Accepting big-value zero-fee zero-confirmation transaction is stupid. They deserve it.

But (1) doesn't explain why ghash found 0 blocks to their address during the attack.
(2) is possible, but we need more data.

It would be good to hear from someone who had been mining on ghash back then to check their earnings.

We are now aware of this issue and we will perform an internal investigation to find out who is responsible for this.
Thank you for pointing out.

If I understand the CEX.IO website correctly, it's a place where you can temporarily buy mining power that runs onto your own node? We've seen one of those before, didn't we?

I am curious who is stupid enough to rent their hardware out to random strangers over the internet and whether they understand what the point of mining actually is.

An interesting and historic milestone! I think this would be the first time we've seen miners profitably double-spend against merchants. If ghash.io was selling their hashpower to a criminal (and defrauding merchants is a crime regardless of the exact technique you're using), then that suggests we should be formally discouraging miners from using that pool.

well it is a private operation with private hardware, miners cant do anything about it, this is the time when miners have to start thinking about using p2pool.

Not quite. At least today miners who have mempool accepted a transaction will not accept a conflicting one with higher fees, even if they're not attempting to mine the lower fee one yet.

You can pull off doublespends against no-confirm acceptors today, but it's a heck of a lot easier to do it reliably if you have some friendly hashpower.

Someone who no longer has an ownership interest in it.

CEX.IO doesn't rent out hashpower. They actually sell hardware "ownership" by the GH/s.  You pay them some amount upfront per GH/s, equal to a fairly high price for mining hardware ($36.6/GH/s), and you "forever" own an interest in some hardware. If you own enough to equal at least one board worth, you can pay for shipping and have some gear de-racked and sent to you. They also provide a market where current owners of hardware can sell it to new owners.  They charge maintenance fees on the hardware (denominated in USD, currently about 2.78% of your income).

All of this hashrate, while in their hands, is currently required to be pointed at their "partner" mining pool, GHash.io which is an invite only pool.

Maybe a larger CEX.IO hashrate owner could get them to redirect their hashrate to something else, but thats not advertised anywhere, it's not clear to me that they'd have any obligation to do so... though I was unable to find a lot of detailed T/C for owning the hashrate, their contract mostly seems to focus on their exchange business.

If this is actually true then cex.io needs to give an explanation !! I wouldn't trust them if this is true!

So, finally cex.io/ghash.io have decided to respond. I'd like to think that this was purely due to pressure from the Bitcoin community, well done.

Cex.io/ghash.io investigating cex.io/ghash.io though - can't wait to see how that pans out It's like the police investigating the police  .

Still, this is their chance to silence the critics and clear their name, I only hope they take this opportunity to do so - and do it well.

Cex.io/ghash.io have found a niche market that appeals to noobs who want to get into mining but can't afford the hardware - it gives them an option to get into mining that they would never have had before, which is to be commended (even if it is at an extortionate price per G/hash). This section of users are inexperienced with Bitcoin & it's workings, and throw their trust (and hard earned cash) into cex.io/ghash.io blindly - not fully understanding the consequences of their actions. My concern is that if cex.io/ghash.io have already conned a Bitcoin company -and therefore Bitcoin itself - what is stopping them from doing it again to their users? One only has to look around to see other pools and wallet services that have done the same thing, services that had no scam accusations against them and seemed much more trustworthy than this one does.
Imagine if the worst happened & cex.io/ghash.io done a GBL & disappeared overnight - there would be a huge outcry from it's users all asking the same question - why weren't we warned? Why didn't anyone tell us about them?

Roadtrain has gone out on a limb, putting his reputation on the line & provided pretty solid evidence to substantiate the scam accusation, not for personal gain, but to inform the community of what he believes is going on - the least the community can do is warn users of cex.io/ghash.io of the current accusations until solid evidence/actions are taken by cex.io/ghash.io that either prove their innocence or that appropriate action has been taken against the employee who perpetrated the con (if any).

I urge cex/ghash to grab this opportunity to clear their name, I also urge the Bitcoin community to keep the pressure on them to do so - it can only be good for everyone.

Peace