Bitcoin Forum
December 10, 2016, 06:43:45 PM *
Author Topic: Bitcoinica MtGox account compromised  (Read 145948 times)
koin
Legendary
July 13, 2012, 09:01:44 PM
 #301

Once again, someone with a US IP succeeded in getting Bitcoinica's account credentials, which did not trigger any alarms since they were fully identified. Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the thief the possibility to move Bitcoinica's assets to another external account (external to MtGox).

-- EDIT --

We would like to stress that Mt.Gox verified Bitcoinica as a Company and NOT as an Individual.


it would not be plausible for mt. gox to not know about the change in ownership in april.

did mt. gox really allow this new company to use an account at mt. gox that did not belong to them (i.e., use an account that was verified under a different name)?

after the change in ownership, there should have been a new account created (and verified) by the new owner.  because the old company didn't have any other source of income, deposits to the old company's account should have dropped towards zero.  

the kyc of aml/kyc is to know the source of the funds the customer is depositing.  mt. gox wouldn't know the source of funds if the verified owner of the account sold the business and has no other business.  these further deposits to "the bitcoinica account" should not have been made available for transfer or withdrawal until the source of the funds could be verified as truly belonging to the previously verified owner of the account.

it looks like there were multiple changes in ownership.  first was xwaylab (delaware), then [opaque change well known] then the bitcoinica lp of new zealand.

bitcoinica lp should not have been allowed to deposit to and withdraw funds from an account where the verified owner is anything other than bitcoinica lp.

here is some history:

  • On 2012/01/30 Bitcoin Consultancy became Bitcoinica Consultancy Ltd. (*1)
  • On 2012/03/22 Bitcoinica Consultancy Ltd became the General Partner of the newly formed Bitcoinica Limited Partnership (*2)
  • On 2012/03/27 Bitcoin Consultancy was retained to perform a comprehensive security audit. (*3)
  • On 2012/04/24 Bitcoin Consultancy took over ownership and daily operations of Bitcoinica from Zhou (*4)
  • On 2012/05/11 Bitcoinica was hacked due to a root password reset via a compromised email server (belonging to a member of Bitcoin Consultancy). (*5)

References:
1) http://www.business.govt.nz/companies/app/ui/pages/companies/3715077
2) http://www.business.govt.nz/fsp/app/ui/fsp/version/searchSummaryCompanyFSP/FSP207625/4.do?noReturn=true
3) https://bitcointalk.org/index.php?topic=81045.msg919130#msg919130 (Tihan's post)
4) http://bitcoinmedia.com/first-licensed-advanced-trading-platform-for-bitcoin/ (written by Donald, CEO of Bitcoin Consultancy)
5) http://bitcoinica.com (post-mortem)

Your analysis is not only wrong but straight up defamation.

Bitcoin Consultancy LTD is a UK Limited company which is neither owned nor owns any other company.
Intersango LTD is a UK Limited company which is neither owned nor owns any other company.
Bitcoinica LP is a New Zealand Limited Partnership.
Core Credit LTD is a New Zealand Limited Company and the General Partner of Bitcoinica LP.
Core Credit LTD was renamed to Bitcoinica Consultancy LTD significantly after the events occurred.

disclaimer: i am not a lawyer
davout
Legendary
July 13, 2012, 09:10:43 PM
 #302

disclaimer: i am not a lawyer
but your point sounds about right

caveden
Legendary
July 13, 2012, 09:15:57 PM
 #303

Blame the victim is never a good argument.

That's what this whole thread is about, blaming the victim. Assuming OP is true, then Bitcoinica is the victim of a theft. Everybody here is blaming Bitcoinica, not the thief.

If this is really a theft, and the thief wired money to accounts of his own, I really hope all this AML crap is for once put to good use and this asshole is caught, and forced to return everything he's stolen.
If it's not a theft*, then MtGox at least would know. I hope in this case they break the silence, otherwise they would be accomplices.

