Pages:
Author

Topic: Time-line of the MtGox attack (Read 4769 times)

mrb
legendary
Activity: 1512
Merit: 1028
June 21, 2011, 04:19:04 AM
#23
The "Adam" you guys said was on the OnlyOneTV show was not an MtGox employee, he was Adam Stradling, a TradeHill co-founder.
sr. member
Activity: 294
Merit: 252
June 21, 2011, 12:13:45 AM
#22
So, I've got a theory, and here are some interesting tidbits...

  • I created an account a few days before the hack and it appears in the export (57051,"bigshot").
  • Around the same time around 6000 random looking accounts were created (from 52709,"hyquoshy" to 59354,"crostypa"). Was that part of a DDoS attempt, or some sort of known-text attack?
  • Kevin says that he attempted to raise his withdrawal limit prior to the attack.
  • MagicalTux says that Kevin logged in 3 minutes before the sell off and placed a large order at $0.01
full member
Activity: 124
Merit: 101
June 20, 2011, 09:54:51 AM
#21
Presumably they have multiple wallets so there's nothing contradictory about it. They can be spread out and there can still be large transfers - maybe this is a secondary wallet.
sr. member
Activity: 364
Merit: 251
June 20, 2011, 02:01:50 AM
#20
FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.

Only problem is, just previously he stated they had their bitcoins spread out into different accounts. Contradictions
mrb
legendary
Activity: 1512
Merit: 1028
June 20, 2011, 01:39:02 AM
#19
Thanks, I did add the info.

I got confirmation from MagicalTux that the 432k BTC transfer was MtGox moving coins to a safer location.
newbie
Activity: 30
Merit: 0
June 19, 2011, 11:54:29 PM
#18
You should also consider including in the timeline the Mt. Gox passwords purportedly for sale on Friday

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

and people reporting coins stolen from Mt. Gox accounts over the weekend:

http://forum.bitcoin.org/index.php?topic=18858.0
newbie
Activity: 21
Merit: 0
June 19, 2011, 11:40:00 PM
#17
the input to the large transaction came entirely from the other large mtgox transaction of June 12th, which Tux explained at the time as being a security move to put majority of mtgox BTCs offline.  So we can be fairly confident the transfer was from MtGox offline storage.  Also, based on the numbers the full offline balance was moved.  So that makes sense.  I don't believe those BTC were available for withdrawal from mtgox.  For example, when I withdrew from mtgox a few days ago (spooked about increasing account compromise reports), the trx inputs were from 5 separate addresses.  I assume those are the online accounts and are the ones available for withdrawal, subject to daily limit.  I think it actually makes a lot of sense that he would re-secure the 400,000 offline BTC storage first thing when he woke up - before logging into IRC - even if he wasn't yet sure if an attack was in progress.
newbie
Activity: 59
Merit: 0
June 19, 2011, 11:28:43 PM
#16
What's the exact amount of the large transaction? Is this article accurate on that part? If so then that's not an internal Mt. Gox transaction making it even more likely than it already is that they're lying about the extent of this.
legendary
Activity: 1204
Merit: 1015
June 19, 2011, 11:28:17 PM
#15
FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.

Someone else said it was a certain "Adam" on the show who said the 432k BTC txfer was MtGox transferring as a security precaution. "Adam" is not related to MtGox.

(Sorry I forget where I heard about this Adam. I'll try to get clarification about this transfer.)

But regardless, it worries that it was made (a minute) before MagicalTux appeard on IRC, where he was clearly just discovering the selloff, and hadn't started his investigation yet. Also it doesn't make sense that a "single account" was compromised and had hundreds of thousands of BTC in it. No one in his right mind keeps this amount of coins on MtGox (other than MagicalTux himself?), ask knightmb how he secures his 370k BTC Smiley
Adam works at MtGox. I think he's fairly new.
mrb
legendary
Activity: 1512
Merit: 1028
June 19, 2011, 11:24:02 PM
#14
FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.

Someone else said it was a certain "Adam" on the show who said the 432k BTC txfer was MtGox transferring as a security precaution. "Adam" is not related to MtGox.

(Sorry I forget where I heard about this Adam. I'll try to get clarification about this transfer.)

But regardless, it worries that it was made (a minute) before MagicalTux appeard on IRC, where he was clearly just discovering the selloff, and hadn't started his investigation yet. Also it doesn't make sense that a "single account" was compromised and had hundreds of thousands of BTC in it. No one in his right mind keeps this amount of coins on MtGox (other than MagicalTux himself?), ask knightmb how he secures his 370k BTC Smiley
hero member
Activity: 616
Merit: 500
June 19, 2011, 11:14:34 PM
#13
Quote from: mrb
Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox.
Emphasis yours. Can you elaborate on why you think georgeclooney is the attacker? Is that based solely on the fact that he posted some of the hashes before they were publicly leaked?

