Mt. Gox Auditor Theft
Mt. Gox initially launched in June 2010 and was the largest bitcoin exchange in the world[1][2]. A hacker manufactured bitcoins on the exchange using the credentials of an auditor, sold them on the exchange, including to himself, and then withdrew the earnings. Reports suggest that the lost funds were not returned to their rightful owners.
About Mt. Gox
Mt. Gox launched with a very simple interface[3]. At the time Mt. Gox was established, there were very few other major trading platforms for cryptocurrencies. Mt. Gox was thus able to obtain over 80% of the global trading volume for bitcoin[4].
"Mt.Gox is the world's most established Bitcoin exchange. You can quickly and securely trade bitcoins with other people around the world with your local currency!"
"It allows you to trade US Dollars (USD) for Bitcoins (BTC) or Bitcoins for US Dollars with other Mt Gox users. You set the price you want to buy or sell your BTC for."
"Buy Bitcoins at market rates with your credit card or many other payment methods." "Automate your trading with our Trading API" "Dark pools allow you to trade large quantities without moving the market."
"Fully automated, always available, 24 hours a day, Safe and Easy."
"The only multi-currency Bitcoin trading platform where you can trade with the entire world in your local currency."
Users could trade on Mt. Gox using a wide range of world currencies[4]. Mt. Gox achieved a wide popularity due to the ease with which users could sign up for services there[3].
"Buying and selling Bitcoin doesn't have to be complicated! Get trading in a few simple steps."
"4 Easy Steps:
1. Make an Account.
2. Add some funds.
3. Buy or Sell Bitcoins.
4. Withdraw your converted funds."
Basic features like SSL were provided for account security and 24/7 uptime was advertised as a selling point[4]. The Mt. Gox platform featured a "Norton Secured" seal[4].
"Mt.Gox is protected by Prolexic and certified by VeriSign, which means all communications with our servers are encrypted with SSL technology." "We're always on. Buy and sell Bitcoin 24/7/365 with the world's most sophisticated trading platform."
The Reality
It appears that passwords were not properly secured: if they were hashed at all, a weak hashing algorithm was used, so the account passwords could be recovered by brute-force attacks against the stored hashes.
The Mt. Gox platform contained an SQL injection vulnerability which could allow read-only access to the database[5]. The database contained email addresses, usernames, and hashed passwords[5]. Passwords were hashed using the relatively weak MD5 hashing algorithm, and some older passwords were hashed without the extra security of a salt[5].
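As an added illustration (not code from this page or from Mt. Gox), the unsalted MD5 scheme described above is shown beside a salted, iterated SHA-512 scheme of the kind the relaunch later announced; the iteration count and the sample passwords are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed cost parameter; raise it until verification takes ~100 ms


def md5_unsalted(password: str) -> str:
    """Weak scheme: bare MD5, no salt. Every user with the same password gets the
    same hash, and one cheap MD5 per guess keeps offline guessing fast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Hardened scheme: per-user random salt plus iterated SHA-512
    (PBKDF2-HMAC-SHA512 from the standard library). The salt defeats precomputed
    tables and cross-user matching; the iteration count multiplies the cost of
    every guess by `iterations`."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha512", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def sharing_visible(password: str) -> tuple[bool, bool]:
    """Store the same (constructed) password for two users under each scheme and
    report whether the stored values reveal that the users share a password."""
    md5_leaks = md5_unsalted(password) == md5_unsalted(password)
    pbkdf2_leaks = make_record(password)["hash"] == make_record(password)["hash"]
    return md5_leaks, pbkdf2_leaks
```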
The truth is that Mt. Gox was unprepared for Bitcoin’s explosive growth. Our dated system was built as a hobby when Bitcoins were worth pennies a piece. It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day.
What Happened
At some point prior to June 13th, 2011, an SQL injection vulnerability was exploited to gain read-only access to the Mt. Gox database. This allowed the attacker to remove 25,000 bitcoin from 478 accounts. By that Friday, June 17th, the database had been leaked and was for sale on the pastebin website[5].
After being purchased by Tibanne Co. Ltd. in March 2011[5], Mt. Gox was undergoing a transition to new management[2]. The sale deal included an ongoing portion of the revenue to be provided to the seller[2] for a limited time period[5]. To audit that revenue, the seller was granted an account with administrative access[2].
An attacker obtained credentials to the administrative account[2][5], potentially by brute forcing those credentials from the database breach a week prior[5]. The attacker was able to use this access to arbitrarily increase their balance on the exchange[5], with none of those balances backed by real bitcoin[2]. The attacker was then able to sell that fake bitcoin on the exchange platform and withdraw 2000 bitcoin from the platform[2][5].
This sell-off resulted in a price drop from approximately $17.50 USD to $0.01 USD on the exchange[5]. Some additional funds were lost through traders on the platform taking advantage of the resulting price fluctuation[2]. The service was finally relaunched on June 26th, 2011[5].
"On Monday, June 13th, 2011, the Mt. Gox bitcoin exchange reported that 25,000 BTC (US$400,000 at the time) had been robbed from 478 accounts. Then, on Friday 17 June, Mt. Gox's user database leaked for sale to pastebin, signed by ~cRazIeStinGeR~ and tied to auto36299386@hushmail.com. The theft of Bitcoins from Mt. Gox accounts continued, reportedly, throughout that day."
"On June 19, 2011," an "auditor was hired to verify that Mt. Gox had sufficient bitcoin and cash reserves to cover its holdings, but the hacker was able to use the auditor's computer to steal bitcoins from the exchange. The hacker used the auditor's access to sell bitcoins to his or her own wallet, causing the price of bitcoin on the exchange to plummet."
"The forum has a thread with the title "I'm Kevin, here's my side", in which the user toasty tells how, once he saw that a gigantic sell order was burning through the bids at the exchange and the price dropped from $17.50 to $10, Mt. Gox processed orders slowly, it all lasted minutes, there were many orders to buy bitcoin for $0.01, so he placed his order for $0.0101; the exchange was heavily lagging, but with some effort he managed to place that order, then the site stopped responding completely; when he got back in, he saw:"
"06/19/11 17:51 Bought BTC 259 684.77 for 0.0101"
This "security breach ... caused ... the price of a bitcoin to fraudulently drop to one cent, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself." "On 19 June, a stream of fraudulent trades caused the nominal price of a bitcoin to fraudulently drop to one cent on the Mt. Gox exchange, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself. He used the exchange's software to sell them all nominally, creating a massive "ask" order at any price. Within minutes the price corrected to its correct user-traded value."
| Date | Event | Description |
|---|---|---|
| June 13th, 2011 | Exchange Reports Losses | The exchange announced that 25,000 BTC (worth $400,000 USD at the time) had been robbed from 478 accounts. |
| June 17th, 2011 | Pastebin File Leaked | A pastebin file containing the user database credentials was leaked. It was reported that theft of bitcoins from accounts continued through the day. |
| June 19th, 2011 12:00 PM | Bitcoin Sale Price Crash | "On June 20th at approximately 3:00am JST (Japan Time), an unknown person logged in to the compromised admin account, and with the permissions of that account was able to arbitrarily assign himself a large number of Bitcoins, which he subsequently sold on the exchange, driving the price from $17.50 to $0.01 within the span of 30 minutes[5]." |
| June 26th, 2011 | Mt. Gox Relaunches | The Mt. Gox trading platform relaunched[5]. |
| August 26th, 2011 2:17 AM | VeriSign Verification | The Mt. Gox trading platform announced that it was now verified by VeriSign, directly referencing the attack from June as part of the motivation[6]. |
Total Amount Lost
Loss accounts vary widely, with some estimates as large as 500,000 bitcoin[2]. The losses in this case stem from two sources[2].
The first source of loss was a theft of 2000 bitcoin from a hacker directly withdrawing from the platform[2][5].
The second source of loss was a reported 643.27 bitcoin which were purchased by other Mt. Gox users at deflated prices[2].
According to BitcoinTalk, the equivalent loss was estimated to be $46,970.91 USD[2].
In addition to the lost funds, the Mt. Gox database was leaked which included hashed passwords of multiple users[2].
"The hacker acquired an estimated 2,000 BTC through this strategy, with an additional 650 BTC purchased by other Mt. Gox users at deflated prices."
"Accounts with the equivalent of more than $8,750,000 were affected."
Immediate Reactions
Mt. Gox posted a press release on their website shortly after the events unfolded[5].
For a brief period, the number of Bitcoins in the Mt. Gox exchange vastly outnumbered the Bitcoins in our wallet. Normally, this should be impossible.
In it, they questioned the attacker's motive, given that a lot more damage could have been done[5].
Perhaps the attack simply was not well-orchestrated but the possibility exists that the attacker was more interested in making a statement, hurting Mt. Gox’s reputation, or hurting the public image of Bitcoins in general than he was in any monetary gain.
Users were notified of the database breach and instructed to change any shared passwords[5].
We strongly encourage all our users to immediately change the passwords of any other accounts that now or previously shared a password with their Mt. Gox account, if they have not done so already.
While we are making great strides with the advancement of our security, we should remind our users that they too play an important role in securing their accounts. Please use a long password—the standard is not whether a person could guess it but rather whether a computer could guess it—and computers can guess pretty fast. Please do not share passwords across services—where passwords are shared, a compromise at one service means a compromise at all services. Help us help you.
Ultimate Outcome
Mt. Gox took a number of significant steps to improve the security of user accounts[5]. The Mt. Gox platform was able to relaunch on June 26th, 2011[5].
The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing and soon will have an option for users to enable a withdraw password that will be separate from their login passwords. Other security measures such as one-time password keys are planned for release very soon as well.
Going forward, we are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community. In the meantime, we sincerely appreciate the patience all our users have shown
"He realized that these bitcoins were most likely from hacking and wanted to behave as honestly as possible, especially since on the eve he had sent his ID documents for verification. There was a limit for withdrawal, but there was a bug that allowed you to withdraw $1000 many times in a day; he could also have sold a huge number of bitcoins, lowered the price again to 0.01 cents, and withdrawn all bitcoins fitting in the daily limit, but he did not do it, he only withdrew 643 bitcoins. He hoped until the end that he would be allowed to keep these BTC, but there was a decision to roll back all transactions, and Kevin gained only 643 BTC."
The thief has reportedly never been caught[2].
Total Amount Recovered
Mt. Gox publicly stated that they would cover the 2000 bitcoin that had been lost[5].
Unfortunately, the 2000 BTC withdrawn did have real wallet backing and they will be replaced at Mt. Gox’s expense.
Mt. Gox reverted all balances and trades to a previous state[2]. While many users claim that they lost money after the reversion, Mt. Gox claims that it has made right all affected users[2].
"To prove that Mt. Gox still had control of the coins, the move of 424,242 bitcoins from "cold storage" to a Mt. Gox address was announced beforehand, and executed in Block 132749."
“None of the [withdrawn] bitcoins were returned to their rightful owners.”
Ongoing Developments
While the issues from this incident have largely been settled, the Mt. Gox bankruptcy continues to play out.
Prevention Policies
Generally, minting of new coins in the database needs to have tight access control. For example, an auditor's access level should be read-only.
The lost funds all came from the hot wallet. Keeping most funds in a multi-signature cold storage wallet limits the worst-case loss to the balance of the hot wallet. An auditor does not need access to any funds: control of the reserves can be proven by creating a small transaction or by partially signing a hypothetical transaction.
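To make the access-control and reconciliation points concrete, here is a hypothetical exchange ledger written for this page (it is not Mt. Gox's code): the auditor role is read-only, balances can only be credited against a confirmed deposit, and a reconciliation check catches the "more coins in the database than in the wallet" condition the press release describes; role names, the deposit txids and the amounts are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical ledger for illustration, not Mt. Gox's code; amounts are integer satoshis.
ROLE_PERMISSIONS = {
    "auditor": {"read"},                      # may verify reserves, never change balances
    "treasury": {"read", "credit_deposit"},
}

class PermissionDenied(Exception):
    pass

@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)          # user -> satoshis owed
    wallet_sats: int = 0                                  # coins actually held (hot + cold)
    confirmed_deposits: set = field(default_factory=set)  # on-chain txids not yet credited

    def _require(self, role: str, perm: str) -> None:
        if perm not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionDenied(f"role {role!r} lacks {perm!r}")

    def balance(self, role: str, user: str) -> int:
        self._require(role, "read")
        return self.balances.get(user, 0)

    def credit(self, role: str, user: str, sats: int, deposit_txid: str) -> None:
        """Balances rise only against a confirmed deposit, consumed once: no role can mint unbacked coins."""
        self._require(role, "credit_deposit")
        if deposit_txid not in self.confirmed_deposits:
            raise ValueError("no confirmed deposit backs this credit")
        self.confirmed_deposits.remove(deposit_txid)
        self.balances[user] = self.balances.get(user, 0) + sats
        self.wallet_sats += sats

    def reconcile(self) -> bool:
        """Invariant the press release calls 'normally impossible' to break: balances owed <= coins held."""
        return sum(self.balances.values()) <= self.wallet_sats

def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: one real deposit, then a balance edited directly in the
    database, bypassing credit(). Returns (auditor_can_credit, ok_before, ok_after)."""
    ledger = Ledger(confirmed_deposits={"deposit-tx-1"})    # constructed txid
    ledger.credit("treasury", "alice", 5 * 100_000_000, "deposit-tx-1")
    try:
        ledger.credit("auditor", "alice", 1, "deposit-tx-2")
        auditor_can_credit = True
    except PermissionDenied:
        auditor_can_credit = False
    ok_before = ledger.reconcile()
    ledger.balances["attacker"] = 2000 * 100_000_000       # direct edit, no deposit
    return auditor_can_credit, ok_before, ledger.reconcile()
```

Running reconcile() on a schedule, or on every withdrawal, is the detection half of this control: a failed reconciliation means ledger coins exist that no deposit ever backed.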
References
- [1] Mt. Gox - Wikipedia (Dec 22)
- [2] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 27)
- [3] Mt Gox - Bitcoin Exchange - February 3rd, 2011 - Internet Archive (Oct 12)
- [4] Mt.Gox - Bitcoin Exchange - January 12th, 2012 - Internet Archive (Oct 12)
- [5] Mt. Gox Press Release - Archive (Feb 2, 2023)
- [6] Mt.Gox (K.K. Tibanne): Now Verified by VeriSign - Internet Archive (Feb 10, 2023)