Bitcoinica MtGox account compromised

[aq]

Mt. Gox reported me to the police when my wife tried to send me funds...

Because usually it is the other way around
SCNR

[1714003254]

1714003254

[1714003254]

1714003254

[1714003254]

1714003254

[1714003254]

1714003254

[rjk]

Guys.
This is LastPass:


LastPass free version supports Google Authenticator:


It also supports grid authentication:


For only $12 PER YEAR, it also supports Yubikeys:


How to add a Yubikey to LastPass (won't work with a MtGox Yubikey):


How to authenticate to LastPass with a Yubikey:


Longer passwords are not more secure if they are stored anywhere!

This is MtGox:


MtGox supports Google Authenticator:


They also support Yubikey, via a custom-branded device:


I think you get the idea. It's FUCKING SIMPLE to enable one or all of these options!

I have one other beef: MtGox needs to offer an option to require telephone confirmation of large withdrawals. This can be automated. If the withdrawal is unusual (40+k BTC or USD or whatever), DON'T FUCKING APPROVE IT INSTANTLY!

[BadBitcoin (James Sutton)]

Why not just give the funds to Pirate, wait a month and have it back to 100%.

Hahaha, no

 

I recommend patrick.

[guruvan]

Just like the 18k BTC theft, this one is also very convenient.

I imagine no police report also on this one.

Bullshit. You guys(Bitcoinica customers) are being taken for a ride.

Seriously  - the story is no longer plausible. You guys are clearly acting with criminal intent, or negligence. I'm finding negligence harder and harder to believe.

MODS - SCAMMER TAGS ARE NOW NECESSARY!!! This is BEYOND a scam.

The theft that closed bitcoinica was a farce, and too convenient, especially after watching all of the red flags leading up to that event.

I'm truly surprised it too this long for them to repay funds to all their friends and then steal the rest of the money.

[iamapi]

Can I say dirty words?
If not, I have nothing to say!

[proudhon]

Can I say dirty words?
If not, I have nothing to say!

Go on...

[Maged]

Why not just give the funds to Pirate, wait a month and have it back to 100%. Also after that month let Pirate keep it to give out to who he thinks is owed. I trust him way better than intersango at this point.

Fuck it, they might as well at this point. The remaining funds will be hacked shortly, otherwise. Better to invest in a (suspected) ponzi than to just give it away to the hackers. Because they WILL get it. The Bitcoinica team is just too incompetent not to give it to the hackers.

[muyuu]

Mt. Gox reported me to the police when my wife tried to send me funds...

Because usually it is the other way around
SCNR

That's fair enough Never had a bird send me money. Suspicious activity.

[Maria]

https://bitcointalk.org/index.php?topic=53315.msg635291#msg635291

I thought you needed a YUBIKEY to withdrawal that amount!

PLAN B

[proudhon]

Why not just give the funds to Pirate, wait a month and have it back to 100%. Also after that month let Pirate keep it to give out to who he thinks is owed. I trust him way better than intersango at this point.

Fuck it, they might as well at this point. The remaining funds will be hacked shortly, otherwise. Better to invest in a (suspected) ponzi than to just give it away to the hackers. Because they WILL get it. The Bitcoinica team is just too incompetent not to give it to the hackers.

What's the total that bitoinica related ventures have given to hackers so far?

[ElectricMucus]

Hacked, no backup and then hacked again?



This is a scam, i no more believe the hacking bullshit  

+1 for scam

I'm glad I haven't had any money there to speak of.

[BadBear]

This is like a parody at this point. Monty Pythons Life in Bitcoinica.

It's almost hard to believe that anyone can make so many mistakes, makes me wonder if it's an inside job.

[iddo]

Ok, fine.  But such details do exist, yes?  I'm not asking you to disclose that information here.  I just want to confirm that you can track where the USD went.

As I said we know how and where the USD moved, so yes.

Do the Bitcoinica people also know where the 40K USD went, or MtGox requires police subpoena before they could provide the details to the owners of Bitcoinica ?

[allten]

Bitcoins ok, but how 40k dollars disappear? how withdrawn? I do not know how mtgox codes work, but you can not really know where are redeemed? Other options dwolla? OKPAY? Bitinstant? LR? I really can't believe that you can move dollars without knowing where, how and to whom.

We know how and where the USD moved, but unfortunately those funds are not under our control anymore.

Well, no shit they're not under your control, but you do know to whose account they moved, right?

Last thing I heard was it took weeks to transfer 1000.00 dwolla, weeks for SEPA transfers.. When did you start processing INSTANT 40K USD withdrawals? That is a hell of a nice feature to announce!

Roberto, keep your eyes open amigo, I think they are going to drop the shitbag on you.

Maria.

+1000. It took forever to my USD out. And I mean forever. Verified account and all between both ends.

[vampire]

Why not just give the funds to Pirate, wait a month and have it back to 100%. Also after that month let Pirate keep it to give out to who he thinks is owed. I trust him way better than intersango at this point.

Fuck it, they might as well at this point. The remaining funds will be hacked shortly, otherwise. Better to invest in a (suspected) ponzi than to just give it away to the hackers. Because they WILL get it. The Bitcoinica team is just too incompetent not to give it to the hackers.

