Public STATEMENT Regarding Bitcoinica account hack at MtGox

[repentance]

For now, I don't have to convince people of my innocence. Just like what I have always been, I'm taking real actions to solve the puzzle. I discovered that the hacker used my email on various sites, including many e-commerce sites to attempt credit card fraud. It shouldn't be too hard to get his name and address because I control the email anyway.

And then you can give his name and address to the police when you report the credit card fraud.

Seriously, nobody involved with the Bitcoinica clusterfuck has done themselves any favours whatsoever by refusing to report these incidents to law enforcement.  Playing Nancy Drew is well and good but after all these incidents it actually starts to damage everyone's credibility because it make it appear like you're all afraid of outside investigation of these events or giving someone time to cover their tracks.

[1713565663]

1713565663

[1713565663]

1713565663

[markm]

I am not surprised that the hacker sent the money to Zhou, as soon as I heard that USD had been moved out my first thought was that the obvious place to move USD was to some sucker you want to incriminate, being as how USD is not all that easy to hide the movements of. Surely no sane hacker would move the USD to their own account? Maybe to some stolen accounts if they have a bunch, but do stolen accounts last long enough to move USD through them? Seems dubious. Far better to send them to Gavin's bank account if you know it, or who-ever's you do know that would be really lulzworthy to incriminate...

-MarkM-

[Phinnaeus Gage]

I hope everyone can comment with more reasoning and less assumptions. I'm trying my best to calm down and attempt to get more information about the hacker, because he also used my email for a credit card fraud case. It's possible to discover something at that direction.

I have also listed a few people who know this secret email of mine. And I'm going to question them one by one tonight.

I'm definitely on the side of Bitcoinica customers and I believe that if the real hacker really had ties with me personally like what MagicalTux said, I may be able to recover majority of the amount back if the hacker can be warned. This issue is very serious and if I'm the hacker, I would definitely return the full amount back to reduce the criminal punishment.

The hacker seems to be a Chinese because he used Chinese punctuations in his English messages in the Aurumxchange ticket.

I will provide any information needed to the police once Bitcoinica files a police report.

The hacker has now been warned and has returned all the stolen funds in 5...4...3...

(I have no idea how I got two pages behind in such a short period of time, so if the above has for real happened already, forgive me)

[zhoutong]

I am not surprised that the hacker sent the money to Zhou, as soon as I heard that USD had been moved out my first thought was that the obvious place to move USD was to some sucker you want to incriminate, being as how USD is not all that easy to hide the movements of. Surely no sane hacker would move the USD to their own account? Maybe to some stolen accounts if the have a bunch, but do stolen accounts last long enough to move USD through them? Seems dubious. Far better to send them to Gavin's bank account if you know it, or who-ever's you do know that would be really lulzworthy to incriminate...

-MarkM-

The hacker didn't send the funds to me.

The hacker has done a transaction, sending $5000 to a Chinese bank account.

I have done another transaction, sending $40K to my own account, and it's perfectly legitimate and totally unrelated.

The popular confusion is pretty serious now...

[zhoutong]

I hope everyone can comment with more reasoning and less assumptions. I'm trying my best to calm down and attempt to get more information about the hacker, because he also used my email for a credit card fraud case. It's possible to discover something at that direction.

I have also listed a few people who know this secret email of mine. And I'm going to question them one by one tonight.

I'm definitely on the side of Bitcoinica customers and I believe that if the real hacker really had ties with me personally like what MagicalTux said, I may be able to recover majority of the amount back if the hacker can be warned. This issue is very serious and if I'm the hacker, I would definitely return the full amount back to reduce the criminal punishment.

The hacker seems to be a Chinese because he used Chinese punctuations in his English messages in the Aurumxchange ticket.

I will provide any information needed to the police once Bitcoinica files a police report.

The hacker has now been warned and has returned all the stolen funds in 5...4...3...

(I have no idea how I got two pages behind in such a short period of time, so if the above has for real happened already, forgive me)

He probably doesn't know that. I have received another email just now and it seems that the hacker isn't aware of this thread at all:

https://www.aurumxchange.com/help/ticket.php?track=Y72-1AN-3Y4H&Refresh=32888

[blakdawg]

Is there anyway someone could "spoof" an IP Address to make it seem like it was coming from somewhere it really wasn't?

