Public STATEMENT Regarding Bitcoinica account hack at MtGox

[Bitcoin Oz]

I'm trying my best to calm down and attempt to get more information about the hacker, because he also used my email for a credit card fraud case.

How can you perform credit card fraud by stealing someone's email account?? How can you even obtain a credit card if you're < 18??

You lie.

[malevolent]

How can you even obtain a credit card if you're < 18??

In some countries it is possible, with a guardian's consent of course.

[Clipse]

New evidence shows that zhoutong is the hacker.

After Bitcoinica MtGox account compromised ,zhoutong sell LR in China.

日期:2012-7-12

Ryan(11853074) 20:03:18
6.2出LR，财付通付款

Ryan(11853074) 20:13:06
要多少有多少

Ryan(11853074) 20:13:12
我帮一个朋友出的

Ryan(11853074) 20:14:06
1万美元之内都没什么问题

Ryan(11853074) 20:17:18

LibertyReserve

And  zhoutong's LR account is :


zhoutong said The hacker registered a Liberty Reserve account U9236056 at Jul 12, 2012 9:42 PM.

So now everyone knows zhoutong is the hacker!!!

I guess we need to requote this over and over since Zhou is ignoring questions regarding this factual evidence, Im guessing he needs more time to make up some bullshit story to cover his ass.

He better start covering it now since there is a good chance someone else would be covering it soon.

[greyhawk]

so, location of his new business is known. why not confronted him directly face2face?

Location: http://goo.gl/maps/TAWM

Office Provider: http://www.thecluster.com.au/

nameterrific.com domain name record

Registrant:
NameTerrific
Tong Zhou
Level 10, 50 Market Street
Melbourne, VIC 3000 AU
+61.390157926

That adress is a mail forwarding and virtual office service.

[Clipse]

New evidence shows that zhoutong is the hacker.

After Bitcoinica MtGox account compromised ,zhoutong sell LR in China.

日期:2012-7-12

Ryan(11853074) 20:03:18
6.2出LR，财付通付款

Ryan(11853074) 20:13:06
要多少有多少

Ryan(11853074) 20:13:12
我帮一个朋友出的

Ryan(11853074) 20:14:06
1万美元之内都没什么问题

Ryan(11853074) 20:17:18

LibertyReserve

And  zhoutong's LR account is :


zhoutong said The hacker registered a Liberty Reserve account U9236056 at Jul 12, 2012 9:42 PM.

So now everyone knows zhoutong is the hacker!!!

I guess we need to requote this over and over since Zhou is ignoring questions regarding this factual evidence, Im guessing he needs more time to make up some bullshit story to cover his ass.

He better start covering it now since there is a good chance someone else would be covering it soon.

Again, until he answers with some bullshit about more coverups and conspiracies.

[Glasswalker]

I'm just going to drop a quick note on here, that my MTGox account was compromised within a matter of days from this hack happening. And I had over 1,800 BTC stolen from me. It may or may not be related, but the timing is a bit too close to ignore completely.

I wonder if any others were compromised as well?

I've contacted aurumxchange and zhoutong directly to see if they have anything to offer, and if they are willing to cooperate with the already open investigation with law enforcement from my end (I have an open investigation by the Cyber Crime division of my local law enforcement here). Regardless, I will be directing the investigators to this information for any potential correlation.

[BCB]

is anyone committing these all of these threads to pastebin or elsewhere ?  As posts seem to be removed from time to time this will all be relevant when these cases go to court.

[sarpar]

is anyone committing these all of these threads to pastebin or elsewhere ?  As posts seem to be removed from time to time this will all be relevant when these cases go to court.

WHAT IF...


...their bitcointalk.org-account got hacked? 

[sadpandatech]

I'm just going to drop a quick note on here, that my MTGox account was compromised within a matter of days from this hack happening. And I had over 1,800 BTC stolen from me. It may or may not be related, but the timing is a bit too close to ignore completely.

I wonder if any others were compromised as well?

I've contacted aurumxchange and zhoutong directly to see if they have anything to offer, and if they are willing to cooperate with the already open investigation with law enforcement from my end (I have an open investigation by the Cyber Crime division of my local law enforcement here). Regardless, I will be directing the investigators to this information for any potential correlation.

Pointing them here for your investigation is going to do nothing other than fill their leads list with a bunch of FUD.

MTGOX account(s) were not compromised!

Someone had the LOGIN credentials for Bitcoinica's account because their LastPass account that held all their MtGox and other logins was BREACHED (not hacked or compromised either).

[Herodes]

I'm just going to drop a quick note on here, that my MTGox account was compromised within a matter of days from this hack happening. And I had over 1,800 BTC stolen from me. It may or may not be related, but the timing is a bit too close to ignore completely.

