MtGox Customers Hack Karpales' Account, Post Fraud "Evidence" - Update

[Karloff]

MtGox Customers Hack Karpales' Account, Post Fraud "Evidence" - Update

But don't go clicking any links found in the spreadsheet the hackers posted, for There Be Trojans.

Update: Mt Gox has filed for US bankruptcy protection. CEO Karpales says, in the statement accompanying the bankruptcy protection documents [http://www.scribd.com/doc/211626536/Karpeles-Declaration], that it would "allow Mt Gox a necessary breathing period for it to focus on its restructuring efforts without the distraction that would result if certain litigation currently pending in the United States were allowed to proceed."

According to Karpales, Mt Gox has $63.9 million in liabilities and approximately $37.7 million in assets. Karpales also claims that the hack which took down Mt Gox stole approximately 7% of the world's Bitcoin supply.

Source: Ars Technica [http://arstechnica.com/tech-policy/2014/03/mtgox-files-for-us-bankruptcy-protection-to-put-ongoing-lawsuits-on-hold/]

Original Story:

One of the things that's been puzzling the Bitcoin community is, if the Mt Gox wallet really was emptied by person or persons unknown, where did all the coins go? You'd think a transaction of that size would show up in the public ledger of transactions, runs the theory. Those of you following all things Bitcoin related may remember that other self-appointed investigators followed a very similar theory searching for Sheep Marketplace's Bitcoin, with dismal results [http://www.escapistmagazine.com/news/view/130356-Bitcoin-Theft-Victims-Search-For-100-Million-In-Sheep-Farce]. Now some of Mt Gox's customers have hacked the personal blog and Reddit account of Mt Gox CEO Mark Karpales, posting what they claim is evidence of fraud. Or, as they prefer to put it, evidence that they've been Goxed.

The hackers posted messages, since removed from Karpales' blog and Reddit, claiming that they had discovered where Karpales stored the loot. The hackers claim Karpales kept back 951,116 Bitcoin, though this claim may not be all it seems.

For one, as Forbes [http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/] points out, the spreadsheet posted by the hackers may simply indicate how badly Mt Gox dropped the ball; that all those figures show is what Mt Gox thought it had, not what it actually possessed.

For another, the information posted seems to be infested with Trojans [http://www.coindesk.com/mt-gox-hackers-claim-release-transaction-details-ceos-personal-data/]. The posts included genuine Mt Gox data mixed in with a healthy helping of .exe and Mac.app files, some of which are actually Bitcoin stealing viruses disguised as back office tools. Should you go looking for the files yourself, you're advised not to open them.

One poster says that the data was obtained by installing a rootkit months ago on one of Mt Gox's servers [http://www.dailytech.com/Bitcoin+King+Mt+Gox+CEO+Mark+Karpels+History+of+Arrests+Firings/article34442.htm] via known Gentoo Linux distribution flaws, and the installation was successful because Karpales didn't bother to update. This same poster, nanashi, claimed to have access to much of Mt Gox's customer data in a 20GB stolen database, possibly including bank details, passwords, usernames, even passport scans. Nanashi offered this database for sale for 100 Bitcoin. "Selling it one or two times to make up personal loses from gox closure," he says.

Source: Forbes [http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/]


Permalink

 

[Daaaah Whoosh]

It seems to me like there are way too many hackers on the Internet. First they steal the money, then they steal information regarding the money, now that information steals more money from people that try and look at it. Can't we all just get along?

 

[RJ 17]

Seriously, I still don't know what the hell we're talking about here. The concept of money simply congealing out of the interwebz doesn't quite compute with me. Could someone explain to me just what the hell a bitcoin is, how the hell they're made, and how the hell they have any relation to actual currency?

 

[Angelous Wang]

Nanashi may end up in prison longer than Gox (or worse) is they are not careful. Stealing money, bank details, password and usernames is all criminal, but it's all falls under normal law enforcement. Selling passports (or scans in this case) falls under national security enforcement.

 

[Schadrach]

Can't we all just get along?

Welcome to the internet?

Seriously though, that is one things I've wondered in this whole mess -- if the bitcoin address of the Mt Gox wallet that was hacked is known (and it shouldn't be unreasonable to make it available especially at this point) then it should be straightforward (if time consuming) to figure out where the money went, since *all Bitcoin transactions are public knowledge* -- seriously, there's a public ledger, transactions are posted to the public ledger and validated cryptographically by the cloud -- if you know one bitcoin address in the transaction, seeing which bitcoin addresses have sent/received bitcoin to/from that address is not that difficult.

