Episode Show Notes



REPORTER: The CEO of Mt. Gox has released a statement for the first time since the Bitcoin exchange was shut down. This, amid speculation that the CEO was in hiding following reports that an estimated 744,000 Bitcoins, worth about 350 million dollars, was stolen. Japanese authorities are currently said to be investigating the matter. JACK (INTRO): [INTRO MUSIC ] This is Darknet Diaries, true stories from the dark side of the internet. I’m Jack Rhysider. [INTRO MUSIC ENDS]

JACK: What if there was a money system that wasn’t tied to any specific country? What if that money system was both anonymous where you can’t tell who owns the money, and transparent, where anyone can see every transaction? What if that money system was completely digital where there wasn’t a need to print bill or coins? There is such a money system; it’s called Bitcoin. Bitcoin is a decentralized electronic currency. Instead of there being a big data center that handles all the transactions, in Bitcoin world the transactions are done by crowdsourcing. Anyone can join in on processing Bitcoin transactions. But why should they?

When people use their computers to help process Bitcoin transactions, they get a small amount of Bitcoin in exchange. There are a couple of other neat features of Bitcoin. It’s not tied to any particular country, it’s anonymous, and all transactions and Bitcoin are public information. When someone gives Bitcoin to another person, anyone can see that that money was moved. You might find all this confusing but just know this; Bitcoin is digital money and you can buy it in almost the same way you can buy any foreign currency; through an exchange. You give the Bitcoin exchange your dollars and they send you the digital money. You can keep your digital money in the exchange itself or move it to your own Bitcoin wallet which can be stored on your computer, or phone, or somewhere else. Bitcoin has been around for less than ten years. It first started in 2008 but for the first few years there were no exchanges.

In 2010 a web programmer named Jed McCaleb took an interest in Bitcoin and he had an old domain lying around called mtgox.com which initially stood for Magic the Gathering Online Exchange but that project only lasted a few months before he abandoned it so he reused that domain and used it to start the first Bitcoin exchange called Mt. Gox in July 2010. Being first to market of an emerging technology usually means you’re going to be the leader of the market. That was certainly the case for Mt. Gox. For the entire life of Mt. Gox, it was the dominant Bitcoin exchange for the world. Even when there were multiple other exchanges, Mt. Gox was still processing 70 percent of all Bitcoin. They were processing over 100,000 Bitcoins a day, which would well exceed 15 million US dollars. You could go to the Mt. Gox website and buy Bitcoin with US dollars, Japanese yen, British pounds, Russian rubles, and several other currencies.

You could also do the opposite; trade your Bitcoin for any of those currencies and they’ll deposit it into your bank account. Mt. Gox was the go-to place if you wanted to buy or sell Bitcoin. But all that came to a screeching halt in 2014. Suddenly, without warning, Mt. Gox went offline and shut down. Mt. Gox contained 750,000 Bitcoins when they shut down. That’s seven percent of the Bitcoins in the world, which was worth over 450 million US dollars. A statement from Mt. Gox initially said the Bitcoins were stolen. So what happened? A series of unfortunate events. [MUSIC] The technology behind Bitcoin is fairly complicated. Investigators, police, government agencies, they just don’t have the resources to really investigate and figure out what happened to the Bitcoins at Mt. Gox. In fact, a lot of it is over my head, too.

KIM: Hello?

JACK: So I called someone up.

KIM: Hi Jack, how are you doing?

JACK: Who knows a thing or two about Bitcoin.

KIM: My name is Kim Nilsson. I’m actually just a general software consultant. I work with software development mostly, but I also do blockchain analysis or as I sometimes call it blockchain archaeology since I mostly look into historical stuff.

JACK: The blockchain is the public record that stores all Bitcoin transactions. There are over [00:05:00] 300,000 transactions a day and each one of these is stored in a way that anyone can view them all. Bitcoins are stored in virtual wallets. We can see how much Bitcoin moves around from one wallet to another but we can’t determine who that wallet belongs to. That part is anonymous.

KIM: I was pretty much a Mt. Gox customer, yes. I was just using them for trading and whatnot. I wasn’t really actively observing them while they were up or anything, so I was kind of taken off-guard when Mt. Gox just went down. I didn’t lose an insane amount of money but I didn’t take it particularly well. I felt like someone needs to investigate this and I wasn’t really prepared to trust that normal law enforcement, the normal usual actors would investigate it properly considering a) what a cutting edge technical field it is and b) would they even get the necessary data and whatnot?