I wonder if any others were compromised as well?

I've contacted aurumxchange and zhoutong directly to see if they have anything to offer, and if they are willing to cooperate with the already open investigation with law enforcement from my end (I have an open investigation by the Cyber Crime division of my local law enforcement here). Regardless, I will be directing the investigators to this information for any potential correlation.

1800 BTC ?

No two-factor identification ?

Good luck on the investigation, if you can, please update the community.

Any knowledge about which attack vector was used to get into your account ?

[paulie_w]

i just want to say that it makes me sad to see this thread every time i login here

please don't kill bitcoin with all of this stupidity.

on the one hand, i hope you guys figure it out so there is some notion of accountability within the community.

but on the other hand, i feel like any conclusion is going to be inconclusive, and you're just going to ruin good reputations and good people by wasting all this time on a witch hunt.

next time some great new bitcoin web app develops, i hope you will not all be so quick to deposit your entire cache of 'coin...

[Clipse]

i just want to say that it makes me sad to see this thread every time i login here

please don't kill bitcoin with all of this stupidity.

on the one hand, i hope you guys figure it out so there is some notion of accountability within the community.

but on the other hand, i feel like any conclusion is going to be inconclusive, and you're just going to ruin good reputations and good people by wasting all this time on a witch hunt.

next time some great new bitcoin web app develops, i hope you will not all be so quick to deposit your entire cache of 'coin...

Since you are new I will forgive you for wanting this to get out of the limelight however this needs to stay in the limelight until there is closure.

Closure on this disease is far more likely to save bitcoin than destroy it, we saw heists such as this with the mybitcoin fiasco last year and it lost limelight far too early without anyone held accountable and that needs to change immediately.

[Glasswalker]

Pointing them here for your investigation is going to do nothing other than fill their leads list with a bunch of FUD.

MTGOX account(s) were not compromised!

Someone had the LOGIN credentials for Bitcoinica's account because their LastPass account that held all their MtGox and other logins was BREACHED (not hacked or compromised either).

I never said they were, the same method was used to access my account within a few days of this one. I simply stated the timing is close enough to warrant looking into it. Since in this case they have more evidence than was able to be gathered in my case (for example check some of the IPs logged by these individuals and confirm them against the IPs used in my case, if any coincide, it MAY imply a relationship). I'm not jumping to conclusions, but it is a potential valid lead.

1800 BTC ?

No two-factor identification ?

Good luck on the investigation, if you can, please update the community.

Any knowledge about which attack vector was used to get into your account ?

It could be noted that in this case the individual didn't have 2factor either, in order for someone to be able to up and withdraw their funds using an "aquired" login credential. And they were sitting on MUCH more funds than my 1800.

And yes I hope the investigation turns up something, dealing with law enforcement is a slow process though, so it's slow gaining traction.

I do fully intend to update the community as I get more info.

As for an attack vector, no, I have yet to identify where they got the login credentials.

Thanks!

[paulie_w]

i just want to say that it makes me sad to see this thread every time i login here

please don't kill bitcoin with all of this stupidity.

on the one hand, i hope you guys figure it out so there is some notion of accountability within the community.

but on the other hand, i feel like any conclusion is going to be inconclusive, and you're just going to ruin good reputations and good people by wasting all this time on a witch hunt.

next time some great new bitcoin web app develops, i hope you will not all be so quick to deposit your entire cache of 'coin...

Since you are new I will forgive you for wanting this to get out of the limelight however this needs to stay in the limelight until there is closure.

Closure on this disease is far more likely to save bitcoin than destroy it, we saw heists such as this with the mybitcoin fiasco last year and it lost limelight far too early without anyone held accountable and that needs to change immediately.

you're probably right, and i guess every great project has its growing pains, but it's still awful to watch.

i really love bitcoin and think it can change the world. if it ends up never being able to climb out of obscurity because of stuff like this (read: the bad publicity that it causes), then i think that's a real shame.

[BCB]

This is just like any good train wreck or bad traffic accident.  Everyone is rubbernecking because this is where all the drama is.  However there are a lot of smart and talented people doing incredible and useful and helpful things in the community, fortunately, they don't spend their days reading and analyzable and responding to every post in some of these sections.

But as someone said, this is better then cable television.

[1QaZxSw2]

EDIT: Moved to separate thread here https://bitcointalk.org/index.php?topic=96086.0

If any of us want bitcoin to succeed, we need to achieve the following:

Establish security and auditing standards that bitcoin companies and comply with. This can be publicly posted and edited and companies can post a statement of compliance such as: Complies with bitcoin security standard V2.1

The goal of this is to ensure bitcoin can self-regulate instead of running to the government and begging to be saved from the bad guys. I'm not anti-government regulations per se, but calling in the government to regulate a brand new industry will most certainly stifle innovation.

