They built it up on a house of cards. Perhaps it was fitting that it came crashing down like one.
Mt Gox was once the largest exchange for trading Bitcoin – before a ‘hack’ made away with most of its reserves. Overnight, the poster boy of crypto became its most hated pariah, a crypto experiment gone horribly wrong.
Join us as we take a trip into its muddied history to understand what went wrong and how things stand currently.
Magic: The Gathering Online Exchange
Yes, you read that right. Mt Gox does not stand for a famous mountain, but a collectible card game.
Magic: The Gathering is the classic game of magic and fantastical monsters that ended up spawning a whole genre. Rare, powerful cards are prized by serious players, and command good prices in the market.
So one guy had an idea. Why not make an online exchange for trading Magic The Gathering cards?
The exchange went live in late 2007, running for about two years. The response was far from incredible, and McCaleb moved on to other projects, reusing the domain for advertising his card game.
Then he discovered Bitcoin. He realized that there was a sore need for an online exchange for trading Bitcoin, and decided to pivot site for this purpose.
Thus on July 18, 2010, Mt Gox started quoting prices of Bitcoin. Its popularity boomed, and soon McCaleb found himself receiving wires of tens of thousands of dollars. He did not have the time to devote to scaling up the service and looked to sell it to someone who could. He found an enthusiastic buyer in Mark Karpelés, a French coder and Bitcoin lover.
And Mt Gox began its operations in earnest.
The Golden Years
Karpelés took the exchange to his adopted home, Japan, officially incorporating it as a company in Tokyo. Only 12% of the resulting shares went to McCaleb; the whopping 88% was in Karpelés’ name.
In the beginning, no one begrudged him his control. Karpelés worked hard to expand the exchange’s operations, taking Mt Gox from an obscure website to the de-facto platform for dealing with Bitcoins. True to his pedigree as a coder, he began by re-writing most of the backend code, making the online exchange more secure and responsive.
One of the things that set Mt Gox apart from its peers was the instant withdrawals. Users could withdraw their funds in Bitcoin, USD or even Japanese Yen at any time. This bolstered the confidence of investors and reaffirmed the exchange’s legitimacy.
Options for trading Bitcoin were few and far in-between at that time, and the transactions on the Mt Gox exchange skyrocketed. It was unarguably the most functional and trustworthy exchange out there and attracted all kinds of Bitcoin investors from around the world.
But good times rarely last.
The Rot Within MT Gox
Even when Mt Gox was processing 70% of all Bitcoin transactions, things on the inside were far from rosy. And it all fell down to one man – Mark Karpelés.
The problem was, Karpelés was never made to be a CEO. He liked the idea sure, but the day-to-day reality bored him. Managing a sizable company needs a wildly different skill set from that of a programmer, and a whole new way of looking at things.
Karpelés lacked that vision.
He treated everything as a technical problem, solvable by throwing enough software and hardware at it (not that he was particularly good at the technical problems either).
“The source code was a complete mess,” revealed one insider recently. Speaking at the condition of anonymity, the developer said that the code behind Mt Gox was a hacky mess. Apparently, no kinds of controls were used at the company, meaning that bugs and errors could be easily introduced by new work. Moreover, the sole authority for approving changes was Karpelés himself, meaning critical security fixes could be put on hold for weeks at a time until he had a spare moment to look at the code himself.
Mark Karpelés was a busy man and it seems that he had a nagging attention problem. Perhaps he was unable to handle the pressures of a management role. Or perhaps he was just unwilling to do so.
Mr Karpelés was also well known for squandering his time – and the company’s money – on useless vanity projects. Take the ‘Bitcoin Cafe’ for example.
About the fall of 2013, the CEO of Mt Gox got an incredible brainwave. How about using company money to start a cafe that accepts Bitcoin in the Mt Gox premises itself? That would be cool, right? In just a few minutes of walking from Tokyo’s largest railway station, you could walk into this very modern building and order some beer with Bitcoin! How incredible!
