Showing 20 of 49 results by unixdude
Post
Topic
Board Service Discussion
Re: BitMarket.Eu has closed down
by
unixdude
on 23/03/2025, 16:42:04 UTC
I don't visit this site regularly any more since the theft and I've just seen this post - I've emailed you at that address I look forward to you sending my stolen bitcoin in full.
Though you have replied to him after about 4 years, let's be hopeful that he will reply and maybe get you a refund. If they were serious about refunds then they should have made a huge announcement and a big campaign to notify the victims vs just replying in this thread where people take so long to revisit or even just completely forget.

Yeah I'm not holding my breath - haven't had any response to my email.

So he's still a piece of **** and a thief.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu has closed down
by
unixdude
on 03/03/2025, 15:55:23 UTC
Hello everyone,

First of all I want to say we're terribly sorry that you had to wait so long for us to come through. While unfortunately the BTC from the exchange were never fully recovered, over the years we finally did manage to secure (hopefully) enough funds to reimburse the users as was initially promised - using the account value from the day the exchange closed down.

We've already started emailing everyone who had accounts on the exchange to let them know about this, but this process will take some time, plus I've already had a few emails bounce back because the accounts no longer exist or due to anti-spam measures. If you had a Bitmarket.eu account with a non-zero balance when it closed please reach out to us at bitmarketreimbursements@gmail.com with a cryptocurrency address where you'd like us to send your reimbursement. If you're using a different email address than the one registered on the exchange please also send the username you used along with the exact balance the account held.

It does not matter whether you've already partially received your refunds (most people who we managed to get in contact before received up to 40% of their refunds already), please consider that an interest over all those years we failed to repay you.

There is no catch to this, we just want to finally set the matters straight and return the money to our users who trusted us with their funds, the trust we ultimately betrayed. Everyone please accept our apologies that this took so long.

I don't visit this site regularly any more since the theft and I've just seen this post - I've emailed you at that address I look forward to you sending my stolen bitcoin in full.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu has closed down
by
unixdude
on 10/04/2021, 23:52:13 UTC
Just revisiting this old thread - if it wasn't for that scammer who stole 50 BTC from me I would be a millionaire now :) - I never saw a penny from him.

Why has the guy not been given a scammer tag yet or banned?
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 07/03/2013, 07:42:27 UTC
Suing this and suing that, yes it is a wonderful tool and lawyers love it but there is just one catch. Whoever gets sued must have assets. A car where the value is defined by weight (scrap metal) and a webpage is most likely the only two things found to be in his name. No fixed job either, so what's left court appointed debt collector, yeh nice and good, but what u do when he moves residence? of course you win again and Greece authorities will collect as happy as Polish, but heck it takes a lot of energy. after all its an individual able to move at any time not like a multinational company with factories and offices and patents. court appointed collection is all nice and good, but first u have to PROVE he owes u something. i can prove that i sent a total of 900 pounds to various people for btc payment and provide a screenshot of my login side showing the account balance 0 BTC (0 BTC frozen, 110.9 BTC on hold). so i might be able to "prove" more than most others, but its not proving anything real.
I am eagerly awaiting to see what the police response will be when they call back in a couple of days time.
One thing i do know no lawyer will see an iota of my money to chase this ill investment. Depending how much value i put on 1 hour of my life one could argue the loss just grows with every line written, read and time spent....

maybe we should sue the satoshi guy too whilst we at it. maybe the whole bitcoin thing is just an elaborate get rich scheme Smiley

No ones talking about suing anyone.

We are talking about reporting an admitted thief and fraudster to the police as he has committed a crime and it is as simple as that - doesn't cost you anything to do that and takes less than 15 mins. I don't know if the police will act or not or how long it takes for them to act but at least I'm not condoning his actions like a lot of people are, as if what he did was somehow not a crime and "poor M4v3R he has no job blah blah he can't pay blah blah". The guy has money, the guy has assets and he should have thought about all this before he decided to take the coins for his own purposes.


The PROOF is already there and his admission of guilt.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 06/03/2013, 20:21:04 UTC
I've reported him for fraud and theft this morning and I am awaiting a call from the police in the coming days to get more information from me.
Well done. Do you happen to know M4v3R's postal address, or did you just state his name, country and photograph? Edit: Did you report him to the Polish police or the police of your country?

So, good luck and keep us updated! As far as the police thing is concerned, they will simply not do anything at all because there is no "public interest".
Probably yes as long it is only one case. However things may look differently, if several people file a police report. And even if they do not pursue the case any further, M4v3R's name will from now on be on records.

I don't have a postal address on him yet but I am working on it - quite easy to find information on him on line so shouldn't take long.

If you have the resources you could get the ISP he was using to give you his details via a court order. I believe this was more than likely him, either using a genuine Mac or a hackintosh to connect to the admin page of the site:

83.26.40.6 - - [14/Feb/2013:11:32:12 +0400] "GET /adminer-iuqgs124.php?server=localhost&username=bitmarket&db=bitmarket&sql= HTTP/1.1" 200 3489 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17"

I reported him to the met police in the UK.

He needs to learn a valuable lesson and so far he seems to have walked off without suffering any consequences for his actions. I don't know if the police will act or not but the more people that report him the better. Hopefully someone from his native country was a victim and reports him to the Polish police, who will be in a position to act much quicker.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 06/03/2013, 07:55:03 UTC
-Can bitmarket-admin confirm, that he owes me 47,6258 bitcoins? (My username at bitmarket.eu is fluppisippi.)

Please note though that since Bitmarket is not a bank, we don't have any insurances against theft or other unpredicted losses of Bitcoin. While legally I don't think I owe you any Bitcoins (as per mralbi said), I feel morally obliged to return them to all users that had them stolen, that's why you will receive them back after we gather necessary funds. They will get the same treatment as the "on hold" ones from the previous loss, possibly with one exception - they will be probably reimbursed first.

-To which bitcoinaddress(es) were the latest 620 stolen bitcoins sent? (Maybe bitmarket-admin already told us, but I could not find it)

As someone already said before, the address and all necessary information was already posted before. The address that was used for the theft is:

http://blockchain.info/pl/address/1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49

Also, I don't really feel posting my postal address to some random guy on the internet, even if I owe virtual currency for him. Bitmarket investors will know my personal information and that's sufficient.

This might be relevant for people in the UK and other EU countries thinking about taking the previous owner to court. You may not get all your coins back or their monetary value, but if you just want to see him suffer the consequences of his actions it might be worth it:

http://www.findlaw.co.uk/law/dispute_resolution/litigation/basics/500437.html

I've reported him for fraud and theft this morning and I am awaiting a call from the police in the coming days to get more information from me.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 28/02/2013, 21:45:35 UTC
That's why I don't want to be an investor - I just want guarantees that over X period of time they will make regular payments to me for the bit-coins that the initial owner stole.  I have no interest in being an investor.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 28/02/2013, 21:14:04 UTC
No offense taken. I am still involved because it's the best way in the short-term to go forward. I know the site, the code and whole operations. After the investor group take back the site, I will not be involved anymore, but for the time being, there is no other way really if we want things to proceed in a timely manner.

Please rest assured that I will not have any access to people's Bitcoins at any point from now on.

What guarantees do you have that I will not disappear? Well, it's hard for me to imagine such guarantee. One thing is I didn't do it already, even in the event of latest hack, and I'm not going to.

Apart from a professional network manager that is looking in to server security right now, there will be security audits/penetration tests done by independent third party company, as soon as the new site is ready to launch.

Another question what qualifies this network manager to perform an internal security audit? Is he recognised by any professional bodies?

i.e. does he have any of the following certifications and been working in the industry for over 5 years as a minimum, preferably 10, with at least one enterprise level company?

CISA

CISM

CISSP

GIAC

Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 28/02/2013, 20:54:46 UTC
I just finished sending update emails. Each creditor should receive today a detailed information about the current situation, our near future plans and an update regarding reimbursement of his funds (based on questionnaire answer we received from this user). In two weeks we plan an "official" investor meeting in Helsinki, Finland, on which we'll discuss in details how to move on. Anyone who wants to become an active investor in the project is welcome to participate. For details, please contact Martin (mralbi).

No offence, I have a few simple questions:

Why are you still involved with the site going forward?  - you being associated with the site just tarnishes the whole thing.

If there are plans for you to be completely removed from having access even at an operational level when will those take effect? - no offence I would not be comfortable with you having access to the server the site runs on.

What guarantees do we have that you will not disappear should people wish to take legal action against you as an individual?

Will the new owners get an actual reputable company in to audit your code and current infrastructure to deem how secure it is?

Will regular pen tests be run by a reputable vendor going forward?
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 27/02/2013, 17:25:48 UTC
I am waiting to see how this unfolds. The recent theft of coins is due to negligence of the owner and not even using basic security procedures for the site - you never have phpmyadmin open to the world, at least lock it down to your own ip address or better still use a vpn and connect to the LAN of your server that way to admin the database. The initial theft of coins again down to the admin who stole the coins in a very real sense.

If a satisfactory solution is not found where I am able to get all my lost coins back I may pursue the legal route - I may not get anything back but at least  he learns an important lesson and hopefully serves a prison term.

I noticed he uses a Mac for development from the web logs so I'm calling dibs on that when it is sold :P

Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 22/02/2013, 21:30:07 UTC
Quote
It takes more than that to create a secure exchange let alone a secure site. If you want some advice I can more than likely get a certified security auditor to come on and detail you a list of requirements. As the exchange should be regarded as a financial institution although it doesn't handle credit cards or debit card transactions it should still be as secure as a site that does and to put it nicely having a php website with a mysql database which sits on the same server as the web application, with poorly implemented iptables and a phpmyadmin page open to the world doesn't really scream I am secure to me. Not to mention the person who essentially stole 17k bitcoins initially is still involved with the site - If I saw all that I wouldn't touch it with a pole.
So in other words not bitmarket.eu is dead but bitcoins because let's face it no exchange would pass. This is exactly why it can be one opportunity to move away from the shenanigans the whole bitcoin environment is in. As it stands it's only a matter of time before the next shifty move is uncovered, minor or major. it's about as buggy as any microsoft code, the moment u fix one hole another pops up, yet bitcoin rises and rises.


It's not dead, it just means there is a big opportunity there for people who have the knowledge and money to invest to create an actual secure market for trades. Anything connected to the internet can be hacked, it is all about mitigating the risk against it. My personal opinion is the exchanges need to have oversight by a body similar to the PCI Security Standards Council and actually be accountable to someone and face penalties for shoddy security practices. At the very least these exchanges should perform security audits by approved ISAs and have regular site scans done by an ASV such as Qualys. Until this is done I seriously doubt any sort of mass acceptance of bitcoin by large merchants.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 22/02/2013, 17:14:39 UTC
Quote
My personal opinion is, that we should not try to earn back the money with fees. If the fees are too high people would simply use MtGox or other sites.
Fully agree, it must stay competitive

Quote
We only have a chance when we can develop something new and unique
yes move the bitcoin environment out of shonky backyard operators and create the only exchange u can trust. maybe three level security, like hot wallet, cold storage, and "deep" cold storage where it would need, say 5 people to cross-sign to access (if technically possible).

New features must be the core of a revived site as well as ongoing development, unlike before, a stagnant site hoping someone signs up.
It takes more than that to create a secure exchange :) let alone a secure site. If you want some advice I can more than likely get a certified security auditor to come on and detail you a list of requirements. As the exchange should be regarded as a financial institution although it doesn't handle credit cards or debit card transactions it should still be as secure as a site that does and to put it nicely having a php website with a mysql database which sits on the same server as the web application, with poorly implemented iptables and a phpmyadmin page open to the world doesn't really scream I am secure to me. Not to mention the person who essentially stole 17k bitcoins initially is still involved with the site - If I saw all that I wouldn't touch it with a pole.
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 17/02/2013, 13:41:16 UTC
this was written before the latest events so it was effectively outdated before it was finished.
anyway i decided to post it.


here is a draft solution to get everyone 100% of the on hold bitcoins back at a fixed price of the 21.12.2012 date, over a time frame of 7 years. of course it would need cooperation of all members and the owner. The owner/operator has got the choice, class action lawsuit and bankruptcy or investing in the company and working his arse off to earn some decent money in the future. As it stands everyone can expect very little in financial return if the site is liquidated, only the satisfaction of sending him to the gulags. He seems to have done alright with the coding just take away the business side from him.

The biggest stumbling block is COOPERATION


So here it is:
   current operator take out bank loan for 30% of all bitcoins on hold at a fixed 21.12.2012 price (not live price) and releases them  (21.12.2012 is the date the coins got put on hold, i think) . The remaining 70% stay on hold. If he needs help and can not get a bank loan there is such a thing as community loans, family, friends, private investors..... also there is some return from bitcoinica.

   current owner keeps only access to hot wallet to perform admin duties and different members hold and manage the cold storage (as long as it is out of his hands and spread to different locations it is as safe as possible).
   
   all members accept 100% return of all on “Hold” bitcoins at fixed 21.12.2012 price per coin and form some sort of share company the size of the share depends on the number of coins he has on hold (total about 20000). if someone is not happy with being part owner (does not trust himself, needs some money instantly....) he can sell his share immediately or at any time. It's fair to say that at the beginning the price would be very low. I am equally sure that there would be people eagerly interested to buy the coins (shares) way below market value, but the coins (share) come with some strings attached. After all a share could be worth way more than 100% at some time in future.

   every year, for the next 7 years 10% of the on hold coins become available (at the 21.12.2012 fixed price) to everyone, distributed to the number of bitcoins they hold on “hold”, funded from the fees from the previous year. the case is not if the people will come back to the site, they are there but have the coins on hold and can't trade. also anyone not selling straight away is locked in so to speak to trade, promote, promote, promote, buy, sell on the site. So why trade somewhere else if i pay the fees in the own company.
yes it requires somewhere in the vicinity of 5 million transactions a year and would run a loss in the first year(s). A loss (the site not achieving the targeted number of trades) simply means that it would be deducted from the released coins and not investment of new capital.
mtgox trades over 2 million bitcoins a month. What was Mtgox’s volume 2 years ago, what will it be in 2 years time?
With the exception of the operator (loan and implementation of new features, p2p on website and Android, iPhone app....) no one else invests any new money and only max. 70% of the on hold coins are at risk of being lost. The risk will be, if the site is profitable in the long term and makes some decent money. What's needed is new users and hordes of them.
Depending how many believe that bitcoins are ready for the next step, being widespread accepted as a peer to peer payment option, the number of trades required is small if the ball gets rolling. Only trading with the bitcoins, it is impossible to achieve, it needs the implementation of p2p transaction service and smartphone apps (to pay my hotel/hostel room, my meal, any gadget.......a simple scan with the phone bitcoins transferred done).

Summary: potentially full 100% of the bitcoins everybody gets back, but not at a live price and over 7 years time span. Live price is simply not possible at the current price.
Let's say i have 100 on hold at a price of 10 euro. So 300 euro worth of coins (30% of 21.12.2012 price, not 30 bitcoins) would be released immediately, the other 70% remain on hold. after then every year 100 euro worth of coins (10% of 21.12.2012 price, not 10 bitcoins) become available.
If the price in 7 years time is at 100 euro per bitcoin 1 bitcoin is credited to the account.
If the price in 7 years time is at 2 euro per bitcoin then 50 bitcoins are credited to the account.
Effectively about 20000 shares at about 10 euro each at start and start capital roughly 60000.

The idea is that the company make a profit as well by then not just give us the money back.
I know it is not possible to please everybody, but a possible 100% return of an investment of an insolvent company with no new money put in (only owners loan) is a good start.

Widespread cooperation is the achilles heel, also his Android Iphone coding skills would need to be verified.
This is a quick thought with a lot of room for improvements to save as many of the gambled coins as possible.
I can see no criminal intent as far as i can tell he never tried to hide, its a case of youth inexperience and plain old greed. Having no business plan in place,  in order to get “paid” for the work deceits to gamble.

Official liquidation is about 6% from 21.12.2012 date, or?

Again, this possible solution was thought up before the latest events.

Latest hack seems inside job, how many coins does his ex partner have on hold?


I don't think the biggest stumbling block is cooperation, it's security and that the current owner is an admitted scammer where the original loss of coins was down to him using bitmarket users' funds to help his own gambling habit (just because he came out and owned up to it doesn't mean he didn't commit theft - he did and for all we know he has those coins as he hasn't provided proof to the contrary). Due to those actions and this latest hack where I believe he stole the coins purely based on his past actions (I have zero reason to put any sort of faith in him) bitmarket is dead. The chance anyone has of getting anything substantial back is low and this self admitted "scammer" will get off without any repercussions like the rest have so far. Take the losses and move on.

We can say all we want about him taking out loans to pay people back but who in reality would do that? - no one, he will walk off and  my guess is cash in his haul of coins in small amounts now or at a much later date ( again he has provided no proof that he doesn't have the coins as someone in a previous post suggested).

I'm not angry but annoyed and  just being a realist.

None of these exchanges are secure you can never be fully protected from hackers all you can do is mitigate against the risks and that costs money. I doubt any of these exchanges have invested anything remotely required to a standard where institutions which handle financial transactions should. You can probably get evidence of this by asking them to fill out a standard infosec questionnaire which most third parties have to fill out when they are doing business with companies who handle sensitive data or data which falls in to PCI scope.

Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 17/02/2013, 12:52:21 UTC
You are only safe from hacking as long as you are not targeted.

Bitmarket is dead unless you do all of the following:

A - post bitcoinica transfers and any information available to how the original 3000 btc disappeared

(if you don't people will rightfully see you no1 suspect)

B - take out a loan at a bank / friends / family / boss to recover the latest 600 missing btc

(if you don't, you will lose MrAlbi and other investors because you cannot ask anyone for such a leap of faith,
the latest story sounds very fishy, just like bitcoinica being hacked over and over again, and we all learned yes - lightning does
strike the same spot twice, or even three times)

C - convince investors to move forward with restructuring/investment plans

D - do not reopen bitmarket until other experts and you have looked at bitmarket code for loopholes and you know exactly what caused
the latest hack

E - post information on progress at each of the steps, at least daily

In BTC other case, run everyone and get your lawyers ready.

Always option F send a few Polish guys around and physically recover the losses :P - joking
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 17/02/2013, 08:17:40 UTC
Why was there 600 in a hot wallet? Without cold storage you always take a big risk.

It went up to 600 very quickly. And I didn't want to move any coins offline because at this stage, if people couldn't withdraw for any reason, they would be very nervous (it already happened once).

After the transition it would be the case - ~90% in cold storage and 10% for daily operations. I'm even considering encrypting the private keys with user password, so the attacker can't just use them without user's credentials.

[Added on 17.02.2013, 08:10]

Details about the hack follows:

On February 14th, 01:17:21 GMT+1, the attacker approached website's MySQL administration console, which can be seen on the log below:

Code:
178.177.206.245 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The IP address 178.177.206.245 was used throughout the hack, and wasn't used on the site before. It does not look like a proxy server, and the address comes from Moscow, Russia. The script, which is a well known MySQL administration toolkit, was located at a randomly chosen (by me) filename (adminer-[eight random chars].php). The logs don't show any signs of guessing, he knew this filename somehow (more on this later).

Knowing the script's filename is not enough, because you still have to know the MySQL credentials. They are stored only in one place, in a config.php file, accessible only to website scripts. The password was 16 characters long and random: cVPzBh54N6bfdbmb (I've already changed it). Yet, the attacker somehow, again, without guessing, logged in to the console without a problem.

Having writeable access to the whole database he could do whatever he wanted really. He adjusted his account's record with new 'bitcoins' figure, and then even made a fictional transaction to point at his account (this was sloppy though, because he changed an existing one from last year, which was standing out, because this transaction seemed to be made before he even registered).

Then, he proceeded to the site itself. According to my logs, this is how it went:
- First, he tried to login to mralbi's account with a password that was supposedly leaked a year ago from other site. He failed at this.
- Then, he tried to access sonba's account (another high-profile user of Bitmarket, also known on the forums). He succeeded, but for some reason he didn't do anything there (just logged in, and two minutes later, logged out).
- Finally, he went to create a new account. The details are as follows:
Code:
    [username] => chinabig01
    [email] => chinabig01@gmail.com
    [password] => c....1
    [country] => fi
- If you google this email address, you will notice that it's not a disposable address. It was used as early as 2009 on various sites (even one Bitcoin site - forbitcoin.com). Also, the username he chose is the same as on those sites. And the password seems to be his username (I don't store sent passwords in server logs, but for critical situations like this I leave first and last letter to prove that someone used a legitimate password for the owner. I know it lowers the password entropy, but if you use long password that you should use, it doesn't matter).
- He then activated his account using his email
- In account settings he set the withdrawal address to 1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49. Again, he confirmed this change by his email.
- Then he proceeded to withdraw the funds. He first withdrew 1 BTC (to test if it worked, I think), then 9 BTC. Finally, he withdrew 55.4561581 and 554.5438419 BTC, which all totals to 620 BTC you can see in the blockchain.
- After that, he went to transactions page to see if the transaction he made up is there, and logged out. I haven't seen this IP on the site since then.

Now, after reading this, there are some legitimate questions that one could ask himself: How on earth could this person know the filename of the script that wasn't posted ANYWHERE? How did he know the MySQL password? I don't know yet. I've asked those questions to my hosting provider and hope to get some answers. There are few possibilities, but at this point it's only guessing:
- there was a flaw in server software. Most critical parts are: Bitcoin client, Apache, PHP, MySQL. Bitcoin client at that time was at version 0.6.1 I believe. The reason for that was, when 0.7 came out, it didn't want to work with my wallet for some reason. I didn't want to risk any corruption, so I reverted to 0.6.x. The other bits were using fairly up-to-date software (not the latest point releases, but judging from the changelogs for these, there weren't any flaws in them fixed that could cause this).
- it was an inside job. Possible candidates are: someone from hosting company (which is hard to believe and literally can't be proven) or my old partner (which I don't believe, because he also had some Bitcoins on site when this happened and they were lost as well. He also didn't know that this MySQL admin tool existed, I've installed this later).
- someone hijacked my SSH details. I've looked at the auth.log and that doesn't seem the case.
- a flaw in website's code. I believe it's not the case, because remote code execution (and that's what was needed for this) is fairly easy to spot, and I looked again at the code yesterday and didn't find anything. The codebase is pretty small and straightforward. Also, I was looking through the apache access logs and didn't find any trace of this.
- something else that I didn't think of

Steps, that I've taken so far:
- gathered all necessary information and passed it to hosting company
- changed my SSH password and bitmarket's MySQL password (root password is totally separate, never used anywhere and not stored anywhere)
- removed all remote access to MySQL
- downloaded site logs for further analysis.

Right ...... just hope you have enough to refund my coins I had on sale there as I really don't have time for this shit to put it plainly.

Any chance you can zip up your server logs and make them available here ? - no offence but you should understand no one believes a word you are saying without providing proof - I don't really want to go the liquidation route so there is another option available and one which probably isn't the best for you Smiley I don't want you walking away like you were wearing a Teflon suit.
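An added example, not part of the original posts or the site's own code: a log check for the pattern described in the quoted incident report, where a database admin script is fetched successfully by an address never seen before and with no failed guesses first. The first three sample lines are constructed (documentation-range IPs); the last two are the lines quoted on this page, and treating 83.26.40.6 as the administrator's own address is an assumption made only for the illustration.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Apache "combined" log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Paths that look like a web database console (Adminer, phpMyAdmin).
ADMIN_TOOL_RE = re.compile(r'/(adminer[^/?]*\.php|phpmyadmin)', re.I)

SAMPLE_LOG = [
    # constructed: ordinary visitor
    '198.51.100.20 - - [13/Feb/2013:22:00:00 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: scanner guessing common console names and missing
    '203.0.113.7 - - [13/Feb/2013:23:10:00 +0400] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Feb/2013:23:10:05 +0400] "GET /adminer.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # quoted on this page
    '178.177.206.245 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"',
    '83.26.40.6 - - [14/Feb/2013:11:32:12 +0400] "GET /adminer-iuqgs124.php?server=localhost&username=bitmarket&db=bitmarket&sql= HTTP/1.1" 200 3489 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise to UTC so server-local offsets (+0400 here) do not confuse a timeline.
    rec["utc"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip, networks):
    """True if ip falls inside one of the administrator networks."""
    try:
        addr = ip_address(ip)
    except ValueError:  # hostname in the log instead of an address
        return False
    return any(addr in net for net in networks)


def find_admin_hits(lines, admin_networks):
    """Flag successful console requests from outside admin_networks.

    kind == "direct-hit": the address was never seen before and never missed
    a console path, which suggests the URL was known in advance rather than
    discovered by scanning. kind == "found-by-probing" covers the rest.
    """
    networks = [ip_network(n) for n in admin_networks]
    seen_ips, missed = set(), set()
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        ip = rec["ip"]
        if ADMIN_TOOL_RE.search(rec["path"]):
            if rec["status"] != 200:
                missed.add(ip)
            elif not is_allowed(ip, networks):
                direct = ip not in seen_ips and ip not in missed
                findings.append({
                    "ip": ip,
                    "utc": rec["utc"],
                    "path": rec["path"],
                    "agent": rec["agent"],
                    "kind": "direct-hit" if direct else "found-by-probing",
                })
        seen_ips.add(ip)
    return findings


if __name__ == "__main__":
    for hit in find_admin_hits(SAMPLE_LOG, ["83.26.40.6/32"]):
        print(hit["utc"].isoformat(), hit["ip"], hit["kind"], hit["path"])
```

The 04:17:21 +0400 log stamp normalises to 00:17:21 UTC, which matches the 01:17:21 GMT+1 time given in the quoted report.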
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 17/02/2013, 08:13:33 UTC
Why was there 600 in a hot wallet? Without cold storage you always take a big risk.

It went up to 600 very quickly. And I didn't want to move any coins offline because at this stage, if people couldn't withdraw for any reason, they would be very nervous (it already happened once).

After the transition it would be the case - ~90% in cold storage and 10% for daily operations. I'm even considering encrypting the private keys with user password, so the attacker can't just use them without user's credentials.

[Added on 17.02.2013, 08:10]

Details about the hack follow:

On February 14th, 01:17:21 GMT+1, the attacker approached website's MySQL administration console, which can be seen on the log below:

Code:
178.177.206.245 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The IP address 178.177.206.245 was used throughout the hack, and wasn't used on the site before. It does not look like a proxy server, and the address comes from Moscow, Russia. The script, which is a well known MySQL administration toolkit, was located at a randomly chosen (by me) filename (adminer-[eight random chars].php). The logs don't show any signs of guessing, he knew this filename somehow (more on this later).

Knowing the script's filename is not enough, because you still have to know the MySQL credentials. They are stored only in one place, in a config.php file, accessible only to website scripts. The password was 16 characters long and random: cVPzBh54N6bfdbmb (I've already changed it). Yet, the attacker somehow, again, without guessing, logged in to the console without a problem.

Having writeable access to the whole database he could do whatever he wanted really. He adjusted his account's record with new 'bitcoins' figure, and then even made a fictional transaction to point at his account (this was sloppy though, because he changed an existing one from last year, which was standing out, because this transaction seemed to be made before he even registered).

Then, he proceeded to the site itself. According to my logs, this is how it went:
- First, he tried to login to mralbi's account with a password that was supposedly leaked a year ago from other site. He failed at this.
- Then, he tried to access sonba's account (another high-profile user of Bitmarket, also known on the forums). He succeeded, but for some reason he didn't do anything there (just logged in, and two minutes later, logged out).
- Finally, he went to create a new account. The details are as follows:
Code:
   [username] => chinabig01
    [email] => chinabig01@gmail.com
    [password] => c....1
    [country] => fi
- If you google this email address, you will notice that it's not a disposable address. It was used as early as 2009 on various sites (even one Bitcoin site - forbitcoin.com). Also, the username he chose is the same as on those sites. And the password seems to be his username (I don't store sent passwords in server logs, but for critical situations like this I leave first and last letter to prove that someone used a legitimate password for the owner. I know it lowers the password entropy, but if you use long password that you should use, it doesn't matter).
- He then activated his account using his email
- In account settings he set the withdrawal address to 1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49. Again, he confirmed this change by his email.
- Then he proceeded to withdraw the funds. He first withdrew 1 BTC (to test if it worked, I think), then 9 BTC. Finally, he withdrew 55.4561581 and 554.5438419 BTC, which all totals to 620 BTC you can see in the blockchain.
- After that, he went to transactions page to see if the transaction he made up is there, and logged out. I didn't see this IP on the site since then.

Now, after reading this, there are some legitimate questions that one could ask himself: How on earth could this person know the filename of the script that wasn't posted ANYWHERE? How did he know the MySQL password? I don't know yet. I've asked those questions to my hosting provider and hope to get some answers. There are a few possibilities, but at this point it's only guessing:
- there was a flaw in server software. Most critical parts are: Bitcoin client, Apache, PHP, MySQL. Bitcoin client at that time was at version 0.6.1 I believe. The reason for that was, when 0.7 came out, it didn't want to work with my wallet for some reason. I didn't want to risk any corruption, so I reverted to 0.6.x. The other bits were using fairly up-to-date software (not the latest point releases, but judging from the changelogs for these, there weren't any flaws in them fixed that could cause this).
- it was an inside job. Possible candidates are: someone from hosting company (which is hard to believe and literally can't be proven) or my old partner (which I don't believe, because he also had some Bitcoins on site when this happened and they were lost as well. He also didn't know that this MySQL admin tool existed, I've installed this later).
- someone hijacked my SSH details. I've looked at the auth.log and that doesn't seem the case.
- a flaw in website's code. I believe it's not the case, because remote code execution (and that's what was needed for this) is fairly easy to spot, and I looked again at the code yesterday and didn't find anything. The codebase is pretty small and straightforward. Also, I was looking through the apache access logs and didn't find any trace of this.
- something else that I didn't think of

Steps, that I've taken so far:
- gathered all necessary information and passed it to hosting company
- changed my SSH password and bitmarket's MySQL password (root password is totally separate, never used anywhere and not stored anywhere)
- removed all remote access to MySQL
- downloaded site logs for further analysis.

Right ...... just hope you have enough to refund my coins I had on sale there as I really don't have time for this shit to put it plainly.
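Added example, not part of the quoted post or the site's own tooling: a way to check the two log claims made above (the IP was never seen before, and nothing suggests guessing) by summarising what each client did before its first successful request to the admin tool. The last sample line is the entry quoted in the post; the other lines, the function names and the assumption that the eight random characters are alphanumeric are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Assumption: the "eight random chars" in the file name are alphanumeric.
ADMIN_RE = re.compile(r"^/adminer-[A-Za-z0-9]{8}\.php")

# Last entry is the log line quoted in the post; the others are constructed.
SAMPLE_LOG = '''\
198.51.100.7 - - [10/Feb/2013:09:00:00 +0400] "GET / HTTP/1.1" 200 5120 "-" "constructed"
198.51.100.7 - - [12/Feb/2013:09:05:00 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "constructed"
203.0.113.50 - - [13/Feb/2013:01:00:00 +0400] "GET /adminer.php HTTP/1.1" 404 210 "-" "constructed"
203.0.113.50 - - [13/Feb/2013:01:00:01 +0400] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "constructed"
178.177.206.245 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
'''

def parse(line):
    """Parse one Apache combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def triage_admin_hits(lines):
    """Per IP: what it did before its first successful admin-tool request."""
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    history, findings = defaultdict(list), {}
    for rec in records:
        ip = rec["ip"]
        if ip not in findings and rec["status"] == 200 and ADMIN_RE.match(rec["path"]):
            prior = history[ip]
            findings[ip] = {
                "first_hit": rec["ts"].isoformat(),
                "prior_requests": len(prior),  # 0 means the IP was never seen before
                "prior_404s": sum(r["status"] == 404 for r in prior),  # probing misses
                "referer": rec["referer"],  # "-" means no Referer header was sent
            }
        history[ip].append(rec)
    return findings

if __name__ == "__main__":
    for ip, info in triage_admin_hits(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A result with zero prior requests and zero prior 404s matches what the post reports: the client went straight to the correct file name, so the name was learned somewhere other than by probing this web server.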
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 15/02/2013, 22:15:01 UTC
And he's not been posting here for some time... worrying.

Yup I had 57 coins on sale as well :p
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 15/02/2013, 19:59:28 UTC
Site seems to be down at the moment - if anyone can get hold of the admin it would be appreciated as I was going to start using the site again  Smiley
Post
Topic
Board Service Discussion
Re: BitMarket.Eu - ownership changed (in a way)
by
unixdude
on 12/02/2013, 19:43:58 UTC
I find it fascinating that M4v3r is refusing to release the transaction(s) related to the Bitcoinica debacle.  This is indicative of guilt.  I would not be surprised to learn that he took those coins for himself at this point, never gambling with them at Bitcoinica but simply using that as an excuse.  Hopefully he can prove me wrong on that...

Wouldn't surprise me ( no offence intended to M4v3r nothing personal) he was either extremely stupid and naive which is a possibility but what you stated above is more probable since he has not provided proof to the contrary.

I do like bitmarket and prefer it to mt.gox but I am not confident enough to use the site with any large sums of coins while he has  any significant involvement.

I also don't mind waiting to get my on hold balance back - which is the option I chose because this is the best exchange for me personally and I don't want to see it disappear.
Post
Topic
Board Mining
Re: when will we receive butterfly asics ??? any info ??
by
unixdude
on 08/01/2013, 21:52:51 UTC
http://lmgtfy.com/?q=spring+2013

Quote
The astronomical spring (Northern Hemisphere) 2013 begins on
Wednesday, March 20
and ends on
Thursday, June 20

That sucks, but hopefully they can get your unit out this spring.

Well if it doesn't no loss I will carry on with my GPU farm  Grin

I was order 15900 something that was placed over the weekend so if they are shipping in batches of 3 (read that somewhere not sure if it was on this forum or the BFL forum) for the pre-orders order 1 to 53XX will be shipped first then 53xx to 10XXX then the batch I am in  10xxx to 15xxx. If mine is scheduled for say April at the earliest they need to start shipping the first lot in Jan/Feb unless they delay again in which case I would probably cancel my order. Or I will probably wait until another company has regular stock and buy then.