BTC-E.COM NICE RECOVERY FROM THE HACK! =) - page 15.

hazek

legendary

Activity: 1078

Merit: 1003

Quote from: dree12 on July 30, 2012, 09:14:15 PM

Quote from: DeathAndTaxes on July 30, 2012, 09:12:15 PM

Quote from: tiberiandusk on July 30, 2012, 09:04:35 PM

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude. All exchanges use a pooled wallet. There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange. The exchange simply has one (or more) hot and/or cold wallets. Then they maintain a database of each user's balance, and trades change those balance. One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds. Hacker found a way to add USD to his USD balance. Once had had that why try hacking any further. Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

New theory: hacker emptied the BTC-e BTC wallet first and all that's happening now is him having some fun with the other users..

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: tiberiandusk on July 30, 2012, 09:14:31 PM

I understand all that. What I was saying is that simply putting 50000 in the BTC balance box doesn't mean there is actually 500000 BTC there.

Well obviously the attacker can only withdraw the max in the hot wallet (or any per day limit unless compromised).
That limit is the same regardless of if the attacker "fakes" BTC or "faked" USD to build up his BTC balance.

Say the hot wallet only had 10,000 BTC (hopefully it had a lot less) and the hacker was able to compromise the withdraw limit (by using multiple accounts).

"fake" 50,000 BTC you can only withdraw 10,000 BTC
"fake" $1M USD and buy 50,000 BTC you can still only withdraw 10,000 BTC.

Once the hot wallet is empty the hacker is "maxed out" regardless of what tricks he pulls.

Unless BTC-E is very stupid incoming deposits should go to the COLD WALLET thus not increase the amount stolen.

jwzguy

hero member

Activity: 868

Merit: 1002

Quote from: ydenys on July 30, 2012, 09:20:16 PM

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

Major doesn't mean secure. BTC-e always looked sketchy as hell to me.

ydenys

member

Activity: 96

Merit: 10

While mildly exiting, it is actually no fun. Are you, guys, saying that someone can ‘inject’ fake btc into major exchange/service provider, then exchange between the currencies/withdraw and the surplus of the coins would be recorded into the blockchain?

Darktongue

sr. member

Activity: 574

Merit: 250

30BTC
40LTC
22NMC

Flush.......

Thank you come again~!

Chalkbot

legendary

Activity: 896

Merit: 1001

Is there a reliable way of knowing how many of these fraudulently purchased BTC made it out of the exchange?

adamstgBit

legendary

Activity: 1904

Merit: 1037

Trusted Bitcoiner

Quote from: bg002h on July 30, 2012, 09:15:54 PM

Quote from: Ferroh on July 30, 2012, 07:27:05 PM

Perhaps someone at BTC-E got hacked, and bought all the BTC they could.

If so, they may not be able to withdraw.

I vote hack vs. scam vs. clever stunt by the exchange to get more deposits.

i lol'd

adamstgBit

legendary

Activity: 1904

Merit: 1037

Trusted Bitcoiner

Quote from: dree12 on July 30, 2012, 09:14:15 PM

Quote from: DeathAndTaxes on July 30, 2012, 09:12:15 PM

Quote from: tiberiandusk on July 30, 2012, 09:04:35 PM

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude. All exchanges use a pooled wallet. There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange. The exchange simply has one (or more) hot and/or cold wallets. Then they maintain a database of each user's balance, and trades change those balance. One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds. Hacker found a way to add USD to his USD balance. Once had had that why try hacking any further. Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

if BTC-e wasn't protected against SQL injection.... that's just sad...

bg002h

donator

Activity: 1464

Merit: 1047

I outlived my lifetime membership:)

Quote from: Ferroh on July 30, 2012, 07:27:05 PM

Perhaps someone at BTC-E got hacked, and bought all the BTC they could.

If so, they may not be able to withdraw.

I vote hack vs. scam vs. clever stunt by the exchange to get more deposits.

tiberiandusk

hero member

Activity: 575

Merit: 500

The North Remembers

Quote from: DeathAndTaxes on July 30, 2012, 09:12:15 PM

Quote from: tiberiandusk on July 30, 2012, 09:04:35 PM

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude. All exchanges use a pooled wallet. There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange. The exchange simply has one (or more) hot and/or cold wallets. Then they maintain a database of each user's balance, and trades change those balance. One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds. Hacker found a way to add USD to his USD balance. Once had had that why try hacking any further. Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

I understand all that. What I was saying is that simply putting 50000 in the BTC balance box doesn't mean there is actually 500000 BTC there.

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: DeathAndTaxes on July 30, 2012, 09:12:15 PM

Quote from: tiberiandusk on July 30, 2012, 09:04:35 PM

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude. All exchanges use a pooled wallet. There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange. The exchange simply has one (or more) hot and/or cold wallets. Then they maintain a database of each user's balance, and trades change those balance. One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds. Hacker found a way to add USD to his USD balance. Once had had that why try hacking any further. Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

If it was a SQL injection (extremely likely), it should have been just as easy to add BTC. I suspect the hacker may be intentionally messing with the exchange.

