Author Topic: Bitcoinica MtGox account compromised  (Read 155938 times)
Maged
July 14, 2012, 01:09:46 PM
 #461

I only have one question for Consultancy: "How do you know the hacker got the MtGox password from LastPass and what its master password was?"
As always, Zhou is the only one who actually has answers:
I received this email. I was still in the verify@bitcoinica.com mailing list.

I believe that the theft happened much earlier and no one discovered it. No one cared about this spammy-looking email either (or they don't check their mailbox).


Quote
From: Bitcoinica Sucks <bitcoinicasucks@hotmail.com>
To: verify@bitcoinica.com
Date: Friday, 13 July 2012 3:39:55 AM
Subject: Bitcoinica is done

THANK YOU FOR YOU SOURCE CODE.

BITCONICA IS NOW OFFICALY DONE!

LASTPAS PASWORD: c02e1a27-5524-449f-ba65-aff9581ddedc


"Bitcoin: the cutting edge of begging technology." -- Giraffe.BTC
davout
July 14, 2012, 01:11:38 PM
 #462

If gox goes down you can always use intersango...
haha oh god, no

wirmola
July 14, 2012, 01:19:26 PM
 #463

wow, no more news from bitcoinica, no police report, gox don't give many answers(like how they could transfer 40K$ so easily)..
 hmmm.
Bigpiggy01
July 14, 2012, 02:02:49 PM
 #464

(like how they could transfer 40K$ so easily)..
 hmmm.

Bitinstant and Aurumnexchange other stuff would have raised flags.

Otoh
July 14, 2012, 02:14:37 PM
Last edit: July 14, 2012, 03:42:27 PM by Otoh
 #465

Beyond unbelievable! You just couldn't make this shit up (unless you actually did, did you?) - at least I couldn't anyway Shocked

BTC = $c²     My BTC addie = 1otohotohMoQoxHuxLBveQiZcV3Pji3Tc 
ErebusBat
July 14, 2012, 02:15:26 PM
 #466

I also find it likely that bit floor would have flagged it as well.

Also to the hacker: if you want to taint me feel free.

ydenys
July 14, 2012, 02:16:13 PM
 #467

I had wiped my mouth quite a while ago after receiving more useless emails from BC. They clearly had not read mine. (Submitted another claim to Zou, out of pure whynotness)

Can someone clarify what sort of people they had refunded in full? So far I know only a few who received half of their recently deposited coins, and it is all just change. They keep ‘allocating’ funds for one or two serious pay outs, but I’m yet to hear any of those are actually being refunded. There was enough money on the books to warrant serious investment via Tihan, plus what you read on the forums, all in all, more than enough to ‘move to Berlin’ and ‘leave’ BC. I have only a couple of p in Intersango, but by association/recommendation had to warn people to get their money off it ASAP. (Looking at their order book, most are left anyway.)

Zou is definitely worried, Tihan, perhaps, had not dealt with ‘uncertain’ funds before. Do we know of any 10k+ refunds so far? Compensation/interest? Just want a clear picture what sort of frisky folk is left with the bag and why they all are so awfully quiet. I mean, one can bend somewhat/thing/one and forget about £1k of ‘play’ money. But it is highly unlikely that 99% of Bitcoinica depositors can.
Jan
July 14, 2012, 02:20:33 PM
 #468

...
What we really need is independent auditing of exchanges, ewallets, and similar services. We need independent third parties who can affirm, on a regular basis, that these businesses have assets that exceed their obligations.

Joel, you are absolutely correct.
The hacks we have had over the last year make it very plain that many Bitcoin users do not understand the security risks associated with trusting their funds with a third party.
I would like to see a list of Bitcoin services/software that meets some community defined minimum requirements. When someone asks "Is this service X safe to use?" the answer should be "If X is not on the list, then don't use it"

Services/software should be divided into categories such as exchanges/wallets/merchants etc, each with its own set of auditing rules.
Being a Bitcoin wallet developer myself I would be happy to have my code reviewed by a third party, and help set the minimum requirements for trusted Bitcoin wallets.

