Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 155938 times)
kokjo
Legendary
Activity: 1050
Merit: 1000

You are WRONG!
July 13, 2012, 05:58:15 PM
 #241


As far as Mt.Gox is concerned and as Genjix explained, we did not suffer any breach or any hack, all other accounts are safe and the thief only targeted Bitcoinica's account. Mark (MagicalTux) has been in contact with many Bitcoin players since this announcement and offered any help we can give, but unfortunately all funds (USD & BTC) are no longer within our reach.

Once again, someone with a US IP succeeded in getting Bitcoinica's account credentials, which did not trigger any alarms since they were fully identified. Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the possibility to the thief to move Bitcoinica's assets to another external account (external to MtGox).

Despite our effort on securing Mt.Gox and protecting everyone's assets, I would like to remind everyone that it is also your responsibility to secure your account with a very strong password and use either a Yubikey or Google Auth (you can even use both at the same time).

Mt.Gox

-- EDIT --

We would like to stress that Mt.Gox verified Bitcoinica as a Company and NOT as an Individual.


Good one!

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
aq
Full Member
Activity: 238
Merit: 100
July 13, 2012, 06:01:06 PM
 #242

I read the entire TOS, I felt protected.

The level of personal security of each account was an order of magnitude higher than my bank's, I had a 24 character password that was essentially a hash key, as well as a google authenticator with my smart phone, best part?
I was using bitcoinica as an exchange, I just deposited my money in my account and was planning on turning into btc that same day for an investment with starfish BCB, then the hack happened.

I did my due diligence on the company, and the risk of the company becoming insolvent was low at that time, please don't get angry at me for believing personal security measures were enough.
So it was no issue for you that they had been hacked a few times before?
Slowly I am starting to understand why they still believe that they can continue running Bitcoinica in the future. In a year from now, everyone will say "yes, they got hacked some 20 times, but I feel that it won't happen again".

After the initial hack, I was extremely put off by bitcoinica and completely avoided them, however upon returning to their site I could see that they began (at least facetiously) taking security very seriously, and I decided that they had a reputation to match mtgox (another hacked website, however is still widely traded on). I decided to use them for a wire transfer because they had an easier bank name to input at the bank vs. mtgox's Japanese bank, please stop harassing people that lost their shirt in a "semi reputable" business, I don't just throw my money around willy nilly, and your assumption that I do is insulting.
Sorry, did not want to insult anyone. Was just trying to understand how the site got that much trust, after being hacked and once it was public knowledge that it was run by a minor.
kokjo
Legendary
Activity: 1050
Merit: 1000

You are WRONG!
July 13, 2012, 06:02:48 PM
 #243


As far as Mt.Gox is concerned and as Genjix explained, we did not suffer any breach or any hack, all other accounts are safe and the thief only targeted Bitcoinica's account. Mark (MagicalTux) has been in contact with many Bitcoin players since this announcement and offered any help we can give, but unfortunately all funds (USD & BTC) are no longer within our reach.

Once again, someone with a US IP succeeded in getting Bitcoinica's account credentials, which did not trigger any alarms since they were fully identified. Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the possibility to the thief to move Bitcoinica's assets to another external account (external to MtGox).

Despite our effort on securing Mt.Gox and protecting everyone's assets, I would like to remind everyone that it is also your responsibility to secure your account with a very strong password and use either a Yubikey or Google Auth (you can even use both at the same time).

Mt.Gox

-- EDIT --

We would like to stress that Mt.Gox verified Bitcoinica as a Company and NOT as an Individual.
to what (bank-)account was the usd sent to? ie. where can we find the guy, and beat him?
BadBitcoin (James Sutton)
Donator
Sr. Member
Activity: 452
Merit: 252
July 13, 2012, 06:06:43 PM
 #244

I read the entire TOS, I felt protected.

The level of personal security of each account was an order of magnitude higher than my bank's, I had a 24 character password that was essentially a hash key, as well as a google authenticator with my smart phone, best part?
I was using bitcoinica as an exchange, I just deposited my money in my account and was planning on turning into btc that same day for an investment with starfish BCB, then the hack happened.

I did my due diligence on the company, and the risk of the company becoming insolvent was low at that time, please don't get angry at me for believing personal security measures were enough.
So it was no issue for you that they had been hacked a few times before?
Slowly I am starting to understand why they still believe that they can continue running Bitcoinica in the future. In a year from now, everyone will say "yes, they got hacked some 20 times, but I feel that it won't happen again".