For example, here's a transaction applying newly minted BTC to an assortment of target addresses (one of which is mine):
https://blockchain.info/tx/f759627b95cc9b9cedea418a8f98f2d9d8cdd1bc21a0883d91140bcc093165da

If you click on one of those addresses, you can see it's transactions in the public ledger (using the address that got the largest piece of that block as an example): https://blockchain.info/address/1CJuy8GnPrpvQFY51zJZk5fvYFgfxNKrLG

Everything is a matter of public record regarding bitcoin, except who actually owns any given address.

 

[CriticalMiss]

"Hacked and stole details... not certain if credible or false... files filled with mal-ware designed to steal bitcoins... hackers offering to sell illegal files in return for bitcoins"

*slow clap*

If you were hoping to shame MtGox you have failed miserably by acting as or even more repulsively. All this does is expose a portion of the bitcoin community as money-grubbing scumbags who are willing to do anything and everything to re-coup money they lost gambling on unregulated digital fairy dust. The inclusion of malware is especially spiteful and exposes these wannabe 'hacktivists' as mean spirited privateers interested nothing apart from their own personal wealth.

There truly is no honor amongst thieves.

Yeah, it's kind of sad to see that people who lost money on a risky endeavour doing illegal shit to try and recover some of their losses. Like a gambler losing all of their money in Vegas only to kidnap the blackjack dealer and hold them hostage. It makes me think bitcoin is an even worse idea than I already did if there are people who will do this sort of thing.

And wouldn't the evidence these guys have unearthed be inadmissable in a court since it was obtained illegally? If it's even legitimate to begin with.

 

[Karloff]

Speaking personally, I have to wonder why the hackers concluded 'we have been able to crack Mt Gox code and find this stuff, including virus-laden .exe files' must mean 'Karpales is a crook', and not 'Mt Gox was an easily-hacked disaster waiting to happen.'

 

[Neurotic Void Melody]

Bitcoin eh?? May need to google this, as im not sure what advantage it holds over the original currency that 'consumers' are wast...er, i mean spending on it.

 

[Silentpony_v1legacy]

Its so sad really. I remember when bitcoins first came out and smart people said, 'no, its a scam. these companies will take your money and run'
but nooooooo. The damned hipsters had to go and do it because its ironic or the world is globalizing and an online currency will be just as viable in a post-modern cyber based economy.
Turns out it was a scam...

 

[drakonz]

Its so sad really. I remember when bitcoins first came out and smart people said, 'no, its a scam. these companies will take your money and run'
but nooooooo. The damned hipsters had to go and do it because its ironic or the world is globalizing and an online currency will be just as viable in a post-modern cyber based economy.
Turns out it was a scam...

bitcoin itself is not a scam but the bitcoin banks that you can ask to take care of your bitcoins and make trading faster and easier, are most of the time scams and sadly there isnt rly law against it since virtual coins are in gray area of most lawbooks not to forget tracking all addresses the stolens coins have went throught takes long time expelialy if they have set up multible bitcoin wallets to do it (setting one up takes under 30 seconds)

 

[Schadrach]

Seriously, I still don't know what the hell we're talking about here. The concept of money simply congealing out of the interwebz doesn't quite compute with me. Could someone explain to me just what the hell a bitcoin is, how the hell they're made, and how the hell they have any relation to actual currency?

Basically, it's all built out of difficult cryptography and cracking it by brute force. All transactions are signed and distributed within the public ledger, and the proof-of-work for cracking the signature proves the validity of the transactions it signs, and the system itself awards an amount of bitcoin to whoever submits the first successful proof-of-work for doing so, with gradually diminishing returns until a certain total amount of bitcoin is created.

As for how they function as currency, they're essentially no different than any other currency -- they function as a fungible medium of exchange for goods -- no currency is inherently "worth" anything other than what it's physically made of, only the degree of value that can be extracted from it in terms of goods or services. As far as relationship to actual currency, like any other money market, it's worth precisely what someone will pay you in another currency for it (which is what they mean when they talk about things like the "dollar being strong against the Yen" or what have you).

Bitcoin eh?? May need to google this, as im not sure what advantage it holds over the original currency that 'consumers' are wast...er, i mean spending on it.

As far as advantages, it's semi-anonymous (there's no clear way to tie bitcoin addresses to people unless they've advertised the addresses as such) and impossible to counterfeit unless you control >50% of the network. Hence the reason it was the currency of choice for less-than-legal commerce of various kinds.

