

Mark Karpeles' blog hacked - drewblaisdell
http://blog.magicaltux.net/

======
MiWDesktopHack
The leaked data set contains:

    
    
      * screenshot of the back office application
      * OSX and Windows back office application binaries
      * btc_xfer_total_summary.txt
      * CV-Mark_Karpeles_20100325.pdf
      * home_addresses.txt
      * trades_summary.txt
      * btc_xfer_report.csv containing every deposit and withdrawal
      * mtgox_balances containing the balances of all user wallets
      * trades.zip containing monthly csv files of all trades within mtgox & coinlab between 2011-04 and 2013-11
      * trades csvs have fields:
        Trade_Id, Date, User_Id, User, User_Id_Hash, Japan, Type, Currency,
        Bitcoins, Money, Money_Rate, Money_JPY, Money_Fee, Money_Fee_Rate,
        Money_Fee_JPY, Bitcoin_Fee, Bitcoin_Fee_JPY, User_Country, User_State
    

From this data you could reconstruct every trade within the site, and identify
the address from transaction values.

This dataset could lead to loss of anonymity to a significant number of people
in the cryptocurrency world.

~~~
Phlarp
If what you say is true and this data is sufficient to recreate and
de-anonymize the trades on gox against withdrawals from their addresses, shouldn't
we be able to see if coins were actually stolen through tx malleability?

------
iamshs
My cousin had an account on there with 102 BTC, and bought it while the price
was around $650. He was having a hard time for the last few days, but after a
trekking trip and being with him since the fiasco he seems to be coping
fine. He is more worried about the driver's license copy he provided as a
verification. The database sure is leaked, and identity theft seems a real
possibility. What are the safeguards that can be adopted now? Any help will be
good.

~~~
mindslight
Primarily, you need to straighten out your framework - "identity theft" isn't
actually a real thing. It's a marketing term to scare people into thinking
they share fault for institutions' trivially broken systems. In the event that
a third party commits fraud using your cousin's _non-secret_ driver's license
number and your cousin suffers repercussions, the actual concepts you're
looking for are libel and tortious interference committed by credit bureaus
and banks.

~~~
mikeash
"Identity theft" is a catch-all term describing fraud committed using this
sort of information. It may not be as specific a term as you want it to be,
but that's far from not being "actually a real thing".

~~~
dredmorbius
The point being that "identity theft" is typically used to shift
responsibility to the individual from institutions.

Truth is that "fraud" has existed for centuries (though the incidence of
"financial fraud" in print has exploded since the mid 1980s). "Identity theft"
emerged in the late 1990s.

[https://books.google.com/ngrams/graph?content=financial+frau...](https://books.google.com/ngrams/graph?content=financial+fraud%2C+identity+theft&year_start=1900&year_end=2008&corpus=15&smoothing=3&share=&search_plus_one=form&direct_url=t1%3B%2Cfinancial%20fraud%3B%2Cc0%3B.t1%3B%2Cidentity%20theft%3B%2Cc0)

~~~
mpyne
> The point being that "identity theft" is typically used to shift
> responsibility to the individual from institutions.

That hasn't been the case for me. Each of the several times my data was
taken and there was the possibility of identity theft, the company responsible
ended up having to pay for various monitoring schemes.

And should that data have been used fraudulently, it would still have been the
fault of whatever _person_ took that data, not the institution that
improperly handled it.

~~~
dredmorbius
_the company responsible ended up having to pay for various monitoring
schemes_

And who did the monitoring?

That's pretty much my point: _you_ have to keep track over use of credentials
in your name, and fight these in a court of law.

There's little or no criminal liability on financial or information bureaus
for getting information wrong.

That is: the onus is on the individual, not the system.

~~~
mikeash
This is all very interesting, but what does the _terminology_ of "identity
theft" have to do with any of it?

~~~
dredmorbius
It's not that "my identity has been stolen". It's that financial institutions
(and others) have established procedures for freely creating binding
obligations in my name on the flimsiest of actual evidence. It's fraud,
enabled by financial institutions' weak procedures.

------
bhaumik
Original post from his reddit account:
[http://www.reddit.com/r/Bitcoin/comments/1zz21j/mtgox_2014_h...](http://www.reddit.com/r/Bitcoin/comments/1zz21j/mtgox_2014_hack_database_revealed_live_from_mark/)

Bitcoin's history already has a trilogy's worth of entertainment

------
codewiz
Until a few minutes ago, you could see this hidden message:

    
    
      $ curl http://89.248.171.30/
      <a href='MtGox2014Leak.zip'>They were not made out of magic Mark...</a>
      <!-- I hated working with you.   You deserve everything you get for what you did. -->
    

The machine seems down now.

~~~
wcummings
Up now

------
Aqueous
They might very well be in possession of the 950k but have lost the private
key to spend those funds. It looks like in recent days they regained control
of 200k BTC, so perhaps they've recovered a key or two?

I sure wish they would make a statement soon because if it was in fact the
case that they recovered a large portion of their BTC, that would go a long
way to bolstering faith in BitCoin itself, whose brand they totally damaged by
blaming transaction malleability in the first place.

