Bitcoin Forum
March 19, 2024, 10:52:46 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 »  All
  Print  
Author Topic: Public STATEMENT Regarding Bitcoinica account hack at MtGox  (Read 72783 times)
Aggro (OP)
Donator
Sr. Member
*
Offline Offline

Activity: 296
Merit: 250



View Profile
July 26, 2012, 04:41:02 AM
 #1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* On Friday, July 13 I was notified by MtGox that somebody had gain unauthorized access to Bitcoinica's MtGox account. I was also notified that most of the redeemable codes used in the heist were exchanged through AurumXchange on July 12.
* At the time I was on an extended weekend vacation with very limited internet access. I immediately notified Mark Karpeles at MtGox as well as Charlie Shrem at Bitinstant that I would take a closer examination of the situation on Tuesday upon my return.
* Upon closer examination of our database on Tuesday, I discovered that the hacker had indeed exchanged the MtGox coupons to Liberty Reserve through our instant exchange facility. The hacker had also exchanged Liberty Reserve back to MtGox presumably in an effort to conceal and/or "launder" the funds.
* Over all, the hacker exchanged a total of $61,875 USD from MtGox to Liberty Reserve, and a total of $17,500 Liberty Reserve to MtGox, for a grand total of $44,375 MtGox to Liberty Reserve. After our fees, this number amounts to approximately $40,000 USD.
* These orders were placed on our systems between 2012-07-12 11:46:48 and 2012-07-12 19:41:27 UTC.
* The IP addresses used by the hacker belong to TOR exit nodes to my understanding, and are as follows:

31.172.30.1
31.172.30.2
31.172.30.4
77.247.181.165
146.164.91.248
78.108.63.44

* The Liberty Reserve account used by the hacker is U9236056.
* The email address used by the hacker was stevejobs807@gmail.com.
* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.
* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.
* This information was immediately sent to our two biggest trusted business partners: MtGox and Bitinstant in an effort to join forces to further investigate this situation.
* Mark Karpeles indicated that there was an account opened at MtGox using the email stevejobs807@gmail.com sometime in 2011.
* Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location, that the email stevejobs807@gmail.com have been verified, and that ALL activity on this account is linked to the MtGox account belonging to Zhou Tong.
* Mark has also indicated that the very first operation on the MtGox account opened with email stevejobs807@gmail.com was the redeeming of a 10 BTC MtGox code generated from Zhou Tong's account.
* Charlie indicated that Erik Vorhees (a well known member of this community) has emails he exchanged with Zhou using the email address stevejobs807@gmail.com.

At this time, it appears that there is an overwhelming amount of evidence linking Zhou Tong personally to the Bitcoinica account hack at MtGox. Our legal department has advised us to freeze the funds for the exchange order mentioned above until further investigation by the authorities and/or legal proceedings are concluded.

Both Charlie and Mark have informed the current Bitcoinica owners of the situation and advised to start legal proceedings as soon as possible.

Posts corroborating this information from both MtGox and BitInstant will follow. I am technically on vacation until mid august with limited internet access, however, I will attempt to answer any questions the community might have as often as possible. Please understand that some information will not be released until all legal proceedings have been concluded.

Sincerely,

Roberto Gutierrez
General Manager
The AurumXchange Company
https://www.aurumxchange.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iQEcBAEBAgAGBQJQEMmpAAoJECR5FGDHgkwDCqMH/Awy/Tjtqw9p/vzVh/ewoYgq
CPCSjWn1OUZGGkCMeA/ZwkPHV8/FgsQqBTfHJKy7OBZPaRyL7KTynFo6/BfUSCiO
tWz4QtRXE8hAV5uJNq6BtUvsSD9LXUFWanSEOZS9mApsmP5jmDc3S7JfBEDHli1w
zE9DXJR5jHQmvloRgafIQNxQq8BK7DKG25LpltXCURpVqWFkmulGsMuCqZ9wV0cb
fP92Hf4U+FnwSiM5TfZDwtOhbub9E6ilzPHBmfOjuneSEN1S49Zq3wl1wv0sHUda
2fJ4jVONpOc6S3pvGN7Jb0pdcUJQtujiOcnc+YbKa1EFBjZYY0WBnJL1EVARy4Q=
=TFJe
-----END PGP SIGNATURE-----
1710845566
Hero Member
*
Offline Offline

Posts: 1710845566

View Profile Personal Message (Offline)

Ignore
1710845566
Reply with quote  #2

1710845566
Report to moderator
1710845566
Hero Member
*
Offline Offline

Posts: 1710845566

View Profile Personal Message (Offline)

Ignore
1710845566
Reply with quote  #2

1710845566
Report to moderator
Make sure you back up your wallet regularly! Unlike a bank account, nobody can help you if you lose access to your BTC.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1710845566
Hero Member
*
Offline Offline

Posts: 1710845566

View Profile Personal Message (Offline)