I kept watching the situation going forward from there with great interest. There started to be leaks coming out with some of the internal Mt. Gox data. Suddenly well, actually maybe someone else can investigate this from the outside. That’s sort of where this all got started. I joined forces a little bit with some other guys and cooperated when necessary and we tried to get a hold of as much data as we could to try to figure it out. After that it’s basically just been me plowing through that and doing technical analysis on it ever since.

JACK: For the last three years Kim has been studying the blockchain and trying to personally piece together what happened to Mt. Gox. He’s trying to count how much money went in, how much money went out, and reconcile these numbers. This is no easy task. The data containing all these transactions is almost 40 gigabytes and there were hundreds of millions of records. He was trying to go through all of them to try to make sense of what happened to Mt. Gox. He spent a long time crunching this data and found brilliant ways of searching it faster. He would also ask the CEO of Mt. Gox directly for additional information. The CEO would sometimes comply. It also helped that they both lived in Japan.

KIM: As you say, one of the things that makes it quite hard to get an overview of what actually happened in Mt. Gox is that there really wasn’t any one thing, it was a lot of different things. Some of them are connected, some of them aren’t. It’s hard to get a single satisfying answer to what actually happened.

JACK: Let’s start from the beginning and try to find where Mt. Gox went wrong.

KIM: [MUSIC] Mt. Gox was founded, or reworked, as a Bitcoin exchange in 2010.

JACK: Which was likely ran by a single person at the time, Jed McCaleb. He was a web developer and personally created the site from scratch.

KIM: In January of 2011 there was two exploits related to Mt. Gox integration of Liberty Reserve withdrawals.

JACK: Liberty Reserve was a company Mt. Gox used to transfer money from one person to another. It was a service tied to their back end which allowed money to be moved around but Jed made some mistakes when adding the service to his site.

KIM: A user would just be able to inject XML to override parameters in the API request sent to Liberty Reserve to get more money than they actually withdrew from Mt. Gox.

JACK: So hackers were withdrawing more than they should be allowed to withdraw by exploiting this poorly implemented code. But that wasn’t the only issue Jed had with Liberty Reserve. Users type in how much money they want to withdraw, but…

KIM: The code forgot to check for negative inputs.

JACK: This had screwy results, allowing users to withdraw money they didn’t have. Jed found these bugs and fixed them but it wasn’t until he had already lost $50,000. Around that time, Jed McCaleb and Mark Karpelès started talking. Jed was realizing the site required more time than he could put into it. Then Mark showed an interest in taking over Mt. Gox from Jed. Mark was a web programmer from France but had recently moved to Tokyo, Japan where Mt. Gox was located.

KIM: Jed basically almost gave it away to Mark Karpelès in that very favorable price and sold it for almost no upfront money and just getting a cut of the revenue for the next six months, I think.

JACK: But just before the transfer of ownership to Mark, something terrible happened to Mt. Gox. Someone had broken into the Mt. Gox servers and stole the hot wallet file. The hot wallet is a Bitcoin wallet Mt. Gox used to conduct daily operational trades. This differs from a cold wallet, which was not stored on the Mt. Gox servers but in another location in a much safer place. The thief took the hot wallet and then transferred all the Bitcoins that were in it to their own wallet.

KIM: That was about 80,000 Bitcoins that disappeared and are actually still sitting untouched on the blockchain to this day. It’s quite possible they’ve been [00:10:00] accidentally destroyed or something. Since these 80,000 Bitcoins have been stolen there was of course, at this point, already a shortage. Mt. Gox was technically already insolvent as soon as Mark Karpelès took it over. I don’t think Mt. Gox was ever, in fact, solvent for a single moment for as long as it existed under Mark Karpelès.

JACK: That is, if all the Mt. Gox users were to try to take all their Bitcoins out of the exchange, there wouldn’t be enough for everyone.

KIM: Already by the time Mt. Gox was sold a few months later, there was a lot of money missing. So off to a bit of a bad start under his management, you could say.

JACK: Mark Karpelès is now running Mt. Gox from Tokyo, Japan. All ownership is now transferred to him and a few months go by under his management. Mark was in the process of figuring out where the Mt. Gox Bitcoins should be kept. He had some in the Mt. Gox servers in the form of a hot wallet and he had some in a secure off-line location which is a cold wallet, but he also had some on his personal computer.

