Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 145644 times)
BitcoinBug
July 14, 2012, 01:00:33 PM
 #461

My first post here. I agree that this looks like an inside job at worst or incredible negligence (for a security-conscious group) at best. I hope this all will be handled without too much collateral damage to the Bitcoin community, especially Roger Ver.

I only have one question for Consultancy: "How do you know the hacker got the MtGox password from LastPass and what its master password was?"

As for the lawsuit... I don't think there will be a massive lawsuit, as some believe, if at all. We'll see.

P.S.: When Bitcoinica registered, things looked really well from the outside. I was seriously thinking about depositing some EUR there. I'm glad I didn't.
Bitcoin Oz
July 14, 2012, 01:05:06 PM
 #462

If gox goes down you can always use intersango...

Maged
July 14, 2012, 01:09:46 PM
 #463

I only have one question for Consultancy: "How do you know the hacker got the MtGox password from LastPass and what its master password was?"
As always, Zhou is the only one who actually has answers:
I received this email. I was still in the verify@bitcoinica.com mailing list.

I believe that the theft happened much earlier and no one discovered. No one cared about this spammy-look email either (or they don't check their mailbox).


Quote
From: Bitcoinica Sucks <bitcoinicasucks@hotmail.com>
To: verify@bitcoinica.com
Date: Friday, 13 July 2012 3:39:55 AM
Subject: Bitcoinica is done

THANK YOU FOR YOU SOURCE CODE.

BITCONICA IS NOW OFFICALY DONE!

LASTPAS PASWORD: c02e1a27-5524-449f-ba65-aff9581ddedc


davout
July 14, 2012, 01:11:38 PM
 #464

If gox goes down you can always use intersango...
haha oh god, no

wirmola
July 14, 2012, 01:19:26 PM
 #465

Wow, no more news from Bitcoinica, no police report, Gox doesn't give many answers (like how they could transfer 40K$ so easily)..
 hmmm.
Bigpiggy01
July 14, 2012, 02:02:49 PM
 #466

(like how they could transfer 40K$ so easily)..
 hmmm.

Bitinstant and Aurumnexchange other stuff would have raised flags.

Otoh
July 14, 2012, 02:14:37 PM
 #467

Beyond unbelievable! You just couldn't make this shit up (unless you actually did, did you?) - at least I couldn't anyway Shocked

ErebusBat
July 14, 2012, 02:15:26 PM
 #468

I also find it likely that bit floor would have flagged it as well.

Also to the hacker: if you want to taint me feel free.

ydenys
July 14, 2012, 02:16:13 PM
 #469

I had wiped my mouth quite a while ago after receiving more useless emails from BC. They clearly had not read mine. (Submitted another claim to Zou, out of pure whynotness)

Can someone clarify what sort of people they had refunded in full? So far I know only a few who received half of their recently deposited coins, and it is all just change. They keep ‘allocating’ funds for one or two serious pay outs, but I’m yet to hear any of those are actually being refunded. There was enough money on the books to warrant serious investment via Tihan, plus what you read on the forums, all in all, more than enough to ‘move to Berlin’ and ‘leave’ BC. I have only a couple of p in Intersango, but by association/recommendation had to warn people to get their money off it ASAP. (Looking at their order book, most are left anyway.)

Zou is definitely worried, Tihan, perhaps, had not dealt with ‘uncertain’ funds before. Do we know of any 10k+ refunds so far? Compensation/interest? Just want a clear picture what sort of frisky folk is left with the bag and why they all are so awfully quiet. I mean, one can bend somewhat/thing/one and forget about £1k of ‘play’ money. But it is highly unlikely that 99% of Bitcoinica depositors can.
Jan
July 14, 2012, 02:20:33 PM
 #470

...
What we really need is independent auditing of exchanges, ewallets, and similar services. We need independent third parties who can affirm, on a regular basis, that these businesses have assets that exceed their obligations.

