Slashdot Mirror


Hackers Allege Mt. Gox Still Controls "Stolen" Bitcoins

The Verge reports that "Tokyo-based Bitcoin exchange Mt. Gox lost $400 million worth of bitcoins in February. Its management said the amount was stolen after hackers exploited a transaction bug to divert the funds, but some of Mt. Gox's users are not so sure, suggesting instead that the exchange's owners pocketed the cash. Now, facing silence from those owners about the fate of the money and the methods by which 6 percent of all of the Bitcoin in the world could have been stolen, a group of hackers claims it has broken into the bankrupted Bitcoin exchange's network to get answers. ... Forbes reports that the group gained access to the personal blog and Reddit account of Mark Karpeles, Mt. Gox's CEO. The hackers used the platforms to post a message that claimed Karpeles still had access to some of the bitcoins that he'd reported stolen. In support of the claim, they uploaded a series of files that included a spreadsheet of more than a million trades, Karpeles' home addresses, and a screenshot purportedly confirming the hackers' access to the data." (The Forbes article on which the Verge report is based.)

11 of 228 comments

  1. Still seems like it has to be an inside job by DarkOx · · Score: 5, Insightful

    I tend to think it has to be an inside job, that is being run by the folks pretty high up. Any kind of really really basic accounting and inventory control should have uncovered more coins going out than the transaction register indicates. This transaction malleability issue supposedly went on for months.

    Even a badly run business should have detected a problem like the time frame of weeks, whenever their next month end comes up. It would have been impossible to balance the books, unless someone was simply not doing them or cooking them.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:Still seems like it has to be an inside job by delt0r · · Score: 5, Informative

      Well, I was on contract to fix bugs in a telco accounting system where they could only find the missing cash every 3 months when a manual audit was done. Transaction volumes were a little over 1 billion per year however, and it was only a million or so missing every 3 months.

      --
      If information wants to be free, why does my internet connection cost so much?
    2. Re:Still seems like it has to be an inside job by Splab · · Score: 5, Insightful

      Why high up? Most articles about Mt. Gox talk about lax security and bad change management.

      They had half a billion dollars worth of bitcoins, a "currency" which is extremely hard to track and ridiculously easy to steal if you have the keys to the city. Stealing half a billion dollars (without being a bank) requires a truck and some heavy lifting - a developer stealing the wallets and nuking the database takes only a few seconds and very little lifting.

      I find it harder to believe it took so long for someone to steal it...

    3. Re:Still seems like it has to be an inside job by ras · · Score: 5, Informative

      Consider these Mt. Gox losses:

      • June 2011: seller's administrator account was hacked by an unknown process. The privileges were then abused to generate humungous quantities of BTC. None of the BTC, however, was backed by Mt. Gox. The attackers sold the BTC generated, driving Mt. Gox BTC prices down to cents. They then purchased the cheap BTC with their own accounts and withdrew the money. ... Many customers claim they have lost money from this reversion, but Mt. Gox claims it has reimbursed all customers fully for this theft. After the incident, Mt. Gox shut down for several days.
      • June 2011: Users with weak passwords on MyBitcoin who used the same password on Mt. Gox were in for a surprise after the June 2011 Mt. Gox Incident allowed weakly-salted hashes of all Mt. Gox user passwords to be leaked. These passwords were then hacked on MyBitcoin and a significant amount of money lost.
      • October 2011: Mt. Gox accidentally destroyed 2609.36304319 bitcoins.
      • July 2012: A hacker infiltrated the Mt. Gox account used by Bitcoin Syndicate, sold off the USD owned, and withdrew all balances.
      • July 2012: On July 13, 2012, a thief compromised the Bitcoinica Mt. Gox account. The thief made off with around 30% of Bitcoinica's bitcoin assets.

      But for any programmer, none of this is a surprise given he hacked up an ssh server in PHP, then deployed it on a production server.

    4. Re:Still seems like it has to be an inside job by delt0r · · Score: 5, Insightful

      Financial systems I have worked on have never used floats. It's integers. Either just cents, or 10ths of a cent. Or 2 integers for dollars and cents. There are rounding rules for this sort of thing.

      --
      If information wants to be free, why does my internet connection cost so much?
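
Added example (not part of the thread, and not any exchange's code): the integer-unit bookkeeping and periodic balance check the comments above describe, in Python, with bitcoin amounts held as integer satoshis (1 BTC = 10**8 satoshis). The function names and the sample ledger are constructed for illustration.

```python
from decimal import Decimal

def to_satoshis(btc: str) -> int:
    """Parse a decimal BTC string into integer satoshis (1 BTC = 10**8)."""
    units = Decimal(btc).scaleb(8)  # exact decimal shift, no binary float involved
    if units != units.to_integral_value():
        raise ValueError(f"{btc!r} has more than 8 decimal places")
    return int(units)

def float_total(amounts):
    """The approach to avoid: accumulate the same amounts as binary floats."""
    total = 0.0
    for a in amounts:
        total += float(a)
    return total

def reconcile(opening, ledger, wallet_balance):
    """Return (actual wallet balance - balance the ledger predicts), in satoshis.

    ledger is a list of (kind, amount) with kind 'deposit' or 'withdrawal'.
    0 means the books balance; a negative result means coins left the
    wallet that the transaction register does not account for.
    """
    expected = to_satoshis(opening)
    for kind, amount in ledger:
        if kind not in ("deposit", "withdrawal"):
            raise ValueError(f"unknown ledger entry kind: {kind!r}")
        sat = to_satoshis(amount)
        expected += sat if kind == "deposit" else -sat
    return to_satoshis(wallet_balance) - expected

# Constructed sample data: one deposit and two customer withdrawals.
SAMPLE_LEDGER = [
    ("deposit", "25.00000000"),
    ("withdrawal", "0.10000000"),
    ("withdrawal", "0.20000000"),
]

if __name__ == "__main__":
    # Floats cannot represent 0.1 + 0.2 exactly; integer satoshis can.
    print("float total:", float_total(["0.1", "0.2"]))
    print("satoshi total:", to_satoshis("0.1") + to_satoshis("0.2"))
    # Wallet is 0.1 BTC short of what the ledger predicts (e.g. a payout sent twice).
    print("discrepancy:", reconcile("1000.00000000", SAMPLE_LEDGER, "1024.60000000"))
```
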
  2. Re:Anonymous cryptocurrency, who to trust? by Anonymous Coward · · Score: 5, Funny

    who can you possibly trust with something that can be so easily disappeared.

    If only there was some kind of existing business that had heavy government oversight that could take care of that issue.

  3. Beware: Wallet-stealing virus in the dump by psymastr · · Score: 5, Informative

    Reddit users have verified via decompilation that the dump file includes a wallet-stealing executable. The executable attempts to send the wallet to a hard-coded IP address, whose ISP has been notified of this.

    --
    Improve at backgammon rapidly through addictive quickfire position quizzes: www.bgtrain.com
  4. Re:Anonymous cryptocurrency, who to trust? by Anonymous Coward · · Score: 5, Insightful

    Right, instead you should keep it in an offline wallet! Just like how it's smart to keep your life's savings in an actual, physical wallet!
    Oh wait, no, that's fucking retarded.

    This is (one of) the (many) problem(s) with bitcoin: no one can actually come up with a sane answer of how you are supposed to store it safely. Trust it to an exchange and you're basically no better off than trusting real money to a bank -- worse off, in fact, because the lack of regulations means that if the exchange takes your money and runs you're SOL, while if a bank takes your money and runs it will be reimbursed (up to a limit) courtesy of the FDIC. Keep it in an offline wallet and you can be sure that no banker can abscond with it, but now your life's savings are tied to a single, stealable object.

  5. Sitting on a stack of traceable coins by Alarash · · Score: 5, Interesting

    There's something I don't understand. If they 'stole' the coins, they can't really trade them can they? Anyone I mean. As I understand every single transaction is tracked, so you can't really spend them without people knowing so right? Ok so you can hide your identity and whatnot, but wouldn't people know the instant these BTC are back on the market?

  6. Re:Anonymous cryptocurrency, who to trust? by MartinSchou · · Score: 5, Insightful

    No banks? How do you plan on borrowing money to buy things you can't afford outright, like a new car or a house?

  7. Re:This is why we can't have nice things... by egarland · · Score: 5, Insightful

    People who claim modern currency is baseless don't understand economics. Modern currency is backed by *everything*. Gold, Real Estate, Cars, Businesses. Everything that is used for collateral against a loan becomes backing for our currency. Crypto-currency is based on scarcity like gold was, and thus makes a terrible general purpose currency because it's vulnerable to manipulations, and rigidity that make it easy for bankers and insiders to rob everyone. The modern form of debt backed currency is the most flexible and least vulnerable to manipulation there has ever been. Our advanced modern currency has weathered the pressures of the current economic stresses extremely well, and dramatically lessened the impact of the current problems with our economy. If you want to look at what things were like with a scarcity backed currency, look at the economics of the US pre 1913. It's full of horror stories like the panic of 1893 and 1873, and even some events where bankers conspired to not give out loans to anyone to buy up houses cheap and re-sell them for a profit once they all agreed to give out mortgages again.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination