Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Bitcoin Discussion
Re: Bitcoinica MtGox account compromised
by
jcp
on 13/07/2012, 14:55:59 UTC
Occam's Razor says some shady stuff is going down.

It's fairly obvious that the money should've been returned to bitcoinica deposit clients a long time ago. It doesn't take this long to verify account information. Zhoutong's passive aggressive missives on this board shows that there might be something weird going down behind the scenes.

Currently we have no clear indication of who the owners are, I believe in the interest of transparency, the ownership structure as well as all roles of individuals involved for Bitcoinica should be made clear. This has near-zero security implications, and people holding balances are owed that much after this security breach.

Quite frankly, unless the ownership structure is made clear, there is a non-zero probability that non-principals that are involved may be unwitting accomplices to a scam. Assuming Zhoutong is an independent actor, he should ask himself whether he received payment for selling full equity where assets are strip-mined and stolen after transfer of the equity stake -- I'd be especially curious if he received a payment relative to the NPV seems a little too good to be true (unless of course, he did not realize that client funds were to be stolen upon ownership transfer). Assuming genjix / Bitcoin Consultancy et al are independent actors, they should be asking hard questions about their relative independent agency with regards to payment distribution and the worth of their association with this and the material risk if the owner is scamming them.

Storing your lastpass password as an API key in plaintext is beyond bizarre, no one in their right mind would do such a thing. This isn't SQL injection level incompetence we're talking about here, that happens all the time. Using an incredibly important password that gives access to all your online account and placing it in a plain-text API key is a poor excuse and isn't plausible at all.

Last bit of advice: Bitcoinica should put all their USD deposits in a real bank account, with real bankers. You have enough funds to have a personal relationship with a banker that will give you a courtesy call when large withdrawals are made. Mt Gox should consider locking all accounts even remotely associated with Bitcoinica. If they have more funds in other mtgox accounts, they should be locked due to material risks of bitcoinica ownership not acting in good faith.

Waiting far too long to return money plus now a claimed hacking with partial default implies that they needed time to transfer money elsewhere. This is a very serious accusation, but until we have a clear picture on why it is taking so long, who the owners are, and the bizarre use of a master password as a plaintext API key, Occam's Razor says the odds of the owner acting in good faith is not perfect.