Bitcoinica MtGox account compromised

[bitcoinBull]

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

I don't really care about my reputation now even. If I start a bank or investment firm in my 30s, I think not many people will still mind putting their money on my hand. And I'm not going to build anything Bitcoin-related in the foreseeable future. I'll simply go back to my SaaS business.

The big problem is the criminal charge. Bitcoin is a big unknown in the legal world and anything can happen if the police touches this case (unlicensed market operation? terrorism? money laundering?). It makes possible things like migration in the future way harder than they should be.

Contact Tihan or Wendon (or whoever) and find out how they plan to move forward.

At this point, if they can return just 70% of the BTC, that would IMO be reasonable given the recent price increase. Arguably, its roughly comparable to closing all positions and returning people's funds in USD (BTC valued at $5).

Whatever the final arrangement, the best thing to do now is for the owners to first and foremost announce what their plans are. Hopefully that is return at least the 70% or whatever they have ASAP.

Its going on two weeks now and there has been no word from Tihan other than that "the fund" will pursue legal action against "bitcoinica consultancy". Whatever legal action the fund takes is only indirectly related to depositors' claims, and I personally don't care. I want to know how and when the owners will process claims.

[1713450592]

1713450592

[1713450592]

1713450592

[1713450592]

1713450592

[disclaimer201]

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

I don't really care about my reputation now even. If I start a bank or investment firm in my 30s, I think not many people will still mind putting their money on my hand. And I'm not going to build anything Bitcoin-related in the foreseeable future. I'll simply go back to my SaaS business.

The big problem is the criminal charge. Bitcoin is a big unknown in the legal world and anything can happen if the police touches this case (unlicensed market operation? terrorism? money laundering?). It makes possible things like migration in the future way harder than they should be.

Contact Tihan or Wendon (or whoever) and find out how they plan to move forward.

At this point, if they can return just 70% of the BTC, that would IMO be reasonable given the recent price increase. Arguably, its roughly comparable to closing all positions and returning people's funds in USD (BTC valued at $5).

Whatever the final arrangement, the best thing to do now is for the owners to first and foremost announce what their plans are. Hopefully that is return at least the 70% or whatever they have ASAP.

Its going on two weeks now and there has been no word from Tihan other than that "the fund" will pursue legal action against "bitcoinica consultancy". Whatever legal action the fund takes is only indirectly related to depositors' claims, and I personally don't care. I want to know how and when the owners will process claims.

There'll be no more refunds now I'm afraid. They don't even care anymore. And Zhou will get in legal trouble. And that's the way it should be.

[DarkEmi]

@Bitcoinbulls : I deposited bitcoins, I expect to be paid in bitcoins.

Be payed in USD would be ok ONLY if would have been done in a short time manner. Else, why not in whathever currency is at its lowest right now.

Zhou, I can relate to your unhappiness. Except mine is for financial reasons. Hopefully everything will end well at some point...

And ofc there is no communication and NO updates wathsoever from the intersango guys.
How can 2 of them leave in such horrible circonstances is fucked up. And how can they not communicate is beyond me. They have depressed people here and tehre and they just leave. Come on.

@Bitcoinbulls sorry I probably read you in the wrong way. Yes at this point getting back 70% of the btc would be much better than the current mess. It doesnt mean that all is settled afterwards but everyone would be then much more relaxted and calm.

I would not tell you what some menbers of my familly suggested, they have a rather more "old school" way of handling debtors. Guys from intersango should be pretty happy that all the guys that deposited bitcoin are more civilised than that.

[Vladimir]

To the best of my understanding the position of "Intersango trio" now is:

"FUCK YOU ALL! WE WILL KEEP THE MONEY! SUE US! (but our other businesses such as intersango and bitcoin conference in London are safe and you should use/attend it)"

And I would think the victims here are all the depositors, Tihan/Wendon and Zhou. I think that we all need to get together and bring legal action against Bitcoinica GP, and the "Intersango trio" with intent to breach the veil of limited liability based on their alleged gross negligence.

