Mt. Gox Halts Trade Over Major Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Mt. Gox Logo, Homepages, CEO Mark Karpeles

Mt. Gox was the largest exchange in 2013, handling over 80% of bitcoin purchase. It featured a lack of secure storage for funds, a CEO who had his focus elsewhere, and hacks which went undetected for months. There is still an ongoing bankruptcy. Luckily, at least one of the cold wallets escaped capture and can be used for disbursement. While victims have massive losses in bitcoin terms, due to the time that has passed they will most likely have minimal losses in fiat terms.

This exchange or platform is based in Japan, or the incident targeted people primarily in Japan.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

About Mt. Gox

Mt. Gox launched with a very simple interface[17]. At the time Mt. Gox was established, there were very few other major trading platforms for cryptocurrencies. Mt. Gox was thus able to obtain over 80% of the global trading volume for bitcoin[18].

"Mt.Gox is the world's most established Bitcoin exchange. You can quickly and securely trade bitcoins with other people around the world with your local currency!"

"It allows you to trade US Dollars (USD) for Bitcoins (BTC) or Bitcoins for US Dollars with other Mt Gox users. You set the price you want to buy or sell your BTC for."

"Buy Bitcoins at market rates with your credit card or many other payment methods." "Automate your trading with our Trading API" "Dark pools allow you to trade large quantities without moving the market."

"Fully automated, always available, 24 hours a day, Safe and Easy."

"The only multi-currency Bitcoin trading platform where you can trade with the entire world in your local currency."

Users could trade on Mt. Gox using a wide range of world currencies[18]. Mt. Gox achieved a wide popularity due to the ease with which users could sign up for services there[17].

"Buying and selling Bitcoin doesn't have to be complicated! Get trading in a few simple steps."

"4 Easy Steps:

1. Make an Account.

2. Add some funds.

3. Buy or Sell Bitcoins.

4. Withdraw your converted funds."

Basic features like SSL were provided for account security and 24/7 uptime was advertised as a selling point[18]. The Mt. Gox platform featured a "Norton Secured" seal[18].

"Mt.Gox is protected by Prolexic and certified by VeriSign, which means all communications with our servers are encrypted with SSL technology." "We're always on. Buy and sell Bitcoin 24/7/365 with the world's most sophisticated trading platform."

At the time, Mt. Gox was the leading cryptocurrency exchange, handling over 70% of Bitcoin transactions[19].

The Reality

While many people trusted the Mt. Gox platform, there were many issues happening behind the scenes.

Lack Of Secure Fund Storage

A significant portion of Mt. Gox funds were stored in hot wallets, which could be accessed by customers making withdrawals.

Transaction Malleability Vulnerability

Unfortunately the Mt. Gox platform withdrawal system had a vulnerability which would allow repeated withdrawals of the same bitcoin from the platform. This could be accomplished through changing the transaction ID in the blockchain.

CEO Unfocused on Mt. Gox Platform

The Mt. Gox exchange was started as a hobby project. CEO Mark Karpeles had moved on to other projects and was looking to sell the platform.

Limited Internal Accounting Practices

The Mt. Gox platform had limited internal accounting happening.

What Happened

On February 7th, 2014, the Mt. Gox platform stopped processing all bitcoin withdrawals from the exchange.

Key Event Timeline - Mt. Gox Halts Trade Over Major Hack
Date Event Description
February 7th, 2014 Exchange Withdrawals Halted Mt. Gox halts all withdrawals from the exchange platform, citing a transaction malleability bug in the bitcoin core software[19].
February 24th, 2014 Mt. Gox Exchange Shuts Down The Mt. Gox exchange platform completely shuts down and returns a blank page. No trading is possible on the platform after this point. Also at this point, leaks start to surface of 744,408 bitcoin being missing[19].
February 28th, 2014 Mt. Gox Files For Bankruptcy Mt. Gox files for bankruptcy. The exchange declared bankruptcy on February 28, 2014, attributing the success of the attackers to storing most of the stolen cryptocurrency in a web-based hot wallet, which had a vulnerability exploited by the hackers[19].
August 2015 Karpeles Arrest Imminent After cooperating with authorities, Karpeles appears poised for an arrest. Karpeles spent 11 months in detention before bail was granted. “I was interrogated for eight hours each day,” Karpeles recalls. “I was asked about the missing bitcoins. I was even asked if I was Satoshi Nakamoto, the creator of Bitcoin. I was asked to sign confessions and statements in Japanese. Sometimes, the prosecutor would have pre-written statements for me in the morning they wanted signed.”
September 2016 US Authorities Get Mt. Gox Database "In September 2016, U.S. authorities received a copy of the Mt. Gox database and used it to track the stolen bitcoins."
July 25th, 2017 Alexander Vinnik Arrested US authorities traced the bulk of the theft to a Russian named Alexander Vinnik, who is subsequently arrested in Greece.
July 26th, 2017 11:56:05 AM MDT WizSec Post About Alexander Vinnik WizSec reports that the 2017 investigation into the MtGox case revealed that a Russian national, Alexander Vinnik, was a chief suspect involved in the MtGox theft or laundering of its proceeds. Vinnik was arrested in Greece, accused of running a large-scale money laundering operation with over $4 billion USD trafficked through Bitcoin since 2011. The theft involved the stealing of MtGox's hot wallet private keys in September 2011, leading to the compromise of about 630,000 BTC. The hacker regularly transferred stolen coins to wallets controlled by Vinnik, who later moved them to platforms like BTC-e for sale or laundering. The investigation linked Vinnik to other stolen coins from Bitcoinica, Bitfloor, and other thefts. Vinnik, known by the online identity "WME," played a crucial role as a money launderer in the MtGox case, and his arrest was considered a major breakthrough in the investigation. Further disclosures were expected as the investigation progressed[20][21].
November 9th, 2018 1:00:52 PM MST CryptoPotato Lessons Learned CryptoPotato published a "Lessons Learned from the Biggest Crypto Hacks in History" in which Mt. Gox is listed at number 2. The article discusses the Mt. Gox hack having a substantial impact on the cryptocurrency industry. The article emphasizes the need for heightened security in the crypto industry and advises users to be cautious about where they store their funds, suggesting the use of wallets offering cold storage, conducting due diligence on services, and prioritizing security.
March 15th, 2019 Karpeles Prosecution On March 15th, 2019, Karpeles was found guilty of data manipulation[22]. He is also found innocent of embezzlement and breach of trust charges. The Tokyo District Court sentenced Karpeles to a suspended term of two years and six months, contingent on maintaining a clean record for the next four years.
May 2021 Civil Rehabilitation "In May [2021], the trustee presiding over the Mt. Gox civil rehabilitation case opened the voting on how to partially reimburse victims who lost money to the in hacks dating back nearly a decade."
November 16th, 2021 Rehabilitation Plan Put Together Courts start to put together a rehabilitation plan to pay back creditors[23].
July 11th, 2022 4:30:18 PM MDT Andrei Jikh Video Andrei Jikh releases a video about "arguably one of biggest events in all of bitcoin's history which is the release of Mt. Gox's bitcoins". The release of the Mt. Gox bitcoins is next month in August. 137,890 bitcoin (worth 3 billion dollars) are about to flood the market[23].
March 9th, 2023 2:05:09 AM MST BTC Repayment Deadline Moved Cryptocurrency news site CryptoSlate reports that Mt. Gox has extended the deadline for its BTC repayment registration process from March 10 to April 6[24]. The extension was approved by the court, considering various circumstances related to the progress of rehabilitation creditors in the Selection and Registration process. Mt. Gox trustee Nobuaki Kobayashi stated that creditors who don't complete their registration by April 6 won't be eligible for repayments. Additionally, the base repayment period has been extended from September 30 to October 31. The registration portal allows affected users to register information and choose a repayment method, including lump-sum payment, bank remittance, crypto payment, or fund transfer service provider[24].
March 10th, 2023 1:34:11 AM MST Discussions About Deadline Being Moved In discussions on Reddit about the repayment extension, concerns are expressed regarding delays and skepticism about creditors receiving their funds[25]. Some participants express doubt that victims will receive anything soon due to bureaucratic hurdles, while others see the forced holding of BTC as a positive, creating potentially strong long-term holders. A creditor who chose the Bitstamp option reassures against worries of a sell-off and emphasizes the plan to hold BTC while liquidating BCH and Yen. There's speculation about the fate of BCH, and questions arise about the possibility of further deadline extensions. The overall sentiment is a mix of skepticism, forced holding optimism, and uncertainty about the impact on the crypto market[25].

Technical Details

Transaction Malleability Bug

Transaction malleability is a vulnerability in blockchain technology that allows for the alteration of cryptographic hashes, such as digital signatures, used to identify cryptocurrency transactions[26]. In the bitcoin network, this can allow someone to modify unconfirmed transactions, potentially leading to delayed confirmation, fraud, and double-spending[27].

Transaction malleability occurs when an attacker alters certain details of unconfirmed transactions, such as the transaction's unique ID or "transaction ID" (TXID), before it is confirmed and added to the blockchain[27]. This manipulation can lead to different cryptographic hash computations and generate new TXIDs for seemingly different transactions, complicating the tracking and verification process[27]. By modifying transaction IDs, attackers can execute various types of malleability attacks, including transaction ID modification, invoice duplication, fee manipulation, double-spending, and data corruption[27]. The consequences of this vulnerability are significant, as hackers could exploit it to conduct double-spending attacks and commit fraud, endangering the integrity of the entire Bitcoin network[27].

Withdrawal failure, email customer service and ask for withdrawal to be retried.

https://www.coindesk.com/markets/2014/02/12/what-the-bitcoin-bug-means-a-guide-to-transaction-malleability/

Total Amount Lost

The hack resulted in the loss of 744,408 Bitcoins from customers and 100,000 BTC belonging to the company, with the total stolen amount valued at approximately $473 million[19].

The total amount lost has been estimated at $300,000,000 USD.

Immediate Reactions

On February 7, 2014, Mt. Gox temporarily halted all BTC withdrawals, extending to all trading activities on February 24, and eventually going offline[19].

"On February 7th, MtGox halted all BTC withdrawals from the exchange, citing a transaction malleability bug in the core Bitcoin software. When withdrawals had still not resumed after 2 weeks, users began to suspect that MtGox may not be able to pay its customers.

On February 24th, Mt. Gox suspended all trading, then went offline completely, returning a blank page. News outlets reported on a leaked “crisis strategy draft” plan, which declared MtGox’s insolvency after losing 744,408 BTC of customer funds (valued at over $2 billion USD at today’s prices) as well as 100,000 of its own bitcoins."

Ultimate Outcome

Case Listed Everywhere

As Mt. Gox was the largest exchange at the time, the situation was highly notable. The My. Gox situation was included in almost every list of cryptocurrency exchange hacks including Bitcoin Magazine[28], Kyle Gibson[29], a list published on BitcoinTalk[30], SlowMist[31], and BitcoinExchangeGuide[32] (TBD Fix link).

Insolvency Filing

"It didn’t take long for the information to become public, with Mt. Gox eventually filing for bankruptcy on Feb. 28."


"At a news conference, Karpeles claimed the exchange had been hacked. He apologized and promised to recover the missing cryptocurrency. The cybercrimes unit of the Metropolitan Police Department launched an investigation into the matter and Karpeles offered to cooperate with the inquiry."

"Naturally, those following the news have always wondered whether or not Mt. Gox had been hacked in the first place? Given the complexity of the issue, it was always going to be a difficult question to answer."

The Mt. Gox website was updated to provide information related to the bankruptcy, and allow users to check their balances which they had on the platform[33].

Transaction Malleability Resolution

Following Mt. Gox's downfall, other incidents of exploitation of transaction malleability came to light, including Silk Road 2.0 losing $2.7 million worth of Bitcoin to an unknown hacker[26]. A study published in 2014 found that no major exploitations of transaction malleability had occurred before the Mt. Gox attack[26].

Transaction malleability can be exploited to alter the unique ID of a monetary transaction before confirmation, potentially leading to erroneous transactions or other disruptions in the network[26]. Solutions such as Segregated Witness (SegWit) have been proposed to address this issue and enhance the security of blockchain transactions[26][27].

Investigations Through 2015

"In 2015, agents from the U.S. Treasury Department and Federal Bureau of Investigation, as well as members of Japan’s National Police Agency, met with Karpeles in Tokyo. They asked for Karpeles’ cooperation in an ongoing investigation involving an international hacker suspected of hacking several cryptocurrency exchanges, including Bitcoinica in 2012."

