The rise and fall of Mt. Gox

 I’m Roger Ver, long time Bitcoin advocate and investor. Today I’m at the Mt. Gox world headquarters in Tokyo, Japan. I had a nice chat with Mt. Gox CEO, Mark Karpelès, about their current situation. He showed me multiple bank statements, as well as letters from banks and lawyers. I’m sure that all the current withdrawal problems at Mt. Gox are being caused by the traditional banking system, not because of a lack of liquidity at Mt. Gox. The traditional banking partners that Mt. Gox needs to work with are not able to keep up with the demands of the growing Bitcoin economy. The dozens  of  people  that  make  up  the  Mt.  Gox  team  are  hard  at  work

establishing additional banking partners, that eventually will make dealing with Mt. Gox easier for all their customers around the world. For now, I hope that everyone will continue working on Bitcoin projects that will help make the world a better place.

– Roger Ver, July 2013, during the first rumblings at Mt. Gox.91 (He later apologised.)

Bitcoin got its first big publicity push with the announcement of version 0.3 on technology news site Slashdot on 11 July 2010.

At this time, Jed McCaleb was a programmer at a loose end. He had previously developed eDonkey, an early file sharing network, which was shut down in late 2005 after being sued by the Recording Industry Association of America. He then went on to develop a game, The Far Wilds, leaving that to its community in 2009.

McCaleb saw the Slashdot post, tried and failed to buy some bitcoins, and thought an exchange would be a good idea. (Early Bitcoin core developer Martti Malmi had an exchange site, but it wasn’t very usable.96) He had run the “Magic: The Gathering Online Exchange,” a trading site for an online card game, for a few months  in  2007,  using  the  domain name  mtgox.com;97 he  quickly  wrote some exchange software in PHP and reused the name because his girlfriend liked it.

McCaleb announced the site on 17 July and it was an immediate hit, because people could buy and sell bitcoins via PayPal – using his personal account. Furthermore, users could keep both dollars and bitcoins there on the exchange to trade more quickly.

By late 2010, McCaleb was doing well from Mt. Gox, even though it was a completely amateur operation – he didn’t even talk to a lawyer about the regulatory implications of his business until December 2010, though it was taking and holding people’s actual money, uninsured, unregistered and unregulated. But he was finding it enough work to be annoying, he was tiring of attempted hacker attacks, PayPal kept cutting him off, and he worried about the amounts of money he was personally moving around.

He befriended Mark Karpelès, a French web developer. Karpelès was a massive fan of Japanese animation – his online handle MagicalTux was a reference to the anime Sailor Moon – so had moved to Japan in 2009. (He also left France before a 2010 fraud trial, in which he was sentenced in absentia to a

year’s jail.) McCaleb first offered to sell Mt. Gox to Karpelès in January 2011 and finalised the sale in February, announcing it to the world in March.

The deal used a contract they worked out between them, without either of them using a lawyer. It included terms such as:

the Seller is uncertain if mtgox.com is compliant or not with any applicable

U.S. code or statute, or law of any country.

The buyer agrees to indemnify Seller against any legal action that is taken against Buyer or Seller with regards  to mtgox.com or anything  acquired under this agreement.

It was only in April, after the handover, that Karpelès realised that 80,000 bitcoins (then worth $62,400) had already been missing when he bought Mt. Gox. McCaleb told him “maybe you don’t really need to worry about it” and suggested he  buy  up  more  BTC  to  cover  the  shortfall, shuffle  his  internal accounts around, get an investor or just mine more himself – but didn’t offer any explanation of where the coins might have got to or how.

Karpelès tried to fill the hole himself, but the price of bitcoins kept going up. By June, the missing coins were worth $800,000. Unfortunately, a nondisclosure agreement with McCaleb meant he felt he couldn’t tell anyone about the massive hole in the accounts. (He didn’t even reveal it to Mt. Gox’s own accountant until shortly before the company went bankrupt in February 2014.)

On 18 and 19 June 2011, someone hacked into Mt. Gox. The attacker shuffled hundreds of thousands of bitcoins around – only inside the exchange, not on the public blockchain, though Mt. Gox was the main trading venue to such a degree that this momentarily drove the price of one BTC from $17 down to 1 cent. (The usual surmise is that the hacker wanted to get as many coins as possible out past Mt. Gox’s $1000/day withdrawal limit.) The price oscillated between $1 and $20 for the rest of the day; this severe volatility affected other exchanges.