[disclaimer201]

To the best of my understanding the position of "Intersango trio" now is:

"FUCK YOU ALL! WE WILL KEEP THE MONEY! SUE US! (but our other businesses such as intersango and bitcoin conference in London are safe and you should use/attend it)"

And I would think the victims here are all the depositors, Tihan/Wendon and Zhou. I think that we all need to get together and bring legal action against Bitcoinica GP, and the "Intersango trio" with intent to breach the veil of limited liability based on their alleged gross negligence.

I really hope the Bitcoin conference fails miserably this year. The majority of people who were asked for the location didn't even want it to be in London to begin with, but that was just done away with. What's the point of having a BTC conference in the UK, a well known police-state? To be close to and hook up with banksters? This really was the main argument, you will need big 'traditional' finance to support BTC. I believe Bitcoin needs exactly the opposite. Are we sleeping with the enemy now? Who is running this BTC shit anyways? Just some thoughts here on my side. Meanwhile, genjix is doing the conference schedule.  Really?

[repentance]

I think that we all need to get together and bring legal action against Bitcoinica GP, and the "Intersango trio" with intent to breach the veil of limited liability based on their alleged gross negligence.

That's only worthwhile if you suspect that they have personal assets which could be used to pay creditors.  A liquidator would examine whether the directors of the GP have any personal liability anyway.

[lonelyminer (Peter Šurda)]

Vladimir,

To the best of my understanding the position of "Intersango trio" now is:

"FUCK YOU ALL! WE WILL KEEP THE MONEY! SUE US! (but our other businesses such as intersango and bitcoin conference in London are safe and you should use/attend it)"

It's actually more complicated than that. It appears that a significant proportion of Bitcoinica's deposits are on Mt. Gox, and Mt. Gox froze the account (and are unlikely to unfreeze it until there is significant development).

And I would think the victims here are all the depositors, Tihan/Wendon and Zhou. I think that we all need to get together and bring legal action against Bitcoinica GP, and the "Intersango trio" with intent to breach the veil of limited liability based on their alleged gross negligence.

And that's what we're trying to do in the Bitcoinica Fund Recovery Initiative, unfortunately as you know it's not easy. I'm not a legal specialist, I just try to get as many of the big creditors on board as possible.

[Vladimir]

It's actually more complicated than that. It appears that a significant proportion of Bitcoinica's deposits are on Mt. Gox, and Mt. Gox froze the account (and are unlikely to unfreeze it until there is significant development).

I bet desire to pay depositors some money would be exactly the development mtgox considers as significant.

And that's what we're trying to do in the Bitcoinica Fund Recovery Initiative, unfortunately as you know it's not easy. I'm not a legal specialist, I just try to get as many of the big creditors on board as possible.

"Big creditors", contact lonelyminer.

[lonelyminer (Peter Šurda)]

I bet desire to pay depositors some money would be exactly the development mtgox considers as significant.

Sure, but my point was that Intersango can't actually keep the money for the time being. So it's more like "F*** you, we're not giving you your money back, but we're also not benefiting from it in any way whatsoever". It's like the ludicrous speed in Spaceballs.

"Big creditors", contact lonelyminer.

Yes, you can also email our initiative to info@bitcoinica-recovery.org (which is for the time being also handled by me). Please do not provide any claim IDs, just a forum alias, full name, claimed amounts in BTC/USD.

[defxor]

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

Tihan and Zhou knew that the LastPass password was the MtGox API key. genjix' claim that no one else did is somewhat strange, it requires three persons where at least one of them claim to be a security expert not to recognize a clearly non-random string for what it is.

I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?

2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, its deliberate and wilful.

LastPass does not contain your passwords. It contains an encrypted version of your passwords - and only you have the encryption key. Storing passwords in LastPass does not make them any more insecure than any other form of password storage you can use - while allowing you to use purely random and very long passwords, no duplicates, for all your other services.

Of course, it requires you to have a good master password (and/or use two factor authentication). LastPass go out of their way in making sure you understand the importance of that, and as I've already written before in a reply to Tihan, you have to be either completely unaware of any security practices or willfully ignorant to select something like an API key (a "known string") as password.