For Bitcoin wallets the list could look something like this:
  • Code that manages private keys must be open source
  • The source code must be peer reviewed by 2 developers from competing wallets
  • Private keys must only be used by software running on hardware controlled by the user
  • The user must be able to export private keys off a wallet at any time
  • The wallet software must have a well defined release procedure
  • The end user must be in control of when to upgrade
  • The people behind the wallet should be publicly known persons, so you can go kick their ass
  • ...
I know that this list will disqualify a bunch of eWallets (read wallets where you send your BTC to a private key that is not controlled by you), but to be honest, I don't think that any Bitcoin company is mature enough to manage large amounts of other people's money.
(Jan tries to dodge the flames thrown by eWallet developers)

Mycelium lets you hold your private keys private.
piuk
July 14, 2012, 02:26:23 PM
 #469

(Jan tries to dodge the flames thrown by eWallet developers)


ErebusBat
July 14, 2012, 02:31:34 PM
 #470

(Jan tries to dodge the flames thrown by eWallet developers)

...flames...
Actually wouldn't MyWallet qualify?  Except maybe the user decided when to upgrade?

sadpandatech
July 14, 2012, 03:00:16 PM
 #471

I only have one question for Consultancy: "How do you know the hacker got the MtGox password from LastPass and what its master password was?"
As always, Zhou is the only one who actually has answers:
I received this email. I was still in the verify@bitcoinica.com mailing list.

I believe that the theft happened much earlier and no one discovered it. No one cared about this spammy-looking email either (or they don't check their mailbox).


Quote
From: Bitcoinica Sucks <bitcoinicasucks@hotmail.com>
To: verify@bitcoinica.com
Date: Friday, 13 July 2012 3:39:55 AM
Subject: Bitcoinica is done

THANK YOU FOR YOU SOURCE CODE.

BITCONICA IS NOW OFFICALY DONE!

LASTPAS PASWORD: c02e1a27-5524-449f-ba65-aff9581ddedc


Wasn't that mail after the hack though?  I still have the same question, lastpass has logs that can be checked..

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
sadpandatech
July 14, 2012, 03:06:14 PM
 #472

I only have one question for Consultancy: "How do you know the hacker got the MtGox password from LastPass and what its master password was?"
As always, Zhou is the only one who actually has answers:
I received this email. I was still in the verify@bitcoinica.com mailing list.

I believe that the theft happened much earlier and no one discovered it. No one cared about this spammy-looking email either (or they don't check their mailbox).


Quote
From: Bitcoinica Sucks <bitcoinicasucks@hotmail.com>
To: verify@bitcoinica.com
Date: Friday, 13 July 2012 3:39:55 AM
Subject: Bitcoinica is done

THANK YOU FOR YOU SOURCE CODE.

BITCONICA IS NOW OFFICALY DONE!

LASTPAS PASWORD: c02e1a27-5524-449f-ba65-aff9581ddedc


Wasn't that mail after the hack though?  I still have the same question, lastpass has logs that can be checked..

why send mail first, then take coins? im no mastermind but steal first then gloat?

yea, I can see that. The question still stands though. "Who is it that pointed out their lastpass had been breached and how did they know? Where are the logs?"

Clipse
July 14, 2012, 03:09:17 PM
 #473

If someone did steal the sourcecode, how the hell did that happen?

Did you guys email the sourcecode to everyone?

Seriously, there is no way you can explain your way out of such a leak of the sourcecode to the core of your business.

...In the land of the stale, the man with one share is king... >> Clipse

allten
July 14, 2012, 03:13:09 PM
 #474

This is possible. Even if Zhoutong received a fair price, he could still theoretically be held liable for negligently transferring control over the assets of his depositors.

From the facts known to me, this seems like an extremely unlikely way for events to turn. It seems, at least to me, that Zhoutong negotiated in good faith, believed the people he was dealing with were more competent than him to run the business, and had no reason to suspect any of the future problems. I don't know whether his compensation was fair or not, but I understand he was motivated to sell, so it's unlikely he was paid more than the business was worth.


It doesn't matter. I'm not talking about theoreticals, the facts you and I know regarding the ownership transfer is slim-to-none and that's one of the fundamental problems. To postulate that he was not paid more than what the company was worth is indicative of illusory self-confidence in knowledge, unless you are privy to non-public facts that have not been disclosed here (if so, I'm sure people that have lost money would love to know).

