So according to the following, Vinnik was aware of the origin of bitcoins that were sold on BTC-e:
> Some of the funds moved to BTC-e seem to have moved straight to internal storage rather than customer deposit addresses, hinting at a relationship between Vinnik and BTC-e.
and he was stupid enough to deposit them back to his account on MtGox:
> Moving coins back onto MtGox was what let us identify Vinnik, as the MtGox accounts he used could be linked to his online identity "WME" http://archive.is/6cFcY
All in all, there is a strong suggestion that he participated in money laundering and was involved in the whole scheme.
I wonder, if BTC-e somehow artificially pumped the bitcoin valuation leveraging the huge amount of bitcoins they put hands on, same as what MtGox did.
Also, it looks like Mark Karpeles wasn't involved in the whole scheme, and the hack was that simple thanks to the low or no security and engineering culture at MtGox:
> In September 2011, the MtGox hot wallet private keys were stolen, in a case of a simple copied wallet.dat file.
> the shared keypool of the wallet.dat file led to address reuse, which confused MtGox's systems into mistakenly interpreting some of the thief's spending as deposits, crediting multiple user accounts with large sums of BTC and causing MtGox's numbers to go further out of balance by about 40,000 BTC. None of these users seem to have reported their "sudden luck".
> All in all, there is a strong suggestion that he participated in money laundering and was involved in the whole scheme.
Well duh, anyone involved in the Bitcoin community was very well aware of this. BTC-e has been flagrantly disregarding AML and KYC laws for its entire existence.
Hating KYC/AML law may not be a strong indicator of legal wrongdoing; breaking it, OTOH, is not merely an indicator of legal wrongdoing, but is itself such wrongdoing.
Yes it is. The laws were legitimately passed; agree or not, citizens have a duty to follow them, or else protest them directly if they find them onerous enough.
>A Russian national arrested in Greece on Wednesday on suspicion of laundering criminal funds by switching them into bitcoins is a key person behind the BTC-e crypto-currency exchange, two sources close to the exchange told Reuters.
> All in all, there is a strong suggestion that he participated in money laundering and was involved in the whole scheme.
I don't see how this proves he had direct involvement in the scheme instead of just running a laundering service for people.
This blog post mentioned he was connected to other thefts as well:
>> The stolen MtGox coins were not the only stolen coins handled by Vinnik; coins stolen from Bitcoinica, Bitfloor and several other thefts from back in 2011 and 2012 were all laundered through the same wallets.
Not much solid evidence here of direct involvement in the hacks despite the bold claims, but it does look like there is some connection to the crime at the post-hack stage...
In the archived BitcoinTalk post (http://archive.is/6cFcY) he makes several references to the fact that he is working on and handling the frozen funds for a "client". (He also happens to reveal his full legal name.) This supports him working as a money launderer or front man for someone else.
If he ran BTC-e and some of the stolen Mt Gox coins were transferred directly from the Gox wallet to BTC-e's internal wallet (bypassing the BTC-e customer deposit wallets), doesn't that necessarily mean he was involved?
I imagine the difficult part is to group transactions and addresses into understandable entities. A good tool could certainly make incremental diagrams that help improve that grouping though.
This would have all been avoided if MtGox had transferred its coins to a new wallet after the 2011 breach. I guess they assumed that any attacker that got access to the private keys would have immediately emptied the wallet, and the fact that this hadn't happened proved that the private keys hadn't been compromised by the breach.
I have to admit, that is a reasonable assumption. This may show the limits of the usefulness of heuristics, and the importance of organizations like exchanges, that have very significant fiduciary duties, to undertake a systematic process after a security breach to eliminate all possible remaining vulnerabilities, no matter how unlikely and counterintuitive.
I think his point is that when it comes to stuff like this, our intuition about reasonable assumptions is wrong. And we must as both you and the parent post say, be systematic about the response.
It's a reasonable assumption, one move in advance. If you are thinking ahead of the immediate next move, then it is not. Clearly the person who outsmarted their security also exploited their naive human assumptions.
> I have to admit, that is a reasonable assumption.
It costs dirt to move your coins. It's not remotely reasonable if you're in the Bitcoin world at all - if you have any reason to believe that an attacker had any access to your wallet the advice is always the same. Make a new wallet and transfer all the coins ASAP.
They said it's a reasonable assumption to believe your private keys likely weren't compromised. That's not the same as saying it's reasonable to not move the coins anyway.
It's still insane to me that MtGox never moved coins to a wallet or acknowledged the breach until long after it was too late. You would think if you have billions of dollars sitting somewhere and you realize someone is starting to take them you would, you know, do something.
Same here, I saved mine to show to my kids some day. "Hey look kids, your dad was summoned to a Japanese district court over the loss of 0.0001 bitcoin!"
I got that card and had 0 BTC in my account. I think they sent it to anyone who ever used the exchange, regardless if they had funds in it at the time it fell apart.
Years ago, it stated I was a creditor and was owed some comically tiny amount of BTC I had left in my account. Cool form factor, a sorta sticky postcard-sized accordion you would pull apart, Japanese on one side, English on the other.
At the time of the MtGox implosion I was bummed to have lost a few hundred $ worth of BTC. Now I'd be very interested in recovering that balance ... in BTC.
There is a good chance part of what customers lost during MtGox will be redistributed after bankruptcy hearings, but you needed to file a claim by July 29, 2015.
It sounds like MtGox must have had no auditing of their wallets, or completely ineffective auditing.
How did they not at least perform a simple sum of coins held by their wallets and compare it against the amount expected by their databases? Or is the attack more sophisticated than this would detect?
If I were building a system like this, I'd want to run an auditing system continuously that looks for discrepancies, and then "shuts down everything" if they're detected.
In trading environments we have a thing called drop copy that is a real-time feed of what the street thinks the house's trades are. This is constantly compared to what the house's own view is. This way trade breaks (discrepancies) are caught immediately.
The analogy would be scanning the block chain looking for the firm's account numbers to verify all transactions are accounted for.
I don't know for the life of me why basic stuff like this isn't implemented. The crypto currency world is like a big joke.
In the early days, Bitcoin exchanges weren't making enough money to pay for "real" engineering. Then things tended to take off so fast that just keeping the site up consumed all its resources.
There were one or two exchanges that did things "right" (e.g. TradeHill) and were immediately driven out of business by their own high costs.
I don't buy that argument, if it implies that the site operators were anything but flabbergastingly incompetent.
It's pretty straightforward to compute the sum of all coins in your wallets, I would assume. It's also straightforward to compute the sum of all account deposits tracked by your database. Just knowing those two numbers is really simple stuff, like a single SQL query on the DB. All they need to do is calculate those numbers and report on it daily or weekly and they'd have detected the fraud the very first time coins were taken.
Yeah, how dare you presume incompetence on the part of Magic: The Gathering Online Exchange, the internet's largest online trading card site turned financial exchange. /s
(Not physical cards traded online, mind you, these were virtual cards in the game Magic: The Gathering Online.)
They were simultaneously bit by an attack exploiting a fault in their wallet implementation in combination with transaction malleability. You can invert all the bits in a transaction id and if you also take the complement of the signature then the signature is still valid. The transaction still happens but you never see the transaction ID come over the network (it's actually the complement of the txid). After a while, most clients concluded that it wasn't broadcast successfully and either aborted or retried, so their wallet balance diverged. And yes they probably did not check it against the official client balance.
A significant number of frontend nodes participated in this transaction malleability attack over a sustained period of time, probably more than a lone-wolf attacker could access (although renting botnets isn't all that expensive, especially if you are sucking out bitcoin at the same time...)
The interesting question is whether they had someone on the inside, although it could also be explained by incompetence and an attacker probing for weaknesses who comes to realize that the bug wasn't being patched.
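The wallet-side failure described in the comments above (a client that keys its bookkeeping on the txid, sees a malleated copy confirm under a different id, concludes the spend failed, and retries) is what the following added example contrasts with a tracker that matches confirmed transactions by the outpoints they consume instead. This is example code, not MtGox's or any wallet's; the transactions and ids ("aaa", "bbb", "dep1") are constructed.

```python
from dataclasses import dataclass, field

# Added example, not MtGox's or any wallet's code. The transactions below are
# constructed; "aaa"/"bbb"/"ccc" stand in for real 32-byte txids.
@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset   # outpoints (txid, vout) this transaction spends
    outputs: tuple      # ((address, amount), ...)

def naive_should_retry(pending_txids, confirmed_txids):
    """Txid-keyed bookkeeping: a malleated copy confirms under a new id, so the
    original looks unconfirmed and gets re-sent from fresh inputs (paying twice)."""
    return {t for t in pending_txids if t not in confirmed_txids}

@dataclass
class WithdrawalTracker:
    pending: dict = field(default_factory=dict)    # our txid -> Tx we broadcast
    settled: dict = field(default_factory=dict)    # our txid -> txid it confirmed under
    conflicts: dict = field(default_factory=dict)  # our txid -> txid that spent our inputs elsewhere

    def broadcast(self, tx):
        self.pending[tx.txid] = tx

    def on_confirmed(self, chain_tx):
        """Match a confirmed transaction to our pending spends by the outpoints it
        consumes, never by its txid, which an attacker can change without our keys."""
        for our_id, ours in list(self.pending.items()):
            if not (ours.inputs & chain_tx.inputs):
                continue
            del self.pending[our_id]
            if chain_tx.outputs == ours.outputs:
                self.settled[our_id] = chain_tx.txid      # same payment, new id: malleated, done
            else:
                self.conflicts[our_id] = chain_tx.txid    # our inputs spent by a different payment: investigate
            return our_id
        return None

    def should_retry(self, our_id):
        """Rebroadcast only while the inputs are still unspent, and then resend the
        same signed bytes rather than building a new transaction."""
        return our_id in self.pending

if __name__ == "__main__":
    tracker = WithdrawalTracker()
    ours = Tx("aaa", frozenset({("dep1", 0)}), (("customer", 5.0), ("change", 1.0)))
    tracker.broadcast(ours)
    tracker.on_confirmed(Tx("bbb", ours.inputs, ours.outputs))  # malleated copy seen in a block
    print(naive_should_retry({"aaa"}, {"bbb"}))   # {'aaa'}: would pay the customer twice
    print(tracker.should_retry("aaa"))            # False
```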
There is a lot of space between 'real engineering' and 'flabbergastingly incompetent'.
> It's pretty straightforward to compute the sum of all coins in your wallets, I would assume.
You assume incorrectly. It's a cold wallet. It's not connected to anything; that is its purpose. To monitor the balance, one would have to write software to watch the blockchain and calculate the balance of specific addresses. This is by no means impossible but in 2011 there were very very few engineers on Earth competent to do it and Mt Gox was trading bitcoins for pennies. Don't underestimate how fast Bitcoin went from a strange curious technology to being worth significant money.
Ultimately you are judging their actions through the lens of hindsight. Best practices weren't even established yet.
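The audit several commenters ask for (sum what the wallets hold on-chain, sum what the database says customers are owed, halt on a discrepancy) is sketched below as an added example; it is not MtGox's code. It also models the address-reuse mistake quoted earlier in the thread, where the thief's change output was booked as a customer deposit, by switching between a deposit processor that ignores self-signed spends and one that does not. The chain, the addresses and the amounts are all constructed; only deposits are modelled, not customer withdrawals.

```python
import sqlite3
from collections import namedtuple

# Added example, not MtGox's code. Everything below is constructed: three
# hypothetical transactions and three hypothetical exchange wallet addresses.
# inputs = outpoints (txid, vout) spent; outputs = (address, amount) pairs.
Tx = namedtuple("Tx", "txid inputs outputs")

EXCHANGE_ADDRS = {"exA", "exB", "exC"}

CHAIN = [
    Tx("t1", [], [("exA", 50.0)]),                             # customer deposit
    Tx("t2", [], [("exB", 30.0)]),                             # customer deposit
    Tx("t3", [("t1", 0)], [("thief", 40.0), ("exC", 10.0)]),   # spend with copied keys; change to a reused exchange address
]

def onchain_balance(chain, addrs):
    """Replay the chain and sum still-unspent outputs paying addrs (what a cold-wallet watcher computes)."""
    utxo = {}
    for tx in chain:
        for outpoint in tx.inputs:
            utxo.pop(outpoint, None)
        for vout, (addr, amount) in enumerate(tx.outputs):
            if addr in addrs:
                utxo[(tx.txid, vout)] = amount
    return sum(utxo.values())

def credited_deposits(chain, addrs, skip_self_spends):
    """What the deposit processor books as customer credits. skip_self_spends=False
    reproduces the address-reuse mistake: the thief's change output is booked as a deposit."""
    own_outpoints = {(tx.txid, v) for tx in chain for v, (a, _) in enumerate(tx.outputs) if a in addrs}
    credits = []
    for tx in chain:
        if skip_self_spends and any(op in own_outpoints for op in tx.inputs):
            continue  # signed with our own keys: a withdrawal or change, never a customer deposit
        credits += [(tx.txid, amount) for addr, amount in tx.outputs if addr in addrs]
    return credits

def ledger_total(credits):
    """Load the credits into the exchange DB and read the liability back with one SQL query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE deposits (txid TEXT, amount REAL)")
    db.executemany("INSERT INTO deposits VALUES (?, ?)", credits)
    return db.execute("SELECT COALESCE(SUM(amount), 0) FROM deposits").fetchone()[0]

def audit(chain, addrs, skip_self_spends, tolerance=0.0):
    """Compare coins held on-chain with coins owed per the DB; a shortfall beyond tolerance halts trading."""
    held = onchain_balance(chain, addrs)
    owed = ledger_total(credited_deposits(chain, addrs, skip_self_spends))
    shortfall = owed - held
    return {"held": held, "owed": owed, "shortfall": shortfall, "halt": shortfall > tolerance}

if __name__ == "__main__":
    print(audit(CHAIN, EXCHANGE_ADDRS, skip_self_spends=False))  # owed 90, held 40: halt
    print(audit(CHAIN, EXCHANGE_ADDRS, skip_self_spends=True))   # owed 80, held 40: halt, shortfall equals the theft
```

Run on the first two transactions only, held and owed agree and nothing halts; the third transaction trips the audit either way, and with self-spends excluded the shortfall is exactly the 40 that left.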
The site was originally made for trading Magic: The Gathering Online cards by one guy who later got bored and then got into Bitcoin, but I have no idea, and Wikipedia doesn't mention, whether they reused any code or just the domain name itself.
It's a fun piece of trivia one crypto currency guy told me and it seems to be true.
Yes, I never realized.. seriously, I didn't until today. I thought it was meant to sound like Knox and Mount to invoke images of gold, a vault in a mountainside and so on.
It really bothers me how often people repeat it like it means anything in this case. Like they forget Amazon was just selling books. Also no idea if it still uses any of the old code or just the name itself.
Jed McCaleb built a beta release of a Magic trading card exchange for the MtGox domain. He then read about bitcoin in a Slashdot article posted on July 11th, 2010 after which he decided to write an exchange. McCaleb insists that the bitcoin exchange was completely different from the Magic cards exchange, but Mt Gox went live as a Bitcoin exchange July 18th, 2010.
So either McCaleb built a brand new exchange from the ground up in one week, or he reused code from his Magic card trading service.
McCaleb sold the site to Karpeles 8 months later, and 3 months after that, it was breached for the first time. Allegedly, the hacker used McCaleb's old admin credentials to arbitrarily assign himself any amount of bitcoin, which he then started selling off to crash the price. Since the price crashed to $0.01, the dollar value of the withdrawal limit represented several thousand bitcoin, which the attacker promptly sent off-site.
No matter if the site was reused code from a Magic card exchange, or was written from the ground up, it never should have been within a thousand miles of anything of value.
IIRC the site was written in PHP and it was a miracle it didn't get hacked earlier (or, now it seems, it did, but the hackers kept the site running to maximize the heist).
To be fair, PHP by itself is not the issue here, the issue is rather being amateurs (Mark, Ross) who started doing a fun project and ended up brokering millions of dollars without having the experience or opsec for doing so. This is what led to their downfall.
Around mid 2013 Bitcoin supply was around 11.5M coins, so 630K was more like 5.5% of total Bitcoin. Just using a different kind of math. There are more coins now, so using today's market cap % makes it seem less than it actually was.
Of course, there is almost no way to liquidate those BTC for $1.5 billion. Unless you can find a buyer for all of them at once, the market price will fall sharply as you sell them off.
I remember a time when BTC-e was the most logical exchange to use, especially in the fallout of MtGox. I really enjoyed how straightforward the exchange was, and how easy it was to get started using their API. I don't think they're coming back after this.
Give BTC a little credit, it's capable of giving you a solid rush and getting you(r bank balance) high. It doesn't always bankrupt you. That's a lot better than you can say of krokodil.
But many (not all of course, and probably a minority of people who do bitcoin) of its proponents seem as crazy as krokodil users with their snappy judgements, saying it's government propaganda that there is crime done using bitcoin, that bitcoin will replace all currencies, that 'revolution is coming', 'banksters are afraid', and other weird 'freedom' slogans, etc.
At the same time, in some weird massive cognitive dissonance, anytime one of these evil governments they hate so much decides to legitimize bitcoin in some way by recognizing it as some financial instrument or when USD/BTC rises (and let's remember - dollars are a fiat currency a.k.a. useless pieces of paper that bankers print and force people to use) they are giddy as hell.
I have even seen comments saying that Satoshi becoming an instant billionaire (richest in the world by far, in pure currency, not 'net worth' that's hard to liquidate and spend) if bitcoin really became a global currency is deserved for his contribution to humanity. Can you imagine someone saying Dennis Ritchie should own 5% to 10% for his contributions to Unix, C, etc. (that largely went unrewarded, and he died at the same time the Jesus of electronics Steve Jobs did, so no one even cared). Or RMS for the FSF? I just can't imagine how much you have to like a thing (FOSS, Unix, C, Bitcoin, ..) to say its creator should be rewarded that heavily and become the richest person in Earth's history.
It's what you get if you walk into a gas station determined to mix everything they have on their shelves and hope this results in a drug. It's a very cheap and easy drug to create, but its ability to destroy the user's body far surpasses more conventional drugs like heroin.
The life expectancy of a user is 1-2 years as their tissue starts to die.
It's an old, obsolete but very potent painkiller that recently resurfaced in Russia, and it makes your body rot and require amputations.
I think it's an apt comparison of the 'potence' of these two things. People who take coke don't rot alive and die within a few years. Similarly penny stocks are (relatively) harmless, never used to buy illegal stuff and people who do them don't go around saying that penny stocks will replace all finances and currencies and cause a revolution against the corrupt banker filled governments and accuse everyone of being governmental propagandists (yada, yada..), many of Bitcoin proponents on the other hand...
Is the diagram simplifying things? It looks like in a number of cases, coins were stolen, sent to a single wallet, and then sent to an exchange. That doesn't seem like a particularly ambitious attempt to launder. I must be missing something...