
Topic: Bitcoinica MtGox account compromised - page 11. (Read 156012 times)

full member
Activity: 185
Merit: 100
July 19, 2012, 04:49:17 AM
If you look at the transaction history you'll see that there's one incoming tx for each outgoing payout. The address never held more at once than what was being processed. It looks like some kind of public ledger for their BTC payouts. It also shows that the last payout was performed today. The question is whether these are real payouts, or whether they're just trying to give the impression that they're still processing claims. Anyhow, I beg you to please, please turn off your random post generator, Phinnaeus. It's all just white noise.
hero member
Activity: 815
Merit: 1000
July 19, 2012, 04:34:35 AM
why didn't you just move it to another account?
why didn't you revoke all API access? - I see no need for it as Bitcoinica is OFFLINE
This right here.

Basically bitcoinica was a ponzi of sorts, now they have just plain run off with your money.

The lack of security is so vast the only explanation is that one, more or all of the operators just stole everything while using "hacks" as an excuse.


I would suggest filing police reports against everyone involved whose name is known. Bank fraud is bank fraud and with USD involved the police should AT LEAST inconvenience them with a few questions.

Even if it was a hack there might be such a thing as criminal negligence which could also give them trouble.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 19, 2012, 03:58:43 AM
Quote
On the opposite case, there's always the possibility that you are in fact criminals, and that the remaining funds + Intersango will be emptied very soon, and you're off to a remote island with fake passports and golddigger whores. If this is the case, I hope it feels good, that you sleep well at night, and that you have a good time. A lot of people do not have a good time at this point.

http://blockchain.info/address/1Bfsa8rbU99TLMVhVZefZijadATBwfUWCP


Poof...it's gone!

Now let's sing the Bitcoinica Anthem: http://www.youtube.com/watch?v=nPL7nN99jno
hero member
Activity: 868
Merit: 1000
July 18, 2012, 06:44:38 PM

Was Bitcoinica run legally from the very start? I highly doubt so, and has anyone been charged with it? Not that I know, so even though you're probably 100% correct from a legal standpoint about what you're saying, and it probably makes sense as well, it doesn't mean that if BC did relaunch Bitcoinica, even under another domain name, anything would happen to them. I highly doubt they would, but given the turn of events lately, nothing would surprise me at this point. Who would've thought that the master password for all passwords was the mtGox API key?

But, in essence, my final point is that we should not be so problem minded. There's a shitload of problems to handle, but we need to see it as challenges, and not as problems. If we get overwhelmed by problems, then we never get to do any real work.

In that light, I think my proposal is a good one, at least some elements of it. Right now we don't know what happens at all.

If everyone in the bitcoin community were to adhere to all laws and regulations when starting a service, not much would've been started I would think. At the mo, BC seems shocked and unable to move.

Like so many other things, everything's fine until someone gets hurt.  Whatever legal inadequacies there may have been regarding the operation of Bitcoinica at various points could likely have been easily remedied up until this shitstorm happened.  Technical breaches are rarely punished to any meaningful extent until they cause harm to shareholders, creditors, users etc.  Even at that point, the penalties tend to be administrative rather than criminal in the majority of cases because most businesses do not fail because of criminal activity (the reason for the failure of the business is one of the things examined in insolvency proceedings).  Directors may be deemed personally liable under certain circumstances and their personal assets attached.  The primary concern is making whole (or as near to whole as possible) those who have been damaged by incompetence or reckless conduct. Directors can also be banned from participating in the management of other companies (this rarely happens unless outright fraud has been involved).

All of us - and I suspect Amir himself - have incomplete information.  It's simply not possible to determine the best course of action with incomplete information.  As I said elsewhere, a 30% shortfall is not that much.  In many cases it would be possible for an otherwise viable business to solve the problem with outside investment.  In this instance, there are factors which make the business less attractive to outside investors, though - not the least of which is the possibility of the limited partner/s taking legal action against the general partner.

The reason I keep urging Amir to get sound legal advice from a NZ practitioner is that this situation really can get worse if Bitcoinica Consultancy makes a wrong move at this point and that could harm the interests of users as well as the principals.  There is rarely only one option available, but Amir needs to know which options are realistic and legal and which ones are just optimistic suggestions from strangers on the internet.  That way, he can come back and say "these are our options guys and we've decided to do X".

Although I do think that the claims process should have been handled by an accountant following the Rackspace intrusion, an attempt was made to find out who was owed money and to make provision for paying them.  That's certainly something which will be taken into account if the company ends up in liquidation or under administration.
hero member
Activity: 868
Merit: 1000
July 18, 2012, 06:13:54 PM
Quote
A plan could even be to make promises to current customers that have lost funds that they will be paid back from the profit of the continued operation of Bitcoinica, that is if the Bitcoin Consultancy still have the stomachs and nerves to continue to run Bitcoinica.

They cannot legally do this unless it's under the oversight of an administrator.  It is a serious offence to continue trading while insolvent unless it has been determined by a liquidator that this is the best option, an administrator is appointed, and it is agreed to by creditors. When an administrator is appointed, they pretty much oversee the running of the company and financial transactions must be approved by them - it's hard to see how that would even be workable given the amount of transactions a service like Bitcoinica has daily.  Bitcoinica LP also has a limited partner which may wish to dissolve the partnership, complicating things even more.

It is also not known who actually owns the Bitcoinica domain and IP.  If it is not Bitcoinica Consultancy Ltd, then they cannot use the domain or the IP without the permission of the owner. 

You have some good points, but then I have a question:

Was Bitcoinica run legally from the very start? I highly doubt so, and has anyone been charged with it? Not that I know, so even though you're probably 100% correct from a legal standpoint about what you're saying, and it probably makes sense as well, it doesn't mean that if BC did relaunch Bitcoinica, even under another domain name, anything would happen to them. I highly doubt they would, but given the turn of events lately, nothing would surprise me at this point. Who would've thought that the master password for all passwords was the mtGox API key?

But, in essence, my final point is that we should not be so problem minded. There's a shitload of problems to handle, but we need to see it as challenges, and not as problems. If we get overwhelmed by problems, then we never get to do any real work.

In that light, I think my proposal is a good one, at least some elements of it. Right now we don't know what happens at all.

If everyone in the bitcoin community were to adhere to all laws and regulations when starting a service, not much would've been started I would think. At the mo, BC seems shocked and unable to move.
hero member
Activity: 868
Merit: 1000
July 18, 2012, 06:05:07 PM
Quote
A plan could even be to make promises to current customers that have lost funds that they will be paid back from the profit of the continued operation of Bitcoinica, that is if the Bitcoin Consultancy still have the stomachs and nerves to continue to run Bitcoinica.

They cannot legally do this unless it's under the oversight of an administrator.  It is a serious offence to continue trading while insolvent unless it has been determined by a liquidator that this is the best option, an administrator is appointed, and it is agreed to by creditors. When an administrator is appointed, they pretty much oversee the running of the company and financial transactions must be approved by them - it's hard to see how that would even be workable given the amount of transactions a service like Bitcoinica has daily.  Bitcoinica LP also has a limited partner which may wish to dissolve the partnership, complicating things even more.

It is also not known who actually owns the Bitcoinica domain and IP.  If it is not Bitcoinica Consultancy Ltd, then they cannot use the domain or the IP without the permission of the owner.  

The LP makes this a bit more complicated.  If there was only Bitcoinica Consultancy Ltd involved then you'd look at trying to put together a rescue package in exchange for equity and trade out (a 30% shortfall isn't all that much) - there are investors who look for exactly these kinds of situations.  The problem is that Bitcoinica has already been "rescued" and we don't know what the terms of that rescue were or how much it would cost a new investor to buy out the limited partners and cover the shortfall.  An administrator or liquidator is bound to consider any such offers, so I guess one thing which users could do for their own benefit is use their networks to seek out investors who might be willing to rescue the company.
hero member
Activity: 868
Merit: 1000
July 18, 2012, 05:47:21 PM
Having Patrick quit while he has done most of the refund work and may be the only one with access to the information about the process status is what saddens me the most.

Real security professionals go about their work mostly unnoticed if they do everything right.

Be sceptical about anyone making a lot of noise about their level of expertise; it smells of immaturity, and more often than not boils down to them not being what they want everyone to believe they are.

Taking over a business such as Bitcoinica means that if you're a security professional and want to become the new administrator and/or owner of said business, at minimum you do the following:

* Review the source code
* Check the hosting situation esp. in regards to security and redundancy.
* Make sure all funds are safe, use two factor identification and/or cold storage for bitcoins, with multiple encrypted backups.
* Check the backup routines, and that they're satisfactory; backups of the live system should be done very often, at least daily, but for a site like Bitcoinica it should perhaps be constantly mirrored to a safe server at the very least. Heck, if you're a sysadmin, you can even hack a bash script using mysqldump, tar, gpg and mutt to mail encrypted backups to admins. It takes 30 minutes or less to fix for the experienced admin.
* Make sure that all passwords are handled properly (change all of them, just to be sure.)
* Make sure password management is handled with an iron grip. Better to have some inconvenience than to lose funds.
* Don't use mailing lists for resets of passwords.
* Use a dedicated secure computer to access all important information.
* Use encrypted email when communicating with other team members; this can easily be achieved with many e-mail programs using PGP today.
* Make a set of security policies that everybody has to follow. For instance, strong encryption and good passwords for residential wifi, restrict login to secure services to certain IPs and so on and so forth.

If you don't have the time or the resources to secure everything properly, then fuckups will happen. And in this case a real clusterfuckup happened.

Some of the points above, while not being an exhaustive list, are some of the things that a security professional should think of. Obviously from following the Bitcoinica debacle, a lot of the points above which require no more than common sense to follow (ie. backup routines) have been breached.

I won't attack Zhoutong specifically, and while I can't rule out that he's done anything wrong (everybody involved is a suspect at this point), a 17 year old doing no backups wouldn't make the headlines, but a company priding themselves on being security experts, and yet not following many of the rules above, which don't even require you to be a security professional, that's laughable.

Sorry to say this, but it's a complete joke.

Now that the clowns have been revealed, the Circus need not shut down, but if the clowns take off their gowns and masks, start talking, thinking, and flip over backwards to fix this clusterfuck, then we may have a resolution. Not doing anything about the situation at all, and even walking away, shows what kind of material those individuals are made of.

Intersango, should at this point only receive the minimal amount of attention from the bitcoin consultancy, while the Bitcoinica case should get their full attention. A plan could even be to make promises to current customers that have lost funds that they will be paid back from the profit of the continued operation of Bitcoinica, that is if the Bitcoin Consultancy still have the stomachs and nerves to continue to run Bitcoinica.

We all remember the mtGox hack, where shortly after Bitcoin Consultancy offered their services to Mark, and called Mark's exchange a completely incompetent one man show. NOW IS THE TIME FOR THE BITCOIN CONSULTANCY DUDES TO STAND UP AND SHOW THAT THEY HAVE A SPINE, AND SORT OUT THIS CLUSTERFUCK!!!

It's easy to see the faults in others, but hard to see one's own faults, and especially hard to face them when the shit hits the fan. As for the personal well-being of individuals of the Intersango team, most community members are uninterested; it is the responsibility of the individual team members of BC to get enough sun, sleep enough, eat their vitamins and food. The community is suffering, and you have a part in it, unfair or not; this is reality and has to be dealt with.

I'm sure that most people's memory is short-lived, and if you can sort out this mess in a civil manner, I'm sure many community members will be mostly grateful. Now there's even been a price increase for bitcoins, so selling those off slowly could even make for more USD to be reimbursed, and I'm sure that a lot of former members would be happy to get back their funds, in any form, even if it was the USD equivalent of the bitcoin value when Bitcoinica closed down.

So my advice now:

1. Secure all funds, cold storage for coins, and put two factor identification on all accounts where USD is stored. Change all passwords, and let a trusted lawyer set the master password for Keepass, LastPass or whatever password management you choose.

2. Take some days off, or even a week. Announce to the community when you will be back, then leave everything that has to do with bitcoin and computers for a few days, go into nature, relax, feel the sun on your skin.

3. After the short hiatus, get back, take a deep breath, work with the lawyer (I'm sure no Bitcoinica ex-member would object to using a few bucks on a lawyer, if it means they could even get 50% or more of their funds back), ask for help from trusted community members if you need to.

4. Work intensely on paying back all funds, let all other unnecessary leisure activities and work activities (writing articles, coding etc.) rest, and focus on the task at hand.

5. When the remaining funds have been distributed, either call it a day and go on a vacation for a month on a tropical island, or your nearest woods (whatever fits your budget).

6. Decide if you want to relaunch Bitcoinica, or forever call it a day.

THEN YOU WOULD GO OUT OF THIS MESS WITH HEADS HELD HIGH!!! Right now, it's more like a ship where all the rats are jumping off, and a drunk captain is left manoeuvring it.

Yes, you fucked up majorly, but there's always another day. People talk as if everything is lost; it is not. What really matters now is the attitude, honesty and integrity of the ones left on the ship, or those who have already jumped ship; you could always climb back.

Try to put your personal EGOS, embarrassment, anger, hostility etc. to rest. Make sure everything related to payouts goes through a certified and trustworthy lawyer, as at this point, you're all suspects, even though there's no exact evidence as to who's to blame.

Failure to do this will only hurt your reputation, and continued careers, in and out of bitcoin. You may even face criminal charges down the line and serve jail time for it.

I'm sure most people in the community don't wish anything bad on your persons, but they have a right to their funds, and that's something you should honour, and that's why they're angry. If people know this is being worked on, and that something happens, then they will be much less hostile.

Updating the bitcoinica.com site with some information about the recent incident and with a plan from here would be a good way to go. You could post daily, or at least weekly reports about the work done with repayments, and ex-customers could report on this forum what they have received.

On the opposite case, there's always the possibility that you are in fact criminals, and that the remaining funds + Intersango will be emptied very soon, and you're off to a remote island with fake passports and golddigger whores. If this is the case, I hope it feels good, that you sleep well at night, and that you have a good time. A lot of people do not have a good time at this point.

Disclaimer: I had 0 funds in Bitcoinica and I have 0 funds on Intersango, but it makes me uneasy to see the community being hit by this, and I hope it will be sorted out. Even having 50% back is better than a 100% loss!!!
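The "mysqldump, tar, gpg and mutt" backup script the post above sketches, written out as an added example (it is not code from the poster or from Bitsoinica's operators, and BACKUP_DIR, ADMIN_KEYS, PASSPHRASE_FILE and the DUMP_CMD hook are assumed names). Only the ciphertext is ever mailed or kept, the plaintext dump is removed once the ciphertext is verified, and the backup file is readable by the service account alone.

```shell
#!/bin/sh
# Added example, not code from the thread: the "mysqldump, tar, gpg and mutt"
# backup sketch from the post above, done carefully. Hypothetical names:
# BACKUP_DIR, ADMIN_KEYS, PASSPHRASE_FILE, DUMP_CMD (test hook standing in for mysqldump).
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/backups/db}"
ADMIN_KEYS="${ADMIN_KEYS:-}"   # space-separated gpg key ids of the admins

# dump_db DBNAME OUTFILE: consistent snapshot via mysqldump; DUMP_CMD, when
# set, stands in for mysqldump so the pipeline can be exercised without MySQL.
dump_db() {
    db="$1"; out="$2"
    if [ -n "${DUMP_CMD:-}" ]; then
        sh -c "$DUMP_CMD" > "$out"
    else
        mysqldump --single-transaction --routines "$db" > "$out"
    fi
}

# encrypt_file IN OUT: encrypt to every admin key (so only admins can read the
# mailed copy), or symmetrically with PASSPHRASE_FILE when no keys are set.
# The plaintext is removed afterwards in either case.
encrypt_file() {
    in="$1"; out="$2"
    if [ -n "$ADMIN_KEYS" ]; then
        set --
        for k in $ADMIN_KEYS; do set -- "$@" -r "$k"; done
        gpg --batch --yes --trust-model always --output "$out" --encrypt "$@" "$in"
    else
        gpg --batch --yes --pinentry-mode loopback --passphrase-file "$PASSPHRASE_FILE" \
            --cipher-algo AES256 --output "$out" --symmetric "$in"
    fi
    rm -f "$in"
}

# verify_encrypted FILE: 0 only if the file starts with an OpenPGP packet tag
# (top bit of the first byte set) and the mysqldump banner is not in the clear.
verify_encrypted() {
    f="$1"
    first="$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')"
    [ -n "$first" ] && [ "$first" -ge 128 ] && ! grep -q 'MySQL dump' "$f"
}

# backup_db DBNAME: dump, tar, encrypt, verify; prints the ciphertext path.
backup_db() {
    db="$1"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    work="$(mktemp -d)"
    dump_db "$db" "$work/$db.sql"
    tar -C "$work" -cf "$work/$db-$stamp.tar" "$db.sql"
    rm -f "$work/$db.sql"
    mkdir -p "$BACKUP_DIR"
    enc="$BACKUP_DIR/$db-$stamp.tar.gpg"
    encrypt_file "$work/$db-$stamp.tar" "$enc"
    chmod 600 "$enc"
    verify_encrypted "$enc"
    rm -rf "$work"
    printf '%s\n' "$enc"
}

# mail_backup FILE ADDR: hand only the ciphertext to mutt; skipped if mutt is absent.
mail_backup() {
    command -v mutt >/dev/null 2>&1 || return 0
    printf 'Encrypted DB backup %s\n' "$(basename "$1")" \
        | mutt -s "DB backup $(basename "$1")" -a "$1" -- "$2"
}

# Stand-alone use (cron): ./backup.sh run DBNAME admin@example.invalid
if [ "${1:-}" = "run" ]; then
    out="$(backup_db "$2")"
    mail_backup "$out" "$3"
fi
```

Point a cron entry at the script with ADMIN_KEYS set to the admins' key ids; with ADMIN_KEYS empty it falls back to a passphrase file, which must then be kept off the backed-up host.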

hero member
Activity: 868
Merit: 1000
July 18, 2012, 04:51:57 PM

No. A judicial overseer would first secure all assets. That might mean immediately converting all BTC to $ and putting it into a safe bank. Since the appointed overseer can be held responsible for some losses accrued during his reign, you can bet he will play it safe.

He might incur losses due to the underlying BTC price rising, and people would cry foul even more than over open positions now, but at least there would be some assets to distribute (eventually). I am confident even lawyers can't take a bigger cut than criminals do now.

Pretty much this.  Although liquidation/administration/receivership (which is the most appropriate depends on whether there are any secured creditors and whether it's deemed possible for the company to trade out of trouble) is a legal process, it has nothing to do with law enforcement or with litigation against the principals.

A liquidator (usually an accountant unless a company is being wound up by court order) takes control of all assets and liquidates them for the benefit of creditors.  They are then distributed according to a process mandated by law (there's a specific order in which claims must be paid).  The liquidator (or receiver/administrator) is legally liable in the same way that the executor of a will is liable.  A simple liquidation takes about 6 months.  It takes much longer if any assets have been hidden or if any payments have been wrongly made during the look-back period as the liquidator is obliged by law to recover those assets/reverse those payments for the benefit of all creditors.

While we do know that there's a shortfall of funds, we do not know if users are the only creditors and we do not know whether user funds are the only assets.  If Bitcoinica LP owns the Bitcoinica.com domain and the IP (which is what Zhou says he sold), then a liquidator is obliged to attempt to sell those assets (which admittedly would not be worth much now).

I cannot stress how much you need advice from a NZ accountant or lawyer, Amir. 
donator
Activity: 1731
Merit: 1008
July 18, 2012, 02:25:23 PM
A lot of people asked that they continue refunds with what is left.  I am mostly against it; so far a lot of people have had 100%, a lot have had more back than they had, some false claims were paid out, and all of this was paid with some of my money.

It was found that most of those who had large accounts have not been paid their 50% even if their claim was marked accurate.
(we are a group of ~15 who had rather big accounts and got 0% back)

The large accounts that got paid 100% were a small select group, I'd guess friends.

Having Patrick quit while he has done most of the refund work and may be the only one with access to the information about the process status is what saddens me the most.

The timing of the hack relative to the release of the code makes it very likely that the hacker is well known.  It is most certainly someone who had prior knowledge of the vulnerability and, after figuring out the code was out in public, decided to cash in.
legendary
Activity: 1526
Merit: 1001
July 18, 2012, 02:19:37 PM
Zhou or Tihan? Hmm, one of them just got fired. Zhou is unlikely a suspect imo. If I was a Bitcoinica team member and I knew I was innocent, I would do my own investigation and take an extra careful look at Tihan's involvement. I'd really hate it if I was screwed over and now held accountable for someone's heist.
legendary
Activity: 1615
Merit: 1000
July 18, 2012, 02:03:00 PM
How would you seize Bitcoinica's assets, at least the BTC, without giving whoever controls the private keys the opportunity to transfer the funds to safety?

Really easy. Choose a registered professional. Hold him legally responsible. Win.

That's assuming the registered professional you choose holds the private keys, and is the only one with the keys.
hero member
Activity: 530
Merit: 500
July 18, 2012, 01:32:44 PM
- Tihan was fired, and no longer acting on behalf of Bitcoinica LP.

Who fired Tihan??

I'd assume the investment fund that he represented.

Correct.

According to posts by those two persons themselves, [at least] two persons knew the LastPass password and, more crucially, that the password was insecure (i.e., not randomly generated but a known string).

One of those persons was Tihan - who selected it, the other Zhou - who knew where it came from. It will be interesting to hear, whenever that might be, where all the USD went - something MtGox seem to have information on according to Mark's posts.

(And I'm sure lots of people here would be interested in seeing the IP address from the X-Originating-IP field in the hotmail-sent "Your LastPass password is" mail quoted earlier by Zhou)

As to the source code release itself, which is the reason why the known string became useable for both an inside as well as an outside intrusion - the latter much more implausible, I believe the question marks as to its origin still haven't been cleared.

full member
Activity: 187
Merit: 100
July 18, 2012, 01:14:28 PM
No. A judicial overseer would first secure all assets. That might mean immediately converting all BTC to $ and putting it into a safe bank. Since the appointed overseer can be held responsible for some losses accrued during his reign, you can bet he will play it safe.
He can (and should) rather put them into cold storage. These are deposits of Bitcoinica's customers; no one should have the authority to sell them.

Only if he understands bitcoin, which is unlikely. He has to prevent further losses foremost. He has the authority to sell off and close customers' positions if that's in their best interest long term, and it is better than getting more assets stolen. I assume much of the details here depend a lot on the jurisdiction this will end in.

How would you seize Bitcoinica's assets, at least the BTC, without giving whoever controls the private keys the opportunity to transfer the funds to safety?

Really easy. Choose a registered professional. Hold him legally responsible. Win.
vip
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
July 18, 2012, 12:42:29 PM
- Tihan was fired, and no longer acting on behalf of Bitcoinica LP.

Who fired Tihan??

I'd assume the investment fund that he represented.

Correct.

so even though Tihan is out of the picture, the investment fund is not.  Who is the new contact?
legendary
Activity: 1615
Merit: 1000
July 18, 2012, 12:03:34 PM
No. A judicial overseer would first secure all assets. That might mean immediately converting all BTC to $ and putting it into a safe bank. Since the appointed overseer can be held responsible for some losses accrued during his reign, you can bet he will play it safe.
He can (and should) rather put them into cold storage. These are deposits of Bitcoinica's customers; no one should have the authority to sell them.

Only if he understands bitcoin, which is unlikely. He has to prevent further losses foremost. He has the authority to sell off and close customers' positions if that's in their best interest long term, and it is better than getting more assets stolen. I assume much of the details here depend a lot on the jurisdiction this will end in.

How would you seize Bitcoinica's assets, at least the BTC, without giving whoever controls the private keys the opportunity to transfer the funds to safety?
hero member
Activity: 667
Merit: 500
July 18, 2012, 12:02:35 PM
No. A judicial overseer would first secure all assets. That might mean immediately converting all BTC to $ and putting it into a safe bank. Since the appointed overseer can be held responsible for some losses accrued during his reign, you can bet he will play it safe.
He can (and should) rather put them into cold storage. These are deposits of Bitcoinica's customers; no one should have the authority to sell them.

Only if he understands bitcoin, which is unlikely. He has to prevent further losses foremost. He has the authority to sell off and close customers' positions if that's in their best interest long term, and it is better than getting more assets stolen. I assume much of the details here depend a lot on the jurisdiction this will end in.


there is almost no way that if this goes into the hands of a 3rd party with some type of official / legal obligation such as a receiver or such that any assets will remain in bitcoin unfortunately... 
full member
Activity: 187
Merit: 100
July 18, 2012, 11:46:54 AM
No. A judicial overseer would first secure all assets. That might mean immediately converting all BTC to $ and putting it into a safe bank. Since the appointed overseer can be held responsible for some losses accrued during his reign, you can bet he will play it safe.
He can (and should) rather put them into cold storage. These are deposits of Bitcoinica's customers; no one should have the authority to sell them.

Only if he understands bitcoin, which is unlikely. He has to prevent further losses foremost. He has the authority to sell off and close customers' positions if that's in their best interest long term, and it is better than getting more assets stolen. I assume much of the details here depend a lot on the jurisdiction this will end in.
donator
Activity: 544
Merit: 500
July 18, 2012, 11:42:38 AM
No. A judicial overseer would first secure all assets. That might mean immediately converting all BTC to $ and putting it into a safe bank. Since the appointed overseer can be held responsible for some losses accrued during his reign, you can bet he will play it safe.
He can (and should) rather put them into cold storage. These are deposits of Bitcoinica's customers; no one should have the authority to sell them.
hero member
Activity: 667
Merit: 500
July 18, 2012, 11:35:21 AM
@genjix : can't you at least refund 50% to all the claims that have been marked as accurate?



Those big accounts that want to sue, I bet they sure would love their 50% back.  I know I would.     "More is lost to indecision than a bad decision."   sure seems to be ringing true here..  
full member
Activity: 187
Merit: 100
July 18, 2012, 11:34:17 AM
When the police come in, there will be more people who can touch the money. Then there will be another "hack", I guess.

No. A judicial overseer would first secure all assets. That might mean immediately converting all BTC to $ and putting it into a safe bank. Since the appointed overseer can be held responsible for some losses accrued during his reign, you can bet he will play it safe.

He might incur losses due to the underlying BTC price rising, and people would cry foul even more than over open positions now, but at least there would be some assets to distribute (eventually). I am confident even lawyers can't take a bigger cut than criminals do now.