What's the total that bitoinica related ventures have given to hackers so far?

Feb ~ 200k USD
May ~ 91k USD
Today ~ 300k USD

[jcp]

Occam's Razor says some shady stuff is going down.

It's fairly obvious that the money should've been returned to bitcoinica deposit clients a long time ago. It doesn't take this long to verify account information. Zhoutong's passive aggressive missives on this board shows that there might be something weird going down behind the scenes.

Currently we have no clear indication of who the owners are, I believe in the interest of transparency, the ownership structure as well as all roles of individuals involved for Bitcoinica should be made clear. This has near-zero security implications, and people holding balances are owed that much after this security breach.

Quite frankly, unless the ownership structure is made clear, there is a non-zero probability that non-principals that are involved may be unwitting accomplices to a scam. Assuming Zhoutong is an independent actor, he should ask himself whether he received payment for selling full equity where assets are strip-mined and stolen after transfer of the equity stake -- I'd be especially curious if he received a payment relative to the NPV seems a little too good to be true (unless of course, he did not realize that client funds were to be stolen upon ownership transfer). Assuming genjix / Bitcoin Consultancy et al are independent actors, they should be asking hard questions about their relative independent agency with regards to payment distribution and the worth of their association with this and the material risk if the owner is scamming them.

Storing your lastpass password as an API key in plaintext is beyond bizarre, no one in their right mind would do such a thing. This isn't SQL injection level incompetence we're talking about here, that happens all the time. Using an incredibly important password that gives access to all your online account and placing it in a plain-text API key is a poor excuse and isn't plausible at all.

Last bit of advice: Bitcoinica should put all their USD deposits in a real bank account, with real bankers. You have enough funds to have a personal relationship with a banker that will give you a courtesy call when large withdrawals are made. Mt Gox should consider locking all accounts even remotely associated with Bitcoinica. If they have more funds in other mtgox accounts, they should be locked due to material risks of bitcoinica ownership not acting in good faith.

Waiting far too long to return money plus now a claimed hacking with partial default implies that they needed time to transfer money elsewhere. This is a very serious accusation, but until we have a clear picture on why it is taking so long, who the owners are, and the bizarre use of a master password as a plaintext API key, Occam's Razor says the odds of the owner acting in good faith is not perfect.

[rjk]

And now the forum is absolutely crawling to a standstill. Are we being slashdotted or something? Or is some basement dwelling fuckup using a DDoS against an innocent messenger?

[muyuu]

Do we have a link to the actual transaction(s)?

I've spent some time reading through the rants but couldn't find it.

Cheers.

[proudhon]

Remember this:

To be honest, your age isn't a problem, because the average above-average developer is still not competent to write this sort of software. If you had been doing security and financial software since birth, I might consider putting a bit of trust in the kitty to start.

I'm going to pitch a different take than a few others: Yes, great initiative, please keep trying things and building things, but end this project now. There are no probable outcomes where you do not end up having to explain where thousands of dollars of other people's money went to some angry people. There's also very nontrivial odds of being on the wrong end of armed Federal agents, based on some of the other comments you've made here. This is a horrible, horrible first-project sort of project.

Let me put it this way: Would you be willing to convert the BitCoins in your system into cash, put it in your front window, and post daily pictures of the pile of cash to your Facebook account, set to public visibility? Because that's roughly what you're doing.

+1 to this guy.

[guruvan]

Why not just give the funds to Pirate, wait a month and have it back to 100%. Also after that month let Pirate keep it to give out to who he thinks is owed. I trust him way better than intersango at this point.

Fuck it, they might as well at this point. The remaining funds will be hacked shortly, otherwise. Better to invest in a (suspected) ponzi than to just give it away to the hackers. Because they WILL get it. The Bitcoinica team is just too incompetent not to give it to the hackers.

Yeah. The hackers will get it. Alas, the hackers are likely the people who set the password to the API key so that a "hack" could be later perpetrated.

Is there really any more money to give to pirate? Oh - but never mind. They'll make sure to use a password  that's easily compromised, and the payout address will get changed, and the money will be sent to the same blackhole that the rest of our money went to (probably Patrick's offshore account - funny he walked away, isn't it?)

Yeah - I trust pirate WAY more than these clowns. At this point, it certainly looks like MtGox has at least one complicitous employee that provided support for this theft. really - regular customers can hardly withdraw $1000USD and a thief bails with $40grand? Fuck you. Either MtGox is lying about all the slow withdrawals the past several weeks (and is not solvent as some suggest) or they're likely to be acting in concert with the thief.  I'm glad my MtGox account is now empty. I suspect there will be more problems there from now on. this has spiraled out of control.

Yeah - I stand by my ORIGINAL statements from right after the closure of bitcoinica. ZT knew that it was going to close, and this is why he was cashing out via forums before hand. This was very carefully planned from the get go. The changed ToS, leading to the lost funds and closure, leading to friends being repayed, and non-friends being delayed, leading to the compromise the MtGox account with the money for the rest of the customers.

This case shows a pattern of premeditated security lapses resulting in significant "losses" to be born by the customers. I cannot see how this is not criminal.

Someone belongs in prison. Want to take a guess who that should be?