Hacker News new | past | comments | ask | show | jobs | submit login
500k Bitcoins traded in 1h, Mt.Gox market hacked + crash (bitcoincharts.com)
276 points by eis on June 19, 2011 | hide | past | favorite | 245 comments

From the mt.gox site:

  Huge Bitcoin sell off due to a compromised account - rollback
  The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
  Service should be back by June 20th 10:00am (JST, 01:00am GMT) with all the trades reversed and accounts available.
  One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.
  Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.
I'm interested in the fact that they can do a rollback... is that just a rollback of their transaction log? Are they buffering transactions for a significant period before submitting them back to the network?

Trades are internal to Mt. Gox until you withdraw your money either as bitcoins or as USD. The compromised account had a $1000 per day withdraw limit, so the thief could only withdraw $1000 after selling all those coins. The rest of the cash is still within Mt. Gox, and therefore the state of the Mt. Gox DB can be rolled back to before all the coins were sold.

which makes me think mtgox got very lucky. I mean the hacker could overcome $1000 limit a day (roughly 80 bitcoins) by creating thousands of bogus accounts, putting on the market bid orders at $0.01 in all accounts, drive the market to the bottom like he did to fill his orders and quickly transfer 80 bitcoins from each account out of the exchange. he could get away with bitcoins worth of millions irreversibly and completely anonymously.

I think they were very lucky. Quite frankly I hope people take note of these near-misses and think a lot more about security.

It wouldn't be even necessary.

The 1000 USD is relative to the current price I suppose. So if I have access to an account with 500K bitcoins and I sell 400K bitcoins so that the price drops to 0.01 (like it did), and then I transfer the 100K bitcoin left in the account to my bitcoin address(and I can with the driven down exchange price) when the price goes back up I would have made a killing.

As I understand, there is also a 50 BTC withdrawal limit.

One would assume the $1000 limit is in the mtgox code. So if the hacker had full server access...

If you trust the Mt. Gox folks, they're now claiming that there was no server hack, just a database copy that some consultant had that got stolen.

If you trust what they're saying, which might be questionable since their business is pretty much going up in flames at the moment, so they are probably desperate to make things appear better than they are...

I hope for their sake that they actually have enough USD and BTC on hand to deal with the mass withdrawals that are coming...

My understanding is that he actually withdrawn BTCs after buying them back - presumably he was not really prepared to all this and only made the hack by accident. Withdrawing dollars would be harder - because he'd need to transfer them via standard banking systems, that takes days and could be stopped on the way and also be much harder to hide traces to the real identity of the hacker. During his buy back operation the price was back around $14 - and this price was used for the $1000 daily withdraw limit - reinforcing the notion that he did not prepare the attack at all.

[Update - 2:06 GMT] What we know and what is being done.

* It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

* Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.

* We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.

* Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.

* When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.

* Once Mt.Gox is back online, trades 218869~222470 will be reverted.


I for one certainly wouldn't be going back. [MD5] is enough to tell me they only half heartedly care about securing user data, no matter how many buzz words they throw in now.

"We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified."

Ah, that's why I had to change my password then.

Yes, I was also worried when I saw the suspicious activity flag had been tripped on my acct., but apparently that doesn't actually mean that anyone actually tried anything, just that our e-mails appeared in the list.

Luckily I never reuse passwords for important stuff like e-mail or anything that touches money...

This allowed for someone to pull our database ... so in effect the site was not hacked.

Weasel words. If someone has a dump of your database, then your site was hacked.

mtgox acts like a central authority. basically all these trades were happening in mysql database within the exchange between internal accounts, there were no actual bitcoin transactions.

But if you bought a bunch of BTC at $0.01 and then withdrew them, Mt.Gox should have irreversibly sent that over the real Bitcoin network.

there is daily limit though. you can only withdraw up to 80 BTC a day.

What source are you getting this 80 BTC / day withdrawal limit from?

Due to some US law, they restrict withdrawals to $1000/day. That includes bitcoins. Presumably, they do that to make sure they are well within the law.

Before they closed it, the BTC traded for $0.01 each, which means they could withdraw 100,000 BTC under the $1000 rule.

But not the separate but related BTC / day rule.

Yeah, but my guess is that not many people managed to withdraw them because of the stability problems the site had/have. Mt.Gox will probably have some losses, but not that high I think.

This exactly. People _could_ have withdrawn a bunch, but mostly that didn't happen.

It sounds as if Mt. Gox managed to shut things down before anyone could do that.

mtgox acts like a central authority

Goodbye frying pan, hello fire.

And who gets to decide which trades are rolled back? By what criteria?

It is pretty clear that Mt Gox rolled back all trades from now to the first big unauthorized trade.

So if you had already done a legitimate trade it's gone? "Sorry you made some money there, but someone else got affect by something else, so we've undone that". So much for "There are no chargebacks on BitCoin"

I don't understand all the anger at the idea of rolling-back. Hasn't anybody trading bitcoins been watching how major equities exchanges have worked for decades?

Take the flash-crash last year. Yes, if you were a lucky one who bought GE at $3/share then hell yes you wanted that trade to count.

But to have an exchange it takes everybody acting in the interest of the group as well as themselves. The value to that over purely selfish motivations is that it creates a liquid market which benefits everybody involved.

Part of this is the acceptance of situations like this. In cases of attack or software defect, the only real viable option is to rollback. The only people this hurts are the 1% who tried to profiteer on the situation. Not rolling back would harm the other 99%. It's an easy call.

The only real tragedy would be if they cannot rollback accurately. You'd think this wouldn't be possible, but you never know... It seems as tho this site has had a known CSRF bugs for a while. This is not a hard thing to fix. It doesn't shine well upon their competence.

Just to be clear, I'm not taking a position, only asking a question: how does the exchange layer affect the fundamental goals of bitcoin, esp. the notion that no centralized authority controls monetary policy?

