payouts. Then once that's done, the first round of payments can be finished.

Do you mean there will be another claim form to fill out, or are you just speaking about finalizing the current one?

Finalising the current one for internal (staff) usage. We need to track the payments we make more accurately for book keeping.

sounds good genjix, let us know if theres anything else we need to fill out, I have some stuff I want to buy D:

[ssaCEO]

We don't hold the funds.

Then WHO HAS ALL THE USD?

And when will you respond to emails? I want to know if my account is among the claims being processed. It's not like I say to my customers "oh sorry, can't give you your money back, Bitcoinica stole it". No. I have to pay it out of my own pocket. But I can tell them, "Bitcoinica stole your money. I was dumb enough to leave your USD with them. That would be Patrick, Zhou, Tihan, and everyone else related to that project. They say they got robbed for 18K BTC, and then all their USD magically disappeared at the same time. If you ever see anything else they do, make sure to avoid it like the plague. Now I'm paying this money personally back to you on their behalf. Hopefully they'll reimburse me, but I doubt it since they haven't responded to a single one of my emails."

[bulanula]

We don't hold the funds.

Then WHO HAS ALL THE USD?

And when will you respond to emails? I want to know if my account is among the claims being processed. It's not like I say to my customers "oh sorry, can't give you your money back, Bitcoinica stole it". No. I have to pay it out of my own pocket. But I can tell them, "Bitcoinica stole your money. I was dumb enough to leave your USD with them. That would be Patrick, Zhou, Tihan, and everyone else related to that project. They say they got robbed for 18K BTC, and then all their USD magically disappeared at the same time. If you ever see anything else they do, make sure to avoid it like the plague. Now I'm paying this money personally back to you on their behalf. Hopefully they'll reimburse me, but I doubt it since they haven't responded to a single one of my emails."

No need to get angry mate. It doesn't reflect well on your business if you don't keep it civil.

I am sure they will pay it back ... at some point.

Anyone up for 4-6 weeks of waiting time

The strangest issue is : why were the USD not paid back immediately ?

I understand the BTC issue is more delicate with an erased balance but the USD should be easy to source as none were stolen !?