The History of the Mt Gox Hack: Bitcoin’s Biggest Heist

At the beginning of 2014, Mt Gox, a bitcoin exchange based in Japan, was the largest bitcoin exchange in the world, handling over 70% of all bitcoin transactions worldwide. By the end of February of that year, it was bankrupt.

Anyone who was using Mt. Gox lost access to their assets, and it has been a cautionary tale for crypto investors. While the assets weren’t all lost, anything that was left has been frozen for years.

Now, it looks like things might be turning a corner, but there are still many unknowns. Before we talk about how there could be a resolution on the horizon, let’s look at how we got here in the first place.

The victim of a massive hack, Mt. Gox lost about 740,000 bitcoins (6% of all bitcoin in existence at the time), valued at the equivalent of €460 million at the time and over $3 billion at October 2017 prices. An additional $27 million was missing from the company’s bank accounts. Although 200,000 bitcoins were eventually recovered, the remaining 650,000 have never been recovered.

The Mt Gox website as it stood

This post will discuss the rise and fall of Mt. Gox, the aftermath of the hack and the resulting (and ongoing) investigation and will consider whether it could happen again.

For a long time it looked like the creditors of Mt. Gox could be left empty handed, but there have been some new developments that may mean a return of capital to crypto traders who were left holding the bag when Mt. Gox went bust.


Quick Facts

  • Mt. Gox was the largest bitcoin exchange handling 70% of transactions in early 2014
  • It was hacked in 2014 resulting in the loss of 740,000 bitcoins worth $3B+
  • Only 200,000 bitcoins have been recovered leaving 650,000 still missing
  • Mt. Gox filed for bankruptcy protection in 2014
  • Investigations found the exchange was hacked as early as 2011
  • The hack drained the hot wallets and cold storage
  • CEO Mark Karpeles was arrested in 2015 but has pleaded not guilty
  • A new civil rehabilitation process began in 2019 to repay creditors
  • The repayment deadline has been extended to Oct 31, 2024

The Rise of the Mt Gox Exchange

Launched in 2010 by US programmer Jed McCaleb (who later went on to found Ripple), Mt Gox expanded rapidly to become by far the most popular bitcoin exchange in the world after being purchased by French developer and bitcoin enthusiast Mark Karpelés in March 2011. Rather bizarrely, the name Mt Gox stood for “Magic: The Gathering Online eXchange”.

In June 2011 the Mt. Gox exchange was hacked, most likely as a result of a compromised computer belonging to an auditor of the company. On that occasion, the hacker used their access to the exchange to artificially alter the nominal value of bitcoin to one cent and then transfer an estimated 2,000 bitcoins from customer accounts on the exchange, which were then sold.

Mt Gox at the time handled 80% of Bitcoin trading

In addition, an estimated 650 bitcoins were purchased from the exchange at the artificially low price by Mt. Gox customers, none of which were ever returned. As a result of this hack Mt. Gox took a number of security measures, including arranging for a substantial amount of its bitcoin to be taken offline and held in cold storage.

In spite of the June 2011 hack, by 2013 Mt. Gox had established itself as the largest bitcoin exchange in the world, in part as a result of increased interest in bitcoin as the price of the coins increased rapidly (jumping from $13 in January 2013 to a peak of more than $1,200).

However, behind the scenes all was not well.


The Struggles behind the scenes

Although Mt. Gox had quickly expanded to become the largest bitcoin exchange in the world by 2013, behind the scenes it was struggling.

Since its collapse, a number of Mt. Gox employees have spoken about how Mt. Gox was operating, painting a picture of a disorganized and discordant organization with poor security procedures, serious issues relating to the source code of the website and a number of serious problems in the operation of the business.

In May 2013, a former business partner of Mt. Gox called Coinlab sued the company for $75 million, claiming breach of contract. The two companies had signed an agreement under which Coinlab would take over Mt. Gox’s American customers but, according to Coinlab’s lawsuit, the deal failed to materialize due to Mt. Gox breaching a clause of the contract.

In addition, the US Department of Homeland Security was investigating claims that a subsidiary of Mt. Gox operating in the US was not licensed and was therefore operating as an unregistered money transmitter. As a result of this investigation, more than $5 million was seized by the US government from the company’s bank accounts.

As a result of the US investigation, Mt. Gox had announced a temporary suspension of withdrawals in US dollars. Although this suspension only nominally lasted for one month, many customers were experiencing delays of up to 3 months in withdrawing cash from their accounts and few US dollar withdrawals were being successfully completed.

All these delays resulted in Mt. Gox losing its place as the largest bitcoin exchange in the world by the end of 2013, falling to third.

However, as it turned out, these issues were the tip of the iceberg. Underneath the hood, Mt. Gox had much bigger problems than it realized. It had been the victim of an ongoing hack for over two years.


The Mt. Gox hack

  • On 7 February 2014, Mt. Gox stopped all bitcoin withdrawals, claiming that it was merely pausing withdrawal requests “to obtain a clear technical view of the currency process.”
  • After a number of weeks of uncertainty, on 24 February 2014, the exchange suspended all trading and the website went offline.
  • That same week, a leaked corporate document claimed that hackers had raided the Mt. Gox exchange and stolen 744,408 bitcoins belonging to Mt. Gox customers, as well as an additional 100,000 bitcoins belonging to the company, resulting in the exchange being declared insolvent.
  • On 28 February Mt. Gox filed for bankruptcy protection in Japan, and in the US two weeks later.
  • Subsequent investigations have shown that the massive hack of Mt. Gox had begun as early as September 2011.

As a result of all this, Mt. Gox was operating while technically insolvent for almost two years and had practically lost all of its bitcoins by mid-2013. Additional evidence has suggested that Mt. Gox was already missing up to 80,000 bitcoins from its exchange even before Mark Karpelés purchased the exchange in 2011.

Although it remains an ongoing investigation and the facts remain unclear at this time, it is presumed that most of the bitcoins that were stolen from Mt. Gox were taken from its online (or hot) wallets, including all of the currency being held in cold storage, due to a “leak” in the hot wallet.

An online cryptocurrency wallet is a web-based wallet that stores secure digital codes known as private keys. A private key shows ownership of a public digital code, known as a public key, which is used to access the currency addresses; it is this key information that is stored in a wallet.

Prior to September 2011, the Mt. Gox private key was unencrypted and it would appear that it was stolen via a copied wallet.dat file, either by hacking or perhaps through an insider.

Once the file had been stolen, the hacker(s) were able to access and siphon bitcoins gradually from the wallets associated with Mt. Gox’s private keys without the hack being detected.

The shared keypool of the copied file led to address re-use, which meant that the company appeared to be oblivious to the theft, with the Mt. Gox systems interpreting the transfers as deposits apparently being moved to more secure addresses.

Whenever the wallets emptied, the Mt Gox system’s interpretation of the theft as deposits resulted in an additional 40,000 bitcoins being credited to multiple user accounts.
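
The failure mode described above, where spends made with a copied key are booked as deposits, can be caught by classifying transactions by their inputs and reconciling holdings against customer liabilities. The following is an added example, not code from Mt. Gox or from the original post; the simplified transaction model, the addresses, the amounts and the function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (address, amount) pairs being spent
    outputs: tuple  # (address, amount) pairs being paid

# Constructed sample data, amounts in whole BTC. "hot1".."hot3" are keypool
# addresses the exchange owns; a copy of the wallet file holds the same keys.
OWN = {"hot1", "hot2", "hot3"}
AUTHORIZED = {"t2"}  # txids the exchange's own withdrawal system created
TXS = [
    Tx("t1", (("cust_a", 100),), (("hot1", 100),)),               # real deposit
    Tx("t2", (("hot1", 100),), (("cust_b", 30), ("hot2", 70))),   # withdrawal + change
    Tx("t3", (("hot2", 70),), (("thief", 50), ("hot3", 20))),     # copied-key spend
]

def naive_deposits(txs, own, authorized):
    """Flawed rule: any payment to our addresses that we did not create is a deposit."""
    return sum(amt for tx in txs if tx.txid not in authorized
               for addr, amt in tx.outputs if addr in own)

def reconcile(txs, own, authorized, liabilities):
    """Classify each transaction by its inputs, then compare holdings to liabilities."""
    unauthorized, deposits, balance = [], 0, 0
    for tx in txs:
        spent = sum(amt for addr, amt in tx.inputs if addr in own)
        received = sum(amt for addr, amt in tx.outputs if addr in own)
        balance += received - spent
        if spent and tx.txid not in authorized:
            # Signed with our keys but not created by our system: key compromise.
            unauthorized.append(tx.txid)
        elif not spent:
            deposits += received  # funded entirely by outside addresses
    return {
        "unauthorized": unauthorized,
        "deposits": deposits,
        "balance": balance,
        "shortfall": max(0, liabilities - balance),
    }

if __name__ == "__main__":
    print("naive deposits:", naive_deposits(TXS, OWN, AUTHORIZED))
    print(reconcile(TXS, OWN, AUTHORIZED, liabilities=70))
```

In this constructed data the flawed rule credits 20 BTC of change from the unauthorized spend as a new deposit, while the input-based check flags that transaction and reports the gap between holdings and what customers are owed.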


The Aftermath

In March 2014, Mt. Gox reported on its website that it had found 200,000 bitcoins in old-format digital wallets that had been used by the exchange prior to June 2011. These bitcoins remain held on trust for creditors while the company remains under bankruptcy protection.

Mark Karpelés was arrested in Japan in August 2015 and charged with fraud and embezzlement, although none of these charges directly relate to the theft. He was imprisoned until July 2016, when he was released on bail.

He has pleaded not guilty to the charges and his trial is ongoing.

Mt. Gox remains under bankruptcy protection, with the case still being under investigation. In addition, the litigation with CoinLab remains outstanding and distribution to creditors cannot occur until that lawsuit is settled.


Where did the money go?

650,000 bitcoins remain unaccounted for as a result of the Mt. Gox hack. A number of online theories have been developed as to where the missing coins are.

Some have suggested that Mt. Gox never had the amount of coins that it claimed, and that Karpelés had manipulated the numbers to make it appear that Mt. Gox held more bitcoin than it in fact held.

In respect of how the hacker was able to access the bitcoins that Mt. Gox held in cold storage, the theories range from suggestions that the storage may have been compromised by an individual with on-site access to suggestions that the cold storage coins were gradually deposited into the Mt. Gox exchange system when a hot wallet ran low, and that a lack of accountability among staff simply meant that there was no awareness that the wallets were being drained by hackers.

In July 2017, a Russian national named Alexander Vinnik was arrested by US authorities in Greece and charged with playing a key role in the laundering of bitcoins stolen from Mt. Gox. In addition, Vinnik was charged by Greek authorities with laundering approximately $4 billion in bitcoin.

Vinnik is alleged to be associated with BTC-e, a well-established bitcoin exchange, which was raided by the FBI as part of the investigation.

The BTC-e site has been shut down and the domain & web hosting accounts seized by the FBI, the first time the US government has seized a foreign exchange on foreign soil.

Investigations by Wizsec, a group of bitcoin security specialists, had identified Vinnik as the owner of the wallets into which the stolen bitcoins had been transferred, many of which were sold on BTC-e.

With the trial of Mark Karpelés ongoing in Japan and the indictment against Vinnik, it would appear that the separate strands of the investigation into the Mt. Gox hack are finally coming together.

Whether any of this will result in the recovery of all or any of the stolen bitcoins remains to be seen, but it does appear that we will have at least some clarity into the Mt. Gox hack in the near future.


“GoxRising” - A New Path Forward

In February of 2019, TechCrunch reported that a movement called GoxRising was working to pursue an alternative to bankruptcy for Mt. Gox.

The idea behind GoxRising is simple: instead of using the bankruptcy courts to hand over Mt. Gox’s assets to the owners of the company, it is using civil rehabilitation law to return the most it can to the creditors of the company.

It would appear that GoxRising has been successful in its efforts, as Tokyo lawyer Nobuaki Kobayashi has been appointed by Japanese courts to handle the civil rehabilitation process. This is good news for anyone who lost their assets in the Mt. Gox failure, as they will likely gain much more as a result of civil rehabilitation.

There is also another potential upside for Mark Karpeles, the embattled CEO of Mt. Gox.

If the bankruptcy process had continued to move forward, it is likely that Karpeles would’ve ended up with a lot of Mt. Gox’s assets. He owned around 80% of the company when it went bust, putting him in pole position for a massive payout under Japanese bankruptcy law.

Karpeles knows that if he ended up with most of the Mt. Gox stash, his life would be in limbo. First, he would face a barrage of civil suits from Mt. Gox creditors who had lost everything to him. Bitcoin prices are much higher today than they were in 2014, which would just add insult to injury.

Also, jilted investors may not be satisfied with simply suing Karpeles. People have been killed for far, far less than what Karpeles would have done, if he ended up walking away with a massive pile of Bitcoins after everyone who trusted him got burned.

Needless to say, the civil rehabilitation process seems like a winning idea for everyone involved, and it looks like it is moving forward. Kobayashi was put into his position earlier this year, and the civil rehabilitation is expected to take 3-5 years, according to reports in the media.

Civil rehabilitation is still a time-consuming process, but it does look a lot better than bankruptcy!


Lessons Learned

The pivot to civil rehabilitation is emblematic of how different the crypto world is from the established financial system. Bankruptcy law was a terrible framework to address the failure of Mt. Gox, and would’ve created an unjust situation that may have led to massive amounts of litigation, and potentially illegal acts.

It is highly unlikely that Karpeles was actually planning to defraud people who were using Mt. Gox, and his life has been rough since the exchange went belly-up. He has faced multiple lawsuits already, can’t leave Japan, and also did some jail time before getting released into the land of the rising sun on a limited basis.

Not a lot of fun for anyone!

Now, it looks like there is a way forward that would get Karpeles out of his unenviable situation, and make sure anyone whose assets were frozen in 2014 got them back.

The clear lesson to the crypto community is that there need to be better structures in place for when the worst happens, as it is absurd that people are still waiting to gain access to their property.


The Centralized Crypto Exchange Dilemma

Crypto assets lend themselves to decentralized networks. Despite that, the exchanges that offer the best prices and deepest liquidity are almost universally centralized. While the centralized nature of the exchanges isn’t inherently an issue, the fact that they act as custodians isn’t ideal.

Once an entity takes ownership over an asset, the potential for a Mt. Gox-esque scenario exists. Given the kind of laws that govern bankruptcy in the established financial system, the way cryptos are traded does appear to be less-than-perfect.

There are decentralized exchanges that offer a wide range of trading services, but they are unlikely to be able to match centralized crypto exchanges, especially when it comes to inter-exchange interface.

The ability to trade directly with other centralized crypto exchanges is a big advantage, and it is difficult to see how that could happen without custodianship.


A Horror Story for Institutional Investors

Custodial issues are one of the biggest issues for institutional investors when it comes to cryptos. Far from being paranoid speculation, the Mt. Gox situation gives any money manager who is being pressured to invest in cryptos a terrible example that could scare anyone out of the sector.

The idea that a hack could turn an entire exchange illiquid and keep any of the traders from accessing their assets isn’t going to win cryptos many proponents in the investment banking community. If cryptos are going to grow, the ‘Custodial Question’ has to be addressed.

Unfortunately, the crypto world grew out of boot-strapped platforms and business structures that were never intended to appeal to the world of high-finance. Now that more people are interested in cryptos, these sub-par systems are holding back the industry in a big way.

It doesn’t matter how professional a trading interface looks, the back office is what really matters when it comes to attracting the big money. If chain-of-custody and ownership can’t be established quickly, and by an outside auditor, nothing else really matters.


Could it happen again?

The short answer is that yes, it could.

There are many bitcoin exchanges operating at present, some of which are more reputable than others. Popular exchanges such as Coinbase and Binance are relatively transparent about their operations, as well as offering insured deposits, and are backed by reputable venture capitalists.

However, they are also going to be the targets of the best hackers, who will be only too happy to exploit any security gaps.

Decentralized exchanges generally don’t act as a custodian for your assets, which means Mt. Gox couldn’t happen to you.

In addition, there are many smaller exchanges currently trading that aren’t as clear about how they operate. That does not mean that such exchanges are operating a hack or are disreputable in any way.

When it comes to cryptocurrency trading, it is recommended that you use the more reputable exchanges, if only for your own peace of mind, unless you have the means to absolutely guarantee the legitimacy of any smaller exchange that you are dealing with.

And if the above isn’t enough to scare you, my one last word of advice would be to make sure that you don’t store your bitcoins on any exchange. See our post on cryptocurrency wallets for more details on how to store your bitcoins.


MT Gox Update 2023

As of 2023, the long-running Mt. Gox saga continues, as trustees for the hacked cryptocurrency exchange have announced a deadline extension for repaying creditors. Originally ordered to finish distributions by October 31, 2023, the trustee now has until October 31, 2024 to complete the repayment process.

This marks the second major deadline extension, as creditors have waited nearly a decade to recoup losses from the infamous 2014 hack.

While around 200,000 of those coins have since been recovered, creditors are still owed around 650,000 BTC from the hack. With bitcoin’s value exponentially higher now compared to 2014, that stolen sum is worth close to $23 billion today.

The Tokyo-based trustee managing distributions cites technical and administrative delays as reasons for pushing the deadline back another full year. This includes time spent hunting for more of the missing bitcoin and organizing the process for evaluating creditor claims.

The repayment is slated to proceed in both BTC and fiat currency at the creditor’s request. Analysts expect the release of tens of thousands of bitcoins may impact prices to some degree, though markets are much more liquid today.

For Mt. Gox victims, the deadline extension provides closure on any hopes of receiving funds in 2023. But it also promises progress by finally making creditors whole after years of waiting.

We will update as the story progresses.

Source: https://blockonomi.com/mt-gox-hack/