19 April 2017

Bitcoin's Defining Moment



Magic: The Gathering Online Exchange is a systemic risk to Bitcoin, a death trap for traders, and a business run by the clueless.


—Andreas Antonopoulos, BitcoinTalk forum, April 2013



Originally, I was going to dedicate this chapter to a number of high-profile Bitcoin scams but I quickly realized that glossing over the Mt. Gox fiasco would be a disservice to the reader. Mt. Gox was more than a simple theft; it was a pivotal moment in Bitcoin history. Arguably, it was the most important event so far, negative or positive, for the still-young currency. There is no doubt that it was the most publicly visible event in Bitcoin history, a factor that has an importance all of its own.





The most positive thing that can be said about the Mt. Gox fiasco—and it was exactly that, a fiasco—is that it did not kill Bitcoin. Despite the many pronouncements and predictions to the contrary, Bitcoin has gone on to further acceptance, legitimacy and funding, even though its price remains deflated compared to its peak before the collapse. This persistence shows not only the resilience of the currency but also the faith that a number of wealthy and powerful people are putting into Bitcoin.





The Tokyo-based Mt. Gox was the world’s largest Bitcoin exchange until, after months of technical issues, the exchange admitted that it had lost the majority of its customers’ bitcoins as well as a few hundred thousand of its own bitcoins. The total loss was 850,000 bitcoins, a number that at the time was worth around $480 million. Before and during its failure, the Mt. Gox exchange was run by Mark Karpelès, who had purchased it from Jed McCaleb. Karpelès had a history of financial and tech crimes. He never hid those facts and even talked about them on his public blog but at the time his background remained largely unnoticed.





On February 28, 2014, looking more contrite than he had in his entire public life, the embattled CEO of the one-time largest Bitcoin exchange in the world sat in front of the Tokyo District Court and tried to explain how he lost $480 million worth of a currency most people in the world had never even heard of. Mark Karpelès’s company was declaring bankruptcy and, knowingly or not, closing a chapter in Bitcoin’s history. Karpelès, who, evoking the genius tech gurus of the mid-2000s, had famously worn a t-shirt and jeans to nearly every public appearance, was finally wearing a suit.

This change in appearance might seem like a small thing, but it personified the end not only of Mt. Gox but also of Karpelès’s—and in many ways, the Bitcoin community’s—arrogance. He would never again be able to present himself as a successful tech entrepreneur. Although Karpelès has attempted to lift his head from the sea of obscurity a few times since the fall of Mt. Gox, he is consistently shouted down by a chorus of hate.





It is a merciful end, to tell the truth, even if the case still lacks the satisfaction of justice and retribution. Since 2012, intermittent complaints had been popping up about slow withdrawals from Mt. Gox. They culminated in February 2014, when the site finally went down. Withdrawals officially halted on February 7, but they had already dwindled to a trickle and virtually ceased as far back as mid-January. As it turned out, Mt. Gox was insolvent long before it officially halted withdrawals. It now appears that a slow theft took place over the course of a year and was made possible because of lax security practices that Mt. Gox was either unable or unwilling to fix.





Yet for all the problems that Mt. Gox caused Bitcoin by the end of its life, the exchange was essential to Bitcoin’s early development. When Mt. Gox transitioned from a site designed to trade digital Magic: The Gathering cards to trading Bitcoin, it was instrumental in developing a market and price for Bitcoin. Previous to Mt. Gox, most Bitcoin trades took place off market. Two people would meet, usually online, and one of them would say something like, “I’ll give you 500 bitcoins for two dollars,” and the other participant would say that was either too high or too low—and they would negotiate from there.

With a central exchange like Mt. Gox, an opportunity for real price discovery and liquid markets emerged. Rather than two people trying to figure out what a bitcoin was worth to them, they could simply see what other people were willing to pay for one and what had been paid for one in the past. This allowed bitcoins to obtain a real price point and a real value.





That said, the warning signs that something was wrong at Mt. Gox were everywhere. The biggest lesson one can learn from the incident is that warning signs should not be ignored.


Bitcoin is considered a volatile currency and compared to most fiat currencies, it is. But it is far more stable now than it was in 2011 when Bitcoin’s price could jump from $1 to $30 in less than a week. At that time, it was transitioning from an obscure and mostly worthless currency to something covered by every media outlet with a technology department. It had arguably become the most successful new currency since the euro and was certainly the most visible. This increase in value and public attention should have corresponded with an increase in security at Mt. Gox but it did not.

In June 2011, thousands of bitcoins went missing. A lot of blame was passed around and it was eventually discovered that the loss was the result of the former owner’s account being hacked. The user controlling that account artificially created bitcoins in the Mt. Gox system and dumped them onto the market, driving the price to less than a dollar. He then bought back the now-cheap coins and withdrew them from the Mt. Gox system. The estimates on the number of lost bitcoins ultimately settled around 2,500. Although about 500,000 bitcoins had been “sold” on the exchange, Mt. Gox reversed the transactions so only a few thousand of the bitcoins were left unrecovered.





Mt. Gox was able to move on despite this hack. It was still the world’s largest Bitcoin exchange with a strong position in an exploding market. Instead of turning things around and paying closer attention to security, Mt. Gox would go on to inadvertently burn thousands of bitcoins by accidentally sending them to Bitcoin addresses that didn’t exist, essentially taking them out of the Bitcoin ecosystem forever.





Thanks to the security blog WizSec, we have since discovered that Mt. Gox was slowly leaking bitcoins throughout 2011 and 2012, and that by the end of 2012 it was virtually insolvent.


No one knows for sure who stole the Mt. Gox bitcoins. There are several theories, each of which seems to have a reasonably large stack of supporting evidence.





The explanation put forth by Mt. Gox and Mark Karpelès is a recurring one in the world of Bitcoin: a hacker got access to the Mt. Gox wallets and managed to steal hundreds of thousands of bitcoins over a long period of time. The Mt. Gox team had simply failed to notice the theft. This explanation actually makes a lot of sense, because it involves all the human dynamics needed for such a heist to be successful. There was a group of people resting on a large sum of money, confident in their place but incompetent in their task. That is a completely understandable situation if you assume Karpelès and company were caught off guard by the sudden increase in the value of and attention to Bitcoin.

There are also the limitless skills and treachery of the shadowy and anonymous hacker, a caricature that has been a constant in nearly every media portrayal of Internet crime since the very concept of Internet crime entered the public imagination. This hacker is a cliché but one grounded in truth. There really are shadowy, anonymous hackers with near-limitless talents who make a career out of doing the kinds of things we end up reading about in the news. These people aren’t unique to Bitcoin. Just ask Target.





The second theory is possibly the most popular, likely because Karpelès is so easy to hate. This theory is a simple one: Karpelès is scamming everyone. Proponents of this idea insist that Karpelès stole from his own company and is simply waiting for the legal process and public scrutiny to pass. Once this happens, he will take the hundreds of thousands of bitcoins that he has secret control over and cash out in some anonymous way. For this theory to be accurate, Karpelès has to be both extremely daring and extremely stupid.

When you lose hundreds of millions of dollars in Bitcoin, public scrutiny isn’t simply going to pass. Karpelès’s life is in danger and the Internet has an infinite memory. Yet no one ever said that Karpelès isn’t daring and stupid. The suspicious timing of the start of the Bitcoin leak, which started immediately after the completion of a proof-of-solvency test—an audit where a third party confirms a company has the funds they say they do—adds credence to the theory, as do the actions of the so-called Willy and Markus bots I will discuss in a few pages.





Another theory seems more plausible but lacks a concrete perpetrator. It is likely that other Mt. Gox employees had access to the inner security workings of the exchange and any of them could have siphoned the coins. Employee involvement would explain why Mt. Gox didn’t notice anything for nearly a year. With no obvious suspects other than Karpelès himself, this explanation is ultimately unsatisfying. Finally, a lower-profile employee would certainly find it easier to sneak away unnoticed than Karpelès, the CEO.





The last theory is the latest to appear and involves the same two government officials we met in the previous chapter. As you’ll recall, in 2015, DEA agent Carl Mark Force IV and Secret Service agent Shaun Bridges were involved in the Silk Road investigation before being arrested for allegedly committing several crimes as the investigation took place, including the theft of hundreds of thousands of bitcoins from the Deep Web marketplace. According to prosecutors, Force had contact with Mark Karpelès during the investigation. According to emails found in court documents, Karpelès had reached out to authorities expressing his interest in helping them investigate bitcoins coming in to the exchange from illegal sources.





Instead, Force allegedly pressured the Mt. Gox CEO into doing business with him. After Karpelès refused, the government seemingly coincidentally seized two million of Mt. Gox’s fiat reserves. Force allegedly sent Karpelès the message, “Told you should have partnered with me!” shortly after the seizure. Although there is currently no publicly available evidence that either Force or Bridges was directly involved with the Mt. Gox theft, the apparent corruption of the two officers has led to speculation that they were involved in some way.

The two agents also allegedly revealed to members of the Dark Web marketplace that Karpelès was cooperating with them, lending credence to the theory that it was a hacker—possibly one working in conjunction with a Mt. Gox employee, since Karpelès was making some powerful enemies in the Internet underground.





Assigning blame in the Mt. Gox case is not something that can be done in this book. The case is nearing the JFK-assassination level of conspiracy and complexity. Several books could easily be written about what happened, what is alleged to have happened, and what might have happened. When the trials are completed and investigators reveal everything they know, I suspect those books will appear. In the meantime, I will leave the determination of guilt to the investigators who are heavily involved in the case.





Some information, however, can be gleaned from the investigation of WizSec, an online security researcher. Bitcoin began leaking out of the Mt. Gox hot wallets in 2011; this process continued until 2012. Those coins were sent to temporary addresses before being sent to a larger gathering address and then to exchanges for either mixing or sale. Some of the coins were even deposited back into Mt. Gox itself.





A different exchange, Kraken, was awarded arbiter status in the Mt. Gox case. That means it had control of the remaining funds and would be working with the authorities on how they should be distributed. Kraken has not been completely forthcoming with details and records for independent investigators, which is not unusual and might even be a legal requirement. It is also unclear how thorough the Mt. Gox records were. Nevertheless, through extensive blockchain analysis, information present in the Mt. Gox database leak and the proof-of-solvency completed by Mt. Gox in 2011, WizSec was able to track the likely holdings of Mt. Gox from that time until its failure in early 2014.





How, exactly, did someone drain some of the largest wallets of a completely traceable currency without anyone noticing? Reports indicate that Mt. Gox didn’t continuously monitor its cold storage wallets (i.e., Bitcoin wallets that aren’t connected to the Internet and are therefore theoretically safe from theft) but would use them to periodically refill its hot wallets when they ran low, due to normal variance in daily trading.





WizSec explained on his website how this situation could lead to a slow draining of wallets that could go unnoticed by Mt. Gox’s internal security:


One possibility is that without any monitoring of the storage or comparing incoming and outgoing amounts, Mt. Gox staff may have blindly kept pouring their cold storage into their leaking hot wallet, assuming that they were just dealing with frequent swings in deposits/withdrawals and that on average the cold storage was being refilled at roughly the same rate they were draining it.





In any case, Mt. Gox had less Bitcoin than its customers believed it held. By 2012, its reserves were depleted and things only got worse from there.
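The control WizSec describes as missing, comparing incoming and outgoing amounts against what the hot wallet actually holds, can be sketched as follows. This is an added example, not code from Mt. Gox or WizSec; the weekly figures are constructed and the fee tolerance is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Period:
    label: str
    deposits: D      # customer deposits credited by the internal ledger
    withdrawals: D   # customer withdrawals the ledger authorised
    cold_refill: D   # coins moved from cold storage into the hot wallet
    observed: D      # hot wallet balance actually seen on-chain at period end


def reconcile(opening, periods, tolerance=D("0.5")):
    """Compare what the ledger says the hot wallet should hold with what it holds.

    Returns one finding per period whose unexplained outflow exceeds
    `tolerance` (an assumed allowance for miner fees and rounding).
    """
    findings = []
    start = opening
    cumulative = D(0)
    for p in periods:
        expected = start + p.deposits - p.withdrawals + p.cold_refill
        unexplained = expected - p.observed
        if unexplained > tolerance:
            cumulative += unexplained
            findings.append({
                "period": p.label,
                "expected": expected,
                "observed": p.observed,
                "unexplained_outflow": unexplained,
                "cumulative_unexplained": cumulative,
            })
        start = p.observed  # the next period starts from reality, not from the ledger
    return findings


def refills_despite_net_inflow(periods):
    """True if cold storage was drawn down while customers were net depositors.

    This is the pattern in the quote above: refills that ordinary
    deposit/withdrawal swings cannot account for.
    """
    net_customer = sum((p.deposits - p.withdrawals for p in periods), D(0))
    total_refill = sum((p.cold_refill for p in periods), D(0))
    return net_customer >= 0 and total_refill > 0


# Constructed sample data: four weekly snapshots, in BTC.
OPENING = D("1000")
PERIODS = [
    Period("week 1", D("400"), D("350"), D("0"), D("1050")),
    Period("week 2", D("300"), D("320"), D("200"), D("1080")),
    Period("week 3", D("450"), D("400"), D("300"), D("1180")),
    Period("week 4", D("500"), D("480"), D("0"), D("1199.8")),
]

if __name__ == "__main__":
    for f in reconcile(OPENING, PERIODS):
        print(f["period"], "unexplained outflow:", f["unexplained_outflow"],
              "cumulative:", f["cumulative_unexplained"])
    print("refills despite net inflow:", refills_despite_net_inflow(PERIODS))
```

In the sample, the hot wallet balance never looks alarming on its own because each refill tops it back up; only the per-period comparison exposes the gap.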





In 2013, a string of strange trades caused some to suspect there was an unusual amount of bot trading at Mt. Gox. Bots are scripts that buy and sell Bitcoin on the various exchanges. Although bot trading is common in Bitcoin trading today, the activity of these bots was curious. Trading bots normally act out the desires of their owners: buy if Bitcoin hits one price, sell if it hits another. It is actually a bit more complex than this, with bots able to make decisions within parameters in order to buy and sell continuously throughout the day.

The point is bots don’t act much differently than a rational day trader would if that day trader could stay awake for 24 hours a day. These bots weren’t acting like rational day traders. They were instantly buying up groups of bitcoins at seemingly random prices. It is now suspected, though not confirmed, that this was done to ease the effects of operating with a fractional reserve, in which there is less money in the system than customers own. One bot’s activity in particular was so bizarre it gained a nickname: the Willy bot.





The evidence of inside involvement in this unusual bot activity comes from transaction details that were leaked in late 2013. The accounts linked to suspicious bot behavior only acted one at a time. They would appear, purchase about $2.5 million worth of bitcoins, and then never act again. These accounts were responsible for $112 million in trades. The bots never sold any of the 270,000 BTC they purchased.





This trading activity wasn’t the bots’ only suspicious characteristic. The first known Willy bot account had a user ID number that was higher than the current level of regular customer IDs, suggesting that it was created outside of the normal user account creation system. This led some to dig deeper, which brought about the discovery of a precursor bot—dubbed Markus by its discoverer—that also had a higher-than-normal user ID number and was behaving similarly.





The Markus bot had operated without paying any transaction fees to Mt. Gox. In addition to having Japan listed as its region, the bot had a Tokyo IP address like Mt. Gox, though the IP address could have easily been faked. Strangest of all, however, was that the bot seemed to have made large purchases at a static price rather than a variable price based on the current sale offers for Bitcoin. This detail led to fairly grounded speculation that the pre-Willy bots—and possibly the Willy bot itself—weren’t actually buying any bitcoins at all.





The bot activity has nothing to do with the theft itself. WizSec has all but proven that the missing Mt. Gox coins were already missing by the time the bots came onto the scene. What it does seem to indicate, however, is that someone at Mt. Gox might have been trying to cover something up as early as 2012.





As I mentioned above, the Markus bot had an unusually high user ID number: 698630. In the 2014 leak, there were two versions of the April 2013 transaction log: a condensed but provably unmodified version with usernames taken out, and a regular version that included usernames and could have been modified. In the former version, Markus can still be identified by comparing its transactions to the transactions in the latter version that includes usernames.

The bot’s unusual purchase prices appeared modified to fall in line with what one would expect, and its high ID number was changed to 634. In the leak that occurred in 2011, there was a user with the customer ID 634. It belonged to “MagicalTux”—the same username that Mark Karpelès used on BitcoinTalk, his blog, and Twitter.





After the Markus bot had apparently ceased trading, the Willy bot continued, at times making up 90 percent of the total trading volume in an hour. It should be noted, however, that no definitive link, other than patterns in trading behavior, was ever established between the Markus bot and the Willy bot.





Things soon went from bad to worse. Already seemingly covering up losses with bot trading activity, Mt. Gox had its Wells Fargo and Dwolla (a PayPal-like service) accounts seized by the US government, subtracting a few more million in fiat from its reserves. This seizure led to the first instance of officially halted withdrawals. They would eventually resume, though with sporadic interruptions.





For a short time in late 2013 and 2014, Mt. Gox attempted to blame its issues on a known flaw in the Bitcoin protocol: the transaction malleability exploit. It works as follows. A malicious actor, playing the part of a miner or a full node, would submit false versions of other users’ transactions with a different destination ID. The system should be able to prevent this by checking the transaction ID’s hash and the sender’s signature, but it neglected to do this in an older version of Bitcoin. If a malicious actor can change the user ID and get the modified version of the transaction confirmed on the blockchain before the legitimate one does, then that malicious actor has gained the ability to interrupt and redirect Bitcoin transactions.





Although the transaction malleability bug was a real issue, it was never exploited to the degree that it could account for even a fraction of the bitcoins lost during the Mt. Gox collapse. The numbers simply don’t add up. A paper published on arXiv.org completely discredited the official excuse that the transaction malleability bug had caused Mt. Gox’s financial woes. The paper concluded that only 386 bitcoins in the entire Bitcoin ecosystem were involved in possibly successful transaction malleability exploit attempts before Mt. Gox prevented user withdrawals. There is no possible way that it could have contributed significantly to the failure of Mt. Gox.





As accusations mounted and more customers expressed their dissatisfaction, Karpelès eventually stepped down from the Bitcoin Foundation, much later than many felt he should have. The start of 2014 was turbulent with more users complaining about withdrawal issues on a daily basis. By February, most people assumed no more money, fiat or Bitcoin, was coming out of Mt. Gox. One American flew to Japan from Indiana to personally ask Karpelès for his money back. It was perhaps the first Bitcoin-related act of political theater that took place outside of the Internet.





We can now return to the last day of February 2014 and to the defeated and dejected Karpelès sitting in that suit in front of the Japanese District Court and filing for bankruptcy. Mt. Gox would be shut down and there would be no redemption story for it or its CEO. The man who reportedly forced his employees to call him “the king” had lost his kingdom. The dream was over and Karpelès looked as if he knew it. If Karpelès were the perpetrator of the theft, he didn’t look as if he expected to end up there.





Mt. Gox’s final breath caused a huge ripple effect that broke into the mainstream consciousness and shaped many people’s perceptions of Bitcoin. Those perceptions continue to color Bitcoin’s reputation today.





The Weekly Standard published an article with the title “Bitcoin is Dead.” Salon wrote about how the Mt. Gox hack—along with the (likely bogus) “doxxing” (i.e., exposure) of a California man as Satoshi Nakamoto—spelled the currency’s doom. Everyone from Reuters to Yahoo seemed to be anticipating Bitcoin’s demise. A few saw a silver lining but most thought it was the end. Senator Joe Manchin of West Virginia called for an outright ban on Bitcoin. Even the long-time Bitcoin blogger, security researcher, and cryptocurrency evangelist twobitidiot (real name Ryan Selkis) lamented “Bitcoin’s Apocalyptic moment” upon learning the news.





The concerns, it should be said, were valid. One could be forgiven for expecting the 2014 Mt. Gox collapse to be the end of the currency. A total of 3.5 percent of all the bitcoins that can ever exist disappeared in the Mt. Gox theft. It wasn’t hard to imagine this was Bitcoin’s end.





In mid-March 2014, 200,000 of the bitcoins owned by Mt. Gox were discovered in a long-forgotten wallet. That gave some hope to the people looking for restitution but there is no hope of reviving Mt. Gox.





The legal process that followed the collapse of the exchange has been painfully slow, which is sure to cut into that 200,000 BTC stash as expenses mount. The claims process for former Mt. Gox customers started more than a year after the collapse. No one seems to know when that claims process is going to be completed. In the meantime, cash is flowing out of the remaining funds to large investors and to pay Mark Karpelès’s legal expenses. It seems unlikely that, with so many drains on the funds, there will be much left for actual Mt. Gox customers.



And yet Bitcoin didn’t die. One could argue it was permanently maimed but it has managed to carry on. The Mt. Gox collapse served as a warning to the rest of the community, helping shape future developments in the Bitcoin infrastructure.





Bitcoin is a decentralized currency. Centralizing where the community holds those coins eliminates some of Bitcoin’s advantages. Mt. Gox essentially functioned as a bank by holding on to everyone’s currency, eliminating the decentralized aspect. Banks and their malfeasance are often cited as a driving force behind people’s interest in Bitcoin. Unfortunately, unlike banks, Mt. Gox was free from regulations and lacked insurance. It incorporated all the negative aspects of banks with none of the oversight that has been applied to them over the decades. With such a large number of bitcoins in one place, Mt. Gox became a huge target for malicious actors and acted as a central point of failure. Still, a centralized marketplace where people can buy and sell bitcoins is essential to price discovery and ultimately the entire Bitcoin ecosystem.





This conundrum led to various projects attempting to create a decentralized exchange. A few have been completed: BitHalo, Nxt’s marketplace, and Blocknet are scheduled to be released or receive major upgrades by the time this book goes to print. Whether anyone will use them—or whether they are released at all—remains to be seen.





A decentralized exchange would allow users to trade bitcoins for fiat without depending on a third party. As opposed to over-the-counter trades, a decentralized exchange could have an order book and a price that changes based on market demand. Although the concept of a decentralized exchange had existed before the Mt. Gox collapse, it was this event that instantly moved the idea to the top of nearly everyone’s to-do list. Sadly, most Bitcoin trading today is still performed using centralized servers. No decentralized service has hit that sweet spot of usability, security, and privacy. Once it does, the issue of integrating this decentralized exchange with traditional financial systems will still exist.





Even more important than the push toward decentralization was the realization that Bitcoin’s short childhood was over. Real money was being put into the system, and with real money come real criminals. Bitcoin had become a target, not of governments or banks but of the very people it appealed to. It is the technically inclined who stand as Bitcoin’s biggest asset and its biggest threat. Bitcoin’s value exists because of its utility and that utility is completely wrapped up in how secure it is. Regardless of how strong the base protocol of Bitcoin itself is, third parties can hurt its reputation. It only takes one hacker to seize a stash of bitcoins and ruin years of built-up trust and good will.





That said, the smart money continued to bet on Bitcoin even after the Mt. Gox fiasco. While the price was in a steady decline for the remainder of 2014 and the first three quarters of 2015, venture capitalist money funneled in as never before. The year 2014 was a record-breaking one for cryptocurrency investments and as of this writing, 2015 was already on track to beat that record. More recently, financial giants Goldman Sachs, USAA, and NASDAQ all announced they were jumping on the Bitcoin bandwagon and were exploring technologies based on the blockchain. 





The list of merchants that accept Bitcoin has also continued to grow and now includes Microsoft, PayPal’s Braintree, Dell, Dish Network, Expedia, Overstock.com, The American Red Cross, RE/MAX London, Save The Children, Edward Snowden’s legal defense fund, and countless others. One Bitcoin exchange, Circle, is registered and compliant with the New York Department of Financial Services. During the 2016 US presidential race, Rand Paul, a major candidate for the Republican nomination, was accepting Bitcoin donations.





I don’t pretend to know what the future of Bitcoin looks like. However, Mt. Gox was arguably the worst thing that could have happened to Bitcoin and it didn’t kill the currency. Bitcoin has moved on and looks stronger now than it did in late 2013. That counts for something.
