Launching a crypto exchange is a huge undertaking, akin to building and launching a ship that has to endure storms, waves, and pirate attacks. It takes months of planning to carefully design, build, and crew a ship so that it can survive the open sea. Alternatively, one might build a ship by oneself and set sail across the seven seas hoping for the best, which is what Mark Karpeles did with Mt. Gox, resulting in a catastrophic shipwreck unlike anything the world had seen. Mt. Gox was a Tokyo-based Bitcoin exchange that operated from 2010 to 2014 and in February 2012 handled 92.88% of global Bitcoin transactions. Due to poor security and management it suffered multiple hacks, the biggest in 2014, when approximately 850,000 BTC were lost, which scuttled the exchange. Only around 140,000 BTC are supposed to be repaid to the people who lost Bitcoin in the hack, and given the long legal process, the repayment keeps getting delayed.
What Does Mt. Gox Stand For?
Mt. Gox stands for hubris and a blind refusal to take a step back and rethink one’s strategy when faced with challenges. Instead of hiring experts or asking literally anyone what to do, Mark Karpeles decided to do everything himself until Mt. Gox sank. Strictly speaking, what does Mt. Gox stand for? Magic: The Gathering Online Exchange, because it was meant to be a website where users could trade Magic: The Gathering Online cards. The site was launched by Jed McCaleb in 2007, but he turned it into a Bitcoin exchange in 2010 and sold it to Mark Karpeles in 2011.
Mt. Gox Launch and Early Problems
A newly built ship goes through a solemn christening ceremony before its first voyage. The purpose of the ceremony, which varies across the world but most often includes smashing a bottle of champagne against the hull, is to show the world that the ship is seaworthy. There was nothing of the sort before Mt. Gox was launched under the auspices of Mark Karpeles, the mad captain who immediately put Mt. Gox through a gauntlet of waves that shook the exchange to its core. On May 1, 2011, Mt. Gox was hit by a DDoS, a series of waves of internet traffic that started out slowly and ramped up to 6,000 waves a second, making Mt. Gox unusable. The DDoS was initiated by the Russian owner of BTCEX, a now-defunct Bitcoin exchange and direct competitor to Mt. Gox, who was allegedly owed 100 BTC (then worth $1.6 each) by Mark. He, or someone posing as him, posted in broken English in a BitcoinTalk forum thread and accused Mt. Gox of manipulating the BTC price and cutting into his profits, hence the debt. He asked for Bitcoin donations using an invalid address, 1AvGzvwCxELCaJsxdzunhYTzTL6GVa2xvR, and invited “haxorz” to email BTCEX and join him in bringing Mt. Gox and the exchange rate down. It all sounded like a bad joke until Mark confirmed that it was real, adding that 60% of the DDoS connections came from Vietnam.

Owner of BTCEX tries to rally "haxorz" to bring down Mt. Gox
The purpose of the DDoS attack was not to disable the platform entirely but to make the BTC price drop. The attacker would turn off the DDoS, execute his trades, and then restart it so that the price dropped due to panic selling and because nobody else could trade in time. When the BTC price dropped low enough, he would disable the DDoS, buy BTC, and rinse and repeat for infinite riches.
The Rise of BTC Amidst Lawlessness
An urban legend says that there are no laws on the open sea. Called “Terra Nullius” (Nobody’s Land), international waters beckon wannabe criminals to test their luck at being a pirate. The truth is that the legend is completely true: any country may impose its laws in Nobody’s Land and punish any pirate it catches however it wants. The rule of the strongest applies on the open sea, and that is exactly what Mt. Gox experienced. The exchange was in Japan, which had no cryptocurrency laws at the time, giving Mark the freedom to do anything he wanted with Mt. Gox. Criminals could also do anything they wanted with it thanks to Mark’s shoddy security practices, setting the stage for the Mt. Gox Bitcoin shipwreck. Meanwhile, people rushed to trade BTC on Mt. Gox, where the price shot up to $5 by May 10 and kept doing Barts and Reverse Barts on an hourly basis. Mark was happy, because he was rumored to be making $50,000–70,000 in profit a day from it. On June 2, BTC broke the $10 barrier, and the BTC trading frenzy began in earnest. By June 8, 2011, BTC was selling for $27, with one Hacker News poster bragging about earning “$30k/month” thanks to Mt. Gox Bitcoin sales. An early CPU miner who had hoarded 73,000 BTC, he regretted not being able to unload his stash fast enough, because Mt. Gox had a $1,000 daily withdrawal limit due to using a US-based payment processor called Dwolla.

Early BTC miner brags about selling Bitcoin for $27
Hackers Come on Board Mt. Gox
A ship’s crew works and lives together, developing a tight bond. The crewmen trust each other with their lives and establish strict procedures for inviting and handling strangers on board. There was nothing of the sort on Mt. Gox, where anyone could waltz in and start rummaging through anyone else’s belongings. That was all due to a critical vulnerability called CSRF (Cross-Site Request Forgery), which allowed an attacker to act as any Mt. Gox user and take their Bitcoin. On June 13, Mt. Gox reported to the public that 25,000 BTC of user funds had been stolen from 478 accounts. On June 18, a BitcoinTalk forum user named “phantomcircuit” revealed the CSRF, which let an attacker ride the active session of a logged-in Mt. Gox user (the browser attaches the session cookie to the forged request) and issue commands on their behalf. The attacker could drain users’ Mt. Gox accounts while changing their email addresses to the attacker’s to prevent any email notifications from reaching them. In a May 2014 interview with Ars Technica, Jed McCaleb blamed the shoddy Mt. Gox security on Mark. Jed said that he had heard that Mark rewrote the entire Mt. Gox codebase shortly after he bought the platform. As for his involvement with Mt. Gox, Jed stated that he only had a 12% stake in the company, with the other 88% owned by Mark’s company, Tibanne.
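The CSRF flaw and its fix, as an added example that is not the page's or Mt. Gox's own code: a constructed withdrawal handler that trusts the session cookie alone, beside a hardened one that also demands a per-session synchronizer token. The session store, account table, request model and all names and values are hypothetical stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for a session store and an account table.
# Nothing here is Mt. Gox's real code; names and values are hypothetical.
SESSIONS = {}   # session id -> {"user": name, "csrf": per-session secret}
ACCOUNTS = {}   # user name -> {"btc": balance, "email": notification address}

@dataclass
class Request:
    """Minimal model of an HTTP POST: cookies the browser attaches, plus form fields."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def login(user: str, btc: float, email: str) -> str:
    """Create an account and a logged-in session; returns the session cookie value."""
    ACCOUNTS[user] = {"btc": btc, "email": email}
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid

def _apply_withdrawal(sess: dict, form: dict) -> str:
    """Shared state change: debit the balance and optionally change the email."""
    acct = ACCOUNTS[sess["user"]]
    amount = float(form["amount"])
    if amount <= 0 or amount > acct["btc"]:
        return "insufficient funds"
    acct["btc"] -= amount
    acct["email"] = form.get("new_email", acct["email"])
    return "ok"

def withdraw_vulnerable(req: Request) -> str:
    """The flaw the page describes: the handler trusts the session cookie alone.
    A form submitted by a third-party page carries the victim's cookie automatically,
    so the exchange cannot tell it apart from the user's own click."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "not logged in"
    return _apply_withdrawal(sess, req.form)

def withdraw_hardened(req: Request) -> str:
    """Synchronizer-token fix: the form must echo a per-session secret that only the
    exchange's own pages can read, so a cross-site request fails before any state
    changes. Pair it with SameSite cookies and step-up auth for email changes."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "not logged in"
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return "csrf check failed"
    return _apply_withdrawal(sess, req.form)

def cross_site_request(victim_sid: str) -> Request:
    """What the victim's browser sends when a page it visited auto-submits a withdrawal
    form: the session cookie rides along, but the per-session token is unknown to it."""
    return Request(cookies={"sid": victim_sid},
                   form={"amount": "25", "new_email": "attacker@example.invalid"})

def demo() -> dict:
    """Run the same cross-site request against both handlers and report the outcome."""
    sid_a = login("alice", 100.0, "alice@example.invalid")
    vuln = withdraw_vulnerable(cross_site_request(sid_a))
    vuln_balance, vuln_email = ACCOUNTS["alice"]["btc"], ACCOUNTS["alice"]["email"]
    sid_b = login("bob", 100.0, "bob@example.invalid")
    forged = withdraw_hardened(cross_site_request(sid_b))
    forged_balance = ACCOUNTS["bob"]["btc"]
    legit = withdraw_hardened(Request(cookies={"sid": sid_b},
                                      form={"amount": "25", "csrf": SESSIONS[sid_b]["csrf"]}))
    return {"vuln": vuln, "vuln_balance": vuln_balance, "vuln_email": vuln_email,
            "forged": forged, "forged_balance": forged_balance,
            "legit": legit, "legit_balance": ACCOUNTS["bob"]["btc"]}
```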
Bitcoin Sinks to 1 Cent in Seconds
When a ship starts taking on water, its days are numbered, as it will struggle to stay upright, but it might still be able to sail for a little while. Mt. Gox started taking on water on June 20 at around 3 AM Japan time, when the price of Bitcoin on the exchange dropped from $17.5 to $0.01 in a matter of minutes. The cause was someone selling nearly 500,000 BTC on Mt. Gox, which took the exchange about half an hour to execute while leaving it unresponsive to commands and trades. The biggest single trade was for 261,383.763 BTC, sold at $0.01. Within an hour, there was almost the same volume of trades in the reverse direction, with the hacker and panicked traders buying that same BTC and pushing the price back up to $20.

Bitcoin flash crash to 1 cent on Mt. Gox, recorded by BitcoinChannel on YouTube
Just a couple of minutes later, there was a massive move of Bitcoin, this time 432,077 BTC, about 6.6% of all Bitcoin in circulation at the time. This move didn’t go through Mt. Gox, but it was recorded on the Bitcoin blockchain. Mark later said that it was Mt. Gox moving its assets from one wallet to another as a safety precaution, but people were skeptical that it was him. Mt. Gox later stated that someone had used a Hong Kong IP to access a compromised Mt. Gox user account, first selling nearly 500,000 Bitcoin from it, then immediately buying them back, and then trying to withdraw all that Bitcoin. The explanation tried to soothe user fears by stating that the trades that happened after the price crash would be rolled back, with the Bitcoin price hopefully going back to $17.5. Mt. Gox was shut down for a week, prompting other Bitcoin exchanges to shut down for a little while too, both to prevent panic selling and because many users reuse the same password across websites.
Hackers Copy the Mt. Gox Passenger Manifest
People got their wits together and pored over the details. The simplest explanation they could find was that a Mt. Gox auditor had his computer hacked and the Mt. Gox database copied, the equivalent of a ship’s passenger list being copied. The hacker stole the encrypted details of 61,016 user accounts in the database, 1,765 of which were vulnerable to brute-force guessing, which is what the hacker did to recover some of them. The database copy happened two months or more prior to the hack, which is when Mark was migrating his systems to stronger database protections, hence the auditor. Users who hadn’t logged in to Mt. Gox for over two months were vulnerable, while all other users had their passwords automatically re-encrypted with better protection the next time they logged in. Luckily, the hack didn’t do much actual damage, because it didn’t seem well prepared at all. It was as if the hacker had accidentally logged into someone’s Mt. Gox account, getting away with only 2,000 BTC, a figure that was later confirmed by Jed and Mark. A few hours later, as Mark and his team were doing damage control, some of the people who had a compromised Mt. Gox account received an email from Bitcoin@unknown.com, which stated:

The first warning sign that Mt. Gox security was abysmal
The Mt. Gox database had been seen circulating in public a few days before the flash crash, and later research into it revealed that someone had offered the database for sale on June 17, but that offer wasn’t taken seriously. The email warning did not seem malicious, but it confirmed that user information, such as email addresses, had indeed leaked.
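An added example (not code from the page or from Mt. Gox) of the upgrade-on-next-login scheme described above and of why dormant records stayed exposed after the leak: the unsalted legacy scheme, the salted slow scheme, and the sample records are constructed assumptions, not Mt. Gox's actual password formats.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the two schemes the page contrasts: an old one that falls
# to guessing and a newer one with "better protection". Both are assumptions made for
# this example; they are not Mt. Gox's actual password formats.
LEGACY = "legacy-md5"      # unsalted and fast: one guess, hashed once, matches any record
MODERN = "pbkdf2-sha256"   # per-record salt and a deliberately slow derivation
ITERATIONS = 200_000

def legacy_hash(password: str) -> str:
    return LEGACY + "$" + hashlib.md5(password.encode()).hexdigest()

def modern_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return MODERN + "$" + salt.hex() + "$" + dk.hex()

def verify(record: str, password: str) -> bool:
    """Check a password against a stored record of either scheme (constant-time compare)."""
    scheme, _, rest = record.partition("$")
    if scheme == LEGACY:
        return hmac.compare_digest(record, legacy_hash(password))
    if scheme == MODERN:
        salt_hex, _, dk_hex = rest.partition("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False

def verify_and_upgrade(record: str, password: str) -> tuple:
    """Login path: if the password is right and the record is legacy, return a modern
    record to store in its place. Accounts that never log in keep the weak hash, which
    is why the page's dormant users stayed exposed after the leak."""
    if not verify(record, password):
        return False, record
    if record.startswith(LEGACY + "$"):
        return True, modern_hash(password)
    return True, record

def legacy_records_guessable(records: list, wordlist: list) -> int:
    """Defender-side audit after a database leak: count legacy records that a small
    wordlist reproduces. With no salt, each word is hashed once and checked against
    every record, which is exactly why unsalted fast hashes fail at scale."""
    table = {legacy_hash(word) for word in wordlist}
    return sum(1 for record in records if record in table)

def demo() -> dict:
    """Constructed sample table: two dormant legacy records and one upgraded record."""
    records = [legacy_hash("hunter2"), legacy_hash("c0rr3ct-h0rse-battery"),
               modern_hash("hunter2")]
    ok, upgraded = verify_and_upgrade(records[0], "hunter2")
    return {"login_ok": ok,
            "upgraded_scheme": upgraded.partition("$")[0],
            "upgraded_verifies": verify(upgraded, "hunter2"),
            "wrong_password": verify(upgraded, "hunter3"),
            "guessable": legacy_records_guessable(records, ["password", "hunter2", "123456"])}
```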
Mark Shows Off His Bitcoin Treasure Chest
On June 22, The Guardian published an article titled “LulzSec rogue suspected of Bitcoin hack,” linking Anonymous and LulzSec, two notorious hacker groups, to the Mt. Gox hack, which LulzSec denied. In the article, the owner of another Bitcoin exchange, Britcoin’s Amir Taaki, said that, until Mark could prove otherwise, everyone should assume that Mt. Gox had no Bitcoin at all. He also said that he had notified Mark of the database leak a few days prior to the flash crash but got no response. On June 23, Mark had to react in some way, because the drama around the flash crash and the potentially missing Bitcoin was intensifying. The rumor in public was that the 432,077 BTC move was the hacker stealing Mt. Gox funds. People looked into where that BTC came from and saw that it had come from a transaction for 432,109.87654321 BTC executed the day before. Note the digits: they run 1-2-3-4-5-6 when read right to left. It seemed like a joke, the kind of thing a hacker group such as LulzSec would do "for the lulz." To many people, that was all the proof they needed that a hacker had indeed got hold of the funds and that Mt. Gox was going under. To prove that Mt. Gox still had user funds, and to poke fun at the rumor, Mark moved 424,242.42424242 BTC from one Mt. Gox wallet to another that day.

Mark showing off his seemingly inexhaustible supply of Bitcoin
Mt. Gox Sails on, Seemingly Unharmed
On June 26, Mt. Gox resumed trading. The exchange forced all users to reset their passwords and verify their accounts once again. The new password encryption was much stronger, but for some users not even that was good enough, and they wanted something better. On June 30, Mt. Gox issued a press release that shed new light on the flash crash. There was no auditor, as people had first thought, and the story was much wilder. When Mark bought Mt. Gox, he promised Jed a share of the commissions. To ensure that Mark was paying him the right amount, Jed got an admin-level account with unlimited access to the Mt. Gox backend and editing privileges (?!), which is how the hacker caused the mess. Because Mt. Gox trades essentially happened in a spreadsheet, and that admin account had edit access to the spreadsheet, the hacker was able to conjure up nearly 500,000 Bitcoin in Jed’s account, the sale of which caused the flash crash. The 2,000 BTC that the hacker cashed out were real, but Mt. Gox promised to cover them from its own funds.
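An added example, not Mt. Gox's code, of the control that would have stopped a conjured balance: an append-only journal from which balances are derived, so even an admin can only move coins that exist, plus a reconciliation of an edited balance table against that journal. Account names, txids and order ids are constructed.

```python
from decimal import Decimal

# Constructed toy ledger, not Mt. Gox's actual backend; account names, txids and
# order ids are hypothetical sample values.

class Ledger:
    """Append-only journal of BTC movements. Balances are derived from the journal,
    never stored in an editable table, and every entry names where the coins came
    from, so no role, admin included, can credit coins from nowhere."""

    def __init__(self):
        self.journal = []  # (kind, source, destination, amount, reference)

    def _post(self, kind: str, src: str, dst: str, amount, ref: str) -> None:
        amt = Decimal(str(amount))
        if amt <= 0:
            raise ValueError("amount must be positive")
        # "custody" is the exchange's wallet pool; any other source must have the funds.
        if src != "custody" and self.balance(src) < amt:
            raise ValueError(f"{src} holds less than {amt} BTC")
        self.journal.append((kind, src, dst, amt, ref))

    def deposit(self, user: str, amount, txid: str) -> None:
        """Only a confirmed on-chain deposit, identified by txid, creates customer balance."""
        self._post("deposit", "custody", user, amount, txid)

    def withdraw(self, user: str, amount, txid: str) -> None:
        self._post("withdraw", user, "custody", amount, txid)

    def trade(self, seller: str, buyer: str, amount, order_id: str) -> None:
        """BTC leg of a fill: coins move between customers, reserves are untouched."""
        self._post("trade", seller, buyer, amount, order_id)

    def balance(self, user: str) -> Decimal:
        total = Decimal(0)
        for _, src, dst, amt, _ in self.journal:
            total += amt if dst == user else Decimal(0)
            total -= amt if src == user else Decimal(0)
        return total

    def reserves(self) -> Decimal:
        """Coins the exchange should actually hold: deposits minus withdrawals."""
        return sum((amt if src == "custody" else -amt
                    for _, src, dst, amt, _ in self.journal if "custody" in (src, dst)),
                   Decimal(0))

    def audit(self, balance_table: dict) -> dict:
        """Reconcile a stored balance table (the page's 'spreadsheet') with the journal;
        any row that disagrees is a balance that was edited, not earned."""
        users = set(balance_table) | {a for _, s, d, _, _ in self.journal
                                      for a in (s, d) if a != "custody"}
        return {u: balance_table.get(u, Decimal(0)) - self.balance(u)
                for u in sorted(users) if balance_table.get(u, Decimal(0)) != self.balance(u)}

def demo() -> dict:
    lg = Ledger()
    lg.deposit("alice", "10", "txid-constructed-1")
    lg.deposit("jed", "2000", "txid-constructed-2")
    lg.trade("alice", "jed", "4", "order-1")
    lg.withdraw("jed", "1", "txid-constructed-3")
    try:  # an admin limited to appending entries cannot sell coins that do not exist
        lg.trade("jed", "bob", "500000", "order-2")
        conjured = True
    except ValueError:
        conjured = False
    # A balance table edited in place, as the page describes, is caught on reconciliation.
    edited_table = {"alice": Decimal("6"), "jed": Decimal("502003")}
    return {"alice": lg.balance("alice"), "jed": lg.balance("jed"), "reserves": lg.reserves(),
            "conjured": conjured, "discrepancies": lg.audit(edited_table)}
```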
Mt. Gox Revamps Its Security
In July 2011, Mt. Gox started taking small steps to bail out water, plug the holes, and right the ship. The first step was adding support for YubiKey hardware tokens, which allow passwordless access while minimizing the risk of phishing and account hijacking. The exchange released an Android app that month as well. By February of the next year, Mt. Gox would start using Prolexic, a Florida-based DDoS protection service, and VeriSign for authentication. In September 2013, one Reddit user would still complain about his account being hacked despite having a YubiKey, indicating that the hacker was an insider at Mt. Gox or had total control over Mt. Gox systems. In August, Mt. Gox acquired Bitomat, a Polish website that was the third-largest Bitcoin exchange at the time. Bitomat had collapsed after losing 17,000 BTC of user funds, shortly after another exchange, MyBitcoin, collapsed as well, which sent the Bitcoin price plummeting to single digits. Bitomat’s users were allowed to use the same username and password on Mt. Gox, and they were refunded by Mt. Gox, which then announced that it would accept deposits in Polish zloty via bank transfer. The motive for the acquisition of Bitomat was to maintain community confidence. In September, Mt. Gox started enforcing anti-money-laundering policies, which involved suspending accounts that raised red flags and requiring their owners to send in their paperwork. By October, the Mt. Gox app accepted 17 currencies in total and had an iOS version too.
Mt. Gox Appears To Sail Steadily
On February 1, 2012, Mt. Gox released its first transparency report, revealing key growth metrics. The investment in security had paid off: 22,000 people were signing up to Mt. Gox each month, for a total of 122,000. Mt. Gox was processing 92.88% of all USD-BTC trades on the market, with its users depositing $2.7 million into the exchange in January alone. The gross turnover for Nov 2010–Nov 2011 was 15 million USD, 6 million EUR, and 240,000 GBP. Revenue for the same period was $337,000 and 52,400 BTC, while monthly operating expenses were ¥5,000,000. Another transparency report, this time from August, showed that Mt. Gox had grown by leaps and bounds. There were now 192,000 users, who had deposited $3.1 million in the 30 days prior, and the trade volume in the Jan–Aug period reached $105 million. But Mt. Gox had lost some market share to competitors, most notably TradeHill, and was now handling 87% of USD-BTC trades on the market. Between the two reports, there were no upgrades in security or server hardware, the maintenance of which cost $5,000 a month.
Bitcoin Breaks All-Time-High Prices
In March 2013, Bitcoin was trading at all-time-high prices on Mt. Gox. It went to $50, $60, and then $120 and $142, rising by up to 15% in a day. The platform then introduced new withdrawal rules: each user could still only withdraw $1,000 a day, but the limit on Bitcoin withdrawals was raised from 200 to 1,000 BTC a day for customers who hadn’t been verified. For those who decided to get verified, there was a limit of $50,000 a day. For those who needed more, there was an extra level of verification, making the user “trusted” and allowing monthly withdrawals of $500,000 and 10,000 BTC a day. On March 12, 2013, Mt. Gox temporarily halted all deposits to the platform. There was no hack this time, but something much more troublesome: Bitcoin itself was causing problems and potentially allowed the same funds to be spent twice. The cause was an upgrade of the Bitcoin mining software from version 0.7 to version 0.8 that split the network, so that those who mined on 0.8 were building a separate Bitcoin blockchain from the 0.7 miners. The issue was in how the two versions handled very large blocks, causing 0.7 software to reject blocks made by 0.8 as invalid.
Bitcoin was not ready for so many transactions, and upgrading the Bitcoin network to make it so became an issue. Bitcoin devs did test the update before deploying it, but nobody saw that problem coming, so they urged the miners to go back to version 0.7 until they figured out a solution. That was the first sign of impending doom for Mt. Gox, which was experiencing runaway growth on top of a cryptocurrency that wasn’t ready for it. Bitcoin’s decentralized nature makes it difficult to scale up, update, and upgrade, and the Bitcoin Core developer team has no way to force the community to update or revert to an older version. Satoshi designed Bitcoin with that in mind, so that only the longest blockchain matters. Miners have to come to an agreement on which version is the right one and mine on it, but there is potential for upsets and disruptions in the Bitcoin network whenever miners disagree, such as during network upgrades.
Mt. Gox Heaves and Buckles Under BTC Weight
On April 11, 2013, Mt. Gox was again barely functional. Even when trading was possible, it happened with a 5–6 second delay that grew into a 10-minute delay due to the sheer volume of traffic and trades. The BTC price fell from $266 to $110 in a few hours, and people thought it was another DDoS, but it was panic selling. Mark posted on the official Facebook page that Mt. Gox had seen 20,000 new user signups in just one day and a tripled trading volume, for which the platform wasn’t ready. Reddit user “runeks” wrote and ran a script to figure out how many trades Mt. Gox could handle. He gathered trading data from the April 9–14 period and found that, at most, Mt. Gox handled 37 trades per second. According to some commentators, that was a respectable number and far above what regular exchanges have to deal with. Other commentators said that it was pathetic for a public website and that Mt. Gox needed to seriously ramp up its capabilities or it would forever be hammered by waves of traffic and trades. Runeks also noted that 37 transactions per second was the figure after the upgrade; before it, the figure was 23.
Other Bitcoin exchanges were experiencing a massive volume of Bitcoin trades too, though it’s not certain that they were all under a coordinated global DDoS. Bitcoin was starting to get media attention and was being mentioned in mainstream podcasts and news articles, so an influx of users made sense. On April 11, Mt. Gox entered a 12-hour shutdown to fast-track the trading engine upgrade and prepare for more users and more orders. Besides all its other problems, Mt. Gox had no minimum Bitcoin trading amount, no fixed fees on orders, and no cooldown period on placing orders, allowing users to run bots or scripts that rapidly traded minuscule amounts of Bitcoin and created a huge backlog of orders. Mt. Gox collected only a percentage fee from each trade and only sometime in 2013 raised the minimum trading amount above 0.001 BTC. In other words, Mt. Gox was about to crack, yet people were still flocking to it in hopes of grabbing a few cheap Bitcoin.
Bitbully’s Malware Story
On April 11, 2013, a BitcoinTalk forum user, “bitbully,” posted about how he was robbed of 34 BTC through malware targeting Mt. Gox users, a story that received coverage from TechCrunch in the article “Java Applet Attack Wipes Out Bitcoin Accounts On Mt. Gox.” Bitbully had received a link to a website that supposedly had important news about Mt. Gox. He clicked the link, but nothing seemed to happen. One hour later, bitbully was notified that 34 BTC had been withdrawn from his Mt. Gox wallet. After analyzing the incident, he discovered that the link led to a specially crafted payload that included a Java applet, a trojan, and a keylogger.

Bitbully ignored the blatantly fake URL because he was in panic mode
The hack exploited the fact that Mt. Gox was unreliable and known to crash suddenly. Mt. Gox users were constantly expecting another disaster, which made them panic at the earliest sign of trouble and throw caution aside to save their funds. That happened to bitbully as well. When he clicked the link and activated the Java applet, the malware, which was designed to target Mt. Gox users, went into action and hijacked his active Mt. Gox session to execute the withdrawal while changing the account password. He could only watch helplessly as the transaction was immediately confirmed.

Blink, and the 34 BTC are gone
Commentators blamed bitbully and anyone else who didn’t pay attention to the warning signs, but the victims blamed Mt. Gox. Ultimately, bitbully’s 34 BTC were refunded by Mt. Gox. Meanwhile, the price of Bitcoin fluctuated between $60 and $160 due to uncertainty and panic trading. At that point, Mt. Gox was processing up to $1 million in withdrawals daily.
Layer 7 DDoS Attacks and a Lawsuit
On April 24 of the same year, Mt. Gox issued a press release explaining that it was experiencing a special kind of DDoS attack, one targeting elements of the Mt. Gox web interface. Layer 7 refers to the application layer, which includes protocols such as FTP and HTTP(S); an attack there consists of seemingly legitimate requests rather than raw traffic floods, which makes it difficult to detect and stop, and it delayed Mt. Gox’s plans to adopt another cryptocurrency, Litecoin. People thought that the blue times were over, that Mt. Gox would bounce back, and that they would all have a ball.

The perfect encapsulation of Mark's attitude towards Mt. Gox and its users
On May 3, 2013, Mt. Gox was sued for $75 million for breach of contract by Coinlab, a US-based startup that was supposed to handle Mt. Gox’s users in the US and Canada. The deal was that Coinlab would take over North American clients in February 2013, which didn’t happen. The owner of Coinlab, Peter Vessenes, was a board member of the Bitcoin Foundation at the time and had started the company expecting results that didn’t materialize. Since his company was venture-backed, he was under pressure to deliver results or shut down, hence the lawsuit, which did have legal grounds but was sloppily written.
What Is Mt. Gox?
Mt. Gox is an exchange that never should have been launched and that was destined to sink and drag gullible people and their riches with it to the bottom of the ocean. But thanks to Mt. Gox’s popularity, Bitcoin rose to global fame through media articles detailing the Mt. Gox Bitcoin disaster. What is Mt. Gox? It’s a defunct Bitcoin exchange that shut down in 2014 due to poor security and management. It was founded by Jed McCaleb as an online exchange for Magic: The Gathering Online cards, was later repurposed as a Bitcoin exchange, and was sold to Mark Karpeles, who ran it (into the ground) between 2011 and 2014.
Who Stole Bitcoin From Mt. Gox?
The Mt. Gox Bitcoin heist is one of the most outrageously devastating thefts in the history of Bitcoin. Over the course of years, hackers slowly drained Bitcoin from Mt. Gox users’ accounts through glitches and hacks, with Mark telling the exchange’s support staff to ignore user complaints. Who stole Bitcoin from Mt. Gox? Alexey Bilyuchenko and Aleksandr Verner were charged by the U.S. Department of Justice with conspiring to steal and launder approximately 647,000 BTC from Mt. Gox between 2011 and 2014. They are the two named hackers, but it’s likely there were more accomplices who will never face justice.
Smooth Sailing With PlasBit
Mt. Gox shows what happens when an immature entrepreneur with a superiority complex runs an exchange, but there are opposite examples too and we should discuss them. In this case, I found the perfect antithesis to Mt. Gox in PlasBit. There, I’ve found a team of experienced people with steady hands who can steer an exchange with finesse through troubles and challenges to bank the unbanked. They’re not in the business for the money and they aren’t running PlasBit to take on as many users as possible. The people at PlasBit run a tight ship, are properly paranoid about their users’ funds, and from what I’ve seen can handle all the waves and storms without PlasBit’s voyage ending up in a shipwreck.