If I did not make it clear enough, the lack of public knowledge of ownership transfer creates serious potential for negligence claims against Zhoutong (as he has a fiduciary duty to deposit holders). Transfer of a money service to another entity which has different credit risk/security expertise without disclosure, then having the new entity defaulting on debts is an open and shut case of proximate cause, I disagree with the opinion that it's an unlikely avenue of pursuit in the event of actual default.

To reiterate, assuming that Zhoutong has zero involvement with the theft/loss-of-funds, it is in his personal best interests to ensure/advocate that everyone gets paid back in full.

+10,000,000

Bam! Nice write up. This is why I think any lawsuit should also include Zhou!
There were 3 parties here, the original Bitcoinica team, the Intersango team, and the investors. The ball was dropped in the hand off. It's the perfect scenario for an inside job and to get away with it. The innocent players were blinded by greed and should have been much more cautious. Any reasonable person would have considered limiting funds during the handoff which should have taken months to be done properly - not just a day for some passwords to be transmitted. Like jcp points out, none of the users were told until after the fact. This will be a great lesson to anyone thinking of buying or selling a Bitcoin business.

Good luck to anyone with large stakes. With lawsuits being forced, this slow moving train wreck just got another 6 to 12 months added to it.
imanikin
July 14, 2012, 03:40:05 PM
 #475

PS: Please forgive for posting so often in this thread with what looks like on the surface to be nonsense but, because of the nature of this beast, it's warranted.
...
"A wise man speaks because he has something to say; a fool because he has to say something."
...
(+1 It's annoying to follow threads with such posters in it. When someone has 6k+ posts, and has only been in the forum a year, it's likely that most of those posts were brief blurbs of nonsense...

I think Phinnaeus Gage will be the first member on my ignore list.  Cheesy )

As for the topic, my sympathies for all who were damaged. I was hoping that after the 2011 Magic the Gathering Online Xchange hack, the BtCex.com affair, the MyBitcoin scam, and appearance of things like 2-factor and paper wallets, such incidents would be behind us... Sad

May all of you be well! There is, obviously, more to Life than Bitcoin...  Cool

Otoh
July 14, 2012, 03:41:08 PM
 #476

BTC : You can still withdraw up to 4,000.00000000 BTC provided you have enough on your account (your limit is 4,000.00000000 BTC per 24 hours )
USD : You can still withdraw up to $10,000.00000 provided you have enough on your account (your limit is $10,000.00000 per 24 hours and $50,000.00000 per 30 days)

I guess the Bitcoinica funds had requested higher withdrawal limits than normal verified accounts, otherwise it would take 10 days to get the coins out & 4 days to drain the $s, or has this siphoning off been going on for a while?

I assume that the $40k were sent to sock puppet accounts by Mt. Gox $ codes & then coins were bought & moved out, rather than being withdrawn in actual $s.

Shout out to the hacker - Don't taint me bro!  1G5apmPvo2iTtmkNWAHTCET7Y842Ufijs8    Wink

ErebusBat
July 14, 2012, 03:47:07 PM
 #477

Love it... "don't taint me bro"
HACKER:  This ^^^^

Even opens up a whole line of shirts: "Bitcoinica's MtGox got compromised and all I got was this lousy taint..."

Clipse
July 14, 2012, 04:05:38 PM
 #478

So where is the wallet address of this BTC withdrawal ?

At the very least people can see where it goes and if it moves to an exchange to be sold eventually.

ErebusBat
July 14, 2012, 04:15:31 PM
 #479

So where is the wallet address of this BTC withdrawal ?

At the very least people can see where it goes and if it moves to an exchange to be sold eventually.

piuk posted the suspected TX in the blockchain.info thread.... It looks like they ran it through his servers.

Clipse
July 14, 2012, 04:25:13 PM
 #480

So where is the wallet address of this BTC withdrawal ?

At the very least people can see where it goes and if it moves to an exchange to be sold eventually.

piuk posted the suspected TX in the blockchain.info thread.... It looks like they ran it through his servers.

I'm not asking for suspected TX, I am asking for the withdrawal address that would be listed in MTGOX. No reason for anyone to speculate over where the funds went.
