Mt. Gox Bitcoin Heist: Takeaways from a $3.3B Crypto Exchange Breach
Mt. Gox Bitcoin Heist: Takeaways from a $3.3B Crypto Exchange Breach

Understanding how cryptocurrency exchanges evolved into hacker fantasy islands is all in the name. MTGOX, a company remembered for the largest crypto breach in history, is an acronym for Magic The Gathering Online Exchange (MTGOX). The absurd rise and fall of MTGOX is critical to understanding the fraught state of cryptocurrency exchanges — and the high risks of investing in cryptocurrency. From cryptocurrency security systems architecture to the major players in the game, the crypto world is not for the faint of heart.

Mt. Gox Bitcoin Heist: Takeaways from a $3.3B Crypto Exchange Breach

In 2018, four exchanges (NiceHash, Coincheck, BitGrail, Coinrail, and Bithump) lost over 765 million dollars in 2018 alone. The $534,000,000 dollars stolen from Coincheck, one of Japan’s largest crypto exchanges, dwarfs the largest bank heists in history. Eye-popping as the Coincheck theft was, it’s nothing compared to the estimated 3.3 billion dollar loss MTGOX and its investors suffered. As a result, MTGOX was forced to file for bankruptcy and liquidation. In 2019, the victims of MTGOX and the company still struggle to recover.

What happened to MTGOX in 2014?

Let’s preface the story with this: cryptocurrencies (blockchains) can be fairly secure in themselves, but there is a weak link in the exchange infrastructure that transactions move through. This story underscores how those undermining weaknesses evolved and persist.

***

Collapse can come down silently. On February 23rd of 2014, the MTGOX Twitter feed went unceremoniously dead. The same day, the CEO, Mark Karpelės, resigned without explanation. When the MTGOX company website suddenly went dark on February 24th of 2014, the cryptocurrency world was turned upside down and the company that caused the ruckus was silent. Customers were left with nowhere to turn.

The events had transpired quickly in the public eye. In February of 2014, over 70% of the world’s total bitcoin trading was coursing through MTGOX. Its stability defined the cryptocurrency market. For weeks, worried investors had struggled to get answers from the Tokyo-based exchange. People complained about long delays followed by excuses when trying to cash in altcoins. Press inquiries and executive interviews were chock full of “no comment”. Next came a full suspension of withdrawals without comment as to when the exchange would come back into service.. People were taking to desperate measures. One customer flew from his home in the UK to wait in the snow outside MTGOX’s Tokyo headquarters for an answer to a simple question. “Where is my money?”

(Want to know the details of the criminal coinflow? Check out this 2017 WizSec article.)

When the silence finally broke, it was to a cold comfort. Investors were stunned by the announcement that 850,000 bitcoins (BTC) had gone missing. And the hapless company had no idea how to handle it. In fact, no one did. The fiasco was not contained to Tokyo; it was a multinational problem. The estimated value of the missing coins at the time was over $450M USD. According to professional estimates by Wallarm Labs, the value in today’s market exceeds $3 billion dollars. (Our hearts go out to the victims who lost their share of that.)

Ultimately, Mark Karpelės was arrested by the Japanese police. He had not tried to run.

So, what happened in the MTGOX hack?

The public shock gave way to an even more shocking truth. The loss of 850,000 BTC was not sudden. It wasn’t a Mission Impossible type of heist that caused the 2014 collapse of MTGOX. It was more than a hacking event. It was a hacking operation that spanned years, beginning in the infancy of MTGOX, in 2011.

Hackers were continually diverting altcoins by accessing hot wallets with stolen private keys. The money taken from hacked accounts was transferred to other wallets, where the coins could then be moved to other platforms.

For years MTGOX had faced both technical and regulatory challenges. They were annoyances, but had no direct effect on the confidence of the investors. Arguably, these sorts of obstacles were a regular and come-to-be-expected reason for the complaints. No one suspected hacking and money laundering.

