-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1* On Friday, July 13 I was notified by MtGox that somebody had gain unauthorized access to Bitcoinica's MtGox account. I was also notified that most of the redeemable codes used in the heist were exchanged through AurumXchange on July 12.* At the time I was on an extended weekend vacation with very limited internet access. I immediately notified Mark Karpeles at MtGox as well as Charlie Shrem at Bitinstant that I would take a closer examination of the situation on Tuesday upon my return.* Upon closer examination of our database on Tuesday, I discovered that the hacker had indeed exchanged the MtGox coupons to Liberty Reserve through our instant exchange facility. The hacker had also exchanged Liberty Reserve back to MtGox presumably in an effort to conceal and/or "launder" the funds.* Over all, the hacker exchanged a total of $61,875 USD from MtGox to Liberty Reserve, and a total of $17,500 Liberty Reserve to MtGox, for a grand total of $44,375 MtGox to Liberty Reserve. After our fees, this number amounts to approximately $40,000 USD.* These orders were placed on our systems between 2012-07-12 11:46:48 and 2012-07-12 19:41:27 UTC.* The IP addresses used by the hacker belong to TOR exit nodes to my understanding, and are as follows:31.172.30.131.172.30.231.172.30.477.247.181.165146.164.91.24878.108.63.44* The Liberty Reserve account used by the hacker is U9236056.* The email address used by the hacker was stevejobs807@gmail.com * To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.* This information was immediately sent to our two biggest trusted business partners: MtGox and Bitinstant in an effort to join forces to further investigate this situation.* Mark Karpeles indicated that there was an account opened at MtGox using the email stevejobs807@gmail.com sometime in 2011.* Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location, that the email stevejobs807@gmail.com have been verified, and that ALL activity on this account is linked to the MtGox account belonging to Zhou Tong.* Mark has also indicated that the very first operation on the MtGox account opened with email stevejobs807@gmail.com was the redeeming of a 10 BTC MtGox code generated from Zhou Tong's account.* Charlie indicated that Erik Vorhees (a well known member of this community) has emails he exchanged with Zhou using the email address stevejobs807@gmail.com At this time, it appears that there is an overwhelming amount of evidence linking Zhou Tong personally to the Bitcoinica account hack at MtGox. Our legal department has advised us to freeze the funds for the exchange order mentioned above until further investigation by the authorities and/or legal proceedings are concluded.Both Charlie and Mark have informed the current Bitcoinica owners of the situation and advised to start legal proceedings as soon as possible.Posts corroborating this information from both MtGox and BitInstant will follow. I am technically on vacation until mid august with limited internet access, however, I will attempt to answer any questions the community might have as often as possible. Please understand that some information will not be released until all legal proceedings have been concluded.Sincerely,Roberto GutierrezGeneral ManagerThe AurumXchange Company-----BEGIN PGP SIGNATURE-----Version: GnuPGiQEcBAEBAgAGBQJQEMmpAAoJECR5FGDHgkwDCqMH/Awy/Tjtqw9p/vzVh/ewoYgqCPCSjWn1OUZGGkCMeA/ZwkPHV8/FgsQqBTfHJKy7OBZPaRyL7KTynFo6/BfUSCiOtWz4QtRXE8hAV5uJNq6BtUvsSD9LXUFWanSEOZS9mApsmP5jmDc3S7JfBEDHli1wzE9DXJR5jHQmvloRgafIQNxQq8BK7DKG25LpltXCURpVqWFkmulGsMuCqZ9wV0cbfP92Hf4U+FnwSiM5TfZDwtOhbub9E6ilzPHBmfOjuneSEN1S49Zq3wl1wv0sHUda2fJ4jVONpOc6S3pvGN7Jb0pdcUJQtujiOcnc+YbKa1EFBjZYY0WBnJL1EVARy4Q==TFJe-----END PGP SIGNATURE-----

I have located a suspect, his name is 陈建海(Chen Jianhai). He's NOT my friend and we have never met in person. He was one of my previous business associates because he's very familiar with credit card fraud and he advised me a lot (in terms of fraud prevention, of course) when I built my virtual goods payment processor in late 2010. He has knowledge of my secret gmail address and I have once re-used the password in his web shop His English is not very proficient and I'm sure that he's not reading this forum at the moment. I'm giving him a call now to persuade him to admit his wrong-doing and return the funds. I'll post another thread soon.

