-----BEGIN PGP SIGNED MESSAGE-----
* On Friday, July 13 I was notified by MtGox that somebody had gain unauthorized access to Bitcoinica's MtGox account. I was also notified that most of the redeemable codes used in the heist were exchanged through AurumXchange on July 12.
* At the time I was on an extended weekend vacation with very limited internet access. I immediately notified Mark Karpeles at MtGox as well as Charlie Shrem at Bitinstant that I would take a closer examination of the situation on Tuesday upon my return.
* Upon closer examination of our database on Tuesday, I discovered that the hacker had indeed exchanged the MtGox coupons to Liberty Reserve through our instant exchange facility. The hacker had also exchanged Liberty Reserve back to MtGox presumably in an effort to conceal and/or "launder" the funds.
* Over all, the hacker exchanged a total of $61,875 USD from MtGox to Liberty Reserve, and a total of $17,500 Liberty Reserve to MtGox, for a grand total of $44,375 MtGox to Liberty Reserve. After our fees, this number amounts to approximately $40,000 USD.
* These orders were placed on our systems between 2012-07-12 11:46:48 and 2012-07-12 19:41:27 UTC.
* The IP addresses used by the hacker belong to TOR exit nodes to my understanding, and are as follows:
* The Liberty Reserve account used by the hacker is U9236056.
* The email address used by the hacker was email@example.com
* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.
* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.
* This information was immediately sent to our two biggest trusted business partners: MtGox and Bitinstant in an effort to join forces to further investigate this situation.
* Mark Karpeles indicated that there was an account opened at MtGox using the email firstname.lastname@example.org
sometime in 2011.
* Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location, that the email email@example.com
have been verified, and that ALL activity on this account is linked to the MtGox account belonging to Zhou Tong.
* Mark has also indicated that the very first operation on the MtGox account opened with email firstname.lastname@example.org
was the redeeming of a 10 BTC MtGox code generated from Zhou Tong's account.
* Charlie indicated that Erik Vorhees (a well known member of this community) has emails he exchanged with Zhou using the email address email@example.com
At this time, it appears that there is an overwhelming amount of evidence linking Zhou Tong personally to the Bitcoinica account hack at MtGox. Our legal department has advised us to freeze the funds for the exchange order mentioned above until further investigation by the authorities and/or legal proceedings are concluded.
Both Charlie and Mark have informed the current Bitcoinica owners of the situation and advised to start legal proceedings as soon as possible.
Posts corroborating this information from both MtGox and BitInstant will follow. I am technically on vacation until mid august with limited internet access, however, I will attempt to answer any questions the community might have as often as possible. Please understand that some information will not be released until all legal proceedings have been concluded.
The AurumXchange Companyhttps://www.aurumxchange.com
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
We would like to make a few points:
- I want to thank Roberto for leading the investigation on this one with Mark and myself. We pooled together our resources to connect the dots and paper trail. This just shows that even competitors can work together for the better of the Bitcoin community.
- I can confirm that both Tihan from Bitcoinica LP and Patrick from Bitcoin Consultancy were both alerted about this investigation personally face-to-face by me. I urged them to seek legal action and request clarification from Zhou. I also requested that they decline him further access to any funds in any of the accounts.
- Both assured me separately that action is being taken on this front and on the claims front. They assured me that the claims process will continue pending legal clarifications.
- As you can imagine, we had to keep this information to ourselves for 10 days or so until we can completely verify all the information we presented here.
As more information comes to light and verified, we will release it to you as soon as possible.
As representative of MtGox, I do confirm the following facts:
- Upon hack of Bitcoinica's account on our platform, a large number of redeemable codes have been issued. Seeing a large volume of codes emitted by Bitcoinica didn't alert us at first as we assumed those were funds returned to Bitcoinica customers, however we were made aware it was not the case upon posting on this forum by Genjix about the account hack. We noticed that most of those codes were sent to AurumXchange.
- Codes were all generated from IP 18.104.22.168 (184-22-31-180.static.hostnoc.net)
- During the investigation, AurumXchange asked us if we knew anything about email address firstname.lastname@example.org which was used by the hacker according to AurumXchange. We found an account under this email which had some activity back in 2011, with access from both an IP at Microsoft Singapore then an IP at Amazon EC2 and which initial funds are deposited from an account known to belong to Zhou Tong.
While we have no definitive proof at this time, there is a definitive need for a proper investigation of what happened there. We have got no reply at this time from Bitcoinica LP and its representatives/owners regarding this matter despite many requests.
My email email@example.com
was last accessed from 22.214.171.124 on July 13. The password has not been changed by the hacker (but I have changed just now).
There was an auto-forwarding to firstname.lastname@example.org
(which is another email address of mine). However it has been changed to email@example.com
(which is the email that was used to send the "Bitcoinica is done" email to firstname.lastname@example.org
). Of course I couldn't be notified about any email since the change.