In principle, it doesn't affect that goal. An exchange doesn't control monetary policy, i.e., it doesn't set interest rates or increase the quantity of currency.

Of course, an exchange can affect the value of the products it is trading. Since Mt. Gox is the biggest bitcoin exchange, if a vulnerability is found then people might stop trading there, decreasing the liquidity and consequently the value of bitcoin. But this doesn't contradict the goal you mention.

As an analogy, if company ACME only trades on Nasdaq and there's a system problem with Nasdaq, some people will be scrambling to get rid of their ACME stocks so ACME's price will go down. That doesn't mean that the exchange controls the price of ACME.

But if MtGox's technical failure effectively took USD$120M of bitcoins offline, then MtGox has reduced the supply of BTC for some period of time, no? I understand that exchanges are secondary markets, but they seem to be contrary to the philosophy of no centralized control over supply/demand. I always understood bitcoin to be a per-transaction, ad hoc currency – not an exchange-traded commodity. Of course, people are free to do whatever they want with their stuff...

Edit: I realized after posting that I called bitcoin a "currency" above. I realize that it's a controversial position, but my feeling is that, as a medium of exchange, it qualifies a currency.

So much for "There are no chargebacks on BitCoin"

Well this is trading through an intermediary, you can't really expect it to work that way otherwise something like this would have a lot more incentive for wrongdoers.

If you really want to have no chargebacks you have to go the harder route of one on one trading, with everything that comes along with that.

And of course, one on one bitcoin trading is already alive and well at http://bitcoin-otc.com/

When designing a system like this you have to have a veil of ignorance. There may from time to time be attacks or defects that mean some people lose a lot of money while others gain some. Not knowing which will happen to you, how would you want the system to work?


You don't understand. There is a difference between the currency and the exchange. The exchange stores the trades internally without actually doing any bitcoin transactions until the time of withdrawal.

I can confirm that the alleged dump is the real deal.

Some passwords are md5 hashes, some are salted md5 hashes (utilizing the crypt[0] function). I did not log in for a long time and my password was still unsalted, so I assume that converting to salted passwords was done either automatically on login or on password changes.

0: http://www.kernel.org/doc/man-pages/online/pages/man3/crypt....

I hate to look down my nose at other programmers, because I understand that we all start somewhere, but if you are building a financial exchange and you encrypted passwords using unsalted MD5 at any point in the history of your product, you have proven to me that you are learning as you go, and there is no way in hell I'd trust you with any significant sum of money.

To give some context, that financial exchange had a trading volume of less than 1000 dollars/day six months ago. http://i.imgur.com/HHlnd.png

The original author sold the site in March before things got really serious.

Where do programmers learn about this stuff? Is it taught at schools? Can anyone recommend good books on proper security procedures?

For web security, I'd recommend checking out this question on Stack Overflow: http://stackoverflow.com/questions/72394/what-should-a-devel...

Also the OWASP top ten vulnerabilities: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...

A great place to start is "Applied Cryptography" by Bruce Schneier.


Edit: Note, this really barely scratches the surface for building secure software. AC says how to apply cryptographic primitives correctly. It won't teach you how to avoid vulnerabilities specific to particular application domains (like CSS, SQL injection, etc...).

That book is old, and though still basically correct, there's much better ways to learn about the practice of developing secure systems. I recommend "Cryptography Engineering" by Ferguson, Schneier, Kohno which is a more modern descendant of Schneier's AC.

Looks like I need to update my bookshelf. Thanks for the recommendation.

Being a programmer means committing yourself to a life of continued education. Building a secure authentication system? Time to read up on the subject. You don't have to go far before you learn about the vulnerability of MD5 hashes for password storage.

A good start can be made by following the work of Ross Anderson and having a read of his book.

http://www.cl.cam.ac.uk/~rja14/ http://www.cl.cam.ac.uk/~rja14/book.html

Websites like this are great. Just look at what other learned people here are saying about cryptography.

My account is also in the list and appears salted. Someone just tried to access my gmail account via an ec3 instance so I bet the salting is done wrong or something else.

Damn, I'm in there. Glad I used a generated password (from LastPass) so I don't have to change my passwords on a lot of various sites.

this is the only way to fight incompetence of some websites. those passwords are (most likely) unsalted vanilla MD5 hashes. just entered a few of them into google from that file and yes, many of them are present in rainbow tables. damn. makes me angry as a programmer how financial website can be this unsecure and easy to compromise.

They look like salted hashes to me.

you can recognize salted hashes from unsalted ones just by looking at them? open the file and search for 5f4dcc3b5aa765d61d8327deb882cf99, at least 1,600 passwords in that list are unsalted. (those without $1$)

5f4dcc3b5aa765d61d8327deb882cf99 = md5("password")

for those who don't know

Man, these programmers are fucking amateurs. It's a FUCKING TRADING PLATFORM.

That's what happens when there's no regulation...

You must not have been following the news: http://www.theinquirer.net/inquirer/news/2079431/citibank-ha...

It happens everywhere.

Would you be willing and able to point out the regulation violated?


Cause, I don't think they broke any rules. Are they even required to keep those details secret? It's pretty clear marketing agencies can buy that data, so i don't think it's any sort of violation of privacy policy.

icebraining, that's called irony

...i hope

I find it funny that people are outraged about unsalted MD5 yet they use passwords like "secret123" that are found in every wordlist.

Guess what: Even salted hashes won't save your ass with such weak passwords. And yes: it's a FUCKING TRADING PLATFORM you want to put money on so _you_ should think of a secure password.

And what makes you think that the same people who are complaining about unsalted MD5 are also the same people who use passwords as weak as 'secret123'?

