Topic: Hackers steal data from MtGox server and release it with Mark's reddit account. - page 2.

sr. member
Activity: 364
Merit: 257
It can't represent all of their customers if there are only 80K or so accounts, that's way too few.

At one point they were handling thousands of verifications a day weren't they? Or was it all just one big lie...?

The balance file states this:

mysql> SELECT * FROM platform.User_Wallet WHERE platform.User_Wallet.Balance != 0 ORDER BY platform.User_Wallet.Balance DESC;

That means only accounts with a balance different from 0 were retrieved.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Is the following site safe to visit: bitcoincorp.de/MtGox_Ba            lances.txt (broken up with spaces, so just connect the a to the l -- self-explanatory)
legendary
Activity: 2968
Merit: 1198
I do open PDF's all the time, but seem to be spooked by this one due to the warnings.

It's more than just warnings. We know for a fact* that the very same zip file contained wallet-stealing malware. That makes the rest of the zip very suspicious as well. You are justified in being spooked.

* Fact in the sense that someone claimed to disassemble it and posted the code. In theory that could be fake.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Opening the zip in and of itself shouldn't be a problem.

Correct (assuming it has been verified to be a valid zip without some hidden executable component), but he said he also opened a PDF file. That's dangerous.


yes, have to be careful with PDFs. Though I don't think that the CV contained a virus.

I do open PDFs all the time, but seem to be spooked by this one due to the warnings. This is the main laptop I use for everything. In fact, I even had it in Atlanta and stored it in BitPay's Coke (as in soda) locker that Friday evening, unlocked. The next day, it was under the table where the Bitcoin Magazine was being sold in the conference lecture room. If stolen, the thief could have easily gotten tens of thousands of dollars from me, and that's with not having a personal bitcoin wallet. Yes, I'm still using a third party service, not learning my lesson after InstaWallet went dark.

I guess my only concern is some keylogger program and password sniffer being in place now. Is that a possibility with any malware that may now be in place?
legendary
Activity: 1176
Merit: 1005
yes, have to be careful with PDFs. Though I don't think that the CV contained a virus.

Most virus scanning software is simple pattern matching.  It looks for the signature of known viral code.  This isn't going to detect something like wallet stealing software that is custom made for one particular purpose, never released into the wild, and which is not technically a virus but a trojan.  A virus gets your computer to replicate it to other media.  This kind of thing doesn't.

Even AV that uses some kind of heuristic method to detect the kind of code that might be viral, i.e. looking for specific kinds of suspicious behavior, is still probably not going to recognize something aimed at a specific application, like Bitcoin wallet software.
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
Some more interesting info... 

The btc_xfer_report shows withdrawals occurring well after the Feb 7 BTC withdrawal suspension.  There are 1360 withdrawals dated Feb 10 or later, involving 315 wallet ids, totaling 15541 BTC.

Many of these are paired with deposits to other wallet ids, so this suggests that the xfers document internal non-blockchain transfers as well. 

There is a screenshot.png in the bin folder which shows some withdrawals in an admin interface.  For whatever reason, they are all associated with wallet id 023e30c1-9c0d-41be-a471-6ac6992f62f1.  I wonder if there's something significant about that wallet vs. the others, or it was just a random example.  In any case, if this was intended to show that there were "special" external withdrawals after the freeze, that wasn't the case.  It looks like all of the withdrawals from this account went to wallet id a6acd802-bb4f-412b-be6d-b0bf3f2bb055.

A lot of the internal, off-blockchain transfers were likely people speculating on GoxBTC vs RealBTC, like what bitcoinbuilder had set up.

I wonder how many GoxBTC ended up in bitcoinbuilder's account...
newbie
Activity: 57
Merit: 0
Some more interesting info... 

The btc_xfer_report shows withdrawals occurring well after the Feb 7 BTC withdrawal suspension.  There are 1360 withdrawals dated Feb 10 or later, involving 315 wallet ids, totaling 15541 BTC.

Many of these are paired with deposits to other wallet ids, so this suggests that the xfers document internal non-blockchain transfers as well. 

There is a screenshot.png in the bin folder which shows some withdrawals in an admin interface.  For whatever reason, they are all associated with wallet id 023e30c1-9c0d-41be-a471-6ac6992f62f1.  I wonder if there's something significant about that wallet vs. the others, or it was just a random example.  In any case, if this was intended to show that there were "special" external withdrawals after the freeze, that wasn't the case.  It looks like all of the withdrawals from this account went to wallet id a6acd802-bb4f-412b-be6d-b0bf3f2bb055.
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
Opening the zip in and of itself shouldn't be a problem.

Correct (assuming it has been verified to be a valid zip without some hidden executable component), but he said he also opened a PDF file. That's dangerous.


yes, have to be careful with PDFs. Though I don't think that the CV contained a virus.
legendary
Activity: 2968
Merit: 1198
Opening the zip in and of itself shouldn't be a problem.

Correct (assuming it has been verified to be a valid zip without some hidden executable component), but he said he also opened a PDF file. That's dangerous.
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
Now what? Besides any wallets that a person may have stored on their computer, which is not the case with me, luckily, can the malware perform any other tasks like sniff for keystrokes, passwords, etc.

Bruno, your tone is sometimes hard to read online, but if you are serious, my answer would be to never trust that computer again until after wiping it, and be extremely cautious with any "data" files stored there.


Opening the zip in and of itself shouldn't be a problem.
legendary
Activity: 2968
Merit: 1198
Now what? Besides any wallets that a person may have stored on their computer, which is not the case with me, luckily, can the malware perform any other tasks like sniff for keystrokes, passwords, etc.

Bruno, your tone is sometimes hard to read online, but if you are serious, my answer would be to never trust that computer again until after wiping it, and be extremely cautious with any "data" files stored there.
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
It can't represent all of their customers if there are only 80K or so accounts, that's way too few.

At one point they were handling thousands of verifications a day weren't they? Or was it all just one big lie...?
sr. member
Activity: 364
Merit: 257
The .exe in the info dump is a wallet stealer apparently. Haven't seen this posted yet?

http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/

If you ran it, hopefully you did so on a sandboxed computer or VM.

Well, ain't this motherfuckin' special! I waited till the all clear prior to downloading the file and unzipping it. Now, I learn that that wasn't a good idea.

What am I up against here, guys?

If you just unzipped it you should be fine. Just don't open the .exe or .pdf


Too late! I opened the CV-Mark_Karpeles...... one. I guess that explains why the page deal for blank.



There is no problem if you opened it with Acrobat Reader, only the full version of Acrobat may execute some kind of virus.
legendary
Activity: 2968
Merit: 1198

It's possible that there were accounts without bitcoin balances.

Although, I still don't trust anything Gox says.

Right.  I just realized that.  Reference my edited post above...

But... then that would mean that 900,000 of the customers either 1) never deposited any BTC or 2) were smart enough to get it all out before the final goxxing.  I wasn't that smart, and I'd find it hard to believe that 90% of users who ever had a balance actually got it out.  On the other hand, I wouldn't be surprised that Gox would claim any registered account as a customer, even if it never had any deposit/trade activity.


I stopped using the site last year and withdrew essentially all of my btc when they stopped paying USD and had other issues. Was a huge red flag to me.
newbie
Activity: 57
Merit: 0

It's possible that there were accounts without bitcoin balances.

Although, I still don't trust anything Gox says.

Right.  I just realized that.  Reference my edited post above...

But... then that would mean that 900,000 of the customers either 1) never deposited any BTC or 2) were smart enough to get it all out before the final goxxing.  I wasn't that smart, and I'd find it hard to believe that 90% of users who ever had a balance actually got it out.  On the other hand, I wouldn't be surprised that Gox would claim any registered account as a customer, even if it never had any deposit/trade activity.
legendary
Activity: 1008
Merit: 1000
Making money since I was in the womb! @emc2whale
Since the data seems to have been stolen around the time MtGox shutdown or later the question would be ... why would you keep this information on a webserver if you aren't actively using it anymore?  

My guess is the db was stolen from a business associate/employee.

left from the leaker:
Code:

That's deep. He must have really fucked over everyone around him too.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
I'm trying to do some datamining on the files.  Here are some interesting initial observations:

- There are 88267 accounts with BTC balances; I was under the impression there should be more than that.
- There appear to be wallet ids in the transaction history that aren't in the mtgox_balances file.  This would explain the above.
- Some accounts have negative BTC balances (-85 BTC!).  Oops!

88,267 is a far cry from 1M: https://www.facebook.com/MtGox

Quote
Holiday Discount to celebrate reaching 1 Million Customers and a new partnership with Mayzus FS

Dear MtGox Customers,

Thank you for your patience and support all throughout 2013.
As we noted in our previous update there are many things happening, and we’re proud to announce two more major developments that will make MtGox both easier and more economical for our valued customers:

1) One million MtGox customers and reduced fees for the holidays!

BTW, that's 1M customers that should have equated to more accounts. 88,267 accounts equates to a lot fewer customers.

InstaWallet pulled the same shit with their 3M customers claim. I can easily add up all the customers they paid out via the blockchain. BTW, they still have ~3000 BTC in that account after the last payout, and 1,132 BTC of it is mine.

One more thing: Google Mayzus.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
The .exe in the info dump is a wallet stealer apparently. Haven't seen this posted yet?

http://www.reddit.com/r/Bitcoin/comments/200k30/the_tibannebackofficeexe_executable_is_wallet/

If you ran it, hopefully you did so on a sandboxed computer or VM.

Well, ain't this motherfuckin' special! I waited till the all clear prior to downloading the file and unzipping it. Now, I learn that that wasn't a good idea.

What am I up against here, guys?

If you just unzipped it you should be fine. Just don't open the .exe or .pdf


Too late! I opened the CV-Mark_Karpeles...... one. I guess that explains why the page deal for blank.

Now what? Besides any wallets that a person may have stored on their computer, which is not the case with me, luckily, can the malware perform any other tasks like sniff for keystrokes, passwords, etc. I truly don't know anything in this regard, that's why I had 1,132 BTC stored on InstaWallet last year, because the general consensus is that they could be trusted.

It's also why I told a guy here in Sandwich, IL, that Bitcoinica was okay, so he put in $10K USD (I have strong reason to believe that's the correct figure considering the sources, though he claims it's a lot more)--because I trusted them. I told the guy not to use Mt Gox, so he didn't. Guess what happened? Sick!

But I digress, and look forward to an answer to the earlier question in this post.

Thanks in advance, from me and any others that the answers may help.
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
Top 10 (apparent) account balances in the leaked database dump:

711a4e9d-e183-...    44547.7 BTC
34fcda44-5832-...    43768.2 BTC
c0b24126-f199-...    19985.0 BTC
92d047e9-9f2b-...    11500.6 BTC
ff84fc35-b22a-...    11007.8 BTC
0afba433-817e-...     9819.2 BTC
19b38844-b58b-...     8752.6 BTC
945e5a15-4100-...     8000.0 BTC
4339257e-4b12-...     6051.3 BTC
0766852e-9187-...     5199.9 BTC

Ouch, I don't feel too bad now about losing single-digit quantities of BTC.  I'd assume that at least some of these accounts are Mark however (depending whether or not one believes he took the BTC himself).

Whale blubber got trimmed, ouch.
newbie
Activity: 57
Merit: 0
I'm trying to do some datamining on the files.  Here are some interesting initial observations:

- There are 88267 accounts with BTC balances; I was under the impression there should be more than that.
- There appear to be wallet ids in the transaction history that aren't in the mtgox_balances file.  This would explain the above.
- Some accounts have negative BTC balances (-85 BTC!).  Oops!

Edit: it looks like 0 balance accounts aren't in mtgox_balances, so you can't xref user ids with wallet ids for those.

Edit2: There are 39905 accounts with only fiat balances, for a total of 128172 unique user accounts in the mtgox_balances file.  The btc_xfer_report has 147079 unique wallet ids that have either deposited or withdrawn bitcoin.  That implies at least 18907 users who have shown BTC deposit/withdrawal activity got all their funds out.  I haven't yet gone through the trade history logs, so this is just a lower bound.
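The two data-mining posts above (the post-freeze withdrawal count and the paired internal transfers, and the balance-file cross-reference against the btc_xfer_report) describe analyses without showing how they were run. The script below is an added example, written for this page and not code from the thread or from MtGox. The column layout of the balance export and the transfer report is an assumption made for illustration, since the thread does not describe the real file format, and all sample rows are constructed. It reproduces the three checks: withdrawals dated after the freeze, withdrawals matched to a same-day equal-amount deposit into another wallet (the signature of an off-blockchain internal move), and the lower bound on users who fully exited, computed as a set difference rather than the simple subtraction of counts used in the post.

```python
"""Cross-checking a leaked balance export against a transfer report.

Added example for this page; not code from the thread or from MtGox.
The column layout below is an ASSUMPTION for illustration only; the real
dump's format is not described in the thread. All sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample, assumed layout: user, wallet, currency, balance.
# Zero balances are absent, mirroring the "WHERE Balance != 0" export.
BALANCES_CSV = """user,wallet,currency,balance
u1,w-aaa,BTC,12.5
u2,w-bbb,BTC,-85.0
u3,w-ccc,USD,250.00
u1,w-aaa,USD,10.00
u4,w-ddd,BTC,3.0
"""

# Constructed sample, assumed layout: date, wallet, kind, amount (BTC).
XFERS_CSV = """date,wallet,kind,amount
2014-02-05,w-aaa,deposit,12.5
2014-02-12,w-bbb,withdraw,100.0
2014-02-12,w-eee,deposit,100.0
2014-02-15,w-ddd,withdraw,5.0
2014-02-15,w-fff,deposit,5.0
2014-02-20,w-ccc,withdraw,7.0
2014-02-01,w-eee,deposit,1.0
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def post_freeze_withdrawals(xfers, cutoff=date(2014, 2, 10)):
    """Withdrawals dated on/after cutoff: (count, distinct wallets, total BTC)."""
    rows = [r for r in xfers
            if r["kind"] == "withdraw" and date.fromisoformat(r["date"]) >= cutoff]
    wallets = {r["wallet"] for r in rows}
    total = sum((Decimal(r["amount"]) for r in rows), Decimal(0))
    return len(rows), len(wallets), float(total)


def pair_internal_transfers(xfers):
    """Match each withdrawal with a same-day deposit of equal amount into a
    different wallet. Such pairs look like off-blockchain internal moves,
    which a report of "withdrawals" would otherwise overstate as real exits."""
    deposits = defaultdict(list)
    for r in xfers:
        if r["kind"] == "deposit":
            # Decimal keys so "100.0" and "100" compare equal.
            deposits[(r["date"], Decimal(r["amount"]))].append(r["wallet"])
    pairs = []
    for r in xfers:
        if r["kind"] != "withdraw":
            continue
        key = (r["date"], Decimal(r["amount"]))
        for w in deposits.get(key, []):
            if w != r["wallet"]:
                pairs.append((r["wallet"], w, float(key[1])))
                deposits[key].remove(w)  # each deposit matches at most once
                break
    return pairs


def balance_summary(balances, xfers):
    """Counts in the spirit of the thread's data mining: accounts holding
    BTC, fiat-only accounts, unique users, wallets with BTC activity, and a
    lower bound on users who moved BTC but hold nothing in the balance file."""
    btc_users = {r["user"] for r in balances if r["currency"] == "BTC"}
    all_users = {r["user"] for r in balances}
    negative = [(r["user"], float(r["balance"])) for r in balances
                if r["currency"] == "BTC" and Decimal(r["balance"]) < 0]
    balance_wallets = {r["wallet"] for r in balances}
    active_wallets = {r["wallet"] for r in xfers}
    # Wallets that moved BTC but have no non-zero balance of any currency:
    # the user got everything out. A set difference is exact where the
    # post's 147079 - 128172 subtraction assumes one wallet per user.
    exited = active_wallets - balance_wallets
    return {
        "btc_accounts": len(btc_users),
        "fiat_only_accounts": len(all_users - btc_users),
        "unique_users": len(all_users),
        "active_wallets": len(active_wallets),
        "exited_lower_bound": len(exited),
        "negative_btc": negative,
    }


if __name__ == "__main__":
    xfers, balances = load(XFERS_CSV), load(BALANCES_CSV)
    print("post-freeze withdrawals:", post_freeze_withdrawals(xfers))
    print("internal pairs:", pair_internal_transfers(xfers))
    print("summary:", balance_summary(balances, xfers))
```

Against the constructed rows this flags two of the three post-freeze "withdrawals" as internal pairs and leaves one (w-ccc, 7 BTC) unmatched, which is the kind of residual a reviewer of the real report would then inspect by hand. The same-day, equal-amount heuristic is deliberately strict; real exchange ledgers would need fee and timestamp tolerances, which is why the result is a candidate list rather than proof.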