Bitcoinica breach caused by leaked source code results in 40,000+ being stolen

Back in May, the well-known and trusted bitcoin service Bitcoinica was breached and bitcoins were stolen as a result. Since then the website has claimed to shut down and has a "claims" process for those who were affected in the main breach. It now appears that from that hack others were able to obtain access to another lump of coins which were locked in an account that had its login credentials for a 3rd party API which stored the data. The most recent attack has got a lot of people flaming all over Reddit, saying that the owners of such a service should never be trusted again, and pointing out that they also claim to be security experts. The owners have also tried to justify this by throwing the blame around between "new and old" owners and the middlemen involved.

We were not privy to all the problems when taking on Bitcoinica. Zhou was being paid $8000 a month for operating Bitcoinica in his part time while Tihan was scrambling to get the site working. During the last month, Zhou was not taking pay, to refund the money stolen by the Linode compromise. Tihan was rushing to get the paperwork finished because Zhou is attending school. We kept sending the paperwork back saying it’s incomplete and there’s problems, so when the initial compromise happened, the company was not yet fully formed. The initial confusion was over who is responsible as the GP – the part time owner devoting maybe 5 hours a week? The new owners who had no experience operating the site? The middleman who acts on behalf of the owner and has no technical knowledge? That’s why payments were initially complicated and delayed.

The bit of code that is said to have caused this whole issue is this:

    genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
    if Rails.env.production?
      MtGox.configure do |config|
        config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
        config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
      end
    end

As you can see, they allowed this to be leaked, and clearly they have never changed or updated the 3rd party API and account details to prevent any further damage. Now, we aren’t here to say what’s right and wrong, but clearly the Bitcoinica administration has totally failed to keep a duty of care with its clients’ funds.

A police investigation is claimed to have been started into this breach as well, as stated by a Sr. member of the Bitcointalk forum: "We will open a police investigation and get this clear on the police’s side. We will not however be able to share such details publicly while an investigation is in progress."

Keep up to date with how the community feels about this on the Bitcointalk forum: The source code for Bitcoinica was also published, now being hosted on deposit files in a compressed file that’s 6.2mb.
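The initializer shown above keeps the MtGox key and secret as string literals in the source tree, so anyone holding a copy of the code holds the credentials. The following check is an added example, not Bitcoinica's code: it flags that pattern in Ruby config files and passes the same file once the values come from the environment. The function names, the MTGOX_KEY / MTGOX_SECRET variable names and all sample values are assumptions constructed for illustration.

```ruby
# Added example: flag credential-like string literals assigned in Ruby config code.

SENSITIVE_NAME = /(?:key|secret|token|password)\z/i
# Matches `name = "literal"` or `name = 'literal'`; ENV lookups do not match.
LITERAL_ASSIGNMENT = /^\s*([\w.]+)\s*=\s*(["'])(.+?)\2/

# Shannon entropy in bits per character. Random API keys score high,
# short human-chosen placeholders score low.
def shannon_entropy(str)
  str.each_char.tally.values.sum do |count|
    freq = count.to_f / str.length
    -freq * Math.log2(freq)
  end
end

# Returns one finding per suspicious line. The secret value itself is never
# included, so the report is safe to paste into a ticket or CI log.
def find_hardcoded_secrets(source, min_length: 16, min_entropy: 3.0)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    match = LITERAL_ASSIGNMENT.match(line)
    next unless match
    name, value = match[1], match[3]
    next unless name.match?(SENSITIVE_NAME)
    next if value.length < min_length || shannon_entropy(value) < min_entropy
    findings << { line: lineno, name: name, length: value.length }
  end
  findings
end

# Constructed input shaped like the leaked initializer (values are fake).
LEAKY_INITIALIZER = <<~'RUBY'
  if Rails.env.production?
    MtGox.configure do |config|
      config.key = "3f9a1c2e-7b4d-4e8a-9c6f-0d5b2a1e8f47"
      config.secret = 'CONSTRUCTED+not+a+real+secret/Zx9Qp4Lm7Vt2Ks8Wd3Hy6Bn1=='
    end
  end
RUBY

# Same settings read from the environment (assumed variable names).
ENV_INITIALIZER = <<~'RUBY'
  MtGox.configure do |config|
    config.key = ENV.fetch("MTGOX_KEY")
    config.secret = ENV.fetch("MTGOX_SECRET")
  end
RUBY

find_hardcoded_secrets(LEAKY_INITIALIZER).each { |finding| puts finding }
```

A check like this only stops new literals from being committed; a key that has already appeared in a leaked tree still has to be revoked and reissued at the provider.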

About the author: Lee J

Security Analyst, Developer, OSINT,
