
How a Mountain of Bitcoins Vanished: the Mt. Gox Hack

How were hackers able to attack the Mt. Gox cryptocurrency exchange and carry out the largest-ever reported theft of bitcoin?


This is an edited version of a paper I wrote in 2019 as part of a post-grad course on information security management.


At a press conference in Tokyo on February 28, 2014, bitcoin exchange Mt. Gox revealed it had been the victim of what was at the time – and remains today – the largest theft of bitcoins ever disclosed.

Mt. Gox chief executive Mark Karpeles told the press conference approximately 850,000 bitcoins belonging to his company and its customers were missing, believed stolen by hackers.

The following month, Karpeles revised the loss down to 650,000 bitcoins – valued at the time at approximately $US360 million. Even at the revised-down value, the Mt. Gox heist amounted to more than five times the number of bitcoins stolen in the second largest reported bitcoin theft when just under 120,000 bitcoins were stolen from the Bitfinex exchange in August 2016.

The Mt. Gox theft forced the company – which had been the world’s largest bitcoin exchange – into bankruptcy. It resulted in significant losses for Mt. Gox’s customers and led to Karpeles being arrested, held in custody and eventually convicted on charges of falsifying data. He was, however, acquitted of other more serious charges of embezzlement and aggravated breach of trust.

Karpeles has always denied having any involvement in the disappearance of Mt. Gox’s bitcoins and no evidence has come to light suggesting the theft was an inside job. The falsifying data charges he was convicted on pertained to unrelated actions he took to amend company records in order to inflate the value of Mt. Gox’s cryptocurrency assets.

As well as the impact it had on those directly involved, the heist also rocked the confidence of the then nascent global bitcoin community, resulting in a steep – although temporary – decline in the price of bitcoin over the following months.

Announcing the quantum of the loss at the Tokyo press conference, Karpeles offered up a very simple explanation of what had gone wrong. “We had weaknesses in our system, and our bitcoins vanished,” he told reporters.

But how did the world’s largest cryptocurrency exchange – which was processing approximately 70 percent of all bitcoin transactions globally prior to its collapse – leave itself open to losing more than a third of a billion dollars of virtual assets?

Karpeles’ February 28, 2014 revelation about the quantum of the company’s loss did not come out of the blue. Earlier in the month, Mt. Gox issued a statement saying it had suspended customers’ ability to withdraw bitcoins from the exchange as it attempted “to obtain a clear technical view” of issues it was experiencing. The statement said the issues were due to transaction malleability – a blockchain-related security weakness that can allow “double-spending” by the holders of bitcoin.

However, research by Decker and Wattenhofer subsequently found there had not been widespread use of malleability attacks prior to Mt. Gox’s closure. After analysing bitcoin transactions on the blockchain, they concluded that a maximum of only 386 bitcoins could have been stolen using malleability attacks on Mt. Gox. “[Mt. Gox] needs to explain the whereabouts of 849,600 bitcoins,” Decker and Wattenhofer stated.

According to Adelstein & Stucky, Karpeles drew the ire of the wider bitcoin community when he claimed Mt. Gox’s problems were a result of malleability attacks. Security adviser Jason Maurice told Adelstein & Stucky it wasn’t until February 2014 that Karpeles understood the transaction malleability threat and developed a solution to mitigate it.

“Basically he dismissed a multimillion-dollar bug in his software that any decent software engineer would immediately have realized was a major issue,” Maurice told Adelstein & Stucky.
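The malleability weakness referred to above, illustrated by an added example that is not part of the original paper. It uses a simplified transaction model, constructed here rather than Bitcoin's real wire format, to show that re-encoding a transaction's unlocking script changes its txid while leaving what it spends and pays untouched, so an exchange that reconciles withdrawals by txid would treat a confirmed payment as one that never happened. All transaction values below are constructed.

```python
import hashlib
from dataclasses import dataclass

PREV_TXID = "ab" * 32                         # constructed: the exchange's own UTXO being spent
CUSTOMER_SPK = "76a914" + "cd" * 20 + "88ac"  # constructed: customer's P2PKH output script
SIG = bytes.fromhex("3044" + "11" * 68)       # constructed stand-in for a DER signature

@dataclass(frozen=True)
class TxIn:
    prev_txid: str
    prev_vout: int
    script_sig: bytes   # unlocking script; its encoding is NOT covered by the signature

@dataclass(frozen=True)
class Tx:
    vin: tuple
    vout: tuple         # ((value_satoshi, script_pubkey_hex), ...)

    def serialize(self) -> bytes:
        # Simplified serialization for this example, not Bitcoin's real wire format.
        out = b""
        for i in self.vin:
            out += bytes.fromhex(i.prev_txid) + i.prev_vout.to_bytes(4, "little")
            out += len(i.script_sig).to_bytes(2, "little") + i.script_sig
        for value, spk in self.vout:
            out += value.to_bytes(8, "little") + bytes.fromhex(spk)
        return out

    def txid(self) -> str:  # double SHA-256, shown byte-reversed as Bitcoin does
        return hashlib.sha256(hashlib.sha256(self.serialize()).digest()).digest()[::-1].hex()

    def outpoints(self) -> frozenset:
        return frozenset((i.prev_txid, i.prev_vout) for i in self.vin)

def push(data: bytes) -> bytes:
    return bytes([len(data)]) + data            # direct push opcode
def push_alt(data: bytes) -> bytes:
    return b"\x4c" + bytes([len(data)]) + data  # OP_PUSHDATA1: same data, different bytes

def build_withdrawal(encode) -> Tx:
    """The same withdrawal (same input, same payout) under a given scriptSig encoding."""
    return Tx(vin=(TxIn(PREV_TXID, 0, encode(SIG)),), vout=((50_000_000, CUSTOMER_SPK),))

def paid_by_txid(pending: Tx, confirmed: list) -> bool:
    """Fragile reconciliation: only matches if the txid survived relay unchanged."""
    return any(c.txid() == pending.txid() for c in confirmed)

def paid_by_outpoints(pending: Tx, confirmed: list) -> bool:
    """Robust reconciliation: the input is spent and the customer's output is present."""
    return any(c.outpoints() == pending.outpoints() and c.vout == pending.vout for c in confirmed)
```

With the txid-based check the exchange would re-send a withdrawal that has already confirmed under the other txid; the outpoint-based check recognises the payment regardless of how the script was encoded.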

From Trading Card Site to Bitcoin Exchange

2014 was not the first time Mt. Gox had suffered losses due to security failings. The company’s security weaknesses can be traced back to its inception and were exacerbated by a lack of systems and procedures, and Karpeles’ unfocused leadership.

Mtgox.com was originally a website set up as an exchange to trade cards owned by players of the fantasy game Magic: The Gathering Online. (Mt. Gox is an acronym for “Magic: The Gathering Online eXchange”.)

The card exchange did not last and, in 2010, when bitcoin was still in its infancy, the site’s founder, Jed McCaleb, repurposed mtgox.com as a bitcoin exchange. He sold the Mt. Gox business to Karpeles in 2011.

Karpeles’ acquisition of the business coincided with a period of massive growth in interest in bitcoin trading. By April 2012, Mt. Gox was receiving between $US5 million and $US20 million in incoming transfers per day. The company was facilitating more than 70 percent of the world’s bitcoin transactions, yet Karpeles had virtually no experience in the financial services sector and the former card-trading platform he was running was technically and procedurally ill-equipped to cope with the demands placed on it.

The site’s significant security risks and vulnerabilities had already been exposed in June 2011 when a user was able to manipulate the trading price, effectively enabling them to buy up large volumes of bitcoins for nothing. That attack resulted in the loss of bitcoins worth, at the time, $US8.75 million. Over the same weekend, a hacked database of Mt. Gox users was circulated online, and an apparent cross-site request forgery vulnerability was reported.

According to the findings of an extensive investigation into the subsequent, larger loss of the 650,000 bitcoins, carried out by specialist security firm WizSec, the hack began in 2011 with the theft of hot wallet private keys “in a case of a simple copied wallet.dat file”. Having obtained the private keys, those responsible were able to siphon bitcoins out of the wallets periodically over the ensuing months and years, without Mt. Gox management becoming aware that their bitcoin storage had been compromised.

A bitcoin exchange operator, Alexander Vinnik, was arrested in July 2017 and implicated by authorities as a central figure in the Mt. Gox heist. WizSec also described Vinnik as their “chief suspect” in the theft.

Lax Security Processes Amplified by CEO’s Lack of Focus

While it seems extraordinary that such large-scale theft could be instigated and continue for several years under the company’s nose, a picture would emerge of the corporate culture at Mt. Gox that enabled this to happen. The environment within Mt. Gox – as portrayed by some of those working there – was described as “a messy combination of poor management, neglect and raw inexperience”.

According to one software developer who had worked in the business, the company did not use any form of version control when developing software. Until a short time before its collapse, it also did not use a software testing environment, instead pushing changes out directly to a live environment. Karpeles was the only person in the organization who could approve source code changes, meaning some bug fixes would take weeks to be deployed.

Karpeles was said to be “obsessed” with a side project, the development of a bitcoin-themed café within the company’s headquarters, an endeavour which consumed much of his efforts despite Mt. Gox facing a number of serious issues that were threatening the business’s survival. According to one insider: “Aside from the café, he [Karpeles] liked to spend time fixing servers, setting up networks and installing gadgets … probably distracting himself from dealing with the real issues that the company was up against.”

One unnamed former Mt. Gox employee told Adelstein and Stucky that Karpeles was not motivated by malice or making profit for himself, but was simply overcome by the situation he found himself in:

He’s a workaholic and a geek, but a good-hearted geek. He just has very limited management skills, a little hubris, and didn’t pay attention to accounting. He was only twenty-seven or twenty-eight years old.

The extent of the failings of business processes – or, indeed the lack of them – is evidenced by the way Mt. Gox initially over-estimated the extent of the eight-figure bitcoin loss it discovered in 2014.

After initially announcing the company was missing 850,000 bitcoins, Karpeles later announced 200,000 of the coins had subsequently been found in a wallet that had previously been assumed to be empty.

Fallout from the Hack Spread Beyond Mt. Gox and its Customers

The collapse of Mt. Gox, which followed from its falling victim to the largest-ever bitcoin heist, had a significant financial impact on the exchange’s customers, staff and chief executive, with the latter also ending up facing the consequences through Japan’s notoriously harsh legal system.

The company’s bankruptcy also inflicted reputational damage on the wider bitcoin ecosystem. The potential for such damage was recognized by the company itself, as revealed in a leaked internal crisis strategy document.

The document said with bitcoin and cryptocurrencies only recently having gained acceptance in the public eye, “the likely damage in public perception to this class of technology [as a result of fallout from the Mt. Gox crisis] could put it back 5~10 years, and cause governments to react swiftly and harshly”.

“At the risk of appearing hyperbolic, this could be the end of Bitcoin, at least for most of the public,” the leaked document stated.

Other players in the bitcoin ecosystem had similar thoughts and scrambled to minimise the damage from Mt. Gox’s crisis.

As reported by Byford (2014) and others, a number of bitcoin industry companies put their names to a joint statement, which read in part: “This tragic violation of the trust of users of Mt. Gox was the result of one company’s actions and does not reflect the resilience or value of Bitcoin and the digital currency industry.”

How can cryptocurrency exchanges mitigate security risks?

As the value of bitcoin skyrocketed in the period between 2011 and 2014, hacker interest in targeting cryptocurrency exchanges intensified and Mt. Gox, as the dominant operator, was an obvious target.

The security threats faced by cryptocurrency exchanges have only become more intense since the collapse of Mt. Gox. As holders of literally billions of dollars of easily transferable assets, they are among the most lucrative potential targets for cyber criminals.

As WizSec’s Kim Nilsson said in 2016: “The unfortunate reality of Bitcoin is that it’s just so tempting to steal it digitally.”

In the case of Mt. Gox, an obvious security failing was the storing on its servers of an unencrypted wallet.dat file containing private keys to its hot wallets. While that was unforgivable, perhaps an even more fundamental failing was the company’s seeming lack of a security-focused culture, and its shambolic lack of risk-related planning and policy.

As Whitman & Mattord put it: “It is difficult to overstate how essential planning is to business and organizational management.”

For a cryptocurrency exchange business, given the inherent risks it faces from hackers, effective cyber security planning needs to be at the top of its priority list.

IT development company Merehead identified 14 areas cryptocurrency exchanges should consider in order to make their security stronger.

If Mt. Gox were still active today, it would be well advised to consider acting on Merehead’s entire list. However, from what is known of the specifics of the vulnerabilities which enabled the site to be compromised, taking action on two items listed by Merehead could have potentially mitigated the most obvious of those vulnerabilities:

Exposure of Server Information

The attacker’s ability to obtain the wallet.dat file containing the private keys to Mt. Gox’s bitcoin wallets was the major breach which led, eventually, to the company’s collapse.

Complying with best-practice development procedures, and ensuring a company’s focus on security remains paramount, will go some way towards mitigating the risk of server information being exposed, as it was in the Mt. Gox case.

Cold storage

Once the Mt. Gox attacker had obtained the company’s wallet.dat file, they effectively had access to the bitcoins stored in its hot wallets (an online cryptocurrency storage method). This enabled the hacker to continue pilfering the company’s digital assets over a period of months and years.

While some degree of hot wallet storage is an operational necessity for cryptocurrency exchanges, they must store the bulk of their assets in cold (offline) wallets in order to reduce the risk of the contents of those wallets being stolen. The fact that a hacker was able to access the wallet.dat file, together with the post-hack retrieval of a previously discounted wallet containing 200,000 bitcoins, shows Mt. Gox’s wallet security management policies and procedures were woefully inadequate.
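The two controls this section and the WizSec findings point to, as an added example that is not part of the original paper: a solvency check that compares what the internal ledger says customers own with what is actually on-chain, a hot-wallet cap that says how much should be swept to cold storage, and a per-wallet drift check that flags any balance decrease not explained by withdrawals the exchange itself approved. The wallet names and figures are constructed and are not Mt. Gox's real numbers.

```python
from dataclasses import dataclass

BTC = 100_000_000   # satoshi per bitcoin

@dataclass
class Wallet:
    name: str
    kind: str       # "hot": signing keys online for withdrawals; "cold": keys kept offline
    onchain: int    # balance currently observable on the blockchain, in satoshi

def reconcile(wallets, ledger_liabilities, hot_cap_percent=5):
    """Solvency and exposure check. Returns (shortfall, sweep_to_cold) in satoshi:
    shortfall > 0 means the chain holds less than the internal ledger says customers own;
    sweep_to_cold > 0 means the hot share exceeds the cap and that much should move offline."""
    total = sum(w.onchain for w in wallets)
    hot = sum(w.onchain for w in wallets if w.kind == "hot")
    shortfall = max(0, ledger_liabilities - total)
    sweep_to_cold = max(0, hot - total * hot_cap_percent // 100)   # integer maths, no float
    return shortfall, sweep_to_cold

def unexplained_outflow(prev_onchain, curr_onchain, approved_withdrawals):
    """Drift check between two snapshots of one wallet: a decrease not covered by
    withdrawals the exchange signed off is the signature of keys in someone else's hands."""
    expected = prev_onchain - sum(approved_withdrawals)
    return max(0, expected - curr_onchain)

# Constructed snapshot: the ledger says customers own 1,000 BTC, the chain shows 820 BTC.
WALLETS = [
    Wallet("hot-withdrawals", "hot", 120 * BTC),
    Wallet("cold-vault-1", "cold", 700 * BTC),
]
LEDGER_LIABILITIES = 1_000 * BTC

if __name__ == "__main__":
    shortfall, sweep = reconcile(WALLETS, LEDGER_LIABILITIES)
    print(f"shortfall {shortfall / BTC:.0f} BTC, sweep {sweep / BTC:.0f} BTC to cold")
    print(f"unexplained {unexplained_outflow(120 * BTC, 110 * BTC, [3 * BTC, 2 * BTC]) / BTC:.0f} BTC")
```

Run daily, the shortfall alone would have surfaced a years-long siphoning of hot wallet funds long before customers noticed withdrawals failing.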

Conclusion

The rise and fall of Mt. Gox can be considered a classic case study in the dangers faced by a company that finds itself experiencing strong growth.

Those dangers include failure to plan for, address and deal with multiple risk factors in general – and cybersecurity issues in particular – until it is too late.

In the words of Quora user Anthony Alfidi: “That’s what happens when someone tries to turn a playing card portal into a financial exchange.”