While there seems to be circumstantial evidence to suggest ZT may have either been a naughty boy or just plain stupid, we need to proceed judiciously. Note that accusations are easy, and tomorrow anyone here with any business could be accused of wrong doing should something go wrong.

We need to put in place transparency and self-regulation so that rampant speculation will have no place.

For example:
V0.1 of Bitcoin Operations & Security Standard (BOSS 0.1)

Users:
1. Every account has 2-factor authentication. [This prevents fraudulent claims of password theft etc]
2. All passwords are salted and hashed. [Mitigates loss due to/claim of lost password db]
3. All users who store more than 1000BTC or $10000 USD need to provide scanned copy of govt id. [Large amounts attract theft. Disclosing your identity may be the only way to protect yourself. Prevents Govt coming after corporations for money laundering.]
4. Maximum daily withdrawals are set based on corporate policy. 1000BTC and $10000 recommended. Larger amounts may be allowed after a phone call and verification. [This prevents large losses in case of password theft]
4.a. Optional: withdrawals should go to the same wallet deposits were made from. Customer can always withdraw full amount to the originating wallet, change the designated outgoing wallet and replace the funds as necessary for financial privacy and security. [For some businesses such as mixing services, this makes no sense]

Companies:
5. All Corporate funds are strictly separated from Customer funds. [This makes embezzlement easy to detect and prevents accidental losses]
6. Most BTC are stored in cold wallets. [Prevents large losses due to root privilege compromise]
7. The cold wallets containing more than 1000BTC keys are split among at least 2 officers of the company, so that no one person can withdraw from a cold wallet. Steps should be taken to ensure that these keys portions are not shared and not lost if one of the officers dies or exits the company.
8. Other cold wallets have a maximum amount of 1000BTC beyond which it should split into two cold wallets. [This puts an upper limit on loss from actions of an unscrupulous officer of a company.]
9. Companies will take user privacy very seriously and will not air issues in a public forum. As appropriate, resolve issues with the customer or contact law enforcement. [This will build confidence in bitcoin businesses and prevent slander/accusations of slander]
10. Where appropriate, companies should insure against losses of user funds from theft, loss of keys, disruption of operations, etc. This does not apply to trading losses caused by user's own actions. [Builds confidence and permits outside entity, i.e. the insurance company to audit security procedures]

[1QaZxSw2]

The goals of BOSS are:


1. Set a standard expectation regarding security and operating procedures.
2. Eliminate, reduce and mitigate losses due to theft or corporate wrongdoing
3. Eliminate, reduce and mitigate losses due to customer action or fraud.
4. Ensure the most up to date security mechanisms are in place.

The fiat financial world is heavily regulated because they had to learn all their lessons the hard way. We don't need to. We should simply apply the lessons here and make BTC a far better product.

[sadpandatech]

Pointing them here for your investigation is going to do nothing other than fill their leads list with a bunch of FUD.

MTGOX account(s) were not compromised!

Someone had the LOGIN credentials for Bitcoinica's account because their LastPass account that held all their MtGox and other logins was BREACHED (not hacked or compromised either).

I never said they were, the same method was used to access my account within a few days of this one. I simply stated the timing is close enough to warrant looking into it. Since in this case they have more evidence than was able to be gathered in my case (for example check some of the IPs logged by these individuals and confirm them against the IPs used in my case, if any coincide, it MAY imply a relationship). I'm not jumping to conclusions, but it is a potential valid lead.

My point was simply that your case and the Bitcoinica case are no more similar than if a car got stolen in Texas and a car got stolen in the UK and both times the thieves had the keys to the cars. Pointing an investigator to one car theft is in no way helpful in solving the other. Nither one would answer the investigator's main questions; "How did the thief gain the keys?", "And where did the thief take the car to?"

[check_status]

The goals of BOSS are:


1. Set a standard expectation regarding security and operating procedures.
2. Eliminate, reduce and mitigate losses due to theft or corporate wrongdoing
3. Eliminate, reduce and mitigate losses due to customer action or fraud.
4. Ensure the most up to date security mechanisms are in place.

The fiat financial world is heavily regulated because they had to learn all their lessons the hard way. We don't need to. We should simply apply the lessons here and make BTC a far better product.

Are you going to set up the agile and scrum?

[1QaZxSw2]

Are you going to set up the agile and scrum?

I was thinking more like a GPL type process. A publicly known standard that can be referred to, complied with and audited against.