*EDIT: If it's not a theft done by a third party. Either way the customers' money was stolen.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
dancingnancy
Sr. Member
July 13, 2012, 09:19:56 PM
 #304

Blame the victim is never a good argument.


If this is really a theft, and the thief wired money to accounts of his own, I really hope all this AML crap is for once put to good use


I was thinking the same thing.  If the hacker gets away with wiring money to wherever he wants and gets away with it this AML shit is truly ridiculous.
bitcoinBull
Legendary
July 13, 2012, 09:20:07 PM
 #305

On ycombinator zhoutong claims he didn't set the LastPass password:

http://news.ycombinator.com/item?id=4240408
Quote
Well I do agree with you that Bitcoinica was not 100% secure. This hack really has nothing to do with the app or its infrastructure.
- I didn't set the password. - I didn't have the power to change the password. - I shouldn't have access to the account.
The root cause is LastPass account being stolen.

Then who chose to set the LastPass password as the mtgox api key? Tihan?

College of Bucking Bulls Knowledge
sadpandatech
Hero Member
July 13, 2012, 09:25:23 PM
 #306

On ycombinator zhoutong claims he didn't set the LastPass password:

http://news.ycombinator.com/item?id=4240408
Quote
Well I do agree with you that Bitcoinica was not 100% secure. This hack really has nothing to do with the app or its infrastructure.
- I didn't set the password. - I didn't have the power to change the password. - I shouldn't have access to the account.
The root cause is LastPass account being stolen.

Then who chose to set the LastPass password as the mtgox api key? Tihan?
I'm wondering the same. And very much wondering why bother changing all the other passwords except the one that protects all the other fucking passwords?? :/

BUT, the other thing I am wondering is, how can they know the current Gox user/pass was found out from LastPass? I guess to them it would seem obvious if the gox acct was a new pass that only the current controller of the gox acct had. But, these are still questions that all need to have answers to them in order to make better determinations.

the whole thing is sad. Seems Bitcoinica was in safer hands with Zhou Tong.....


@Genjix - Stressing about it is not gonna help you, your company or anyone else, m8. Hindsight is 20/20, should have changed LastPass too and not put source code on a public github repo (assuming it or the bitcoinica one were public). But, add those to the list of 'yea we should have known better' and move on. Button up what you need to, get with Gox about where the USD went, since it will be easier to track and then walk away for a few days. Come back and friggin disperse what the company still holds and then move on from there.


If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
Phinnaeus Gage
Legendary
July 13, 2012, 09:27:19 PM
 #307

Once again, someone with a US IP succeeded in getting Bitcoinica's account credentials, which did not trigger any alarms since they were fully identified. Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the thief the possibility to move Bitcoinica's assets to another external account (external to MtGox).

-- EDIT --

We would like to stress that Mt.Gox verified Bitcoinica as a Company and NOT as an Individual.


it would not be plausible for mt. gox to not know about the change in ownership in april.

did mt. gox really allow this new company to use an account at mt. gox that did not belong to them (i.e., use an account that was verified under a different name)?

after the change in ownership, there should have been a new account created (and verified).  because the old company didn't have any other source of income, deposits to the old company's accounts should have dropped towards zero.  

the kyc of aml/kyc is to know the source of the funds the customer is depositing.  mt. gox wouldn't know the source of funds if the verified owner of the account sold the business and has no other business.  these further deposits to "the bitcoinica account" should not have been made available for transfer or withdrawal until the source of the funds could be verified as truly belonging to the previously verified owner of the account.

it looks like there were multiple changes in ownership.  first was xwaylab (delaware), then [opaque change well known] then the bitcoinica lp of new zealand.

bitcoinica lp should not have been allowed to deposit and withdraw funds in an account where the verified owner is anything other than bitcoinica lp.

here is some history:

  • On 2012/01/30 Bitcoin Consultancy became Bitcoinica Consultancy Ltd. (*1)
  • On 2012/03/22 Bitcoinica Consultancy Ltd became the General Partner of the newly formed Bitcoinica Limited Partnership (*2)
  • On 2012/03/27 Bitcoin Consultancy was retained to perform a comprehensive security audit. (*3)
  • On 2012/04/24 Bitcoin Consultancy took over ownership and daily operations of Bitcoinica from Zhou (*4)
  • On 2012/05/11 Bitcoinica was hacked due to a root password reset via a compromised email server (belonging to a member of Bitcoin Consultancy). (*5)

References:
1) http://www.business.govt.nz/companies/app/ui/pages/companies/3715077
2) http://www.business.govt.nz/fsp/app/ui/fsp/version/searchSummaryCompanyFSP/FSP207625/4.do?noReturn=true
3) https://bitcointalk.org/index.php?topic=81045.msg919130#msg919130 (Tihan's post)
4) http://bitcoinmedia.com/first-licensed-advanced-trading-platform-for-bitcoin/ (written by Donald, CEO of Bitcoin Consultancy)
5) http://bitcoinica.com (post-mortem)

Your analysis is not only wrong but straight up defamation.

Bitcoin Consultancy LTD is a UK Limited company which is neither owned nor owns any other company.
Intersango LTD is a UK Limited company which is neither owned nor owns any other company.
Bitcoinica LP is a New Zealand Limited Partnership.
Core Credit LTD is a New Zealand Limited Company and the General Partner of Bitcoinica LP.
Core Credit LTD was renamed to Bitcoinica Consultancy LTD significantly after the events occurred.

disclaimer: i am not a lawyer

You, my friend, don't have the slightest idea what you're talking about. If I wanted to hand over my account to Al the Alpaca, Mt Gox wouldn't have a single problem with it because...(give me a sec!) And if Al were sold to somebody else and changed his name, still no problem, because...(give me another sec!). And if Al, now Alice, the Alpaca were to go solo--no owner--still no problem because Alice is...(I think I got it!) an icon--a trusted icon.

But if my cousin were to put 100 BTC into Mt Gox and then tried to withdraw at a later date, he's fucked.

Mt Gox, I now feel the poster above has a point and, in the voice of some iconic Cugan, some splainin is warranted.

~Bruno~
beckspace
Sr. Member
July 13, 2012, 09:28:58 PM
 #308




You guys have really come up with somethin'
wareen
Millionaire
Hero Member
July 13, 2012, 09:38:56 PM
 #309

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, but...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure I am not the first one that tells you this, right?
Blame the victim is never a good argument.
Will you say the same to those who will experience a loss once pirateat40 runs?
In general, yes.
BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.

I can remember you not being that sympathetic towards the victims of the MyBitcoin incident (you basically called them insane). What made you change your mind?
Vladimir
Hero Member
July 13, 2012, 09:39:59 PM
 #310

Blame the victim is never a good argument.

That's what this whole thread is about, blaming the victim. Assuming OP is true, then Bitcoinica is the victim of a theft. Everybody here is blaming Bitcoinica, not the thief.

If this is really a theft, and the thief wired money to accounts of his own, I really hope all this AML crap is for once put to good use and this asshole is caught, and forced to return everything he's stolen.
If it's not a theft*, then MtGox at least would know. I hope in this case they break the silence, otherwise they would be accomplices.

*EDIT: If it's not a theft done by a third party. Either way the customers' money was stolen.

I disagree. The victims here are the people, Bitcoinica's depositors, who have their money "evaporated". Bitcoinica, it appears, is at least complicit due to gross negligence, if not worse, as some allege.