Ignore
1710845566
Reply with quote  #2

1710845566
Report to moderator
MagicalTux
VIP
Hero Member
*
Offline Offline

Activity: 608
Merit: 501


-


View Profile
July 26, 2012, 04:43:43 AM
Last edit: July 26, 2012, 05:09:23 AM by MagicalTux
 #2

As representative of MtGox, I do confirm the following facts:

  • Upon hack of Bitcoinica's account on our platform, a large number of redeemable codes have been issued. Seeing a large volume of codes emitted by Bitcoinica didn't alert us at first as we assumed those were funds returned to Bitcoinica customers, however we were made aware it was not the case upon posting on this forum by Genjix about the account hack. We noticed that most of those codes were sent to AurumXchange.
  • Codes were all generated from IP 184.22.31.180 (184-22-31-180.static.hostnoc.net)
  • During the investigation, AurumXchange asked us if we knew anything about email address stevejobs807@gmail.com which was used by the hacker according to AurumXchange. We found an account under this email which had some activity back in 2011, with access from both an IP at Microsoft Singapore then an IP at Amazon EC2 and which initial funds are deposited from an account known to belong to Zhou Tong.
.
While we have no definitive proof at this time, there is a definitive need for a proper investigation of what happened there. We have got no reply at this time from Bitcoinica LP and its representatives/owners regarding this matter despite many requests.
Yankee (BitInstant)
Legendary
*
Offline Offline

Activity: 1078
Merit: 1000


Charlie 'Van Bitcoin' Shrem


View Profile WWW
July 26, 2012, 04:44:56 AM
Last edit: July 26, 2012, 06:12:44 AM by Yankee (BitInstant)
 #3

We would like to make a few points:

  • I want to thank Roberto for leading the investigation on this one with Mark and myself. We pooled together our resources to connect the dots and paper trail. This just shows that even competitors can work together for the better of the Bitcoin community.
  • I can confirm that both Tihan from Bitcoinica LP and Patrick from Bitcoin Consultancy were both alerted about this investigation personally face-to-face by me. I urged them to seek legal action and request clarification from Zhou. I also requested that they decline him further access to any funds in any of the accounts.
  • Both assured me separately that action is being taken on this front and on the claims front. They assured me that the claims process will continue pending legal clarifications.
  • As you can imagine, we had to keep this information to ourselves for 10 days or so until we can completely verify all the information we presented here.

As more information comes to light and verified, we will release it to you as soon as possible.

Thanks,

Charlie, Bitinstant.

Bitcoin pioneer. An apostle of Satoshi Nakamoto. A crusader for a new, better, tech-driven society. A dreamer.

More about me: http://CharlieShrem.com
LightRider
Legendary
*
Offline Offline

Activity: 1500
Merit: 1021


I advocate the Zeitgeist Movement & Venus Project.


View Profile WWW
July 26, 2012, 04:46:54 AM
Last edit: July 26, 2012, 07:39:40 PM by LightRider
 #4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* On Friday, July 13 I was notified by MtGox that somebody had gain unauthorized access to Bitcoinica's MtGox account. I was also notified that most of the redeemable codes used in the heist were exchanged through AurumXchange on July 12.
* At the time I was on an extended weekend vacation with very limited internet access. I immediately notified Mark Karpeles at MtGox as well as Charlie Shrem at Bitinstant that I would take a closer examination of the situation on Tuesday upon my return.
* Upon closer examination of our database on Tuesday, I discovered that the hacker had indeed exchanged the MtGox coupons to Liberty Reserve through our instant exchange facility. The hacker had also exchanged Liberty Reserve back to MtGox presumably in an effort to conceal and/or "launder" the funds.
* Over all, the hacker exchanged a total of $61,875 USD from MtGox to Liberty Reserve, and a total of $17,500 Liberty Reserve to MtGox, for a grand total of $44,375 MtGox to Liberty Reserve. After our fees, this number amounts to approximately $40,000 USD.
* These orders were placed on our systems between 2012-07-12 11:46:48 and 2012-07-12 19:41:27 UTC.
* The IP addresses used by the hacker belong to TOR exit nodes to my understanding, and are as follows:

31.172.30.1
31.172.30.2
31.172.30.4
77.247.181.165
146.164.91.248
78.108.63.44

* The Liberty Reserve account used by the hacker is U9236056.
* The email address used by the hacker was stevejobs807@gmail.com.
* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.
* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.
* This information was immediately sent to our two biggest trusted business partners: MtGox and Bitinstant in an effort to join forces to further investigate this situation.
* Mark Karpeles indicated that there was an account opened at MtGox using the email stevejobs807@gmail.com sometime in 2011.
* Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location, that the email stevejobs807@gmail.com have been verified, and that ALL activity on this account is linked to the MtGox account belonging to Zhou Tong.
* Mark has also indicated that the very first operation on the MtGox account opened with email stevejobs807@gmail.com was the redeeming of a 10 BTC MtGox code generated from Zhou Tong's account.
* Charlie indicated that Erik Vorhees (a well known member of this community) has emails he exchanged with Zhou using the email address stevejobs807@gmail.com.

