Skip to main content

Who stole $400 million from Mt. Gox?

Who stole $400 million from Mt. Gox?

Share this story

Mt. Gox headquarters in Tokyo.

By now, Mt. Gox's fate is more or less sealed. The Bitcoin exchange probably won't be bailed out, CEO Mark Karpeles will move on, and the rest of the Bitcoin economy will move on as if this was just a bump in the road. But as the community recovers, it's left a single, thorny question unanswered: who took $400 million worth of bitcoins from Mt Gox's vault?

The thefts "went unnoticed for several years."

According to the leaked "Crisis Strategy Draft," the thefts "went unnoticed for several years," which means the attackers had access long before price surges turned Bitcoin into a hot topic for the startup crowd. Almost from the beginning, Mt Gox's accounts were leaking money, and as the currency grew in value, the leak turned into one of the largest bank heists ever — more than 1 out of every 20 bitcoins in the world vanished without a trace. In a system built on technologically assured security and transparency, how could something like this happen?

Much of the story doesn't make sense

The polite, public explanation for this is that a transaction bug in Mt. Gox’s system enabled the theft, and the team just wasn't sharp enough to spot it — but there's a lot about the story that doesn't make sense. Mt. Gox seems to have been uniquely unprepared for the bug, targeted early, and hit with losses on an unprecedented scale. Other exchanges shut down briefly over the bug, but most reopened within a matter of days and without significant losses. Whoever was exploiting the bug prioritized Mt. Gox over all other targets, maintaining the exploit for years before any red flags were raised.

Then there's the scale of the theft: 744,408 bitcoins, roughly 6 percent of all the bitcoins in the world. Even the sloppiest of audits should have shown that something had gone wrong, that money was flowing out of Gox accounts — but the company didn't call for help until the last possible minute, when the gap had grown so large that it could no longer function. For many, the story just doesn’t add up.

Even the sloppiest of audits should have shown that something had gone wrong

In recent days, some in the community have even speculated that the heist could have been an inside job. No one has claimed that Karpeles would intentionally steal the coins — Mt. Gox was his baby, after all — but the exchange had as many as 18 employees during various stretches, any of whom could have been aware of the previously published bug. It's still likely that simple incompetence was at fault, especially given recent questions about the exchange's technical competence, but the easily-laundered nature of Bitcoin has made it especially difficult for Mt. Gox to save its tattered reputation.

The same problem cropped up for Silk Road 2.0

The same problem cropped up in the Silk Road 2.0's recent hack, which saw $2.7 million going up in smoke, putting the blame on the very same transaction bug. As soon as the hack was announced, users were accusing admins of stealing the money, calling the entire operation nothing more than a honeypot. With the money disappeared into bitcoin laundering devices and increasingly tiny trails in the public ledger, there's no way to know for sure. The getaway, however tricky, has already happened.

Whoever made the withdrawals performed one of the biggest heists in historyAnd if some in the community have doubts, the tone of the past few weeks reflects it. The turn against Gox has been strong and sudden, with intimations of not just incompetence but corruption. It reflects something more than just well-meaning developers in over their heads. One statement from competing exchanges referred to Gox as "bad actors that need to be weeded out," and in private conversations, others have referred to it straightforwardly as a cancer on the community. The sense of betrayal is personal and palpable.

If we ever find the real culprits for Gox or Silk Road 2.0 it will happen using the old-fashioned tools of the criminal justice system. Already, the same US Attorney prosecuting the Silk Road case has started to investigate Gox, calling in various Bitcoin businesses to see if there's a case to be made. Everyone involved is being watched very closely, on the bet that a sum of money that size won't stay hidden for long. But whoever made the withdrawals just performed one of the biggest heists in history — and they may still get away clean.