MtGox Dances With the Bear

by Dan Linehan on June 21, 2011

MtGox, the largest online exchange for bitcoin trading by far, has had some staggering security issues this week.

The administrator, Mark Karpeles, also known by his handle MagicalTux, says that the site’s database was leaked in an encrypted format after an independent auditor’s machine was compromised. After some of the encrypted passwords were cracked, he claims that a hacker logged on and started a massive sell-off from an account that had enormous bitcoin holdings.

Unfortunately, there seem to be a few inconsistencies in the story, not the least of which is the fact that no one has talked to or heard from the alleged victim, someone who was supposedly keeping 500k bitcoins in their online MtGox account.

There was definitely a massive sell-off that caused the price of bitcoins to plummet to a rock bottom valuation of $0.01 yesterday. Earlier, the price had been around $17.50.

Who ended up with the 500k coins? Enter Kevin Day.

Kevin has come forward to explain how he ended up with over half, more than 250,000, of the purportedly stolen bitcoins. Kevin happened to be logged into MtGox while the price was going steadily down during the massive sell-off. It became obvious to him that someone was intentionally crashing the market, and that he would only have a few minutes to get in on the trading.

Although the site was having issues at this point, Kevin managed to place an order for as many bitcoins as he could buy at $0.0101 per coin. He says that he figured some other members must have already put buys in for a penny, so he hoped his request would just edge them out by a fraction of a cent. Kevin ended up becoming the new owner of the lion’s share of the allegedly stolen bitcoins, purchasing 259684.77 BTC for only 0.0101 each, or a little under $3,000 total.
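To show the mechanism behind that fill, here is an added illustration that is not part of the original article: a minimal price-time-priority matcher that walks a large market sell down a resting order book. Only Kevin's price (0.0101) and size (259684.77 BTC) come from the article; every other bid is constructed.

```python
def match_market_sell(bids, qty):
    """Fill a market sell of `qty` BTC against resting bids.

    bids: list of (price_usd, size_btc, owner) in arrival order.
    Returns (fills, unfilled_qty) where fills is a list of
    (owner, price_usd, filled_btc) in execution order.
    Best price fills first; Python's sort is stable, so among equal
    prices the earlier bid keeps priority (time priority).
    """
    book = sorted(bids, key=lambda b: -b[0])
    fills, remaining = [], qty
    for price, size, owner in book:
        if remaining <= 0:
            break
        take = min(size, remaining)
        fills.append((owner, price, take))
        remaining -= take
    return fills, remaining


def usd_paid(fills, owner):
    """Total dollars an owner paid across all of their fills."""
    return sum(price * size for o, price, size in fills if o == owner)


# Constructed resting bids in arrival order (price in USD, size in BTC, owner).
# The penny bids sit on both sides of Kevin's order to show that his
# fraction-of-a-cent improvement beats them regardless of arrival time.
SAMPLE_BIDS = [
    (17.50, 120.0, "trader-a"),
    (15.00, 800.0, "trader-b"),
    (5.00, 3000.0, "trader-c"),
    (1.00, 20000.0, "trader-d"),
    (0.01, 100000.0, "penny-bidder-1"),   # placed before Kevin
    (0.0101, 259684.77, "kevin"),         # price and size from the article
    (0.01, 500000.0, "penny-bidder-2"),   # placed after Kevin
]

if __name__ == "__main__":
    fills, rest = match_market_sell(SAMPLE_BIDS, 500000.0)  # a 500k BTC dump
    for owner, price, size in fills:
        print(f"{owner:15s} {size:12.2f} BTC @ ${price:.4f}")
    print(f"unfilled: {rest:.2f} BTC; kevin paid ${usd_paid(fills, 'kevin'):.2f}")
```

The thin bids above a dollar absorb almost nothing, so the sell reaches Kevin's 0.0101 bid before any penny bid and the last print is at $0.01, the price the article reports as the bottom.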

To put his profit margin into perspective, before the exchange crashed this many coins would have been worth around $5 million.

Although the MtGox exchange was now listing more than 250k bitcoins in Kevin’s account, there was still a hard limit on how many could be withdrawn. Kevin withdrew as many as he could, 643.27, into his personal account before the site went down.

Within the hour, MtGox was completely offline, and soon afterwards Karpeles was claiming the site was hacked.

There are a few issues with his story though.

Who is the alleged mystery victim who was holding more than 500k BTC in their online account?

This is a troubling question for several reasons. In order for a crime to have taken place, there has to be a victim. Here, we can’t immediately see one.

Since there isn’t really any reason for someone to keep that many bitcoins in their online account, it is a bit difficult to believe that one user was maintaining that many in their MtGox portfolio. In general, one only needs as many coins in the exchange as they would want to use to trade. Since no one would ever want to trade with 500k BTC at once, it doesn’t make sense to keep that sort of volume online. Selling so many coins would simply cause the market to crash, as we have just seen. That isn’t what someone who wants to see their investment rise in value would do.

Even if someone did have 500k BTC in one account, as unlikely as that is, they would have had to have used an extremely short password for it to be broken as quickly and easily as this one apparently was. The stolen database passwords were still encrypted; it takes weeks or months to decrypt passwords even when they are of mid-level difficulty. In this case, it seems the unknown account holder would have had to be using something like a dictionary word in all lowercase for it to be cracked so quickly.

But why would someone be using a short, easy password on an account holding more than $8.5 million worth of bitcoins? This is especially implausible considering that anyone who accumulated that many coins would be extremely likely to know a few things about encryption.

One theory on the matter is that the hack was much more extensive than Karpeles is willing or able to admit. If this is the case, the 500k coins were probably not from one user’s account at all, but rather may have represented all of the coins on the site at that time.

But the most stunning development of all came a few hours later, when Karpeles posted the following message onto the bitcoin forums, in response to Kevin:

Kevin had only one chance that day to place his 0.01 buy order. So either he had a lot of luck, and somehow knew it was the right time to place a 0.01 buy order, or something smells fishy in there. It’s not up to me to decide, but I will report this as it has become a public matter.

Therefore I choose option 4:

Option 4: Mt Gox signals this to the competent authorities
+ We are safe
+ We may even have a chance of catching our hacker if Kevin knows him
+ We can rollback without having to worry
- Having to deal with FBI, provide logs and proof

The FBI? Really?

Here we have bitcoins, purportedly a quasi-anonymous, crypto-currency that is intended to bypass any and all government interference. The whole reason it has become so popular is due to a perceived lack of government intervention and jurisdiction.

Yet suddenly, as soon as an exchange faces trouble (as a direct result of consistently poor security practices), the site administrator thinks he should take the case to the FBI?

Exactly how much data is Karpeles planning on giving to the FBI? Would he be providing them the entire MtGox userbase? IP addresses?

How about all of the transaction logs?

MtGox has around 60,000 or so users who I’m sure would not take very kindly to the prospect of all of their personal and financial data being shared with a federal agency. What’s even more amazing is that Karpeles is planning this even though he has absolutely no obligation to do so. There isn’t currently even a request for user data from any government office, let alone a warrant. Karpeles seems to believe it’s appropriate to simply give even more data away.

And he does have a lot of data to give away. This is an email from Karpeles to a user who requested a raise on his withdrawal limit:

Hi,

To increase your bitcoin withdraw limit, there is no need for any document, just let me know your mtgox account user name, and the daily limit you wish for.

To increase your withdraw limit (by default $1000 per 24 hours and $10000 per 30 days), please provide your account name, the copy of an official ID document (such as passport, driver’s license, etc…) and the copy of an utility bill at your name and address.

We will review your document and increase your withdraw limit based on your risk profile.

Please note that you can also send a notarized color copy of your ID document to this address (remember to include your mtgox account name) via registered mail (fedex, etc) :

What a goldmine of information.

Threatening to provide data to the FBI defeats the entire purpose of an alternate currency. It is supposed to operate in a sustainable manner, outside of the jurisdiction and purview of any government agencies. That can’t be done when government officials have insider records of every financial transaction ever made on the exchange.

They aren’t even going to need a warrant to obtain them.

What’s even more confusing is that MtGox is owned and operated in Japan, and the hacker is purportedly from Hong Kong. So how would the FBI have any jurisdiction over the case, even if they were inclined to investigate it?

It doesn’t seem that Karpeles has a clear grasp on how exactly the FBI would help. Maybe he is just naive, but what makes Karpeles think that the FBI would investigate the theft rather than him, for owning a potentially illegal and unlicensed financial trading operation?

Credit goes to bitrebel from the bitcoin forum for his prescient description of how such a conversation would likely turn out:

Mark: Hi Mr FBI agent… My Name is Mark from Mt Gox…

FBI: What does it stand for?

Mark: Oh, it stands for Magic the Gathering Online Exchange.

FBI: What the fuck is that?

Mark: Well, it’s really irrelevant to anything. I’m here to report a theft from a hacking break-in.

FBI: What happened?

Mark: Well, I run this online bitcoin exchange…

FBI: What the fuck is that?

Mark: Well, bitcoins are a form of digital currency that is not really currency.

FBI: Well, if it’s not currency, then what is it?

Mark: It’s a series of encrypted numbers that keep transactions between people anonymous. Nobody can know who bought or spent them.

FBI: Yes, go on… please keep talking…

Mark: So, you see, I run this exchange from Japan, and someone logged in from Hong Kong and tried to make a huge sell off of 500,000 bitcoins at once.

FBI: and who owned these bitcoins?

Mark: We don’t really know, because it’s anonymous.

FBI: Okay, go on. Keep talking…

Mark: So, then this person we suspect of being the hacker, Kevin, had placed a buy right after the hacker logged in and tried to make his sell off.

FBI: And what evidence do you have that Kevin is the hacker?

Mark: None, it’s just that if we don’t have anyone to blame, then we have to payout the full 500,000 bitcoins from our own purse.

FBI: Were these accounts protected somehow?

Mark: No, not really.

FBI: What is the current value of the bitcoins stolen?

Mark: No way to really know for sure.

FBI: How do we know you didn’t steal them from yourselves or other members, and try to sell them all off, thus laundering them through your own exchange, and buying them back up at .01 each, allowing you to make off with 500,000 bitcoins worth 2 million dollars, but Kevin came in and made equal buy orders, thus cutting your stolen profits in half?

Mark: Well, we can’t really prove that we didn’t, but Kevin logged in 5 minutes after the hacker did!

FBI: Come with us, please.

Bye Bye, Mt Gox!

Karpeles seems intent on going this route, although it’s difficult to imagine how such a scenario would be in anyone’s best interest. The unbridled enthusiasm Karpeles seems to have towards giving away users’ personal information is staggering, and should be a strong warning for anyone considering using MtGox once it is back online.

As an old Russian proverb says, “When you dance with the bear, you don’t get to stop just because you’re tired.”


I don't understand how anybody can consider himself or herself to be anonymous when using this currency in a public environment such as a major exchange. All major means of cashing out to any traditional fiat currency sends out a pulse to the rest of the internet that you are here and you are using this money and even how much you are using. Bitcoins provide only marginally more anonymity than people using pen names while mailing each other non-sequential small bills without using return addresses.

Nice article Dan, but I think you may be overestimating the time it takes to crack an MD5 hash with GPU crackers.

It would also be worth noting that the mining rigs bitcoin miners use are also the perfect tools for GPU based password cracking.
