Bitcoinica MtGox account compromised

[Phinnaeus Gage]

did anyone else find it ironic that this happened on friday the 13th?  

I did, hence one of my over-the-size-limit Readers Digest Large Print posts. (though at the time I was bringing attention to the time of day [local] that Mt Gox support was posting)

~Bruno~

PS: BRB, all. Making a fresh pot of coffee. Anybody want some?

[Mistafreeze]

And now everyone imagine that it is year 2020 and 1 BTC worth 1 000 000 USD 1kg of gold.

First we need the americans to realise what a kilogram is.

Imperial units 4 life!!

 

[davout]

PS: BRB, all. Making a fresh pot of coffee. Anybody want some?

Count me in baby

[Vladimir]

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.

[hazek]

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.

Will you say the same to those who will experience a loss once pirateat40 runs?

[bitcoinBull]

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).

[...]
While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:

genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb 
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
    end
end

Sourcecode download link: http://depositfiles.com/files/2p6zvadzs
[...]

Had anyone heard of this source code leak? This is the first time I'm hearing of it..

[davout]

Will you say the same to those who will experience a loss once pirateat40 runs?

lol

[davout]

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).

The API keys *were* revoked.

[rdponticelli]

Two things are infinite, the universe and human stupidity, and I am not yet completely sure about the universe.

By malice, negligence or whatever, the sad truth is that this is already nothing but a huge scam.

Doesn't make sense to stay kicking this dead body, lets just move on...

[rjk]

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).

The API keys were revoked immediately, read the beginning of the last "hack" thread. The problem this time is that the withdrawal was via a normal login, which wasn't protected with 2 factor authentication.

As for the API-key-as-a-master-password fuckup, well I don't have enough info on that to make a judgement. Was that password implemented in the assumption that the source would not be released? Perhaps that's what it was set to AFTER the previous hack (stupid)? Maybe no one correlated it with the API key, and didn't realize the significance?

[markm]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

[Vladimir]

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.

Will you say the same to those who will experience a loss once pirateat40 runs?

In general, yes.

BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.

[hazek]

@DarkEmi @hatshepsut  and all others.
Sorry to put you up front with the hard truth, buth...
Rule #1: Don't invest money you cannot afford to lose.
I am pretty sure iam not the first one that tells you this right?

Blame the victim is never a good argument.

Will you say the same to those who will experience a loss once pirateat40 runs?

In general, yes.

BUT, with ponzi schemes this is a bit different. Coz some of the "victims" are more like co-conspirators.

I think you're stretching it a bit.. If you truly want to blame anyone (the concept of blame is stupid anyway since I don't believe we have such a thing as free will) meaning you want to find the cause of the effect then you can't really ignore the actions of the victim. Like with a ponzi even here they must have seen ample red flags and warnings by other skeptics and yet decided to risk their money. And once you are in a risk vs reward scenario and the reward doesn't pan out and instead you experience the risk event you were expecting some of the time I don't see how you don't carry partial blame for losing your money.

[paraipan]

...

lol


This is amazing..  wow...  

Companies like this will ruin bitcoin..

Don't be so sure about that, this is the wild west and bitcoin (read digital gold) is our business...

Quite dramatic change when comparing present comments with the ones you were making a few months back.

[kiba]

I think you're stretching it a bit.. If you truly want to blame anyone (the concept of blame is stupid anyway since I don't believe we have such a thing as free will) meaning you want to find the cause of the effect then you can't really ignore the actions of the victim. Like with a ponzi even here they must have seen ample red flags and warnings by other skeptics and yet decided to risk their money. And once you are in a risk vs reward scenario and the reward doesn't pan out and instead you experience the risk event you were expecting some of the time I don't see how you don't carry partial blame for losing your money.

On closer inspection, I don't like people's money going into a very large ponzi scheme that will impact the confidence and the economy at large. I can only say "I warn ya".

[Aseras]

How exactly did they get 40K out of Gox without having to wait 2 weeks?

[Vladimir]

hazek, it is getting way off topic. let's stop this discussion in this thread.

But it is either my English so bad, or your reading comprehension is below average today. You are arguing exactly my point and then saying that I am wrong. WTF?

[bitcoinBull]

Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).