The email account had a heavily-reused password (for the sites that I don't intend to share any private data), *at least* it was used on LinkedIn and many other websites.
I have several email communications between stevejobs807@gmail and other email accounts controlled by me, including a testing ticket for Bitcoinica's ZenDesk trial. The email address has never been publicised.
Important discovery in recent emails (all times are in UTC+8):
The hacker registered a Liberty Reserve account U9236056 at Jul 12, 2012 9:42 PM.
There was several emails from Liberty Reserve mentioning "Verification PIN". It can be seen that the liberty reserve account was accessed by at least: 126.96.36.199, 188.8.131.52 and 184.108.40.206.
There were many transactions done at F1ex.com, possibly used to launder Bitcoin. (I checked just now, F1ex.com provides anonymous fixed-rate BTC exchange service.)
The hacker signed up for OKPAY, with IP 220.127.116.11.
The hacker requested a sell-order on AurumXchange, totalling $5000, using the suspicious Liberty Reserve account mentioned by OP. A Chinese bank account was used (Account name: LIU HAIPENG, Account number: 6222020903006086032, Bank: INDUSTRIAL AND COMMERCIAL BANK OF CHINA).
Order link: https://www.aurumxchange.com/order/view/34011/e5b466248e041ebdf2ae793181a840dc
The hacker has also opened a ticket under his own name: https://www.aurumxchange.com/help/ticket.php?track=NLY-9AG-E468&Refresh=24195
He mentioned that I sold him the Mt. Gox codes at half price, which is absolutely not true. It seems that the hacker was trying to relate this event to me as an individual, and this possibly explains the reason that he wanted to "hijack" the email account. All my other email accounts did not have any suspicious access records and their passwords are all secure and different.
This is my *own* genuine transaction at AurumXchange: https://www.aurumxchange.com/order/view/33100/3c05a9a572379bf91620302cc9dd7d22
And my ticket to question the funds: https://www.aurumxchange.com/help/ticket.php?track=J6W-EY3-ZY2U&Refresh=47091
It's important to note that the first time I gained any knowledge about the email being misused is through this thread. Neither AurumXchange nor Mt. Gox has provided me any specific information about the suspicion. Otherwise I could have checked that email account earlier.
I'm willing to co-operate with any ongoing investigation and obviously I'm not trying to run away from this. I have already provided Mt. Gox with my certified copy of passport in an attempt to unlock my account with some Bitcoin balance.
The important truths
Truth 1: My $40K LR transaction is legitimate at AurumXchange, associated with a friend in Singapore.
Truth 2: All my assets at Mt. Gox, my wallet balances, my recent Bitcoin transactions and the 5,000 BTC compensation are from legitimate sources.
Truth 3: I had no knowledge of myself being suspicious until the public statement was posted by AurumXchange. There's no possible way of me being involved in the investigation earlier.
Truth 4: Even though there's evidence showing that I'm linked to this hack, I have absolutely no relationship with all previous hacks.
Truth 5: If either AurumXchange or Mt. Gox had communicated their investigation with me earlier, there wouldn't be so many wrong interpretations and assumptions and this thread could have come out much earlier.Truth 6: I didn't steal the money.Who is Chen Jianhai?
Chen Jianhai is my previous business associate. He was very familiar with credit card fraud and by my observations he's quite active in financial black markets. He didn't know much technical stuff personally but he has many technical people working with him everyday. He heard about Bitcoin from me last year from a random chat, and I have not communicated with him this year.Did he admit the wrong-doing?
Surprisingly, yes. He strongly denied at first, but he changed his attitude entirely when I mention that this matter is an international-scale crime, and intelligent netizens from all over the world are actively investigating this matter. And I also told him that the accidentally exposed a bank account number. (He claimed that it was a debit card purchased from black market.)
He used my secret identity because he felt that "it would be impossible to discover the hacker
" and "it would be much easier to deny if the suspect account is an insider because you (Zhou Tong) can always distract people from investigating
". I have repeatedly said that I have zero tolerance in this matter and I will report all his information, including his real bank account number and address to the police once the official investigation has started.How did he do it?
He said one of his co-workers was quite active in Chinese Bitcoin community and he had noticed the source code of Bitcoinica being leaked. The reason that he (the technical guy) knew the correlation between the Mt. Gox API key and the LastPass master password remains unknown. I have only communicated this password in-person with Tihan in Chimelong Hotel (Guangzhou) lobby once in February this year and I'm quite sure that no one else has paid any attention to our conversation.
He was unwilling to share more information about the specifics of the hack, but he remembered that he only thought of using my secret identity *after* he was able to withdraw money from Mt. Gox. It was possible that he only withdrew the Bitcoins first, and then a few moments later, the USD.
Also he revealed an important piece of information not mentioned in the public statements: He used the Mt. Gox account of Chris Heaslip, which is a verified account, to deposit some Mt. Gox code and buy Bitcoins with the money, and withdrew all of them. This account's credentials were also in the LastPass account.
