stdset
February 16, 2015, 10:41:37 AM
As I said earlier, I had problems withdrawing bitcoins two days prior to the hack (had to wait for two hours until my withdrawal request got finally processed), so it may well mean that their cold storage turned into hot wallet...
There were no outgoing transactions from 1M2bv around Feb 12th. Edit: Could you check your incoming transaction, where from the funds were sent?
I'm afraid not, at least right now, since I had been transferring funds from Bter to Bittrex, and there I can only see the date and sum of the deposit (and it was on the 14th actually, 12:13:55 AM, I just checked). If you give me an address of some blockchain explorer, I would try to find the transaction... Update: here's the transaction
Your transaction was sent from one of their hot wallet change addresses.

deisik
Legendary
Offline
Activity: 3542
Merit: 1280
English ⬄ Russian Translation Services
February 16, 2015, 10:47:58 AM
Did anyone try to decipher those cryptic messages in the transactions?

dagi
February 16, 2015, 10:55:35 AM
Did anyone try to decipher those cryptic messages in the transactions?
cryptic messages? where?

deisik
February 16, 2015, 10:59:56 AM
Did anyone try to decipher those cryptic messages in the transactions?
cryptic messages? where?
Here, though they may be irrelevant (or are from Bter trying to get in touch with the thief himself)... Also note one of the thief addresses (1Muse5NL7nDPPHVreF2Gkq5wv5XLbC2Qtz)

dagi
February 16, 2015, 11:10:23 AM
Did anyone try to decipher those cryptic messages in the transactions?
cryptic messages? where?
Here, though they may be irrelevant... Also note one of the thief addresses (1Muse5NL7nDPPHVreF2Gkq5wv5XLbC2Qtz)
thx Muse can be just from random key-address generator and message .... i don't know ... just someone send message for the theft

deisik
February 16, 2015, 11:20:42 AM
Did anyone try to decipher those cryptic messages in the transactions?
cryptic messages? where?
Here, though they may be irrelevant... Also note one of the thief addresses (1Muse5NL7nDPPHVreF2Gkq5wv5XLbC2Qtz)
thx Muse can be just from random key-address generator and message .... i don't know ... just someone send message for the theft
Yes, but it was sent to all 7 (seven) addresses... Bter hand?

dagi
February 16, 2015, 11:27:28 AM
Did anyone try to decipher those cryptic messages in the transactions?
cryptic messages? where?
Here, though they may be irrelevant... Also note one of the thief addresses (1Muse5NL7nDPPHVreF2Gkq5wv5XLbC2Qtz)
thx Muse can be just from random key-address generator and message .... i don't know ... just someone send message for the theft
Yes, but it was sent to all 7 (seven) addresses... Bter hand?
probably yes
I can't decode these Chinese characters :-(

deisik
February 16, 2015, 11:34:03 AM
Did anyone try to decipher those cryptic messages in the transactions?
cryptic messages? where?
Here, though they may be irrelevant... Also note one of the thief addresses (1Muse5NL7nDPPHVreF2Gkq5wv5XLbC2Qtz)
thx Muse can be just from random key-address generator and message .... i don't know ... just someone send message for the theft
Yes, but it was sent to all 7 (seven) addresses... Bter hand?
probably yes
I can't decode these Chinese characters :-(
If these symbols represent the message in Chinese, then the recipient should be able to decipher them, which leaves us with an inference that they know (or think to know) who the thief is. Thus more weight to an inside job assumption...

stdset
February 16, 2015, 11:35:52 AM
The hack transaction emptied not only 1M2bv6sypZSp6uAEC9U4Gzvgp6jd29F87e, but several other addresses too: 1CZ6jGQ9TPBjixtRkNZ21PNR8gQe7YNydE, 13sswj3bpfyFQby1oJbpjCUe18ZxUygKZt, 1Ni8z1MbaF4ri8GGE67BWtLu66YnXj2BuW, 1AeRVukQNG3qhd3i31pwFa7Z8qc6JnkYEs - the first 3 are all change addresses of their cold wallet, but the last one looks strange. There were no outgoing transactions from this address before the hack, only incoming ones, after the hack there were several incoming and outgoing transactions operating mostly with dust outputs.

deisik
February 16, 2015, 11:45:00 AM
The hack transaction emptied not only 1M2bv6sypZSp6uAEC9U4Gzvgp6jd29F87e, but several other addresses too: 1CZ6jGQ9TPBjixtRkNZ21PNR8gQe7YNydE, 13sswj3bpfyFQby1oJbpjCUe18ZxUygKZt, 1Ni8z1MbaF4ri8GGE67BWtLu66YnXj2BuW, 1AeRVukQNG3qhd3i31pwFa7Z8qc6JnkYEs - the first 3 are all change addresses of their cold wallet, but the last one looks strange. There were no outgoing transactions from this address before the hack, only incoming ones, after the hack there were several incoming and outgoing transactions operating mostly with dust outputs.
Probably, Bter had to pay someone no matter what and what amount (we see escrowed transactions)... Also, how do you know that these addresses (except for 1M2bv, indeed) belong to Bter at all?

Bitcoin_Mafia_Me
February 16, 2015, 11:59:09 AM
This stinks. I liked Bter. The daily interest aspect was cool and their support people were always quick to respond to emails. I really hope that this was a hack and not another mtgox fiasco. Over 7k bitcoin is a LOT of money.
I only had 1.5 BTC on there myself - not a lot compared to most, but it was what I was saving to pay for my kid's college textbooks next term. Hopefully I'll be able to pick up an extra web dev or SEO gig to cover the loss.

abyrnes81
February 16, 2015, 12:01:45 PM
No, I lost 3,4 bitcoin. Now what should I do?

stdset
February 16, 2015, 12:02:09 PM
Probably, Bter had to pay someone no matter what and what amount (we see escrowed transactions)... Also, how do you know that these addresses (except for 1M2bv, indeed) belong to Bter at all?
The first 3 got their balances in hot wallet replenishing transactions, when bter takes 7 of their standard 15 BTC outputs and sends exactly 100 BTC to their hot wallet, the change minus transaction fee goes to one of those addresses. The last address, I'm not sure that it belongs to bter, but it's strange to combine your own funds (or funds of two different victims) in a single hack transaction.
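The attribution reasoning in the post above (refill transactions that spend 7 standard 15 BTC outputs, send exactly 100 BTC to the hot wallet and return the remainder minus fee to a change address) can be checked mechanically. This Python sketch is an added example, not part of the original thread; the transaction records, placeholder addresses, `max_fee` bound and function names are constructed for illustration.

```python
COIN = 100_000_000  # satoshis per BTC

def replenish_change(tx, unit=15 * COIN, n_inputs=7, payout=100 * COIN,
                     max_fee=COIN // 100):  # max_fee is an assumed sanity bound
    """Return the change address if tx matches the refill pattern, else None."""
    ins, outs = tx["inputs"], tx["outputs"]
    if len(ins) != n_inputs or any(v != unit for _, v in ins):
        return None
    paid = [o for o in outs if o[1] == payout]
    rest = [o for o in outs if o[1] != payout]
    if len(outs) != 2 or len(paid) != 1 or len(rest) != 1:
        return None
    addr, value = rest[0]
    fee = n_inputs * unit - payout - value  # what is left for the miner
    return addr if 0 <= fee <= max_fee else None

def attribute_sweep(sweep, history, seed):
    """Label every input address of the sweep: seed, refill change, or unknown."""
    change = {a for a in map(replenish_change, history) if a}
    labels = {}
    for addr, _ in sweep["inputs"]:
        if addr in seed:
            labels[addr] = "known wallet"
        elif addr in change:
            labels[addr] = "refill change"
        else:
            labels[addr] = "unattributed"
    return labels

# Constructed sample data: placeholder addresses, not real chain records.
FEE = 10_000
HISTORY = [
    {"inputs": [("COLD_A", 15 * COIN)] * 7,
     "outputs": [("HOT_1", 100 * COIN), ("CHANGE_1", 5 * COIN - FEE)]},
    {"inputs": [("COLD_A", 15 * COIN)] * 7,
     "outputs": [("CHANGE_2", 5 * COIN - FEE), ("HOT_1", 100 * COIN)]},
    {"inputs": [("OTHER_X", 3 * COIN)],                  # unrelated payment
     "outputs": [("OTHER_Y", 2 * COIN), ("OTHER_Z", COIN - FEE)]},
]
SWEEP = {"inputs": [("COLD_A", 15 * COIN), ("CHANGE_1", 5 * COIN - FEE),
                    ("CHANGE_2", 5 * COIN - FEE), ("UNKNOWN_4", 2 * COIN)],
         "outputs": [("SWEEP_DEST", 27 * COIN - 3 * FEE)]}

if __name__ == "__main__":
    for addr, label in attribute_sweep(SWEEP, HISTORY, {"COLD_A"}).items():
        print(f"{addr:10s} {label}")
```

An input that ends up "unattributed" is the case the post calls strange: it was co-spent with attributed wallet funds but has no refill history linking it to the same owner.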

Sarthak
February 16, 2015, 12:03:56 PM
I guess I had 0.002 BTC left to withdraw from there! RIP 0.002 (Just kidding! But I really have 2 mbtc left there) Anyways, I hope the hacker sends back the money and enjoys the bounty!

alexrossi
Legendary
Offline
Activity: 3962
Merit: 1759
February 16, 2015, 12:17:46 PM
I'm starting to think that bter cold wallet wasn't so cold. Still, in 2015, should an exchange learn in the worst way how to set up a true cold wallet?

deisik
February 16, 2015, 12:21:01 PM
Probably, Bter had to pay someone no matter what and what amount (we see escrowed transactions)... Also, how do you know that these addresses (except for 1M2bv, indeed) belong to Bter at all?
The first 3 got their balances in hot wallet replenishing transactions, when bter takes 7 of their standard 15 BTC outputs and sends exactly 100 BTC to their hot wallet, the change minus transaction fee goes to one of those addresses. The last address, I'm not sure that it belongs to bter, but it's strange to combine your own funds (or funds of two different victims) in a single hack transaction.
Now this question seems to be cleared (as to whom belongs 1AeRVukQNG3qhd3i31pwFa7Z8qc6JnkYEs). We see that the last transaction from that address was done at 18:19:12, but the cryptic messages to all seven hacker's addresses were sent at 20:17:08 (assuming they were sent by Bter), i.e. 2 hours later. Is it possible that Bter learned about the thievery only after 18:19:12? As far as I remember, the site stopped operating just about that time...

powersup
February 16, 2015, 01:01:09 PM
I'm starting to think that bter cold wallet wasn't so cold. Still, in 2015, should an exchange learn in the worst way how to set up a true cold wallet?
Leading up to the hack the "cold wallet" was online almost daily. In fact the whole IO from the wallet looks completely automated. If that was the case perhaps the attacker didn't have direct access to the device holding the cold wallet, but instead a computer which controlled the cold wallet through API commands? Also does anyone know what the small output associated to the larger output is? This small value seems to be transferred to a fresh wallet and slowly diminishes over time. Looks like it is in part covering the TX fee.

stdset
February 16, 2015, 01:04:25 PM
Leading up to the hack the "cold wallet" was online almost daily.
What makes you think that it was online almost daily?

powersup
February 16, 2015, 01:11:30 PM
Leading up to the hack the "cold wallet" was online almost daily.
What makes you think that it was online almost daily?
Sorry, daily was a bit of an exaggeration, but there is a number of outputs from the wallet in January.