"By August 2015, many assumed the police were going to arrest Karpeles for some reason or another. The special investigation unit that deals mainly with white-collar offenses had taken control of the case, suggesting that the Frenchman would be arrested in order to extract some kind of confession."

"Karpeles, however, didn’t confess. The police subsequently arrested him on two other charges, with none of the indictments having any direct connection to hacking. Karpeles spent 11 months in detention before bail was granted."

“I was interrogated for eight hours each day,” Karpeles recalls. “I was asked about the missing bitcoins. I was even asked if I was Satoshi Nakamoto, the creator of Bitcoin. I was asked to sign confessions and statements in Japanese. Sometimes, the prosecutor would have pre-written statements for me in the morning they wanted signed.”

"Kim Nilsson, a Swedish engineer who had lost 12 bitcoins in the collapse of Mt. Gox, began sharing information with federal authorities in the United States while Karpeles was in detention. They specifically analyzed the block chain, the public ledger of all bitcoin transactions."

Tracing To Alexander Vinnik

"In September 2016, U.S. authorities received a copy of the Mt. Gox database and used it to track the stolen bitcoins."

"Tigran “Blockchain Wizard” Gambaryan, an agent in the Internal Revenue Service who has extensive experience in cryptocurrency crime, led a joint task force that looked into the case."

"The task force concluded that Mt. Gox had been hacked by an outsider who had siphoned off more than 600,000 bitcoins in a period between 2011 and late 2013. It was able to trace the bulk of stolen bitcoins to one individual, a Russian bitcoin exchange operator named Alexander Vinnik."

Alexander Vinnik Arrest

"On July 25, 2017, U.S. authorities had Vinnik detained in Greece. He was indicted on 21 counts of money laundering and several other charges, some relating to Mt. Gox."

"During Karpeles’ trial in the Tokyo District Court, Ogata argued that Karpeles had only been detained because the police had hoped to extract a confession from him. When Ogata tried to enter Vinnik’s indictment into evidence, prosecutors objected, claiming the Russian should be presumed innocent until proven guilty. The fallacy of such an argument was not lost on the panel of judges, who specifically referred to the indictment in their ruling."

"Vinnik is expected to be extradited to France. And so it seems the man behind the Mt. Gox theft may have finally been identified. It’s a shame the domestic investigation into the case failed to add much to the end result."

Karpeles Criminal Prosecution

"On March 15, [2019,] the court found Karpeles guilty of data manipulation and handed out a suspended prison sentence of 2½ years. He was found not guilty on a separate charge of embezzling millions of dollars through customer accounts. It’s perhaps just worth noting that the odds of a partial not guilty verdict in Japan after indictment are less than 1 percent."

"The Nikkei Shimbun noted the indictments had nothing to do with the initial investigation of the hacking. “The Metropolitan Police Department investigation into the missing bitcoins has, in fact, been terminated,” the paper said."

Former Mt. Gox CEO Mark Karpeles has been found guilty of manipulating exchange data in a Tokyo court, but innocent of embezzlement and breach of trust charges. The Tokyo District Court sentenced Karpeles to a suspended term of two years and six months, contingent on maintaining a clean record for the next four years. While prosecutors sought a 10-year sentence for embezzlement, the defense argued that Mt. Gox's collapse was not due to Karpeles' wrongdoing but claimed he worked to prevent it. Karpeles has consistently maintained his innocence and apologized for the impact on those involved[22].

Total Amount Recovered

The bankruptcy process is still underway.

Ongoing Developments

The bankruptcy process is still underway.

Civil Rehabilitation

In 2018, the case was moved to civic rehabilitation, allowing creditors to potentially receive their bitcoin in its original form[22]. "In May [2021], the trustee presiding over the Mt. Gox civil rehabilitation case opened the voting on how to partially reimburse victims who lost money to the in hacks dating back nearly a decade."

"Those who don’t vote are deemed to have voted against the proposal, according to the trustee. A minimum threshold of 50% of votes is required in order for the proposal to pass, so there is a chance the proposal could fail even if the majority of votes actively cast vote in favor of acceptance."