A little bit explanation:

Mt.Gox is the biggest bitcoin market place by far. During the last 1h the whole volume of about 500k BTC was traded making the price drop from somewhere around $17 to virtually nothing.

Details are not available yet. It could have been a bug or an intrudor.

Rumors have it that someone with a huge wallet got hacked.

<+MagicalTux> someone with lots of coins did get hacked

MagicalTux is working on Mt.Gox

Also some other markets like btcex or tradehill are seeing problems and/or price drops.

Update: Mt.Gox have published an announcement:


I'm surprised that people with large amounts of bitcoin don't have better security measures. For that amount of money, I'd consider securing the private key in a safety deposit box. Probably several safety deposit boxes, actually.

They apparently had 500k BTC in their MtGox account, which is insane. Unless they were actively trading all of that they should have withdrawn from MtGox to the BitCoin network.

If they were Satoshi, they could be sitting on enough early-adopter bitcoins that 500k is relatively not insane.

I keep reading about people only being able to take a small number (50 or 80 BTC) out of the market at once, which is why the hacker couldn't do the same.

If that is true, then once you have your 500k BTC in the exchange, it will take you over a decade to get them out, either as cash or as bitcoins.

And therein lies the seed of the eternal cat-and-mouse game that is key management.

Technically, each layer of security you impose is also an impediment to the bitcoin market's liquidity.

Technically true, but no-one can sell off 500k bitcoins without the market crashing anyway, so from a practical perspective, no liquidity is lost.

Agreed. It seems the real fallout of this incident is the fact that the rollback can never recover BTC taken out of the exchange accounts and put into anonymous local "wallets". I wonder who will cover those losses?

"to virtually nothing" - I believe this is misreading the chart. I had to take a second look myself. The light red column at 5:10pm is trade volume (240K sold). The price stayed between $17-18. The sale of 260k at 5:50pm was priced between $10-$13. The lowest price during the 'crash' is $10.

My theory is there are miners with large amounts of BTC and someone decided to sell a lot in a relatively small market. According to the depth-of-market calculator and there is only about 2000BTC in total on the buying side right now. Its easy to swing the market.

No, there were definitely transactions for $0.01 per BTC in the live feed.

Here is another nice graph: http://leanback.eu/bitcoin/plots/20110619195756-mtgox.png

This was apparently on HN 14 hours ago:

Mtgox hacked database listed for sale (pastebin.com)


pointed to: http://pastebin.com/ui0nusuZ

which says:

  I have hacked into mtgox database. Got a huge number of logins password combos.
  Mtgox has fixed the problem now. Too late, cause I've already got the data.

  Will sell the database for the right price.
  Send your offers to:

Was he accepting BitCoins?

i must admit i'm somewhat impressed how fast the hackers and cheaters managed to take over bitcoin trading.

i think it's kind of cute. people hoped for an economy no government could control, and got exactly that: anarchy and a burning world.

Where is anarchy? What's burning?

Someone sold a huge amount of Bitcoins. The market acted accordingly. Expect a bounce back to the old exchange rate as soon as Mt. Gox is available again.

Of course it might be possible that the computer of the person who sold the Bitcoin was cracked. But that's not the fault of Bitcoin - if someone is not capable of taking care of the security of his local computer, it's better not to use a distributed currency where your money is basically stored inside a single file.

Exactly, someone sold a huge amount of Bitcoins. I.e., this was the first time it was hacked by someone stupid enough to call enough attention to his crime to have most of what he stole taken back from him. What do you want to bet someone smarter got in there first, and is maybe still in there? There are subtler ways to steal money than grabbing a huge amount all in one chunk and trying to cash out.

> Of course it might be possible that the computer of the person who sold the Bitcoin was cracked. But that's not the fault of Bitcoin.

Just like it's not the fault of the dollar if someone mugs you at gunpoint. Except robbing someone typically requires you to take physical risks and (threaten to) use violence. I'll be very curious to see any effective way of tracking down bitcoin thieves.

If you have to be a security expert to own more than a few dollars worth of bitcoins, the project has effectively failed already.

You don't necessarily have to be a security expert to use Bitcoins, just if you want to run the client by yourself.

If you don't have the required knowledge just pay a little bit to a "Bitcoin bank" that handles the task for you. In the real world you also don't carry your money with you all the time, but store it on a bank.

Wait, so this is the train of thought for Bitcoin:

- Centralized money is bad! We need to create a perfectly decentralized, distributed economy!

- Oh no! It turns out that the average Joe will get burned really badly by this new decentralized system!

- But wait! What if we created these things called "banks" and provide people peace of mind and security by taking on some of this risk?!

- ...?

- Um... not profit.

Did you somehow get the idea that bitcoin users are against banking? Banking (as a concept) and decentralized money are not at odds.

Banking eradicates many of the supposed gains of decentralized money - not all, but most. I just dig a quick Google for "benefits of Bitcoin" and it seems most people agree on the following:

- Anonymity/trackability. Gone if you are with a bank. Sure, possible to sidestep by going through the song-and-dance that is withdraw-send-deposit. We can do this IRL also, but there's a reason people do not.

- Taxability. Welp, if your BTCs are in a bank, the IRS can easily get you.

- Abusive/coercisve government action (e.g., freezing). Well, yeah, if you're with a bank that can happen too.

- Lack of fees. If banks become standard (and if BTC takes off, yes, they will become standard) then kiss goodbye to this benefit - the same way cash right now has no transaction fee, but bank transactions do.

In fact, the only major sell of Bitcoin that remains:

- Inability for government to arbitrarily expand the supply of money.

Still a win, but suddenly Bitcoins have lost a lot of charm, especially for the everyman for whom the above 4 points are much more salient than that last one.

> In the real world you also don't carry your money with you all the time, but store it on a bank.

In the real world, the banks are subject to regulation.

In the real world, the banks /can/ be subject to regulation, and FDIC is a US creation.