Around 19:15 UTC on 17 June, someone posted a complete list of 61,016 Mt. Gox usernames, email addresses and password hashes to the Bitcoin forums. Many of the passwords were “unsalted” and so could be more easily cracked. The attacker appeared to have come in through McCaleb’s administrative account, which was still active.

Karpelès went into a panic, taking much of the exchange’s Bitcoin store and putting it into offline cold wallets – keys printed on paper and stored in safety deposit boxes around Tokyo – where it couldn’t be hacked. Since the hacker’s trading was internal to Mt. Gox, Karpelès was able to roll back most of the transactions; eventual losses were a few thousand BTC, which the company could cover.

Roger Ver, who was also living in Japan by then, came over to help Mt. Gox (still a one-man operation at this stage) in dealing with the hack, and got to know Karpelès – Ver realised that Mt. Gox was critical at this time to Bitcoin’s continued growth.

In the aftermath of the hack, Karpelès’ paranoia overcame accounting considerations. He kept putting off reconciling the cold wallets with customer accounts, even as his accountant begged him to, as taking them out of cold storage would risk them being hackable. Thus, Mt. Gox was increasingly running on virtual paper money that it wasn’t keeping track of.

Mt. Gox continued in this manner through 2012 and 2013. Karpelès took on staff, but remained chronically unable to manage or delegate to them. Ver sometimes had to visit the Mt. Gox offices to make sure his own important transactions went through. The company was still by far the largest Bitcoin exchange, running on the increasing popularity of the Silk Road, as it struggled to keep up with demand – 75,000 new users joined in the first ten days of April 2013.

On 14 May 2013, the US government seized $2.9 million from Mt.  Gox, shutting down the main account it used to pay US customers, on the basis that Mt. Gox was transmitting money while having claimed not to be in the money transmission business. In June, the US seized another $2.1 million; Mt. Gox temporarily suspended US dollar transfers. In July, Roger Ver recorded his video assurance that all Mt. Gox’s problems were with the “traditional banking system.” The exchange partnered with CoinLab to serve its US customers, but this arrangement broke down soon after, Mt. Gox and CoinLab suing each other. By late 2013, customers were complaining of long delays in withdrawing US dollars, just as the Bitcoin bubble was reaching its peak.

On 7 February 2014, Mt. Gox shut down all withdrawals, of bitcoins as well as dollars. According to a leaked “Crisis Strategy Document”, Mt. Gox was insolvent after losing track of 744,408 bitcoins – about $350 million at the time. Karpelès had also been topping up the active online hot wallet with coins moved from the paper cold wallets and had not properly kept track.

The bitcoin leak was attributed by Karpelès to what became known as the transaction malleability bug. Bitcoin transaction IDs are not fixed – you can sometimes intercept an unprocessed transaction, modify the transaction ID (though not the amounts or the sender or receiver addresses) and send it on, meaning it’s added to the blockchain with a different transaction ID to the one it was sent with. This can lead to someone thinking a transaction they knew they

sent didn’t go through when it did, and sending the amount again. Once this came out, other exchanges were also attacked in this manner. This news alone crashed the bitcoin price from $700 to $600. (Researchers later ascertained from examining the blockchain that there was no way all of Mt. Gox’s claimed 750,000 BTC loss could have been due to transaction malleability attacks.)

Mt. Gox had leaked bitcoins before this. In October 2011, 2,609 BTC had been lost to a programming error that sent bitcoins to a nonexistent address. The exchange had been technically insolvent since about 2012, knowingly or unknowingly. It remains entirely unclear how much in total was hacked and how much was just lost.

On 24 February, Mt. Gox finally closed down. $400 million in customer dollars and bitcoins had gone up in smoke.

Karpelès is still dealing with the Japanese authorities, including being arrested for embezzlement in August 2015 and held in custody for several months, with his trial starting in July 2017 (though he maintains his innocence). McCaleb went on to develop the cryptocurrencies Ripple and Stellar; his LinkedIn page107 details his career back to eDonkey, but chooses to omit Mt. Gox.

Related Articles