Bitcoinica MtGox account compromised

[Phinnaeus Gage]

Posted an update to the OP.

Poof! And he's gone! Funny how he's not been around to post. I guess there's nothing exciting going on with this forum to warrant his presence.

~Bruno~

[bitcoinBull]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

Good question. And when the 18k were stolen, genjix's first response was "There shouldn't even be that much money in the live wallet." And we see Patrick's comments on #bitcoin-dev talking about "amateur hour" while probing bitcoinica, and demanding respect just a few days ago.

Then they were put in control of bitcoinica's MtGox account (Tihan confirmed this, he gave them all the passwords in the info@bitcoinica.com LastPass account), and in the months since they didn't even turn on 2-factor auth.

Its literally a miracle that Intersango is still in business (at least they did accidentally leak all Intersango users e-mail addresses).

[Transisto]

Posted an update to the OP.

Poof! And he's gone! Funny how he's not been around to post. I guess there's nothing exciting going on with this forum to warrant his presence.

Genjix is attending Hackaton in Berlin.

I bet they're busy providing tech support for intersango.

[Phinnaeus Gage]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

You are so delusional! No such thing was ever said. But if it had, it would look like the below.

you have access!!!
Just send my 60-70btc to 19PKMheiAr2Lxm2YN67pTUpTmwTW96PGvF .

lol trying to jump the line. Try not to be an idiot.

Im not jumping the line. I suggested that zhou got rid of the bureaucracy.
We have waited long enough, and im getting impatient.

It's not how things work. The owner of the account is not Bitcoinica LP, and I never have authority to touch the money in that account.

I can just confirm that the fund injection (from cold storage) has been done, and technically Patrick (and maybe others) can already access the funds.

Or like this:

Who has the keys to the offline cold storage wallet?

I don't have. I don't even know how much we have in cold storage before the hack.

[repentance]

Copied and paste from a random website:

What are the banking hours in Japan? Most banks are open Monday to Friday, 9:00am to 3:00pm. Most are closed on Saturday's and Sunday's.

TGIF comes to mind. In this case, TGIF13.

As of an hour ago, Mt Gox has yet to file a report. Neither has those (maybe no longer plural) over at Bitcoinica.

~Bruno~

Bank hours have nothing to do with it.  I was just giving a bank as an example of who would normally file the report with law enforcement if a depositor's funds are taken from an account with a financial institution.

We actually don't know exactly what contact MtGox may or may not have had with the authorities and it is no-one's best interest for them to reveal that information at this stage.  On the other hand, the failure of those associated with Bitcoinica to make reports to law enforcement is inexcusable and simply cannot be justified.

ZhouTong wasn't paid employee compensation.

In the other thread it was stated that Zhoutong continued to receive $8000 per month until recently.  It is not clear whether he received that money as an employee or as a consultant, although his posts following the May intrusion indicated that he regarded himself as an employee.  Generally when companies become insolvent, employee entitlements take precedence over those of unsecured creditors but there is little indication that any of the "management" people were being paid following the Linode hack.  In fact, if Zhou is to be believed, funds were being injected into Bitcoinica at that time (by Tihan and perhaps others) to cover the initial losses.

Zhou was being paid $8000 a month for operating Bitcoinica in his part time while Tihan was scrambling to get the site working. During the last month, Zhou was not taking pay, to refund the money stolen by the Linode compromise. Tihan was rushing to get the paperwork finished because Zhou is attending school. We kept sending the paperwork back saying it's incomplete and there's problems, so when the initial compromise happened, the company was not yet fully formed. The initial confusion was over who is responsible as the GP - the part time owner devoting maybe 5 hours a week? The new owners who had no experience operating the site? The middleman who acts on behalf of the owner and has no technical knowledge? That's why payments were initially complicated and delayed.

[zhoutong]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

The funds were in the cold storage. But apparently someone transferred that to Mt. Gox account to be ready for refunds.

[Bitcoin Oz]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

You are so delusional! No such thing was ever said. But if it had, it would look like the below.

you have access!!!
Just send my 60-70btc to 19PKMheiAr2Lxm2YN67pTUpTmwTW96PGvF .

lol trying to jump the line. Try not to be an idiot.

Im not jumping the line. I suggested that zhou got rid of the bureaucracy.
We have waited long enough, and im getting impatient.

It's not how things work. The owner of the account is not Bitcoinica LP, and I never have authority to touch the money in that account.

