Today we feature a guest post by Mark Hunter, the author of “Ultimate Catastrophe: How MtGox Lost Half a Billion Dollars and Nearly Killed Bitcoin” and co-creator and co-host of the podcast series “Dr Bitcoin: The Man Who Wasn't Satoshi Nakamoto.”
When Japanese bitcoin exchange Mt. Gox collapsed in February 2014, there were well-founded fears that it could kill the nascent cryptocurrency before it was more than five years out of the cradle. It is easy now to scoff at such suggestions, but many people thought along these lines given that Bitcoin had not yet faced such a catastrophe.
Over 880,000 BTC were lost by or stolen from Mt. Gox in various guises between March 2011 and January 2014, a haul worth a staggering $45 billion today, and yet with the 10th anniversary of its collapse upon us, there are still several important questions that remain unanswered.
Who did it?
One of the key questions that remains unknown is whether we know all of the culprits. Over 809,000 BTC were stolen across six hacks during Mt. Gox’s lifetime, and we only know of two names linked to one hack: Alexey Bilyuchenko and Aleksandr Verner, who are accused of being part of the Russian hacking group that compromised the exchange in October 2011. Over the course of 26 months, the pair helped steal and launder 647,000 bitcoins from the exchange’s cold wallets.
Verner and Bilyuchenko have only been charged by U.S. authorities with the laundering of the coins rather than the hack itself, however, which could suggest a lack of evidence against them on that charge.
Apart from these allegations, sealed in 2017 and made public in June last year, we have no idea who stole the remaining 162,000 BTC. 79,956 BTC remain tied to a well-known address beginning ‘1Feex’, while 77,500 stolen in September 2011 have never been traced. This hack was so successful it was not detected until 2015.
Then there’s the individual who stole 2,000 BTC in June 2011, which sent the value of bitcoin crashing from $17.50 to $0.01, and the hacker who swiped more than half the coins held by the exchange at the time, when Mt. Gox CEO Mark Karpelès left the wallet on a drive with unencrypted network. Fortunately for Karpelès the hacker got cold feet and negotiated a 1% bounty, leading to a loss of just 3,000 BTC for the exchange, rather than 300,000 BTC.
In all these cases we have no idea who did the deed, and it’s almost certain now that we never will. Many suspect the 1Feex hack was a dry run for the debilitating October 2011-January 2014 exploit, given that the modus operandi was the same, but this has never been confirmed.
How did it happen?
Of the 881,865 BTC which left Mt. Gox unintentionally, we can only say for sure how 72,409 BTC were lost. 30,000 BTC were logged as deposits to customers by Mt. Gox’s system when they were in fact being stolen by hackers. An error by Mark Karpelès in October 2011 led to 2,609 being sent to a non-existent address. Two bots operating on Mt. Gox, Markus and Willy, lost 22,800 BTC. And Karpelès bought Polish exchange Bitomat for 17,000 BTC in July 2011.
When it comes to the remainder, the method of entry is generally either unknown or merely suspected. In the case of the June 2011 hack, we know that the hacker was able to get access to the Mt. Gox server through an administrator-level account. This was initially attributed to auditor Auden McKernan but it was later revealed that it was the account of Jed McCaleb, the founder who had sold Mt. Gox to Mark Karpelès, which inexplicably still had administrator privileges. It is thought that the hacker obtained the details when the entire Mt. Gox user database was stolen along with the 79,956 BTC in the 1Feex hack.
Given that U.S. authorities were confident in naming Verner and Bilyuchenko as being part of a group that hacked into Mt. Gox in October 2011 they must have some evidence to back up their assertions, but unless it ever comes to a trial (which is almost certainly won’t now that their names are public) these details will likely never be divulged.
How safe were the Mt. Gox bitcoins?
Related to the question of how the hackers gained access to the Mt. Gox servers is the question of how they were then able to access the funds supposedly securely stored in cold wallets. We know that until the June 2011 hack, Karpelès kept users’ bitcoins in a haphazard manner across various physical and software wallets, which exacerbated the impact of the hacks and prolonged the cleanup.
Karpelès claims that this incident led him to incorporate a much more secure system: he split the coins across numerous paper wallets (he later said hundreds of pieces of paper were involved) and stashed them in bank vaults and safety deposit boxes around Tokyo. Therefore, if the hot wallet was stolen again, as it was for the 1Feex hack, the cold wallets should not be affected.
This seems safe enough in itself, but when it was revealed that the exchange’s cold wallets had indeed been ransacked between October 2011 and January 2014, many started to ask questions, including then Bitcoin blogger and future General Partner at crypto investment firm Andreessen Horowitz, Arianna Simpson:
“If you’re doing it right, the cold storage should not be accessible via the hot wallet, leak or no leak. That’s the whole point of separating the two.”
So how were the cold wallets compromised? Karpelès has never confirmed his bespoke cold wallet-hot wallet setup, potentially to avoid lawsuits based on the mishandling of funds, but he has given hints in interviews that paint an inconsistent and at times illogical scenario.
The only way to safely top up a hot wallet with funds from a paper wallet is to go and get the paper wallet and execute a multi-step manual transaction on an ultra-secure network. This must be done every single time, which is of course entirely impractical for any Bitcoin exchange no matter what its size or trading volume. No Mt. Gox staff member has reported seeing Mark Karpelès handling paper wallets, and indeed some prominent members of staff told me for “Ultimate Catastrophe: How Mt. Gox Lost Half a Billion Dollars and Nearly Killed Bitcoin” that they had only ever heard hot wallets mentioned, never cold wallets.
Was there, therefore, a system that automatically topped up the hot wallet from the cold wallets when it ran dry and vice versa? This seems to be the only feasible way in which the exchange could have operated, although it totally undermines the principles of a cold wallet system.
Read the full story online ...
– Mark Hunter
@twentynothing00