If you have to be a security expert to own more than a few dollars worth of bitcoins, the project has effectively failed already.


It's true that key management and security are not as good as they could be in the official client, but that doesn't mean the project has failed, merely that the client needs to be improved.

Improving the wallet security is priority #1 of the dev team at the moment.

Note that no one of the developers expected it to get this big this fast. Six months ago, no one would even bother stealing bitcoins as they were not more than a toy curiousity. Now very serious amounts of money are represented.

Mt.Gox itself was hacked not just a guy. That's a bit like Wall Street being hacked, with due proportions. Also, Mt.Gox reaction to the episode is apparently pissing off a lot of users, as per comments in linked page.

I don't think this is the end of bitcoins but surely enough is quite a ouch moment.

Lesson I've learned today: given that bitcoin wants to be a better currency, they have the chance to provide a better service. A good bitcoin marketplace should enforce two way authentications, maybe with yubikey or even just GPG keys.

> Someone sold a huge amount of Bitcoins. The market acted accordingly.

It doesn't seem very free market to rollback the market and cancel all the free market trades that happened.

No, but that's also what would happen when the stock market behaves weirdly enough. It's a good thing, though, that stock markets and foreign exchanges have more trading volume; I'm starting to wonder what happens if a random blokes with a million actual USD wants to game the bitcoin like George Soros did it with the Swedish kroner.

As a note, when markets get really freaky, rollback of trades happen. I think the usual term I've read is "declared invalid".

Sorry for being off topic but do you have a link that explains how Soros games the kroner? Just out of genuine interest.

Actually the bigger event around it was the Black Friday in 1992: The Bank of England was hoping/pretending that the pound would stay strong against the FRG Mark, whereas Soros lent a massive amount of pound to other people. When the pound finally devalued, he could fulfill the lendings (at the cheaper pound price). The Swedish currency took similar damage.

Basically, governments trying to stabilize their currency are in danger of losses whenever they meet someone with even deeper pockets. In contrast, the Japanese government could out-trade Soros in the crash in 1987 and Soros had to pocket substantial losses.

http://en.wikipedia.org/wiki/Black_Wednesday http://en.wikipedia.org/wiki/Monetary_policy_of_Sweden#1992

It's entirely free market for an exchange to have its own set of rules and regulation.

Yes, for some time MtGox was The Exchange. It seems that it just ended.

I agree. If one ever needed an example of why Mt. Gox or Bitcoin shouldn't be taken seriously. They had a withdrawal limit of $1000 per day, too. This was simply to save one more day of that.

It makes you wonder if Mt. Gox actually had the hard currency to back up everyone's account balance.

The whole point of the exchange is that what you have is only worth what others participating in the exchange are willing to pay.

"It makes you wonder if The New York Stock Exchange actually had the hard currency to back up everyone's account balance."

That doesn't make any sense either.

The point of an exchange is that you can trade one thing for another. E.g., US dollars for bitcoins.

Mt. Gox seems to act like both an exchange and a brokerage. Presumably people have an "account" in which they can deposit and withdraw various currencies.

"It makes you wonder if The New York Stock Exchange actually had the hard currency to back up everyone's account balance." That doesn't make any sense either.

I guess you don't have an account with any brokers participating in the NYSE or other exchanges. You can't open an account without writing them a check. Once you've given them money, you can trade NYSE stocks which may gain or lose value. But the dollars you deposit into your account you should be able to get them out again with low risk.

Each currency or security should represent a zero-sum balance sheet for the exchange as a whole. Unless Mt. Gox spent the hard cash for themselves and hoped the market for bitcoins stayed healthy.

Who do they think they are, a Wall Street investment bank?

I agree it doesn't make any sense (but for a different reason).

Will MtGox buy bitcoins from me? Will the NYSE buy shares from me?

Are these two things actually alike?

Will MtGox buy bitcoins from me?

AFAICT, yes.

Will the NYSE buy shares from me?

Yes, the NYSE is a building full of member broker dealers who will, in fact, buy shares from you when the proper conditions are met. (I.e., you need to be worth their time).

I was under the understanding that not even real banks have all the money of their users on hand. What point are you trying to make?

"Real banks" are highly regulated and in the US are backed up by the US government. I don't know of too many other entities that can handle other people's assets with such low reserve requirements without being considered fraudulent. If there are any, I suspect they're heavily regulated or at least exempted as a speculative private fund.

You're right about the anarchy, but I don't see the burning world. I don't see hackers and cheaters "taking over" bitcoin.

An account was compromised, and despite there being no government regulation, the exchange stepped in, protected their customer, rolled back the trades and protected the market.

That is anarchy exactly! But no burning world. And it is yet another realworld test that has been successfully met by the bitcoin idea.

I'm not sold on bitcoins viability, due to questions about the larger marketability and having not done an audit of the software. But from an economic perspective, bitcoin is a viable currency, or as close to meeting all the requirements that any non-physical currency can.

> and despite there being no government regulation, the exchange stepped in, protected their customer, rolled back the trades and protected the market

You know that's basically the same thing - central entity with overarching authority exerts its will over the market, canceling transactions it's deemed 'fraudulent' between two independent consenting entities. "Free hand of the market" ain't present here, chief - this is regulation.

I would argue that it's not the same thing, since people use Mt.Gox voluntarily. We can expect no-rollback exchanges to appear any day now.

Do they? It's by far the largest BTC exchange - by a factor of ~50 or so. If you want to exchange more than a couple hundred BTC, they're the only game in town right now.

Yes, but they're the only big game in town not because they held a gun to anyone's head or threatened to throw their customers in jail if they dared to start using another exchange, but because they provided the best service. They did not engage in coercion. This is the heart of the free market and of anarchy.