TTBit

legendary

Activity: 1136

Merit: 1001

Quote from: jwzguy on July 30, 2012, 09:01:53 PM

Quote from: TTBit on July 30, 2012, 08:50:17 PM

Um... no. 2.18 of it to: 12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav

http://blockexplorer.com/address/12JGzgb7ezdp5UT4EoJN3Spcn3P8fyyFav
0BTC
Did you get any out successfully?

No, that is first few. Waiting for some confirms.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: tiberiandusk on July 30, 2012, 09:04:35 PM

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Dude. All exchanges use a pooled wallet. There is no such things "your" BTC or "your BTC" wallet on BTC-E, MtGox or any other exchange. The exchange simply has one (or more) hot and/or cold wallets. Then they maintain a database of each user's balance, and trades change those balance. One could withdraw "fake" BTC just as easily as selling "fake" USD for BTC and withdrawing that.

The likely reason for faking USD is simply because that is the exploit the hacker founds. Hacker found a way to add USD to his USD balance. Once had had that why try hacking any further. Give yourself huge amounts of USD, buy BTC and remove them from the exchange.

AndrewBUD

hero member

Activity: 1078

Merit: 502

The excitement around here never ends

Yankee (BitInstant)

legendary

Activity: 1078

Merit: 1000

Charlie 'Van Bitcoin' Shrem

The part of BitInstant reserves being leaked is false, our books are accurate

finkleshnorts

sr. member

Activity: 336

Merit: 250

Quote from: ThiagoCMC on July 30, 2012, 08:54:07 PM

OMG... I had 180 Bitcoins there... Jesus...

My latest withdraw at btc-e webpage says "confirmed", but nothing reached my wallet yet.

40 Bitcoins was "sold" there... And 140 Bitcoins are stucked at some point there... In Russia... Damn!

Jesus no, please no...

dree12

legendary

Activity: 1246

Merit: 1077

Quote from: tiberiandusk on July 30, 2012, 09:04:35 PM

Quote from: dree12 on July 30, 2012, 09:01:14 PM

Quote from: tiberiandusk on July 30, 2012, 08:58:51 PM

Quote from: dree12 on July 30, 2012, 08:57:58 PM

Quote from: moocow1452 on July 30, 2012, 08:53:27 PM

Quote from: Scott J on July 30, 2012, 08:47:49 PM

From the BTC-E chat box:

Quote

MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed

That can't be good, but how do we know he wasn't just trollololing?

There is no reason not to suspect a database leak.

The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database.

What confuses me is why they did not simply hack the BTC in.

They wouldn't be able to withdraw fake BTC.

Why not?

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

There's no practical difference between "fake" and "real" BTC or USD on an exchange. It can be withdrawn regardless. USD usually is more easily traceable, freezable, and is more dangerous, which is why the hacker could not withdraw that way.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Isn't the BTC-E exchange the one I reported here and said beware some months ago? Or maybe I'm getting mixed up.

Another one of these, "oops we were hacked" scams. Someone there is selling people's BTC on them and the USD will vanish soon. Any users have BTC there that seem to be missing from their account now?

terrytibbs

hero member

Activity: 560

Merit: 501

I think it's time for the anonymous Russians to abandon ship!

tiberiandusk

hero member

Activity: 575

Merit: 500

The North Remembers

Quote from: dree12 on July 30, 2012, 09:01:14 PM

Quote from: tiberiandusk on July 30, 2012, 08:58:51 PM

Quote from: dree12 on July 30, 2012, 08:57:58 PM

Quote from: moocow1452 on July 30, 2012, 08:53:27 PM

Quote from: Scott J on July 30, 2012, 08:47:49 PM

From the BTC-E chat box:

Quote

MrWubbles: now logging in as support to troll more
MrWubbles: dev account has been deleted
MrWubbles: dev account has been deleted
MrWubbles: support is being deleted now
MrWubbles: dumping everyone's wallets
MrWubbles: bitinstant reserves have been leaked for days
MrWubbles: all your base
MrWubbles: I'm Mr Wubbles of wub fame
MrWubbles: Expect Mass Database Leak Soon
MrWubbles: wub database destroyed

That can't be good, but how do we know he wasn't just trollololing?

There is no reason not to suspect a database leak.

The hacker must have gotten the fake USD in either through remote execution or SQL injection. Both these allow access to the database.

What confuses me is why they did not simply hack the BTC in.

They wouldn't be able to withdraw fake BTC.

Why not?

They wouldn't be able to withdraw any USD since it's fake. Saying you have 500000 fake BTC on BTC-e doesn't mean anything if you don't actually have the keys to those coins in an actual wallet. They used fake USD to buy real BTC then ride off into the sunset laughing.

Topic: BTC-E.COM NICE RECOVERY FROM THE HACK! =) - page 15. (Read 51047 times)