By "willfully ignorant" in this case I do mean that doing so creates a possibility where you can exploit that knowledge to claim a hack where no hack took place, later.

I'm still interested in why, and how, the source code got leaked. That provided the excuse needed for an inside job.

I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

07/12/2012 22:17:04
LastPass.com
 
67.188.9.35
Master Password Changed
07/17/2012 08:30:52
LastPass.com
 
0.0.0.0
Master Password Reverted

Since you've referenced that email before. Zhou, what's the X-Originating-IP header in the email you got from the claimed hacker that referenced your LastPass account password? Does it match any IP listed in the LastPass log?

(I assume it will turn out to be a anon VPN or TOR exit node)

I believe the "LastPass" hack to be an inside job, from someone being fed up with having to deal with the Bitcoinica mess. I'm less sure the other hacks where.

[zhoutong]

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

Tihan and Zhou knew that the LastPass password was the MtGox API key. genjix' claim that no one else did is somewhat strange, it requires three persons where at least one of them claim to be a security expert not to recognize a clearly non-random string for what it is.

I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?

2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, its deliberate and wilful.

LastPass does not contain your passwords. It contains an encrypted version of your passwords - and only you have the encryption key. Storing passwords in LastPass does not make them any more insecure than any other form of password storage you can use - while allowing you to use purely random and very long passwords, no duplicates, for all your other services.

Of course, it requires you to have a good master password (and/or use two factor authentication). LastPass go out of their way in making sure you understand the importance of that, and as I've already written before in a reply to Tihan, you have to be either completely unaware of any security practices or willfully ignorant to select something like an API key (a "known string") as password.

By "willfully ignorant" in this case I do mean that doing so creates a possibility where you can exploit that knowledge to claim a hack where no hack took place, later.

I'm still interested in why, and how, the source code got leaked. That provided the excuse needed for an inside job.

I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

07/12/2012 22:17:04
LastPass.com
 
67.188.9.35
Master Password Changed
07/17/2012 08:30:52
LastPass.com
 
0.0.0.0
Master Password Reverted

Since you've referenced that email before. Zhou, what's the X-Originating-IP header in the email you got from the claimed hacker that referenced your LastPass account password? Does it match any IP listed in the LastPass log?

(I assume it will turn out to be a anon VPN or TOR exit node)

I believe the "LastPass" hack to be an inside job, from someone being fed up with having to deal with the Bitcoinica mess. I'm less sure the other hacks where.

My access to the ryan@bitcoinica.com has been revoked a few hours ago. (I don't know who did that.) I can't load the source for the email any more.

[ssaCEO]

I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

07/12/2012 22:17:04
LastPass.com
 
67.188.9.35
Master Password Changed
07/17/2012 08:30:52
LastPass.com
 
0.0.0.0
Master Password Reverted

This seems to confirm what we believe - that Tihan and/or Patrick sent the money to themselves and claimed a hack.

My claim - StrikeSapphire's claim - for $981.18 which was entirely in USD should have been processed months ago. You had all my documentation, including my passport. I spoke personally with Zhou, and with Patrick on separate occasions and was assured that it would be handled quickly.

I'll address Genjix here, because Zhou was out of the process at that point: There was absolutely no reason for you not to have paid back my USD long before your MtGox account was 'compromised'. It didn't involve any Bitcoins. The money was there in your account; you know who I am. You took my money.

There was also no reason to continue to ignore my emails. Long before this "theft" from your MtGox account, we began to suspect that the Bitcoin Consultancy (in particular, Patrick) was planning to take our money and run. I have a chat log with him where he denies he's planning to do that, and then immediately and rudely adds that I need to know that "Bitcoinica Consultancy" is not the same as "Bitcoin Consultancy". It was such transparent hedging, it was clear to me at that point he was a crook.

You didn't notice the first two large MtGox withdrawals? You didn't notice $40k and then $60k going missing, or the emails they must have sent? Tihan's LastPass password after the date of the initial compromise was the MtGox API private key...and still hasn't been changed? How stupid do you think we are? No one in their right mind would believe this bullshit. And it doesn't change the fact that you owe us money.


