Mt.Gox exchange: the largest hack in the history of cryptocurrencies

Published in

Coinmonks

9 min readNov 29, 2022

Mt.Gox, which began operations in 2010, was one of the world’s first bitcoin exchanges. The platform accounted for 70% of the total trading volume of the first cryptocurrency by the beginning of 2014. What happened? Let’s take a look together!

Mt.Gox ceased operations in 2014 due to a discovered “hole” in user balances caused by a hacker attack. Between 2011 and 2013, the attackers were able to withdraw 650,000 BTC from the exchange without being detected. This was the biggest cryptocurrency hack in history.

Mt.Gox has been in the process of civil rehabilitation since 2018, which includes the payment of remaining cryptocurrency on the exchange’s accounts to affected customers. Around 25,000 users applied for compensation in total.

The organizers and perpetrators of the Mt.Gox hack have yet to be identified. In the United States, Alexander Vinnik, the former administrator of the Russian BTC exchange, is facing charges of laundering cryptocurrency stolen from Mt.Gox.

Who founded Mt.Gox and when?

The history of Mt.Gox did not begin with cryptocurrency. In 2007, Jed McCaleb, the future co-founder of the Ripple and Stellar crypto projects, registered the site mtgox.com. He launched a platform there called “Magic: The Gathering Online EXchange” for trading cards of a popular fantasy game. In an abbreviated version, the name of the service sounded like Mt.Gox.

After learning about cryptocurrency in the summer of 2010, McCaleb decided to transform Mt.Gox into a bitcoin exchange. A year later, McCaleb sold it to French developer Mark Karpeles, who lived in Japan, citing a lack of time for project development.

According to Rollingstone, Karpeles received Mt.Gox virtually for free. In exchange, he was obliged to pay McCaleb 50% of the profits in the first 6 months of ownership and 12% in the future.

Meanwhile, Mt.Gox gained popularity quickly. In 2011, the user base of the platform had already numbered tens of thousands of customers. And by 2013, the volume of bitcoin trading on the site amounted to about 70% of the global total.

The first hacking on the exchange

Mt.security Gox’s issues began before the platform was sold. Later, it was revealed that in March 2011, Karpeles informed McCaleb of the loss of approximately 80,000 BTC in user funds. As a result, they ignored it. Karpeles stated that the stolen funds were transferred to a blockchain address owned by Craig Wright, the creator of Bitcoin SV, in 2020. Some speculate that he is responsible for the subsequent platform hacking.

The first publicly recorded attack on Mt.Gox occurred in June 2011. The hackers managed to steal at least 25,000 BTC, which was about $400,000 at that time. As a result, the bitcoin price on Mt.Gox collapsed from $17 to almost zero.

Based on the results of an internal investigation, Karpeles concluded that the attackers had hacked the old administrator account of Jed McCaleb, which allowed access to funds and personal data of the exchange’s clients.

Mt. Gox was restored about a week after the attack, and Karples demonstrated that he controls bitcoins on the platform’s wallets by making a confirmation transaction, as well as compensating customers for losses.

Success and new issues (2011–2013)

Following the initial attack, Mt.Gox gradually recovered, and by 2013, it had become the world’s largest bitcoin trading platform. The company relocated its headquarters to Tokyo’s prestigious business district, and Karpeles was an active media speaker in the bitcoin industry.

As it turned out later, despite its external successes, Mt.Gox faced significant internal difficulties. For example, it had no control over the code’s quality or security. Furthermore, the project lacked a financial accounting and control system for balance sheets and reserves. Simply put, no one tracked the flow of money and cryptocurrencies.

The majority of Mt.Gox users were from the United States, but the exchange lacked a license to operate there. As a result, in May 2013, US authorities seized approximately $5 million in project funds stored at the Dwolla processing service. Nonetheless, Mt. Gox obtained a cash operator license from FinCEN.

However, in June, the crypto exchange suspended dollar deposits after the Japanese bank Mizuho refused to service its accounts. Users also began to complain loudly about lengthy withdrawals of funds.

Re-hacking and closing Mt.Gox

In February 2014, Mt.Gox abruptly halted bitcoin withdrawals. According to the platform’s press release, the attackers used a bug in the bitcoin code to double spend coins, which they applied to the exchange’s blockchain address. After that, the platform finally halted all conclusions.

By the end of the month, the bitcoin price on Mt.Gox was only 20% of the market average, indicating investors’ confidence that the project would no longer be able to solve the problems that had arisen. On February 24, all trading operations on the platform were halted, and the platform’s website went offline a few hours later.

As it turned out later, the exchange team discovered the theft of approximately 750,000 BTC from users, which went unnoticed for several years. As a result, the platform turned out to be insolvent. On February 28, Mt.Gox announced bankruptcy and closure.

How many bitcoins were stolen from Mt.Gox?

As specified in the bankruptcy application, in addition to the user cryptocurrency, criminals stole 100,000 BTC from the stock exchange.

Thus, the total amount of thefts amounted to 850,000 BTC, or about 7% of the entire cryptocurrency issue at that time.

The total amount of thefts was estimated at $440–480 million. As of September 2022, when the price of bitcoin was approximately $20,000, it was already about $17 billion.

In addition to bitcoins, $28 million in fiat money also “disappeared” from Mt.Gox bank accounts in Japan.

In March 2014, Mt.Gox reported the “sudden” discovery of about 200,000 BTC stored at an address of the old format, which was used until June 2011. At the same time, the address was active just a few days before its “discovery”. This reduced the total amount of cryptocurrency losses to 650,000 BTC, although it did not save Mt.Gox from closure.

The details of hacking Mt.Gox

The second and largest hacking of Mt.Gox was the result of a low level security and numerous management errors. According to the findings of WizSec’s research, the second and largest attack began back in 2011. Here is what the experts found out:

In September 2011, hackers managed to steal the private key from the hot bitcoin wallet of the Mt.Gox exchange. Thanks to him, the attackers gained control over the flows of users’ cryptocurrencies to the exchange;
Using this private key, hackers have been quietly, but regularly, emptying the exchange’s accounts for more than one year;
In mid-2013, when the volume of deposits on the exchange slowed down, hackers immediately withdrew 630,000 BTC from the Mt.Gox wallet.

How is Alexander Vinnik’s arrest connected to Mt.Gox?

Since many of the affected Mt.Gox users were from the United States, the country’s authorities launched an investigation.

At the end of July 2017, the administrator of the largest Russian BTC-e crypto exchange, Alexander Vinnik, was detained in Greece.

He was accused of laundering Mt. Gox’s stolen funds. According to the US Department of Justice, a criminal organization led by Vinnik was able to launder nearly 307,000 BTC from the 850,000 BTC stolen from Mt.Gox through BTC-e.

Several countries, including the United States, France, and Russia, asked for Vinnik’s extradition to stand trial in Greece. He was extradited to France in 2020 and sentenced to five years in prison and a fine of 100,000 euros. Vinnik will be extradited to the United States in the summer of 2022. He faces up to 55 years in prison.

Investigation and trial

In May 2016, the Canadian crypto exchange Kraken, which assisted in the investigation, completed the process of collecting and analyzing creditors’ claims. According to Kraken, 24,750 users applied for payments.

According to the decision of the Tokyo District Court, which became the main instance for the consideration of the Mt.Gox case, the process of reimbursing creditors moved from bankruptcy proceedings to civil rehabilitation. In the first case, creditors would receive compensation equivalent to assets at the time the company filed for bankruptcy, in the second — “physical” bitcoins or an equivalent amount in fiat currency at the time of payments.

In February 2021, the court approved a plan to reimburse bitcoin creditors, and only in July 2022, the trustee of Mt.Gox, Nobuaki Kobayashi, announced the beginning of preparations for the reimbursement of funds. At the time of preparation of the material, mid-September 2022, no exact figures and dates regarding payments were indicated.

Mark Karpeles’ further fate

On August 1, 2015, the Japanese police arrested the former head of Mt.Gox, Mark Karpeles. He was charged with fraud, misappropriation of funds and manipulation of the exchange’s computer system to artificially increase the balance of accounts.

However, Karpeles was released from prison in July 2016 on bail of approximately $95,000. In March 2019, he was found guilty of document forgery and sentenced to two years and six months in prison, which was later replaced with four years probation.

In the spring of 2022, Karpeles announced his intention to open a crypto rating agency and distribute NFT to former Mt.Gox clients.

How many cryptocurrencies are left on the Mt.Gox addresses?

It is known that Nobuaki Kobayashi, the trustee of Mt.Gox, managed to sell some of the assets in BTC and BCH in early 2018, before switching from bankruptcy to civil rehabilitation. Kobayashi sold 24,658 BTC and 25,331 BKM for a total of $406 million from April to May 2018.

According to the Cryptoground service, which tracks the balance of the Mt.Gox wallet, there are a total of 137,891 BTC and 137,891 BCH on the exchange’s accounts, which is more than $2.3 billion at the exchange rate as of September 15, 2022.

Which compensation will Mt.Gox’s clients get?

Exact data on bitcoin payments to creditors is not available in public documents. However, a CoinLab representative stated in 2021 that they will only be able to reimburse 0.23 BTC for each bitcoin stolen from Mt.Gox users.

After a while, special companies began to appear, offering to buy out creditors’ claims on the exchange. For example, at the end of 2019, the Fortress investment group wrote to the creditors of the bankrupt Mt.Gox exchange, offering to redeem their claims for $5,000 per bitcoin. The advantage of the offer was the possibility of receiving payment without having to wait for the completion of a lengthy trial.

In dollar terms, 0.23 BTC will cost about $4,600 at a price of $20,000 per bitcoin at the exchange rate on September 15, 2022. At the time of filing for bankruptcy in 2014, the price of bitcoin was at $489. This represents almost a tenfold profit in dollar terms, despite the loss of more than three quarters of assets in bitcoin.

In the fall of 2021, a compensation plan was published, which was approved by the court. However, so far payments to former Mt.Gox users have not started.

What are your thoughts? If you have anything to add to the Mt.Gox topic, please leave your comments below!
Follow Sunflower Corporation on Medium or Twitter for regular updates about trending Crypto news.

Sunflower Corporation — a new cryptocurrency derivative exchange focused on the best trading experience and tech excellence.

We offer BTC/USDT perpetual futures with up to x100 leverage, as well as the most trending instruments. When you trade with us you get a customizable trading terminal, a variety of charts, tools for technical analysis, a wide range of order types, and an option of “stop loss” and “take profit” orders.

New to trading? Try crypto trading bots or copy trading