My email stevejobs807@gmail.com was last accessed from 62.113.219.5 on July 13. The password has not been changed by the hacker (but I have changed just now).There was an auto-forwarding to ryan@xwaylab.com (which is another email address of mine). However it has been changed to bitcoinicasucks@hotmail.com (which is the email that was used to send the "Bitcoinica is done" email to verify@bitcoinica.com ). Of course I couldn't be notified about any email since the change.The email account had a heavily-reused password (for the sites that I don't intend to share any private data), *at least* it was used on LinkedIn and many other websites.I have several email communications between stevejobs807@gmail and other email accounts controlled by me, including a testing ticket for Bitcoinica's ZenDesk trial. The email address has never been publicised.Important discovery in recent emails (all times are in UTC+8):The hacker registered a Liberty Reserve account U9236056 at Jul 12, 2012 9:42 PM.There was several emails from Liberty Reserve mentioning "Verification PIN". It can be seen that the liberty reserve account was accessed by at least: 78.108.63.44, 212.84.206.250 and 31.172.30.1.There were many transactions done at F1ex.com, possibly used to launder Bitcoin. (I checked just now, F1ex.com provides anonymous fixed-rate BTC exchange service.)The hacker signed up for OKPAY, with IP 31.172.30.1.The hacker requested a sell-order on AurumXchange, totalling $5000, using the suspicious Liberty Reserve account mentioned by OP. A Chinese bank account was used (Account name: LIU HAIPENG, Account number: 6222020903006086032, Bank: INDUSTRIAL AND COMMERCIAL BANK OF CHINA).Order link: https://www.aurumxchange.com/order/view/34011/e5b466248e041ebdf2ae793181a840dc The hacker has also opened a ticket under his own name: https://www.aurumxchange.com/help/ticket.php?track=NLY-9AG-E468&Refresh=24195 He mentioned that I sold him the Mt. Gox codes at half price, which is absolutely not true. It seems that the hacker was trying to relate this event to me as an individual, and this possibly explains the reason that he wanted to "hijack" the email account. All my other email accounts did not have any suspicious access records and their passwords are all secure and different.This is my *own* genuine transaction at AurumXchange: https://www.aurumxchange.com/order/view/33100/3c05a9a572379bf91620302cc9dd7d22 And my ticket to question the funds: https://www.aurumxchange.com/help/ticket.php?track=J6W-EY3-ZY2U&Refresh=47091 It's important to note that the first time I gained any knowledge about the email being misused is through this thread. Neither AurumXchange nor Mt. Gox has provided me any specific information about the suspicion. Otherwise I could have checked that email account earlier.I'm willing to co-operate with any ongoing investigation and obviously I'm not trying to run away from this. I have already provided Mt. Gox with my certified copy of passport in an attempt to unlock my account with some Bitcoin balance.

I'm gathering some information and a statement will be posted soon. stevejobs807@gmail.com was indeed my email account used for anonymous testing purpose, however I haven't been using it for a long time. I'm logging in the account to check the suspicious activity and I'll post relevant details as well.The $40,000 I exchanged at AurumXchange was indeed from a friend. Later I can also post proof that I exchanged another $30,000 at other exchanges during the same period. The total amount far exceeds the stolen amount claimed in the OP. My own Liberty Reserve account number is U7097615.

