Mt. Gox: the biggest hack in cryptocurrency history

16.09.2022

Intermediate

#Crimes #Mark Karpeles #Mt Gox

Key points

Mt. Gox was one of the world’s first bitcoin exchanges, launched in 2010. By early 2014 the platform accounted for about 70% of global bitcoin trading.
In 2014 Mt. Gox shut down after a “hole” in user balances caused by a hack was discovered. Between 2011 and 2013 attackers quietly siphoned 650,000 BTC — the largest hack in crypto history.
Since 2018 Mt. Gox has been in civil rehabilitation, which envisages distributing the cryptocurrency remaining on the exchange to victims. Around 25,000 users filed claims.
The organisers and perpetrators of the Mt. Gox hack remain unidentified. In the United States, former BTC‑e administrator Alexander Vinnik is on trial for laundering cryptocurrency stolen from Mt. Gox.

Who founded Mt. Gox, and when

Mt. Gox’s story did not start with cryptocurrency. In 2007 Jed McCaleb, future co‑founder of Ripple and Stellar, registered mtgox.com. He launched a platform called “Magic: The Gathering Online EXchange” for trading cards from the popular fantasy game. The shortened name was Mt. Gox.

After McCaleb learned about cryptocurrency in the summer of 2010, he decided to turn Mt. Gox into a bitcoin exchange. A year later he sold it to French developer Mark Karpeles, who lived in Japan, citing a lack of time to grow the project.

According to Rolling Stone, Karpeles effectively acquired Mt. Gox for free. In return he was obliged to pay McCaleb 50% of profits for the first six months of ownership and 12% thereafter.

Meanwhile Mt. Gox quickly gained popularity. In 2011 its user base already numbered tens of thousands, and by 2013 trading volume in bitcoin on the platform accounted for around 70% of the global total.

Early attacks on the exchange

Security problems began at Mt. Gox even before the sale. As later emerged, in March 2011 Karpeles told McCaleb that about 80,000 BTC in user funds had gone missing. The issue was brushed aside. In 2020 Karpeles said the stolen funds had been moved to a blockchain address controlled by Bitcoin SV creator Craig Wright. Some suggest he was behind the subsequent hack of the platform.

The first publicly recorded attack on Mt. Gox occurred in June 2011. Hackers managed to steal at least 25,000 BTC, then worth roughly $400,000. The price of bitcoin on Mt. Gox plunged from $17 to almost zero.

An internal investigation concluded that attackers had compromised Jed McCaleb’s old administrator account, giving them access to client funds and personal data.

About a week after the attack Mt. Gox resumed operations. Karpeles demonstrated control over the exchange’s wallets by making a confirming transaction and reimbursed client losses.

Successes and new problems (2011–2013)

After the first attack, activity on Mt. Gox gradually recovered, and by 2013 it had become the world’s largest venue for bitcoin trading. The company moved its head office to a prestigious Tokyo business district, and Karpeles became a prominent media spokesman for the bitcoin industry.

As later became clear, beneath the surface Mt. Gox was struggling. It lacked proper code quality and security controls. There was no financial accounting system to track balances and reserves. In short, no one was monitoring flows of money and cryptocurrency.

Most Mt. Gox users were in the United States, yet the exchange had no licence to operate there. In May 2013 US authorities seized about $5m of the project’s funds held at the payments service Dwolla. Mt. Gox subsequently obtained a money‑services licence from FinCEN.

In June the exchange halted US‑dollar deposits after Japanese bank Mizuho refused to service its accounts. Users began to complain en masse about lengthy cash withdrawals.

The second hack and Mt. Gox’s shutdown

In February 2014 Mt. Gox abruptly stopped bitcoin withdrawals. A press release said a bug in bitcoin’s code made it possible effectively to double‑spend coins, which attackers used against the exchange’s address. The platform then halted all withdrawals.

By the end of the month the price of bitcoin on Mt. Gox was just 20% of the market average, a clear signal that investors believed the project could not fix its problems. On 24 February all trading was halted; hours later the website went offline.

It later emerged that the team had discovered the theft of roughly 750,000 BTC from users that had gone unnoticed for years. The platform was insolvent. On 28 February Mt. Gox announced bankruptcy and closure.

How many bitcoins were stolen from Mt. Gox

The bankruptcy filing stated that, in addition to user funds, criminals had stolen 100,000 BTC from the exchange’s reserves. That brought total losses to 850,000 BTC — about 7% of the cryptocurrency’s supply at the time.

