Lost in translation: the tangled tale of Mt. Gox's missing millions
Mismanagement apparently allowed a massive bitcoin heist
By Tim Hornyak and Jeremy Kirk | Published: 15:09, 07 March 2014
Japanese authorities are trying to unravel what happened at Mt. Gox, the popular Bitcoin exchange that collapsed last week, and recent revelations are only serving to thicken the plot, not clarify it.
The tale of the Tokyo-based exchange appears to be like the code its software ran on; the latter was deemed "a spaghetti mess" by a company source who spoke on condition of anonymity.
Mt. Gox filed for bankruptcy protection in the Tokyo District Court on Feb. 28, saying that some 750,000 customer bitcoin and 100,000 of its own bitcoin had vanished, possibly stolen. Based on the valuation of the volatile cryptocurrency at the time of the filing, that is roughly US$474 million. An additional ¥2.8 billion (about $28 million) in cash was unaccounted for.
Tokyo police are now scratching their heads. "The National Police Agency seems to lack the ability to analyze the bitcoin trading history of Mt. Gox," a government official told a source probing the investigation.
What really happened? Mt. Gox has never quite escaped the adolescent image associated with its origins as a market for trading cards used in the fantasy game "Magic: The Gathering," even as it changed gears and rocketed to success as the world's largest forum for trading in bitcoin, the digital currency launched in 2009.
The site had 1 million customers as of December 2013, according to a document posted on the Web that was purported to be a leaked business plan.
Presiding over it all was CEO Mark Karpeles, who uses the online moniker MagicalTux. The attendant image of Karpeles as a stage magician may now inflame Mt. Gox customers who suspect their losses are due to sleight of hand, not sloppiness or outside thieves.
In the weeks before it went bust, Mt. Gox suspended bitcoin withdrawals to outside wallets, blaming a bitcoin software bug known as transaction malleability and warning that it could be used for fraudulent purposes.
After all, Mt. Gox had been attacked before. In June 2011, $8.75 million in bitcoin was apparently purloined by hackers using stolen passwords.
In April 2013, Mt. Gox's website came under distributed denial-of-service (DDoS) attacks combined with frantic, frequent trades by a surge of new customers as the price of bitcoin climbed as high as $266.
'People trust us with a lot of money right now'
At that time, nearly a year ago, Gonzague Gay-Bouchery, Mt. Gox's head of marketing, talked with IDG News Service about the company's travails.
"We don't have a life, and we want to see our kids," he said. "And we want our customers to be very happy."
The site choked and sputtered, unable to cope with the massive amounts of traffic. Customers became angry, leaving Mt. Gox to attempt to quell a public relations disaster and a very real threat from cyberattackers trying to manipulate bitcoin's market price. Gay-Bouchery detailed Mt. Gox's plans for a faster trading engine that would be resistant to cyberattacks.
"Like everything, it takes a lot of time to make something bulletproof," he said. "We cannot release something half-baked."
He acknowledged that Mt. Gox was struggling to cope with new users, which numbered as many as 20,000 a day that month. The company hired more staff to more quickly complete anti-money laundering identity checks on its customers.
"I would really like to stress that people trust us with a lot of money right now," Gay-Bouchery said. "We want to do everything by the book. We may appear slow in many aspects, but we are taking our time to do it right."
In June, Mt. Gox had cut off U.S. dollar withdrawals, prompting widespread concerns over its solvency.
The following month, around July 2013, Bitcoin entrepreneur Roger Ver visited Mt. Gox's Tokyo headquarters. He published a video saying he believed the company's withdrawal problems were caused by the "traditional banking system, not because of a lack of liquidity at Mt. Gox."
"The traditional banking partners that Mt. Gox needs to work with are not able to keep up with the demands of the growing bitcoin economy," Ver said at the time.
But on Feb. 25, the day Mt. Gox's website went blank, Ver retracted his earlier statements in another video.
In an email interview last week, Ver recalled his meeting with Mt. Gox: "I watched him [Karpeles] log into his online bank account in real time and saw the balances with my own eyes. They had a huge amount of U.S. dollar liquidity at that time."
Ver doubts that transaction malleability, a long-known issue that in some cases can be exploited to make fraudulent withdrawals, was the sole cause of Mt. Gox's wipeout.
"The problem was clearly caused by poor code or other mismanagement at Mt. Gox," Ver said.
"I think there was a lack of corporate culture," said a source close to the company who observed obliviousness to major problems. "I just really don't know how they managed to stay open as long as they did."
"The environment was completely dysfunctional," said the company source, who worked at Mt. Gox owner Tibanne. "There was no testing or staging of code. Just development and production. It's a financial exchange and they're handling customer money. At least I would expect a workflow that encompasses these things."
Mt. Gox management ignored warnings that the software platform was "a spaghetti code mess" and showed little interest in cracking down on security flaws, the source said, adding that Karpeles grew bored of run-of-the-mill business tasks.
"Mark loved to circumvent the (development) process because he had direct access to all the servers," the source said. "So whenever he wanted to change something he would just change it on the live side, and that was that."
Karpeles could not be reached for comment. In a statement related to Mt. Gox's bankruptcy filing, the company described problems with the bug in the bitcoin system, saying, "We believe that there is a high probability that these bitcoins were stolen as a result of an abuse of this bug and we have asked an expert to look at the possibility of a criminal complaint and undertake proper procedures."
The errors in the Mt. Gox code likely allowed for bitcoins to be slowly siphoned off the exchange over time without anyone noticing, said the source, who added that one possibility is that the site's cold storage, essentially an offline vault used by bitcoin exchanges, either did not exist or was lost.
"Accounts were being hacked left and right," the source said. "But victims would contact support, made to wait two weeks and nothing would happen."
Mt. Gox's approach to money was equally questionable. Its account with Mizuho Bank was not segregated between customer funds and operational funds, the source said.
This week, an audio recording surfaced on the Web that purports to be a conversation held in late January between Karpeles and a Mizuho Bank official, who are speaking in Japanese. After airing his concerns about bitcoin, the official repeats the bank's decision that Mt. Gox's account must be closed.
Instead of becoming alarmed, Karpeles seemed more interested in his pet project to open a Bitcoin Cafe beside the company's headquarters, the source said.
But soon the problems would become too large to ignore.
Neither Karpeles nor his deputy, Gonzague Gay-Bouchery, outwardly showed signs of worry just two weeks before Mt. Gox filed for bankruptcy protection, said Bruce Fenton, board member of The Bitcoin Association.
In emails and phone calls, Fenton approached both men around Feb. 14 to discuss a possible investment in Mt. Gox, an effort aimed at sorting out the company's problems. Of top concern was whether Mt. Gox had its bitcoins.
"We asked them flat out if they had [the bitcoins]," Fenton said in a phone interview Tuesday. "Gonzague said they had them."
The talks failed to progress as Mt. Gox's situation deteriorated, Fenton said.
A document titled "Crisis Strategy Draft," leaked on Feb. 25, suggested that the company had lost 744,408 bitcoins and outlined an implausible plan for recovery. Many people, including Fenton, felt the document was fake.
Fenton then emailed Karpeles asking about the company's bitcoin holdings. Karpeles didn't directly answer, instead saying there would be an announcement on Feb. 28, the day of its bankruptcy filing at Tokyo District Court.
"I just thought it [Mt. Gox] was profoundly poorly managed," Fenton said.
As a small protest gathered outside the company offices and Mt. Gox suspended withdrawals, management issues couldn't be ignored anymore. As part of his final act in the Mt. Gox drama, Karpeles bowed in ritual Japanese apology at the bankruptcy press conference.
"I am deeply sorry for causing trouble," he said.