CEO Mark Karpelės was arrested in 2015 for fraud and embezzlement charges unrelated to the attack. He was convicted of falsifying data to inflate holdings value. It’s unclear if Karpelės acted with malice. The harm, however, was clear to his victims. Five years later, lawsuits continue.

Mt. Gox Bitcoin Heist: Takeaways from a $3.3B Crypto Exchange Breach

From Magic the Gathering to the Russian Mafia, the story unfolded into more unimaginable criminal turns. Insiders were part of the criminal enterprise. At the very top of the criminal ladder wasn’t Karpelės. BTC-e exchange owner Alexander Vinnik was discovered to be the “COO” of the hacking-and-laundering enterprise. Investigators found connections between Vinnik and underworld characters from the Russian Mafia and parliament alike. Karpelės appeared to be totally unaware of Vinnik’s scheme. While Karpelės spent 10 months in Japanese prison, Vinnik absconded to Greece, avoiding capture until 2017. Following an anonymous tip, Vinnik was finally arrested. He was connected to over $4,000,000,000 USD of laundered BTC from MTGOX and other locations. He awaits extradition on US Justice Department warrant. But, this should-be-mustachioed villain is still caught up in dubious affairs. The Russian authorities have been vying for extradition to Russia, arguing that Vinnik will be treated unfairly elsewhere.

The MTGOX hack may as well have been written in a black hat hacker comic book.

[Here’s a fun video from Fortune Magazine.]

Lasting Consequences of Crypto-crime

The MTGOX hack was an attack that would have sweeping consequences. Bitcoin value dropped 36% globally during the two months surrounding the collapse of MTGOX. “The Tokyo-based platform’s closure cast a long shadow over the market, triggering a more than two-year slump in cryptocurrency prices and undermining faith in the exchanges that serve as gatekeepers in an industry that often operates with little to no regulation.” Forbes’ Cybersecurity. It makes sense. Cryptocurrency isn’t a loss of value the way Beanie Babies are.

Karpelės was heavily punished for foolheartedly endeavoring to run the largest bitcoin exchange in the world without security considerations. Karpelės was incarcerated for 11 months. He claimed he endured over 50 days of intense interrogation.

Outside criminal liability, civil court may mean lifelong consequences for Karpelės. In 2017, Karpelės discovered 200,000 BTC in a hardware wallet he had mysteriously forgotten about. He says he doesn’t want it, which makes sense when you consider the looming lawsuits.

As of March 2019, an Illinois court blocked an attempt by Karpelės to dismiss a US lawsuit against him. Don’t cry too much for him, though. According to a Reddit post wherein Karpelės apologized for his bumbling, he stands to get 160,000 bitcoin should MTGOX bankruptcy go forward.

In his words:

The value of the recovered 160,0000 BTC is almost $633M USD per March 2019 estimates. That’s a lot of money to wipe Karpelės’ tears with.

Four years after filing for bankruptcy (2018), the defunct MTGOX remains tied up in ongoing legal proceedings in an effort to repay lost funds to customers and creditors. Legally, the initial filing for bankruptcy was suspended. Hope remains alive that civil rehabilitation of the company might turn its insolvency into some sort of recovered funds.

Karpelės is fighting for civil rehabilitation of MTGOX, arguing it’s the only way to get money back to people. That money includes the millions he stands to gain if bankruptcy goes forward.

Takeaways from MTGOX: Cryptocurrency Exchange Security RisksThe MTGOX fiasco highlights three things:
  1. The aimless evolution that is heir to an obvious lack of security of cryptocurrency exchanges
  2. A perilous lack of regulationsoverseeing an international market holding billions in virtual currency
  3. The bountiful opportunity for hackers, who understandably love the previous two facts

While scandalous incidents like MTGOX feature criminal cyberattacks as the cherry on the bad-business sundae, it also reveals how problematic crypto exchange security can be. Years of poor management, regulatory problems, and other security challenges preceded the hack of MTGOX. But the effect of these huge security breaches is a lowering of consumer trust in cryptocurrency, which may be well deserved. It also threatens companies who aren’t thinking towards redesigning security protocols and regulations with cryptocurrency security as the cornerstone of its architecture.

