Pay the Devil in Bitcoin_The Creation of a Cryptocurrency and How Half a Billion Dollars of It Vanished from Japan
Page 6
All this was known as the “Mt. Gox rollback” among Mt. Gox users at the time. Karpelès rewrote almost all the code used to run the website and exchange. McCaleb’s still-existent account had certain administrative privileges, and these were also changed.
Three individuals came to help Karpelès deal with the hack: the Bitcoin Jesus (Roger Ver), Jesse Powell, and one other cyberhero. Powell is the cofounder and CEO of Kraken, a leading San Francisco–based bitcoin exchange. These people provided a support team while Karpelès was trying to put a new Mt. Gox together that would go live as quickly as possible, even if it meant working night and day and during weekends.
“Conditions in the office with all these people around made it very hard to concentrate,” Karpelès recalled. “So it took a while to rebuild Mt. Gox. I created a system to allow users to recover control over their accounts, which worked pretty well. In fact, to my knowledge, Mt. Gox is the only bitcoin exchange to have successfully recovered from such an attack. Later, in August 2011, a system of ‘cold wallets’ was put in place in order to increase security. Around that time, we also reformed the original bitcoin core software.”
But Karpelès failed to solve the problems, according to experts at WizSec, a bitcoin security firm established in 2014 in Tokyo by former Mt. Gox creditors. They launched an independent investigation in early 2014, drawing on as many sources of information as possible, including transaction data leaked by hackers and interviews with ex-employees, in an attempt to reconstruct relevant parts of Mt. Gox’s database. Bitcoin addresses, deposits, and withdrawals were matched against the blockchain to detect any irregularities.
Their conclusion was that Mt. Gox’s system had been compromised by a hacker or hackers who slowly extracted funds from the exchange between the summer of 2011 and September 2013.
In a report published in April 2015 they wrote:
Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox was technically insolvent for years (knowingly or not), and was practically depleted of bitcoins by 2013. A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox’s collapse).2
In plain English, Mt. Gox had been running on empty long before it collapsed in 2014. It had enough capital to do business, but any slowdown could mean disaster. The business it did, however, was substantial. By January 2014, Mt. Gox was handling millions of dollars in daily transactions, sometimes as much as $20 million in one working day.
If Karpelès knew just how precarious this situation was, he seems to have decided to plow on regardless. And neither the Financial Services Agency nor the Ministry of Finance nor the Bank of Japan did anything to regulate Mt. Gox, though all acknowledged that they knew of its activities.
It’s a shame that Karpelès didn’t read Spider-Man comics. As Uncle Ben said, “With great power there must also come—great responsibility!”
Karpelès had always loved Japanese manga but had relatively little interest in Western comics, so he may never have been exposed to this bit of comic book wisdom. For him, with great power came great wealth, and with great wealth, great silliness. He began to indulge himself, splurging on prostitutes, pet projects (of which, more later), and other amusements. He bought himself a custom-made bed that cost millions of yen. If he had learned to separate his personal account from that of his company and simply paid for stuff out of his own lavish salary, things might have gone better down the line.
The Mt. Gox site started accepting a dozen different currencies. Their first Japanese banking partner was Sumitomo Mitsui Banking Corporation (SMBC), but the man responsible for the account was reappointed elsewhere and his replacement felt uneasy about bitcoin. Mt. Gox switched to Mizuho Bank when SMBC was spooked by the unexplained decision taken by HSBC in Hong Kong to close Mt. Gox’s account without returning its money.
More staff were hired to cope with expanding business, making it too expensive to stay at the Cerulean Tower. In the summer of 2012, the company moved to a different section of Shibuya, just behind the Cross Tower, on the fifth floor of a small building known as Round Cross Shibuya.
Twenty twelve was obviously busy. In order to tackle business operations in North America and to avoid the complex licensing regulations there, Mt. Gox signed a contract with a Seattle bitcoin service, CoinLab, in November, after a summer filled with negotiations. CoinLab was relatively new on the scene, but they had gained attention due to large funding from venture capitalists. They also managed the Bitcoin Foundation.
It seemed to be a good deal for both parties. CoinLab had a small but passionate team that could use the extra business and advice from an experienced company like Mt. Gox. And Mt. Gox, with CoinLab handling its US and Canadian clients, wouldn’t have the hassle of getting a license to function there.
As it happens, four financial experts gave differing answers to the question of whether a license was required at all. Some said that bitcoin was not regulated, so a license would be unnecessary. Others said a license was required but would be nearly impossible to get. The money-transmitting-business (MTB) license covering all US states cost almost $50 million. Mt. Gox didn’t have $50 million to invest at the time.
According to Karpelès, CoinLab assured him that they could handle the license situation.
The Financial Crimes Enforcement Network (FinCEN), an agency within the US Treasury Department, ruled in March 2013 that “a person is an exchanger and a money transmitter if the person accepts such decentralized convertible virtual currency from one person and transmits it to another person as part of the acceptance and transfer of currency, funds, or other value that substitutes for currency.” FinCEN’s mission is to safeguard the US financial system from misuse and to combat money laundering. In line with that mission, they took a hard line with money-transmitting businesses. The new “guidance” issued in March appeared to indicate that all money-transmitting businesses using virtual currency had to get an MTB license where anti–money laundering and know-your-client (KYC) measures were enforced and the people they did business with were identified.
