This isn't absolute proof, but it does look VERY suspicious. I also notice that GolderMarkets went silent a little after there was a claim that a forums account from one of Gaban's referrals was accusing of being fake.This is what I find here:
- the broker logs show series of GBPNZD trades that are not in gaban13 logs.
- gaban13 EURUSD trades are both in his logs and the broker logs (it would be nice if you created a package of both application and experts logs because one needs both to aggregate events).
- both gaban13 trades and the ones he says he didn't do are logged with the same ISP ip addresses.
- there is a difference in the way the broker system responded to the orders. gaban13 EA/manual order sequence looks like this:
2011.09.06 17:14:38 18.104.22.168 '8117721': instant sell 0.05 EURUSD at 1.40753 sl: 0.00000 tp: 0.00000 (1.40754 / 1.40774)
2011.09.06 17:14:38 '1': request from '8117721' (sell 0.05 EURUSD at 1.40753 sl: 0.00000 tp: 0.00000)
2011.09.06 17:14:40 GolderMarkets Meta T '1': confirm '8117721' sell 0.05 EURUSD at 1.40753 sl: 0.00000 tp: 0.00000 (1.40759 / 1.40779)
Note we have a sequence of events: an order is coming in and the broker system responding and logging the order processing progress messages.
While the problematic ones are missing the normal system messages:
2011.09.08 19:29:17 22.214.171.124 '841571': order #1550584, sell 0.50 GBPNZD at 1.91623
2011.09.08 19:29:45 126.96.36.199 '841571': order #1550591, sell 0.50 GBPNZD at 1.91612
2011.09.08 19:30:03 188.8.131.52 '841571': order #1550598, sell 0.50 GBPNZD at 1.91607
2011.09.08 19:30:20 184.108.40.206 '841571': order #1550604, sell 0.50 GBPNZD at 1.91608
2011.09.08 19:30:35 220.127.116.11 '841571': order #1550607, sell 0.50 GBPNZD at 1.91607
2011.09.08 19:30:50 18.104.22.168 '841571': order #1550614, sell 0.50 GBPNZD at 1.91583
2011.09.08 19:31:07 22.214.171.124 '841571': order #1550622, sell 0.50 GBPNZD at 1.91576
2011.09.08 19:31:26 126.96.36.199 '841571': order #1550627, sell 0.50 GBPNZD at 1.91572
2011.09.08 19:31:27 '841571': reach stopout ml 82.05%, equity: 1051.96, margin: 1282.05
Which suggests these orders were entered somehow differently (outside MT4) while the timing suggests automated action.
Either something/someone traded the accounts from gaban13 side (he says not) using the same public ip, either someone wiped out the accounts (deliberately?) and then covered it by replacing ip addresses in the broker database with the one gaban13 used the last.
gaban13 points that about 15 minutes before the first GBPUSD trade someone was checking the accounts passwords:
2011.09.08 19:15:43 188.8.131.52 '4019': checking password of '8118831' [successful]
2011.09.08 19:21:08 184.108.40.206 '4019': checking password of '841571' [successful]
2011.09.08 19:21:22 220.127.116.11 '4019': checking password of '8117721' [successful]
2011.09.08 19:21:46 18.104.22.168 '4019': checking password of '8118826' [successful]
And these requests come from some ISP located in UK while the rest comes either from Malaysia (gaban13 location), either Singapore (the broker server?).
This indeed may point to the fraud/hacking. Especially I didn't find this kind of entry elsewhere. Neither this kind, neither this ISP.
I have a growing impression either the broker did it either someone hacked the broker internal system and then the accounts - only this way he could bypass the MT4 interface resulting in missing normal order processing system messages while he was able to replace ip addresses to cover his activity.
Yes - the fraudster wasn't smart enough thinking he could cover it all. ;-)
Of course one may say gaban13 did it all and then edited his logs to cover it up.
Yes, he could do that. But he couldn't enter the trades the way they didn't trigger the broker MT4 interface to log the order processing messages. Unless he had some other way to do it automatically.
That's how I get it.
Just came across the broker warning/scam report regarding gaban13:
GolderMarkets.com -Official Notice to warn clients & affiliates on fraudulent churning activities!
Which sounds very serious. The text contains links to the five accounts journals:
And indeed all of them are missing this password check entry.
This does not build the broker report confidence.
I've held back my vote so far, but if I don't see something new from GolderMarkets explaining these discrepancies, I'll probably vote Guilty before the poll closes.