Except for the simple fact that Karpelés was supposed to be running a Bitcoin exchange, not setting up hip cafes.
But in a company almost wholly owned by the stoic CEO, there was no one to tell him that. So Karpelés spent his time specifying the renovations for the Mt Gox offices and the upcoming cafe, and proudly showing off his hacked up cash register that would accept Bitcoin for payments.
Then there were the times that he would drop the business of the day to order flat screen televisions or $400 lunches for the staff of the expanded Tokyo headquarters. Or brag about his Mensa membership and his above average IQ.
Truly inspiring work for the leader of world’s leading Bitcoin exchange, indeed.
It shouldn’t come as a surprise then, to note how the house of cards finally started falling apart. And the sad part? It really did take only a puff of wind to blow it to pieces.
The Long Road Down
Alright, the road wasn’t that long for Mt Gox. The scores of issues leading to its ultimate downfall took place within the span of a year. The duration between 2013 and early 2014, to be precise, culminating with the infamous ‘hack’.
But that was not the first time Mt Gox’s security suffered a serious breach.
The 2011 MT Gox hack
In June 2011, the Bitcoin exchange was hacked. The company was forced to take the site offline. Owing to the then small size of the workforce, many employees reached out to their friends for help. Bitcoin enthusiasts came to their aid from across the world, flying to Tokyo to assist the mascot of the Bitcoin revolution.
One such good Samaritan was Jesse Powell.
Powell flew down from San Francisco, rushing to the Shibuya station to be met by Roger Ver, one the world’s biggest supporters of Bitcoin. The two dashed to the Mt Gox office at once, coming to the rescue of the beleaguered company. Along with the employees of the exchange and a handful of other Bitcoin supporters, they worked through the week to get the site back online.
Mark Karpelés though, was strangely nonchalant about the crisis. When Powell and Ver turned up at the then cramped office on Saturday, they were surprised to find that the CEO had taken the weekend off. However, the demoralized volunteers continued to work, expecting the leader to get serious on Monday.
But upon returning to work, Karpelés spent much of the day in stuffing envelopes, ignoring the pressing issue of the site being offline.
It was this laxity and lack of concern that paved the way for the grand hack.
Seeds Of The Downfall of MT Gox
Unlike the popular perception, the bitcoins weren’t stolen in one fell swoop. The hack was subtle and sneaky, gradually draining away the exchange’s coffers.
In the aftermath of the 2011 hack, the company undertook a number of measures to safeguard their Bitcoin reserves. One such feature was a move the majority of the coins to ‘cold’ storage (ie. offline) and only holding a small amount of total reserves in more insecure ‘hot’ wallets (online).
Little did they know of the grave mistake they had made.
For as early as September 2011, a hacker had got their hands on the un-encrypted private keys to the Mt Gox hot wallet. By itself that would have meant little, as only a small fraction of its reserves were held online, but the hacker was devious. By taking advantage of the shared keypool of the compromised data file, the hacker was able to reuse addresses, masking the thefts as legitimate transactions.
The servers of Mt Gox interpreted the leak as genuine deposits to other accounts, and due to the way they were coded, proceeded to top-up the depleted hot wallet with steady infusions from the coins held in cold storage. Thus like a well with a hole in its bottom, Mt Gox slowly lost all its reserves in a continuous trickle, until nothing was left.
Hacks were not all that plagued the company. Shady business practices kept the exchange in headlines for a greater part of its career.
Mt Gox Problems
First there was the litigation with Coinlab. Apparently, Mt Gox had signed a contract with the company to let it take over its US based customers. But the deal never materialized. Coinlab took the exchange to court with a claim of over $75 million, which remains unresolved till date, and has now inflated to about $170 million.
Immediately after that, Mt Gox came under the scrutiny of the US Department of Homeland Security. A subsidiary of the exchange was operating in the US without the appropriate licenses, running afoul of regulations. The government ended up seizing around $5 million from the company’s bank accounts in the investigation. Furthermore, withdrawals in US dollars were affected for a while, with many users being unable to withdraw their funds. This, in turn, took Mt Gox down in the world rankings, losing its position as the number one crypto exchange.
Lies and Manipulations
All of this information was gained long after the company went bankrupt. At that time, no one, not even the employees of the exchange knew what was taking place.
Except for Mark Karpelés, of course.
It is unknown at which exact point did the ‘King of Bitcoin’ came to know about the hack. However, what is known is that Mr. Karpelés was aware of the situation way before the publicized announcement. After all, the key premise of a cryptocurrency like Bitcoin is the immutability of transactions. Anyone can take a peek into its public ledger, and determine the full history of transactions. And what do you think the analysis revealed?
The entire reserve of Mt Gox had been emptied by mid 2013.
That is eight months before the fact was made public knowledge.
But why did Karpelés keep sitting on this crucial piece of information? Why did Mt Gox continue to accept deposits from trusting investors, knowing full well of its impending collapse?
Just one word: Hubris.
You see, Mark Karpelés thought that the situation could still be salvaged. At first, he hid the information from everyone. He secretly retrieved all the paper wallets containing the exchange’s private keys, and spent his nights poring through them.
But it soon became clear that not one of the hundreds of pieces of paper held a code leading to a single Bitcoin – their entire reserves had vanished.
Willy Bot a.k.a ‘The Obligation Exchange’
Even at this point, Karpelés believed that he had the situation under his control. You see, for a while now, the enterprising CEO had been running what he liked to call an ‘obligation exchange’. Experts prefer the term ‘Willy bot’.
Basically, Karpelés was running an automated trading bot behind the scenes at Mt Gox for years. While it may seem like a small thing, it is not; a trading bot with administrator privileges could – and did – wreak havoc, gaming the whole system for the company’s benefit.
The Willy Bot was responsible in a great part for the Bitcoin bubble of 2013-14. Karpelés had designed the program to systematically buy batches of Bitcoin in short intervals. To hide its operations, the bot spread its operations across a variety of accounts.
It dipped into the company’s coffers to purchase a whopping 250,000 Bitcoin. This unprecedented buying spree pushed the prices to new highs, taking the crypto beyond the triple digit territory for the first time. This sparked a renewed interest in Bitcoin, and by extension, it elevated awareness of Mt Gox, which at that time was the premier Bitcoin exchange.
The Willy bot was long suspected by trading veterans on the platform. Its existence – and affiliation with the exchange itself – was all but confirmed on 7th January, 2014. On that day, the Gox trading API was suspended for a short window of close to 90 minutes. No one throughout the world was able to execute trades during the period – except for our very own Willy bot.
The program continued to buy increments of Bitcoin, faithfully sticking to its algorithm even through the downtime.
An Engineered Bubble
This incident proved Mt Gox’s guilt in the scheme, and gave investigators tell-tale clues to what was really going on. One of these investigators was WizSec, a private blockchain firm consisting of the one-man-army of Kim Nilsson.
Nilsson painstakingly traced the thousands of transactions to each and every account belonging to the bot, and combed through the database to calculate the impact. The results were staggering: about 30% to 50% of transactions on the exchange could be attributed to Karpelés’ trading bot.
So when Karpelés discovered his reserves were empty, he threw the Willy bot into overdrive. First, the bot drove up the prices to create a false mood of market optimism, bringing in a flurry of deposits to the depleted exchange. Once Mt Gox started folding up in earnest, Willy got to work liquidating its considerable assets, capitalizing on the artificially high prices to recoup some of its losses. This exacerbated an already bad situation, driving Bitcoin prices into the floor.
But it wasn’t enough.
After all, Mt Gox had lost 850,000 Bitcoins. Small moves like these only extended its operational lifeline of the exchange, buying it a few more months of breathing space. So Karpelés moved to plan B.
