Topic: Tracing Mt. Gox Hack (Read 1633 times)

newbie
Activity: 45
Merit: 0
April 23, 2013, 04:38:46 AM
#16
Someone munched a lot of coins.. Nom Nom..
eco
newbie
Activity: 12
Merit: 0
April 23, 2013, 03:56:44 AM
#15
yes certainly has changed quite a bit since then..no doubt.
newbie
Activity: 9
Merit: 0
April 23, 2013, 03:48:51 AM
#14
you are quoting something from 2011

it's a totally new site now
sr. member
Activity: 294
Merit: 250
April 22, 2013, 08:19:25 PM
#13
new spam email being sent out
Delivered-To: my email
Received: by 10.204.49.86 with SMTP id u22cs24977bkf;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received: by 10.150.63.12 with SMTP id l12mr5078373yba.120.1308532635049;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33])
        by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=67.18.176.33;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Date: 20 Jun 2011 01:17:14 -0000
Message-ID: <[email protected]>
From: [email protected]
To: myemail
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698

Sign up at Trade Hill today!

http://www.tradehill.com/?r=TH-R13698




How's the volume over there? Their front page makes it look pretty iffy.
newbie
Activity: 42
Merit: 0
June 20, 2011, 02:29:58 AM
#12
It (a 432k transfer) was Mt.Gox operator's attempt at securing the remaining funds, as they explained somewhere.
sr. member
Activity: 309
Merit: 290
June 20, 2011, 12:49:38 AM
#11
Am I reading that right, a 300K and a 400K chunk of bitcoins? If so that's a significant portion of the entire pool.

hero member
Activity: 700
Merit: 500
June 19, 2011, 11:59:46 PM
#10
can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above?  Trace it, like OP suggested.

You can't.
sr. member
Activity: 332
Merit: 250
June 19, 2011, 11:55:13 PM
#9
can someone familiar with blockexplorer PLEASE get the ip address(es) used to do the big transfers mentioned above?  Trace it, like OP suggested.
newbie
Activity: 9
Merit: 0
June 19, 2011, 11:23:20 PM
#8
new spam email being sent out

Be sure to report it as spam.
newbie
Activity: 54
Merit: 0
June 19, 2011, 09:35:21 PM
#7
new spam email being sent out
Delivered-To: my email
Received: by 10.204.49.86 with SMTP id u22cs24977bkf;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received: by 10.150.63.12 with SMTP id l12mr5078373yba.120.1308532635049;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail.daveblood.com (li9-33.members.linode.com [67.18.176.33])
        by mx.google.com with SMTP id n19si6525878ybm.84.2011.06.19.18.17.14;
        Sun, 19 Jun 2011 18:17:15 -0700 (PDT)
Received-SPF: neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=67.18.176.33;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.18.176.33 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: (qmail 22898 invoked by uid 500); 20 Jun 2011 01:17:14 -0000
Date: 20 Jun 2011 01:17:14 -0000
Message-ID: <[email protected]>
From: [email protected]
To: myemail
Subject: Was this the last straw with Mt Gox?

The latest in a string of hacks to Mt Gox has made me move to Trade Hill. Use this referral code to get 10% off all trade fees: TH-R13698

Sign up at Trade Hill today!

http://www.tradehill.com/?r=TH-R13698


newbie
Activity: 41
Merit: 0
June 19, 2011, 08:15:23 PM
#6
very interesting
sr. member
Activity: 332
Merit: 250
June 19, 2011, 08:11:22 PM
#5
Thanks for the info, it looks like it all happened in one second, all the trades cleared in one second.  Tux really has his work cut out for him.  Anyway, someone called "Ross" posted this on the mtgox comments today:

Quote
Are you certain that an account was compromised or that the account itself was a collection of compromised BTC? Some time should be spent thinking about the result of when/how you determine intervention should be applied to the market.

See: http://blockexplorer.com/address/1KLahQtqDNAXvrjNyfvgSBtAhwco5ZxLp4 for what I'm talking about. This address received large sums of BTC from many different addresses all at one time a week ago. That BTC was then transferred to MtGox and dumped on the market at once.

I can't read blockexplorer too well, but it does deter from the theory proposed by mtgox that this was a "hack".  I mean, if someone consolidated 400k+ bitcoins all at once a week ago from several addresses and then transferred to mtgox all those coins, then the same day sold them all.  That's not a hack, that is something else.
member
Activity: 87
Merit: 10
June 19, 2011, 08:07:57 PM
#4


Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?

I for one wouldn't want a client that had that mod. If you block some transactions it means you can block others. The real problem here is mtgox, not the bitcoin client.
newbie
Activity: 28
Merit: 0
June 19, 2011, 08:03:37 PM
#3
Here you have a log of all Mt. Gox trades between 19:15:36 and 20:13:51 (GMT +2). Maybe it's useful in some way.
The file was produced by the debug output from some of my monitoring tools.

https://rapidshare.com/files/624965338/history.txt
hero member
Activity: 630
Merit: 500
Posts: 69
June 19, 2011, 07:53:53 PM
#2
I love it, Bitcoins are the most non-anonymous form of currency, however I still like it more than cash.
newbie
Activity: 9
Merit: 0
June 19, 2011, 07:43:39 PM
#1
I was interested to see how the perpetrators of the Mt. Gox hack would try to hide the money. Since every transaction is publicly visible, you really can't. It's not possible to get the BTC back, but you can try to figure out where it ended up. This is what I found.

Here's a suspicious looking set of transactions:

http://blockexplorer.com/tx/84f96975ea88d317676771a482c71f39ff53beda790c89c07ae82e427b4d090f
(can anyone confirm that the timestamp is about the time of the hack? This transaction would have happened very close to the moment BTC went to US$.01)

Here's the history of the receiving address:

http://blockexplorer.com/address/18T3AFPJ2sTu6ti7gGj5x52uzJNmVFw9y9

Most of the BTC were sent to:

http://blockexplorer.com/address/1LceqX2YsnmuhfkUePV6M2hJP9zMoWphn

Keep following the chain like this and the BTC is broken up into 50K chunks. It's fairly easy to follow the money all the way to the end of the chain and get a fairly small set of addresses where it ended up. I'd publish all of the addresses from this chain of transactions, but some of the chains have already been extended.

It would also be interesting to search Google and all bitcoin forums for the addresses in these transactions.

Is it possible to write a quick mod to the client that will refuse transactions rooted in the transaction listed above? Or maybe start a new block chain that accepts transfers from the current chain, but excludes BTC originating from that transaction?
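
The forward trace described in the first post, and the "rooted in" check it asks about, sketched as an added example that is not part of the original post or of any Bitcoin client. The ledger, transaction ids, addresses and amounts are constructed, and a transaction is treated as tainted if any one of its inputs descends from the root (an assumption).

```python
from collections import deque

# Constructed sample ledger (not real chain data). txid -> inputs and outputs.
# An input is (prev_txid, output_index); an output is (address, amount_btc).
LEDGER = {
    "tx_root":  {"inputs": [], "outputs": [("addr_recv", 150000)]},
    "tx_clean": {"inputs": [], "outputs": [("addr_other", 10000)]},
    "tx_a": {"inputs": [("tx_root", 0)],
             "outputs": [("addr_hop", 140000), ("addr_side", 10000)]},
    "tx_b": {"inputs": [("tx_a", 0)],
             "outputs": [("addr_c1", 50000), ("addr_c2", 50000), ("addr_c3", 40000)]},
    "tx_c": {"inputs": [("tx_b", 0), ("tx_clean", 0)],
             "outputs": [("addr_mix", 60000)]},
}


def build_spend_index(ledger):
    """Map each spent outpoint (txid, index) to the txid that spends it."""
    return {outpoint: txid
            for txid, tx in ledger.items()
            for outpoint in tx["inputs"]}


def trace_descendants(ledger, root_txid):
    """Follow root_txid's outputs forward. Returns (tainted_txids, endpoints):
    every transaction with an input descending from the root, and the unspent
    outputs where the trail ends, as {(txid, index): (address, amount)}."""
    spent_by = build_spend_index(ledger)
    tainted, endpoints = {root_txid}, {}
    queue = deque([root_txid])
    while queue:
        txid = queue.popleft()
        for index, (address, amount) in enumerate(ledger[txid]["outputs"]):
            spender = spent_by.get((txid, index))
            if spender is None:
                endpoints[(txid, index)] = (address, amount)  # trail ends here
            elif spender not in tainted:
                tainted.add(spender)
                queue.append(spender)
    return tainted, endpoints


def is_rooted_in(ledger, txid, root_txid):
    """The check the post asks about: does txid descend from root_txid?"""
    return txid in trace_descendants(ledger, root_txid)[0]
```

In this sample the endpoints total 160000 against 150000 at the root, because `tx_c` also spends an unrelated input: a rule keyed on descent alone flags those coins as well.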