After the initial hack, I was extremely put off by bitcoinica and completely avoided them, however upon returning to their site I could see that they began (at least facetiously) taking security very seriously, and I decided that they had a reputation to match mtgox (another hacked website, however is still widely traded on). I decided to use them for a wire transfer because they had an easier bank name to input at the bank vs. mtgox's Japanese bank, please stop harassing people that lost their shirt in a "semi reputable" business, I don't just throw my money around willy nilly, and your assumption that I do is insulting.
Sorry, did not want to insult anyone. Was just trying to understand how the site got that much trust, after being hacked and once it was public knowledge that it was run by a minor.


I put zhou in utmost regard, he may have been negligent in a hack, but he certainly would have paid us what is ours within the first WEEK of the hack, not sit around on his hands for 3 MONTHS like the intersango/consultancy guys had done, if I knew there was a change of hands of ownership, I wouldn't have used bitcoinica.

I never trusted intersango with my money, I trusted zhou.
btcprophet
Newbie
Activity: 27
Merit: 0
July 13, 2012, 06:09:34 PM
 #245

I never trusted intersango with my money, I trusted zhou.

And Zhou sold that trust to the highest bidder. At least his mortgage is paid off!
markm
Legendary
Activity: 2940
Merit: 1090
July 13, 2012, 06:15:20 PM
 #246

I never trusted intersango with my money, I trusted zhou.

And Zhou sold that trust to the highest bidder. At least his mortgage is paid off!

Yeah that is wrong right there. He should have included the full amount of customer money in the sale price, paid the customers all their money and let them decide whether to put any of it back in given that the site had changed ownership.

I said that wrong, but basic idea is, other people's money is theirs to sell or not sell to new owners at their own discretion.

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
iCEBREAKER
Legendary
Activity: 2156
Merit: 1072

Crypto is the separation of Power and State.
July 13, 2012, 06:16:45 PM
 #247

if I knew there was a change of hands of ownership, I wouldn't have used bitcoinica.

I never trusted intersango with my money, I trusted zhou.

Trust?  Feh.

Proof > Trust

Remember that?  It's the conceptual breakthrough that enables Bitcoin to solve the long-standing crypto currency conundrum.


fatigue
Full Member
Activity: 196
Merit: 100

Bitcoin is a food group.
July 13, 2012, 06:18:52 PM
 #248

if I knew there was a change of hands of ownership, I wouldn't have used bitcoinica.

I never trusted intersango with my money, I trusted zhou.

Trust?  Feh.

Proof > Trust

Remember that?  It's the conceptual breakthrough that enables Bitcoin to solve the long-standing crypto currency conundrum.

No, no I just solved 37 blocks guys. Trust me on this one.
Bro
Full Member
Activity: 218
Merit: 100
July 13, 2012, 06:22:57 PM
 #249

I LOL'ed when I saw this thread. Like last time and the time before that.
jgarzik
Legendary
Activity: 1596
Merit: 1091
July 13, 2012, 06:25:45 PM
 #250


Some of the reasons why I avoided bitcoinica with a ten foot pole, which were obvious right from the start:

  • The big one -- Zero hard evidence they actually had all the funds claimed, or could produce funds if outsized events (big selloff, big withdrawal, etc.) occur
  • Opaque ownership structure
  • Zero independent source code auditing or visibility
  • Zero proof of any experience at securing wealth from virtual and physical threats
  • Zero appearance of adhering to any regulatory structure

Therefore I was not surprised when bucket shops were mentioned.


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
BadBitcoin (James Sutton)
Donator
Sr. Member
Activity: 452
Merit: 252
July 13, 2012, 06:27:11 PM
 #251


Some of the reasons why I avoided bitcoinica with a ten foot pole, which were obvious right from the start:

  • The big one -- Zero hard evidence they actually had all the funds claimed, or could produce funds if outsized events (big selloff, big withdrawal, etc.) occur
  • Opaque ownership structure
  • Zero independent source code auditing or visibility
  • Zero proof of any experience at securing wealth from virtual and physical threats
  • Zero appearance of adhering to any regulatory structure

Therefore I was not surprised when bucket shops were mentioned.



what is the difference between mtgox and bitcoinica, from your point of view?
caveden
Legendary
Activity: 1106
Merit: 1004
July 13, 2012, 06:28:32 PM
 #252


Some of the reasons why I avoided bitcoinica with a ten foot pole, which were obvious right from the start:

  • The big one -- Zero hard evidence they actually had all the funds claimed, or could produce funds if outsized events (big selloff, big withdrawal, etc.) occur
  • Opaque ownership structure
  • Zero independent source code auditing or visibility
  • Zero proof of any experience at securing wealth from virtual and physical threats
  • Zero appearance of adhering to any regulatory structure

Can't you apply most or all of these items to pretty much every bitcoin business available?
AFAIK, none of the exchanges had their source code audited, for ex.
jgarzik
Legendary
Activity: 1596
Merit: 1091
July 13, 2012, 06:29:13 PM
 #253


Some of the reasons why I avoided bitcoinica with a ten foot pole, which were obvious right from the start:

  • The big one -- Zero hard evidence they actually had all the funds claimed, or could produce funds if outsized events (big selloff, big withdrawal, etc.) occur
  • Opaque ownership structure
  • Zero independent source code auditing or visibility
  • Zero proof of any experience at securing wealth from virtual and physical threats
  • Zero appearance of adhering to any regulatory structure

Therefore I was not surprised when bucket shops were mentioned.



what is the difference between mtgox and bitcoinica, from your point of view?

