btilly|10 years ago
1. ShapeShift has the right version of events.
2. Rovion is Bob, who is having fun mocking and misleading the CEO, safe in the belief that he will never be caught.
3. Rovion is another insider who is providing himself with cover to blame Bob and an outside hacker if he's ever caught.
This post criticizes the first theory on the grounds that Rovion's interaction doesn't make much sense. And indeed it doesn't, unless Rovion is a fairly weird guy.
The second theory makes some sense. By telling this yarn, Bob managed to steal two more times, while ensuring that all the evidence of how he did it those second two times was not taken as a lead to who he is now or what he is doing.
The third theory makes a ton of sense. Rovion could either be someone who was already planning to steal, or just an insider who saw how easy it was and was motivated to do the same.
One interesting detail is that Bob's initial theft is just sitting in a wallet, untouched. So apparently he didn't need that money. The first theory would say it's because he got paid by Rovion and can wait. The second theory would say it's because he made two other withdrawals that he can use. The third theory leaves that open.
Based on human nature, I'd rank them 3, 2, 1. Based on his leaving a bunch of money untouched, and my opinions about criminals, I'd rank the theories 2, 1, 3. Either way, the CEO should be dubious about the story he was fed by "Rovion".
blakeyrat|10 years ago
I think you missed the insinuation at the end of the article:
4. The CEO faked the entire story (perhaps using Bob or Rovion or both as patsies, or perhaps taking the money for himself) because the same money-stealing "we learned our lesson" thing happened at PayPal, and PayPal became hugely successful shortly afterward.
actsasbuffoon|10 years ago
There's another factor. Rovion implicated Bob, which would be a weird thing for Bob to do. What kind of idiot would defend themselves by pointing at themselves and screaming, "I did it!"?
If Rovion is Bob, then Bob suffers from a particularly stunning strain of stupidity.
Either Bob thinks he's playing some kind of crazy 4-dimensional chess, or he's not Rovion.
kcorbitt|10 years ago
I agree that ShapeShift's account has holes in it and the CEO seemed a little too willing to take Rovion at his word, but this rebuttal swings too far in the other direction. Some comments:
> Red Flag #1. Bob is somehow able to connect with a hacker who has been hiding in their systems for some time.
Actually, in the original article Rovion says "We contacted Bob," which makes total sense: if Rovion, e.g., had access to the email account of a ShapeShift employee, he would have seen the drama with Bob unfold and been able to contact him easily.
> Red Flag #2. Rovion identifies Bob by his real life name "Bob," without a moment of hesitation.
> Why on earth would Bob run a criminal business under his real name?
If Rovion had access to some internal communications at ShapeShift, he would of course have "Bob"'s real name and no reason not to use it.
> Red Flag #3. Bob chooses to sell his backdoor access to Rovion instead of using it himself.
> Red Flag #4. Bob demands only 50 BTC for a backdoor.
There's a lot more risk in stealing something yourself vs. just providing information that can be used for theft. Letting someone else do the dirty work could definitely be a rational decision. And anyway, the hot wallet at no point after the original hack had 315 BTC again, so the expected value of the second/third hacks was a lot lower.
> Red Flag #6. Rovion is a moralistic individual who not only is a thief himself, but wants to see Bob, another thief from whom Rovion supposedly obtained credentials, severely punished
It's not surprising to me that someone could adopt a moral framework that lets them steal from poorly-secured foreign companies while still considering it wrong to steal from your own employer.
> Orange Flag #9. Voorhees talks derisively about Bob's competence during the period of time when Bob was employed prior to the hack.
Many countries, possibly including Switzerland, do have a very high standard you have to meet to fire someone with cause. This process could be especially delicate if Bob is of an ethnic or racial minority.
rdtsc|10 years ago
Isn't this the standard scam: a crypto-currency exchange gets cleaned out by an insider/owner, and then there is a story of a disgruntled employee or other evil hacker. Everyone is supposed to hate this made-up hacker instead of suspecting the owners themselves.
Maybe it is just the news bias, but crypto-currency seems to attract shady characters. I understand the sentiment about the central banks and the global cabal of money-controlling plutocrats and all that, but then the same people turn around and hand money to a bunch of amateurs with a website and trust them instead.
rm_-rf_slash|10 years ago
"I'm an investment banker. I... move money from one place to another."
-Michael Douglas as Nicholas Van Orton, The Game, 1997
Finance is a cutthroat industry where the common denominator for success is ruthlessness. Fortunes await the hungry. The hoodied crypto-currency hacker may not strike you as the Wall Street suit, but rampant greed is clear as day.
Ontheflyflyfly|10 years ago
"Who here remembers the story of a bank called X.com? It was a tiny, little-known online bank, until it was hacked and covered in the mainstream press during the first dot-com boom. Its popularity absolutely soared after the hack. I actually had an account on X.com, but if you didn't and never heard of it, you may perhaps have heard of X.com's founder, a fellow who goes by the name of Elon Musk."
My initial reaction is: I am very glad I had nothing at stake here... my second reaction is the same as the author of this deconstruction. Why should I trust anything any of these actors do ever again, given the way they have reacted to the data?
Occam's razor suggests that Rovion, Bob and Voorhees are all the same person. Any other reading would, as the article points out too obliquely, involve too much strain on reality.
Finally, someone who took a stab at this. Ever since I read ShapeShift's version of events I couldn't help but think the entire thing was bullshit. Wild incompetence, improbable alliances, it's just weird.
I'm just kinda glad that my old-school, been-burned-100-times, cynical self, who also saw red flags galore in the original narrative, wasn't completely nuts.
cubano|10 years ago
It's a pretty solid takedown of all the issues in ShapeShift's sketchy story.
AgentME|10 years ago
> By definition, Rovion was in deep undercover mode. How would Bob have gotten a hold of Rovion? Did he know of Rovion's partial penetration? If so, how? If not, then how did they meet up? In any case, how did the two hackers exchange messages?
If the attacker didn't have root or wasn't using a fancy rootkit, it's not surprising at all that his hack could have been discovered. Discovering the hack could be as simple as finding an unfamiliar PHP file that hosted a reverse shell in some directory. The attacker might've had some scripts in a folder. Communication could be started by editing one of the scripts to print a message instead.
A friend of mine, as a student sysadmin, once found a server was part of a botnet, figured out the bots communicated via an IRC channel, joined the channel himself, lurked for a while, saw the operator connect one day, and talked. The server never had anything worthwhile on it, the server was re-imaged, the school never bothered pursuing legal action as the guy was in Russia, and I'm told they've played Counter-Strike together sometimes since then.
> Why wouldn't Bob take advantage of the backdoor himself? It's not like he had much to lose. He'd already been ousted from ShapeShift and was already the target of an investigation.
Because he could probably get a bunch of money now and have someone else do most of the work.
> Red Flag #4. Bob demands only 50 BTC for a backdoor. ... Why not split the proceeds in half, for starters?
If Bob has Rovion do all the work with the backdoor access, why would Bob trust Rovion to split the proceeds once he's hit the motherlode? Much easier to get some money up front and be done with it.
> Red Flag #5. Rovion pays 50 BTC for a backdoor. ... How would Bob, then, demonstrate to Rovion that he wasn't just a scammer, or a honeypot operator, but indeed had a legitimate backdoor to sell?
It probably wasn't a single 50 BTC transaction. Start it slow. (Just like how Erik managed to work out some trust with Rovion later.) Bob probably offered to not boot Rovion's original access into the system for a few BTC to start with, and they found somewhere to go from there.
> Red Flag #6. Rovion is a moralistic individual who not only is a thief himself, but wants to see Bob, another thief from whom Rovion supposedly obtained credentials, severely punished, for being a thief.
Seriously, this is just grasping at straws. That doesn't seem so strange. Or hell, maybe Rovion just wants to try to throw someone else under the bus morally. People trying to justify themselves is nothing new.
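The comment above notes that an intrusion can be found by noticing an unfamiliar PHP file sitting in a directory. The defender's routine that makes such finds systematic rather than lucky is a file-integrity baseline: hash every file under the web root, store the manifest, and diff a later snapshot against it. The script below is an added example written for this page, not code from the thread, from ShapeShift or from any commenter; the web-root layout, file names and contents are constructed for the demo, and the functions are generic (they work on any directory tree, not only PHP).

```python
"""Baseline-and-diff integrity check for a web root (added example).

build_manifest() maps each file under a directory to its SHA-256 digest;
diff_manifests() reports files that are new, modified or removed between
two manifests. demo() runs the whole flow on a constructed directory.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed): sorted lists of relative paths.

    'added' is what the comment calls an unfamiliar file; 'modified' catches
    a known file whose contents changed, e.g. a script edited in place.
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return added, modified, removed


def demo():
    """Constructed scenario: baseline a fake web root, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed 'known good' tree; contents are placeholders.
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php // db helper ?>\n")
        baseline = build_manifest(root)

        # Constructed later state: one unfamiliar file appears and one
        # known file is edited. Both should show up in the diff.
        (root / "lib" / "cache.php").write_text("<?php // unexpected new file ?>\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>\n")
        current = build_manifest(root)

        return diff_manifests(baseline, current)


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("removed: ", removed)
```

In practice the baseline manifest is written somewhere the web server's account cannot modify and the diff is run on a schedule; a hit in `added` or `modified` under a directory that deploys should never touch is exactly the kind of lead the comment describes.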