General Prevention Policies

Mt. Gox could have been avoided through smaller hot wallets. Using a multi-sig for cold fund storage and having accountability to ensure all funds are fully backed would also have significantly reduced the damage.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. A Look Back on Some of the Most Devastating Crypto Hacks - Fintech Singapore (Feb 27, 2020)
  2. Crypto Exchange Hacks in Review: Proactive Steps and Expert Advice - CoinTelegraph (Mar 2, 2020)
  3. Top 6 Biggest Bitcoin Hacks Ever - CoinSutra (Mar 2, 2020)
  4. The Rise and Fall of Mt. Gox – Darknet Diaries (Jun 25, 2021)
  5. Mt. Gox Civil Rehabilitation Voting Deadline Ends Friday - CoinDesk (Oct 10, 2021)
  6. Mt. Gox Shows Bitcoin's Growing Pains - WSJ (Oct 14, 2021)
  7. Solving the world's largest bitcoin heist - The Japan Times (Oct 14, 2021)
  8. Hackers Allege Mt. Gox Still Controls "Stolen" Bitcoins - Slashdot (Apr 10, 2022)
  9. The One Simple Reason Why Bitcoin Went Down (Again) Over the Weekend - Ceo.ca (Apr 10, 2022)
  10. Bitcointalk history of MtGox and how a Bitcointalk post caught the MtGox hacker. - BitcoinTalk (Dec 22, 2021)
  11. https://forkast.news/ftx-failure-wake-up-call-security-mt-gox-karpeles/ (Accessed Aug 9, 2024)
  12. https://www.engadget.com/2014-03-09-bitcoin-mark-karpeles-mt-gox-blog-hack-database.html?guccounter=1
  13. https://www.businessinsider.com/crypto-mt-gox-founder-mark-karpeles-reddit-ama-2018-4
  14. https://forkast.news/mt-gox-may-bitcoin-mark-karpeles-ungoxed-nft/
  15. https://www.theverge.com/2013/4/1/4154500/mt-gox-barons-of-bitcoin
  16. https://en.wikipedia.org/wiki/Mark_Karpel%C3%A8s
  17. 17.0 17.1 Mt Gox - Bitcoin Exchange - February 3rd, 2011 - Internet Archive (Oct 12, 2021)
  18. 18.0 18.1 18.2 18.3 Mt.Gox - Bitcoin Exchange - January 12th, 2012 - Internet Archive (Oct 12, 2021)
  19. 19.0 19.1 19.2 19.3 19.4 19.5 Lessons Learned from the Biggest Crypto Hacks in History - CryptoPotato (Feb 26, 2020)
  20. Breaking open the MtGox case, part 1 - WizSec (Jan 31, 2024)
  21. Breaking open the MtGox case, part 1 - WizSec Archive July 26th, 2017 11:56:05 AM MDT (Jan 31, 2024)
  22. 22.0 22.1 22.2 Mt. Gox’s Mark Karpeles Found Guilty Over Data Manipulation in Tokyo Court - CoinDesk (Jan 4, 2024)
  23. 23.0 23.1 Andrei Jikh - The Wealth Transfer Just Started - YouTube (Jul 16, 2022)
  24. 24.0 24.1 Mt. Gox pushes deadline for BTC repayment registration to April - CryptoSlate (Jan 31, 2024)
  25. 25.0 25.1 Mt. Gox pushes deadline for BTC repayment registration to April - Reddit (Jan 31, 2024)
  26. 26.0 26.1 26.2 26.3 26.4 Transaction malleability problem - Wikipedia (Feb 7, 2024)
  27. 27.0 27.1 27.2 27.3 27.4 27.5 What is Bitcoin Transaction Malleability - Doubloin (Feb 7, 2024)
  28. Infographic: An Overview of Compromised Bitcoin Exchange Events - Bitcoin Magazine (Jan 30, 2020)
  29. 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents - Kyle Gibson (Jan 25, 2020)
  30. List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses - BitcoinTalk (Feb 15, 2020)
  31. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
  32. Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
  33. MtGox Homepage Archive March 18th, 2014 9:46:27 AM MDT (Oct 13, 2021)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Mt._Gox_Halts_Trade_Over_Major_Hack&oldid=5934"