Joel, you are absolutely correct.
The hacks we have had over the last year make it very plain that many Bitcoin users do not understand the security risks associated with trusting their funds with a third party.
I would like to see a list of Bitcoin services/software that meets some community defined minimum requirements. When someone asks "Is this service X safe to use?" the answer should be "If X is not on the list, then don't use it"

Services/software should be divided into categories such as exchanges/wallets/merchants etc, each with its own set of auditing rules.
Being a Bitcoin wallet developer myself I would be happy to have my code reviewed by a third party, and help set the minimum requirements for trusted Bitcoin wallets.

For Bitcoin wallets the list could look something like this:
  • Code that manages private keys must be open source
  • The source code must be peer reviewed by 2 developers from competing wallets
  • Private keys must only be used by software running on hardware controlled by the user
  • The user must be able to export private keys off a wallet at any time
  • The wallet software must have a well defined release procedure
  • The end user must be in control of when to upgrade
  • The people behind the wallet should be publicly known persons, so you can go kick their ass
  • ...
I know that this list will disqualify a bunch of eWallets (read: wallets where you send your BTC to a private key that is not controlled by you), but to be honest, I don't think that any Bitcoin company is mature enough to manage large amounts of other people's money.
(Jan tries to dodge the flames thrown by eWallet developers)

piuk
July 14, 2012, 02:26:23 PM
 #471

(Jan tries to dodge the flames thrown by eWallet developers)


ErebusBat
July 14, 2012, 02:31:34 PM
 #472

(Jan tries to dodge the flames thrown by eWallet developers)

...flames...
Actually wouldn't MyWallet qualify?  Except maybe the user decided when to upgrade?

sadpandatech
July 14, 2012, 03:00:16 PM
 #473

I only have one question for Consultancy: "How do you know the hacker got the MtGox password from LastPass and what its master password was?"
As always, Zhou is the only one who actually has answers:
I received this email. I was still in the verify@bitcoinica.com mailing list.

I believe that the theft happened much earlier and no one discovered. No one cared about this spammy-look email either (or they don't check their mailbox).


Quote
From: Bitcoinica Sucks <bitcoinicasucks@hotmail.com>
To: verify@bitcoinica.com
Date: Friday, 13 July 2012 3:39:55 AM
Subject: Bitcoinica is done

THANK YOU FOR YOU SOURCE CODE.

BITCONICA IS NOW OFFICALY DONE!

LASTPAS PASWORD: c02e1a27-5524-449f-ba65-aff9581ddedc


Wasn't that mail after the hack though?  I still have the same question, lastpass has logs that can be checked..

sadpandatech
July 14, 2012, 03:06:14 PM
 #474

I only have one question for Consultancy: "How do you know the hacker got the MtGox password from LastPass and what its master password was?"
As always, Zhou is the only one who actually has answers:
I received this email. I was still in the verify@bitcoinica.com mailing list.

I believe that the theft happened much earlier and no one discovered. No one cared about this spammy-look email either (or they don't check their mailbox).


Quote
From: Bitcoinica Sucks <bitcoinicasucks@hotmail.com>
To: verify@bitcoinica.com
Date: Friday, 13 July 2012 3:39:55 AM
Subject: Bitcoinica is done

THANK YOU FOR YOU SOURCE CODE.

BITCONICA IS NOW OFFICALY DONE!

LASTPAS PASWORD: c02e1a27-5524-449f-ba65-aff9581ddedc


Wasn't that mail after the hack though?  I still have the same question, lastpass has logs that can be checked..

why send mail first, then take coins? im no mastermind but steal first then gloat?

Yea, I can see that. The question still stands though. "Who is it that pointed out their LastPass had been breached and how did they know? Where are the logs?"

Clipse
July 14, 2012, 03:09:17 PM
 #475

If someone did steal the sourcecode, How the hell did that happen?

Did you guys email the sourcecode to everyone?

Seriously, there is no way you can explain your way out of such a leak of the sourcecode to the core of your business.

allten
July 14, 2012, 03:13:09 PM
 #476

This is possible. Even if Zhoutong received a fair price, he could still theoretically be held liable for negligently transferring control over the assets of his depositors.

