Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 155938 times)
Bitcoin Oz
July 24, 2012, 04:37:35 AM
 #701

I still don't understand why they even needed Mt Gox in the first place at least for the bitcoin side of things. Why pay all the fees when you can just transfer bitcoin directly?

repentance
July 24, 2012, 04:46:20 AM
 #702

I still don't understand why they even needed Mt Gox in the first place at least for the bitcoin side of things. Why pay all the fees when you can just transfer bitcoin directly?

Because they needed to make those transfers from a hot wallet and ever since the Linode hack people had been screaming at them about keeping their hot wallet on their own servers (and suggesting that it should be kept on MtGox for security).  Doing it through MtGox would also help give them a better record of the transactions if something went wrong with their own systems.  Remember that people were also asking to be paid in MtGox codes.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Phinnaeus Gage
July 24, 2012, 04:55:09 AM
 #703

Even if it was the original hacker, according to genjix the LastPass PW was not compromised. The password was the MtGox API key and that key was stored in the source that the Rackspace hacker would have had access to, but how likely is it that if you had 5 guesses you would choose an API key buried in the source vs attempting one of the other passwords that you did compromise to see if it was a duplicate of those?

Which is what most people assume they did.  You get 5 attempts before it locks you out for 5 minutes and sends an email.  If the list of compromised passwords the hacker had wasn't especially long, then they didn't have a lot to lose by trying the duplicates - if one of them was right, there was every chance they'd be into the LastPass account before anyone read the email.

Quote
Any time a hacking fiasco happens, it basically turns into a witchhunt, because people feel extremely powerless.

This is equally true when conventional companies go out of business.

How would the hacker know beforehand if it was even worth getting into the account to get a look-see. First, he would have to know the account existed then, by happenstance, find the PW(s), then try them, all the long not only hoping that it works, but that it was all worth his time.

~Bruno~
Phinnaeus Gage
July 24, 2012, 05:00:39 AM
 #704

I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

Quote
07/12/2012 22:17:04
LastPass.com
 
67.188.9.35
Master Password Changed
07/17/2012 08:30:52
LastPass.com
 
0.0.0.0
Master Password Reverted

I've read this post, then reread it. Then again. Then stared at it, thinking of something to pen (not this post), but couldn't come up with anything substantial. I truly am shocked at what I have just read. Thanks, ZT.

~Bruno~
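
The account history quoted in the post above records a master-password event with source 0.0.0.0. As an added example (not part of the original post and not LastPass's own tooling), this sketch parses records in that four-field layout and flags credential-change events whose source address is missing, unspecified, or not on a list of known addresses; the function names, the date format and the set of event names are assumptions taken from the quoted lines.

```python
import ipaddress
from datetime import datetime
from typing import NamedTuple

# The two records quoted in the post, in the same four-field layout:
# timestamp, site, source IP, event.
QUOTED_HISTORY = """
07/12/2012 22:17:04
LastPass.com

67.188.9.35
Master Password Changed
07/17/2012 08:30:52
LastPass.com

0.0.0.0
Master Password Reverted
"""

# Assumption: the event names treated as credential changes are the two
# that appear in the quoted history.
CREDENTIAL_EVENTS = {"Master Password Changed", "Master Password Reverted"}


class Event(NamedTuple):
    when: datetime
    site: str
    source: str
    action: str


def parse_history(text):
    """Group non-blank lines into four-field records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("history is not a whole number of 4-line records")
    events = []
    for i in range(0, len(lines), 4):
        stamp, site, source, action = lines[i:i + 4]
        # Assumption: month/day/year, which matches the July 2012 thread dates.
        when = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        events.append(Event(when, site, source, action))
    return events


def attributable(source):
    """True for a valid address that is neither unspecified nor loopback."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_loopback)


def review(events, known_sources=frozenset()):
    """Return (event, reason) for credential changes that need follow-up."""
    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.action not in CREDENTIAL_EVENTS:
            continue
        if not attributable(ev.source):
            findings.append((ev, "no attributable source address recorded"))
        elif ev.source not in known_sources:
            findings.append((ev, "source address not on the known list"))
    return findings


if __name__ == "__main__":
    for ev, reason in review(parse_history(QUOTED_HISTORY)):
        print(ev.when.isoformat(), ev.action, ev.source, "->", reason)
```
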
repentance
July 24, 2012, 05:25:05 AM
 #705


How would the hacker know beforehand if it was even worth getting into the account to get a look-see. First, he would have to know the account existed then, by happenstance, find the PW(s), then try them, all the long not only hoping that it works, but that it was all worth his time.

~Bruno~


We know that an email account was breached in order to effect the Rackspace compromise.  That would have given the Rackspace hacker access to the email communications for the mailing list, among other things.  I have little doubt that the existence of the LastPass account has probably been discussed in internal emails.

Again, Zhou has already said that whoever perpetrated the Rackspace hack had enough information to compromise the MtGox account.  They may have waited to make an attempt until they knew funds had been moved there (which was obvious once refunds were being made).  Just because you assume that people will change credentials after an attack doesn't mean it will happen, and there's nothing to be lost by seeing if the credentials you've obtained will work.  The source code leak confirmed that the MtGox API key hadn't been changed - this could have encouraged the Rackspace hacker (or someone else with whom he shared the information he'd obtained during the hack) to see what else hadn't been changed.

To a large extent, exploiting vulnerabilities involves a lot of poking around for holes you don't expect to find rather than creating sophisticated means to overcome security measures which do exist.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
Vladimir
July 24, 2012, 05:31:26 AM
 #706

yep, the mindset of a good attacker often starts with "let's imagine that the target is stupid beyond reason and does all kinds of idiotic things that no sane person would ever do".

-
repentance
July 24, 2012, 05:39:09 AM
 #707

yep, the mindset of a good attacker often starts with "let's imagine that the target is stupid beyond reason and does all kinds of idiotic things that no sane person would ever do".


People are often creatures of habit, too.  If you know one mistake they've made, you can often take an educated guess at other mistakes they may have made.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
zhoutong
July 24, 2012, 05:49:29 AM
 #708

Guys, I'm not happy, constantly worried and possibly scared. I didn't have a nice sleep since long time ago.

I'm really afraid of the possible criminal charges if things don't work out well. It'll be devastating to my life, considering the permanent record and inconvenience in every single official activity, even if I'm proven innocent. I know some victims are desperate, and they are going to take actions against whatever entity that's ever related to Bitcoinica.

When the General Partners asked for apology, I gave. When they asked for respect, I also gave. I also contributed a significant portion of my personal investment to compensate the victims. I'm trying to cut down the ties but I can't, even though I owned nothing of the company since January and announced the change of management explicitly in April.

And today, there are still people claiming that I hacked the accounts. Both Mt. Gox and AurumXchange froze some of my personal funds without giving specific reasons (they did tell me some generic reasons), presumably related to Bitcoinica. I'm really nervous! (If it's unrelated, please email/PM me so that I'll feel much better.)

I can be sure that I'm not financially related to Bitcoinica, and I should never be liable for any debt of the company. I am willing to join any lawsuit against Bitcoin/Bitcoinica Consultancy Ltd and/or Bitcoinica LP as a claimant, and I also possess important but secretive documents that can only be revealed in court.

I want to do whatever I can to help you, and help myself.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
stochastic
July 24, 2012, 05:55:04 AM
 #709

Guys, I'm not happy, constantly worried and possibly scared. I didn't have a nice sleep since long time ago.

I'm really afraid of the possible criminal charges if things don't work out well. It'll be devastating to my life, considering the permanent record and inconvenience in every single official activity, even if I'm proven innocent. I know some victims are desperate, and they are going to take actions against whatever entity that's ever related to Bitcoinica.

When the General Partners asked for apology, I gave. When they asked for respect, I also gave. I also contributed a significant portion of my personal investment to compensate the victims. I'm trying to cut down the ties but I can't, even though I owned nothing of the company since January and announced the change of management explicitly in April.

And today, there are still people claiming that I hacked the accounts. Both Mt. Gox and AurumXchange froze some of my personal funds without giving specific reasons (they did tell me some generic reasons), presumably related to Bitcoinica. I'm really nervous! (If it's unrelated, please email/PM me so that I'll feel much better.)

I can be sure that I'm not financially related to Bitcoinica, and I should never be liable for any debt of the company. I am willing to join any lawsuit against Bitcoin/Bitcoinica Consultancy Ltd and/or Bitcoinica LP as a claimant, and I also possess important but secretive documents that can only be revealed in court.

I want to do whatever I can to help you, and help myself.

How much did you make on the sale of Bitcoinica?

Introducing constraints to the economy only serves to limit what can be economical.
zhoutong
July 24, 2012, 06:08:40 AM
 #710

Guys, I'm not happy, constantly worried and possibly scared. I didn't have a nice sleep since long time ago.

I'm really afraid of the possible criminal charges if things don't work out well. It'll be devastating to my life, considering the permanent record and inconvenience in every single official activity, even if I'm proven innocent. I know some victims are desperate, and they are going to take actions against whatever entity that's ever related to Bitcoinica.

When the General Partners asked for apology, I gave. When they asked for respect, I also gave. I also contributed a significant portion of my personal investment to compensate the victims. I'm trying to cut down the ties but I can't, even though I owned nothing of the company since January and announced the change of management explicitly in April.

And today, there are still people claiming that I hacked the accounts. Both Mt. Gox and AurumXchange froze some of my personal funds without giving specific reasons (they did tell me some generic reasons), presumably related to Bitcoinica. I'm really nervous! (If it's unrelated, please email/PM me so that I'll feel much better.)

I can be sure that I'm not financially related to Bitcoinica, and I should never be liable for any debt of the company. I am willing to join any lawsuit against Bitcoin/Bitcoinica Consultancy Ltd and/or Bitcoinica LP as a claimant, and I also possess important but secretive documents that can only be revealed in court.

I want to do whatever I can to help you, and help myself.

How much did you make on the sale of Bitcoinica?

I want to tell you, but I can't. It's the only thing NDA'd.

All I can say is, the money isn't enough to compensate for my unhappiness and worries during this period.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
flower1024
July 24, 2012, 06:10:52 AM
 #711


I want to tell you, but I can't. It's the only thing NDA'd.

All I can say is, the money isn't enough to compensate for my unhappiness and worries during this period.

i feel you deserve every bitcent/usd of it.
thank you again for your 5k btc.

i don't believe you are the hacker. but as soon as police is involved i am pretty sure they'll have questions for you.

i wish you all the best.
repentance
July 24, 2012, 06:14:18 AM
 #712

I want to tell you, but I can't. It's the only thing NDA'd.

All I can say is, the money isn't enough to compensate for my unhappiness and worries during this period.

Can you confirm that Wendon owns the Bitcoinica domain and IP (you said a while ago that those were what you sold and Patrick's IRC comments which were quoted here strongly suggest that Wendon was the buyer)?

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
stochastic
July 24, 2012, 06:20:34 AM
 #713

Guys, I'm not happy, constantly worried and possibly scared. I didn't have a nice sleep since long time ago.

I'm really afraid of the possible criminal charges if things don't work out well. It'll be devastating to my life, considering the permanent record and inconvenience in every single official activity, even if I'm proven innocent. I know some victims are desperate, and they are going to take actions against whatever entity that's ever related to Bitcoinica.

When the General Partners asked for apology, I gave. When they asked for respect, I also gave. I also contributed a significant portion of my personal investment to compensate the victims. I'm trying to cut down the ties but I can't, even though I owned nothing of the company since January and announced the change of management explicitly in April.

And today, there are still people claiming that I hacked the accounts. Both Mt. Gox and AurumXchange froze some of my personal funds without giving specific reasons (they did tell me some generic reasons), presumably related to Bitcoinica. I'm really nervous! (If it's unrelated, please email/PM me so that I'll feel much better.)

I can be sure that I'm not financially related to Bitcoinica, and I should never be liable for any debt of the company. I am willing to join any lawsuit against Bitcoin/Bitcoinica Consultancy Ltd and/or Bitcoinica LP as a claimant, and I also possess important but secretive documents that can only be revealed in court.

I want to do whatever I can to help you, and help myself.

How much did you make on the sale of Bitcoinica?

I want to tell you, but I can't. It's the only thing NDA'd.

All I can say is, the money isn't enough to compensate for my unhappiness and worries during this period.

Well if that lawsuit comes up then it will probably become public anyway.  You should probably get an attorney if you have not already, and the attorney will tell you to stop talking on this forum and making public statements.  I know you want to protect your reputation but forget about that.

You should really talk to an attorney that knows a thing about business organization laws.  If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.

Introducing constraints to the economy only serves to limit what can be economical.
dancingnancy
July 24, 2012, 06:23:24 AM
 #714

I am not sure of the majority consensus, but I believe ZT.  If you ever find yourself needing money, if I were you, and I am def. not, would just make a new bitcoinica with your new knowledge of past mistakes.  Let's just say you are the scammer/hacker.  If your next exchange got taken like this again and additionally no one gets paid back, well you can believe people will come for you that time.

I would most likely sign up today if I knew you put enough work into making it better than before security wise.
repentance
July 24, 2012, 06:31:21 AM
 #715


You should really talk to an attorney that knows a thing about business organization laws.  If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.

Zhou did not sell the Delaware entity (xWaylab Inc).

Quote
If you ever find yourself needing money, if I were you, and I am def. not, would just make a new bitcoinica with your new knowledge of past mistakes.

Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission).

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
stochastic
July 24, 2012, 06:37:40 AM
 #716


You should really talk to an attorney that knows a thing about business organization laws.  If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.

Zhou did not sell the Delaware entity (xWaylab Inc).

Well whatever it was that was sold.  I remember sometime in Nov or Dec a post by zhoutong stating that he was not interested in partnering or selling the site, yet in the resignation letter the sale already had or was happening.

Introducing constraints to the economy only serves to limit what can be economical.
zhoutong
July 24, 2012, 07:08:32 AM
 #717


You should really talk to an attorney that knows a thing about business organization laws.  If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.

Zhou did not sell the Delaware entity (xWaylab Inc).

Well whatever it was that was sold.  I remember sometime in Nov or Dec a post by zhoutong stating that he was not interested in partnering or selling the site, yet in the resignation letter the sale already had or was happening.

I personally trust the buyer and I would bear every responsibility if there were any problems. If Tihan didn't pay for the Linode hack, I would, because it would be my fault to push the responsibility to an unannounced acquirer.

However, I don't trust Patrick, Amir or Donald and I immediately announced it when the change of ownership happens. It's not my decision to contract them either. There is no secret at all in the last change of ownership.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
JoelKatz
July 24, 2012, 07:15:05 AM
 #718

Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission).
I doubt there's any entity remaining with the ability or will to enforce that restriction. Since they're not doing business, what would their damages be?

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
zhoutong
July 24, 2012, 07:17:40 AM
 #719

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

I don't really care about my reputation now even. If I start a bank or investment firm in my 30s, I think not many people will still mind putting their money on my hand. And I'm not going to build anything Bitcoin-related in the foreseeable future. I'll simply go back to my SaaS business.

The big problem is the criminal charge. Bitcoin is a big unknown in the legal world and anything can happen if the police touches this case (unlicensed market operation? terrorism? money laundering?). It makes possible things like migration in the future way harder than they should be.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
zhoutong
July 24, 2012, 07:20:01 AM
 #720

Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission).
I doubt there's any entity remaining with the ability or will to enforce that restriction. Since they're not doing business, what would their damages be?

It's legal for me to start a Bitcoinica clone today. I'm quite sure about that. The non-competitive clause was a gentleman agreement and it's not enforceable.

But I'm not in need of money. I still have my Bitcoin and AUD savings and I'm still doing business. I'm just not happy.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb