Mt. Gox Auditor Theft

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Mt. Gox and Mark Karpeles

Mt. Gox initially launched in June 2010 and was the largest bitcoin exchange in the world for much of its existence[1][2]. A hacker manufactured bitcoins using the credentials of an auditor, sold them on the exchange, including to himself, and then withdrew the proceeds. Reports suggest that the lost funds were not returned to their rightful owners.[3][4][5][6][7][8]

About Mt. Gox

Mt. Gox launched with a very simple interface[9]. At the time Mt. Gox was established, there were very few other major trading platforms for cryptocurrencies. Mt. Gox was thus able to obtain over 80% of the global trading volume for bitcoin[10].

"Mt.Gox is the world's most established Bitcoin exchange. You can quickly and securely trade bitcoins with other people around the world with your local currency!"

"It allows you to trade US Dollars (USD) for Bitcoins (BTC) or Bitcoins for US Dollars with other Mt Gox users. You set the price you want to buy or sell your BTC for."

"Buy Bitcoins at market rates with your credit card or many other payment methods." "Automate your trading with our Trading API" "Dark pools allow you to trade large quantities without moving the market."

"Fully automated, always available, 24 hours a day, Safe and Easy."

"The only multi-currency Bitcoin trading platform where you can trade with the entire world in your local currency."

Users could trade on Mt. Gox using a wide range of world currencies[10]. Mt. Gox achieved a wide popularity due to the ease with which users could sign up for services there[9].

"Buying and selling Bitcoin doesn't have to be complicated! Get trading in a few simple steps."

"4 Easy Steps:

1. Make an Account.

2. Add some funds.

3. Buy or Sell Bitcoins.

4. Withdraw your converted funds."

Basic features like SSL were provided for account security and 24/7 uptime was advertised as a selling point[10]. The Mt. Gox platform featured a "Norton Secured" seal[10].

"Mt.Gox is protected by Prolexic and certified by VeriSign, which means all communications with our servers are encrypted with SSL technology." "We're always on. Buy and sell Bitcoin 24/7/365 with the world's most sophisticated trading platform."

The Reality

It appears that Mt. Gox did not properly secure account passwords. Where passwords were hashed at all, a weak hashing algorithm was used, and the hashed passwords could be recovered through brute-force attacks.

The Mt. Gox platform contained an SQL injection vulnerability which could allow read-only access to the database[11]. The database contained email addresses, usernames, and hashed passwords[11]. Passwords were hashed using the relatively weak MD5 hashing algorithm, and some older passwords were hashed without the extra security of a salt[11].

The truth is that Mt. Gox was unprepared for Bitcoin’s explosive growth. Our dated system was built as a hobby when Bitcoins were worth pennies a piece. It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day.

What Happened

The account of an auditor hired by the Mt. Gox exchange was breached, allowing the attacker to arbitrarily give themselves unbacked bitcoin. These bitcoin were then sold through the exchange, causing a massive market price drop.

Key Event Timeline - Mt. Gox Auditor Theft

| Date | Event | Description |
|---|---|---|
| June 13th, 2011 | Exchange Reports Losses | The exchange made an announcement that 25,000 BTC (worth $400,000 USD at the time) were robbed from 478 accounts. |
| June 17th, 2011 | Pastebin File Leaked | A pastebin file was leaked with the user database credentials. It was reported that a theft of bitcoins from accounts continued through the day. |
| June 19th, 2011 12:00 PM | Bitcoin Sale Price Crash | "On June 20th at approximately 3:00am JST (Japan Time), an unknown person logged in to the compromised admin account, and with the permissions of that account was able to arbitrarily assign himself a large number of Bitcoins, which he subsequently sold on the exchange, driving the price from $17.50 to $0.01 within the span of 30 minutes[11]." |
| June 26th, 2011 | Mt. Gox Relaunches | The Mt. Gox trading platform reopened[11]. |
| August 26th, 2011 2:17 AM | Verisign Verification | The Mt. Gox trading platform announces they are now verified by Verisign, directly referencing the attack from June as part of the motivation[12]. This article also reports that the Mt. Gox exchange is listed on the Tokyo Chamber of Commerce website[12]. |

Technical Details

The Mt. Gox exchange was undergoing a transition to new management[2]. To audit the revenue, the auditor was granted an account with administrative access[2]. An attacker obtained credentials to the administrative account[2][11], potentially due to brute forcing those credentials from a database breach a week prior[11]. The attacker was able to use their access to arbitrarily increase their balance on the exchange[11]. No bitcoins added via that database adjustment were backed by real bitcoin[2].

Platform Purchase And Management Transition

On June 19, 2011, after being purchased by Tibanne Co. Ltd. in March 2011[11], Mt. Gox was undergoing a transition to new management[2]. The sale deal included an ongoing portion of the revenue to be provided to the seller[2] for a limited time period[11]. To audit the revenue, the seller was granted an account with administrative access[2].

Attacker Obtaining Credentials

At some point prior to June 13th, 2011, an SQL injection vulnerability was exploited to gain read-only access to the Mt. Gox database. This allowed the attacker to remove 25,000 bitcoin from 478 accounts. By that Friday, June 17th, the database had been leaked and was for sale on the pastebin website[11].

"On Monday, June 13th, 2011, the Mt. Gox bitcoin exchange reported that 25,000 BTC (US$400,000 at the time) had been robbed from 478 accounts. Then, on Friday 17 June, Mt. Gox's user database leaked for sale to pastebin, signed by ~cRazIeStinGeR~ and tied to auto36299386@hushmail.com. The theft of Bitcoins from Mt. Gox accounts continued, reportedly, throughout that day."

This breach happened a week prior to the audit and was likely how the attacker obtained credentials to the administrative account[2][11].

Attacker Increases Bitcoin Balance

The attacker was able to use their access to the auditor's account to arbitrarily increase their balance on the exchange[11], with none of those balances backed by real bitcoin[2].

Attacker Sells Funds To Themselves

The attacker was then able to sell that fake bitcoin on the exchange platform and withdraw 2000 bitcoin from the platform[2][11].

"06/19/11 17:51 Bought BTC 259 684.77 for 0.0101"

"On 19 June, a stream of fraudulent trades" caused by this "security breach ... caused ... the price of a bitcoin to fraudulently drop to one cent, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself." The attacker "used the exchange's software to sell them all nominally, creating a massive "ask" order at any price. Within minutes the price corrected to its correct user-traded value."

Total Amount Lost

The first source of loss was a theft of 2000 bitcoin from a hacker directly withdrawing from the platform[2][11].

The second source of loss was a reported 643.27 bitcoin which were purchased by other Mt. Gox users at deflated prices[2]. The actions of the seller resulted in a price drop from approximately $17.50 USD to $0.01 USD on the exchange[11].

According to BitcoinTalk, the equivalent loss was estimated to be $46,970.91 USD based on a lower bound of 2643.27 BTC[2].

Loss estimates vary widely, with some as large as 500,000 bitcoin[2]. Some additional funds were lost through traders on the platform taking advantage of the resulting price fluctuation[2]. Accounts with the equivalent of more than $8,750,000 were reportedly affected.

In addition to the lost funds, the Mt. Gox database had been leaked prior to the incident, which included hashed passwords of a significant number of users[2].

Immediate Reactions

Mt. Gox posted a press release on their website shortly after the events unfolded[11].

For a brief period, the number of Bitcoins in the Mt. Gox exchange vastly outnumbered the Bitcoins in our wallet. Normally, this should be impossible.

In it, they questioned the attacker's motive, given that a lot more damage could have been done[11].

Perhaps the attack simply was not well-orchestrated but the possibility exists that the attacker was more interested in making a statement, hurting Mt. Gox’s reputation, or hurting the public image of Bitcoins in general than he was in any monetary gain.

Users were notified of the database breach, instructed to change any shared passwords, and instructed to use more secure passwords[11].


We strongly encourage all our users to immediately change the passwords of any other accounts that now or previously shared a password with their Mt. Gox account, if they have not done so already.

While we are making great strides with the advancement of our security, we should remind our users that they too play an important role in securing their accounts. Please use a long password—the standard is not whether a person could guess it but rather whether a computer could guess it—and computers can guess pretty fast. Please do not share passwords across services—where passwords are shared, a compromise at one service means a compromise at all services. Help us help you.

Ultimate Outcome

Mt. Gox took a number of significant steps to improve the security of user accounts[11]. The Mt. Gox platform was able to relaunch on June 26th, 2011[11].


The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing and soon will have an option for users to enable a withdraw password that will be separate from their login passwords. Other security measures such as one-time password keys are planned for release very soon as well.

Going forward, we are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community. In the meantime, we sincerely appreciate the patience all our users have shown
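The two password-storage schemes this page describes, the unsalted MD5 found in the leaked database (see The Reality) and the salted, multi-iteration SHA-512 announced for the relaunch, side by side as an added example. This is illustrative code written for this case study, not Mt. Gox's code: the sample users are constructed, the hardened scheme uses PBKDF2-HMAC-SHA512 as a standard stand-in for "multi-iteration, salted" hashing, and the announcement's "triple salted" detail is not reproduced literally.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample records; not drawn from any real or leaked database.
SAMPLE_USERS = {
    "alice": "correct horse battery",
    "bob": "correct horse battery",   # same password as alice
    "carol": "tr0ub4dor&3",
}


def md5_unsalted(password: str) -> str:
    """Legacy scheme the page describes: bare MD5, no salt, one iteration."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_password_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames whose stored hash is identical.

    With unsalted hashes, anyone holding the dump can see at a glance which
    users share a password, and a single precomputed lookup covers all of
    them. With per-user salts the same password yields different hashes, so
    this grouping comes back empty."""
    groups: Dict[str, List[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def hash_salted_sha512(password: str, salt: Optional[bytes] = None,
                       iterations: int = 100_000) -> str:
    """Salted, iterated SHA-512 (PBKDF2-HMAC). Assumed stand-in for the
    relaunch scheme, not Mt. Gox's actual implementation."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_sha512(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    legacy = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    modern = {u: hash_salted_sha512(p) for u, p in SAMPLE_USERS.items()}
    print("shared passwords visible in unsalted table:", duplicate_password_groups(legacy))
    print("shared passwords visible in salted table:  ", duplicate_password_groups(modern))
```

The salt and iteration count travel with the hash, so the verifier needs no out-of-band configuration and the count can be raised for new records as hardware gets faster; `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched.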

"He realized that these bitcoins were most likely from hacking and wanted to behave as honestly as possible, especially since on the eve he had sent his ID documents for passing verification. There was a limit for withdrawal, but there was a bug that allowed you to withdraw $1000 many times in a day; he could also have sold a huge number of bitcoins, lowered the price again to 0.01 cents, and withdrawn all bitcoins fitting in the daily limit, but he did not do it, he only withdrew 643 bitcoins. He hoped until the end that he would be allowed to keep these BTC, but there was a decision to roll back all transactions, and Kevin gained only 643 BTC."

The thief of the 2000 BTC has reportedly never been caught[2].

Kevin's Side Of The Story

"The forum has a thread with the title “I'm Kevin, here's my side”, in which the user toasty tells how, once he saw that a gigantic sell order was burning through the bids at the exchange, the price dropped from $17.50 to $10. Mt. Gox processed orders slowly; it all lasted minutes. There were many orders to buy bitcoin for $0.01, so he placed his order for $0.0101. The exchange was heavily lagging, but with some effort he managed to place that order; then the site stopped responding completely. When he got back in, he saw" that the order had gone through.

Proving Control of Bitcoins

"To prove that Mt. Gox still had control of the coins, the move of 424,242 bitcoins from "cold storage" to a Mt. Gox address was announced beforehand, and executed in Block 132749."

Collapse of Mt. Gox Exchange

The Mt. Gox exchange would go on to accidentally destroy bitcoin in October 2011, have a user report their accounts hacked in July 2013, and eventually spectacularly collapse in February 2014.

Coverage

The situation is included in a list published by Kyle Gibson[13], another list shared on BitcoinTalk[14], and a list published on the BitcoinExchangeGuide[15].

Total Amount Recovered

Mt. Gox publicly stated that they would cover the 2000 bitcoin that had been lost[11].

Unfortunately, the 2000 BTC withdrawn did have real wallet backing and they will be replaced at Mt. Gox’s expense.

Mt. Gox reverted all balances and trades to a previous state[2]. While many users claim that they lost money after the reversion, Mt. Gox claims that it has made right all affected users[2].

“None of the [withdrawn] bitcoins were returned to their rightful owners.”

Ongoing Developments

While the issues related to the auditor theft have been largely settled, the incident may have played a role in the eventual collapse of the platform. The Mt. Gox bankruptcy continues to play out.

Individual Prevention Policies

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary issue was that the auditor had the ability to adjust balances in the database. Given that unfortunate situation, additional controls on withdrawals could have prevented the withdrawal. Having an impartial body to assess the damage and assist with any recovery can be beneficial.

Reducing Access To Funds

Generally, minting of new coins in the database needs to have tight access control. For example, an auditor's access level to the database could have been read-only. There is no need for an auditor to have access to any funds, as control over the wallet can be proven by creating a small transaction or partially signing a hypothetical transaction.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Multi-Signature Withdrawals

The attacker was able to withdraw over 2,000 bitcoin from the Mt. Gox exchange from the hot wallet, with no additional scrutiny. Large losses can be prevented by implementing a multi-signature on large withdrawals.
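The controls argued for in the Reducing Access To Funds and Multi-Signature Withdrawals sections, expressed as a small internal-ledger model. This is an added illustration written for this case study and not any exchange's software: a read-only auditor role, balance credits that must reference a deposit, a reconciliation check that rejects any state in which customer balances exceed the coins the exchange actually holds (the condition the press release called "impossible"), and a threshold above which a withdrawal leaves only after two distinct signers approve. Role names, the threshold, the deposit id and the sample accounts are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, Set


class PermissionDenied(Exception):
    pass


class ReconciliationFailure(Exception):
    pass


@dataclass
class PendingWithdrawal:
    account: str
    amount: Decimal
    approvers: Set[str] = field(default_factory=set)   # distinct signers only


@dataclass
class ExchangeLedger:
    """Constructed toy ledger. wallet_balance is what the exchange's own
    wallet actually holds; balances is what it owes customers. Every change
    is reconciled so the ledger can never exceed the wallet."""
    wallet_balance: Decimal
    roles: Dict[str, str]        # actor -> "auditor" | "operator" | "signer"
    balances: Dict[str, Decimal] = field(default_factory=dict)
    withdrawal_threshold: Decimal = Decimal("100")  # at or above: multi-approval
    approvals_required: int = 2
    pending: Dict[str, PendingWithdrawal] = field(default_factory=dict)

    def _require(self, actor: str, *allowed: str) -> None:
        if self.roles.get(actor) not in allowed:
            raise PermissionDenied(f"{actor} may not perform this action")

    def read_balance(self, actor: str, account: str) -> Decimal:
        # Auditors may inspect any balance but change nothing.
        self._require(actor, "auditor", "operator")
        return self.balances.get(account, Decimal(0))

    def total_liabilities(self) -> Decimal:
        return sum(self.balances.values(), Decimal(0))

    def reconcile(self, extra_liability: Decimal = Decimal(0)) -> None:
        """Reject any state in which customer balances would exceed coins held."""
        projected = self.total_liabilities() + extra_liability
        if projected > self.wallet_balance:
            raise ReconciliationFailure(
                f"ledger would exceed wallet by {projected - self.wallet_balance}")

    def credit_deposit(self, actor: str, account: str, amount: Decimal,
                       deposit_txid: str) -> None:
        """The only legitimate way a balance grows: a confirmed on-chain deposit."""
        self._require(actor, "operator")
        if not deposit_txid:
            raise ValueError("a credit must reference a confirmed deposit")
        self.wallet_balance += amount    # the coins really arrived in the wallet
        self.balances[account] = self.balances.get(account, Decimal(0)) + amount
        self.reconcile()

    def adjust_balance(self, actor: str, account: str, amount: Decimal) -> None:
        """Manual adjustment with no deposit behind it. Auditors are refused
        outright; even an operator is stopped by reconciliation."""
        self._require(actor, "operator")
        self.reconcile(extra_liability=amount)   # raises before anything changes
        self.balances[account] = self.balances.get(account, Decimal(0)) + amount

    def request_withdrawal(self, wid: str, account: str, amount: Decimal) -> str:
        if amount > self.balances.get(account, Decimal(0)):
            raise ValueError("insufficient balance")
        if amount < self.withdrawal_threshold:
            self._execute(account, amount)
            return "executed"
        self.pending[wid] = PendingWithdrawal(account, amount)
        return "pending"

    def approve_withdrawal(self, actor: str, wid: str) -> str:
        """A large withdrawal leaves only after approvals_required distinct signers agree."""
        self._require(actor, "signer")
        req = self.pending[wid]
        req.approvers.add(actor)         # a set: the same signer cannot count twice
        if len(req.approvers) < self.approvals_required:
            return "pending"
        self._execute(req.account, req.amount)
        del self.pending[wid]
        return "executed"

    def _execute(self, account: str, amount: Decimal) -> None:
        if amount > self.balances.get(account, Decimal(0)):
            raise ValueError("insufficient balance")
        self.balances[account] -= amount
        self.wallet_balance -= amount
        self.reconcile()


if __name__ == "__main__":
    roles = {"auditor1": "auditor", "ops1": "operator", "s1": "signer", "s2": "signer"}
    ledger = ExchangeLedger(Decimal("1000"), roles, {"alice": Decimal("1000")})
    for actor in ("auditor1", "ops1"):
        try:
            ledger.adjust_balance(actor, "mallory", Decimal("500000"))
        except (PermissionDenied, ReconciliationFailure) as exc:
            print(f"{actor}: refused ({exc})")
```

Two properties matter here. Access control alone would not have been enough if the operator account itself were compromised, which is why the reconciliation check runs on every mutation rather than as a periodic report; and approvals are keyed on distinct signer identities, so a single compromised signer cannot satisfy a two-of-N policy by approving twice.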

Impartial Industry Insurance Fund

While it is more likely that the Mt. Gox platform can cover a loss of this size, an industry insurance fund can assess and assist victims who may have lost funds in this case.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary issue was that the auditor had the ability to adjust balances in the database. A further review of the access controls around the funds would likely have found this deficiency. Having an impartial body to assess the damage and assist with any recovery can be beneficial.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Mt. Gox - Wikipedia (Accessed Dec 22, 2021)
  2. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Accessed Jan 28, 2020)
  3. https://www.reddit.com/r/Bitcoin/comments/onceag/the_good_old_days_im_kevin_and_im_the_guy_who/
  4. https://coingape.com/trending/the-biggest-bitcoin-controversy-kevin-days-mt-gox-nightmare-of-16-billion/
  5. https://bitcointalk.org/index.php?topic=20207.0
  6. https://www.heise.de/news/Tibanne-Mutterfirma-von-Mt-Gox-ebenfalls-insolvent-2535266.html
  7. https://news.bitcoin.com/tag/tibanne/
  8. https://en.wikipedia.org/wiki/Mark_Karpel%C3%A8s
  9. Mt Gox - Bitcoin Exchange - February 3rd, 2011 - Internet Archive (Accessed Oct 13, 2021)
  10. Mt.Gox - Bitcoin Exchange - January 12th, 2012 - Internet Archive (Accessed Oct 13, 2021)
  11. Mt. Gox Press Release - Archive September 19th, 2011 10:26:35 AM MDT (Accessed Feb 2, 2023)
  12. Mt.Gox (K.K. Tibanne): Now Verified by VeriSign - Mt. Gox Archive May 5th, 2012 11:50:00 AM MDT (Accessed Feb 10, 2023)
  13. 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Accessed Jan 25, 2020)
  14. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Accessed Feb 15, 2020)
  15. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Accessed Mar 5, 2020)