It's the position of StrikeSapphire that:

1. The Bitcoin("ica") Consultancy 3 and Tihan who financed the heist - never had any intention of returning our USD.

2. The USD withdrawn from their MtGox account into Liberty Reserve has undoubtedly gone right back into the pockets of the BC and Tihan - as will any other money should MtGox unlock their account. Had MtGox not locked their account, we would clearly have seen another "hack" already, since someone asked to have the password reverted. Then there would be another round of "oops, can't believe we were so stupid", and then silence.

3. Tihan gave BC $500k, supposedly for Coinlab. The real purpose of this money was to buy Bitcoinica and drain its users' accounts. All these "hacks" have been his withdrawals.

4. Patrick, Tihan, et. al. personally owe us $981.18... and until that's paid, we consider them thieves.

We recommend that everyone injured by this scam file a criminal complaint against Mr. Seale with the USDOJ. It's very easy to do, and you can file it online here:
http://www.ic3.gov/
It only takes a few minutes.

We will join any organized legal action against Mr. Seale in the United States, where I think there's a good chance of holding him personally accountable for stealing our money, given the trail of public claims to his ownership of Bitcoinica and his direct access to their USD accounts. Finally, we encourage anyone in Washington State who was harmed in Bitcoinica's theft to file in small claims court against Mr. Seale, which is the easiest way to put his involvement in the public record.

[BitBuster]

I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?

2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, its deliberate and wilful.

LastPass does not contain your passwords. It contains an encrypted version of your passwords - and only you have the encryption key. Storing passwords in LastPass does not make them any more insecure than any other form of password storage you can use - while allowing you to use purely random and very long passwords, no duplicates, for all your other services.

Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity. Security is about risk management. LastPass itself may be secure, but it is completely inappropriate to use as a keyring for all of a production system's components. Putting "all your eggs in one basket" and needlessly creating such high risk is unforgivable.

Interesting to see that Intersango were so keen on finding exploits in other exchanges and then grandstand about how they were "warning" people and insisting that they are more qualified to look after your money on their exchange, yet when they were clearly aware of exploits in a system they took (or sought to take) ownership of, they deliberately decided not to fix them or warn the masses. Despicable.


BB.

[lonelyminer (Peter Šurda)]

We will join any organized legal action against Mr. Seale in the United States, where I think there's a good chance of holding him personally accountable for stealing our money, given the trail of public claims to his ownership of Bitcoinica and his direct access to their USD accounts. Finally, we encourage anyone in Washington State who was harmed in Bitcoinica's theft to file in small claims court against Mr. Seale, which is the easiest way to put his involvement in the public record.

Based on on the publicly available in formation that came out during the last two weeks, my personal opinion is that Tihan was not actually supposed to have access to anything, and that (contrary to my original assumption) the reason why the password for LastPass he used was not changed lies with Bitcoinica Consultancy rather than Tihan. I still think that incompetence on part of Bitcoinica Consultancy is the most plausible explanation. In that case, Tihan and Zhou are harmed just like we (the depositors) are, and it is in their interest to cooperate with us.

Edit: another harmed party and a potential ally is Christopher Heaslip, who is still listed as a director of Bitcoinica Consultancy at the New Zealand Company Registry, even though the leaked documents show that BC was taken over by Amir, Patrick and Donald. The NZCR website says that the records needs to be updated within 20 working days of the change, but this didn't happen.

[muyuu]

To the best of my understanding the position of "Intersango trio" now is:

"FUCK YOU ALL! WE WILL KEEP THE MONEY! SUE US! (but our other businesses such as intersango and bitcoin conference in London are safe and you should use/attend it)"

And I would think the victims here are all the depositors, Tihan/Wendon and Zhou. I think that we all need to get together and bring legal action against Bitcoinica GP, and the "Intersango trio" with intent to breach the veil of limited liability based on their alleged gross negligence.