Mt. Gox Bitcoin Heist: Takeaways from a $3.3B Crypto Exchange Breach

The enormity of the cryptocurrency security problems is so obvious that cybercrime goes under-reported to consumers. And, it may also be a great cover for failures in asset management and company insolvency. That is the suspicion cast on Italy’s BitGrail after the company’s founder, Francesco Firano, blamed hackers for a $195M loss of cryptocurrency. How can an alleged hack not be 100% provable? Simple: transaction dates aren’t recorded to BitGrail’s blockchain. And there is no one telling them — or anyone else — they have to be.

“Many international exchanges are essentially unregulated, and even U.S.-based cryptocurrency exchanges are not protected by any sort of consumer insurance along the lines of FDIC coverage for bank deposits.” Fortune

The MTGOX scandal ended nefariously, but started innocently. The Magic card exchange unwittingly evolved into the world’s largest BTC exchange. What we learn from MTGOX is that cryptocurrency exchanges have evolved unplanned. Security was a second thought instead of a central part of the architecture. The problems of this legacy are unresolved. There is a systemic risk-prone design flaw in the exchange architecture. (Read more about that in Why Are Crypto Exchanges Hacked So Often?)

What Can You Do?

Years may have breezed by since the 2014 hack of cryptocurrency exchange giant MTGOX, but the crypto world still bears the scars. It’s like a gash across the face of every crypto boom and bust. The lessons learned should remain just as visible.

Mt. Gox Bitcoin Heist: Takeaways from a $3.3B Crypto Exchange Breach

First, read expert security advice on what you should consider before investing in virtual currency. But really, the problem is bigger than our personal wallets can cover. This is a problem of systemic shortcomings.

Cryptocurrency architecture needs to be redesigned with security in mind. The best advice in the meantime may be to leave assets in a local wallet. Do your due diligence on exchanges. Are they local? What security measures are they taking? Even if hot and cold wallets can be secured, the layers surrounding virtual currency, the transport of data and funds, and the laws that regulate exchanges are perilously lacking.

Even when exchanges are hacked, the customer and larger public may never know:

“Some exchanges never announced [successful] hacks because attackers only stole GAS, not coins themselves and users never knew about these incidents.” [Forbes]

Yes, there is hope for the future of virtual currency. It may well be the future of the entire monetary system. However, it will take new security-centered thinking, regulation, and powerful AI that will protect cryptocurrency consumers and businesses alike.

The Takeaway: Cryptocurrency Systemic Risk

Bigger than a few blackhat hackers and exploitative businessmen with Russian Mafia connections, the problem with cryptocurrency goes back to its roots in Magic the Gathering. We aren’t trying to pick on virtual playing cards. However, billions of dollars isn’t play money.

The architecture and regulations of cryptocurrency exchanges have not been constructed with the same security-first mindset that other currency markets have. Wells Fargo got to begin with hard, cold bars of gold and build out a security supply chain that grew around new security risks to new forms of currency. It grew from shotgun mercenaries to complex regulations and banking relationships with an international network of governance. Cryptocurrency has erupted, gigantic and whole, into the world with little cryptocurrency security. The cryptocurrency market was born around virtual currencies on trading platforms that were ill-equipped for the high volume of real money at risk. They suffered being born without notice, without the oversight of governing bodies. Like a street urchin, its resilience is noble, but its place in the world remains contentious.

Mt. Gox Bitcoin Heist: Takeaways from a $3.3B Crypto Exchange Breach

What we need to takeaway is higher demands and the deep work of securing distributed exchanges at all layers and in all locations. We need technological innovation, international coordination, and (despite crypto’s iconoclastic dreams) governance. Creating the technological, cultural, and legal infrastructure to support transformative monetary innovations will create real evolution instead of market mires.

New GigaOm Report:
Path to DevOps Success

Strategy and technical consideration
for successful enterprise DevOps.

I want the guide