Wednesday, February 26th, 2014

The Great Crypto Stagecoach Robbery

Anyone holding Bitcoins—or pretty much any cryptocurrency, really—has taken a substantial hit in the last few months, with the exchange rate of dollars to Bitcoins dropping from a high of around $1200 last November to around $550 today. But it's possible that those whose Bitcoins were parked at the long-troubled Mt. Gox exchange have suffered a near-wipeout, or even a total one, in what may have been the catastrophic theft of some 744,000 Bitcoin from that exchange.

Mt. Gox was the first big Bitcoin exchange; as such it attracted the most attention, the most traffic, and the most trouble. It was hacked repeatedly because, at one time, it was simply where all the Bitcoins were. Most knowledgeable Bitcoin enthusiasts took off for more modern, more reliable exchanges long ago.

Details began to emerge Monday night in a leaked document ("Crisis Strategy Draft") of at least partial authenticity obtained by blogger Two-Bit Idiot. The document explained that Mt. Gox had been subject to years of uncaught theft. (A Hacker News post later claimed to have restored the redacted slide from the leaked document that detailed the full Mt. Gox financials.)

Mt. Gox CEO Mark Karpeles, who is apparently holed up at home in Tokyo with his cat, has since verified in an IRC chat that the document is "more or less" legitimate, though it was not prepared internally by his embattled firm. He says that he is still trying to save the company: "'Giving up' is not part of how I usually do things."

You could look at the Mt. Gox disaster this way: imagine that ordinary consumer banks had only just been invented five years ago, and they'd since exploded in popularity. All of a sudden, Bank of America's internal systems are alleged to have been broken all along and every penny that was held there is gone. The money in all the other banks is okay, seemingly—but now, the whole banking system looks very rocky and untrustworthy. How to trust any bank, if one of the biggest lost everything?

That's basically what has happened to Bitcoin over the last few weeks, since it became clear that Mt. Gox was having trouble processing transactions last November. Delays grew from weeks into months, until withdrawals were suspended in early February (temporarily, it was alleged, until a "bug" was worked out).

Warnings against using Mt. Gox have been numerous and passionate for years, though the exchange managed to patch things up enough to keep going after each successive trainwreck.

The wheels fell off the trolley completely on Monday night, with the Mt. Gox site taken offline and all trading summarily halted. A joint statement signed by the heads of the principal remaining Bitcoin exchanges appeared at roughly the same time, bemoaning Mt. Gox's "tragic violation of the trust of users." Given that Bitcoin was explicitly designed to eliminate the need for "trust"—and obviously, the exchanges are one thing, and the underlying system another—I mean I hate to laugh, but still. Interestingly, the first version of the joint statement referred to "Insolvency of MtGox," but moments later the title was altered to remove the word "Insolvency."

Perhaps this is an indication that attempts are still being made to restore at least some part of their losses to Mt. Gox account holders. The joint statement is less interesting for what it contains, however, than for what it so glaringly leaves out.

A lot of venture money has found its way into Bitcoin in the last eighteen months or so; there are millions upon millions riding on its future. As Mt. Gox's troubles mounted, many observers assumed that the Bitcoin chieftains from the competing exchanges and the core devs of the Bitcoin Foundation would rally round Mt. Gox and Karpeles, and do whatever was necessary to ensure the solvency and trustworthiness of the currency as a whole. The Mt. Gox "Crisis Strategy Draft" linked above hints at such an outcome. Unfortunately, it also hints at the possibility of what would in ordinary banking circles be considered fraud and collusion to conceal wrongdoing. This would be an ironic turn of events in the case of Bitcoin, which, again, was expressly designed to promote openness and transparency and to minimize the possibility of financial shenanigans.

Though most media reports and much of the Bitcoin community have been in a huge hurry to lay blame at the feet of Karpeles and Mt. Gox exclusively and at once, the story seems likely to develop in as yet unseen directions. Karpeles is hardly the only player capable of mischief in this game. Should Mt. Gox recover even somewhat, there are many who will have benefited enormously in these wild weeks of arbitrage. Indeed, those possessed of pluck (and/or recklessness) and ready Bitcoin can arrange to buy Mt. Gox Bitcoins for around $65 each (at time of writing) on the exchange at

There has been a temptation to mock the libertarians who make up a lot of Bitcoin's most passionate following, and to blame the unregulated joys of the free market for Bitcoin's current problems. But just take a look at the stock market, the startup world, the bankruptcy courts, the markets for distressed debt, the art market, the real estate market, and any number of other markets (sure, basically all of them) where hopeful neophytes ripe for the plucking and clever participants eager to benefit from insider knowledge, plus quite a lot of plain cheats, are not hard to find. The most surprising thing about the Mt. Gox episode so far might be the resilience of Bitcoin prices, which might have been expected to take a much larger tumble in the face of the disaster.

In any case, things are heating up fast for Mark Karpeles, who is presumably about to collide with a giant swarm of lawyers. Reuters reports that Japanese banking authorities are taking an interest in the affair; the Wall Street Journal reported late Tuesday that Mt. Gox has received a federal subpoena, as well.

It's not as if Mt. Gox were the only big problem facing Bitcoin in recent months, either. January saw the arrest of Charlie Shrem, the CEO of BitInstant, for selling people Bitcoins which they then allegedly used to buy drugs on the notorious Silk Road website (by that reckoning, they might as well arrest the CEO of every bank that ever held an account for a drug dealer but whatever, not good news). Warnings from the Russian central bank last month indicated that Bitcoin users could be arrested à la Shrem on money-laundering charges, simply for holding Bitcoin. Also the Chinese, fearing capital flight, clamped down on third-party platforms for moving yuan onto Bitcoin exchanges in December.

There has been no word from or from the Bitcoin Foundation as to next steps, so far. Yesterday I contacted Gavin Andresen, the level-headed Chief Scientist of the Bitcoin Foundation, for comment. "I don't have any coherent thoughts," he responded, most uncharacteristically. "I've been very busy working on getting a 0.9 release of the reference implementation out."

744,000 Bitcoins comes to around $400 million, and would rank as one of the biggest robberies in history (if you don't like to count business and government robberies). It's about 6% of the total coins mined so far (an estimate that does not account for the doubtless substantial number that have been lost since mining began in 2009, or the even larger number thought to have been retained by Satoshi Nakamoto, Bitcoin's founder(s)). Ideally, if they can't eventually be returned to their rightful owners, the coins stolen from Mt. Gox will be identified and blacklisted on the blockchain so that they can never be spent. Only a concerted and responsible effort to address the theft, if there is one, will persuade people that Bitcoin still has potential as a real medium of exchange.

So how did the thieves, if there were thieves, get away with a heist of that size? At the moment it appears that they may have been able to exploit Mt. Gox's weak security and customer service practices—in particular, its reliance on a certain transaction ID (TXID) for internal verification; this weakness has been called "transaction malleability" in news reports. When the TXID was manipulated, it might have been possible for thieves to sneak Bitcoins out of Mt. Gox undetected—but it's important to note that the blockchain (the underlying ledger that guarantees all Bitcoin transactions) is unaffected by that flaw, since TXID is generated not to guarantee or record the underlying Bitcoin transaction, but simply as a marker for support services. It appears that Mt. Gox's custom wallet software may have made use of that housekeeping number to identify transactions in its own wallet system. That's why Mt. Gox alone appears to have been hacked—if, indeed, that is the explanation for the alleged losses. (David Z. Morris has a good, simple explanation of transaction malleability at CNN Money.)
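The bookkeeping failure described above, as an added example that is not part of the original article: a toy model in which a withdrawal ledger keyed on TXID reports a confirmed payment as missing, while a ledger keyed on the coins spent and the outputs paid does not. The serialization is simplified, the signature bytes are placeholders, and the names `payment_key` and `reconcile` are hypothetical.

```python
import hashlib
from typing import NamedTuple

class TxIn(NamedTuple):
    prev_txid: str      # transaction whose output is being spent
    prev_index: int     # which output of that transaction
    script_sig: bytes   # signature script: hashed into the txid, not itself signed

class Tx(NamedTuple):
    inputs: tuple       # TxIn entries
    outputs: tuple      # (address, satoshis) pairs

def serialize(tx: Tx) -> bytes:
    # Simplified stand-in for Bitcoin's wire format (assumption of this example).
    parts = [f"in:{i.prev_txid}:{i.prev_index}:{i.script_sig.hex()}" for i in tx.inputs]
    parts += [f"out:{addr}:{amount}" for addr, amount in tx.outputs]
    return "|".join(parts).encode()

def txid(tx: Tx) -> str:
    # A txid is a double SHA-256 over the serialized transaction, script_sig included.
    return hashlib.sha256(hashlib.sha256(serialize(tx)).digest()).hexdigest()

def payment_key(tx: Tx) -> str:
    # Identity that ignores script_sig: which coins are spent and who is paid.
    spent = sorted((i.prev_txid, i.prev_index) for i in tx.inputs)
    return hashlib.sha256(repr((spent, sorted(tx.outputs))).encode()).hexdigest()

def reconcile(pending: dict, confirmed: list, key) -> list:
    """Return the withdrawal ids in `pending` that match no confirmed transaction."""
    seen = {key(tx) for tx in confirmed}
    return [wid for wid, tx in pending.items() if key(tx) not in seen]

# Constructed sample: a withdrawal as the exchange broadcast it, and the same
# payment as confirmed with a differently encoded signature script.
# The script_sig values are placeholder bytes, not real signatures.
SENT = Tx((TxIn("aa" * 32, 0, b"sig-encoding-A"),), (("customer-address", 50_000_000),))
MINED = Tx((TxIn("aa" * 32, 0, b"sig-encoding-B"),), SENT.outputs)

def demo():
    pending = {"withdrawal-1": SENT}
    by_txid = reconcile(pending, [MINED], txid)            # payment looks unpaid
    by_payment = reconcile(pending, [MINED], payment_key)  # payment is matched
    return by_txid, by_payment

if __name__ == "__main__":
    print(demo())
```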

But if all this is as it has been suggested in the press and on Reddit and various blogs, it would mean that Mt. Gox had no internal auditing controls at all to verify its own transactions. As in, none. I still find that a little bit difficult to believe, despite the claims of those who insist that Mt. Gox's coins are lost forever.

Chief among these is Erik Voorhees, well-known Bitcoin honcho (of Coinapult, BitInstant and SatoshiDice) and would-be orator, who went into full-blown Libertario-Biblical mode on this point in a lavishly festooned Reddit post he wrote on Monday night. Apparently Voorhees lost some 550 BTC at Mt. Gox himself (a smallish portion of his total Bitcoin holdings, it would be fair to assume; he says he was foolish to keep Bitcoin at Mt. Gox, and disregarded his own good sense in favor of "convenience.")

And finally, the lesson is not that we ought to seek out "regulation" to save us from the evils and incompetence of man. For the regulators are men too, and wield the very same evil and incompetence, only enshrined in an authority from which it can wreck [sic] amplified and far more insidious destruction. Let us not retreat from our rising platform only to cower back underneath the deranged machinations of Leviathan.


We are at risk from accidents. We are at risk from fraud, from corruption, and from evil. We are at risk from journalists seeking headlines and from politicians seeking power and glory. We are at risk from the very market we are trying to build—a market which cares not about our portfolio, our ambitions, or our delicate sympathies.

So purple it is about the shade of an eggplant. But about that last part, he ain't wrong.

Maria Bustillos is a journalist and critic in Los Angeles.

11 Comments

rjones (#24,094)

I'd suggest that the resiliency of Bitcoin prices is at least somewhat dependent on the fact that it is almost impossible to actually convert Bitcoins into standard currency in any large scale way.

Also Mt Gox was originally an acronym for Magic the Gathering Online Exchange, so when you consider what that site started out as perhaps current developments aren't all that surprising.

barnhouse (#1,326)

@rjones er, that is not true about shifting bitcoins into fiat. You have to jump through a few hoops to set up accounts but you can very easily move millions at a time if you have established connections at the big exchanges. Hence the appeal of Bitcoin as flight capital in China.

As for the original name of Mt. Gox, founder Jed McCaleb sold to Karpeles in 2011, and it's not clear that anything but bitcoin was ever traded there (the Wayback Machine's records indicate very little activity before that year.) There's been talk that McCaleb is working on a new bitcoin-related project right now.

barnhouse (#1,326)

@johnsmane This guy is Canadian, and they have fewer options. But also he does not seem like the sharpest tool in the shed. Why did he not just go to Cavirtex? Did he not want to wait a week or whatever? (News flash, you have to wait for dollar funds to clear to open an ordinary bank account, too!) In any case, it is beyond easy to trade bitcoin in the U.S. and SEPA countries. (With a little patience!)

johnsmane (#261,664)

@barnhouse Cavirtex is discussed here

BadUncle (#153)

I can't understand currency without a Neal Stephenson epic.

You Know What? (#258,220)

Hi, sorry, old guy here, what's a "core devs"? You explain TXID and blockchain (somewhat) but core devs?
In the big picture it seems every currency (any "value" assigned to anything really) is merely a belief system.
I still enjoy trading slips of green paper to others for goods and services however and will continue to do so at least until President Nugent takes the oath of office. Then all bets are off.

barnhouse (#1,326)

@You Know What? Oo! Sorry about that. A 'core developer' is a programmer with the authority to commit permanent changes to a software project. (The Bitcoin Foundation modeled its organizational structure on that of the Linux Foundation, another not for profit org dedicated to the smooth operation of an open source software project.)

riotnrrd (#840)

'And finally, the lesson is not that we ought to seek out "regulation" to save us from the evils and incompetence of man.'

This is hilarious.

I will reiterate: Money is Fiction. It is given the value we believe in, no matter if you call it "fiat currency" or "flat slabs of gold". Just because it has no physical presence, does not invalidate it. On the other hand, you can indeed valuate it any old way you like. In Brazil, for example, they were suffering from spiraling uber-inflation, got themselves a bunch of economists together and said, "how do we stop this?" The answer was the RUV, the Real Unit of Value. Basically, a gallon of milk was one Real, and the minimum anyone needed to live on was assumed to be 1000 Reals a month. All other prices were attached to these figures, and pretty much everyone in the country decided to use Reals instead of Cruzeiros.

Cruzeiros were a shared delusion, now the Real is the shared delusion. Everyone just… decided to use a different money, so money isn't real.

barnhouse (#1,326)

@Sten Ryason@facebook Too right. Also, Brazilian currency history = utterly fascinating. I heard the inventors of the Plano Real interviewed years ago on the radio (a couple of academics!) and nearly lost my mind from excitement. So neat! You pop into the store and there are two prices displayed at once: Fantasy One, cruzeiros, and Fantasy Two, reais. It's not entirely impossible that we could see the same thing happen with cryptocurrency.