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1* On Friday, July 13 I was notified by MtGox that somebody had gain unauthorized access to Bitcoinica's MtGox account. I was also notified that most of the redeemable codes used in the heist were exchanged through AurumXchange on July 12.* At the time I was on an extended weekend vacation with very limited internet access. I immediately notified Mark Karpeles at MtGox as well as Charlie Shrem at Bitinstant that I would take a closer examination of the situation on Tuesday upon my return.* Upon closer examination of our database on Tuesday, I discovered that the hacker had indeed exchanged the MtGox coupons to Liberty Reserve through our instant exchange facility. The hacker had also exchanged Liberty Reserve back to MtGox presumably in an effort to conceal and/or "launder" the funds.* Over all, the hacker exchanged a total of $61,875 USD from MtGox to Liberty Reserve, and a total of $17,500 Liberty Reserve to MtGox, for a grand total of $44,375 MtGox to Liberty Reserve. After our fees, this number amounts to approximately $40,000 USD.* These orders were placed on our systems between 2012-07-12 11:46:48 and 2012-07-12 19:41:27 UTC.* The IP addresses used by the hacker belong to TOR exit nodes to my understanding, and are as follows:31.172.30.131.172.30.231.172.30.477.247.181.165146.164.91.24878.108.63.44* The Liberty Reserve account used by the hacker is U9236056.* The email address used by the hacker was stevejobs807@gmail.com * To my surprise, upon further examination of our order system, I found an order from Zhou Tong to sell Liberty Reserve to us for the amount of USD 40,000, requesting a wire to his bank account in Singapore. The amount for the order closely matches the total USD exchanged through us (after fees) using the MtGox USD codes stolen from the Bitcoinica account.* This order was placed the next day the hacking attempts occurred. In addition, it should be noted that Zhou Tong has never dealt with us before as an exchange customer.* This information was immediately sent to our two biggest trusted business partners: MtGox and Bitinstant in an effort to join forces to further investigate this situation.* Mark Karpeles indicated that there was an account opened at MtGox using the email stevejobs807@gmail.com sometime in 2011.* Mark replied stating that there was activity on this account, that the account was opened using an IP address belonging to Microsoft Singapore, that Zhou Tong was known to have worked for said company at said location, that the email stevejobs807@gmail.com have been verified, and that ALL activity on this account is linked to the MtGox account belonging to Zhou Tong.* Mark has also indicated that the very first operation on the MtGox account opened with email stevejobs807@gmail.com was the redeeming of a 10 BTC MtGox code generated from Zhou Tong's account.* Charlie indicated that Erik Vorhees (a well known member of this community) has emails he exchanged with Zhou using the email address stevejobs807@gmail.com At this time, it appears that there is an overwhelming amount of evidence linking Zhou Tong personally to the Bitcoinica account hack at MtGox. Our legal department has advised us to freeze the funds for the exchange order mentioned above until further investigation by the authorities and/or legal proceedings are concluded.Both Charlie and Mark have informed the current Bitcoinica owners of the situation and advised to start legal proceedings as soon as possible.Posts corroborating this information from both MtGox and BitInstant will follow. I am technically on vacation until mid august with limited internet access, however, I will attempt to answer any questions the community might have as often as possible. Please understand that some information will not be released until all legal proceedings have been concluded.Sincerely,Roberto GutierrezGeneral ManagerThe AurumXchange Company-----BEGIN PGP SIGNATURE-----Version: GnuPGiQEcBAEBAgAGBQJQEMmpAAoJECR5FGDHgkwDCqMH/Awy/Tjtqw9p/vzVh/ewoYgqCPCSjWn1OUZGGkCMeA/ZwkPHV8/FgsQqBTfHJKy7OBZPaRyL7KTynFo6/BfUSCiOtWz4QtRXE8hAV5uJNq6BtUvsSD9LXUFWanSEOZS9mApsmP5jmDc3S7JfBEDHli1wzE9DXJR5jHQmvloRgafIQNxQq8BK7DKG25LpltXCURpVqWFkmulGsMuCqZ9wV0cbfP92Hf4U+FnwSiM5TfZDwtOhbub9E6ilzPHBmfOjuneSEN1S49Zq3wl1wv0sHUda2fJ4jVONpOc6S3pvGN7Jb0pdcUJQtujiOcnc+YbKa1EFBjZYY0WBnJL1EVARy4Q==TFJe-----END PGP SIGNATURE-----