I really hope the Bitcoin conference fails miserably this year. The majority of people who were asked for the location didn't even want it to be in London to begin with, but that was just done away with. What's the point of having a BTC conference in the UK, a well known police-state? To be close to and hook up with banksters? This really was the main argument, you will need big 'traditional' finance to support BTC. I believe Bitcoin needs exactly the opposite. Are we sleeping with the enemy now? Who is running this BTC shit anyways? Just some thoughts here on my side. Meanwhile, genjix is doing the conference schedule.  Really?

Germany is also a police-state, so there's that
They also ran the conference in Prague last year. If you want to organise something in Germany, I don't think anyone would complain.

First 100 tickets are €40, hurry up http://www.bitcoin2012.com/tickets

[kiba]

We will join any organized legal action against Mr. Seale in the United States, where I think there's a good chance of holding him personally accountable for stealing our money, given the trail of public claims to his ownership of Bitcoinica and his direct access to their USD accounts. Finally, we encourage anyone in Washington State who was harmed in Bitcoinica's theft to file in small claims court against Mr. Seale, which is the easiest way to put his involvement in the public record.

The only reasonable crime you could charge them is extreme negligence, not theft. You don't have any evidence for theft except your suspicion that this is an inside job.

There should be a proper investigation before we can speak about charging somebody, or did you lose your rationality when you lost your money?

[kiba]

Its going on two weeks now and there has been no word from Tihan other than that "the fund" will pursue legal action against "bitcoinica consultancy". Whatever legal action the fund takes is only indirectly related to depositors' claims, and I personally don't care. I want to know how and when the owners will process claims.

It may be the reason why you guys are not getting refunded. They may be embroiled in a legal civil war each other trying to blame each other, rather than doing what's right for the customers. In said legal civil war, nobody will touch the funds because their lawyers said so.

And nobody will be talking until the legal dispute is a done deal.

But this is just speculation, and there's no messenger telling us what's going on.

[Phinnaeus Gage]

Guys, I'm not happy, constantly worried and possibly scared. I didn't have a nice sleep since long time ago.

I told you guys that ZT wasn't real. Now here's proof that ZT is Genjix.

Seriously, I have major shit going on in my life right now, some of it caused by this Bitcoinica fiasco (EPA/lead paint). And I have no problem sleeping. I dream weird shit, but do sleep well. A good friend (no longer with us) used to always say, "This too shall pass." I guess I live by those words. The other thing he used to say (before those book(s) ever came out) was, "Don't sweat the small stuff.". (Note to self: Google to learn where those fuckin' periods go when using quotes)

~Bruno~

[Phinnaeus Gage]

You should really talk to an attorney that knows a thing about business organization laws.  If you made any mistake during the initial creation of bitcoinica in Delaware and how it was sold then you may still be liable even if you had no access to the financials.

Zhou did not sell the Delaware entity (xWaylab Inc).

If you ever find yourself needing money, if I were you, and I am def. not, would just make a new bitcoinica with your new knowledge of past mistakes.

Wouldn't mind betting that there was a covenant in restraint of trade in the sale contract which restrains Zhou from establishing a similar business for a specified period (he sold the IP, so he can't just use that without permission).

And yeah, if you look at the early business histories of some well known entrepreneurs, you'll find some shocking failures among them as well as downright illegal activity.  Nobody even remembers them now - in the wake of subsequent success, they've become campfire stories to be chuckled over.

+1 (I don't pluses often)

Damn good point, repentance.

~Bruno~

[defxor]

Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.

No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken since it's heat-death-of-the-universe-unfeasable for someone to break it. Thus the risk management is at an optimum.

You don't gain security if you split it up - only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk for people to invent "password schemes", which all lessen security due to lowering entropy.

A lot of people who should know better fail at understanding entropy. I recently had a debate with someone whose current job position is "security architect" (my own background is in crypto and security, but I don't work with it today) who didn't like our choice of 128 bit UUIDs as authentication tokens in URLs. He believed we should add a unique string for our specific service in front of the UUID, to lessen the risk for clashes with other services.

Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.