He discreetly reached out to important stakeholders of the cryptocurrency world, such as the Winklevoss twins, looking for a buyer for the beleaguered company. With a fresh infusion of funds, he believed, the exchange could recover from this crisis, with the new owner recovering his investment with the profits in the future.
Unfortunately, it didn’t work. No one wanted to take up that kind of liability and instead advised Karpelés to bite the bullet and file for bankruptcy.
The MT Gox Crash
On 7 February 2014, Mt Gox froze all Bitcoin withdrawals. Even now, they refused to give a real reason. The company claimed to have found some vulnerabilities in the Bitcoin protocol itself, stating that it was pausing withdrawals “to obtain a clear technical view”
Of course, customers weren’t happy. Many suspected that something was wrong and decided to do something about it. Kolin Burges showed this anger when he hopped on a flight from London to Tokyo, and took vigil outside the company headquarters, holding a plain placard reading, “MTGOX WHERE IS OUR MONEY?”
Other protesters soon joined him, and maintained pressure on the deceitful exchange for more than two weeks, until Mt Gox finally suspended all trading entirely. Soon, the website went offline, and the twitter account was scrubbed clean. Panicked investors speculated nervously on community forums, wondering what was happening.
Then on 28 February, Mt Gox filed for bankruptcy. Leaked documents revealed the severity of the issue; 744,408 bitcoins belonging to customers had been ‘lost’, along with 100,000 belonging to the company itself. And so Mt Gox was declared insolvent.
In the ensuing chaos, the defrauded depositors bayed for Karpelés’ blood, with most accusing him of stealing the Bitcoins himself. He started receiving hate mail, and even death threats, but with little to link him to the theft, he managed to evade arrest. Until the exposure of the Willy Bot scheme.
The use of an internal trading program to game the system got Karpelés arrested on charges of manipulating electronic data. Later, the criminal charges of embezzlement and breach of trust were added when it came to light that the bot had inflated its account balance to fraudulently acquire Bitcoins, and later sold them to generate cash.
But before he got arrested, Karpelés discovered something that would change the case forever, making the Mt Gox bankruptcy process one of the most bizarre in history.
Lost and Found
The date was March 7, 2014. The place was a palatial penthouse with a panoramic view of Tokyo. The characters were Mark Karpelés and his tabby cat (alright, only Mark Karpelés).
The beleaguered CEO had spent a week under a self-imposed house arrest, avoiding media and protesters that had swarmed the Mt Gox offices. In between poring through the deluge of hate mails that had flooded his inbox, he spent his days meticulously checking and double-checking the exchange’s old digital wallets, in the off-chance that some Bitcoins might be left.
After about a dozen wallets had come up empty, he was beginning to lose all hope, when suddenly he hit gold. His latest scan turned up 200,000 Bitcoins stashed in a forgotten archived file on the cloud. The coins had missed the 2011 transition to cold storage and had thus accidentally survived the purge that swept the rest of the exchange’s coffers clean. Karpelés was relieved; he believed this to a solution to his worries allowing creditors to be partly repaid. Alas, it was not to be.
What it actually sparked was a long and protracted legal battle that continues to date. The discovery of a hidden cache of Bitcoins only deepened the suspicions surrounding Karpelés, with many believing he was only coughing up a part of the theft to wiggle out of responsibility. Moreover, with the company facing multiple lawsuits from Coinlab, there were quite a lot of different parties demanding a slice of the compensation.
This meant that the case dragged out for four years, during which time the coins were frozen in the company’s bankruptcy estate. And in these four years, something happened that took the case from a little strange to outright bizarre: the price of Bitcoin shot up to astronomical heights, taking the value of the meager 200,000 coins to beyond anything the exchange ever owed. At the peak of the Bitcoin bubble, the assets could have brought in over $4 billion, paying the outstanding liabilities ten times over.
The Bankruptcy issue
But there was a cinch.
Under Japanese bankruptcy code, the value of creditors’ claims were capped at what they were worth back when the company went insolvent; ie. $483 per Bitcoin.
Needless to say, the already despondent creditors were devastated. But the punchline was still coming; the surplus of the sale would accrue to the shareholders of Mt Gox. Which, at a holding of 88%, primarily meant Mark Karpelés.
It would be funny, if it weren’t so tragic.
Move for Civil Rehabilitation
While most creditors lacked the resources to do anything about it, Richard Folsom wasn’t your everyday Bitcoin depositor. As an American who had worked for Bain & Co. in Tokyo before founding one of the first private equity shops in Japan, Folsom had both the knowhow and the financial chops to challenge the decision in court.
He roped in Nishimura & Asahi, the biggest law firm in Japan, to get the investors their due. Shin Fukuoka, the partner leading the effort, formulated a plan: What if Mt. Gox wasn’t technically bankrupt anymore?
And so the November of 2017 saw them filing a petition for the civil rehabilitation of Mt Gox in court, putting aside the current bankruptcy process.
Cracking the Case
While the world was busy arguing over the fate of the last remaining 200,000 coins, a lone crusader was navigating the treachours waters of the internet, hunting for the rest of the missing 650,000 coins. The crusader was Kim Nilsson, the software engineer and reputed bug hunter who had earlier prepared the famous Willy report, shedding light on the extent of the shenanigans pulled by Karpelés during Mt Gox’s final years.
Nilsson was not a blockchain developer, but he like solving puzzles and that was how he approached the problem. Along with other like-minded Mt Gox customers, he founded WizSec, a blockchain security firm dedicated to cracking the case.
But in time, the excitement of other members petered out, and one by one they all dropped out of the project. All but Nilsson himself.
Over the next four years, he continued to work on the case in secret, painstakingly tracing the path taken by the stolen coins. Then in early 2016, he hit the jackpot. His analysis revealed that the entirety of the stolen funds had been transferred to digital wallets belonging to the same person. In a rare stroke of luck, Nilsson even stumbled across an old post by the same user, using the handle WME.
Nilsson kept an eye on the account, and was eventually rewarded when one day the user posted a letter from his lawyer, revealing his real name to the world. The shrewd investigator sent off an e-mail to Gary Alford, a special agent with the IRS in New York, who has helped catch cyber criminals.
His persistent efforts culminated in the arrest of Alexander Vinnik, a Russian IT specialist. Prosecutors charged him with laundering 530,000 of the stolen Bitcoins through BTC-e, an exchange set up by him for the express purpose of doing away with the funds stolen from Mt Gox.
But there was no recovering the coins; the hackers had sold the coins right away, and the trail ended where the money turned into fiat. And you know what is the funny thing? Due to the then low prices of Bitcoin, the hackers made with only about $20 million (compared to their potential value of $10.6 billion at peak prices).
Talk about underwhelming.
The Light at the End of the Tunnel
The arrest of Vinnik brought some closure to the scandal that had haunted the Bitcoin world for nearly half a decade. There was still the question of the remaining Bitcoins, which had appreciated 5000% in the interim, far exceeding the exchange’s outstanding debts.
To settle all remaining debts and liabilities of the defunct exchange in a fair and transparent manner, the court appointed Nobuaki Kobayashi, a top restructuring lawyer of Japan as the Mt Gox trustee. Kobayashi took over the Mt Gox website, using it to post updates on the bankruptcy process and started collecting the details of depositors.
He was helped out in this venture by Jesse Powell, the one time benefactor of Mt Gox who had gone on to found a crypto exchange of his own, Kraken. Together, the Mt Gox website and the Kraken interface started accepting claims of depositors who had pending balances on the defunct exchange before its collapse.
The response, needless to say, was overwhelming. The trustee was flooded with claims from thousands of users, and he spent the better part of nearly two years reviewing them for legitimacy. This review process was finally completed by the summer of 2016, with over 24,750 claims being approved. Priced at the old rate of $483 per Bitcoin, the claims total to a little over $432 million, much to the disappointment of the investors who were hoping to benefit from the price rise of Bitcoin in the recent years.