-
Littleshop
Legendary
July 13, 2012, 09:41:23 PM
 #311

  • On 2012/01/30 Bitcoin Consultancy became Bitcoinica Consultancy Ltd. (*1)
  • On 2012/03/22 Bitcoinica Consultancy Ltd became the General Partner of the newly formed Bitcoinica Limited Partnership (*2)
  • On 2012/03/27 Bitcoin Consultancy was retained to perform a comprehensive security audit. (*3)
  • On 2012/04/24 Bitcoin Consultancy took over ownership and daily operations of Bitcoinica from Zhou (*4)
  • On 2012/05/11 Bitcoinica was hacked due to a root password reset via a compromised email server (belonging to a member of Bitcoin Consultancy). (*5)

References:
1) http://www.business.govt.nz/companies/app/ui/pages/companies/3715077
2) http://www.business.govt.nz/fsp/app/ui/fsp/version/searchSummaryCompanyFSP/FSP207625/4.do?noReturn=true
3) https://bitcointalk.org/index.php?topic=81045.msg919130#msg919130 (Tihan's post)
4) http://bitcoinmedia.com/first-licensed-advanced-trading-platform-for-bitcoin/ (written by Donald, CEO of Bitcoin Consultancy)
5) http://bitcoinica.com (post-mortem)

Your analysis is not only wrong but straight up defamation.

Bitcoin Consultancy LTD is a UK Limited company which is neither owned nor owns any other company.
Intersango LTD is a UK Limited company which is neither owned nor owns any other company.
Bitcoinica LP is a New Zealand Limited Partnership.
Core Credit LTD is a New Zealand Limited Company and the General Partner of Bitcoinica LP.
Core Credit LTD was renamed to Bitcoinica Consultancy LTD significantly after the events occurred.

If someone actually does file a lawsuit(s) they are simply going to sue all of the above and the individuals involved that live in each of the jurisdictions that they sue in.   They will have to file lawsuits in the UK and New Zealand for maximum effectiveness.  

The way it works in the real world, name everyone and see what sticks.  

What makes this very different than the other hacks is that what was stolen was USD.

Vladimir
Hero Member
July 13, 2012, 09:42:18 PM
 #312

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, but...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure I am not the first one that tells you this, right?
Blame the victim is never a good argument.
Will you say the same to those who will experience a loss once pirateat40 runs?
In general, yes.
BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.

I can remember you not being that sympathetic towards the victims of the MyBitcoin incident (you basically called them insane). What made you change your mind?

I still think anyone who gives lots of money to some anonymous stranger on the internet for safekeeping is insane. I do not blame them for the theft however. These are different things. And.. well... insane in Bitcoin (and on this forum) is like a vast majority of population anyway, so this might be even a compliment.


-
sadpandatech
Hero Member
July 13, 2012, 09:42:30 PM
 #313

What makes this very different than the other hacks is that what was stolen was USD.


aye, the fiat stolen changes things a lot...


I still think anyone who gives lots of money to some anonymous stranger on the internet for safekeeping is insane. I do not blame them for the theft however. These are different things.


me too..  Oh, btw, keep an eye out for my new venture.  :P

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
Phinnaeus Gage
Legendary
July 13, 2012, 09:45:32 PM
 #314

Blame the victim is never a good argument.

That's what this whole thread is about, blaming the victim. Assuming OP is true, then Bitcoinica is the victim of a theft. Everybody here is blaming Bitcoinica, not the thief.

If this is really a theft, and the thief wired money to accounts of his own, I really hope all this AML crap is for once put to good use and this asshole is caught, and forced to return everything he's stolen.
If it's not a theft*, then MtGox at least would know. I hope in this case they break the silence, otherwise they would be accomplices.

*EDIT: If it's not a theft done by a third party. Either way the customers' money was stolen.

I disagree. The victims here are the people, Bitcoinica's depositors, who have their money "evaporated". Bitcoinica, it appears, is at least complicit due to gross negligence, if not worse, as some allege.


Surely this ain't the guy responsible for both hacks: http://www.youtube.com/watch?v=pb3n0g2NenI (watch all the way through to get full impact and enjoyment)

~Cackling Bear~ (quick comic relief)
sd
Hero Member
July 13, 2012, 09:52:52 PM
 #315




This a thousand times. This last 'hack', if it happened at all, was the remnants of bitcoinica giving money away.