Its so sad really. I remember when bitcoins first came out and smart people said, 'no, its a scam. these companies will take your money and run'
but nooooooo. The damned hipsters had to go and do it because its ironic or the world is globalizing and an online currency will be just as viable in a post-modern cyber based economy.
Turns out it was a scam...

This is equivalent to a "bank" in a hypothetical unregulated libertarian utopia closing it's doors and keeping the vault contents, and then arguing that proves "money" is flawed because there were no laws preventing the bank from doing exactly that.

 

[Silentpony_v1legacy]

Its so sad really. I remember when bitcoins first came out and smart people said, 'no, its a scam. these companies will take your money and run'
but nooooooo. The damned hipsters had to go and do it because its ironic or the world is globalizing and an online currency will be just as viable in a post-modern cyber based economy.
Turns out it was a scam...

bitcoin itself is not a scam but the bitcoin banks that you can ask to take care of your bitcoins and make trading faster and easier, are most of the time scams and sadly there isnt rly law against it since virtual coins are in gray area of most lawbooks not to forget tracking all addresses the stolens coins have went throught takes long time expelialy if they have set up multible bitcoin wallets to do it (setting one up takes under 30 seconds)

Thats probably more accurate. The larger banks and the like are the ones that steal bitcoins. But again, being a nebulous and grey currency, what are the stealing? I always assumed they were like barer bonds, as in the one who holds them(so to speak) is the legal owner. So whoever has the bitcoins linked to their account is the legal bitcoin owner.

 

[FalloutJack]

Speaking personally, I have to wonder why the hackers concluded 'we have been able to crack Mt Gox code and find this stuff, including virus-laden .exe files' must mean 'Karpales is a crook', and not 'Mt Gox was an easily-hacked disaster waiting to happen.'

Sorta' damned if you do and damned if you don't then, right? When it's already an unregulated and dubious fantasy PLUS the whole drug thing AND it's not very well defended, you have to look at it and wonder 'Why did we get into this crap?'.

 

[faefrost]

Nanashi may end up in prison longer than Gox (or worse) is they are not careful. Stealing money, bank details, password and usernames is all criminal, but it's all falls under normal law enforcement. Selling passports (or scans in this case) falls under national security enforcement.

But here's the fuuny thing. Let's assume that Kapales did in fact simply walk off with all of the Bitcoins. What jail time would he possibly do? Where exactly is the crime, and under what legal jurisdiction? Part of the whole "money not issued by or controlled by any sovereign government" nature of Bitcoin is that it also means "not protected by nor falling under the laws of any sovereign government." Notice how Japanese regulators and investigators have been a bit cautious about getting involved? That's because before the law Bitcoin has about as much standing as WoW gold. Before anyone could even begin to go after Kapales civilly or criminally they would first need to establish that the item "stolen" did in fact have real value before and under the law. And a host of other legal tests. (ie Who's virtual property was it? What protections does virtual property have? etc). Honestly Monopoly money has more standing before the law right now because it is a tangible good to which an actual value can be assigned and a clear transparent path of ownership can be determined.

And honestly think it through. All the Internet champion of the new stateless virtual currency of the future somehow missed that they not only have to get the new digital currency to interface with the existing sovereign currencies and financial infrastructure in order to give it value for transnational purposes. They also need to interface it with the more traditional state legal systems in order to define it as real property in order to offer any legal protections for the bearers. And honestly do you think any court, or sane legislature is going to assign this stuff the standing of property or currency without knowing who the creators are or having the opportunity to talk with them? No state can prosecute because they can't put the alias known as Satoshi Nakamoto on the stand to answer questions to define to the judge what the data is. At best they might be able to make a vague low level fraud case involving the US dollar portions of the transactions. And once again it gets a bit questionable. At that point you have about as much luck prosecuting the kid who promised to sell you WoW gold. Before the court and the law the original purpose of Mt GoX, Magic the Gathering cards have more defined value and more protections than Bitcoins. If Karpales did walk off with them all, there isn't much the law can do. Maybe some can attempt a civil suit. But once again, you can sue someone for WoW gold. But what exactly are you going to get back do you think? You might have a case for data theft. But that's going to get very weird and very hard to prove. This is why Mr. Karpales will not see a day in court or jail. But probably will mysteriously disappear one day, with assorted parts showing up in seven different countries.

