
Trades are internal to Mt. Gox until you withdraw your money either as bitcoins or as USD. The compromised account had a $1000 per day withdraw limit, so the thief could only withdraw $1000 after selling all those coins. The rest of the cash is still within Mt. Gox, and therefore the state of the Mt. Gox DB can be rolled back to before all the coins were sold.



Which makes me think mtgox got very lucky. I mean, the hacker could overcome the $1000-a-day limit (roughly 80 bitcoins) by creating thousands of bogus accounts, putting bid orders on the market at $0.01 in all accounts, driving the market to the bottom like he did to fill his orders, and quickly transferring 80 bitcoins from each account out of the exchange. He could get away with bitcoins worth millions, irreversibly and completely anonymously.


I think they were very lucky. Quite frankly I hope people take note of these near-misses and think a lot more about security.


It wouldn't even be necessary.

The 1000 USD is relative to the current price, I suppose. So if I have access to an account with 500K bitcoins and I sell 400K bitcoins so that the price drops to 0.01 (like it did), and then I transfer the 100K bitcoins left in the account to my bitcoin address (and I can, with the driven-down exchange price), when the price goes back up I would have made a killing.


As I understand, there is also a 50 BTC withdrawal limit.
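The two comments above turn on how a USD-denominated limit is converted into coins. As an added example (not code from the thread or from Mt. Gox), this sketch contrasts a limit valued at the last trade price with one valued at a trailing median and bounded by a coin cap; the function names, the trailing window, the sample trades and the per-day reading of the 50 BTC cap are all assumptions.

```python
from decimal import Decimal
from statistics import median

USD_DAILY_LIMIT = Decimal("1000")  # figure quoted in the thread
BTC_DAILY_CAP = Decimal("50")      # cap mentioned in the thread; per-day is assumed

# Constructed sample: trailing trade prices, the last one after the crash.
RECENT_TRADES = [Decimal(p) for p in ("17.50", "17.20", "16.80", "15.00", "0.01")]
CRASH_SPOT = Decimal("0.01")


def naive_max_btc(spot_usd):
    """Weak form: the USD limit is converted at the last trade price only."""
    return USD_DAILY_LIMIT / spot_usd


def reference_price(spot_usd, recent_prices):
    """Never value coins below the trailing median of recent trades."""
    return max(spot_usd, median(recent_prices))


def hardened_max_btc(spot_usd, recent_prices):
    """USD limit at the reference price, then a hard coin-denominated cap."""
    by_value = USD_DAILY_LIMIT / reference_price(spot_usd, recent_prices)
    return min(by_value, BTC_DAILY_CAP)


def check_withdrawal(amount_btc, withdrawn_today_btc, spot_usd, recent_prices):
    """Return (allowed, reason) for a coin withdrawal request."""
    if amount_btc <= 0:
        return False, "invalid amount"
    allowance = hardened_max_btc(spot_usd, recent_prices)
    if withdrawn_today_btc + amount_btc > allowance:
        return False, f"exceeds daily allowance of {allowance:.2f} BTC"
    return True, "ok"


if __name__ == "__main__":
    print("spot-priced allowance:", naive_max_btc(CRASH_SPOT), "BTC")
    print("hardened allowance:   ", hardened_max_btc(CRASH_SPOT, RECENT_TRADES), "BTC")
    print(check_withdrawal(Decimal("80"), Decimal("0"), CRASH_SPOT, RECENT_TRADES))
```

With the constructed crash price, the spot-priced limit permits 100,000 BTC in a day, while the hardened check stays at 50 BTC regardless of how far the last trade price is pushed down.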


One would assume the $1000 limit is in the mtgox code. So if the hacker had full server access...


If you trust the Mt. Gox folks, they're now claiming that there was no server hack, just a database copy that some consultant had that got stolen.

If you trust what they're saying, which might be questionable since their business is pretty much going up in flames at the moment, so they are probably desperate to make things appear better than they are...

I hope for their sake that they actually have enough USD and BTC on hand to deal with the mass withdrawals that are coming...


My understanding is that he actually withdrew BTCs after buying them back - presumably he was not really prepared for all this and only made the hack by accident. Withdrawing dollars would be harder, because he'd need to transfer them via standard banking systems, which takes days and could be stopped on the way, and it would also be much harder to hide traces to the real identity of the hacker. During his buy-back operation the price was back around $14 - and this price was used for the $1000 daily withdrawal limit - reinforcing the notion that he did not prepare the attack at all.



