OMG the irony is unbearable.

and, according to the reports from the week before, tux had moved the vast majority of deposited BTC's "offline" before the attack (~400K, I believe - there were a bunch of threads about the huge BTC transaction in the block chain).  So any attack withdrawal would have been limited at most to the BTC's that were not moved offline.  I assume that would have been some small percentage based on a calculation of the average daily withdrawals.

it's also not clear yet that the 250K BTC on mtgox were actually "real".  plausible (likely?) that they were created out of whole cloth in the mtgox database by the attackers (UPDATE account_table SET btc_balance=500000 WHERE USER_ID=schmucko)

see original thread:  http://forum.bitcoin.org/index.php?topic=20437.0

heh. merely a prediction.

MtGox will revert his 250k purchase, Kevin will keep the 600 withdrawn, and MtGox will take Kevin's $3000 from rollback as collateral.  Kevin makes out with 600 BTC at market price - $3000.  $5/BTC to break-even.

Random User w/ SQL Injection appears the most probable.  Answers the obvious question of why the hell would anyone keep 500,000 BTC on mtgox: they wouldn't.  the "BTC" were likely created out of thin air via malicious SQL statement.

Thank you for posting.  The theory seems credible and is, at the least, a very interesting read.

Question: what was the purpose of https://mtgox.com/claim ?

Looks like there are changes to the API in the works as well:

https://support.mtgox.com/entries/20208658-changes-to-the-api

perhaps the 500,000 BTC were transferred in from the stolen wallet files obtained via the trojan that's been circulating?  Not sure that makes total sense, but it might explain why someone with 500,000 BTC would have them all in mtgox.

Atlas, given your stance on property rights, I think you would have to agree that as soon as someone cedes control of their property (be it USD or BTC) they must live by the whim of the controller.

If MtGox decides to keep your BTC and/or your USD, sucks to be you.  Caveat Emptor.

Your world view is (a) juvenile and (b) boring.

I actually think Kevin's story makes some sense.  I still think he should return the BTC he withdrew (or forfeit the $3000 and all remaining BTC in account to cover the loss, which, as he claims, is probably worth close to $10,000 at market prices).

Kevin says (1) he has a higher withdraw limit than $1000 and (2) he withdrew around 600 BTC.  It is true that his post implies that his limit was at $1000 when he withdrew, but I don't think that's actually the case and I don't think that he meant to imply that.  Many on the forums have claimed that the BTC withdrawal is based on a 24-hr rolling average (people who claim to have hit this limit themselves, presumably when trying to withdraw during recent volatile periods) and not on the current market price.  At that point the 24-hr rolling average was apparently around $4.5, which would have allowed a maximum withdrawal of around 200 BTC per $1000 allowed.  600 BTC withdrawal, then, aligns with a roughly $3000 withdrawal limit.  I think perhaps he assumed that the limit was based on $0.01, but was in fact wrong about that.

But, like I said, I still think he has no claim to profit on the buy-side of a fraudulent sell order.

the entire mtgox user database was compromised.  it is very likely that the attackers had their choice of accounts and found the one with the largest balance.

the input to the large transaction came entirely from the other large mtgox transaction of June 12th, which Tux explained at the time as being a security move to put majority of mtgox BTCs offline.  So we can be fairly confident the transfer was from MtGox offline storage.  Also, based on the numbers the full offline balance was moved.  So that makes sense.  I don't believe those BTC were available for withdrawal from mtgox.  For example, when I withdrew from mtgox a few days ago (spooked about increasing account compromise reports), the trx inputs were from 5 separate addresses.  I assume those are the online accounts and are the ones available for withdrawal, subject to daily limit.  I think it actually makes a lot of sense that he would re-secure the 400,000 offline BTC storage first thing when he woke up - before logging into IRC - even if he wasn't yet sure if an attack was in progress.

The way they'll have to deal with this is not roll back the buy-side of a transaction if it was withdrawn.  Roll back the sell-side and cover the difference.  I.e., if market price is 17 and you bought at 12, MTGOX will have to refund the BTC to the rolled-back seller from the MtGox stash or, if stash is too small, add $5 per BTC to your $12 per and buy them back on the open market then refund to seller.

No doubt some buyers withdrew, but if it isn't a huge percentage then MtGox should be fine to cover the loss from the fees its collected so far.  But we'll see what actually happens...

Open source GPG encryption tools for Mac OS are available here: http://macgpg.sourceforge.net/

But don't these tools still leave you vulnerable while you're running the bitcoin client (because client requires unencrypted wallet.dat)?

merchants will likely convert BTC to local currency instantly at the time of the transaction.  i expect there are and will be services that provide instant conversion services for these types of merchants, which would reduce, if not eliminate, the investment risk merchants have to assume in order to accept BTC.

Hi and +1 post

Agree - your friend should find a lawyer to address general legal issues related to running a small webshop.  BTC or no.

good point. and in bitcoin the fee is optional.  but I assume the market will set a price based on supply/demand of transaction processors.

Of course, but they're also born by the seller in lost profits from customers that drop out at the margin.  i admit it's been a long time since econ 101 though.