The API keys were revoked immediately, read the beginning of the last "hack" thread. The problem this time is that the withdrawal was via a normal login, which wasn't protected with 2 factor authentication.

As for the API-key-as-a-master-password fuckup, well I don't have enough info on that to make a judgement. Was that password implemented in the assumption that the source would not be released? Perhaps that's what it was set to AFTER the previous hack (stupid)? Maybe no one correlated it with the API key, and didn't realize the significance?

Ah, somebody downloaded LastPass and sync'd it with an accoung using info@bitcoinica.com as the log-in using the revoked mtGox API key as the password. This gave them all the passwords for that account, including the regular MtGox password (no 2-factor auth).

And it sounds like three separate people/groups had full access to the info@bitcoinica.com LastPass account: zhoutong (who presumably set it up), Tihan (who passed it to "bitcoin consultancy"), and bitcoin consultancy.

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

I don't think there is a separate encryption passphrase for LastPass, the master password is the encryption passphrase.

https://lastpass.com/features_free.php

Your sensitive data is encrypted on your PC. Only your LastPass password can unlock your data and only YOU have it.

[koin]

Once again, someone with a US IP succeed to get Bitcoinica's account credential which did not trigger any alarms since they were fully identified. Since Bitconica's account was a verified account the owner of this account asked (This happened when Zhou was still controlling Bitconica) to have his limits lifted to the maximum possible, giving the possibility to the thief to move Bitcoinica's assets to another external account (External to MtGox).

-- EDIT --

We would like to stress that Mt.Gox Verified Bitconica as a Company and NOT as an Individual.

it would not be plausible for mt. gox to not know about the change in ownership in april.

did mt. gox really allow this new company to use an account at mt. gox that did not belong to them (i.e., use an account that was verfied under a different name)?

after the change in ownership, there should have been a new account created (and verified) by the new owner.  because the old company didn't have any other source of income, deposits to the old company's account should have dropped towards zero.  

the kyc of aml/kyc is to know the source of the funds the customer is depositing.  mt. gox wouldn't know the source of funds if the verified owner of the account sold the business and has no other business.  these further deposits to "the bitcoinica account" should not have been made available for transfer or withdrawal until the source of the funds could be verified as truly belonging to the previously verified owner of the account.

it looks like there were multiple changes in ownership.  first was xwaylab (delaware), then [opaque change well known] then the bitcoinica lp of new zealand.

bitcoinica lp should not have been allowed to deposit to and withdaw funds from an account where the verified owner is anything other than bitcoinica lp.

here is some history:

• On 2012/01/30 Bitcoin Consultancy became Bitcoinica Consultancy Ltd. (*1)
• On 2012/03/22 Bitcoinica Consultancy Ltd became the General Partner of the newly formed Bitcoinica Limited Partnership (*2)
• On 2012/03/27 Bitcoin Consultancy was retained to perform a comprehensive security audit. (*3)
• On 2012/04/24 Bitcoin Consultancy took over ownership and daily operations of Bitcoinica from Zhou (*4)
• On 2012/05/11 Bitcoinica was hacked due to a root password reset via a compromised email server (belonging to a member of Bitcoin Consultancy). (*5)

References:
1) http://www.business.govt.nz/companies/app/ui/pages/companies/3715077
2) http://www.business.govt.nz/fsp/app/ui/fsp/version/searchSummaryCompanyFSP/FSP207625/4.do?noReturn=true
3) https://bitcointalk.org/index.php?topic=81045.msg919130#msg919130 (Tihan's post)
4) http://bitcoinmedia.com/first-licensed-advanced-trading-platform-for-bitcoin/ (written by Donald, CEO of Bitcoin Consultancy)
5) http://bitcoinica.com (post-mortem)

Your analysis is not only wrong but straight up defamation.

Bitcoin Consultancy LTD is a UK Limited company which is neither owned nor owns any other company.
Intersango LTD is a UK Limited company which is neither owned nor owns any other company.
Bitcoinica LP is a New Zealand Limited Partnership.
Core Credit LTD is a New Zealand Limited Company and the General Partner of Bitcoinica LP.
Core Credit LTD was renamed to Bitcoinica Consultancy LTD significantly after the events occurred.

disclaimer: i am not a lawyer

[davout]

disclaimer: i am not a lawyer

but your point sounds about right