At this time, it appears that there is an overwhelming amount of evidence linking Zhou Tong personally to the Bitcoinica account hack at MtGox. Our legal department has advised us to freeze the funds for the exchange order mentioned above until further investigation by the authorities and/or legal proceedings are concluded.

Both Charlie and Mark have informed the current Bitcoinica owners of the situation and advised to start legal proceedings as soon as possible.

Posts corroborating this information from both MtGox and BitInstant will follow. I am technically on vacation until mid august with limited internet access, however, I will attempt to answer any questions the community might have as often as possible. Please understand that some information will not be released until all legal proceedings have been concluded.

Sincerely,

Roberto Gutierrez
General Manager
The AurumXchange Company
https://www.aurumxchange.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iQEcBAEBAgAGBQJQEMmpAAoJECR5FGDHgkwDCqMH/Awy/Tjtqw9p/vzVh/ewoYgq
CPCSjWn1OUZGGkCMeA/ZwkPHV8/FgsQqBTfHJKy7OBZPaRyL7KTynFo6/BfUSCiO
tWz4QtRXE8hAV5uJNq6BtUvsSD9LXUFWanSEOZS9mApsmP5jmDc3S7JfBEDHli1w
zE9DXJR5jHQmvloRgafIQNxQq8BK7DKG25LpltXCURpVqWFkmulGsMuCqZ9wV0cb
fP92Hf4U+FnwSiM5TfZDwtOhbub9E6ilzPHBmfOjuneSEN1S49Zq3wl1wv0sHUda
2fJ4jVONpOc6S3pvGN7Jb0pdcUJQtujiOcnc+YbKa1EFBjZYY0WBnJL1EVARy4Q=
=TFJe
-----END PGP SIGNATURE-----


As representative of MtGox, I do confirm the following facts:

  • Upon hack of Bitcoinica's account on our platform, a large number of redeemable codes have been issued. Seeing a large volume of codes emitted by Bitcoinica didn't alert us at first as we assumed those were funds returned to Bitcoinica customers, however we were made aware it was not the case upon posting on this forum by Genjix about the account hack. We noticed that most of those codes were sent to AurumXchange.
  • Codes were all generated from IP 184.22.31.180 (184-22-31-180.static.hostnoc.net)
  • During the investigation, AurumXchange asked us if we knew anything about email address stevejobs807@gmail.com which was used by the hacker according to AurumXchange. We found an account under this email which had some activity back in 2011, with access only from an IP at Microsoft Singapore and which initial funds are deposited from an account known to belong to Zhou Tong.
While we have no definitive proof at this time, there is a definitive need for a proper investigation of what happened there. We have got no reply at this date from Bitcoinica LP and its representatives/owners regarding this matter despite many requests.


We would like to make a few points:

  • I want to thank Roberto for leading the investigation on this one with Mark and myself. We pooled together our resources to connect the dots and paper trail. This just shows that even competitors can work together for the better of the Bitcoin community.
  • I can confirm that both Tihan from Bitcoinica LP and Patrick from Bitcoin Consultancy were both alerted about this investigation personally face-to-face by me. I urged them to seek legal action and request clarification from Zhou. I also requested that they decline him further access to any funds in any of the accounts.
  • Both assured me separately that action is being taken on this front and on the claims front. They assured me that the claims process will continue pending legal clarifications.
  • As you can imagine, we had to keep this information to ourselves for 10 days or so until we can completely verify all the information we presented here.

As more information comes to light and verified, we will release it to you as soon as possible.

Thanks,

Charlie, Bitinstant.

Wow.

How long until Zhou claims gmail account hack?

I'm gathering some information and a statement will be posted soon.

stevejobs807@gmail.com was indeed my email account used for anonymous testing purpose, however I haven't been using it for a long time. I'm logging in the account to check the suspicious activity and I'll post relevant details as well.

The $40,000 I exchanged at AurumXchange was indeed from a friend. Later I can also post proof that I exchanged another $30,000 at other exchanges during the same period. The total amount far exceeds the stolen amount claimed in the OP. My own Liberty Reserve account number is U7097615.

My email stevejobs807@gmail.com was last accessed from 62.113.219.5 on July 13. The password has not been changed by the hacker (but I have changed just now).

There was an auto-forwarding to ryan@xwaylab.com (which is another email address of mine). However it has been changed to bitcoinicasucks@hotmail.com (which is the email that was used to send the "Bitcoinica is done" email to verify@bitcoinica.com). Of course I couldn't be notified about any email since the change.

The email account had a heavily-reused password (for the sites that I don't intend to share any private data), *at least* it was used on LinkedIn and many other websites.

I have several email communications between stevejobs807@gmail and other email accounts controlled by me, including a testing ticket for Bitcoinica's ZenDesk trial. The email address has never been publicised.

Important discovery in recent emails (all times are in UTC+8):

The hacker registered a Liberty Reserve account U9236056 at Jul 12, 2012 9:42 PM.