Highly unlikely, these are TCP/IP connections we are talking about.

But there's no particular guarantee that the person ultimately in control of the computer system is located in the same place as the computer furthest down the chain - so yes, if an exchange or an E-mail provider participates in a TCP/IP session with a computer that appears to be in China, it's very unlikely that the computer system at the other end of the TCP connection is really in Los Angeles or Moscow.

But we don't know if that computer in China is relaying packets for, or controlled by, someone who's sitting in another city on another continent and using SSH tunnels or VPN service or a rented VPS or an open (or secret) proxy to hide the origin of their activity.

The only way to figure that out is to walk up the chain, find out who was connected to the last server in the chain, then find out where that connection came from, then find out where that connection came from, and so forth.

For all we know it's going to end up at an open WiFi hotspot at some coffee shop or in some suburban neighborhood somewhere with absolutely no record of who was connected.

However, if the unknown person(s) appear to control resources that are known to be controlled by particular individuals, it's a pretty good clue that either that person was involved, or they have shitty security.

How many times will the "I guess the account got compromised, someone guessed/found my password" excuse be used?

[caveden]

If I understand this correctly, the only "missing link" that would definitely prove Zhou to be guilty is the transfer from the LR account the hacker used to withdraw from Aurum to the LR account Zhou used the next day to deposit in Aurum and request the wire.

The only entity which can provide such information with authority is Liberty Reserve itself.
AurumExchange, MtGox and Bitinstant, please, try to contact Liberty Reserve, in an official manner. If they don't respond, try to reach them via lawyers or something. I know it's possible that they'll just ignore the requests, but you'll never be sure if you don't try.

Zhou Thong, if you are innocent as you claim, I guess the best take for you is to abandon your financial privacy and make it clear, at least for the 3 exchanges above, where did the funds come from, and where they were going to. If you can prove a clean source for this money, I guess your fine. Everybody knows you're rich, so you having such money is reasonable. It is just that there are so many coincidences in place that's perfectly natural everyone to be suspicious of you.

[Phinnaeus Gage]

The email account had a heavily-reused password (for the sites that I don't intend to share any private data), *at least* it was used on LinkedIn and many other websites.

I had to back-pedal to hunt something I thought I read, and re-found the above. Here, I believe he's hinting at how his password could have been gleaned--via the LinkedIn hack. Also note he covers up as to why he uses the same password on several accounts because there're not publicly shared. What is stated in Passwords 101 again?

Will you guys quit posting for I can catch up?

~Bruno~

[blakdawg]

About him attending college in Australia. Is there any proof of that besides him stating such.

The phone number in the AurumXchange transaction which Zhou says is his is a landline in the state of Victoria.  It would certainly be possible to ring it and find out the relationship of the person answering to Zhou.

This proves very little in these days of VoIP. It's relatively simple to have any phone number ring anywhere on the planet that's got Internet connectivity.

As I said, +61 3 9015 7926 is mine and the number is posted on NameTerrific.

That's nice - as far as I can tell, if I wanted to have an Australian phone number that rang here on my desk in California it would cost me $7 USD/month for unlimited inbound calls. I'm not going to bother signing up for one, but control of a phone number does very little to prove a person's physical location these days.

[MagicalTux]

The only entity which can provide such information with authority is Liberty Reserve itself.
AurumExchange, MtGox and Bitinstant, please, try to contact Liberty Reserve, in an official manner. If they don't respond, try to reach them via lawyers or something. I know it's possible that they'll just ignore the requests, but you'll never be sure if you don't try.

Unfortunately LR will not reply unless legal action is started, which is what we are also waiting for.

AurumXchange however can (and is actually required to) block funds suspected to be in relation of known criminal activity.

True, if nobody reports anything, there won't be any crime, hacker walks away and everything's fine. Thing is we believe there is a high chance that this time legal action will be started, and within that context funds were blocked.

It is not up to any of us to judge if funds should be unlocked, we should have an actual court with an actual judge do an actual investigation first.