I can just confirm that the fund injection (from cold storage) has been done, and technically Patrick (and maybe others) can already access the funds.

Or like this:

Who has the keys to the offline cold storage wallet?

I don't have. I don't even know how much we have in cold storage before the hack.

https://bitcointalk.org/index.php?topic=81045.msg894305#msg894305   maybe I imagined someone said it.....

[Bitcoin Oz]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

The funds were in the cold storage. But apparently someone transferred that to Mt. Gox account to be ready for refunds.

Mt Gox != cold storage for those playing at home.

[Phinnaeus Gage]

Posted an update to the OP.

Poof! And he's gone! Funny how he's not been around to post. I guess there's nothing exciting going on with this forum to warrant his presence.

Genjix is attending Hackaton in Berlin.

I bet they're busy providing tech support for intersango.

Let me get this straight. The poor guy is not eating well, isn't sleeping well, there's a major debacle going on, and he's the key player making sure that people get their money back with the use of an outdated computer. But he's able to attend a hacking convention in Berlin which, if I still remember my geography, is not in the UK. And Zhou Tong is in Singapore which is not in Australia. How many of the other key players of Bitcoinica are on holiday? It looks like I may be canceling my fishing trip to Wisconsin again this year to clean up the mess I have here in Sandwich, due in part because of all this.

Please, Jehovah, at least let Satoshi Nakamoto be of legal drinking age. I want to believe!

~Bruno~

[bitcoinBull]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

You are so delusional! No such thing was ever said. But if it had, it would look like the below.

It's not how things work. The owner of the account is not Bitcoinica LP, and I never have authority to touch the money in that account.

I can just confirm that the fund injection (from cold storage) has been done, and technically Patrick (and maybe others) can already access the funds.

Shit.. June 06 zhoutong confirms that funds were moved from cold storage. The source was leaked approximately June July 08. And the withdrawal made on June July 12. That's at least 36 days on MtGox without two-factor auth.

edit: fixed dates

[Phinnaeus Gage]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

The funds were in the cold storage. But apparently someone transferred that to Mt. Gox account to be ready for refunds.

I wish I took a picture of myself after reading the above, for I caught myself doing a real life epic facepalm.

Me: Hey, Joe. I got the $20 I owe you.
Joe: Great!
Me: First I have to take it out of my wallet and put it in Myra's purse. Then she'll take it out and give it to you.
Joe: Cool!
Joe: Waiting!
Joe: Still waiting!
Me: And poof! It's gone!
Joe: Wait, what?
Me: Next!

[Phinnaeus Gage]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

The funds were in the cold storage. But apparently someone transferred that to Mt. Gox account to be ready for refunds.

Mt Gox != cold storage for those playing at home.

I can't take this anymore! My face just cramped up from laughing so hard.

Let's see if I can play just as well as you.

For those playing at home, the powers that be, prior to attending a hacking convention, put a sizable sum of bitcoins in Mt Gox (a.k.a. cold storage) so that many people owed funds to will soon receive half of what is rightfully owed them. It's the safest and best option for all concerns.

But if anything should happen, which we here in Studio A don't see anything nefarious afoot, there is a backup plan. (Zhou, are you ready in studio B?)

~Bruno~

[Transisto]

...
Mt Gox != cold storage for those playing at home.

I can't take this anymore! My face just cramped up from laughing so hard.
...

We got the facepalm part a while ago,

Please go easy on the humor, Some people are really stressed out over this.

[zhoutong]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

The funds were in the cold storage. But apparently someone transferred that to Mt. Gox account to be ready for refunds.

Mt Gox != cold storage for those playing at home.

I can't take this anymore! My face just cramped up from laughing so hard.

Let's see if I can play just as well as you.

For those playing at home, the powers that be, prior to attending a hacking convention, put a sizable sum of bitcoins in Mt Gox (a.k.a. cold storage) so that many people owed funds to will soon receive half of what is rightfully owed them. It's the safest and best option for all concerns.

But if anything should happen, which we here in Studio A don't see anything nefarious afoot, there is a backup plan. (Zhou, are you ready in studio B?)

~Bruno~

Bruno, I got 8.0 for IELTS, but I can't seem to understand your language.

[Phinnaeus Gage]

What the fuck was 40 000 bitcoins doing sitting at mt gox. After the first hack it was claimed 80% of funds were sitting in cold storage.

Someone told lies about this too. Can someone dig up the original thread where they promised the coins were in cold storage ?