No-one could be so stupid as to get publicly hacked and not change all their passwords afterwards. It's just unbelievable anyone could be that dumb and still manage to dress themselves in the morning.


This reeks of misdirection to avoid or delay paying back the victims. Time to stop listening to excuses and look up a good lawyer in Singapore. If Zhou Tong can pass the buck at least he will have to tell you who the buck is passed to.
caveden
Legendary
July 13, 2012, 09:55:42 PM
 #316

Blame the victim is never a good argument.

That's what this whole thread is about, blaming the victim. Assuming OP is true, then Bitcoinica is the victim of a theft. Everybody here is blaming Bitcoinica, not the thief.

If this is really a theft, and the thief wired money to accounts of his own, I really hope all this AML crap is for once put to good use and this asshole is caught, and forced to return everything he's stolen.
If it's not a theft*, then MtGox at least would know. I hope in this case they break the silence, otherwise they would be accomplices.

*EDIT: If it's not a theft done by a third party. Either way the customers' money was stolen.

I disagree. The victims here are the people, Bitcoinica's depositors, who have their money "evaporated". Bitcoinica, it appears, is at least complicit due to gross negligence, if not worse, as some allege.

Criminal negligence (unintended crime) normally applies when your negligent action directly caused the crime. Like, if instead of paying attention to the road while driving you prefer to look at the tiny skirts of some lady passing by and you end up hitting someone, that's criminal negligence. If you are watching some woman's purse at an outside restaurant, and a thief grabs it and runs away, you're not the criminal, the thief is. At least that's how I see it. It's not a crime to be stupid/naive or not to know good security practices. It's a crime to steal.

Anyways, I don't feel like defending Bitcoinica either. This was way too much fail.
I just hope the actual criminal is caught. If he withdrew USD, he did leave a clearer trail.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
Vod
Legendary
July 13, 2012, 10:02:53 PM
 #317

MtGox support reminds me a lot of eGold support... they knew when the scams were going on, but they would never tell you cause they were in on them.

I'm into creating universes, smiting people, writing holy books and listening to prayers.
If you want your prayers answered, you must donate to 1CDyx8AUTiYXS1ThcBU3vy4SJWQq6pdFMH
JoelKatz
Legendary
July 13, 2012, 10:06:08 PM
 #318

Blame the victim is never a good argument.

That's what this whole thread is about, blaming the victim. Assuming OP is true, then Bitcoinica is the victim of a theft. Everybody here is blaming Bitcoinica, not the thief.

If I'm holding $100 that is yours and I get robbed, I'm the victim if I pay you back your $100 out of my own money. But if I say to you, "sorry buddy, your $100 is gone, I got robbed", then *you* are the victim.

Unless Bitcoinica repays depositors from their own funds, Bitcoinica is not the victim of the theft. The depositors are. It was their money that was stolen, not Bitcoinica's.

The victim is whoever ultimately suffers the loss.



I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Vladimir
Hero Member
July 13, 2012, 10:11:41 PM
 #319

Companies like this will ruin bitcoin..

More accurate would be to say

Quote from: Vladmir
Bitcoin will ruin companies like these.

-
Stephen Gornick
Legendary
July 13, 2012, 10:13:23 PM
 #320

how can they know the current Gox user/pass was found out from LastPass? I guess to them it would seem obvious if the gox acct was a new pass that only the current controller of the gox acct had. But, these are still questions that all need to have answers to them in order to make better determinations.

I see that LastPass has a way to view history, which if that showed login from an unknown IP address, that would be a pretty good clue.

I just tried to view the history but the LastPass UI for the date picker is so horrible I could not use it successfully.  (Top-right is the LastPass asterisk (starfish, ironically :) ), then click History)