[stochastic]

I hope everyone can comment with more reasoning and less assumptions. I'm trying my best to calm down and attempt to get more information about the hacker, because he also used my email for a credit card fraud case. It's possible to discover something at that direction.

I have also listed a few people who know this secret email of mine. And I'm going to question them one by one tonight.

I'm definitely on the side of Bitcoinica customers and I believe that if the real hacker really had ties with me personally like what MagicalTux said, I may be able to recover majority of the amount back if the hacker can be warned. This issue is very serious and if I'm the hacker, I would definitely return the full amount back to reduce the criminal punishment.

The hacker seems to be a Chinese because he used Chinese punctuations in his English messages in the Aurumxchange ticket.

I will provide any information needed to the police once Bitcoinica files a police report.

The hacker has now been warned and has returned all the stolen funds in 5...4...3...

(I have no idea how I got two pages behind in such a short period of time, so if the above has for real happened already, forgive me)

He probably doesn't know that. I have received another email just now and it seems that the hacker isn't aware of this thread at all:

https://www.aurumxchange.com/help/ticket.php?track=Y72-1AN-3Y4H&Refresh=32888

just easy simple or the biggest fake ever!!

So this superhacker is able to break into his computer yet he is this dumb now?  the hacker is smart enough to steal all this money but not smart enough to not even bother framing people as it leaves more evidence?  Come on.... or maybe steal a lot of bitcoins and make it seem like you are being framed.  It is like Basic Instinct, write a book of a crime before it occurs then it becomes the person's alibi.

[lonelyminer (Peter Šurda)]

I've asked this before (I believe twice), but never got an answer: Has anybody ever met Zhou Tong in person?

In the past I emailed with an operator of another Singaporean exchange, https://dgtmkt.com/ , and he said that even though he does not know Zhou in person, they have mutual friends.

[sadpandatech]

I hope everyone can comment with more reasoning and less assumptions. I'm trying my best to calm down and attempt to get more information about the hacker, because he also used my email for a credit card fraud case. It's possible to discover something at that direction.

I have also listed a few people who know this secret email of mine. And I'm going to question them one by one tonight.

I'm definitely on the side of Bitcoinica customers and I believe that if the real hacker really had ties with me personally like what MagicalTux said, I may be able to recover majority of the amount back if the hacker can be warned. This issue is very serious and if I'm the hacker, I would definitely return the full amount back to reduce the criminal punishment.

The hacker seems to be a Chinese because he used Chinese punctuations in his English messages in the Aurumxchange ticket.

I will provide any information needed to the police once Bitcoinica files a police report.

The hacker has now been warned and has returned all the stolen funds in 5...4...3...

(I have no idea how I got two pages behind in such a short period of time, so if the above has for real happened already, forgive me)

He probably doesn't know that. I have received another email just now and it seems that the hacker isn't aware of this thread at all:

https://www.aurumxchange.com/help/ticket.php?track=Y72-1AN-3Y4H&Refresh=32888

So a hacker compromised this gmail account of yours?
How long ago did you notice someone else was using the email account?
Why did you not contact services that this email account was used for to inform them?

I would really like a better timeline on this email account..??

[defxor]

What was Zhou's "secret" email account needed for? If new exchange accounts were opened (that is, no password resets on existing ones) then the only reason would be to incriminate Zhou - unless he's guilty.

Since it added an extra step on top on everything else (gaining access to the LastPass account being one) it skews the primary purpose of all this from gaining wealth to destroying someone personally.

Of interest: The earlier Bitcoinica hack statements indicated that the purpose was to destroy Bitcoinica as being bad for Bitcoin.

Btw, Zhou's email is not in the public list of stolen LinkedIn password hashes at least. I botched that, and don't know. I found it interesting that Zhou pointed out LinkedIn specifically.

If people only understood to never, ever, re-use passwords. Anywhere. For any purpose.

[Rarity]

It is not up to any of us to judge if funds should be unlocked, we should have an actual court with an actual judge do an actual investigation first.