~~~
sp332
They never mentioned losing a private key, did they?

~~~
Aqueous
Not specifically - perhaps because saying they were stolen is slightly (but
only slightly) less embarrassing than saying they misplaced the key.

Karpeles did say something to the effect that the funds were "temporarily
unavailable" - which would be consistent with losing the key, if they had any
hope of getting it back.

~~~
sp332
The attack that they claim happened was due to a bug in their accounting
software. The software sometimes wouldn't record that a transaction had
finished, so that account's balance didn't go down. Nothing to do with losing
keys.

Karpeles was trying to get investors to cover the losses after the bug was
found. That's why he was hoping the losses would be temporary. But Mt Gox's
business practices are so bad no one wanted to invest in them, so that's
almost certainly not going to happen.

There is only one way the coins could be recovered: if the thieves are found
with the stash intact. Just keep in mind that Karpeles might be the thief.

~~~
danielweber
Last week people had tracked down Gox's prior BTC transactions and they still
had the coins in an address they controlled.

I've theorized that they lost the key, not because of any direct evidence, but
because it's the only thing that makes a little bit of sense without
out-and-out fraud.

~~~
sp332
I hadn't really thought of that. There's something going on with those
addresses today!
[http://www.reddit.com/r/MtGox/comments/1zsw9l/90000_bitcoins...](http://www.reddit.com/r/MtGox/comments/1zsw9l/90000_bitcoins_attributed_to_mtgox_addresses/)

------
yanghan
It's just a database dump. This doesn't mean that these values are backed by
their wallets.

It's possible the bitcoin could be stolen and not reflected in the data.

------
aegiso
You know what would be brilliant? If this were Karpeles himself using
"hackings" in a desperate attempt to deflect legal responsibility.

I have no idea what the likelihood of this is, but it's in the realm of
plausibility with all of the feces hitting the fan at Gox.

~~~
Aqueous
"Brilliant" seems like the wrong word for that.

~~~
jpatokal
I'd go for "brillant":
[http://thedailywtf.com/Articles/The_Brillant_Paula_Bean.aspx](http://thedailywtf.com/Articles/The_Brillant_Paula_Bean.aspx)

------
callahad
Wow, this is interesting. The folks dumping the dox asked for donations via
Bitcoin. Thanks to the public nature of the blockchain, we can watch in real
time as the donations come in:
[https://blockchain.info/address/1859rayqN1X7DYjD1BrAHm4vaQxo...](https://blockchain.info/address/1859rayqN1X7DYjD1BrAHm4vaQxoUhhzsN)

------
Cless
Just because my database says I have $100 trillion does not mean I have $100
trillion.

------
wfn
I wonder if the balances revealed are concretely tied to wallet data, or
rather simply are entries in a database. If the latter (and from what they
said it seems to indeed be the latter), doesn't really mean much / doesn't
contradict Mark's words in itself. (cf. Mark's comment that 'technically
speaking [bitcoins are] not "lost" just yet, just temporarily unavailable.')

~~~
nwh
They would just be balances, otherwise every trade in their engine would
hammer the Bitcoin network with transactions. No sane person would do anything
but have an external database with a fairly tenuous connection to the actual
wallet balances.

------
danielweber
According to /r/Bitcoin the .zip file contains a virus. It's taking
forever-and-a-day for me to download it so I can't verify that.

~~~
sp332
Which post? I see several that say it's clean.

------
sp332
magnet:?xt=urn:btih:b6545ecc7db8d44c8cbc4e93989edf8221af75f5&dn=MtGox2014Leak.zip

If you can't get a peer via DHT, add tracker udp://tracker.publicbt.com:80

~~~
skorgu
From the reddit thread:
[http://burnbit.com/torrent/280433/MtGox2014Leak_zip](http://burnbit.com/torrent/280433/MtGox2014Leak_zip)

~~~
sp332
That has some advantages, but also some disadvantages. It uses the original
server as a "web seed", so even though it's a torrent, it's still putting a
little strain on the web server for no good reason. Also with all those
unnecessary trackers in there, it's long and awkward to copy-and-paste.

------
antonius
Waiting for a class-action against Mark Karpeles any minute now.

~~~
rmc
Does Japan have class action lawsuits? Not all countries do.

------
bertil
Does this (the almost one million BitCoins) mean that he openly lied about
being insolvent, or is this an undisclosed donation?

~~~
mpyne
It might be as simple as there being a balance in the accounts, but being
insolvent on the books due to outstanding liabilities owed by MtGox. But I'm
not an accountant so YMMV.

~~~
fredgrott
Even at $100 is more than the liabilities of 66 million

------
cauterize
Would it be possible to use an alternative blockchain (maybe currency) to do
internal accounting? Low confirmation requirement, add the BTC block chain
transaction ID as a memo, consistency, etc.

------
rmc
Does this mean MtGox should get on haveibeenpwned.com ?