In the entire process, he used My Wallet (Blockchain.info) with Tor to access the Bitcoins, and he transferred some Bitcoins to his servers in United States as well. The IP 18.104.22.168 (which was used to access Mt. Gox accounts) is actually zeraba.ddns.info. This is actually a public SSH proxy server for some Chinese users to bypass the national firewall with randomly rotating passwords. He had attempted to access the Mt. Gox accounts with Tor and he failed (note: Mt. Gox bans all Tor exit nodes). How about the money?
He's a multi-millionaire in China living with a family. I'm not sure how much of his money comes from illegal sources but he has a genuine interest in relic collections and he has made a lot of money from speculating precious collections.
After my warning, he seemed unwilling to return the funds. However, I have threatened him with reporting his information to the police. He later more or less agreed to return the funds to Bitcoinica users, under the condition that Bitcoinica will no longer pursue the case (and Bitcoinica isn't pursuing at the moment) and I keep his other personal information secret.
I'm currently in a moral dilemma because even though I don't have definitive proof that Chen Jianhai is indeed a long-time criminal with an active presence in stolen credit cards and possibly other hacks, it might be worthwhile to pursue with police investigation so that justice can be served. However doing that will significantly delay the claiming process of Bitcoinica and the Chinese police may not be willing or capable to effectively investigate or co-operate in this matter. Otherwise I can always get all the stolen funds from him first. The only evidence in my email account was a credit card fraud case of only a few hundred dollars, which isn't very significant compared to the Bitcoinica hack.
Currently I'm very willing to co-operate with any investigation because this is the only way I can completely prove my innocence. However the non-reponse from Bitcoinica side is indeed worrying. I have gathered some data to estimate the amount that can be recovered from Chen Jianhai:
USD: about $140,000 + $5000 frozen at AurumXchange (under SJ account)
BTC: about 20,000 BTC
There's an unknown amount of funds left in Chris Heaslip's account and I have no way of knowing the exact balance.
It's important to note that the pending $40,000 transaction at AurumXchange is my genuine transaction, so it can be used to offset the USD payment. And also all Bitcoin balances in my Mt. Gox account are mine, and it shouldn't be used to further compensate Bitcoinica customers as well.
However, my previous donation of 5,000 BTC and community donation of 101 BTC were entirely separate from this matter and the claimants can rightfully hold on to the full amount. These funds come from my profits of previous sale at Bitcoinica, and I genuinely feel that Bitcoinica users deserve the early compensation due to them being affected by the inefficiencies of Bitcoinica's operations.
Chen Jianhai was only able to offer the above-mentioned amount due to the cost of his laundering activities and also the significantly lower Bitcoin price when he cashed out. If Bitcoinica or the community wants him to cover the full amount at today's prices, I'm willing to co-operate with any police investigation. But either case, my previous donation should have pretty much covered the difference.
It's up to Bitcoinica to appoint a bank account and also a Bitcoin address so that Chen Jianhai (or possibly I) can return the funds. AurumXchange can either return the $40,000 to me, or send the funds to Bitcoinica's nominated account (in which case another $100,000 will be sent to Bitcoinica from Chen Jianhai or me). About my situation
I'm not asking him to transfer to me or to anyone else the amount today because it can be illegal to possess such funds until Bitcoinica has provided any written form of authorisation and/or agreement (so that I won't be wronged again because of arranging the return of the stolen funds).
It's important to note that I have been, I am and I will always be standing on the side of Bitcoinica customers, regardless of my position and situation at Bitcoinica. I have absolutely no tolerance of illegal activity of any kind, especially those damaging my personal reputation.
I promise that I have honestly reported the amounts and 100% of those recovered from Chen Jianhai will be returned to Bitcoinica's customers. At the same time, I have to emphasise that Bitcoinica should return the amounts to customers as quickly as possible
, so that the company and related people will not get into serious legal troubles. It's my best interest to make Bitcoinica's customers happy so that this issue will not have further impact on my future careers.
I have no problem of either formal police investigation, or returning the funds without police investigation. I would prefer the former so that my name can be cleared, but I guess that some Bitcoinica customers may choose the latter.
Sitenote: I have released an improved design of NameTerrific (https://www.nameterrific.com/
), which I finished during my lunch break, until AurumXchange's statement was posted.
I have located a suspect, his name is 陈建海(Chen Jianhai). He's NOT my friend and we have never met in person. He was one of my previous business associates because he's very familiar with credit card fraud and he advised me a lot (in terms of fraud prevention, of course) when I built my virtual goods payment processor in late 2010.
He has knowledge of my secret gmail address and I have once re-used the password in his web shop
His English is not very proficient and I'm sure that he's not reading this forum at the moment. I'm giving him a call now to persuade him to admit his wrong-doing and return the funds.
I'll post another thread soon.
Updated with notable quotes.