It is the heart of the free market but it is not the heart of anarchy. Anarchy would happily employ coercion. After all theres no one to stop you when anarchy reigns. In anarchy the big dog wins until a bigger dog comes along.

Please don't conflate the free market with anarchy.

"Anarchy would employ coercion"?

You should read up on the foundations of anarchy before spouting your mouth off, since you are woefully ignorant on the subject. Bakunin, Kropotkin, and Bookchin are all good places to start.

Perhaps anarchy the philosophy would not employ coercion. But anyone in an anarchic society would happily employ coercion. That's what I meant when used the poorly phrased sentence "Anarchy would happily employ coercion".

Coercion does not have to be done by a governmental entity. The philosophy of government can wax as poetic as it wants but I know too many people who would happily take advantage of anarchy to employ said coercions. Practically speaking, Human nature being what it is, coercion will be rampant in an anarchic society. I'm quite familiar with the foundations of anarchy. I just occasionally use poor wording :-)

You can't unsubscribe yourself and your property from the government services, but you can from mtgox. That's the difference.

> central entity with overarching authority exerts its will over the market

MtGox certainly is not central authority. If you stop being their customer, they will have just to live with that.

> If you stop being their customer, they will have just to live with that.

That's precisely the theory behind free governments the world over, to wit: "Governments are instituted among Men, deriving their just Powers from the Consent of the Governed". Except we all know in practice there are barriers to withdrawing consent from the government, just as there are surely barriers to leaving a market.

> the hackers and cheaters

To throw in a bit of conspiracy theory, it may have been the good guys...

P.S. If the latest news are to be trusted it was a cheater. Actually the $1000 he got, is a rather low price to pay for a lesson that... instructive.

Sounds like it has been dealt with pretty well:


It just mean that the market is really small.

do you mean that if the market would be bigger such things won't be done? they could do more of the same unfortunately..

If the market was bigger, 500k would not crash it, as there would be enough buy orders to take someone dumping 500k.

It would still be crashable, but more would be needed if it was bigger.

When the market is really big, then only the really rich people can manipulate it. Comforting thought ;)

It's already a little disturbing to realize that a single account held 261K BTC out of 6.5M BTC in circulation.

I wonder how the distribution of bitcoins compares to that of dollars

I think that someone actually kept that 250k BTC in their MTGox account!

If I'm doing my math right, $500k is something like 2% of the bitcoin economy. Imagine what would happen to wall street if someone cashed out a few trillion dollars' worth of stock at once.

And if "your math" is "number of BitCoins extant time current market value of one BitCoin", your math is not correct. Macha is correct; crashing the market with $500K is proof that the entire MtGox exchange can't be much larger than that, no matter what multiplication says.

Of course MtGox isn't much bigger than $500k per ten minutes. Given how many bitcoins there are and how much each is worth, that kind of volume would be like every cent in the United States changing hands every couple of hours.

You have a terribly flawed idea of how exchanges work and what they are; your logic doesn't flow at all. But I can't really correct that in an HN post.

Entirely possible; I'm writing these before bed after getting home from work. I just have a feeling that if someone tried to convert 2% of the world's USD to rubles in a few seconds without an equivalent transfer in the opposite direction everything would explode. MtGox not being able to handle a transaction like this simply means that there was less than 500k flowing in the opposite direction every ten minutes. If there were, that would imply either a spectacular amount of arbitrage or enough transactions going on inside bitcoin for people to be changing 500k back and forth every ten minutes. This crash just means that neither of those are happening, which I find entirely believable.

and honestly it only dropped for a minute...then it went right back over $14...so even if this had really been legit it would have sorta recovered.

Did you not read the outcome? The accounts are being rolled back while other exchanges are operating fine. These kinks have to be worked out and it's better late than never - even though it's relatively early.

Yes, the mayhem at the beginning is expected but I'm curious if the trial/error process could actually bring some sound stable system at the end. I'm inclined to think that this won't happen because most of the people in the bitcoin "economy" have some serious dislike for central authorities. And it's hard to design a stable monetary system without some kind of regulation and more transparency.

Wanting to avoid single points of failure doesn't seem that strange to me. It's an engineering decision, not a political one. Central authority is just a central system to hack, or become corrupt.

You wouldn't let your business become reliant on a single-supplier part, why would you let it rely on a single-supplier currency?

Regulations are only worth as much as the authority regulating them, if that. Just look at the USA. All the laws required to stop the recent mortgage meltdown were already in place and could still be used, but won't be. What value do those unused regulations have? It's better to have less fake regulations and simply not depend on a non-existent safety net.

well the IRL exchanges are run by cheaters and there's not much anarchy around yet.

I'm a little annoyed that MtGox effectively is bitcoin. I've been spending my mined coins on goods from various merchants and it has been working great. That's what bitcoin is designed to be, a currency. Recently there's so much speculation and people buying, holding and selling that so much focus has shifted away from the real use.

Mining was never supposed to be the primary means to obtain bitcoins. As long as people are still being paid salaries in other currencies, they'll need to use an exchange to buy bitcoins if you want them to participate. On the other side of the (bit)coin, do you suppose those merchants you're buying from can pay all of their suppliers in bitcoins? So they need the service of an exchange, too.

This is an "I told you so" post, but not about bitcoin, about the current exchanges.

I haven't cashed out any bitcoins because the current exchanges are a fucking joke and I've said as much many times in the IRC channel and forums. Bitcoins will remain a novelty for people with lots of disposable income until it has a real money changing service linking it to other exchanges. I can not conceive of the level of folly it would take for me to put anything more than pocket money on one of the current exchanges.

Newest update:

Apparently someone got the whole user account database of Mt.Gox

I wont publish the link to it though for obvious reasons.

Quick analysis: the database is legit, it contains user id, username, email if set, and a bcrypt hash. The hashes seem salted with a global salt.