Everything except source code visibility is different.


markm
Legendary
Activity: 2940
Merit: 1090
July 13, 2012, 06:29:48 PM
 #254

Difference Gox<->Bitcoinica?

MTBH.

(Mean Time Between Hacks)

-MarkM- (Not to mention minor details such as yubikeys etc etc etc, which might contribute to MTBH.)


BadBitcoin (James Sutton)
Donator
Sr. Member
Activity: 452
Merit: 252
July 13, 2012, 06:31:02 PM
 #255

Difference Gox<->Bitcoinica?

MTBH.

(Mean Time Between Hacks)

-MarkM- (Not to mention minor details such as yubikeys etc etc etc, which might contribute to MTBH.)



gox had yubi keys, bitcoinica had google auth keys, from a layman's point of view both seem identical (I assumed their use functioned in the same way from a security point of view, looks like I was wrong)
kiba
Legendary
Activity: 980
Merit: 1014
July 13, 2012, 06:32:06 PM
 #256

Does anybody know if MtGox employs pentesters?

Vladimir
Hero Member
Activity: 812
Merit: 1001

-
July 13, 2012, 06:34:34 PM
 #257


Some of the reasons why I avoided bitcoinica with a ten foot pole, which were obvious right from the start:

  • The big one -- Zero hard evidence they actually had all the funds claimed, or could produce funds if outsized events (big selloff, big withdrawal, etc.) occur
  • Opaque ownership structure
  • Zero independent source code auditing or visibility
  • Zero proof of any experience at securing wealth from virtual and physical threats
  • Zero appearance of adhering to any regulatory structure

Therefore I was not surprised when bucket shops were mentioned.

Yep, Jeff, you can say it again. Though, while it was just Zhou it was kind of ok (easier to secure with everything concentrated in one place and having only one principal). As soon as BC bunch got in, it quickly turned into horrendous clusterfuck.

I must admit that, my "resignation" from honorary post of Bitcoinica's "Information Security Advisor" way back in Sep 2011, was probably the smartest move of my "Bitcoin career", in hindsight.

Anyway, I am off to enforcing 2 factor auth for Bitcoin Magazine and others, for everything I can enforce it on (naturally it is on for anything that touches money already).

I hope nobody is going to challenge me now when I repeat again:
Quote
1 BTC worth 100$US on entertainment value alone.

-
jgarzik
Legendary
Activity: 1596
Merit: 1091
July 13, 2012, 06:34:57 PM
 #258


Some of the reasons why I avoided bitcoinica with a ten foot pole, which were obvious right from the start:

  • The big one -- Zero hard evidence they actually had all the funds claimed, or could produce funds if outsized events (big selloff, big withdrawal, etc.) occur
  • Opaque ownership structure
  • Zero independent source code auditing or visibility
  • Zero proof of any experience at securing wealth from virtual and physical threats
  • Zero appearance of adhering to any regulatory structure

Can't you apply most or all of these items to pretty much every bitcoin business available?
AFAIK, none of the exchanges had their source code audited, for ex.

The difference is in degrees.  Each is not a binary choice.  MtGox, for example, has been forced by circumstance (trial by fire?) to develop good legal and technical defenses.

Even so, I never trusted any exchange and unknown website -- MtGox included -- to store any significant wealth for any period of time.

That's what paper wallets and bank safety deposit boxes are for.


aq
Full Member
Activity: 238
Merit: 100
July 13, 2012, 06:38:17 PM
 #259

what is the difference between mtgox and bitcoinica, from your point of view?

MtGox has a 1:1 relation of input and output. A coin or USD can only come out of MtGox after it did come in.

Bitcoinica had leverage. So you could "earn" more coins/USD depending on the MtGox rate than there actually were in Bitcoinica. So Bitcoinica had to "play" against you by selling and buying coins on MtGox.
aq
Full Member
Activity: 238
Merit: 100
July 13, 2012, 06:39:52 PM
 #260

That's what paper wallets and bank safety deposit boxes are for.
Paper wallets and bank safety deposit boxes? We store everything at pirate these days :P