KIM: During this time it appears that someone was able to get into Mark’s own computer which at this particular point in time appears to have been quite unsecured. It looks like they got it off of his personal machine from home. At the time he was unfortunately keeping 300,000 Bitcoins from Mt. Gox on his own unsecured machine, and a thief was just poking around, got lucky, and found it and ran away with it. This is a huge number of Bitcoins lost obviously, but it never got any mainstream attention because actually the thief, as it turned out, got nervous it seemed and offered to give all the Bitcoins back in exchange for a small keeper’s fee.

JACK: The thief kept 3,000 Bitcoins and gave the remaining 297,000 back to Mark.

KIM: Probably, if I were to venture a guess, they offered to give the coins back because they hadn’t been particularly careful. I don’t think it was some master hacker. It was probably just someone poking around, like I said. If I had been in their shoes I probably would have been astonished that it even worked in the first place. Presumably the deal at the time was that they gave the coins back in exchange for not being investigated.

JACK: Another month goes by. It’s now June 2011. Mark had only been running Mt. Gox for about three months.

KIM: At some point someone again got into Mt. Gox’s system. They were probably able to take a small database dump of the user’s table that contained accounts and their password hashes and everything. Whoever stole this small database dump were able to also brute-force a fair amount of the passwords including the password to Jed’s own admin account. Part of having an admin account at Mt. Gox meant you had access to a small, separate page where you can view admin tasks like manipulate account balances and things like that. Whoever got into this made good use of this little feature and started adding crazy amounts of Bitcoins to new accounts.

JACK: The hacker was creating Bitcoin out of thin air and selling them as fast as they could. Bitcoin was worth around 17 dollars at the time. This hacker sold so many Bitcoins it drove the price all the way down to one cent each. Some people bought thousands of Bitcoins at that price. The market had gone haywire and hit rock bottom. Then the thief bought back the cheap Bitcoin and tried to move the Bitcoin to another address, but Mark Karpelès saw this crash happening and shut the servers down. He knew something was very wrong and investigated. He even had help from others to investigate the situation. Mt. Gox remained offline for days. They eventually found how the hacker got in and crashed the market, so Mark rolled back the system to undo all trades during the time of the crash. Mt. Gox came back online with the price restored back to 17 dollars per Bitcoin but the hacker wasn’t completely empty-handed.

KIM: They were also able to get some actual Bitcoins out by inflating balances, trading them for a bit, and just trying to withdraw. They got about two thousand Bitcoins out that way.

JACK: It’s two thousand Bitcoins that Mt. Gox had to absorb since they were actually transferred out of Mt. Gox. A couple more months go by and Mark is looking to expand Mt. Gox to be able to do business in Europe.

KIM: In late summer 2011 there was this other exchange in Poland called Bitomat that accidentally destroyed their own Bitcoin holdings. I think they had their wallet in a virtual machine that accidentally wiped it or something like that. That destroyed 17,000 Bitcoins. At this point Mt. Gox was sort of looking to [00:15:00]expand and have local licenses and whatnot to operate in local markets. They were trying to get a foothold in Europe. Mark looked at this as a chance to get into Europe by acquiring Bitomat and whatever company registrations they had in exchange for covering this debt, basically. Mt. Gox absorbed all of Bitomat including the 17,000 Bitcoin in customer holdings.

JACK: At this point Mark had only been running Mt. Gox for about five months and is already missing $50,000 in cash and a massive 100,000 Bitcoin. While Mark’s skillset was mostly in programming, he believed Mt. Gox could be turned around and become a very profitable company. He had every intention on making it a success. He was just in a little over his head. Not another month goes by and there is another breach.

KIM: Yep, another incident where someone seems to have gotten into the system. They have access to the database. Recall that the June hack, as well, involved getting information out of the database. This time around though, there definitely seems to be that the attacker has right access to the database as well, that they can make changes directly to it and they make – they alter account balances, they’re able to wipe accounts. They tried to wipe their tracks as well in this way. Because of that, this incident is a bit harder to track because all of the evidence seems to have been wiped. I’ve reconstructed some of it by basically sketching out the gaps where there should have been logs but there aren’t any, or there are orphan records in the database that suggest that something has been deleted and whatnot. Probably by the best estimates, something a bit short of 80,000 Bitcoins was taken out of Mt. Gox.

JACK: Mark did not detect this breach until after the Bitcoins were already transferred out of Mt. Gox, so he wasn’t able to stop this theft from happening. Now Gox is now missing almost 200,000 Bitcoins. The very next month another breach occurs and this one, the biggest one of all.

KIM: [MUSIC] The hot wallet, wallet.dat got stolen by someone with access to the system.

