Slashdot Mirror


Hackers Allege Mt. Gox Still Controls "Stolen" Bitcoins

The Verge reports that "Tokyo-based Bitcoin exchange Mt. Gox lost $400 million worth of bitcoins in February. Its management said the amount was stolen after hackers exploited a transaction bug to divert the funds, but some of Mt. Gox's users are not so sure, suggesting instead that the exchange's owners pocketed the cash. Now, facing silence from those owners about the fate of the money and the methods by which 6 percent of all of the Bitcoin in the world could have been stolen, a group of hackers claims it has broken into the bankrupted Bitcoin exchange's network to get answers. ... Forbes reports that the group gained access to the personal blog and Reddit account of Mark Karpeles, Mt. Gox's CEO. The hackers used the platforms to post a message that claimed Karpeles still had access to some of the bitcoins that he'd reported stolen. In support of the claim, they uploaded a series of files that included a spreadsheet of more than a million trades, Karpeles' home addresses, and a screenshot purportedly confirming the hackers' access to the data." (The Forbes article on which the Verge report is based.)

33 of 228 comments

  1. Still seems like it has to be an inside job by DarkOx · · Score: 5, Insightful

    I tend to think it has to be an inside job that is being run by folks pretty high up. Any kind of really, really basic accounting and inventory control should have uncovered more coins going out than the transaction register indicates. This transaction malleability issue supposedly went on for months.

    Even a badly run business should have detected a problem like this within a time frame of weeks, whenever their next month end came up. It would have been impossible to balance the books, unless someone was simply not doing them or cooking them.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:Still seems like it has to be an inside job by delt0r · · Score: 5, Informative

      Well, I was on contract to fix bugs in a telco accounting system where they could only find the missing cash every 3 months when a manual audit was done. Transaction volumes were a little over 1 billion per year, however, and it was only a million or so missing every 3 months.

      --
      If information wants to be free, why does my internet connection cost so much?
    2. Re:Still seems like it has to be an inside job by Splab · · Score: 5, Insightful

      Why high up? Most articles about Mt. Gox talk about lax security and bad change management.

      They had half a billion dollars worth of bitcoins, a "currency" which is extremely hard to track and ridiculously easy to steal if you have the keys to the city. Stealing half a billion dollars (without being a bank) requires a truck and some heavy lifting - a developer stealing the wallets and nuking the database takes only a few seconds and very little lifting.

      I find it harder to believe it took so long for someone to steal it...

    3. Re:Still seems like it has to be an inside job by Anonymous Coward · · Score: 3, Insightful

      I think the so-called 'lax security' was simply a ploy to generate plausible deniability for the fat cats at the top. There's no other reasonable explanation.

    4. Re:Still seems like it has to be an inside job by ras · · Score: 5, Informative

      Consider these Mt. Gox losses:

      • June 2011: seller's administrator account was hacked by an unknown process. The privileges were then abused to generate humongous quantities of BTC. None of the BTC, however, was backed by Mt. Gox. The attackers sold the BTC generated, driving Mt. Gox BTC prices down to cents. They then purchased the cheap BTC with their own accounts and withdrew the money. ... Many customers claim they have lost money from this reversion, but Mt. Gox claims it has reimbursed all customers fully for this theft. After the incident, Mt. Gox shut down for several days.
      • June 2011: Users with weak passwords on MyBitcoin who used the same password on Mt. Gox were in for a surprise after the June 2011 Mt. Gox Incident allowed weakly-salted hashes of all Mt. Gox user passwords to be leaked. These passwords were then hacked on MyBitcoin and a significant amount of money lost.
      • October 2011: Mt. Gox accidentally destroyed 2609.36304319 bitcoins.
      • July 2012: A hacker infiltrated the Mt. Gox account used by Bitcoin Syndicate, sold off the USD owned, and withdrew all balances.
      • July 2012: On July 13, 2012, a thief compromised the Bitcoinica Mt. Gox account. The thief made off with around 30% of Bitcoinica's bitcoin assets.

      But for any programmer, none of this is a surprise given he hacked up an ssh server in PHP, then deployed it on a production server.

    5. Re:Still seems like it has to be an inside job by rmdingler · · Score: 4, Interesting

      Interesting. Missing 1/1000th of the annual billion+ transactions every quarter can be found by a manual audit, but not detected by programmed oversight?

      Wait, it's those damn programmers, huh?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    6. Re:Still seems like it has to be an inside job by JoeMerchant · · Score: 4, Insightful

      I think what people miss is that they didn't have a half billion USD worth of currency when they set things up. When they set things up, BTC was trading for less than 1% of today's values, and (just speculating here) a couple of years back they probably had a small fraction of the BTC that they have today (had a few months ago, at least...). So, the half billion USD peak might have only been a hundred thousand or so when the organization started to "get serious."

      When your organization's total assets are less than a year's salary of a good software engineer, odds are, you don't have a good software engineer on staff full time to make sure things like change management are happening properly. Ditto for accounting and audits.

      Should they have hired up proper staff when assets started to resemble Scrooge McDuck's vault? Yep, they sure should have. Think about how long it takes to hire good people when you're looking for them. Now think about how long it takes management to start looking for good people, even when they have a clearly demonstrated need, but no immediate crisis.

      Not that I trust a damn thing written about fund managers on prospectuses, but this is why people should be looking for years of experience in relevant fields in the team that manages an investment. Then, when the fund goes bust and it turns out that the prospectus was a pack of lies, some lawyers can make a little money suing the bastards until they only have their offshore accounts left to live on.

    7. Re:Still seems like it has to be an inside job by delt0r · · Score: 5, Insightful

      Financial systems I have worked on have never used floats. It's integers. Either just cents, or 10ths of a cent. Or 2 integers for dollars and cents. There are rounding rules for this sort of thing.

      --
      If information wants to be free, why does my internet connection cost so much?
    8. Re:Still seems like it has to be an inside job by DarkOx · · Score: 3, Insightful

      That would be my guess, or perhaps it just enabled the theft in the first place by creating a culture where nobody will ask any questions, being aware the documentation and logs won't exist to provide answers.

      If someone in authority was making a routine habit of bypassing organizational policies, or thwarting security controls, some pesky honest person might start to scrutinize their behavior and might even blow a whistle. On the other hand, if there are no policies and no security controls, then nothing anyone does, malicious or otherwise, is going to seem strange enough to stick one's neck out over.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    9. Re:Still seems like it has to be an inside job by Ralph+Wiggam · · Score: 4, Insightful

      There's no other reasonable explanation.

      So there's absolutely no chance that people who created a web site to trade Magic The Gathering cards, then hastily modified it to trade bitcoins, could possibly get in over their heads technically and financially?

  2. Anonymous cryptocurrency, who to trust? by Rick+in+China · · Score: 4, Interesting

    Given how easy it would be to get away with the theft of anonymous cryptocurrency, I am surprised there aren't far more 'hacks' where exchanges rob all they can from their customers and then close up shop. I know it has happened in China on much smaller scales, and I'm sure it will happen many more times; the question is who can you possibly trust with something that can be so easily disappeared?

    1. Re:Anonymous cryptocurrency, who to trust? by Anonymous Coward · · Score: 5, Funny

      who can you possibly trust with something that can be so easily disappeared.

      If only there was some kind of existing business that had heavy government oversight that could take care of that issue.

    2. Re:Anonymous cryptocurrency, who to trust? by Z34107 · · Score: 4, Insightful

      who can you possibly trust with something that can be so easily disappeared

      No one, which is why you don't. There's no reason to keep your bitcoins in an "online wallet," or maintain a balance in an exchange, just like there's no reason to keep your life savings in PayPal.

      --
      DATABASE WOW WOW
    3. Re:Anonymous cryptocurrency, who to trust? by Anonymous Coward · · Score: 5, Insightful

      Right, instead you should keep it in an offline wallet! Just like how it's smart to keep your life's savings in an actual, physical wallet!
      Oh wait, no, that's fucking retarded.

      This is (one of) the (many) problem(s) with bitcoin: no one can actually come up with a sane answer of how you are supposed to store it safely. Trust it to an exchange and you're basically no better off than trusting real money to a bank -- worse off, in fact, because the lack of regulations means that if the exchange takes your money and runs you're SOL, while if a bank takes your money and runs it will be reimbursed (up to a limit) courtesy of the FDIC. Keep it in an offline wallet and you can be sure that no banker can abscond with it, but now your life's savings are tied to a single, stealable object.

    4. Re:Anonymous cryptocurrency, who to trust? by gox · · Score: 4, Interesting

      the question is who can you possibly trust with something that can be so easily disappeared.

      The answer is to never assign trust to a single point. That's the whole reason Bitcoin was designed, and these thefts really show how backwards we are with regards to the technology we have.

      Surprisingly few people actually know this, but Bitcoin addresses are actually little programs that calculate the required criteria to move money out of the "address". It's purposefully Turing incomplete. The simplest defense against malevolent or incompetent parties is to require multiple signatory entities. For instance, one could be the deposit institution itself, another party for dispute resolution (e.g. a lawyer), and finally the customer. You can require only two of three signatures to move the amount so that the customer can extract the money with the help of the arbiter even if the deposit institution disappears.

      Other, more sophisticated solutions are also possible, and some of the businesses themselves can even become transparently automated. However, it seems like it won't be that easy to get there, even though the crucial technology is already available.
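
Added example (an editor's illustration, not gox's code or Bitcoin's): a minimal stack evaluator for the 2-of-3 script described in the comment above, showing that exchange, arbiter and customer hold one key each, any two of them can spend, one alone cannot, and OP_CHECKMULTISIG rejects otherwise valid signatures supplied out of key order. A Lamport one-time signature stands in for Bitcoin's ECDSA so it runs on the standard library only; the spend message is constructed.

```python
import hashlib
import os

# Stand-in public-key scheme (assumption): Lamport one-time signatures instead of
# Bitcoin's ECDSA, so the threshold logic runs with the standard library only.
def lamport_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def lamport_sign(sk, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [sk[i][(h >> i) & 1] for i in range(256)]

def lamport_verify(pk, sig, msg):
    if not isinstance(sig, list) or len(sig) != 256:
        return False
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(h >> i) & 1] for i in range(256))

def check_multisig(pubkeys, sigs, msg):
    """OP_CHECKMULTISIG rule: walk the keys once; each signature must match a key
    after the one matched before it, so signatures have to follow key order."""
    k = 0
    for sig in sigs:
        while k < len(pubkeys) and not lamport_verify(pubkeys[k], sig, msg):
            k += 1
        if k == len(pubkeys):
            return False
        k += 1
    return True

def run_script(script, msg):
    """Tiny evaluator for scriptSig + scriptPubKey; True if the coins are unlocked."""
    stack = []
    try:
        for item in script:
            if isinstance(item, str) and item[:3] == "OP_" and item[3:].isdigit():
                stack.append(int(item[3:]))       # OP_0 / OP_2 / OP_3 push a number
            elif item == "OP_CHECKMULTISIG":
                n = stack.pop()
                pubkeys = [stack.pop() for _ in range(n)][::-1]
                m = stack.pop()
                sigs = [stack.pop() for _ in range(m)][::-1]
                stack.pop()   # consensus quirk: one extra item is consumed (the OP_0 dummy)
                stack.append(1 if check_multisig(pubkeys, sigs, msg) else 0)
            else:
                stack.append(item)                # data push: a public key or a signature
    except IndexError:                            # stack underflow: the script fails
        return False
    return bool(stack) and stack[-1] != 0

def demo_two_of_three():
    """Exchange, arbiter and customer hold one key each; any two of them can spend."""
    msg = b"constructed spend: move the deposit to the customer's own address"
    keys = {name: lamport_keygen() for name in ("exchange", "arbiter", "customer")}
    script_pubkey = ["OP_2", *(keys[n][1] for n in ("exchange", "arbiter", "customer")),
                     "OP_3", "OP_CHECKMULTISIG"]

    def spend(signers):
        sigs = [lamport_sign(keys[n][0], msg) for n in signers]
        return run_script(["OP_0", *sigs, *script_pubkey], msg)

    return {
        "arbiter+customer": spend(["arbiter", "customer"]),  # exchange gone: still spendable
        "customer_alone": spend(["customer"]),               # one signature: rejected
        "customer+arbiter": spend(["customer", "arbiter"]),  # valid keys, wrong order: rejected
    }
```

The one-signature case fails by stack underflow rather than by a failed verification: with m=2 the dummy OP_0 is consumed as a signature and nothing is left for the extra pop, which is how real Script rejects it too.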

    5. Re:Anonymous cryptocurrency, who to trust? by jittles · · Score: 3, Funny

      Given how easily it would be to get away with the theft of anonymous cryptocurrency, I am surprised there aren't far more 'hacks' where exchanges rob all they can from their customers then close up shop. I know it has happened in China on much smaller scales, and I'm sure it will happen many more times, the question is who can you possibly trust with something that can be so easily disappeared.

      Thank you for sharing my retirement strategy with all of Slashdot you unselfish bastard. Now my plan will never work.

    6. Re:Anonymous cryptocurrency, who to trust? by Gunboat_Diplomat · · Score: 4, Interesting

      Nearly 150 Breeds Of Bitcoin-Stealing Malware In The Wild, Researchers Say

      From the article:

      "To steal the coins of users who encrypt their private keys with passwords, many of the Bitcoin stealing programs also included keyloggers designed to eavesdrop on users’ typing. Even more tricky are malware types that wait for users to copy a Bitcoin address they want to send bitcoins to into their clipboard. When the user tries to paste the address, the malware replaces it with a different string, irreversibly sending the currency to the malware operator’s wallet. That last method never sends data to a remote server, so it can be much harder to detect, SecureWorks’ researchers say. In fact, they tested a range of antivirus scanners on their malware samples and found that roughly 50% went unnoticed."

    7. Re:Anonymous cryptocurrency, who to trust? by MartinSchou · · Score: 5, Insightful

      No banks? How do you plan on borrowing money to buy things you can't afford outright, like a new car or a house?

    8. Re:Anonymous cryptocurrency, who to trust? by MachineShedFred · · Score: 3, Insightful

      Tape it to the inside of your TV or some other device.

      Yeah, so when they steal your TV, they get your encrypted life savings too!

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    9. Re:Anonymous cryptocurrency, who to trust? by medv4380 · · Score: 3, Insightful

      Who would lend money in a deflationary currency? You're practically guaranteeing default. If I take out a loan for 100 bitcoins to be paid back in 10 years I'd never be able to pay it off, because my wages wouldn't go up nearly as fast as the deflationary pressure. Wages go down with deflation, not up. A bitcoin bank that issues loans is guaranteed mass defaults, and a bank that has that many defaults is guaranteed to fail. Either you want the Shangri-La "sound" money that has neither inflation nor deflation, or you want an inflationary currency that isn't so bad that money becomes worthless in a few years, but not so low that you have to worry about defaults caused by deflation kicking in. A banking system built on deflation is unstable and prone to failures. It's what we had when we were on the Gold Standard, and is undesirable for any banking system to work long term. Then again, some people enjoy watching people suffer.

  3. Beware: Wallet-stealing virus in the dump by psymastr · · Score: 5, Informative

    Reddit users have verified via decompilation that the dump file includes a wallet-stealing executable. The executable attempts to send the wallet to a hard-coded IP address, whose ISP has been notified of this.

    --
    Improve at backgammon rapidly through addictive quickfire position quizzes: www.bgtrain.com
    1. Re:Beware: Wallet-stealing virus in the dump by psymastr · · Score: 4, Informative

      Actually it was Bulgaria, and they responded that they will take care of this.

      --
      Improve at backgammon rapidly through addictive quickfire position quizzes: www.bgtrain.com
  4. It happened before.. by xtal · · Score: 3, Interesting

    This happened a few years ago and is why I have nothing to do with Bitcoin - I lost quite a few coins, then decided it was too risky to be involved with until the exchange problem was figured out.

    I am not sure why this is not more widely known, but there you go. I am not sure there is a solution to this problem.. without the involvement of traditional government.

    --
    ..don't panic
  5. Re:This is why we can't have nice things... by MRe_nl · · Score: 3, Interesting

    For all its faults it's still more transparent than the Federal Reserve, the European Central Bank, the People's Bank of China or the Russian Goznak. "Because when the entire world is a credit-fueled ponzi scheme, these are the kind of numbers that matter". http://www.zerohedge.com/news/2013-12-11/matter-stunning-perspective-china-money-creation-blows-us-and-japan-out-water

    --
    "Kill 'em all and let Root sort 'em out"
  6. The article is full of errors by pantaril · · Score: 4, Interesting

    The reporter probably doesn't understand what's going on at all.

    1) The leaked data contains not only the mt.gox DB dump (which seems to be legit) but also the TibanneBackOffice.exe binary, which is actually malware which steals bitcoin wallets. So I wouldn't trust the hackers at all, they are scammers. See http://www.reddit.com/r/Bitcoi... for more details.
    2) The article/the hackers claim that the mt.gox database dump shows that mt.gox should be in control of over 900k bitcoins and that it is evidence that mt.gox is lying. Well, it is evidence that the article/hackers don't understand anything. From the start, mt.gox is saying that because of a transaction malleability bug, their balances in the DB and their balances on their actual accounts were out of sync. This is the reason they didn't notice sooner. Their DB was showing everything was ok but in reality, their money was silently siphoned out of their accounts.
    3) Karpeles (mt.gox owner) is probably staying silent because his lawyers told him so. Nothing unusual here.
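
Added example (an editor's illustration, not code from Mt. Gox or from any poster): the reconciliation control that DarkOx's "basic accounting and inventory control" comment and pantaril's point 2 both describe, run over a constructed ledger and chain. It matches DB withdrawals to on-chain spends by the inputs they consume rather than by txid, so a malleated txid shows up as drift between DB outflow and chain outflow instead of as a "failed" withdrawal that gets paid again; amounts are integer satoshis as delt0r recommends, and the txids, addresses and UTXO names are placeholders.

```python
SATS_PER_BTC = 100_000_000   # amounts are integer satoshis throughout; never floats

def fmt_btc(sats):
    """Render integer satoshis as BTC text without going through a float."""
    return f"{sats // SATS_PER_BTC}.{sats % SATS_PER_BTC:08d} BTC"

def reconcile(ledger, chain):
    """Compare what the DB thinks left the hot wallet with what the chain shows.

    ledger: withdrawals the exchange's DB recorded: expected txid, inputs spent,
            outputs paid and status ('confirmed' or 'failed').
    chain:  confirmed transactions spending the exchange's own UTXOs (assumed to
            come from the exchange's own node; constructed in sample_data()).
    Malleation changes the txid but not the inputs, so rows are matched on the
    set of inputs spent: a UTXO can be spent once, whatever txid it ends up under.
    """
    chain_by_txid = {tx["txid"]: tx for tx in chain}
    chain_by_inputs = {frozenset(tx["inputs"]): tx for tx in chain}
    ledger_txids = {w["txid"] for w in ledger}
    ledger_inputs = {frozenset(w["inputs"]) for w in ledger}
    findings, db_outflow = [], 0

    for w in ledger:
        paid = sum(amount for _, amount in w["outputs"])
        if w["status"] != "failed":
            db_outflow += paid              # the DB believes this money is gone
        if w["txid"] in chain_by_txid:
            continue                        # confirmed under the expected txid
        actual = chain_by_inputs.get(frozenset(w["inputs"]))
        if actual is not None:              # same inputs spent under another txid
            counted = "counted" if w["status"] != "failed" else "NOT counted"
            findings.append(f"{w['id']}: inputs spent on chain as {actual['txid']}, DB "
                            f"expected {w['txid']}; {fmt_btc(paid)} left the wallet but is "
                            f"{counted} in the DB (status={w['status']})")

    for tx in chain:                        # spends the DB knows nothing about
        if tx["txid"] not in ledger_txids and frozenset(tx["inputs"]) not in ledger_inputs:
            findings.append(f"{tx['txid']}: on-chain spend with no ledger entry")

    chain_outflow = sum(amount for tx in chain for _, amount in tx["outputs"])
    return {"db_outflow": db_outflow, "chain_outflow": chain_outflow,
            "drift": chain_outflow - db_outflow, "findings": findings}

def sample_data():
    """Constructed scenario: W1 was malleated, its expected txid never confirmed, the DB
    marked it failed and paid the customer again as W2. Both payments hit the chain."""
    pay = [("1CustomerAddrPLACEHOLDER", 5 * SATS_PER_BTC)]
    ledger = [
        {"id": "W1", "txid": "aaaa", "inputs": [("utxo-1", 0)], "outputs": pay, "status": "failed"},
        {"id": "W2", "txid": "cccc", "inputs": [("utxo-2", 0)], "outputs": pay, "status": "confirmed"},
    ]
    chain = [
        {"txid": "bbbb", "inputs": [("utxo-1", 0)], "outputs": pay},  # W1 under its malleated txid
        {"txid": "cccc", "inputs": [("utxo-2", 0)], "outputs": pay},  # the re-send
        {"txid": "dddd", "inputs": [("utxo-3", 0)],                   # never recorded at all
         "outputs": [("1OtherAddrPLACEHOLDER", 2 * SATS_PER_BTC)]},
    ]
    return ledger, chain

if __name__ == "__main__":
    report = reconcile(*sample_data())
    for key in ("db_outflow", "chain_outflow", "drift"):
        print(f"{key:14} {fmt_btc(report[key])}")
    for finding in report["findings"]:
        print(" -", finding)
```

A reconciliation keyed on txid alone would report W1 as never paid and W2 as the only outflow, which is exactly the DB view pantaril describes; keyed on inputs it surfaces the double payment and the unrecorded spend in the same pass.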

  7. Re:An executable? In a dump? by wonkey_monkey · · Score: 4, Funny

    And I thought people that ran kitten.scr.exe were idiots.

    What a bunch of morons. I checked, Windows says I only have kitten.scr so I'm safe.

    --
    systemd is Roko's Basilisk.
  8. Sitting on a stack of traceable coins by Alarash · · Score: 5, Interesting

    There's something I don't understand. If they 'stole' the coins, they can't really trade them can they? Anyone I mean. As I understand every single transaction is tracked, so you can't really spend them without people knowing so right? Ok so you can hide your identity and whatnot, but wouldn't people know the instant these BTC are back on the market?

    1. Re:Sitting on a stack of traceable coins by codebonobo · · Score: 4, Informative

      Stolen coins can all be tracked but are still usable. There are numerous ways to make it harder to track with coinjoin, mixers, and trading back and forth between different crypto-blockchains that a thief can use to hide their assets however.

  9. Re:Use them! don't save them by Chas · · Score: 3, Informative

    "Bitcoins are like cash."

    I really REALLY wish people would stop saying this.
    They're not. The way the Bitcoin system works, they're more like commodities.
    Granted, some businesses have allowed you to pay for things with said fractional commodities, but still. At some point, an actual cash value has to be determined before you can actually SPEND them.

    --
    Chas - The one, the only.
    THANK GOD!!!
  10. Re:This is why we can't have nice things... by egarland · · Score: 5, Insightful

    People who claim modern currency is baseless don't understand economics. Modern currency is backed by *everything*. Gold, Real Estate, Cars, Businesses. Everything that is used for collateral against a loan becomes backing for our currency. Crypto-currency is based on scarcity like gold was, and thus makes a terrible general purpose currency because it's vulnerable to manipulations, and rigidity that make it easy for bankers and insiders to rob everyone. The modern form of debt backed currency is the most flexible and least vulnerable to manipulation there has ever been. Our advanced modern currency has weathered the pressures of the current economic stresses extremely well, and dramatically lessened the impact of the current problems with our economy. If you want to look at what things were like with a scarcity backed currency, look at the economics of the US pre 1913. It's full of horror stories like the panics of 1893 and 1873, and even some events where bankers conspired to not give out loans to anyone to buy up houses cheap and re-sell them for a profit once they all agreed to give out mortgages again.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  11. Re:This is why we can't have nice things... by Ralph+Wiggam · · Score: 4, Funny

    Your basic grasp of economics and history has no place here.

  12. Re:This is why we can't have nice things... by Cardoor · · Score: 3, Informative

    absolutely NOT. wow - and how long have you been employed by the fed I wonder - bringing out the 'magic of 1913'? is that you janet? modern currency as a fiat currency is not 'backed' by anything other than what it says on the bills - legal tender.. that the currency is acceptable as a means of payment in the eyes of the court system and hence, the structural society in which we live (with the implicit backing of the powers that be within that system). the fact that hard assets are used as collateral to make loans in a given currency in NO way means that said currency is then 'backed by those hard assets'. that is simply a line of recourse to a default on the CREDIT extended - nothing to do with the currency used as a medium of exchange. I could just as easily lend someone bitcoins using their car as collateral. jeez. and to say that debt-backed currency is even relatively immune to manipulation is incredible - especially when we are living in an age where it stares people in the face every day under the guise of 'quantitative easing', rate-rigging, and lawsuits involving currency manipulation. i'm not saying cryptocurrency is a solution, but damn. before you start throwing barbs under the guise of being the one who understands economics, you should make sure you know what you're talking about, and/or put down the propaganda talking points.

  13. Re:This is why we can't have nice things... by durrr · · Score: 4, Informative

    You've misunderstood what currency backing means.

    A something-backed currency means that there has to be a _fixed_ amount of physical entity somewhere in the possession of whoever decides to give out the currency. This is not the case with the current fiat. Sure it can be exchanged for all those things you mentioned, but it's backed by none of them; some central bankers could agree to create ex nihilo enough money to give a billion USD to every bank account in the world. If you then reason that a dollar is backed by cars, then either there would be a huge surplus of cars somewhere to allow this to happen, or someone managed to multiply the current global car pool a millionfold overnight.