There was several emails from Liberty Reserve mentioning "Verification PIN". It can be seen that the liberty reserve account was accessed by at least: 78.108.63.44, 212.84.206.250 and 31.172.30.1.

There were many transactions done at F1ex.com, possibly used to launder Bitcoin. (I checked just now, F1ex.com provides anonymous fixed-rate BTC exchange service.)

The hacker signed up for OKPAY, with IP 31.172.30.1.

The hacker requested a sell-order on AurumXchange, totalling $5000, using the suspicious Liberty Reserve account mentioned by OP. A Chinese bank account was used (Account name: LIU HAIPENG, Account number: 6222020903006086032, Bank: INDUSTRIAL AND COMMERCIAL BANK OF CHINA).

Order link: https://www.aurumxchange.com/order/view/34011/e5b466248e041ebdf2ae793181a840dc

The hacker has also opened a ticket under his own name: https://www.aurumxchange.com/help/ticket.php?track=NLY-9AG-E468&Refresh=24195

He mentioned that I sold him the Mt. Gox codes at half price, which is absolutely not true. It seems that the hacker was trying to relate this event to me as an individual, and this possibly explains the reason that he wanted to "hijack" the email account. All my other email accounts did not have any suspicious access records and their passwords are all secure and different.

This is my *own* genuine transaction at AurumXchange: https://www.aurumxchange.com/order/view/33100/3c05a9a572379bf91620302cc9dd7d22

And my ticket to question the funds: https://www.aurumxchange.com/help/ticket.php?track=J6W-EY3-ZY2U&Refresh=47091

It's important to note that the first time I gained any knowledge about the email being misused is through this thread. Neither AurumXchange nor Mt. Gox has provided me any specific information about the suspicion. Otherwise I could have checked that email account earlier.

I'm willing to co-operate with any ongoing investigation and obviously I'm not trying to run away from this. I have already provided Mt. Gox with my certified copy of passport in an attempt to unlock my account with some Bitcoin balance.


Not long at all!

I have located a suspect, his name is 陈建海(Chen Jianhai). He's NOT my friend and we have never met in person. He was one of my previous business associates because he's very familiar with credit card fraud and he advised me a lot (in terms of fraud prevention, of course) when I built my virtual goods payment processor in late 2010.

He has knowledge of my secret gmail address and I have once re-used the password in his web shop

His English is not very proficient and I'm sure that he's not reading this forum at the moment. I'm giving him a call now to persuade him to admit his wrong-doing and return the funds.

I'll post another thread soon.

An interesting development.

Bitcoin combines money, the wrongest thing in the world, with software, the easiest thing in the world to get wrong.
Visit www.thevenusproject.com and www.theZeitgeistMovement.com.
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1288
Merit: 1225


Away on an extended break


View Profile
July 26, 2012, 04:48:56 AM
Last edit: July 26, 2012, 12:25:19 PM by John (johnthedong)
 #5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* On Friday, July 13 I was notified by MtGox that somebody had gain unauthorized access to Bitcoinica's MtGox account. I was also notified that most of the redeemable codes used in the heist were exchanged through AurumXchange on July 12.
* At the time I was on an extended weekend vacation with very limited internet access. I immediately notified Mark Karpeles at MtGox as well as Charlie Shrem at Bitinstant that I would take a closer examination of the situation on Tuesday upon my return.
* Upon closer examination of our database on Tuesday, I discovered that the hacker had indeed exchanged the MtGox coupons to Liberty Reserve through our instant exchange facility. The hacker had also exchanged Liberty Reserve back to MtGox presumably in an effort to conceal and/or "launder" the funds.
* Over all, the hacker exchanged a total of $61,875 USD from MtGox to Liberty Reserve, and a total of $17,500 Liberty Reserve to MtGox, for a grand total of $44,375 MtGox to Liberty Reserve. After our fees, this number amounts to approximately $40,000 USD.
* These orders were placed on our systems between 2012-07-12 11:46:48 and 2012-07-12 19:41:27 UTC.
* The IP addresses used by the hacker belong to TOR exit nodes to my understanding, and are as follows:

31.172.30.1
31.172.30.2
31.172.30.4
77.247.181.165
146.164.91.248
78.108.63.44

* The Liberty Reserve account used by the hacker is U9236056.
* The email address used by the hacker was stevejobs807@gmail.com.
* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.
* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.
* This information was immediately sent to our two biggest trusted business partners: MtGox and Bitinstant in an effort to join forces to further investigate this situation.
* Mark Karpeles indicated that there was an account opened at MtGox using the email stevejobs807@gmail.com sometime in 2011.
* Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location, that the email stevejobs807@gmail.com have been verified, and that ALL activity on this account is linked to the MtGox account belonging to Zhou Tong.
* Mark has also indicated that the very first operation on the MtGox account opened with email stevejobs807@gmail.com was the redeeming of a 10 BTC MtGox code generated from Zhou Tong's account.
* Charlie indicated that Erik Vorhees (a well known member of this community) has emails he exchanged with Zhou using the email address stevejobs807@gmail.com.