Something weird is going on. I just downloaded the CSV file and my account was in there(I don't really have any bitcoins at the moment, so that's OK). But I just got a message when trying to log into GMail about 'suspicious' activity being detected on my account. My guess is that someone might have tried logging into my mail. Luckily my email password is unique, so I don't think anyone got in. I hope that other people in their DB was savvy enough not to re-use passwords.

Google has preemptively locked all the Gmail accounts that appeared on that list. (see http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg...)

About 1600 passwords in this database are hashed with plain md5 without salt. I found quite a lot hits (34% success rate) using a rainbow table cracker.

Password hashes are standard php crypt() ones. I'm in that DB, was able to generate the hash using the DB entry (in contains the salt for each password) and my one-time password from mtgox. One-time PWs ftw.

I don't think the db is public, it's being sold for a price.

It's public. I have the db loaded in mysql right now, and have confirmed its validity (my account is in there).

Quite public. At least passwords seem to be hashed, though.

The entire account database was also leaked:


So it was... I confirmed my username is in there but at least passwords are hashed. Luckily, I never added an email address and used a different Username and pw than I do everywhere else. Gotta take precautions with bitcoin!

Doesn't look as if passwords were salted, though :-( (Edit: just read in another comment that there seems to have been a global salt)

They were hashed using the standard php crypt() method, it generates a salt for every password encrypted. I'm in that database and was able to generate the exact hash. Luckily I use one-time passwords with such things...

Hm, if it is using the same hash all over the world (on your computer it has the same salt as on the MtGox server?), what is the point? I don't understand how this salting scheme is supposed to work?

Edit: Ah OK, the salt is encoded in the String.

In theory, it just slows it down so rainbow tables are ineffective (not that people need them anymore), and it requires you to brute force each password than brute forcing one password and then checking it against everything.

In reality, it's all MD5 and the passwords were leaked to a community who are running tons of GPUs to brute force hashes. So it's kind of irrelevant.

The salt is one of the other fields in the row? I'm pretty sure I used unimportant password, but I can't remember for sure!

You can recreate the hash by calling crypt() in php with your PW and the full hash as arguments. Basically, the hash is built like $1$_salt_$_hash_ - by feeding it as an argument to the function, you make it use the same salt used originally at encryption, when it was randomly generated. This is exactly the way these hashes are verified on login.

Wait. The effective exchange for bitcoins worldwide is using PHP internally? People are actually trusting this with thousands of dollars in cash?

I'm not even much of a PHP fan, but it seems like you're unaware of what most people use. Including financial institutions.

Haha. I came from PHP and won't ever go back, but, you would be surprised what people use PHP for.

Very sloppy. When you're dealing with actual money, industry-standard practices like this shouldn't be considered optional.

Legally, they're not. Bitcoin just isn't actual money in any country.

Someone should buy sealand and change the national currency to bitcoin...

What would be the point of doing that?

You can also have real money in your mtgox account.

I keep getting a message saying that forum post is inaccessible to me.

If this was legitimate "dump" (by someone who obviously didn't care about the money), it was certainly the fastest crash of any known market ever.

That's about 7% of the total number of bitcoins in circulation. Anyone have details on how this happened?


according to the guy running the exchange: user with 500k bitcoins was hacked (probably password bruteforce or csrf).

they'll probably reverse all transactions since then

Mtgox has announced they're indeed reversing the transactions. https://support.mtgox.com/entries/20208066-huge-bitcoin-sell...

Presumably they can do this because they're not actually bitcoin transactions, just exchange trades. The bitcoins and USDs entering and leaving Mtgox are not going to roll back.

How do you "reverse" transactions that live in a peer-to-peer network? Or are you saying that MtGox has some kind of buffer of transactions that haven't been "executed" onto the network yet?

MTGox runs its own private system. They display the value of BitCoins you can withdraw, but they're not really BitCoins until you withdraw them.

As far as I know bitcoin transfers are issues without any delay, so it would indeed be impossible to reverse the transactions.

Who is 'they'?

As far as I understood bitcoin, there is no authority. Nobody can do anything about a user having 500k of his coins hacked, and nobody can do anything about the market crash either.

As long as the money hasn't been withdrawn from the market, the market should be able to reverse all the transactions. The problem would be if the BTC or USD were withdrawn from the market before they shut down trading.

the exchange is a central authority, and acts like one.

you can do whatever you want with your bitcoins, but currency exchange is liable to laws and regulations.

as far as i know you're right. there is no infrastructure for rollbacks of any kind.

MtGox != Bitcoin. Transactions on bitcoin network cannot be undone, that is true; however, MtGox will undo the transactions inside their system (buys and sells within MtGox). The only thing that cannot be undone is the withdrawal of 80 stolen BTC from a MtGox account into Bitcoin network.

they'll probably reverse all transactions since then

How can they? Surely if the blocks have started to get verified by other users then you'd have to fork bitcoin to do it? Wasn't "There are no chargebacks" one of the selling points of BitCoin?

That's kind of scary that a single user had roughly 7% of all of the bitcoins.

Does anybody have a link to instructions for reading that kind of chart (or the name of the chart type)? I used to know, but it has been many years.

I suppose green bars means the price went up and red down, and the bar extends between the high and low price. But what does the chunk in the middle mean? And where can I see that 500k were traded?

EDIT: The below is wrong, see here: http://en.wikipedia.org/wiki/Candlestick_chart

The chunk in the middle is the price for the majority of trades, and the lighter bar is all trades, if I remember right.

The small bar indicates the range of prices during the time frame (for example, each bar could represent 15 minutes of trading on a 15 minute chart). The big bar shows the closing and opening prices for that time range. If the closing price is below the opening price the bar is red, and vice versa.

The red bar that shoots up from the bottom is the trading volume, and usually isn't covering up the bars so it looks strange. It just says a ton of BTC was sold in that time frame.

