Have you ever heard someone say:
“NEVER leave Bitcoin on an exchange.”
“Not your keys, not your bitcoin.”
Well, Mt. Gox played a very large role in this…
From 2010 until its implosion in 2014, Mt. Gox was the largest and most influential Bitcoin exchange. By 2014, the exchange had processed 70% of the world’s bitcoin trades.
Exchanges like Mt. Gox connect buyers and sellers of bitcoin and let them hold dedicated accounts on the exchange. For a long time, they were largely unregulated.
With little government oversight and irreversible bitcoin transactions, exchanges have become prone to insider theft and a target for hackers. Many users weren’t aware of these risks and believed keeping bitcoin on an exchange was safe.
That was a problem.
Keep reading to learn how the events at Mt. Gox unfolded, leading to the largest theft in cryptocurrency history, estimated at 850,000 bitcoin (which would be worth about $6.4 billion today).
In 2010, a Slashdot article introduced Bitcoin to its millions of tech-savvy readers for the first time. It described a new digital internet money that anyone could access by downloading software on their computer.
This sent people flocking to the Bitcoin website. As these users became familiar with the software, they began showing interest in learning how to acquire bitcoin.
At the time, purchasing bitcoin was difficult. Not many options existed and the few that did were unreliable and limiting.
Jed McCaleb was one of those users. At the time, Jed was living in northern New York City with his wife MiSoon and expecting a second child.
He came across the Slashdot article and quickly became interested in Bitcoin. Frustrated by the lack of any reliable exchange, he decided to create one himself.
Jed built the exchange on mtgox.com, an old domain name he’d purchased in 2007.
Its original purpose was to serve as an exchange to buy and sell cards used in the card game “Magic: The Gathering”, hence the acronym: Magic: The Gathering Online Exchange.
Jed promoted his new exchange on a Bitcoin forum and took an entirely new approach. For the first time, customers were able to use PayPal to fund their accounts. This made it accessible to people all over the world.
Despite the exchange’s growing popularity, PayPal quickly caught on and froze the accounts. Not only was the exchange operating illegally as a money service business, but it also acted as a honeypot for hackers to steal bitcoin. The first hack resulted in the loss of $40,000 worth of bitcoin.
Realizing this, Jed decided that he had neither the time nor the expertise to deal with these issues. He thought it would be best to sell the exchange.
Not long before this, Jed had been talking online with a user named MagicalTux, who came to be known as Mark Karpeles.
Mark was a French citizen living in Tokyo. He operated his own web-hosting business and became interested in Bitcoin. Mark would spend a lot of his time on forums talking to people who were also interested in Bitcoin.
Over time, Jed and Mark became very close through online forums. Mark assisted Jed on the back-end to help fix bugs and security issues.
By late 2010, Jed admitted to Mark that he’d been looking for investors to buy the exchange.
He estimated the exchange was worth $2 million. This valuation came from the current number of transactions, low operational costs, and the huge potential upside.
Jed initially struggled to find investors to take over the exchange. As time passed, he started to become antsy and asked Mark if he’d be interested in taking over.
Jed offered Mark a deal that was hard to refuse. Mark wouldn’t have to put up any of his own money. In return, Jed would keep 50 percent of the revenues for the first 6 months. Jed would also retain a 12 percent stake in the company, whereas Mark would retain the remaining 88 percent.
With a few informal legal documents exchanged between the two, the deal was completed.
Mark was now the owner of Mt. Gox.
Soon after Mark took ownership, an online drug marketplace called The Silk Road came online.
The Silk Road was an online marketplace for illegal drugs and weapons. It was only accessible from the deep web, where merchants would sign up and advertise their illegal drugs from all over the world.
Credit card companies could easily censor transactions going to these merchants. It became apparent that bitcoin could solve this issue. Merchants accepted only bitcoin as payment, which forced many customers to seek ways of acquiring this new digital currency.
These people came across Mt. Gox. Soon after, Mt. Gox became the popular choice amongst The Silk Road users. For the first time, bitcoin proved itself in an important use case: being censorship-resistant.
Nobody could stop someone from transacting on the Bitcoin network. This became incredibly valuable for customers and merchants of The Silk Road.
Over the next few months, Mt. Gox became the dominant Bitcoin exchange. However, this drew unwanted attention from hackers.
In March 2011, a hacker successfully stole 80,000 bitcoins from the Mt. Gox hot wallet. The hacker was able to make a copy of the wallet.dat file (which contains the private keys) and drain the bitcoin associated with this wallet.
Nowadays, private keys are password protected. A password prevents a hacker who has obtained a copy of a wallet.dat file from reading the keys in it.
Unfortunately, this security measure was not available at the time.
In May 2011, hackers gained access to a wallet stored on an off-site, unsecured, publicly accessible network drive. This enabled hackers to steal 300,000 bitcoins.
Fortunately, the hackers were afraid of being caught and returned the stolen bitcoin while keeping 1 percent (30,000 BTC) as a “keeper’s fee.”
One of the most notorious hacks occurred in June 2011. A hacker gained access to Jed’s administrator account. This allowed the hacker to artificially create over 100,000 bitcoins on the Mt. Gox exchange and dump them into a newly created account.
These bitcoins were created on the Mt. Gox exchange and not on the Bitcoin network, so the attack exploited a flaw within the accounting software of the exchange. The hacker proceeded to sell all the bitcoins on the exchange, causing the price to plummet to one cent.
The attack was well planned: the hacker knew that users could only withdraw $1,000 worth of bitcoins at a time. By reducing the bitcoin price drastically, the hacker was able to withdraw more bitcoin. Once the price of bitcoin was low enough, the hacker began buying with his own account and transferred the bitcoin off the exchange.
Side Note: One lucky customer managed to purchase bitcoin just above the 1 cent price, allowing him to purchase 259,864 BTC for about $3,000.
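As an added illustration (not code from Mt. Gox or from the original article), the sketch below shows why a withdrawal limit denominated in dollars and converted at the last trade price stops limiting anything once the price is crashed, next to a hardened version. The sample prices, the 100 BTC hard cap and the 20% deviation threshold are assumptions chosen for the example.

```python
from decimal import Decimal
from statistics import median

USD_LIMIT = Decimal("1000")      # per-withdrawal limit described in the article
BTC_HARD_CAP = Decimal("100")    # assumption: absolute cap in BTC, whatever the price
MAX_DEVIATION = Decimal("0.20")  # assumption: halt if price is >20% off the reference

def naive_max_btc(last_price):
    """Weak form: convert the dollar limit at whatever the last trade printed."""
    return USD_LIMIT / last_price

def hardened_max_btc(last_price, recent_prices):
    """Convert at a median reference price, halt on a price shock, cap in BTC."""
    if not recent_prices:
        raise ValueError("no reference prices available")
    reference = median(recent_prices)
    if abs(last_price - reference) / reference > MAX_DEVIATION:
        return Decimal("0")  # circuit breaker: hold withdrawals for manual review
    return min(USD_LIMIT / reference, BTC_HARD_CAP)

# Constructed sample data (not historical quotes): USD trade prices before the dump.
RECENT = [Decimal(p) for p in ("17.40", "17.45", "17.50", "17.55", "17.60")]

def compare(last_price, recent=RECENT):
    """Return (naive, hardened) BTC allowances for one withdrawal request."""
    return naive_max_btc(last_price), hardened_max_btc(last_price, recent)

if __name__ == "__main__":
    for label, price in (("normal market", "17.48"), ("after the dump", "0.01")):
        naive, hardened = compare(Decimal(price))
        print(f"{label}: naive={naive:.2f} BTC, hardened={hardened:.2f} BTC")
```

At a one-cent price the naive conversion allows 100,000 BTC per withdrawal, while the hardened check returns zero because the last price is far outside the reference band.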
Unfortunately, the hacks didn’t stop. Mark’s carelessness about improving security only caused the number of hacks to accelerate.
It became apparent that the hackers who originally gained access to the private keys had been slowly draining the Mt. Gox wallet since 2011.
At first, Mark hadn’t realized this and had consistently topped up the wallet. By 2013, Mark caught on and attempted to conceal the missing bitcoin. In an attempt to have customers keep their bitcoin on the exchange, a trading bot was used to push the bitcoin price higher.
An artificially increased price would disincentivize customers from withdrawing their bitcoin, helping to conceal the fact that Mt. Gox was insolvent.
In February 2014, Mt. Gox stopped all transactions. The initial claim for stopping transactions was that a bug in Bitcoin’s code was allowing hackers to manipulate transaction details. As always… Bitcoin was working just fine.
What really happened was that a hacker obtained a copy of Mt. Gox’s wallet.dat file and stole 630,000 bitcoin.
Mark could no longer hide Mt. Gox’s insolvency. On February 24, Mark filed for civil rehabilitation in Tokyo. On March 9th, Mt. Gox also filed for bankruptcy protection in the US.
In total, Mt. Gox claimed 850,000 bitcoin had been stolen. Of this, 750,000 belonged to customers and 100,000 to the exchange. At the time, this represented about 7 percent of all available bitcoins and was worth about $473 million.
In August 2015, Mark was arrested by the Japanese police and charged with fraud, embezzlement, and manipulation of the Mt. Gox accounting system.
After 4 years, on March 14, 2019, Mark was acquitted on a number of charges which included embezzlement and aggravated breach of trust. The court believed Mark acted without ill intent.
However, Mark was found guilty of falsifying data to inflate Mt. Gox’s holdings by $33.5 million. He was sentenced to 30 months in prison, but the sentence was later suspended. He avoided serving time provided he did not commit additional offenses during the next four years.
Kim Nilsson was one of the victims affected. Kim was a 36-year-old Swede living in Tokyo. He had been using Mt. Gox to build a small collection of bitcoin. Unlike most victims, Kim decided to investigate proactively to identify the people behind the hacks.
Kim spent three years going through Mt. Gox’s transactions. Much of the stolen bitcoin would end up in accounts located on an exchange called BTC-E. One account that held stolen bitcoin had cashed out to a bank account with a note “WME.”
After searching the internet, Kim was able to find a post on an online forum by a “WME” figure. In this post, he claimed an exchange had “stolen $100,000 USD+ and refuses to return it.”
To help strengthen his case, “WME” posted messages between the exchange and himself. One of the messages contained a document that showed the account the exchange had deposited his funds into. In this document, the account owner’s name was Vinnik Alexander.
Kim didn’t believe it would have been this easy to get his identity. At first, he believed the name was a pseudonym. However, with more investigation and the help of US federal agents, prosecutors had enough to indict Mr. Vinnik.
On July 25th, 2017, undercover cops arrested Mr. Vinnik while he was vacationing in Greece.
In July 2018, a Greek court ruled to extradite him to France over alleged money laundering, cybercrime, membership in a criminal organization, and extortion.
Kim was pleased to know Mr. Vinnik had been arrested, although he remained frustrated.
Kim’s claim is currently tied up in the Mt. Gox bankruptcy proceedings. With no resolution in sight, it will be years before Kim sees any of his money returned.
Policies and regulations for cryptocurrency exchanges are improving.
For example, exchanges based in North America are required to have a Money Service Business (MSB) license to legally operate. With clearer regulatory guidance, banks are starting to warm up to these types of businesses by offering bank accounts.
Other measures such as proof of reserves and customer deposit insurance policies have recently been developed. These measures help protect customer funds in the event of a hack and give better transparency with regard to the solvency of the exchange.
These steps are necessary to help legitimize cryptocurrency exchanges, making them more reliable and trustworthy among users.
However, these measures still do not change the fact that bitcoin stored on an exchange is not in your possession. A degree of trust is still required.
Whether you trust the exchange or not, unless you are in possession of the private keys, the bitcoins are technically not yours.