At this time, it appears that there is an overwhelming amount of evidence linking Zhou Tong personally to the Bitcoinica account hack at MtGox. Our legal department has advised us to freeze the funds for the exchange order mentioned above until further investigation by the authorities and/or legal proceedings are concluded.

Both Charlie and Mark have informed the current Bitcoinica owners of the situation and advised to start legal proceedings as soon as possible.

Posts corroborating this information from both MtGox and BitInstant will follow. I am technically on vacation until mid august with limited internet access, however, I will attempt to answer any questions the community might have as often as possible. Please understand that some information will not be released until all legal proceedings have been concluded.

Sincerely,

Roberto Gutierrez
General Manager
The AurumXchange Company
https://www.aurumxchange.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iQEcBAEBAgAGBQJQEMmpAAoJECR5FGDHgkwDCqMH/Awy/Tjtqw9p/vzVh/ewoYgq
CPCSjWn1OUZGGkCMeA/ZwkPHV8/FgsQqBTfHJKy7OBZPaRyL7KTynFo6/BfUSCiO
tWz4QtRXE8hAV5uJNq6BtUvsSD9LXUFWanSEOZS9mApsmP5jmDc3S7JfBEDHli1w
zE9DXJR5jHQmvloRgafIQNxQq8BK7DKG25LpltXCURpVqWFkmulGsMuCqZ9wV0cb
fP92Hf4U+FnwSiM5TfZDwtOhbub9E6ilzPHBmfOjuneSEN1S49Zq3wl1wv0sHUda
2fJ4jVONpOc6S3pvGN7Jb0pdcUJQtujiOcnc+YbKa1EFBjZYY0WBnJL1EVARy4Q=
=TFJe
-----END PGP SIGNATURE-----


We would like to make a few points:

  • I want to thank Roberto for leading the investigation on this one with Mark and myself. We pooled together our resources to connect the dots and paper trail. This just shows that even competitors can work together for the better of the Bitcoin community.
  • I can confirm that both Tihan from Bitcoinica LP and Patrick from Bitcoin Consultancy were both alerted about this investigation personally face-to-face by me. I urged them to seek legal action and request clarification from Zhou. I also requested that they decline him further access to any funds in any of the accounts.
  • Both assured me separately that action is being taken on this front and on the claims front. They assured me that the claims process will continue pending legal clarifications.
  • As you can imagine, we had to keep this information to ourselves for 10 days or so until we can completely verify all the information we presented here.

As more information comes to light and verified, we will release it to you as soon as possible.

Thanks,

Charlie, Bitinstant.

As representative of MtGox, I do confirm the following facts:

  • Upon hack of Bitcoinica's account on our platform, a large number of redeemable codes have been issued. Seeing a large volume of codes emitted by Bitcoinica didn't alert us at first as we assumed those were funds returned to Bitcoinica customers, however we were made aware it was not the case upon posting on this forum by Genjix about the account hack. We noticed that most of those codes were sent to AurumXchange.
  • Codes were all generated from IP 184.22.31.180 (184-22-31-180.static.hostnoc.net)
  • During the investigation, AurumXchange asked us if we knew anything about email address stevejobs807@gmail.com which was used by the hacker according to AurumXchange. We found an account under this email which had some activity back in 2011, with access from both an IP at Microsoft Singapore then an IP at Amazon EC2 and which initial funds are deposited from an account known to belong to Zhou Tong.
.
While we have no definitive proof at this time, there is a definitive need for a proper investigation of what happened there. We have got no reply at this time from Bitcoinica LP and its representatives/owners regarding this matter despite many requests.


My email stevejobs807@gmail.com was last accessed from 62.113.219.5 on July 13. The password has not been changed by the hacker (but I have changed just now).

There was an auto-forwarding to ryan@xwaylab.com (which is another email address of mine). However it has been changed to bitcoinicasucks@hotmail.com (which is the email that was used to send the "Bitcoinica is done" email to verify@bitcoinica.com). Of course I couldn't be notified about any email since the change.

The email account had a heavily-reused password (for the sites that I don't intend to share any private data), *at least* it was used on LinkedIn and many other websites.

I have several email communications between stevejobs807@gmail and other email accounts controlled by me, including a testing ticket for Bitcoinica's ZenDesk trial. The email address has never been publicised.

Important discovery in recent emails (all times are in UTC+8):

The hacker registered a Liberty Reserve account U9236056 at Jul 12, 2012 9:42 PM.

There was several emails from Liberty Reserve mentioning "Verification PIN". It can be seen that the liberty reserve account was accessed by at least: 78.108.63.44, 212.84.206.250 and 31.172.30.1.

There were many transactions done at F1ex.com, possibly used to launder Bitcoin. (I checked just now, F1ex.com provides anonymous fixed-rate BTC exchange service.)

The hacker signed up for OKPAY, with IP 31.172.30.1.