From the facts known to me, this seems like an extremely unlikely way for events to turn. It seems, at least to me, that Zhoutong negotiated in good faith, believed the people he was dealing with were more competent than him to run the business, and had no reason to suspect any of the future problems. I don't know whether his compensation was fair or not, but I understand he was motivated to sell, so it's unlikely he was paid more than the business was worth.


It doesn't matter. I'm not talking about theoreticals, the facts you and I know regarding the ownership transfer is slim-to-none and that's one of the fundamental problems. To postulate that he was not paid more than what the company was worth is indicative of illusory self-confidence in knowledge, unless you are privy to non-public facts that have not been disclosed here (if so, I'm sure people that have lost money would love to know).

If I did not make it clear enough, the lack of public knowledge of ownership transfer creates serious potential for negligence claims against Zhoutong (as he has a fiduciary duty to deposit holders). Transfer of a money service to another entity which has different credit risk/security expertise without disclosure, then having the new entity defaulting on debts is an open and shut case of proximate cause, I disagree with the opinion that it's an unlikely avenue of pursuit in the event of actual default.

To reiterate, assuming that Zhoutong has zero involvement with the theft/loss-of-funds, it is in his personal best interests to ensure/advocate that everyone gets paid back in full.

+10,000,000

Bam! Nice write up. This is why I think any lawsuit should also include Zhou!
There were 3 parties here, the original Bitcoinica team, the Intersango team, and the investors. The ball was dropped in the hand off. It's the perfect scenario for an inside job and to get away with it. The innocent players were blinded by greed and should have been much more cautious. Any reasonable person would have considered limiting funds during the handoff which should have taken months to be done properly - not just a day for some passwords to be transmitted. Like jcp points out, none of the users were told until after the fact. This will be a great lesson to anyone thinking of buying or selling a Bitcoin business.

Good luck to anyone with large stakes. With lawsuits being forced, this slow-moving train wreck just got another 6 to 12 months added to it.
imanikin
July 14, 2012, 03:40:05 PM
 #477

PS: Please forgive for posting so often in this thread with what looks like on the surface to be nonsense but, because of the nature of this beast, it's warranted.
...
"A wise man speaks because he has something to say; a fool because he has to say something."
...
(+1 It's annoying to follow threads with such posters in it. When someone has 6k+ posts, and has only been in the forum a year, it's likely that most of those posts were brief blurbs of nonsense...

I think Phinnaeus Gage will be the first member on my ignore list.  Cheesy )

As for the topic, my sympathies for all who were damaged. I was hoping that after the 2011 Magic the Gathering Online Xchange hack, the BtCex.com affair, the MyBitcoin scam, and appearance of things like 2-factor and paper wallets, such incidents would be behind us... Sad

May all of you be well! There is, obviously, more to Life than Bitcoin...  Cool

Otoh
July 14, 2012, 03:41:08 PM
 #478

BTC : You can still withdraw up to 4,000.00000000 BTC provided you have enough on your account (your limit is 4,000.00000000 BTC per 24 hours )
USD : You can still withdraw up to $10,000.00000 provided you have enough on your account (your limit is $10,000.00000 per 24 hours and $50,000.00000 per 30 days)

I guess the Bitcoinica funds had requested higher withdrawal limits than normal verified accounts, otherwise it would take 10 days to get the coins out & 4 days to drain the $s, or has this siphoning off been going on for a while?

I assume that the $40k were sent to sock puppet accounts by Mt. Gox $ codes & then coins were bought & moved out, rather than being withdrawn in actual $s.

Shout out to the hacker - Don't taint me bro!  1G5apmPvo2iTtmkNWAHTCET7Y842Ufijs8    Wink

ErebusBat
July 14, 2012, 03:47:07 PM
 #479

Love it... "don't taint me bro"
HACKER:  This ^^^^

Even opens up a whole line of shirts: "Bitcoinica's MtGox got compromised and all I got was this lousy taint..."

Clipse
July 14, 2012, 04:05:38 PM
 #480

So where is the wallet address of this BTC withdrawal ?

At the very least people can see where it goes and if it moves to an exchange to be sold eventually.