You are so delusional! No such thing was ever said. But if it had, it would look like the below.

It's not how things work. The owner of the account is not Bitcoinica LP, and I never have authority to touch the money in that account.

I can just confirm that the fund injection (from cold storage) has been done, and technically Patrick (and maybe others) can already access the funds.

Shit.. June 06 zhoutong confirms that funds were moved from cold storage. The source was leaked approximately June July 08. And the withdrawal made on June July 12. That's at least 36 days on MtGox without two-factor auth.

edit: fixed dates

WTF! And only two posts down from the above we have the following:

Since nobody seems to be reading the verify@bitcoinica emails I agree with Kokjo and kindly remind you to send me my 101 BTC  to: 1ET2ps7BRrZnDeq7bVNc8bS9ZmgN8DxUXy   - consider the BTC pocket change you owe me and my 3 cents USD a going away gift.

I respectfully do not care who pays for it, and this is not a trivial amount to me. You're not the only one with tuition fees to pay.

Afterwards, I promise to stop asking you on this forum for what is rightfully mine. Thank you.

[Transisto]

I'll post this again, seems nobody read it,

30% cut ?
How can 40k BTC be untraceable or easily spendable ?

Why don't we instead agree to give the hacker an honest and untainted 30% of the BTC he moved ?
By honest I mean we know who he is, we know what he did, we're happy with it, and we respect him for both getting into your gox account and returning funds.
This "hacker" is a "somwhat" tech-savvy person that achieved something worth being rewarded for.

This is not a home invasion or a physical robbery, as much as some may hate it, if we get anything stolen because of a weak password or weak security policy then we should have no-one but our-self to blame.

I think this concept should be well understood by this community.

Pro tip,
When I was using Bitcoinica :
I was doing it with an uncompromised PC, Firewall, AV(s) ect. (HARD)
I was closing my Bitcoinica browser sessions every-time I was done,
I had two account to spread the risk, both were secured with Google Authenticator, (phone app)
I had ~14 char randomly created passwords,
 different ones,
 all stored into LastPass,
With a safe lastpass password,
With a 2nd factor Yubikey, (my home pc is not considered safe on LastPass, so I have to push the button every time.)
The LastPass recovery email is dedicated to this, the password is paper stored in a safe place.
My HDD is truecrypted,
My firewire port are disabled,
I don't use a Wireless keyboard
I never leave the PC with an open session, (session autolock after ~10 min.)
...I do not have any felling it is all secure. I'm by no mean a security expert.

I had nowhere near the same value to protect and ... were not someone else assets.[/b]

IMO, This is rather basic protection scheme for a regular "geek" PC user...

Whatever your previous story, ;
In over 2 months...
You failed to disable Mt.Gox API,
You failed to protect mt. Gox with a Yubikey,
You failed to change Lastpass password,
You failed to protect Lastpass with one of their many 2nd factor auth. (some free)

Don't be surprised if people don't believe you.

[repentance]

And Zhou Tong is in Singapore which is not in Australia. How many of the other key players of Bitcoinica are on holiday? It looks like I may be canceling my fishing trip to Wisconsin again this year to clean up the mess I have here in Sandwich, due in part because of all this.


~Bruno~

To be fair, many international students from the Asia-Pacific region who studying at Australian universities go home for the mid-year break.  

[Transisto]

How can 40k BTC + 18k BTC be untraceable or easily spendable ?

Why don't we instead agree to give the hacker an honest and untainted 30% of the BTC he moved ?
By honest I mean we know who he is, we know what he did, we're happy with it, and we respect him for both getting into your gox account and returning funds.
This "hacker" is a "somewhat" tech-savvy person that achieved something worth being rewarded for.

This is not a home invasion or a physical robbery, as much as some may hate it, if we get anything stolen because of a weak password or weak security policy then we should have no-one but our-self to blame.

I think this concept should be well understood by this community.

In all, I'm saying, It's not like the hacker stole BTC from a respected member of the community.

It was completely their fault for not securing enough.

Given what I said, If hacker don't agree to this, it is 90%+ likely an inside job.

[Bitcoin Oz]

[Justin00]

Posted an update to the OP.

Poof! And he's gone! Funny how he's not been around to post. I guess there's nothing exciting going on with this forum to warrant his presence.

Genjix is attending Hackaton in Berlin.

I bet they're busy providing tech support for intersango.

LOL hackathon....... how appropriate