Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 156012 times)
Bitcoin Oz
July 14, 2012, 12:36:43 AM
 #361

Well I hope they have changed all the Intersango passwords and are using 2-factor auth on any exchange accounts. They have done this, haven't they.........

Bitcoin Oz
July 14, 2012, 12:38:43 AM
 #362

I think the probability is about the same as finding a SHA-256 collision in Bitcoin.

So it's probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc.) type attack being used to discover it; in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-


I didn't see a "lastpass master password" label on that string.

Mt.Gox Support
July 14, 2012, 12:39:46 AM
 #363


As far as Mt.Gox is concerned, and as Genjix explained, we did not suffer any breach or any hack; all other accounts are safe and the thief only targeted Bitcoinica's account. Mark (MagicalTux) has been in contact with many Bitcoin players since this announcement and offered any help we can give, but unfortunately all funds (USD & BTC) are no longer within our reach.

Once again, someone with a US IP succeeded in getting Bitcoinica's account credentials, which did not trigger any alarms since they were fully identified. Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the thief the possibility to move Bitcoinica's assets to another external account (external to MtGox).

Despite our efforts on securing Mt.Gox and protecting everyone's assets, I would like to remind everyone that it is also your responsibility to secure your account with a very strong password and use either a Yubikey or Google Auth (you can even use both at the same time).

Mt.Gox

-- EDIT --

We would like to stress that Mt.Gox verified Bitcoinica as a Company and NOT as an Individual.

To what (bank) account was the USD sent? i.e. where can we find the guy, and beat him?

We wish things could be so simple; unfortunately they are not! But if you read a little further we explain that we know how and where the money went, and we will give all these details to the appropriate authorities to get this done right. Despite what some want to believe, we at Mt.Gox are extremely furious about this situation; a lot of good people and very close friends lost a LOT of money. We of course have nothing to do with what happened and will help the community as much as we can on this matter.

Mt.Gox Support
July 14, 2012, 12:46:56 AM
 #364

Once again, someone with a US IP succeeded in getting Bitcoinica's account credentials, which did not trigger any alarms since they were fully identified. Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the thief the possibility to move Bitcoinica's assets to another external account (external to MtGox).

-- EDIT --

We would like to stress that Mt.Gox verified Bitcoinica as a Company and NOT as an Individual.


it would not be plausible for mt. gox to not know about the change in ownership in april.

did mt. gox really allow this new company to use an account at mt. gox that did not belong to them (i.e., use an account that was verified under a different name)?

after the change in ownership, there should have been a new account created (and verified) by the new owner.  because the old company didn't have any other source of income, deposits to the old company's account should have dropped towards zero.  

the kyc of aml/kyc is to know the source of the funds the customer is depositing.  mt. gox wouldn't know the source of funds if the verified owner of the account sold the business and has no other business.  these further deposits to "the bitcoinica account" should not have been made available for transfer or withdrawal until the source of the funds could be verified as truly belonging to the previously verified owner of the account.

it looks like there were multiple changes in ownership.  first was xwaylab (delaware), then [opaque change well known] then the bitcoinica lp of new zealand.

bitcoinica lp should not have been allowed to deposit to and withdraw funds from an account where the verified owner is anything other than bitcoinica lp.

here is some history:

  • On 2012/01/30 Bitcoin Consultancy became Bitcoinica Consultancy Ltd. (*1)
  • On 2012/03/22 Bitcoinica Consultancy Ltd became the General Partner of the newly formed Bitcoinica Limited Partnership (*2)
  • On 2012/03/27 Bitcoin Consultancy was retained to perform a comprehensive security audit. (*3)
  • On 2012/04/24 Bitcoin Consultancy took over ownership and daily operations of Bitcoinica from Zhou (*4)
  • On 2012/05/11 Bitcoinica was hacked due to a root password reset via a compromised email server (belonging to a member of Bitcoin Consultancy). (*5)

References:
1) http://www.business.govt.nz/companies/app/ui/pages/companies/3715077
2) http://www.business.govt.nz/fsp/app/ui/fsp/version/searchSummaryCompanyFSP/FSP207625/4.do?noReturn=true
3) https://bitcointalk.org/index.php?topic=81045.msg919130#msg919130 (Tihan's post)
4) http://bitcoinmedia.com/first-licensed-advanced-trading-platform-for-bitcoin/ (written by Donald, CEO of Bitcoin Consultancy)
5) http://bitcoinica.com (post-mortem)

Your analysis is not only wrong but straight up defamation.

Bitcoin Consultancy LTD is a UK Limited company which is neither owned nor owns any other company.
Intersango LTD is a UK Limited company which is neither owned nor owns any other company.
Bitcoinica LP is a New Zealand Limited Partnership.
Core Credit LTD is a New Zealand Limited Company and the General Partner of Bitcoinica LP.
Core Credit LTD was renamed to Bitcoinica Consultancy LTD significantly after the events occurred.

disclaimer: i am not a lawyer

We cannot of course give such details here on a public forum, but I can tell you that we have been VERY cautious when this particular change of ownership happened. We of course used the advice of our Lawyer and acted accordingly. We did not let this change of ownership happen until we were fully satisfied with the documents that were sent over to us.

bpd
July 14, 2012, 12:47:40 AM
 #365

I think the probability is about the same as finding a SHA-256 collision in Bitcoin.

So it's probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc.) type attack being used to discover it; in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-


I didn't see a "lastpass master password" label on that string.

This.

Was ANYONE here even aware that the bitcoinica source code had been leaked, prior to genjix's OP on this thread?

Plugging the file URL into Google gives only a handful of results, with this thread being the earliest incidence of it, as far as I can tell.

That, plus the fact that the tar file appears to have been packed by username genjix.

Additionally, there's the fact that the lastpass password was supposedly the MtGOX KEY (username) and not the SECRET. A bizarre thing to do, which smells more like it's a fuck-up in an attempt to make up a plausible hack story.

The whole story is just too cute for me.
Mt.Gox Support
July 14, 2012, 12:58:59 AM
 #366

Which is BS since you can be a level 47 verified and you all will sit on a wire transfer for weeks. Especially a larger transfer.

No BS here. As I said before and as Mark explained, we cannot discuss these details here; however, I strongly advise you to read the 20 pages of this thread.

PS. We are on your side not against you.

bitcoinBull
July 14, 2012, 12:59:15 AM
 #367

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting.


And look at who packed it... surprise surprise
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/


That's not the encoded file. You're still looking at genjix's re-pack.

[...]

After, I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

Try it yourself.


You're right, my mistake.

This line is in the original encoded file.

Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

This shows that somebody accessed genjix's copy of the bitcoinica source code (maybe it was on that VPS which also had the SSH key which was re-used on the consultancy's e-mail server for the prior breach).

But how did you get this to claim that he packed it:
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.

Bitcoin Oz
July 14, 2012, 01:00:58 AM
 #368

How did the hacker also get access to genjix's account on github?

sadpandatech
July 14, 2012, 01:01:54 AM
 #369

How did the hacker also get access to genjix's account on github?

that is what I am wondering, with following that part of the thread..

Raoul Duke
aka psy
July 14, 2012, 01:11:03 AM
Last edit: July 14, 2012, 01:24:23 AM by psy
 #370

But how did you get this to claim that he packed it:
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.

This
Code:
$ tar -jtvf bit.tar.bz2 | head -n1
gives this
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/
which means that the bitcoinica_legacy folder that was packed to the encrypted file had the owner genjix from group genjix and was last modified at 2012-07-07 20:18

If I unpack the file to my system it will have owner "me" from group "me". If I pack it again and run the above command it will give me a similar line but with my name and the date on which the folder was created/modified on my system when I unpacked it.

I posted all you needed to do. Not sure why you're asking lol

Bitcoin Oz
July 14, 2012, 01:13:53 AM
 #371

How did the hacker also get access to genjix's account on github?

I did git pull; it looks like genjix's account requires a public key.


The authenticity of host 'github.com (207.97.227.239)' can't be established.
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,207.97.227.239' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: The remote end hung up unexpectedly



If only you needed a public key to withdraw from Gox.

rjk
July 14, 2012, 01:14:22 AM
 #372

LastPass offers this following cool feature: The ability to share a saved password with a third party, while both keeping said password secret and not sharing the rest of your passwords. You can see a screenshot of how it works below.
IF we assume that passwords were being shared using this facility, then we can also reasonably assume that each LastPass user has his own password that is different. Therefore, I would like to know WHOSE LastPass got compromised.


bitcoinBull
July 14, 2012, 01:21:41 AM
 #373

How did the hacker also get access to genjix's account on github?

that is what I am wondering, with following that part of the thread..

It wasn't from genjix's github account. Genjix cloned the github repo to his own box <genjix@nite.(none)>. It was accessed from there.



But how did you get this to claim that he packed it:
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.

This
Code:
$ tar -jtvf bit.tar.bz2 | head -n1
gives this
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/
which means that the bitcoinica_legacy folder that was packed to the encrypted file had the owner genjix from group genjix and was last modified at 2012-07-07 20:18

I posted all you needed to do. Not sure why you're asking lol

Thanks. So the leaker who accessed genjix's box packed it on his box as him. That's why it says genjix/genjix, genjix's box was hacked.

Raoul Duke
aka psy
July 14, 2012, 01:28:10 AM
 #374

How did the hacker also get access to genjix's account on github?

that is what I am wondering, with following that part of the thread..

It wasn't from genjix's github account. Genjix cloned the github repo to his own box <genjix@nite.(none)>. It was accessed from there.



But how did you get this to claim that he packed it:
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.

This
Code:
$ tar -jtvf bit.tar.bz2 | head -n1
gives this
Code:
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/
which means that the bitcoinica_legacy folder that was packed to the encrypted file had the owner genjix from group genjix and was last modified at 2012-07-07 20:18

I posted all you needed to do. Not sure why you're asking lol

Thanks. So the leaker who accessed genjix's box packed it on his box as him. That's why it says genjix/genjix, genjix's box was hacked.

genjix's box was hacked? Who told you that?

So, the simplest explanation is the one you gave and not that genjix himself leaked the source code?
sadpandatech
July 14, 2012, 01:32:38 AM
 #375


Thanks. So the leaker who accessed genjix's box packed it on his box as him. That's why it says genjix/genjix, genjix's box was hacked.

genjix's box was hacked? Who told you that?

So, the simplest explanation is the one you gave and not that genjix himself leaked the source code?
no one is giving an 'explanation'. We are just trying to trace this stuff back as close to 'source' as possible..


@BitcoinBull  I assume by 'box' you mean his personal computer?

bitcoinBull
July 14, 2012, 01:34:34 AM
 #376

Therefore, I would like to know WHOSE LastPass got compromised.

Tihan created the LastPass account (I believe from reading his post). My guess, Tihan set the password by copy-pasting the mtgox api key, which was in a text file given to him by zhoutong.

Tihan shared the LastPass account and password with Bitcoin Consultancy, who "assumed" it was "secure", so he's blaming them because they didn't tell Tihan to change it. I agree with Tihan, they should have recognized it as the API key and changed it, both because the hyphens are suggestive of an API key and because they should have already seen the same string in the bitcoinica source code (failed to put 1 + 1 together). In any case, they should have changed it.

proudhon
July 14, 2012, 01:36:02 AM
 #377

Which is BS since you can be a level 47 verified and you all will sit on a wire transfer for weeks. Especially a larger transfer.

No BS here. As I said before and as Mark explained, we cannot discuss these details here; however, I strongly advise you to read the 20 pages of this thread.

PS. We are on your side not against you.

Just want to pop in and say thanks to MtGox for pursuing this.

Raoul Duke
aka psy
July 14, 2012, 01:37:07 AM
 #378


Thanks. So the leaker who accessed genjix's box packed it on his box as him. That's why it says genjix/genjix, genjix's box was hacked.

genjix's box was hacked? Who told you that?

So, the simplest explanation is the one you gave and not that genjix himself leaked the source code?
no one is giving an 'explanation'. We are just trying to trace this stuff back as close to 'source' as possible..


@BitcoinBull  I assume by 'box' you mean his personal computer?

I will not give much importance to bitcoinBull's assumptions as 20 minutes ago he was assuming I was looking at the file on the OP and not at the file I had downloaded from the link at the pastebin and decoded with the instructions posted at reddit...
sadpandatech
July 14, 2012, 01:41:01 AM
 #379


Thanks. So the leaker who accessed genjix's box packed it on his box as him. That's why it says genjix/genjix, genjix's box was hacked.

genjix's box was hacked? Who told you that?

So, the simplest explanation is the one you gave and not that genjix himself leaked the source code?
no one is giving an 'explanation'. We are just trying to trace this stuff back as close to 'source' as possible..


@BitcoinBull  I assume by 'box' you mean his personal computer?

I will not give much importance to bitcoinBull's assumptions as 20 minutes ago he was assuming I was looking at the file on the OP and not at the file I had downloaded from the link at the pastebin and decoded with the instructions posted at reddit...

well, in your opinion, did it come from his github or his computer? And would it not be easy enough to edit that stuff to make it look like it came from a particular source?

Raoul Duke
aka psy
July 14, 2012, 01:43:42 AM
 #380


Thanks. So the leaker who accessed genjix's box packed it on his box as him. That's why it says genjix/genjix, genjix's box was hacked.

genjix's box was hacked? Who told you that?

So, the simplest explanation is the one you gave and not that genjix himself leaked the source code?
no one is giving an 'explanation'. We are just trying to trace this stuff back as close to 'source' as possible..


@BitcoinBull  I assume by 'box' you mean his personal computer?

I will not give much importance to bitcoinBull's assumptions as 20 minutes ago he was assuming I was looking at the file on the OP and not at the file I had downloaded from the link at the pastebin and decoded with the instructions posted at reddit...

well, in your opinion, did it come from his github or his computer? And would it not be easy enough to edit that stuff to make it look like it came from a particular source?

Anything is possible. I could create a VM and have a user with the name genjix and achieve the same result.
That still doesn't give me a solution to be able to clone a private github repo, much less edit the HEAD file to include genjix's name on it, for I would need to clone the repo first.
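The two provenance checks the thread relies on, reading the packer's owner/group/mtime out of the tar headers (posts #370 and #380) and the clone entry in .git/logs/HEAD (post #367), as an added Python example that is not part of this thread. It parses the reflog line quoted above and builds its own small archive in memory; the owner names "alice" and "bob" and the directory mtime are constructed placeholders, and the archive listing shows the mtime in UTC rather than the local time `tar -tv` prints.

```python
import io
import tarfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The .git/logs/HEAD line quoted in the thread (git appends one such line per ref update).
REFLOG_LINE = (
    "0000000000000000000000000000000000000000 "
    "939e877106a5bd479f350adc6d9e4170c62df8f3 "
    "genjix <genjix@nite.(none)> 1338505438 +0200"
    "\tclone: from git@github.com:bitcoinica/bitcoinica_legacy.git"
)


@dataclass
class ReflogEntry:
    old_sha: str
    new_sha: str
    name: str
    email: str
    when_utc: datetime
    tz_offset: str  # as git wrote it, e.g. "+0200"
    message: str

    def when_local(self) -> datetime:
        """The same instant in the timezone git recorded for the committer."""
        sign = 1 if self.tz_offset[0] == "+" else -1
        off = timedelta(hours=int(self.tz_offset[1:3]), minutes=int(self.tz_offset[3:5]))
        return self.when_utc.astimezone(timezone(sign * off))


def parse_reflog_line(line: str) -> ReflogEntry:
    """Parse '<old-sha> <new-sha> <name> <email> <unix-ts> <tz>\\t<message>'."""
    header, _, message = line.rstrip("\n").partition("\t")
    old_sha, new_sha, ident = header.split(" ", 2)
    lt, gt = ident.index("<"), ident.index(">")  # email sits between angle brackets
    name, email = ident[:lt].strip(), ident[lt + 1:gt]
    ts, tz = ident[gt + 1:].split()
    when_utc = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return ReflogEntry(old_sha, new_sha, name, email, when_utc, tz, message)


def pack_dir(dirname: str, uname: str, gname: str, mtime: int) -> bytes:
    """Build a .tar.bz2 in memory whose first member is a directory.

    tar normally copies uname/gname/mtime from the packer's filesystem; setting them
    directly shows the header holds whatever the packing side supplied.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        info = tarfile.TarInfo(name=dirname)
        info.type = tarfile.DIRTYPE
        info.mode = 0o755
        info.uname, info.gname, info.mtime = uname, gname, mtime
        tar.addfile(info)
    return buf.getvalue()


def first_member_identity(archive: bytes) -> tuple[str, str, str]:
    """What `tar -jtvf x.tar.bz2 | head -n1` reports: owner, group, mtime (UTC here)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:bz2") as tar:
        member = tar.next()
    stamp = datetime.fromtimestamp(member.mtime, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
    return member.uname, member.gname, stamp


if __name__ == "__main__":
    entry = parse_reflog_line(REFLOG_LINE)
    print(entry.name, entry.when_utc.isoformat(), entry.when_local().isoformat())
    # Constructed archive with a placeholder owner; repacking elsewhere records that user instead.
    print(first_member_identity(pack_dir("bitcoinica_legacy", "alice", "alice", 1341692280)))
    print(first_member_identity(pack_dir("bitcoinica_legacy", "bob", "bob", 1341692280)))
```

The header fields therefore corroborate who packed the file only to the extent the packing system is trusted; a matching name is consistent with the account being used, not proof of who was at the keyboard.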