Mark Karpeles' blog hacked (magicaltux.net)
152 points by drewblaisdell 872 days ago | 84 comments



The leaked data set contains:

  * screenshot of the back office application
  * OSX and Windows back office application binaries
  * btc_xfer_total_summary.txt
  * CV-Mark_Karpeles_20100325.pdf
  * home_addresses.txt
  * trades_summary.txt
  * btc_xfer_report.csv containing every deposit and withdrawal
  * mtgox_balances containing the balances of all user wallets
  * trades.zip containing monthly csv files of all trades within mtgox & coinlab between 2011-04 to 2013-11
  * trades csvs have fields:
    Trade_Id, Date, User_Id, User, User_Id_Hash, Japan, Type, Currency, Bitcoins, Money,
    Money_Rate, Money_JPY, Money_Fee, Money_Fee_Rate, Money_Fee_JPY, Bitcoin_Fee,
    Bitcoin_Fee_JPY, User_Country, User_State
From this data you could reconstruct every trade within the site, and identify the address from transaction values.

This dataset could lead to loss of anonymity to a significant number of people in the cryptocurrency world.


If what you say is true and this data is sufficient to recreate and de-anonymize the trades on gox against withdrawals from their addresses, shouldn't we be able to see if coins were actually stolen through tx malleability?


My cousin had an account on there with 102 BTC, and bought it while the price was around $650. He has been having a hard time for the last few days, but after a trekking trip and being with him since the fiasco he seems to be coping fine. He is more worried about the driver's license copy he provided as verification. The database sure is leaked, and identity theft seems a real possibility. What are the safeguards that can be adopted now? Any help will be good.


Primarily, you need to straighten out your framework - "identity theft" isn't actually a real thing. It's a marketing term to scare people into thinking they share fault for institutions' trivially broken systems. In the event that a third party commits fraud using your cousin's non-secret driver's license number and your cousin suffers repercussions, the actual concepts you're looking for are libel and tortious interference committed by credit bureaus and banks.


What kind of stupid comment is this? "Identity theft" has caused people to be chased by collection agencies, to be prosecuted for or imprisoned for crimes they had nothing to do with, and to have their credit ratings ruined.

Case in point: a copy of a guy's id card here was used when signing a lease for an apartment. The apartment was later found to contain a marijuana plantation. The public prosecutor claimed the guy was the guy behind it all, and had him arrested several times until 2 years later, at trial, the judge decided 'well it can't have been this guy, given all the circumstances'. In the meantime, he lost his job over it, was so stressed and depressed that his relationship fell apart, and was in financial ruin.

He handed a copy of his id to a temp agency once before this thing happened. Probably somebody there copied it, or there was a break-in there and somebody took it. There was no way to hold them responsible, nor were the actual people who rented the house ever found.

How can you say that 'identity theft' isn't real?


The problem is that the term reverses the arrow of causality. It indicates that there is some specific "identity" that an individual possesses, and thus implies the individual has a responsibility to protect it from being "stolen".

> There was no way to hold them [the copier of his ID card] responsible

With the term "identity theft", one concludes that his damages come from being the victim of the copier, and that this crime was never solved. However, every harm that befell him was actually due to other parties that operate completely out in the open, but they manage to escape your blame!

> prosecuted for or imprisoned for crimes they had nothing to do with

The real crimes are the utter incompetence of the prosecutor and the extrajudicial punishment from merely being targeted by that system.

> people to be chased by collection agencies

The collection agencies are committing harassment and extortion, rooted in negligence.

> credit ratings ruined

Libel and tortious interference by the credit bureaus.

In all of these cases, the term "identity theft" primarily serves to obscure the root of the problem, which is the utter lack of diligence by creditors and the unearned importance given to the results of their sloppy process. The parties responsible for the above transgressions seek to pass the buck by glossing over their glaringly simplistic assumptions, because any actual fix would make their job much harder.


On point: http://www.nj.com/essex/index.ssf/2014/03/mistake_by_newark_...


This is one of the most brilliant comments I've read in months. How can we make this perspective more mainstream?


It is? It reads like a mix of truth and sophistry. If somebody frames you for murder, you may well blame the prosecution for being incompetent, but the main guilty party is certainly the one who planted the evidence in the first place.


Yes, the murderer is still guilty of murder, just like the fraudster is still guilty of fraud.

But this doesn't account for the additional damage caused by complete reliance on "evidence" that shouldn't even pass a sniff test. One would very much fault a prosecutor for continuing to press a murder case with the sole piece of evidence being a typewritten note saying "I, John Smith, committed this murder".


(If I understand the original argument) a better analogy would be being framed for murder while the guy who framed you cashed out a life insurance policy on you. You neither took out the policy nor benefited from it - yet the burden is on you, not those who paid out incorrectly, to prove your innocence.

The prosecutors aren't being blamed here (by OP), but those who profit by blind prosecution are.


I really don't know, besides just stating the truth and hoping people recognize it. I think the disconnect is ultimately due to a precession of the model - as a system gets taken for granted, people analyze things in terms of its paradigm and its failures become seen in terms of the system's abstractions rather than the underlying reality.

On the other hand, when I'd write comments like this five years ago, they'd generally get a net negative reception. So it seems like widespread belief in manifest human inventorying and tracking is hopefully wearing off.


mind boggles

A word is a word is a word - you can make it your pet peeve to redefine common terms to mean something that better fits your ideology, but that still doesn't make it relevant to us here living in the real world. Whatever you call it, people impersonating other people are a real and tangible threat to those being impersonated.

You can go blame others and make grandiose accusations of 'incompetence', 'the system' ('holding us down' too, presumably rollseyes ), 'harassment', 'extortion', 'tortious interference' - that just shows you have no idea of the law, sociology, history or the realities of emerging behavior in human relations.

What is your point, exactly? Are you saying the problem will go away if only everybody except the criminals doing the identity theft would... I don't know, what exactly?


These are just common feel-good anti-intellectualisms about individual words and phrases I wrote, which ignore my actual points.

So I'll try to put it plainly:

Most of the problem will indeed go away if everybody, not just the criminals, stopped relying on the concept of "identity" as if it were infallible.

In your example, the negligent prosecutor is responsible for the sheer majority of harm to the victim, by failing to evaluate the quality of the evidence. By perpetuating the term "identity theft", you are giving that prosecutor a shield to hide behind instead of them having to change.


He's doing a shitty job of pointing out that "negligence on the part of financial institutions" has been re-branded by the industry as "identity theft" so they can transfer part or all of the liability to the customer, and even get you to pay to protect yourself from their negligence. If he'd spoken plainly and not tried to mimic one of a hundred libertarian web sites that rail on such things it probably would have been clearer.


I wasn't trying to mimic anything, and was primarily saying things that derive from longstanding principles. Your wording is a bit more straightforward, so please chime in with further improvements.


From Richard Feynman:

--------

The next Monday, when the fathers were all back at work, we kids were playing in a field. One kid says to me, “See that bird? What kind of bird is that?” I said, “I haven’t the slightest idea what kind of a bird it is.” He says, “It’s a brown-throated thrush. Your father doesn’t teach you anything!” But it was the opposite. He had already taught me: “See that bird?” he says. “It’s a Spencer’s warbler.” (I knew he didn’t know the real name.) “Well, in Italian, it’s a Chutto Lapittida. In Portuguese, it’s a Bom da Peida. In Chinese, it’s a Chung-long-tah, and in Japanese, it’s a Katano Tekeda. You can know the name of that bird in all the languages of the world, but when you’re finished, you’ll know absolutely nothing whatever about the bird. You’ll only know about humans in different places, and what they call the bird. So let’s look at the bird and see what it’s doing—that’s what counts.” (I learned very early the difference between knowing the name of something and knowing something.)

--------

iamshs's cousin doesn't need to be straightened out on the NAME of his situation. He needs help on DEALING with it.


Except this situation is created by the information environment, in which names themselves are quite important. For your comment to be applicable, the credit system would have to be something that existed outside of human creation.

The term 'fraud' makes it clear that the situation involves the fraudster and the defrauded, and OP's cousin is not part of it. The term "identity theft" makes it sound like OP's cousin has had something taken from him and is therefore heavily involved.


"Identity theft" is a catch-all term describing fraud committed using this sort of information. It may not be as specific a term as you want it to be, but that's far from not being "actually a real thing".


The point being that "identity theft" is typically used to shift responsibility to the individual from institutions.

Truth is that "fraud" has existed for centuries (though the incidence of "financial fraud" in print has exploded since the mid 1980s). "Identity theft" emerged in the late 1990s.

https://books.google.com/ngrams/graph?content=financial+frau...


> The point being that "identity theft" is typically used to shift responsibility to the individual from institutions.

That hasn't been the case for me. Each of the several times my data was taken and there was the possibility of identity theft, the company responsible ended up having to pay for various monitoring schemes.

And should that data have been used fraudulently, it would still have been the fault of whatever person took that data, not the institution that improperly handled it.


> the company responsible ended up having to pay for various monitoring schemes

And who did the monitoring?

That's pretty much my point: you have to keep track of the use of credentials in your name, and fight these in a court of law.

There's little or no criminal liability on financial or information bureaus for getting information wrong.

That is: the onus is on the individual, not the system.


This is all very interesting, but what does the terminology of "identity theft" have to do with any of it?


It's not that "my identity has been stolen". It's that financial institutions (and others) have established procedures for freely creating binding obligations in my name on the flimsiest of actual evidence. It's fraud, enabled by financial institutions' weak procedures.


It really is a terrible term though. I dislike it enough that I sent Al Franken a letter asking him not to use it during hearings (though given that I'm not in Minnesota it probably wasn't even a symbolic act).


Is that a legal theory that has been supported by court victories?


I've no idea about recovering damages, but it's at least congruent with reality. No competent security analyst would ever declare that numbers openly printed on a card and freely submitted on forms and devices are authentication secrets.


So the answer is "no", right?


It's not a legal claim.


Very well said. The main problem is the poor system in place and people's lack of ability to put constraints on their records.

Given the current state of affairs it is unforgivable that users can't activate higher levels of security for the use of their information. Given that the costs of the credit industry's practices are borne by people, it is not ok for people to have no say over how casually credit is handed out.


Here is more evidence. "Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data" on millions of Americans http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id... The casual disregard these companies have for what should be private information creates the pain for people.

Europe has much more protection for people versus data brokers (that create huge costs to people with their actions). I think Europe has a much more sensible view.


I agree with you. Even my friends know everything that is contained on the driver's license. Obtaining an SSN can be a trivial thing too. The thing is he wants to contain the damage because now there can be real repercussions. Even though the banks are liable, he still needs to be proactive.


The ground-floor safeguard-which-isn't-a-safeguard is subscribing to one of many credit monitoring sites so you know what's happening.

Your state will have information about what to do if your driver's license was lost or stolen (even though obviously he still has the physical license). Some states will have somewhere to report that you may be the target of identity theft. You should see if you can replace your license.


It is a freaky situation to experience. It was straight freakout at first, which will now be replaced by lifelong paranoia of stolen identity.

Thank you. I did not know that the license could be replaced. If that can be done, that would be somewhat good.

Here are the steps found on the Mounties' site [1]:

A- File a police report.

B- Contact your financial institutions.

C- Report to Equifax and TransUnion Canada

D- Report to info@antifraudcentre.ca

He is more freaked out due to the recent news reports of stolen passports used on the MAH 370.

[1] http://www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm


Privacy Rights Clearinghouse has an excellent fact sheet for dealing with identity theft in the US. https://www.privacyrights.org/identity-theft-what-do-if-it-h...

Not sure how much applies to Canada but there's some very good stuff there.


Thank you. That link was wonderful. Pretty much all of it applies. I think doing a credit freeze will shrink the size of the damage, though medical identity theft still remains a possibility.


FWIW, the original reddit post says "Keeping in line with fucking Gox alone, no user database dumps have been included."


Just because it's not posted publicly doesn't mean it won't be used by whatever parties have it. Given that this seems to be an American posting (comments about pizza and beer) and not the badly-typed Russian hacker earlier, it would appear that two parties at least have a copy of this information now (or alternatively got the information independently). You'd be a fool to assume this person is acting in good faith, they've exposed a hell of a lot of private data by posting this alone.


But, if that hacker can get in, more nefarious ones can as well. You should assume that any information stored with Gox is now no longer private.


True. They have not included it, they probably have it. Maybe there are other people who already have accessed it. He is effectively considering it in hands he may not want.


That's because they may be selling the rest of it. A 'nanashi' has already posted on Bitcointalk their terms (100btc for the entire dump, 10btc for 2gb etc).


I signed up for a Mt. Gox account ~12 months ago and included my driver's license. I then cancelled the account a few weeks later after one of the many Mt. Gox incidents. A few months ago when the price skyrocketed to $1000 USD/BTC I reopened my account with Mt. Gox. They didn't require any further information from me, just a request to open the account.

I took from that that even when an account is cancelled/deleted, they still retained all user information including drivers licenses. Even if you deleted your Mt. Gox account before they went bust you may still be at risk.


Retaining a customer's information after the account is closed is usually required by know-your-customer and anti-money laundering laws.


Yes you're right, I thought that would have been the case. Just putting it out there for people who might think they are safe.


I feel for your friend. I lost a lot of money as well, plus they have a copy of my drivers license and a copy of a utility bill for my home.


I feel for you. He says the hardest part was breaking the news to family. Straight afterwards he drove down to me; he said hearing scorn every second was becoming overbearing for him. Cryptocurrency can be hard to explain in layman's terms.


That's exactly right. I told those close to me that an overseas financial services company I was using collapsed. I only specify Bitcoin if they press for details.


Original post from his reddit account: http://www.reddit.com/r/Bitcoin/comments/1zz21j/mtgox_2014_h...

Bitcoin's history already has a trilogy's worth of entertainment


Until a few minutes ago, you could see this hidden message:

  $ curl http://89.248.171.30/
  <a href='MtGox2014Leak.zip'>They were not made out of magic Mark...</a>
  <!-- I hated working with you.   You deserve everything you get for what you did. -->

The machine seems down now.


Up now


They might very well be in possession of the 950k but have lost the private key to spend those funds. It looks like in recent days they regained control of 200k BTC, so perhaps they've recovered a key or two?

I sure wish they would make a statement soon because if it was in fact the case that they recovered a large portion of their BTC, that would go a long way to bolstering faith in BitCoin itself, whose brand they totally damaged by blaming transaction malleability in the first place.


They never mentioned losing a private key, did they?


Not specifically - perhaps because saying they were stolen is slightly (but only slightly) less embarrassing than saying they misplaced the key.

Karpeles did say something to the effect that the funds were "temporarily unavailable" - which would be consistent with losing the key, if they had any hope of getting it back.


The attack that they claim happened was due to a bug in their accounting software. The software sometimes wouldn't record that a transaction had finished, so that account's balance didn't go down. Nothing to do with losing keys.

Karpeles was trying to get investors to cover the losses after the bug was found. That's why he was hoping the losses would be temporary. But Mt Gox's business practices are so bad no one wanted to invest in them, so that's almost certainly not going to happen.

There is only one way the coins could be recovered: if the thieves are found with the stash intact. Just keep in mind that Karpeles might be the thief.


Last week people had tracked down Gox's prior BTC transactions and they still had the coins in an address they controlled.

I've theorized that they lost the key, not because of any direct evidence, but because it's the only thing that makes a little bit of sense without out-and-out fraud.


I hadn't really thought of that. There's something going on with those addresses today! http://www.reddit.com/r/MtGox/comments/1zsw9l/90000_bitcoins...


[deleted]


>to most people having everyone on earth think that they are criminally incompetent is not worth $400 million.

Have you ever in your life seen a reality TV show? You really think people aren't willing to debase themselves for money?


I think people in reality TV aren't necessarily self-aware enough to know that they are debasing themselves.


It's just a database dump. This doesn't mean that these values are backed by their wallets.

It's possible the bitcoin could be stolen and not reflected in the data.


Wow, this is interesting. The folks dumping the dox asked for donations via Bitcoin. Thanks to the public nature of the blockchain, we can watch in real time as the donations come in: https://blockchain.info/address/1859rayqN1X7DYjD1BrAHm4vaQxo...


You know what would be brilliant? If this were Karpeles himself using "hackings" in a desperate attempt to deflect legal responsibility.

I have no idea what the likelihood of this is, but it's in the realm of plausibility with all of the feces hitting the fan at Gox.


"Brilliant" seems like the wrong word for that.


I'd go for "brillant": http://thedailywtf.com/Articles/The_Brillant_Paula_Bean.aspx


Karpeles posting about himself "That fat fuck has been lying!!" is an amusing thought :)


Just as long as it isn't him saying "every statement I make is a lie".


"I only took a little bit" [1]

"Or Aliens" [2]

[1] http://business.asiaone.com/sites/default/files/2014/01/07/2...

[2] http://i.ytimg.com/vi/ijhzD7FFHSA/0.jpg


It's more likely the other way around. The same hackers dumping it to put the blame on Mark and deflect it from themselves.


Just because my database says I have $100 trillion does not mean I have $100 trillion.


I wonder if the balances revealed are concretely tied to wallet data, or rather simply are entries in a database. If the latter (and from what they said it seems to indeed be the latter), doesn't really mean much / doesn't contradict Mark's words in itself. (cf. Mark's comment that 'technically speaking [bitcoins are] not "lost" just yet, just temporarily unavailable.')


They would just be balances, otherwise every trade in their engine would hammer the Bitcoin network with transactions. No sane person would do anything but have an external database with a fairly tenuous connection to the actual wallet balances.


According to /r/Bitcoin the .zip file contains a virus. It's taking forever-and-a-day for me to download it so I can't verify that.


Which post? I see several that say it's clean.


Waiting for a class-action against Mark Karpeles any minute now.


Does Japan have class action lawsuits? Not all countries do.


magnet:?xt=urn:btih:b6545ecc7db8d44c8cbc4e93989edf8221af75f5&dn=MtGox2014Leak.zip

If you can't get a peer via DHT, add tracker udp://tracker.publicbt.com:80


From the reddit thread: http://burnbit.com/torrent/280433/MtGox2014Leak_zip


That has some advantages, but also some disadvantages. It uses the original server as a "web seed", so even though it's a torrent, it's still putting a little strain on the web server for no good reason. Also with all those unnecessary trackers in there, it's long and awkward to copy-and-paste.


Probably worth adding openbittorrent as a tracker as well:

    udp://tracker.openbittorrent.com:80/announce


Does this (the almost one million BitCoins) mean that he openly lied about being insolvent, or is this an undisclosed donation?


Remember, the "transaction malleability" attack would have siphoned money from their real wallet while not showing up in their accounting software. So having a balance in this file doesn't mean the wallet actually has BTC left.
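As an added example (not code from this thread, Mt. Gox, or its back office), here is a toy model of the gap several comments describe: the exchange's balance database is updated off-chain, so a withdrawal that leaves the hot wallet without the accounting layer recording its completion leaves a balance the wallet no longer backs; `reconcile()` is the check a defender would run against a dump like this one. Users, amounts, destinations and txids are constructed.

```python
"""Toy exchange ledger that is only a claim about coins (added example, not Mt. Gox code).
A withdrawal completes on-chain but the accounting layer never records it, so the
balance is not deducted and a ledger dump shows coins the wallet no longer holds."""
from dataclasses import dataclass

SATS = 100_000_000  # satoshis per BTC; all amounts below are in satoshis


@dataclass
class Withdrawal:
    user: str
    dest: str    # constructed placeholder destination, not a real address
    amount: int
    txid: str    # id the ledger recorded at broadcast time


class Wallet:  # hot wallet as the chain sees it: coins leave whether or not the ledger notices
    def __init__(self, sats: int) -> None:
        self.sats = sats

    def pay(self, amount: int) -> None:
        self.sats -= amount


class Ledger:  # internal balance database; trades update rows here, never the chain
    def __init__(self, balances: dict[str, int]) -> None:
        self.balances = dict(balances)      # user -> balance the database claims
        self.pending: list[Withdrawal] = []

    def request_withdrawal(self, user: str, dest: str, amount: int, txid: str) -> None:
        if self.balances[user] < amount:
            raise ValueError("insufficient ledger balance")
        self.pending.append(Withdrawal(user, dest, amount, txid))

    def _settle(self, w: Withdrawal) -> None:
        self.balances[w.user] -= w.amount
        self.pending.remove(w)

    def confirm_by_txid(self, txid: str) -> bool:
        """Fragile: settles only if the confirmed id equals the recorded one;
        any mismatch is silently dropped, so the balance is never deducted."""
        for w in self.pending:
            if w.txid == txid:
                self._settle(w)
                return True
        return False

    def confirm_by_payment(self, dest: str, amount: int) -> bool:
        """Hardened: match on what was actually paid, which an id change cannot alter."""
        for w in self.pending:
            if w.dest == dest and w.amount == amount:
                self._settle(w)
                return True
        return False


def reconcile(ledger: Ledger, wallet: Wallet) -> int:
    """Wallet holdings minus the customer balances the ledger claims; negative means
    the dump promises coins the wallet does not hold (the thread's point)."""
    return wallet.sats - sum(ledger.balances.values())


def run_scenario(hardened: bool) -> tuple[int, int]:
    """(bob's ledger balance, reconciliation) after a withdrawal whose confirmation
    arrives under a different txid than the one recorded at broadcast."""
    ledger = Ledger({"alice": 5 * SATS, "bob": 3 * SATS})
    wallet = Wallet(8 * SATS)                       # fully backed at the start
    ledger.request_withdrawal("bob", "dest-bob-1", 2 * SATS, "txid-recorded")
    wallet.pay(2 * SATS)                            # the coins really leave
    if hardened:
        ledger.confirm_by_payment("dest-bob-1", 2 * SATS)
    else:
        ledger.confirm_by_txid("txid-seen-on-chain")  # constructed mismatched id
    return ledger.balances["bob"], reconcile(ledger, wallet)
```

With the fragile matching, bob's balance stays at 3 BTC while the wallet is 2 BTC short of the ledger's liabilities; with the hardened matching the two agree, which is exactly the comparison a balance dump alone cannot give you.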


It might be as simple as there being a balance in the accounts, but being insolvent on the books due to outstanding liabilities owed by MtGox. But I'm not an accountant so YMMV.


Even at $100 it is more than the liabilities of 66 million.


Would it be possible to use an alternative blockchain (maybe currency) to do internal accounting? Low confirmation requirement, add the BTC block chain transaction ID as a memo, consistency, etc.


Does this mean MtGox should get on haveibeenpwned.com ?



