Mt. Gox Hackers Extorting BTC for Customers’ Personal Information

March 12, 2014 00:30 UTC
Russian hacker Nanashi claims to have a database of Mt. Gox customers’ personal information.

About a week ago, Russian hacker “Nanashi” leaked the entire source code for Mt. Gox. Unsurprisingly, considering how unprofessional Mt. Gox has been, the code is pretty bad.

Some random red flags:

  • – There’s a class with the name of the application. (Issues: Scope, SRP)
  • – There’s a class with 1708 lines of code. (Scope)
  • – There’s a switch-case statement that runs over 150 LOC (readability, maintainability)
  • – There’s a string parsing function in the same class as transaction processing (Separation of concerns)
  • – There are segments of code commented out (are they not using source control?)

Now, it seems like Nanashi and the rest of his/her group have turned to extortion. If you were a Mt. Gox customer, Nanashi claims to have your personal information, including passport scans, and will sell it unless you send 0.25 BTC (~$160 at the time of this post). Apparently 20% of the customer database has already been sold to two unknown buyers, and the rest will be sold sometime this week. If a customer was part of the 20% already sold, “it’s too late for you.” However, Nanashi outlines the following steps for everyone else who wants to remove himself/herself from the database before it’s sold.

  1. Email with the email you used with mtgox.
  2. I will check file already sold, if you are not part of that I will send you unique bitcoin address. If you don’t get response it means your data has already been sold in first batch or we have finalized sale of all data.
  3. After you have sent .25 bitcoin payment, email us again to inform us of this.
  4. Thats all, we will delete your personal data and passport scan from all copies of database.

Furthermore, Nanashi states, “do not email us asking to confirm what information we have about you,” after receiving over 3000 emails asking for confirmation within the last 36 hours. Instead, the hacker simply states,

“If gox had it, we have it, and as you can read on boards we have confirmed possession of this dump for many people. We let you use our same email for this as all other gox hack communication so you know we are same people.”

One reddit user sent a fake email to Nanashi claiming to be a rich Saudi Mt. Gox customer, and asked if his information had been sold yet. Nanashi replied with the following:

Of course, this could mean that the hackers actually do not have the database and that this is just one huge scam. On the other hand, the email states that any data associated with the fake email has not been sold, which is a true statement since there is no data to sell. Nanashi stated that he/she checks the email against a list of addresses that were a part of the “sold” list instead of checking against a list of all people in the database. Furthermore, even if Nanashi does actually have the database, there is nothing to stop him/her from selling it even after people send the 0.25 BTC ransom. After all, how can you trust an extortionist?

Unfortunately for Mt. Gox customers, this seems like a no-win scenario.

Last modified: March 12, 2014 00:46 UTC


I enjoy keeping up with the latest stuff in science and technology and have been following Bitcoin for a few years now. I also occasionally post cool stuff on twitter.

Show comments