Yes, it is based on this fact.



HAHAHAHAHA. DUDE IS HILARIOUS. CALLED HIMSELF GEORGE CLOONEY BECAUSE OF OCEANS 11.


Definitely suave.
hero member
Activity: 616
Merit: 500
June 19, 2011, 11:03:27 PM
#12
legendary
Activity: 1204
Merit: 1015
June 19, 2011, 10:58:26 PM
#11
http://blog.zorinaq.com/?e=55

There is a massive amount of information on IRC and the forum threads. Hopefully I have done an okay job at summarizing the attack..
Pretty good timeline! As for when the database was leaked, it was at least 5 minutes before you show it at. theymos can look up the exact time, since the post wasn't actually deleted.
jr. member
Activity: 42
Merit: 1
June 19, 2011, 10:34:42 PM
#10
FYI, on The Bitcoin Show tonight, one of the Mt. Gox guys said that the ~400k transfer was them taking security measures by moving their BTC to a different wallet.
full member
Activity: 124
Merit: 101
June 19, 2011, 10:22:31 PM
#9
On this show which just ended from onlyonetv, the MT Gox guy said they did this transaction
to move the bitcoins to a secure wallet, and that only maybe something like 200 coins got lost.

Lets hope this is true...

If so the timeline is off by a little since it says Mark Karpeles was only woken up after that transaction had occurred. I do hope it's true.
sr. member
Activity: 313
Merit: 250
June 19, 2011, 10:20:17 PM
#8
Nice timeline. I hadn't read about that big BTC transaction minutes before the MtGox shutdown yet.
I agree! I was also unaware of the 432077.76654321 BTC transaction. Kinda strange that if you read the digits backwards you get a '12345667' sequence. Could that just be a fluke?

On this show which just ended from onlyonetv, the MT Gox guy said they did this transaction
to move the bitcoins to a secure wallet, and that only maybe something like 200 coins got lost.

Lets hope this is true...
mrb
legendary
Activity: 1512
Merit: 1028
June 19, 2011, 10:13:32 PM
#7
Quote from: mrb
Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox.
Emphasis yours. Can you elaborate on why you think georgeclooney is the attacker? Is that based solely on the fact that he posted some of the hashes before they were publicly leaked?

Yes, it is based on this fact.
member
Activity: 70
Merit: 10
June 19, 2011, 10:10:56 PM
#6
Quote
Note to self: add support for Unix MD5-based crypt() hashes to whitepixel  )

Hahaha.
full member
Activity: 124
Merit: 101
June 19, 2011, 10:08:32 PM
#5
just for argument's sake, what evidence does the public (anyone outside of mt. gox) have that there even was an attack? how would anyone know that it wasn't a large holder of bitcoins who was trying to sell, hoping to get a decent price from large dark pools he or she suspected existed? then, unhappy with the total price received from the bulk sale, this large holder could have then asked or paid mt. gox to roll things back.

That's certainly a thought that could be valid to play with but it seems unlikely.

The hacker explanation sounds plausible given the prior reports of accounts being hacked, and the subsequent release of password hashes. If there really was a large seller who legitimately wanted to 'try the waters' and sell off massive amounts of coins at once just to see how much he or she could get, and then somehow could convince MtGox to destroy their own reputation to roll back the transaction - and this sounds implausible already - how likely is it that that would happen at the same time as a massive security breach? Would that be staged too?
member
Activity: 72
Merit: 10
June 19, 2011, 10:04:04 PM
#4
Nice timeline. I hadn't read about that big BTC transaction minutes before the MtGox shutdown yet.
I agree! I was also unaware of the 432077.76654321 BTC transaction. Kinda strange that if you read the digits backwards you get a '12345667' sequence. Could that just be a fluke?

mrb: I'm curious about this:
Quote from: mrb
Many of these hashes, even those that appear to be strong passwords, show up on various websites about password brute-forcing. Notably, 2 days ago, a user named georgeclooney posted requests to crack some of these hashes on the InsidePro password recovery forums. He is almost certainly the same person who attacked MtGox.
Emphasis yours. Can you elaborate on why you think georgeclooney is the attacker? Is that based solely on the fact that he posted some of the hashes before they were publicly leaked?
Pages:
Jump to: