Mt. Gox: What We Still Don’t Know 10 Years After the Collapse

When Japanese bitcoin exchange Mt. Gox collapsed in February 2014, there were well-founded fears that it could kill the nascent cryptocurrency before it was more than five years out of the cradle. It is easy now to scoff at such suggestions, but many people thought along these lines given that Bitcoin had not yet faced such a catastrophe.

Mark Hunter has been an author and ghostwriter for 20 years and a leading cryptocurrency writer since 2017. He is the author of “Ultimate Catastrophe: How Mt. Gox Lost Half a Billion Dollars and Nearly Killed Bitcoin” co-creator and co-host of the podcast series “Dr Bitcoin: The Man Who Wasn't Satoshi Nakamoto.”

Over 880,000 BTC were lost by or stolen from Mt. Gox in various guises between March 2011 and January 2014, a haul worth a staggering $45 billion today, and yet with the 10th anniversary of its collapse upon us, there are still several important questions that remain unanswered.

One of the key questions that remains unknown is whether we know all of the culprits. Over 809,000 BTC were stolen across six hacks during Mt. Gox’s lifetime, and we only know of two names linked to one hack: Alexey Bilyuchenko and Aleksandr Verner, who are accused of being part of the Russian hacking group that compromised the exchange in October 2011. Over the course of 26 months, the pair helped steal and launder 647,000 bitcoins from the exchange’s cold wallets.

Verner and Bilyuchenko have only been charged by U.S. authorities with the laundering of the coins rather than the hack itself, however, which could suggest a lack of evidence against them on that charge.

See also: Where the Mt. Gox Money Went

Apart from these allegations, sealed in 2017 and made public in June last year, we have no idea who stole the remaining 162,000 BTC. 79,956 BTC remain tied to a well-known address beginning ‘1Feex’, while 77,500 stolen in September 2011 have never been traced. This hack was so successful it was not detected until 2015.

Then there’s the individual who stole 2,000 BTC in June 2011, which sent the value of bitcoin crashing from $17.50 to $0.01, and the hacker who swiped more than half the coins held by the exchange at the time, when Mt. Gox CEO Mark Karpelès left the wallet on a drive with unencrypted network. Fortunately for Karpelès the hacker got cold feet and negotiated a 1% bounty, leading to a loss of just 3,000 BTC for the exchange, rather than 300,000 BTC.

In all these cases we have no idea who did the deed, and it’s almost certain now that we never will. Many suspect the 1Feex hack was a dry run for the debilitating October 2011-January 2014 exploit, given that the modus operandi was the same, but this has never been confirmed.

Of the 881,865 BTC which left Mt. Gox unintentionally, we can only say for sure how 72,409 BTC were lost. 30,000 BTC were logged as deposits to customers by Mt. Gox’s system when they were in fact being stolen by hackers. An error by Mark Karpelès in October 2011 led to 2,609 being sent to a non-existent address. Two bots operating on Mt. Gox, Markus and Willy, lost 22,800 BTC. And Karpelès bought Polish exchange Bitomat for 17,000 BTC in July 2011.

When it comes to the remainder, the method of entry is generally either unknown or merely suspected. In the case of the June 2011 hack, we know that the hacker was able to get access to the Mt. Gox server through an administrator-level account. This was initially attributed to auditor Auden McKernan but it was later revealed that it was the account of Jed McCaleb, the founder who had sold Mt. Gox to Mark Karpelès, which inexplicably still had administrator privileges. It is thought that the hacker obtained the details when the entire Mt. Gox user database was stolen along with the 79,956 BTC in the 1Feex hack.

See also: Why Bitcoin's Greatest Hack Still Matters: The Legacy of Mt. Gox

Given that U.S. authorities were confident in naming Verner and Bilyuchenko as being part of a group that hacked into Mt. Gox in October 2011 they must have some evidence to back up their assertions, but unless it ever comes to a trial (which is almost certainly won’t now that their names are public) these details will likely never be divulged.

Related to the question of how the hackers gained access to the Mt. Gox servers is the question of how they were then able to access the funds supposedly securely stored in cold wallets. We know that until the June 2011 hack, Karpelès kept users’ bitcoins in a haphazard manner across various physical and software wallets, which exacerbated the impact of the hacks and prolonged the cleanup.

Karpelès claims that this incident led him to incorporate a much more secure system: he split the coins across numerous paper wallets (he later said hundreds of pieces of paper were involved) and stashed them in bank vaults and safety deposit boxes around Tokyo. Therefore, if the hot wallet was stolen again, as it was for the 1Feex hack, the cold wallets should not be affected.

This seems safe enough in itself, but when it was revealed that the exchange’s cold wallets had indeed been ransacked between October 2011 and January 2014, many started to ask questions, including then Bitcoin blogger and future General Partner at crypto investment firm Andreessen Horowitz, Arianna Simpson:

“If you’re doing it right, the cold storage should not be accessible via the hot wallet, leak or no leak. That’s the whole point of separating the two.”

So how were the cold wallets compromised? Karpelès has never confirmed his bespoke cold wallet-hot wallet setup, potentially to avoid lawsuits based on the mishandling of funds, but he has given hints in interviews that paint an inconsistent and at times illogical scenario.

The only way to safely top up a hot wallet with funds from a paper wallet is to go and get the paper wallet and execute a multi-step manual transaction on an ultra-secure network. This must be done every single time, which is of course entirely impractical for any Bitcoin exchange no matter what its size or trading volume. No Mt. Gox staff member has reported seeing Mark Karpelès handling paper wallets, and indeed some prominent members of staff told me for “Ultimate Catastrophe: How Mt. Gox Lost Half a Billion Dollars and Nearly Killed Bitcoin” that they had only ever heard hot wallets mentioned, never cold wallets.

See also: Mt. Gox Bitcoin (BTC) Payments Move Closer

Was there, therefore, a system that automatically topped up the hot wallet from the cold wallets when it ran dry and vice versa? This seems to be the only feasible way in which the exchange could have operated, although it totally undermines the principles of a cold wallet system.

This is the big question that still divides opinion. Naturally, Karpelès insists that he didn’t know the exchange had been bled dry until he checked the cold wallets in mid-February 2014, but there are flaws with this claim. Mt. Gox had started experiencing bitcoin withdrawal issues as far back as August 2013, which should have raised red flags. And yet Karpelès seems not to have considered Mt. Gox was underfunded, despite the exchange having been the victim of multiple hacks in its lifetime.

Karpelès was quick to blame the “transaction malleability” bug when it emerged in early 2014 as the reason for withdrawal issues, but this was known to require a tremendous amount of social engineering to pull off even a small theft. He also said he didn’t suspect any losses because there was a monitoring system in place. If such a system existed then it wasn’t designed properly, which is indicative of the kind of mismanagement that plagued the exchange.

Needless to say, there are plenty who refuse to believe that Karpelès only discovered the loss in February 2014. Others go further in saying Karpelès not only knew about the missing bitcoins, but used Willy and Markus to make up the loss. If this was Karpelès’ intention it backfired spectacularly: the pair lost 22,800 BTC and $51.6 million between them before the exchange collapsed.

The simple answer is that we can only speculate as to how the bitcoins on Mt. Gox were secured, and unless Mark Karpelès deigns to tell us it will remain that way.