Mt. Gox Auditor Theft: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
(Template)
 
(Created Mt. Gox Auditor Theft page.)
Line 1: Line 1:
New cases added need to comply with the [[Criteria for Case Inclusion]]. A high level overview of all the most relevant facts and information in the case would be included here. Case studies would then generally comprise of the following primary sections:
Although Mt. Gox is today synonymous with their most famous hack, at this time in June 2011 it was a massive exchange in full operation. A hacker managed to manufacture bitcoins using the credentials of an auditor, and sold them on the exchange, including to himself, then withdrew the earnings. Reports suggest that lost funds were not returned to their rightful owners.


== About [Service] ==
== About Mt. Gox ==
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
At the time Mt. Gox was established, there were no other major trading platforms for cryptocurrencies.<blockquote>"Mt.Gox is the world's most established Bitcoin exchange. You can quickly and securely trade bitcoins with other people around the world with your local currency!"
 
"It allows you to trade US Dollars (USD) for Bitcoins (BTC) or Bitcoins for US Dollars with other Mt Gox users. You set the price you want to buy or sell your BTC for."
 
"Buy Bitcoins at market rates with your credit card or many other payment methods." "Automate your trading with our Trading API" "Dark pools allow you to trade large quantities without moving the market."
 
"Fully automated, always available, 24 hours a day, Safe and Easy."
 
"The only multi-currency Bitcoin trading platform where you can trade with the entire world in your local currency."</blockquote>Mt. Gox achieved a wide popularity due to the ease with which users could sign up for services there. <blockquote>"Buying and selling Bitcoin doesn't have to be complicated! Get trading in a few simple steps."
 
"4 Easy Steps:
 
1. Make an Account.
 
2. Add some funds.
 
3. Buy or Sell Bitcoins.
 
4. Withdraw your converted funds."</blockquote>Basic features like SSL were provided for account security and 24/7 uptime was advertised as a selling point.<blockquote>"Mt.Gox is protected by Prolexic and certified by VeriSign, which means all communications with our servers are encrypted with SSL technology."
 
"We're always on. Buy and sell Bitcoin 24/7/365 with the world's most sophisticated trading platform."  </blockquote>The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.


Include:
Include:
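Review bot: The added About Mt. Gox text still ends with the template sentence "The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events." directly after the last closing blockquote, and the template "Include:" guidance follows it. Delete the leftover guidance now that the section has real content. The opening claim that there were no other major trading platforms when Mt. Gox was established is also the only statement in this section not backed by a quotation, so it needs a source.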
Line 27: Line 47:
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.
* Details of what audits reported and how vulnerabilities were missed during auditing.
It would appear that the security around passwords was such that they were not properly secured. If passwords were hashed, it was a weak hashing algorithm. It was possible to reverse engineer the weak hashing function with brute force attacks on the account passwords.


== What Happened ==
== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss.
"On 13 June 2011, the Mt. Gox bitcoin exchange reported some 25,000 BTC (US$400,000 at the time) robbed from 478 accounts. Then on Friday 17 June, Mt. Gox's user database leaked for sale to pastebin, signed by ~cRazIeStinGeR~ and tied to auto36299386@hushmail.com. The theft of Bitcoins from Mt. Gox accounts continued, reportedly, throughout that day."
 
“On June 19, 2011” an “auditor was hired to verify that Mt. Gox had sufficient bitcoin and cash reserves to cover its holdings, but the hacker was able to use the auditor’s computer to steal bitcoins from the exchange. The hacker used the auditor’s access to sell bitcoins to his or her own wallet, causing the price of bitcoin on the exchange to plummet.


== Key Event Timeline ==
"The forum has a thread with the title “I'm Kevin, here's my side”. In which the user toasty tells how once he saw that gigantic sell order was burning through the bids at exchange, the price dropped from 17.5$ dollars to 10$, Mt. Gox processed orders slowly, it all lasted a minutes, there were many orders to buy bitcoin for $ 0.01, so he placed his order for $ 0.0101, the exchange was heavily lagging, but with some effort, he managed to place that order, then The site stopped responding completely, when he got back in, he saw:"
A timeline of events which happened in this case.
 
"06/19/11 17:51 Bought BTC 259 684.77 for 0.0101"
 
This "security breach ... caused ... the price of a bitcoin to fraudulently drop to one cent, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself." "On 19 June, a stream of fraudulent trades caused the nominal price of a bitcoin to fraudulently drop to one cent on the Mt. Gox exchange, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself. He used the exchange's software to sell them all nominally, creating a massive "ask" order at any price. Within minutes the price corrected to its correct user-traded value.  
{| class="wikitable"
{| class="wikitable"
|+
|+Key Event Timeline - Mt. Gox Auditor Theft
!Date
!Date
!Event
!Event
!Description
!Description
|-
|-
|January 14th, 2023 8:16 AM
|June 13th, 2011
|First Event
|Exchange Reports Losses
|This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.
|The exchange made an announcement that 25,000 BTC (worth $400,000 USD at the time) were robbed from 478 accounts.
|-
|-
|
|June 17th, 2011
|
|Pastebin File Leaked
|
|A pastebin file was leaked with the user database credentials.
It was reported that a theft of bitcoins from accounts continued through the day.
|-
|-
|
|June 19th, 2011
|
|Auditor Steals Bitcoins
|
|The auditor hired to verify that the holding of Mt. Gox were sufficient used their access to sell bitcoins to their own wallet.
|}
|}


== Total Amount Lost ==
== Total Amount Lost ==
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
The hacker acquired an estimated 2,000 BTC through this strategy, with an additional 650 BTC purchased by other Mt. Gox users at deflated prices.”
 
Accounts with the equivalent of more than $8,750,000 were affected."


== Immediate Reactions ==
== Immediate Reactions ==
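Review bot: The June 19th timeline row is titled "Auditor Steals Bitcoins" and says the auditor used their access to sell bitcoins to their own wallet, but the quotations added under What Happened say a hacker used credentials from the auditor's compromised computer. Reword the row so it matches the quoted sources. The same hunk replaces the "== Key Event Timeline ==" heading with the forum quotation, so the table loses its section heading and should get it back. The quotation marks are also unbalanced: the passage opening with “On June 19, 2011” is only closed after "deflated prices" under Total Amount Lost, and the "Accounts with the equivalent of more than $8,750,000" line has a closing quote with no opening one.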
Line 59: Line 88:


== Ultimate Outcome ==
== Ultimate Outcome ==
"He realized that these bitcoins were most likely from hacking and wanted to behave as honestly as possible, especially since on the eve he sent his id documents for passing verification. There was a limit for withdrawal, but there was a bug that allowed you to withdraw $ 1000 many times in a day, he could also sell a huge number of bitcoins, lower the price again to 0.01 cents, and withdraw all bitcoins fitting in the daily limit, but he did not do it, he only withdraw 643 bitcoins. He hoped until the end that he would be let to keep these BTC, but there where decision to roll back all transactions, and Kevin gained only 643 BTC."
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?


== Total Amount Recovered ==
== Total Amount Recovered ==
"To prove that Mt. Gox still had control of the coins, the move of 424,242 bitcoins from "cold storage" to a Mt. Gox address was announced beforehand, and executed in Block 132749."
“None of the [withdrawn] bitcoins were returned to their rightful owners.”
What funds were recovered? What funds were reimbursed for those affected users?
What funds were recovered? What funds were reimbursed for those affected users?


== Ongoing Developments ==
== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
While the issues here have been largely settled out, the Mt. Gox bankruptcy continues to play out.


== Prevention Policies ==
== Prevention Policies ==
Which policies could have prevented this event from happening?
Generally, minting of new coins in the database needs to have tight access control. For example, an auditor's access level should be read-only.
 
Regarding the lost funds, these all came from the hot wallet. Serious losses can be prevented with a multi-signature cold storage wallet, limiting the total losses to the funds available in the hot wallet. There is no need for an auditor to have access to any funds, as access can be proven by creating a small transaction or partially signing a hypothetical transaction.


== References ==
== References ==
A section with the references where information came from.
[https://bitcointalk.org/index.php?topic=83794.msg923918#msg923918 <nowiki>List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old]</nowiki>] (Jan 27)
 
[https://medium.com/@kylegibson/100-crypto-thefts-a-timeline-of-hacks-glitches-exit-scams-and-other-lost-cryptocurrency-873c87fd5522 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents] (Jan 24)
 
[https://bitcointalk.org/index.php?topic=576337 List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses] (Feb 14)
 
[https://bitcoinexchangeguide.com/bitcoin/scams-hacks/ Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com] (Mar 4)
 
[https://darknetdiaries.com/episode/9/ The Rise and Fall of Mt. Gox – Darknet Diaries] (Jun 24)
 
[https://web.archive.org/web/20110203031942/http://mtgox.com/ Mt Gox - Bitcoin Exchange]  (Oct 12)
 
[https://web.archive.org/web/20120112024603/https://mtgox.com/ Mt.Gox - Bitcoin Exchange]  (Oct 12)
 
[https://blockonomi.com/mt-gox-hack/ The History of the Mt Gox Hack: Bitcoin's Biggest Heist] (Dec 22)
 
https://media.consensys.net/mtgox-btc-e-and-the-missing-coins-a-living-timeline-of-the-greatest-cyber-crime-ever-f94fbb1eb42 (Dec 22)
 
[[wikipedia:Mt._Gox|Mt. Gox - Wikipedia]] (Dec 22)
 
[https://bitcointalk.org/index.php?topic=3247239.0 Legendary profiles of bitcointalk.] (Mar 7)
 
[https://bitcointalk.org/index.php?topic=20207.0 I'm Kevin, here's my side.] (Mar 15)
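Review bot: Under Total Amount Recovered, the quotation about moving 424,242 bitcoins from cold storage in Block 132749 describes a proof of control, not recovered funds, so it should move to Immediate Reactions (still template text) or get a sentence explaining why it sits here. The template prompts "What was the end result? ..." and "What funds were recovered? ..." are left under the new text and should be removed. Ultimate Outcome also gives 643 BTC for Kevin while Total Amount Lost gives 650 BTC bought by other users, and Prevention Policies states the lost funds all came from the hot wallet without anything earlier in the revision supporting it; reconcile or attribute these figures.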

Revision as of 13:37, 17 January 2023

Although Mt. Gox is today synonymous with its most famous hack, in June 2011 it was a massive exchange in full operation. A hacker managed to manufacture bitcoins using the credentials of an auditor, sold them on the exchange, including to himself, and then withdrew the earnings. Reports suggest that lost funds were not returned to their rightful owners.

About Mt. Gox

At the time Mt. Gox was established, there were no other major trading platforms for cryptocurrencies.

"Mt.Gox is the world's most established Bitcoin exchange. You can quickly and securely trade bitcoins with other people around the world with your local currency!"

"It allows you to trade US Dollars (USD) for Bitcoins (BTC) or Bitcoins for US Dollars with other Mt Gox users. You set the price you want to buy or sell your BTC for."

"Buy Bitcoins at market rates with your credit card or many other payment methods." "Automate your trading with our Trading API" "Dark pools allow you to trade large quantities without moving the market."

"Fully automated, always available, 24 hours a day, Safe and Easy."

"The only multi-currency Bitcoin trading platform where you can trade with the entire world in your local currency."

Mt. Gox achieved wide popularity due to the ease with which users could sign up for services there.

"Buying and selling Bitcoin doesn't have to be complicated! Get trading in a few simple steps."

"4 Easy Steps:

1. Make an Account.

2. Add some funds.

3. Buy or Sell Bitcoins.

4. Withdraw your converted funds."

Basic features like SSL were provided for account security and 24/7 uptime was advertised as a selling point.

"Mt.Gox is protected by Prolexic and certified by VeriSign, which means all communications with our servers are encrypted with SSL technology." "We're always on. Buy and sell Bitcoin 24/7/365 with the world's most sophisticated trading platform."

The Reality

It appears that account passwords were not properly secured. If passwords were hashed, the hashing algorithm was weak, and it was possible to recover account passwords from the hashes with brute-force attacks.

What Happened

"On 13 June 2011, the Mt. Gox bitcoin exchange reported some 25,000 BTC (US$400,000 at the time) robbed from 478 accounts. Then on Friday 17 June, Mt. Gox's user database leaked for sale to pastebin, signed by ~cRazIeStinGeR~ and tied to auto36299386@hushmail.com. The theft of Bitcoins from Mt. Gox accounts continued, reportedly, throughout that day."

“On June 19, 2011” an “auditor was hired to verify that Mt. Gox had sufficient bitcoin and cash reserves to cover its holdings, but the hacker was able to use the auditor’s computer to steal bitcoins from the exchange. The hacker used the auditor’s access to sell bitcoins to his or her own wallet, causing the price of bitcoin on the exchange to plummet.

"The forum has a thread with the title “I'm Kevin, here's my side”. In which the user toasty tells how once he saw that gigantic sell order was burning through the bids at exchange, the price dropped from 17.5$ dollars to 10$, Mt. Gox processed orders slowly, it all lasted a minutes, there were many orders to buy bitcoin for $ 0.01, so he placed his order for $ 0.0101, the exchange was heavily lagging, but with some effort, he managed to place that order, then the site stopped responding completely, when he got back in, he saw:"

"06/19/11 17:51 Bought BTC 259 684.77 for 0.0101"

This "security breach ... caused ... the price of a bitcoin to fraudulently drop to one cent, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself." "On 19 June, a stream of fraudulent trades caused the nominal price of a bitcoin to fraudulently drop to one cent on the Mt. Gox exchange, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself. He used the exchange's software to sell them all nominally, creating a massive "ask" order at any price. Within minutes the price corrected to its correct user-traded value."

{| class="wikitable"
|+Key Event Timeline - Mt. Gox Auditor Theft
!Date
!Event
!Description
|-
|June 13th, 2011
|Exchange Reports Losses
|The exchange made an announcement that 25,000 BTC (worth $400,000 USD at the time) were robbed from 478 accounts.
|-
|June 17th, 2011
|Pastebin File Leaked
|A pastebin file was leaked with the user database credentials.
It was reported that a theft of bitcoins from accounts continued through the day.
|-
|June 19th, 2011
|Auditor Steals Bitcoins
|The auditor hired to verify that the holdings of Mt. Gox were sufficient used their access to sell bitcoins to their own wallet.
|}

Total Amount Lost

The hacker acquired an estimated 2,000 BTC through this strategy, with an additional 650 BTC purchased by other Mt. Gox users at deflated prices.”

"Accounts with the equivalent of more than $8,750,000 were affected."

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

"He realized that these bitcoins were most likely from hacking and wanted to behave as honestly as possible, especially since on the eve he sent his ID documents for passing verification. There was a limit for withdrawal, but there was a bug that allowed you to withdraw $ 1000 many times in a day, he could also sell a huge number of bitcoins, lower the price again to 0.01 cents, and withdraw all bitcoins fitting in the daily limit, but he did not do it, he only withdrew 643 bitcoins. He hoped until the end that he would be let to keep these BTC, but there was a decision to roll back all transactions, and Kevin gained only 643 BTC."

Total Amount Recovered

"To prove that Mt. Gox still had control of the coins, the move of 424,242 bitcoins from "cold storage" to a Mt. Gox address was announced beforehand, and executed in Block 132749."

“None of the [withdrawn] bitcoins were returned to their rightful owners.”

Ongoing Developments

While the issues here have been largely settled, the Mt. Gox bankruptcy continues to play out.

Prevention Policies

Generally, minting of new coins in the database needs to have tight access control. For example, an auditor's access level should be read-only.

Regarding the lost funds, these all came from the hot wallet. Serious losses can be prevented with a multi-signature cold storage wallet, which limits the total losses to the funds available in the hot wallet. An auditor needs no access to any funds, since access to the funds can be proven by creating a small transaction or partially signing a hypothetical transaction.
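
One way to enforce the read-only auditor role and tightly controlled balance credits described above, as an added example that is not code from Mt. Gox or from this repository. The `Ledger` class, the role names and the account names are hypothetical, and a real system would take the role from the authenticated session rather than from the caller.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Role -> permitted ledger operations (names constructed for this example).
PERMISSIONS = {
    "auditor": {"read"},
    "treasury": {"read", "propose_credit", "approve_credit"},
}

@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)  # account -> Decimal BTC
    pending: dict = field(default_factory=dict)   # credit id -> (account, amount, proposer)
    log: list = field(default_factory=list)       # append-only audit trail

    def _require(self, actor, role, op):
        allowed = op in PERMISSIONS.get(role, set())
        self.log.append((actor, role, op, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{role} {actor!r} may not {op}")

    def total_liabilities(self, actor, role):
        """Read-only figure an auditor compares against proven reserves."""
        self._require(actor, role, "read")
        return sum(self.balances.values(), Decimal(0))

    def propose_credit(self, actor, role, account, amount):
        """Stage a balance increase; nothing is credited yet."""
        self._require(actor, role, "propose_credit")
        if amount <= 0:
            raise ValueError("credit must be positive")
        cid = len(self.log)  # unique, because the log only grows
        self.pending[cid] = (account, amount, actor)
        return cid

    def approve_credit(self, actor, role, cid):
        """Apply a staged credit; the approver must differ from the proposer."""
        self._require(actor, role, "approve_credit")
        account, amount, proposer = self.pending[cid]
        if actor == proposer:
            raise PermissionError("proposer cannot approve their own credit")
        del self.pending[cid]
        self.balances[account] = self.balances.get(account, Decimal(0)) + amount
        return self.balances[account]

def attempt(fn, *args):  # True if the call went through, False if refused
    try:
        fn(*args)
    except PermissionError:
        return False
    return True

def demo():
    ledger = Ledger(balances={"alice": Decimal("12.5"), "bob": Decimal("3")})
    total = ledger.total_liabilities("audit-01", "auditor")  # auditor can read
    minted = attempt(ledger.propose_credit, "audit-01", "auditor", "mallory", Decimal("500000"))
    cid = ledger.propose_credit("ops-1", "treasury", "alice", Decimal("1"))
    self_ok = attempt(ledger.approve_credit, "ops-1", "treasury", cid)
    balance = ledger.approve_credit("ops-2", "treasury", cid)
    return total, minted, self_ok, balance, [e for e in ledger.log if e[3] == "denied"]
```

With these rules, credentials taken from an auditor's machine can read totals but cannot create balances, and every refused attempt is left in the audit trail.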

References

List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 27)

100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 24)

List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 14)

Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 4)

The Rise and Fall of Mt. Gox – Darknet Diaries (Jun 24)

Mt Gox - Bitcoin Exchange  (Oct 12)

Mt.Gox - Bitcoin Exchange  (Oct 12)

The History of the Mt Gox Hack: Bitcoin's Biggest Heist (Dec 22)

https://media.consensys.net/mtgox-btc-e-and-the-missing-coins-a-living-timeline-of-the-greatest-cyber-crime-ever-f94fbb1eb42 (Dec 22)

Mt. Gox - Wikipedia (Dec 22)

Legendary profiles of bitcointalk. (Mar 7)

I'm Kevin, here's my side. (Mar 15)