JACK: Once again, the hacker broke into the Mt. Gox server and stole the Bitcoin wallet from Mt. Gox. The thief quickly moved the Bitcoin into their own wallet but because they had control of the main hot wallet from Mt. Gox, any new deposits into that wallet, the thief would also be able to take those funds, too. For the longest time Mt. Gox didn’t detect any of this activity.

KIM: This theft went on until at least a good chunk into 2013. That’s almost a full two years.

JACK: By the time it was finally detected and stopped, the thief had been able to siphon 650,000 Bitcoins from Mt. Gox.

KIM: This is the big theft that most people will be thinking of when they talk about the Mt. Gox missing Bitcoins.

JACK: You might be wondering why didn’t Mark encrypt the wallet? Well ironically, the feature to encrypt Bitcoin wallets was released a few weeks after the theft took place. There simply wasn’t a technology out there to encrypt Bitcoin wallets at the time. You might also wonder why Mt. Gox was target for so many attacks.

KIM: Bitcoin is basically incentivized hacking in that now that you have things like crypto-currency you can actually steal actual money just by hacking computers whereas previously you could just acquire the means of stealing the money and whatnot. You can get data in holding them for ransom and whatnot but with Bitcoin and other crypto-currency you can actually steal the actual money from digital systems. That increases the risk by a magnitude, easily, in that it now is a lot more lucrative for hackers to attack your systems. Mt. Gox had the – it was a double-edge sword in that it pioneered a lot of the markets [00:20:00] but also since it was the first, it’s not like this was some big established company that spent millions developing secure software or anything. It was just an amateur code base that they were then trying to keep patched and somehow handle the load over the years. It was never a professional exchange in the sense that people who deposited money probably thought or wanted it to be.

JACK: Even though by this time Mt. Gox had lost over 800,000 Bitcoins, the problems didn’t stop there. Another error in the code base of Mt. Gox had a problem processing transactions.

KIM: This showed up in the Mt. Gox system as a deposit to user accounts even though there was no new Bitcoins coming in. It was misidentifying those transactions as putting new Bitcoins into user accounts. It was a bit under fifty accounts; they got free Bitcoins for about 45,000 Bitcoins in total.

JACK: There went another 45,000 Bitcoins. During that month of October 2011, Mark Karpelès deployed a new wallet system into Mt. Gox that he had programmed himself in an attempt to have a more secure service but near the end of 2011 his new wallet system had a programming error.

KIM: This is an instance where he actually had a bug in his code. That meant that a number of withdrawals actually sent Bitcoins to unspendable addresses, which is the same as destroying Bitcoins. That lost about 2,500 Bitcoins that became destroyed because of this. The irony is that this is basically the only real instance of Mark’s replacement wallet actually losing any significant funds.

JACK: Mt. Gox didn’t have any more thefts or break-ins since the new wallet software was added. It seems like his improved security was working. But Mark knew he was missing so many Bitcoins and Mt. Gox was insolvent. He tried to keep all these breaches and thefts under wraps and hidden from the public. He didn’t want to ruin the reputation of Mt. Gox being the leader of Bitcoin exchanges so he tried to keep these breaches secret. Things went okay for Mark and Mt. Gox in 2012. No significant breaches occurred, no big programming errors that resulted in a loss of Bitcoin, and Mt. Gox continued to dominate the market as the largest Bitcoin exchange. It appeared that Mark had finally gotten things under control and was slowly recouping his losses.

By mid 2013 Mt. Gox was handling 70 percent of the world’s Bitcoin trades which was around 150,000 Bitcoins a day. Even though it was the leader of Bitcoin exchanges there weren’t that many employees working for Mt. Gox. Mark did a lot of the programming himself but he did have a few other developers helping out. It’s not clear whether Mark thought he could just handle it himself, or he had a hard time trusting others, or maybe he didn’t have the money to hire staff.

[MUSIC] In 2013 Mt. Gox wanted to expand into the US so it agreed to use a company called CoinLab to handle all North American transactions. Mt. Gox gave them five million dollars to get started with, but for some reason this deal went bad and CoinLab filed a lawsuit against Mt. Gox because of a breach of contract. CoinLab was seeking 75 million dollars and they kept the five million dollars that Mt. Gox gave them. I believe this lawsuit is still going on today. Later in the summer of 2013 the US Department of Homeland Security issued a warrant to seize money from Mt. Gox. They had been in violation of acting as an unregistered money transmitter in the US. In total, DHS seized five million dollars from Mt. Gox. It was also discovered that Mark was running a trading bot.