The actual mechanism of releasing the funds, however, remained elusive for a long, long time. Many depositors, losing hope of ever seeing their funds returned to them, sold their claims at a loss to others, such as Thomas Braziel, managing partner of hedge fund B.E. Capital Management, who purchased $1 million in creditors’ claims at a discount.
Then on 22 June 2018, the impossible happened. The Shin Fukuoka led Nishimura & Asahi’s civil rehabilitation petition was accepted by the Tokyo District Court. The Japanese court halted Mt. Gox’s bankruptcy proceedings, paving the way for the distribution of the 170,000 each of Bitcoin and Bitcoin Cash being held in reserve. The remaining 30,000 coins had been liquidated by the Mt Gox trustee during the high prices of last year, and are being held separately in the bankruptcy estate of the exchange.
All in all, creditors are due to receive more than $1.2 billion for their lost coins. The amount, while much lower than what they might have got at the peak prices of last year, is still much greater than what the bankruptcy process would have entailed.
And the greatest supporter of this move, surprisingly enough, was Mark Karpelés. Still fighting a trial that he does not expect to escape conviction from (given Japan’s 99% conviction rate), Karpelés now wants nothing more to do with Bitcoin or Mt Gox. He knows that if he were to benefit from the windfall of the exchange’s bankruptcy, he would soon be inundated with a torrent of lawsuits.
By going down the path of civil rehabilitation, the exchange has also managed to sidestep the pesky lawsuit by Coinlab, which had been holding up the bankruptcy process. The trustee now aims to set aside a legal fund to amicably settle the issue without scuttling the way forward.
For a while, there was much confusion surrounding the developments. The Mt Gox trustee once again called for creditors to file claims; apparently, the entire review process would have to be repeated again to be considered under the new civil rehabilitation process.
This obviously caused much distress amongst creditors, many of whom no longer possessed the credentials of their Mt Gox accounts, having successfully completed the last review process all those years ago. The depositors were sent into a panic trying to re-register themselves on the barely functional Mt Gox site, or the Kraken exchange which was once again helping out with the claims process.
The last date for this filing passed on 22 October, leaving a significant number of depositors unable to lodge their rightful claim under the new system. While the air is still far from clear, it is possible that the earlier verified claims would still be honored.
So if you were not able to register your claim this time, do lose hope, you might still be compensated.
The Bitcoin Cash Conundrum
Last year’s fork of Bitcoin into Bitcoin Core and Bitcoin Cash also posed a new set of problems. While the new coins mean there is a greater pool of funds to distribute from, they also mean one more digital asset to allocate. Therefore, to keep the matter simple, the Mt Gox trustee has decided to allocate Bitcoin Cash in proportion to each creditor’s Bitcoin claim. This would save depositors from going through another review process for the forked cryptocurrencies, and yet ensure their rightful share in the proceeds.
Those who registered on Kraken get an additional benefit; when the payout takes place, Kraken account holders will likely get their funds directly on their accounts without much fuss. As to when that will happen, your guess is as good as mine. While the court appointed date of February 14, 2019 is not too far away, it is unlikely to be that soon, considering the mountain of new claims that need to be reviewed.
But however long it takes, one thing is certain; creditors are getting their Bitcoins back, half a decade after they lost all hope of regaining them.
Lessons To Learn From MT Gox
When all is said and done, cryptocurrency exchanges are inherently unsafe. Nothing can replace the security of a private key held by yourself. No matter how famous or reportedly secure an exchange is, it can always be compromised.
Before its fall, Mt Gox was the world’s leading Bitcoin exchange, like how Coinbase and Kraken are today. Its fall illustrates the perils of entrusting your crypto to centralized exchanges. Self custody wallets are the way to go, be it a fancy hardware wallet or the good old piece of paper.
TotalCrypto believes that you should only keep a bare minimum of coins on any exchange for trading purposes, and move the rest of them as soon as possible. Remember, transactions on the Blockchain are irreversible, so once your coins are gone, they are gone for good.