<cut>
Option 4: Mt Gox signals this to the competent authorities
+ We are safe
+ We may even have a chance of catching our hacker if Kevin knows him
+ We can rollback without having to worry
- Having to deal with FBI, provide logs and proof
I would also recommend that option, but question whether the FBI is the appropriate authority. If the business you are running is done on US soil and the suspicious activity comes from US soil too, then yes, the FBI would be the most appropriate agency to contact, although you should do that via the local police. It is their job to elevate it to the national, thus federal, level.
If either party is foreign, well things get a whole lot more complicated, to the level that it might be best just to report to the police and most likely never be heard of again.
It might be an idea to have this whole fiasco recorded, signed by a notary and publicized on a prominent accessible part on your site.
Although a whole lot of people carry the sentiment that this could have been prevented, this hindsight is of course 20/20. Security as a goal cannot be achieved, though it is a path that should be followed. A common rule of thumb is that the effectiveness of countermeasures can be roughly divided into 75% organizational, 15% structural and 10% electronic. Meaning that while switching to an alternative OS with a more robust database and scripting language might seem the right thing to do, it is more effective to make rules that prevent or at least monitor suspicious activity.
I wish you all the best and strength to carry on. This mishap is naturally a lesson learned, but not as much as some on this forum make it sound. From where I stand this should not affect you on a personal level at all. It goes more in the oh-f* category. You already demonstrated you have a plan for contingency and are open to what is going to happen. The only thing that remains is doing that, and the rest is water under the bridge.
Believe me, this is less of a screw-up than when I accidentally shut down a bank's main transaction mainframe (it was the end of the day and I typed shutdown -P now in my laptop terminal, which was actually an ssh session over to a box that was serial console attached to that SUN machine).
Luckily for me, that bank had a hot failover instance in another country, though waiting another 10 unpaid hours to verify the machine came up cleanly, is synced and took over the master role is not something I would like to do again :-).