BTC-E.COM NICE RECOVERY FROM THE HACK! =)

[dree12]

From the BTC-E chat box:

MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed

That can't be good, but how do we know he wasn't just trollololing?

There is no reason not to suspect a database leak.

The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database.

What confuses me is why they did not simply hack the BTC in.

They wouldn't be able to withdraw fake BTC.

Why not?

[Bitcoin Oz]

Site is down now.

[jwzguy]

Um... no. 2.18 of it to: 12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav

http://blockexplorer.com/address/12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav
0BTC
Did you get any out successfully?

[hazek]

Site is down now.

Not for me.

[tiberiandusk]

From the BTC-E chat box:

MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed

That can't be good, but how do we know he wasn't just trollololing?

There is no reason not to suspect a database leak.

The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database.

What confuses me is why they did not simply hack the BTC in.

They wouldn't be able to withdraw fake BTC.

Why not?

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

[terrytibbs]

I think it's time for the anonymous Russians to abandon ship!

[BkkCoins]

Isn't the BTC-E exchange the one I reported here and said beware some months ago? Or maybe I'm getting mixed up.

Another one of these, "oops we were hacked" scams. Someone there is selling people's BTC on them and the USD will vanish soon. Any users have BTC there that seem to be missing from their account now?

[dree12]

From the BTC-E chat box:

MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed

That can't be good, but how do we know he wasn't just trollololing?

There is no reason not to suspect a database leak.

The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database.

What confuses me is why they did not simply hack the BTC in.

They wouldn't be able to withdraw fake BTC.

Why not?

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

There's no practical difference between "fake" and "real" BTC or USD on an exchange. It can be withdrawn regardless. USD usually is more easily traceable, freezable, and is more dangerous, which is why the hacker could not withdraw that way.

[finkleshnorts]

OMG... I had 180 Bitcoins there... Jesus...

My latest withdraw at btc-e webpage says "confirmed", but nothing reached my wallet yet.

40 Bitcoins was "sold" there... And 140 Bitcoins are stucked at some point there... In Russia... Damn!

Jesus no, please no...

[Yankee (BitInstant)]

The part of BitInstant reserves being leaked is false, our books are accurate

[AndrewBUD]

The excitement around here never ends

[DeathAndTaxes]

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude.  All exchanges use a pooled wallet.  There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange.  The exchange simply has one (or more) hot and/or cold wallets.  Then they maintain a database of each user's balance, and trades change those balance.     One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds.  Hacker found a way to add USD to his USD balance.  Once had had that why try hacking any further.  Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

[TTBit]

Um... no. 2.18 of it to: 12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav

http://blockexplorer.com/address/12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav
0BTC
Did you get any out successfully?

No, that is first few. Waiting for some confirms.

[dree12]

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude.  All exchanges use a pooled wallet.  There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange.  The exchange simply has one (or more) hot and/or cold wallets.  Then they maintain a database of each user's balance, and trades change those balance.     One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds.  Hacker found a way to add USD to his USD balance.  Once had had that why try hacking any further.  Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

[tiberiandusk]

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude.  All exchanges use a pooled wallet.  There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange.  The exchange simply has one (or more) hot and/or cold wallets.  Then they maintain a database of each user's balance, and trades change those balance.     One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds.  Hacker found a way to add USD to his USD balance.  Once had had that why try hacking any further.  Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

I understand all that. What I was saying is that simply putting 50000 in the BTC balance box doesn't mean there is actually 500000 BTC there.

[bg002h]

Perhaps someone at BTC-E got hacked, and bought all the BTC they could.

If so, they may not be able to withdraw.

I vote hack vs. scam vs. clever stunt by the exchange to get more deposits.

[adamstgBit]

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude.  All exchanges use a pooled wallet.  There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange.  The exchange simply has one (or more) hot and/or cold wallets.  Then they maintain a database of each user's balance, and trades change those balance.     One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds.  Hacker found a way to add USD to his USD balance.  Once had had that why try hacking any further.  Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

if BTC-e wasn't protected against  SQL injection.... that's just sad...

[adamstgBit]

Perhaps someone at BTC-E got hacked, and bought all the BTC they could.

If so, they may not be able to withdraw.

I vote hack vs. scam vs. clever stunt by the exchange to get more deposits.

i lol'd 

[Chalkbot]

Is there a reliable way of knowing how many of these fraudulently purchased BTC made it out of the exchange?

[ydenys]

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?