Agreed, although it is clear Zhou Tong is innocent this case should be handled by the government.  The beauty of having government to solve issues like this is that they have the best interests of everyone involved at heart and only seek to find the truth of the matter and arrange to punish the guilty and give whatever restitution is possible to the victims.  A greater partnership between governments and the Bitcoin community is essential for assuring a positive outcome for this amazing currency.  

[sadpandatech]

It is not up to any of us to judge if funds should be unlocked, we should have an actual court with an actual judge do an actual investigation first.

Agreed, although it is clear Zhou Tong is innocent

no it is not clear...

And please respond to this, ZT;

I hope everyone can comment with more reasoning and less assumptions. I'm trying my best to calm down and attempt to get more information about the hacker, because he also used my email for a credit card fraud case. It's possible to discover something at that direction.

I have also listed a few people who know this secret email of mine. And I'm going to question them one by one tonight.

I'm definitely on the side of Bitcoinica customers and I believe that if the real hacker really had ties with me personally like what MagicalTux said, I may be able to recover majority of the amount back if the hacker can be warned. This issue is very serious and if I'm the hacker, I would definitely return the full amount back to reduce the criminal punishment.

The hacker seems to be a Chinese because he used Chinese punctuations in his English messages in the Aurumxchange ticket.

I will provide any information needed to the police once Bitcoinica files a police report.

The hacker has now been warned and has returned all the stolen funds in 5...4...3...

(I have no idea how I got two pages behind in such a short period of time, so if the above has for real happened already, forgive me)

He probably doesn't know that. I have received another email just now and it seems that the hacker isn't aware of this thread at all:

https://www.aurumxchange.com/help/ticket.php?track=Y72-1AN-3Y4H&Refresh=32888

So a hacker compromised this gmail account of yours?
How long ago did you notice someone else was using the email account?
Why did you not contact services that this email account was used for to inform them?

I would really like a better timeline on this email account..??

where else was this email account even known?  Who knew you used this email account for anything?

[caveden]

The only entity which can provide such information with authority is Liberty Reserve itself.
AurumExchange, MtGox and Bitinstant, please, try to contact Liberty Reserve, in an official manner. If they don't respond, try to reach them via lawyers or something. I know it's possible that they'll just ignore the requests, but you'll never be sure if you don't try.

Unfortunately LR will not reply unless legal action is started, which is what we are also waiting for.

They've already said that explicitly to one of you?
I imagined that AurumExchange being an important client of Liberty Reserve, they would be OK with at least saying Yes or No to the "Did such transfer happen?" question.
Anyways... guess the way is to start a criminal complaint then.

It is not up to any of us to judge if funds should be unlocked, we should have an actual court with an actual judge do an actual investigation first.

Seriously, you 3 together have done a much better investigation than any "actual investigation" most official judges or police bureaus in the world would. The only think you lack is "authority".

[caveden]

The beauty of having government to solve issues like this is that they have the best interests of everyone involved at heart and only seek to find the truth of the matter and arrange to punish the guilty and give whatever restitution is possible to the victims.

LOL

[MagicalTux]

It is not up to any of us to judge if funds should be unlocked, we should have an actual court with an actual judge do an actual investigation first.

Seriously, you 3 together have done a much better investigation than any "actual investigation" most official judges or police bureaus in the world would. The only think you lack is "authority".

We'd need details that can't be pulled out without authority to get definitive evidence.

[btcx]

Relevant?

Session Time: Fri Jul 13 00:00:00 2012
[00:49] * phantomcircuit (~phantomci@c-67-188-9-35.hsd1.ca.comcast.net) has joined #intersango
[00:49] * ChanServ sets mode: +o phantomcircuit
[01:01] * phantomcircuit sets mode: -o phantomcircuit
[01:01] * phantomcircuit is now known as steve_bobs

Session Time: Fri Jul 13 00:00:00 2012
[00:49] * phantomcircuit (~phantomci@c-67-188-9-35.hsd1.ca.comcast.net) has joined #bitcoinconsultancy
[01:01] * phantomcircuit is now known as steve_bobs

Session Time: Fri Jul 13 00:00:00 2012
[00:49] * phantomcircuit (~phantomci@c-67-188-9-35.hsd1.ca.comcast.net) has joined #bitcoinica
[01:01] * phantomcircuit is now known as steve_bobs