The hacker requested a sell-order on AurumXchange, totalling $5000, using the suspicious Liberty Reserve account mentioned by OP. A Chinese bank account was used (Account name: LIU HAIPENG, Account number: 6222020903006086032, Bank: INDUSTRIAL AND COMMERCIAL BANK OF CHINA).

Order link: https://www.aurumxchange.com/order/view/34011/e5b466248e041ebdf2ae793181a840dc

The hacker has also opened a ticket under his own name: https://www.aurumxchange.com/help/ticket.php?track=NLY-9AG-E468&Refresh=24195

He mentioned that I sold him the Mt. Gox codes at half price, which is absolutely not true. It seems that the hacker was trying to relate this event to me as an individual, and this possibly explains the reason that he wanted to "hijack" the email account. All my other email accounts did not have any suspicious access records and their passwords are all secure and different.

This is my *own* genuine transaction at AurumXchange: https://www.aurumxchange.com/order/view/33100/3c05a9a572379bf91620302cc9dd7d22

And my ticket to question the funds: https://www.aurumxchange.com/help/ticket.php?track=J6W-EY3-ZY2U&Refresh=47091

It's important to note that the first time I gained any knowledge about the email being misused is through this thread. Neither AurumXchange nor Mt. Gox has provided me any specific information about the suspicion. Otherwise I could have checked that email account earlier.

I'm willing to co-operate with any ongoing investigation and obviously I'm not trying to run away from this. I have already provided Mt. Gox with my certified copy of passport in an attempt to unlock my account with some Bitcoin balance.


The important truths

Truth 1: My $40K LR transaction is legitimate at AurumXchange, associated with a friend in Singapore.
Truth 2: All my assets at Mt. Gox, my wallet balances, my recent Bitcoin transactions and the 5,000 BTC compensation are from legitimate sources.
Truth 3: I had no knowledge of myself being suspicious until the public statement was posted by AurumXchange. There's no possible way of me being involved in the investigation earlier.
Truth 4: Even though there's evidence showing that I'm linked to this hack, I have absolutely no relationship with all previous hacks.
Truth 5: If either AurumXchange or Mt. Gox had communicated their investigation with me earlier, there wouldn't be so many wrong interpretations and assumptions and this thread could have come out much earlier.
Truth 6: I didn't steal the money.

Who is Chen Jianhai?

Chen Jianhai is my previous business associate. He was very familiar with credit card fraud and by my observations he's quite active in financial black markets. He didn't know much technical stuff personally but he has many technical people working with him everyday. He heard about Bitcoin from me last year from a random chat, and I have not communicated with him this year.

Did he admit the wrong-doing?

Surprisingly, yes. He strongly denied at first, but he changed his attitude entirely when I mention that this matter is an international-scale crime, and intelligent netizens from all over the world are actively investigating this matter. And I also told him that the accidentally exposed a bank account number. (He claimed that it was a debit card purchased from black market.)

He used my secret identity because he felt that "it would be impossible to discover the hacker" and "it would be much easier to deny if the suspect account is an insider because you (Zhou Tong) can always distract people from investigating". I have repeatedly said that I have zero tolerance in this matter and I will report all his information, including his real bank account number and address to the police once the official investigation has started.

How did he do it?

He said one of his co-workers was quite active in Chinese Bitcoin community and he had noticed the source code of Bitcoinica being leaked. The reason that he (the technical guy) knew the correlation between the Mt. Gox API key and the LastPass master password remains unknown. I have only communicated this password in-person with Tihan in Chimelong Hotel (Guangzhou) lobby once in February this year and I'm quite sure that no one else has paid any attention to our conversation.

He was unwilling to share more information about the specifics of the hack, but he remembered that he only thought of using my secret identity *after* he was able to withdraw money from Mt. Gox. It was possible that he only withdrew the Bitcoins first, and then a few moments later, the USD.

Also he revealed an important piece of information not mentioned in the public statements: He used the Mt. Gox account of Chris Heaslip, which is a verified account, to deposit some Mt. Gox code and buy Bitcoins with the money, and withdrew all of them. This account's credentials were also in the LastPass account.

In the entire process, he used My Wallet (Blockchain.info) with Tor to access the Bitcoins, and he transferred some Bitcoins to his servers in United States as well. The IP 184.22.31.180 (which was used to access Mt. Gox accounts) is actually zeraba.ddns.info. This is actually a public SSH proxy server for some Chinese users to bypass the national firewall with randomly rotating passwords. He had attempted to access the Mt. Gox accounts with Tor and he failed (note: Mt. Gox bans all Tor exit nodes).

How about the money?

He's a multi-millionaire in China living with a family. I'm not sure how much of his money comes from illegal sources but he has a genuine interest in relic collections and he has made a lot of money from speculating precious collections.

After my warning, he seemed unwilling to return the funds. However, I have threatened him with reporting his information to the police. He later more or less agreed to return the funds to Bitcoinica users, under the condition that Bitcoinica will no longer pursue the case (and Bitcoinica isn't pursuing at the moment) and I keep his other personal information secret.