KIM: [MUSIC ] I don’t know who had the original idea. There was an e-mail leaked where Mark and Jed is discussing it and Jed is, amongst other things, suggesting that maybe you can make trades on your own exchange to shift this liability back and forth between Bitcoins and fiat money as a way to recover the funds, if you can basically trade the losses back. Of course, require you to be a trader that can make reliable profits and Mark doesn’t seem to have been a trader that was able to make profits. If anything he seems to have bought high and sold low.

JACK: This trading bot he was running was called the Willy Bot and there’s a paper that explains it in detail. At the time the paper came out it was just speculation, though. But the speculation proved to be spot-on.

KIM: The way Mark had implanted this internal trading mechanism, it actually kept all the logs so it’s possible to get quite accurate information of what work was done or not. He didn’t seem to wipe any logs or anything like that.

JACK: By analyzing the logs and adding up the trades, this bot resulted in Mark [00:25:00] losing an addition 50 million dollars and 22,000 Bitcoins. In February 2014 Mt. Gox suddenly, without warning, halted all withdrawals from its site. Mark stated they were addressing some security concerns but a few weeks later Mt. Gox, the largest Bitcoin exchange on the market, shut down entirely. [MUSIC] The website went offline and simply returned a blank page. Protests began outside the Tokyo office. Thousands of customers were furious. Mt. Gox had closed his doors, seemingly holding onto 850,000 Bitcoins but in reality the Mt. Gox coffers were entirely empty. At the end of February Mt. Gox had filed for bankruptcy in Tokyo, stating they had lost 850,000 Bitcoins which was worth 470 million dollars. Nobody believed that Mark had lost this many Bitcoins. That’s seven percent of all the Bitcoins in the world.

People just couldn’t grasp how such a large amount of Bitcoins could become lost. But as you heard it was lost, just not all at once. The next month, when looking through some of the old Mt. Gox systems that were in use in 2011, Mark Karpelès found a wallet in the system that still had 200,000 Bitcoins. This brought the total losses down to 650,000 Bitcoins. In August 2013, Tokyo police arrested Mark Karpelès. Not for losing the 650,000 Bitcoins but on charges for embezzlement and fraud. Japanese prosecutors accused him of falsely adding Bitcoins into the accounts of investors and then moving that to his own wallet. He has continued to plead innocent to these charges.

As far as the thieves go who stole the money from Mt. Gox, only one person has been caught and arrested. His name is Alex Vinnik and is a Russian national and was arrested in Greece. He was arrested for money laundering but evidence shows that he had some of the Bitcoins that were stolen from Mt. Gox. However, just because he had them doesn’t mean he stole them. He was just accused of laundering, not of stealing the Bitcoin. The year after his arrest, Mark Karpelès was released on bail and is currently residing in Tokyo. He’s still undergoing the legal process of his arrest in the Mt. Gox bankruptcy.

Those 200,000 Bitcoins he found have sat untouched since he found them. The bankruptcy case restricts him from touching them but since 2014 when Mt. Gox filed for bankruptcy, the price of Bitcoin has skyrocketed. At the time of this recording it’s now worth over $10,000 per Bitcoin. Mt. Gox owes their creditors 450 million dollars which is what the Japanese courts have locked in as what he owes. But his 200,000 Bitcoins are now worth two billion dollars. If he were to pay off all his creditors today, he may then get to walk away with over one billion dollars.

KIM: For sure, the industry and the community has learned a lot since Mt. Gox. Like I said, most of the reason for Mt. Gox being so unprepared to fill its own shoes, so to speak, was because it was the first of its kind. There was no real best practices back in 2011 or anything like that and as anyone has been in any initially successful start-up can tell you, it can be really hard to keep up with actually investing the time needed to keep your technology up to date.

JACK: One big thing we’ve learned from Mt. Gox is that it’s not a good idea to leave your Bitcoin on the exchange unless you’re actually trading it. For long-term storage it’s best to keep a Bitcoin wallet on your own computer that you control. This way it can’t be stolen from an exchange but you still need to be careful, protect your computer from thieves, though. When determining if an exchange is reliable, check to see if it complies with audits. For Bitcoin exchanges to operate in the US they must adhere to strict audits but some exchanges even take it a step further and agree to even more strict audits. It’s also good to use an exchange that has a good reputation and not something that’s just popped up yesterday. A lot of lessons can be learned from Mt. Gox.

KIM: Yeah, it’s quite a wild ride.

JACK: And it will be interesting to see what happens next, not just to Bitcoin but also to Mt. Gox and Mark Karpelès.

JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com. Music is provided by Podington Bear.



Transcription performed by LeahTranscribes