Total losses were estimated at $440m–$480m. As of September 2022, with bitcoin at about $20,000, that is roughly $17bn.

In addition to bitcoins, $28m in fiat “disappeared” from Mt. Gox’s bank accounts in Japan.

In March 2014 Mt. Gox reported the “sudden” discovery of about 200,000 BTC, held at an old‑format address used before June 2011. The address had been active only days before it was “found”. This reduced total cryptocurrency losses to 650,000 BTC, though it did not save Mt. Gox from closure.

Details of the Mt. Gox hack

The second and most extensive hack of Mt. Gox stemmed from poor security and multiple management failures. According to research by WizSec, the second and largest attack began back in 2011. Specialists found that:

In September 2011 hackers stole the private key to Mt. Gox’s hot bitcoin wallet. Using it, they gained control over users’ cryptocurrency flows to the exchange;

With this private key, the hackers quietly but regularly drained the exchange’s accounts for years;

In mid‑2013, when inflows to the exchange slowed, the hackers withdrew 630,000 BTC from Mt. Gox’s wallet in one go.

How Alexander Vinnik’s arrest is linked to Mt. Gox

Because many Mt. Gox victims were in the United States, authorities there opened an investigation.

In late July 2017, Greek police detained Alexander Vinnik, an administrator of the Russian crypto exchange BTC‑e. He was accused of laundering funds stolen from Mt. Gox. According to the US Department of Justice, the criminal organisation involving Vinnik laundered nearly 307,000 BTC of the 850,000 BTC stolen from Mt. Gox via BTC‑e.

Extradition requests were sent to Greece by several countries — the United States, France and Russia. In 2020 he was extradited to France, where he was sentenced to five years in prison and a €100,000 fine. In the summer of 2022 Vinnik was extradited to the United States, where he faces up to 55 years in prison.

Investigation and litigation

In May 2016 Kraken, the Canadian crypto exchange that assisted the investigation, completed the collection and analysis of creditors’ claims. According to Kraken, 24,750 users filed for payouts.

By decision of the Tokyo District Court, which became the main forum for the Mt. Gox case, the compensation process shifted from bankruptcy to civil rehabilitation. Under bankruptcy, creditors would have received compensation equal to assets at the time of the filing; under civil rehabilitation, they would receive “physical” bitcoins or the fiat equivalent at the time of distribution.

In February 2021 the court approved a plan to reimburse creditors in bitcoin, and only in July 2022 did Mt. Gox trustee Nobuaki Kobayashi announce preparations for distributions. As of mid‑September 2022, no precise figures or dates had been set.

What became of Mark Karpeles

On 1 August 2015 Japanese police arrested former Mt. Gox chief Mark Karpeles. He was charged with fraud, embezzlement and manipulating the exchange’s computer system to inflate account balances.

In July 2016 Karpeles was released on bail of about $95,000. In March 2019 he was found guilty of falsifying records and sentenced to two years and six months’ imprisonment, later suspended for four years.

In spring 2022 Karpeles announced plans to launch a crypto‑ratings agency and distribute NFTs to former Mt. Gox clients.

How much cryptocurrency remains on Mt. Gox addresses

Mt. Gox trustee Nobuaki Kobayashi managed to sell part of the BTC and BCH holdings in early 2018, before the shift from bankruptcy to civil rehabilitation. From April to May 2018 Kobayashi sold 24,658 BTC and 25,331 BCH for a total of $406m.

According to Cryptoground, which tracks Mt. Gox wallet balances, the exchange holds a total of 137,891 BTC and 137,891 BCH — worth more than $2.3bn at prices on 15 September 2022.

What compensation will Mt. Gox clients receive

Public documents do not give exact figures for bitcoin distributions to creditors. However, in 2021 a CoinLab representative said users might receive only 0.23 BTC for each bitcoin stolen from them at Mt. Gox.

Specialised firms later emerged offering to buy creditors’ claims. For example, in late 2019 the investment group Fortress sent a letter to Mt. Gox creditors offering to purchase their claims for $5,000 per bitcoin — allowing immediate payment without waiting for the lengthy court process.

In dollar terms, 0.23 BTC is about $4,600 at a bitcoin price of $20,000 as of 15 September 2022. When the bankruptcy was filed in 2014, the price of bitcoin was around $489. That implies almost a tenfold gain in dollar terms, despite losing more than three‑quarters of bitcoin holdings.

In autumn 2021 a compensation plan was published and approved by the court. However, payouts to former Mt. Gox users have yet to begin.