I'm currently in a moral dilemma because even though I don't have definitive proof that Chen Jianhai is indeed a long-time criminal with an active presence in stolen credit cards and possibly other hacks, it might be worthwhile to pursue with police investigation so that justice can be served. However doing that will significantly delay the claiming process of Bitcoinica and the Chinese police may not be willing or capable to effectively investigate or co-operate in this matter. Otherwise I can always get all the stolen funds from him first. The only evidence in my email account was a credit card fraud case of only a few hundred dollars, which isn't very significant compared to the Bitcoinica hack.

Currently I'm very willing to co-operate with any investigation because this is the only way I can completely prove my innocence. However the non-reponse from Bitcoinica side is indeed worrying. I have gathered some data to estimate the amount that can be recovered from Chen Jianhai:

USD: about $140,000 + $5000 frozen at AurumXchange (under SJ account)
BTC: about 20,000 BTC

There's an unknown amount of funds left in Chris Heaslip's account and I have no way of knowing the exact balance.

It's important to note that the pending $40,000 transaction at AurumXchange is my genuine transaction, so it can be used to offset the USD payment. And also all Bitcoin balances in my Mt. Gox account are mine, and it shouldn't be used to further compensate Bitcoinica customers as well.

However, my previous donation of 5,000 BTC and community donation of 101 BTC were entirely separate from this matter and the claimants can rightfully hold on to the full amount. These funds come from my profits of previous sale at Bitcoinica, and I genuinely feel that Bitcoinica users deserve the early compensation due to them being affected by the inefficiencies of Bitcoinica's operations.

Chen Jianhai was only able to offer the above-mentioned amount due to the cost of his laundering activities and also the significantly lower Bitcoin price when he cashed out. If Bitcoinica or the community wants him to cover the full amount at today's prices, I'm willing to co-operate with any police investigation. But either case, my previous donation should have pretty much covered the difference.

It's up to Bitcoinica to appoint a bank account and also a Bitcoin address so that Chen Jianhai (or possibly I) can return the funds. AurumXchange can either return the $40,000 to me, or send the funds to Bitcoinica's nominated account (in which case another $100,000 will be sent to Bitcoinica from Chen Jianhai or me).

About my situation

I'm not asking him to transfer to me or to anyone else the amount today because it can be illegal to possess such funds until Bitcoinica has provided any written form of authorisation and/or agreement (so that I won't be wronged again because of arranging the return of the stolen funds).

It's important to note that I have been, I am and I will always be standing on the side of Bitcoinica customers, regardless of my position and situation at Bitcoinica. I have absolutely no tolerance of illegal activity of any kind, especially those damaging my personal reputation.

I promise that I have honestly reported the amounts and 100% of those recovered from Chen Jianhai will be returned to Bitcoinica's customers. At the same time, I have to emphasise that Bitcoinica should return the amounts to customers as quickly as possible, so that the company and related people will not get into serious legal troubles. It's my best interest to make Bitcoinica's customers happy so that this issue will not have further impact on my future careers.

I have no problem of either formal police investigation, or returning the funds without police investigation. I would prefer the former so that my name can be cleared, but I guess that some Bitcoinica customers may choose the latter.

Sitenote: I have released an improved design of NameTerrific (https://www.nameterrific.com/), which I finished during my lunch break, until AurumXchange's statement was posted.

I have located a suspect, his name is 陈建海(Chen Jianhai). He's NOT my friend and we have never met in person. He was one of my previous business associates because he's very familiar with credit card fraud and he advised me a lot (in terms of fraud prevention, of course) when I built my virtual goods payment processor in late 2010.

He has knowledge of my secret gmail address and I have once re-used the password in his web shop

His English is not very proficient and I'm sure that he's not reading this forum at the moment. I'm giving him a call now to persuade him to admit his wrong-doing and return the funds.

I'll post another thread soon.

Updated with notable quotes.
sadpandatech
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500



View Profile
July 26, 2012, 04:56:45 AM
 #6

HOLY FUGGIN SHIZ...  Well, that explains why they(reamining Bitcoinica admin) finally decided to lock out some of the access ZT said he still had just a few days ago.



WOW, just speachless.



THANK YOU a thousand times, Roberto Gutierrez and crew!!!!!





Question;  Are you able to query LR for more info on the U9236056 account?




ZT, man. For being such a highly intelligent guy, you are not so bright. And I don't mean for getting caught. I mean for assuming these people aorund here won't travel to your ass.......

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
TheButterZone
Legendary
*
Offline Offline

Activity: 3024
Merit: 1031


RIP Mommy


View Profile WWW
July 26, 2012, 05:00:30 AM
 #7

Quick, someone check if that gmail account has the same pass as the API key!

Saying that you don't trust someone because of their behavior is completely valid.
MrTeal
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 26, 2012, 05:01:04 AM
 #8

Sigh... kiba, what say you now?
repentance
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
July 26, 2012, 05:01:54 AM
 #9

It's good to see the exchanges co-operating with each other for the benefit of the community.