It's called a candlestick chart.


There are two charts here.

Along the bottom of the chart is the volume of trades, i.e. how many shares/coins are being sold or bought (and whether they're being sold or bought).

The chart in the middle is the price and variability of the trades (i think).

Not a stock person or a BTC trader. Just gawking at the spectacle.

I like the looks of this chart of the crash, haven't seen that kind before: http://leanback.eu/bitcoin/plots/20110619195756-mtgox.png (found via @zedshaw on Twitter)

And Zed found it from me on Twitter, and I found it on this thread: http://news.ycombinator.com/item?id=2671576 (Just setting the record straight as Zed attributed it to me)

Lower limit of $0 a bitcoin showing there, did someone really dump bitcoins at $0.01?

$0.01 is still a profit if you stole the coins.

So for someone who doesn't understand economics that much, what does this mean? Have bitcoins finally failed?

Not as such. As an example, Steve Jobs ownes 7% the shared of Disney. If tomorrow, he were to sell them all, no matter what the price, there might not be enough people to buy them all, so people who, for the laugh, said they'd buy Disney stock at $0.01 a share would eventually get the shares. Thus the stock price for Disney would drop to $0.01. A similar thing just happened to BitCoin, but rather than shares of Disney being traded, it was bitcoins.

This is the best explanation so far. Thanks!

Someone just went to sell a ton of bitcoins at once. Because the market's so small they were able to fill all the buy orders placed all the way down to 1 cent per bitcoin. Some people with long-shot bets made quite a bit of money. About half of the 500k filled the buy orders on the way down and half of them were sold at the 1 cent price.

Which kind of implies someone was doing this with stolen coins, right? You don't sell so cheap if you have USD 8,500,000 on paper and want to get as much possible out of the sale.

unless you are US government trying to destroy alternative currency. right?

This didn't destroy bitcoin... but it made a lot of cash for some bottom feeders.

What they did was destroyed the reputation of Mt. Gox - I don't think the Gox people will have a very good outcome as their customers jump ship to other exchanges.

BUT on the other hand, you could say Mt. Gox was asking for it with such poor security measures. A day ago, it was a CSRF hack ... and today it's a database dump.

I tell ya, tomorrow, the code for their trading platform will hit the net.

In fact, I wouldn't put it past the operators of the other exchanges to perpetrate something like this.

In reality, no damage to the bitcoin network was done, but Mt.Gox ended up with egg on their face.

Where will all the trades go? To other bitcoin exchanges - and there goes the services charges too. There's a sizable amount of money to be made by taking down Mt. Gox.

Imagine if someone stole 7% of all printed currency in the US and then traded it for gold at effective prices as low as pennies on the dollar. That's effectively what just happened with bitcoins.

BitCoins haven't really started yet in my opinion. It seems far too early to say they have failed or not.

<CorvusCorax> poor bot had a division by zero when trying to calculate the mt gox exchange rate

Out of curiosity, how does the Mt.Gox hold the bitcoins. Do they have a bitcoin account for every user or do they hold all the bitcoins in their account and trades are only changes in their database?

The latter; in the block chain you can see a single address that holds over 400K BTC.

I'm on record here as saying a few weeks ago that a BTC bank needs to be established.

I reiterate my position. A BTC bank needs to be established, with appropriate data protection features.

Sounds like a startup opportunity.

Absolutely. I wish I had enough time and security knowledge to do it.

A BTC bank will have to have some no-kidding competent security around it.


You know whats funny about that whole 25k thing...he has shown no proof, says he filed a police report but has not shown it, media went wild with it (with no evidence) and to the best of my knowledge no media outlet has interviewed the supposed law enforcement regarding the matter....I smell some FUD...there are numerous more inconsistencies with his story and many believe him to be a troll.

NO early adopter leaves his wallet.dat file unprotected on a known compromised computer. Especially one who claims to be an early adopter and saying he got in later in the same post. If you really read that whole thread you will smell a rat or troll also.

NO early adopter leaves his wallet.dat file unprotected on a known compromised computer.

Now that's making claims without proof.

My response was to a comment that was deleted...If you go and read the thread he posted to...which is about the supposed theft last week there seem to be a bunch of inconsistencies with the story...the biggest being he supposedly had 3btc stolen but he leaves his wallet unencrypted, unprotected, on a computer that after having supposed 3btc stolen and flagging a virus threat...either he is lying or he is very stupid...either way I do not feel bad.

As for what happened this morning I believe that the market snapped right back was a good sign...someone dumping .5M BTC at once at the lowest possible amount and it still came back in minutes.

Not only is it making claims without proof, the claims make no sense. Why would anyone with a large pile of Bitcoins want to drive the price down by advertising how insecure the currency can be?

The flash sale broke the price resistance chart: http://mtgoxlive.com/orders

If the 500K Bitcoins sold are the total of the Bitcoins in all MtGox wallets, than Bitcoin is over.

Sample of one: I have for about 100 USD in Bitcoins at MtGox, if they got stolen today, I will leave the project.

Yea, I had been keeping my bitcoins in MtGox too, but I figured at the very least I wanted to have two points of failure, so I moved half of them onto my computer.

Figured worst case scenario I'd lose half in a single day. But hopefully that's not what happened!

I think the bitcoins belonged to a guy who had his wallet of 500k stolen some time around last week.

You're probably thinking of the guy who claimed he lost 25k bit coins (which at that moment was "worth" 500k USD). This was a trade of 500,000 bit coins.

Ahh yes, you're correct, I got confused.

he had only 25k stolen.

Interesting that on bitmarket.eu there are a lot of buy offers for 0.01€ suddenly. I wonder if those are already bots trying to automatically react to the mtgox price.

More likely, people trying to make bank when (not if) it happens again.