And for those that missed the "blood money" aspects of Bitcoins. The safe bet is either Karpales walked off with the stuff himself, or it is currently funding a years worth of North Korean military development. Juche!

 

[faefrost]

Speaking personally, I have to wonder why the hackers concluded 'we have been able to crack Mt Gox code and find this stuff, including virus-laden .exe files' must mean 'Karpales is a crook', and not 'Mt Gox was an easily-hacked disaster waiting to happen.'

Honestly, the main reason I tend to suspect Karpales himself above and beyond the story of "we was hacked!" is some of the other stuff that was going on. They had been hacked in 2011. He seemed very very nonchalant about it, almost dismissive. He was having some serious issues with US financial authorities including an $8 million seizure and was having increasing issues using banks to provide the exchange transactions. he had been pretty much shut down in the US. Either the root cause of this, or as a result his Mt GoX Accounts Receivables and Accounts Payable were in all likelihood wildly out of balance. he had no previous experience in the currency markets and certainly nothing at this level. He clearly had no idea what exactly is needed to keep things in balance. All of this means Karpales would have been under enormous pressure. He was facing legal action on several fronts. He was deeply in over his head. His site was a security swiss cheese brick. And it just wasn't fun anymore. There was literally nothing to stop him from simply taking everyone's ball and going home so to speak.

Could it have been hacked? Clearly yes. But there are a hell of a lot of reasons to suspect it to be a bit more internal as well. Once you look behind the curtains its obvious this was not a proper or healthy business with a lot of questionable things going on.

 

[IamLEAM1983]

Speaking personally, I have to wonder why the hackers concluded 'we have been able to crack Mt Gox code and find this stuff, including virus-laden .exe files' must mean 'Karpales is a crook', and not 'Mt Gox was an easily-hacked disaster waiting to happen.'

This. Karpelès and his associates have all gone on record with outlets like Ars Technica before the blowout, and one of the things that could be taken away from the interview is that Karpelès worked with what's essentially a team of international shut-ins and self-diagnosed Asperger's sufferers. My guess is going for the oft-unemployed Impaired Math Whiz market gave his exchange a pretty solid technical basis to stand on, but not necessarily guaranteed security.

Plus, not updating your Linux distro when it's the backbone of your operation just smacks of gross negligence. No I.T. guy in the world would look at a server farm's update schedule and go "Eh, no problems were reported as of the last two weeks. I can sit on it!" as this simply wouldn't fly.

There's real I.T., and then there's stuff that the Big Bang Theory and the I.T. Crowds of television tend to present, which is the illusion that a job in that sector means you can get paid to jerk around on your Nintendo DS until one of the office drones does something stupid with its workstation.

 

[medv4380]

Seriously, I still don't know what the hell we're talking about here. The concept of money simply congealing out of the interwebz doesn't quite compute with me. Could someone explain to me just what the hell a bitcoin is, how the hell they're made, and how the hell they have any relation to actual currency?

It's hard to explain if you don't have enough background, but I'll give it a try.

Bitcoin, and all 'coin (feathercoin, lightcoin, etc), exists only as a massive peer to peer database. This database is equivalent to a local banks database of who has what money and how much. The money is also in the database, rather than vaults, and is represented by a random block of data that is only generated once every few minutes. Who gets this block is determined randomly by generating a number, hashvalue, for the block that meets a given set of criteria. The criteria changes from 'coin to 'coin and from block to block to ensure that they are generated at a predefined interval which have been defined according to gold bug libertarian standards, at present time. Since the entire database is public and anyone can submit a transaction the funds and who they're allocated to are protected by a public key private key system. This is similar to your account number and pin. You should never share your pin, but your account number is needed to know were they're sending money, just as your private key needs to be kept private, and shouldn't be used or created with a known bad method, similar to setting your pin to 1234.

If every copy of that database become corrupted then that 'coin doesn't exist anymore. Difficult given it's a peer to peer database making a lot of copies that would have to be simultaneously destroyed. However if someone had 51% of the database power, which someone does, they could actually just forcibly honer illegitimate transactions private key or no private key. A private key can be reversed if two public keys are generated using the same random number generated. Similar to how one time pads are impossible to decrypt when done properly except when you used the one time pad more than once.

However as much as it may look like a bank or banking system it lacks the one thing that has made our banking system stable for almost a century, and that's Insurance. Deposit Insurance, Charge Back Insurance, and all the other needed forms of insurance. If you think our system isn't stable now look at how unstable it was prior to the creation of the FDIC.

Does that make it easier to understand?