While it's obvious that users won't get their funds back any time soon, if at all, at least people now have a clearer idea of what really went down.  




All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
phungus
Full Member
***
Offline Offline

Activity: 128
Merit: 100


I'm doin' fine on cloud 9


View Profile
July 26, 2012, 05:02:43 AM
 #10

Oh wowie! I had a feeling!

I can do stuff
kiba
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 26, 2012, 05:05:47 AM
 #11

Very interesting information.

However, I will reserve all judgement as a member of this community until the criminal/civil legal proceeding is complete. The accusation is heavy for a person who have his whole life ahead of him. If Zhou Tong is responsible for the theft, I hope he will do the right thing and return the funds promptly and quickly as possible so that bitcoinica customers can move on with their lives.

theymos
Administrator
Legendary
*
Offline Offline

Activity: 5138
Merit: 12565


View Profile
July 26, 2012, 05:10:19 AM
 #12

It seems proven that Zhou Tong owns stevejobs807@gmail.com, but how did you verify that the hacker controls this email address?

* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore.

How do you know that Zhou Tong owns this account?

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
sadpandatech
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500



View Profile
July 26, 2012, 05:11:11 AM
 #13

Very interesting information.

However, I will reserve all judgement as a member of this community until the criminal/civil legal proceeding is complete. The accusation is heavy for a person who have his whole life ahead of him. If Zhou Tong is responsible for the theft, I hope he will do the right thing and return the funds promptly and quickly as possible so that bitcoinica customers can move on with their lives.


One can sure preserve their faith in humanity and not be faulted for it. I don't blame you, m8.



Sadly, ZT's little show of guilty conscience by doing that quick 5k claim, oh I feel so bad for everyone here is a mere pitance of what I took, would tell me that he had washed himself of feeling bad and moved one at that point.  Or, it was just a lame attempt at further trying to distance himsself from the suspect spotlight.


The whole thing literally just gave me heartburn. And I lost 0 coins there. :/

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
neofutur
Full Member
***
Offline Offline

Activity: 146
Merit: 100



View Profile
July 26, 2012, 05:13:30 AM
 #14


  • Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location,
fyi same microsoft ip was used by zhou tong on freenode IRC #bitcoinica since October 19 2011

log extracts from October 2011

Code:
2011-10-19 12:13<  neofutur> zhoutong: I m trying bitcoinica and I like it
2011-10-19 12:13<  neofutur> but . . . i m pretty much afraid by your ip / whois
2011-10-19 12:14<  neofutur> is bitcoinica a microsoft owned or sponsored project ?
2011-10-19 12:18<  neofutur> (12:12) -!- zhoutong [~zhoutong@111.221.80.132]
2011-10-19 21:52-!- zhoutong [~zhoutong@111.221.80.132] has quit [Read error: Connection
                   reset by peer]
2011-10-19 21:54-!- zhoutong [~zhoutong@111.221.80.132] has joined #bitcoinica

kiba
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 26, 2012, 05:14:18 AM
 #15

Sigh... kiba, what say you now?

You can quibble over my judgement over previous line of evidence, but now I updated my belief about this incident to 80%(and increasing) probability of an inside job.

However, I will assume Zhou Tong innocent until the legal proceeding is resolved or Zhou Tong admit to the theft.

repentance
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
July 26, 2012, 05:18:58 AM
 #16

It seems proven that Zhou Tong owns stevejobs807@gmail.com, but how did you verify that the hacker controls this email address?

* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore.

How do you know that Zhou Tong owns this account?

Zhou admitted on here the other day that he sold a large amount of Liberty Reserve following the hack - people had already noticed the transactions and asked him about them.  He said he did it "for a friend".

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
kiba
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 26, 2012, 05:19:55 AM
 #17

Zhou admitted on here the other day that he sold a large amount of Liberty Reserve following the hack - people had already noticed the transactions and asked him about them.  He said he did it "for a friend".

Can you extract the log saying why he did it?

ElectricMucus
Legendary
*
Offline Offline

Activity: 1666
Merit: 1057


Marketing manager - GO MP


View Profile WWW
July 26, 2012, 05:21:25 AM
 #18

To be honest that comes out not as big as a surprise....  Roll Eyes

The only question I have is: Why wasn't that information made public sooner?
Bitcoin Oz
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Wat


View Profile WWW
July 26, 2012, 05:23:33 AM
 #19


Zhou Tong has some explaining to do. Perhaps on #bitcoin-court

kiba
Legendary
*
Offline Offline

Activity: 980
Merit: 1014


View Profile
July 26, 2012, 05:23:58 AM
 #20

To be honest that comes out not as big as a surprise....  Roll Eyes

The only question I have is: Why wasn't that information made public sooner?

They were...investigating? I mean, we are talking about a prominent bitcoin community member who have a big reputation(which is now busted). Would you accuse a person who seems so trustworthy without a lot of investigating? I think not.

Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!