Board: Service Discussion
Re: Public STATEMENT Regarding Bitcoinica account hack at MtGox
by LightRider on 26/07/2012, 04:46:54 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* On Friday, July 13 I was notified by MtGox that somebody had gained unauthorized access to Bitcoinica's MtGox account. I was also notified that most of the redeemable codes used in the heist were exchanged through AurumXchange on July 12.
* At the time I was on an extended weekend vacation with very limited internet access. I immediately notified Mark Karpeles at MtGox as well as Charlie Shrem at Bitinstant that I would take a closer examination of the situation on Tuesday upon my return.
* Upon closer examination of our database on Tuesday, I discovered that the hacker had indeed exchanged the MtGox coupons to Liberty Reserve through our instant exchange facility. The hacker had also exchanged Liberty Reserve back to MtGox presumably in an effort to conceal and/or "launder" the funds.
* Overall, the hacker exchanged a total of $61,875 USD from MtGox to Liberty Reserve, and a total of $17,500 Liberty Reserve to MtGox, for a grand total of $44,375 MtGox to Liberty Reserve. After our fees, this number amounts to approximately $40,000 USD.
* These orders were placed on our systems between 2012-07-12 11:46:48 and 2012-07-12 19:41:27 UTC.
* The IP addresses used by the hacker belong to TOR exit nodes to my understanding, and are as follows:

31.172.30.1
31.172.30.2
31.172.30.4
77.247.181.165
146.164.91.248
78.108.63.44

* The Liberty Reserve account used by the hacker is U9236056.
* The email address used by the hacker was stevejobs807@gmail.com.
* To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.
* This order was placed the day after the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.
* This information was immediately sent to our two biggest trusted business partners: MtGox and Bitinstant in an effort to join forces to further investigate this situation.
* Mark Karpeles indicated that there was an account opened at MtGox using the email stevejobs807@gmail.com sometime in 2011.
* Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location, that the email stevejobs807@gmail.com has been verified, and that ALL activity on this account is linked to the MtGox account belonging to Zhou Tong.
* Mark has also indicated that the very first operation on the MtGox account opened with email stevejobs807@gmail.com was the redeeming of a 10 BTC MtGox code generated from Zhou Tong's account.
* Charlie indicated that Erik Vorhees (a well known member of this community) has emails he exchanged with Zhou using the email address stevejobs807@gmail.com.

At this time, it appears that there is an overwhelming amount of evidence linking Zhou Tong personally to the Bitcoinica account hack at MtGox. Our legal department has advised us to freeze the funds for the exchange order mentioned above until further investigation by the authorities and/or legal proceedings are concluded.

Both Charlie and Mark have informed the current Bitcoinica owners of the situation and advised them to start legal proceedings as soon as possible.

Posts corroborating this information from both MtGox and BitInstant will follow. I am technically on vacation until mid-August with limited internet access; however, I will attempt to answer any questions the community might have as often as possible. Please understand that some information will not be released until all legal proceedings have been concluded.

Sincerely,

Roberto Gutierrez
General Manager
The AurumXchange Company
https://www.aurumxchange.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG

-----END PGP SIGNATURE-----


As representative of MtGox, I do confirm the following facts:

  • Upon the hack of Bitcoinica's account on our platform, a large number of redeemable codes were issued. Seeing a large volume of codes emitted by Bitcoinica didn't alert us at first, as we assumed those were funds returned to Bitcoinica customers; however, we were made aware that this was not the case when Genjix posted on this forum about the account hack. We noticed that most of those codes were sent to AurumXchange.
  • Codes were all generated from IP 184.22.31.180 (184-22-31-180.static.hostnoc.net).
  • During the investigation, AurumXchange asked us if we knew anything about the email address stevejobs807@gmail.com, which was used by the hacker according to AurumXchange. We found an account under this email which had some activity back in 2011, with access only from an IP at Microsoft Singapore, and whose initial funds were deposited from an account known to belong to Zhou Tong.
While we have no definitive proof at this time, there is a definitive need for a proper investigation of what happened there. We have received no reply to date from Bitcoinica LP and its representatives/owners regarding this matter despite many requests.