Ah, true, taking advantage of market glitches. I should add some positions for that, too :-)

The real question is if mtgox can actually reverse trades like they claim they're going to do as a result of this situation.

In a regulated exchange it's certainly possible. Is it possible with bitcoin? Once the block is away...it's away.

If you want to check if you've been Mt.Goxed I whipped up a little something for that


If you feel like complaining, check Complainr: http://complainr.syx.sk/

Some people already started :)

mtgox.com is offline. Did they shut trading down?

the site has been on and off for the past week or so. not intentional perse just busy servers as far as i can tell.

I was in the bitcoin forums and mt gox as this happened...they shut down afterwards.

I wanted to see if I could buy some on the cheap, but I wasn't already set up to do so. I would never take this currency seriously, but I'd be willing to put in a bit of money to speculate a bit.

I looked at bitmarket.eu but they have a manual verification process, which I'm sure would not complete until after the price recovers. Oh well.


We shouldn't be surprised by this. This monetary have no authority behind it.

That this was Bitcoin was of no consequence. The hack was of a web site that happens to provide an exchange for Bitcoin, not the Bitcoin network. It could have been an exchange for anything.

The proliferation of amateurs with even less security than Sony is a predictable side effect of decentralization.

I have more trust in Darwin's law than banks, banking rules and centralized control to solve this issue.

What is the point of down votes without explanation?

You're being downvoted because you neither understand the Bitcoin system nor the mechanics of how Mt. Gox works, as evidenced by your post.

Sure, i don't understand it, neither the people who brought bitcoins.

And you're basing this statement on what evidence?

You're both wrong and arrogant. Or, at least, perceived as such.

Your post ran counter to internet-libertarian dogma.

Probably. I regret each time i comment here, but I attribute this to the cultural differences between California based NH-users and the rest of the world.

It's not cultural differences between California and the rest of the world. It's simply that your statements indicate you're commenting without an understanding the subject matter.

This incident occurred because (a) people with large amounts of bitcoin do not always store them securely, and (b) the bitcoin market is very small, and therefore can be destabilised by relatively small amounts of money (a few million dollars, for instance).

I should say it again: This monetary system have no authority behind it and as such is going to nowhere. Disclaimer: I work as financial analytic and at least have some knowledge of how money work.

Let me explain what I mean: "Real" money are just a tokens, transferring the "Trust" between one market participant to authority and other market participant to authority. By "trust" I mean that every participants believe that Rules in the market will be followed. When you have N market participants you have N*(N-1)/2 ways to exchange "trust". If I understand correctly Bitcoin is N to N system. When you have Authority there are only N ways to exchange it - Each participant to Authority. N^2 is not scalable at least. And N^2 monetary system might work in theory only when there are no problems like this security problem.

Trust that the participants in the market will behave in accordance with established rules on penalty of punishment of human administered centralised authority is one thing, trust that mathematical truths governing how cryptography works is completely another. If the latter does not hold, the financial institutions which you claim to be employed by are in a lot more hot water than they would be if it does and bitcoin flourishes because of it.

It will take a long time for normal people to understand the implications of the cryptographic backing of bitcoins. Even quite a few people here don't "get it"

You always need governing authority to enforce the rules, just because the cryptography protocol can not handle all the possible situations of human interactions and because money have no intrinsic value. Value is determined by the level of trust to Authority transferred by different communication channels and protocols (encrypted messages, paper with special printings etc.) In the case of Bitcoin it is not necessary to be Government Authority.

This is precisely what I mean by people do not grasp the entire concept of a mathematical law and how it relates to public key cryptography. There are man made laws which are invariably prescriptive, and natural laws (not in the legal sense) which are invariably descriptive, and fallible only to the extent that this is not the case.

There is no authority needed to enforce these natural laws just as there is no authority needed to enforce gravity, it is a force of nature, public key cryptography relies upon mathematics which is also a force of nature. If the math is incorrect the system is insecure, failing that no authority is required to uphold the mathematical dogma of public key cryptography lest faith in the system be compromised. You're working from a set of premises and assumptions that simply do not apply here.

These laws do not require enforcement by an authority;


Read this for a primer on public key cryptography;


I pretty well understand both laws of science (PhD in physics) and what PK cryptography is, but you still don't get my point. There is something outside the protocols implementation, that are secure and do the job they are are developed for.

So which "authority" gives gold its value?

The rules in Bitcoin are enforced by cryptography and the CPU-majority. So long as public key encryption works, and the majority of Bitcoin mining power is put to honest use, the system is trustworthy.

Accidentally upvoted this... HNs really needs to have an undo vote feature, even if it is as blunt as slashdots "undo moderation".

You can always down-vote my other comments if this make you fill better.

Feeling good is not the purpose of the comment voting system.

I pretty well understand that there are rules that are technically implemented to be enforced (protocols, cryptography etc) but when there is some problem in the system (hacking, fraud etc.) there is no one to enforce fairness. The value of given currency is not based only on technical implementations but on trust. In this case the trust and Authority is the technical implementation of this protocol (all bitcoin markets participating). The technical implementation cannot self improve. You can only trust that technical implementation (cryptography, protocols etc) are implemented as specified.

If someone hacks into your computer and steals bitcoins, you report them to the computer crimes division of the police. It is not the job of the currency itself to enforce fairness. If someone steals $100 from me, it's not the Federal Reserve that gets involved.

And you expect police to return you stolen bitcoins?

No more than I expect them to return stolen property. If I had a large amount of bitcoins, I'd probably want to insure them, or at least keep the private key in a secure location, such as in a security deposit box.

The police act as a deterrent, and make it more difficult to offload stolen bitcoins without being caught.

I suspect the downvotes come from around the world, not just California.


http://news.ycombinator.com/item?id=752262 (shame can't see the vote counts on this one any more)

Applications are open for YC Summer 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact