Attacks/Breaches
3/10/2014
01:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Mt. Gox Chief Stole 100,000 Bitcoins, Hackers Claim

Cryptocurrency aficionados' ire stoked by leaked accounts showing 100,000 bitcoins remain missing.

Hackers seized control of the personal blog of Mark Karpeles, CEO of the bankrupt Mt. Gox Bitcoin exchange, on Sunday and posted a message accusing him of stealing 100,000 bitcoins (BTC).

"It's time that MTGOX got the bitcoin communities wrath instead of [the] Bitcoin Community getting Goxed," read the message, which hackers posted both to Karpeles's magicaltux.net site as well as to his Reddit page. "This release would have been sooner, but in [the] spirit of responsible disclosure and making sure all of [our] ducks were in a row, it took a few days longer than [we] would have liked to verify the data."

The data in question referred to a dump -- a.k.a. dox -- in the form of a 716-MB zip file, which hackers distributed via Karpeles's site, and which purportedly contained evidence of fraud. "Included in this download you will find relevant database dumps, CSV exports, specialized tools, and some highlighted summaries compiled from data. Keeping in line with [expletive] Gox alone, no user database dumps have been included." The zip file also includes an Excel spreadsheet listing about a million Mt. Gox trades, a screenshot of hackers' access to the systems of Mt. Gox's parent company, Tibanne Limited, a listing of Mark Karpeles's home addresses, as well as his CV, Forbes reported.

[Mt. Gox is not the only Bitcoin exchange with problems. See Bitcoin Heists Cause More Trouble.]

Also included -- and excerpted in a post to Pastebin -- were the exchange's alleged balances, in 18 different currencies, including a bitcoin balance of 951,116 BTC. Whoever hacked Karpeles's site cited that number as evidence that the Mt. Gox chief lied about the site going bankrupt, since he'd said that attackers appeared to have stolen 850,000 bitcoins. In other words, there appeared to be a discrepancy involving 100,000 BTC, which would have been worth about $62.4 million.

Some Bitcoin followers read that discrepancy as evidence that Karpeles still controlled a horde of bitcoins, no matter whether hackers had stolen the rest. Or in the words of one Reddit commenter: "We've been goxed!"

But other Bitcoin watchers said that the leaked data, while likely legitimate, didn't prove anything about the actual state of either Mt. Gox's coffers -- to say nothing of its accounting prowess. "It's legit data, but it's not proof of anything," said "PuffyHerb" on Reddit. "This is Mt. Gox's internal accounting. If there are problems with this, then it lines up with what they've been [saying] all along (i.e. they didn't know BTC was being siphoned off)."

While Karpeles appears to have blanked out his personal site after hackers began using it to distribute their dox, supposed copies of the data dump have been mirrored to other download sites and are also circulating via BitTorrent.

One caution for anyone who wants to analyze the leaked information: In a discussion on Bitcoin Forum, multiple people said that the text files in the download "are interesting and safe," but warned that executable files in the zip archive contain malware, and thus should only be analyzed using a virtual machine (VM). "One of the .exe files contains the wallet.dat stealer," said "oyvinds" in a comment. "Only run the .exe files in a throw-away VM if you are curious or on your normal Windows installation if you have too many Bitcoins and want to get rid of them." He noted that a PDF document included in the dump also included "evil JavaScript," suggesting that it was designed to steal bitcoins.

As the hackers' accusations suggest, many Bitcoin aficionados are fuming over Mt. Gox's meltdown, and don't mind taking revenge at the expense of other Mt. Gox -- or Bitcoin -- users. On a related note, as Forbes first reported, a Bitcoin Forum user called "nanashi___" on Friday posted a message offering to sell a 20-GB file of user information -- including passport scans -- allegedly stolen from Mt. Gox, for 100 bitcoins (about $62,000) to cover losses he incurred from the exchange's failure. "Selling it one or two times to make up personal loses from gox closure," according to the post, which has since been deleted by the forum's administrators. "Asking 100BTC for entire document. Willing to sell it in pieces, 10BTC for 2gb of data."

Revenge aside, fresh evidence that Mt. Gox's bitcoins were stolen by outside attackers surfaced Sunday, when The Japan News reported -- referencing multiple, unnamed sources -- that the exchange was being hammered by distributed denial-of-service (DDoS) attacks, peaking at 150,000 system access attempts per second. The attacks, which reportedly originated from systems in the United States and Europe, began on February 7, and apparently occurred at the same time as hackers were draining the company's bitcoin balance via transaction malleability attacks.

On February 10, Mt. Gox suspended all bitcoin withdrawals, before filing for bankruptcy protection on February 28.

While it's not clear whether Mt. Gox's bitcoin thieves also launched the DDoS attacks, criminals have regularly employed DDoS smokescreens to steal bitcoins. In November, for example, the Denmark-based Bitcoin Internet Payment System (BIPS) was hit by a DDoS attack at the same time that attackers hacked into the company's free online wallets and stole 1,295 bitcoins, worth nearly $1 million. According to Kris Henriksen, CEO of the Bitcoin payment processor, the attacks against his site appeared to emanate "from Russia and neighboring countries."

Cybercriminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
zapzapouch
100%
0%
zapzapouch,
User Rank: Apprentice
3/10/2014 | 1:50:38 PM
sigh
It's always fun watching Libertarians learn why governments and regulations exist.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
3/10/2014 | 1:55:26 PM
Re: sigh
This is true, but also, these people have a LOT of time on their hands.
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
3/11/2014 | 8:22:11 AM
Re: sigh
There's two sides to that (bit) coin though. The benefits of bitcoin like: instantaneous transfer, lack of fees, no requirement of middlemen, anonymity, are features that simply cannot be found anywhere in the banking system outside of cash, which is gradually going away. 

While of course there are sturdier ways to invest your money than by buying up lots of bitcoins, it shows real promise as a way of eliminating antiquated practices of institutions and governments harassing money out of people simply because they're too small to do anything about it. 
anon8712953534
50%
50%
anon8712953534,
User Rank: Apprentice
3/30/2014 | 4:48:39 AM
Re: sigh
Way to go hackers! now with all that evidence provided.......... wait you mean now he can probally say that all his files were corrupted by hackers and blame them for what he did because they were stupid and trying to take vigialante justice/investigating?
Madhava verma dantuluri
50%
50%
Madhava verma dantuluri,
User Rank: Apprentice
3/11/2014 | 9:29:39 AM
So much!
With the Bitcoin, so much inner security leaks opened up and hope system should be rebust.
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
3/12/2014 | 10:21:37 AM
Re: So much!
While I suspect not, it does make you wonder if we'll need to see a new generation of coin with a stronger backbone before a digital currency really becomes accepted.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.