We would like to make a few points:

  • I want to thank Roberto for leading the investigation on this one with Mark and myself. We pooled together our resources to connect the dots and the paper trail. This just shows that even competitors can work together for the good of the Bitcoin community.
  • I can confirm that both Tihan from Bitcoinica LP and Patrick from Bitcoin Consultancy were alerted about this investigation personally, face-to-face, by me. I urged them to seek legal action and request clarification from Zhou. I also requested that they deny him further access to any funds in any of the accounts.
  • Both assured me separately that action is being taken on this front and on the claims front. They assured me that the claims process will continue pending legal clarifications.
  • As you can imagine, we had to keep this information to ourselves for 10 days or so until we could completely verify all the information we presented here.

As more information comes to light and is verified, we will release it to you as soon as possible.

Thanks,

Charlie, Bitinstant.

Wow.

How long until Zhou claims gmail account hack?

I'm gathering some information and a statement will be posted soon.

stevejobs807@gmail.com was indeed my email account, used for anonymous testing purposes; however, I haven't been using it for a long time. I'm logging in to the account to check the suspicious activity and I'll post relevant details as well.

The $40,000 I exchanged at AurumXchange was indeed from a friend. Later I can also post proof that I exchanged another $30,000 at other exchanges during the same period. The total amount far exceeds the stolen amount claimed in the OP. My own Liberty Reserve account number is U7097615.

My email stevejobs807@gmail.com was last accessed from 62.113.219.5 on July 13. The password has not been changed by the hacker (but I have changed it just now).

There was an auto-forwarding to ryan@xwaylab.com (which is another email address of mine). However it has been changed to bitcoinicasucks@hotmail.com (which is the email that was used to send the "Bitcoinica is done" email to verify@bitcoinica.com). Of course I couldn't be notified about any email since the change.

The email account had a heavily reused password (for the sites on which I don't intend to share any private data); *at least* it was used on LinkedIn and many other websites.

I have several email communications between stevejobs807@gmail and other email accounts controlled by me, including a testing ticket for Bitcoinica's ZenDesk trial. The email address has never been publicised.

Important discovery in recent emails (all times are in UTC+8):

The hacker registered a Liberty Reserve account U9236056 on Jul 12, 2012 9:42 PM.

There were several emails from Liberty Reserve mentioning "Verification PIN". It can be seen that the Liberty Reserve account was accessed by at least: 78.108.63.44, 212.84.206.250 and 31.172.30.1.

There were many transactions done at F1ex.com, possibly used to launder Bitcoin. (I checked just now, F1ex.com provides anonymous fixed-rate BTC exchange service.)

The hacker signed up for OKPAY, with IP 31.172.30.1.

The hacker requested a sell-order on AurumXchange, totalling $5000, using the suspicious Liberty Reserve account mentioned by OP. A Chinese bank account was used (Account name: LIU HAIPENG, Account number: 6222020903006086032, Bank: INDUSTRIAL AND COMMERCIAL BANK OF CHINA).

Order link: https://www.aurumxchange.com/order/view/34011/e5b466248e041ebdf2ae793181a840dc

The hacker has also opened a ticket under his own name: https://www.aurumxchange.com/help/ticket.php?track=NLY-9AG-E468&Refresh=24195

He mentioned that I sold him the Mt. Gox codes at half price, which is absolutely not true. It seems that the hacker was trying to relate this event to me as an individual, and this possibly explains the reason that he wanted to "hijack" the email account. All my other email accounts did not have any suspicious access records and their passwords are all secure and different.

This is my *own* genuine transaction at AurumXchange: https://www.aurumxchange.com/order/view/33100/3c05a9a572379bf91620302cc9dd7d22

And my ticket to question the funds: https://www.aurumxchange.com/help/ticket.php?track=J6W-EY3-ZY2U&Refresh=47091

It's important to note that the first time I gained any knowledge about the email being misused is through this thread. Neither AurumXchange nor Mt. Gox has provided me any specific information about the suspicion. Otherwise I could have checked that email account earlier.

I'm willing to co-operate with any ongoing investigation and obviously I'm not trying to run away from this. I have already provided Mt. Gox with a certified copy of my passport in an attempt to unlock my account, which has some Bitcoin balance.


Not long at all!

I have located a suspect, his name is 陈建海(Chen Jianhai). He's NOT my friend and we have never met in person. He was one of my previous business associates because he's very familiar with credit card fraud and he advised me a lot (in terms of fraud prevention, of course) when I built my virtual goods payment processor in late 2010.

He has knowledge of my secret Gmail address, and I once reused the password in his web shop.

His English is not very proficient and I'm sure that he's not reading this forum at the moment. I'm giving him a call now to persuade him to admit his wrong-doing and return the funds.

I'll post another thread soon.

An interesting development.