A few months after the partnership began, problems started to arise.
On May 2, 2013, CoinLab filed a $75 million lawsuit against Mt. Gox, accusing it of not giving them full access to their North American clients, and continuing to serve customers there. Later that month, as part of the investigation into Silk Road, the US government seized a total of $5 million from Mt. Gox’s accounts in North America and Karpelès’s private account.
“With CoinLab threatening us legally,” Karpelès said sadly, “Mizuho Bank recommended that we find another bank. Then a few weeks later, they refused to handle any outgoing international remittance transactions. We had no better alternative than to start using Japan Post Bank to do our computer transfers, at a maximum of ten per day, while our lawyers in the US were discussing with the prosecutors whether they could cancel the fund seizure.”
Negotiations with other banks outside Japan did not work out. Eventually the company created a working relationship domestically with Japan Net Bank to solve their money-transfer issues.
To all appearances, Mt. Gox was still a success. It was still the largest bitcoin exchange. During the month of May 2013, it traded an average of $18 million a day, which was 70 percent of all bitcoin exchange transactions.
This wasn’t enough, though. Karpelès wanted more. He wanted to set up a bitcoin coffee shop to attract more Japanese users, with a staff of beautiful bitcoin baristas. He would call it the Bitcoin Café, with a proper accent above the e—he is a Frenchman, after all. People would pay for their hot coffee and croissants with bitcoins. It would show the Japanese people how simple bitcoins were to use. It would also act as a community center for bitcoin fans.
On Aug
ust 29, 2013, Karpelès officially launched the café project. He even had the coffee mugs specially designed. But all this took more time than expected, and it wasn’t able to open on schedule.
Around November, he bought the company Shade 3D, allegedly in order to have a side business and guarantee the availability of cash in case he needed it.
And while he was busy with these sidelines, bitcoin was constantly in the news overseas.
On October 1, the FBI arrested Ross Ulbricht, the alleged founder of Silk Road. That same month, Mt. Gox acquired a money-service-operator license in Hong Kong. On October 29, the Las Vegas start-up Robocoin launched the world’s first bitcoin ATM.
In November, the bitcoin price exceeded $1,000 on Mt. Gox. In December, the number of verified customers on the exchange surpassed a million. The de facto value of a single bitcoin was whatever it was being sold for on Mt. Gox.
Mt. Gox had become the Dow Jones of the bitcoin world.
At this point, Karpelès had moved from his home in Tokyo’s Setagaya Ward to a new apartment in Meguro Ward due to domestic issues with his ex-wife, Kyoko. His new home was on the twenty-eighth floor of the luxurious apartment complex La Tour Aobadai.
Despite his wealth and growing fame, Karpelès was spending most of his free time eating junk food, watching anime, and compiling code. As his friend and colleague Julien Laglasse, a Frenchman living in Tokyo, says: “Mark is happy as long as he has a pizza, a coke, a computer to work on, and his two cats around him. He is not a greedy guy.” The trouble was, he wasn’t a careful guy either, and someone who was managing millions of dollars of clients’ money and a staff of over forty needed to be.
Before the shit hit the fan, someone on the Internet Relay Chat #mtgox publicly announced that Mt. Gox could be attacked via the method known as “transaction malleability” and explained how to do it. As a consequence of the warning, Karpelès improvised a way to block that attack immediately. Later that month, he received an e-mail from a shady character offering to sell information about angry Silk Road vendors trying to attack Mt. Gox. He ignored it.
But there came a point when reality couldn’t be ignored any longer. On February 7, 2014, Mt. Gox temporarily halted all withdrawals. The measure was taken due to the theft or disappearance of hundreds of thousands of bitcoins owned by Mt. Gox customers, as well as by Mt. Gox itself.
In a press release three days later, the company said it had suspended withdrawals because of a software flaw that would allow traders to defraud the exchange. However, what really happened was that Karpelès was beginning to confront the fact that a colossal sum was missing. To be precise, he was either just realizing that this had happened or found himself in a position where he had to admit the money wasn’t there—and that it hadn’t been there earlier. Only Mark Karpelès really knows the truth.
The announcement drew the ire of the bitcoin community because the flaw was allegedly well known and others in the business had already accounted for it. Mt. Gox was blaming the software when it should have taken direct responsibility itself. Its excuse reflected badly on the currency.
Jason Maurice, once at WizSec and now a freelance security adviser, believes that Karpelès misjudged the severity of the security issue and didn’t implement a correct fix when it was needed. According to Maurice, it was only in early February 2014 that Karpelès understood the danger of the bug and came up with a proper solution, but by then it was too late. The damage had been done.
“Basically he dismissed a multimillion-dollar bug in his software that any decent software engineer would immediately have realized was a major issue,” Maurice said in our talks with him. “Any other financial institution would have a quality assurance team to find something like that, but for Karpelès it was all up to him.”
In addition to leaking money through the bug, the company might accidentally have been giving it away.
“Essentially, Mt. Gox was a dysfunctional organization,” said someone who once worked for the company.
Nobody was doing accounting reconciliation, and there was an exploitable fault in the transaction system that allowed people to get more or less paid twice. Think of it this way: if bitcoins were like frozen hamburger patties being served at a diner with a touchscreen menu, someone figured out a way of tapping the screen to get two for the price of one. Then one day somebody at the diner went to the freezer and realized they were completely out of hamburgers—and they’d only served half the customers they thought they had.
The bitcoins were poorly secured, digitally and physically.
Former employees from the exchange claimed that at some point they stored about 90 percent of their bitcoins in paper wallets and USB keys. By moving bitcoins into a paper wallet—a printed document that contains all the necessary data to operate one or more private keys—the keys are no longer digitally stored where they might be subject to attacks. However, if the paper wallet is lost, the bitcoins in the wallet are also lost. Apparently, paper wallets at Mt. Gox were often haphazardly stored in the office, buried in sofas, or pushed behind desks. Karpelès denies this, saying that he shredded them once they had been inserted in the system “for security reasons.”
According to another former employee, Mt. Gox “rented safety-deposit boxes in banks. When they needed to refill the transaction accounts, they took the bitcoins out of storage and deposited them in the system. There was no reconciliation in the accounting sense between the cold storage and the transactions done. As long as money was coming in at a steady pace, no one realized they might actually have been losing a lot of money. And when they did, all hell broke loose.”
In February 2014, Karpelès informed this person that an estimated 850,000 BTC was unaccounted for—at the time, the equivalent of close to $462 million. He told him that users, exploiting flaws in the system, had probably siphoned off the bitcoins over several months. In particular, there seemed to be a system glitch that made it possible to get a payment reissued.
Teikoku Databank, Japan’s largest and most respected credit-rating agency, had reviewed the company in July 2013, months before the collapse. The bank gave it a D4, the worst-possible rating a company can receive on their scale. One of the reasons for the low rating was the lack of qualified accounting staff at the company. There is also the possibility that Teikoku Databank simply had no idea of how to account for the value of bitcoins—a problem not unique to them.
Mt. Gox had survived hacks, system failures, and seizures by the authorities, but now things looked hopeless for them. Thousands of customers were unable to withdraw deposits, and Karpelès wasn’t talking to the press. Speculation was rampant as to what exactly had happened, and the bitcoin world was in a panic.
Key members of the Mt. Gox staff and consultants gathered and brainstormed for a way to keep the company solvent, protect its assets, and move forward. They drafted a document—a “Crisis Strategy Draft”—that was meant to show investors the problems and possible solutions. On February 24, Karpelès resigned from the board of the Bitcoin Foundation, of which he was a founding member along with Gavin Andresen (the chief scientist), Charlie Shrem, and Roger Ver, among others. He reportedly told the organization of the troubles on the horizon.
The final nail in the coffin was the unauthorized release of the Crisis Strategy Draft, the supposed plan for saving the company. The document was unfinished.
“The Crisis Strategy Draft had only been shown to a few people, including the Winklevoss twins, who were active investors in the industry and SecondMarket executives. If, prematurely, it got into the public domain, it would be disastrous,” another former employee said. A few days after being put together, the document was leaked to the blogger the Two-Bit Idiot, who published it on the web on Monday, February 24, 2014, at 6:23 p.m., EST. It spread across the Internet within hours.
The media were soon all over the story. (It was at this point that we began covering it.)
If the document hadn’t been leaked, Mt. Gox might have survived.
Mt. Gox suspended all trading after internal investigations discovered a loss amounting to 744,408 BTC. The accounting practices at the firm were so slipshod, however, that even what seemed like an “exact” sum wasn’t accurate. On February 25, after confirming with their lawyers that the end was near, they shut down entirely. Since Karpelès still wasn’t sure exactly how many bitcoins were missing, he started scanning the paper wallets and confirmed that the cupboard was bare.
On February 28 at 11:39 a.m., EST, the Daily Beast published “Inside Japan’s Bitcoin Heist,” reporting the amount of missing bitcoins to be 820,000 BTC—the closest figure yet to Karpelès’s initial calculation.
Mt. Gox filed for bankruptcy protection with the Tokyo District Court. It declared liabilities of about ¥6.5 billion ($64 million at the time). The company said they had lost almost 750,000 BTC belonging to its customers and about 100,000 BTC of its own, then worth around $462 million.
Karpelès remembers that day well. “I went to the Tokyo District Court with my lawyers in the afternoon and, by the end of the afternoon, the order was given. With just thirty minutes to prepare, we then gave a press conference. The room was full.”
He answered the questions in his French-accented Japanese without forgetting to make the deep bow of atonement and apology expected of a CEO.
“The press conference in itself went okay, although one cameraman decided to ask questions in English, which I wasn’t prepared for. But the worst thing was the walk to the taxi outside, with all the reporters surrounding me, getting closer and closer. Once in the taxi, the driver had to struggle hard to get out of there. I was followed all the way to the Baker & McKenzie offices, where I was finally able to rest a bit before driving home.”