Mt. Gox Bitcoin Hack Teaches Us Today
Today marks the eighth anniversary of the fall of Mt. Gox, the once-popular online exchange that at one point accounted for the majority of all Bitcoin transactions.
Tokyo-based Mt. Gox, whose domain (MtGox.com) was originally registered in 2007 to host a trading site for the wildly popular “Magic: The Gathering” game cards, began operating as a rudimentary bitcoin exchange in late 2010. However, as business began to drive huge traffic, the owner sold the platform to Mark Karpeles.
Karpeles, an avid programmer and Bitcoin enthusiast, beefed up the web platform’s code to handle an increased volume of Bitcoin transactions and buy and sell orders. But ultimately, the exchange’s failure demonstrated that he did not do a sufficient job in the technical or management aspects of the business, as he tried fulfilling the role of Mt. Gox’s chief executive officer with little experience.
On February 24, 2014, Mt. Gox suspended trading and went offline. Eventually, it came to light that Mt. Gox’s infrastructure had been exploited by attackers multiple times over the course of several years, who slowly robbed the exchange of its bitcoin by manipulating parts of transactions data — a characteristic known as transaction malleability — leading Mt. Gox to believe that certain withdrawals had not happened, prompting it to re-send requested funds multiple times.
Earlier that month, Mt. Gox had gone offline for a few hours and its team issued a press release blaming the Bitcoin protocol itself for being faulty in its transaction watching mechanism. When receiving a withdrawal request, the exchange would observe the Bitcoin blockchain for a confirmation of the withdrawal transaction ID — a hash constructed from the transaction’s information. However, a transaction ID is only final once the transaction gets confirmed on the blockchain, a characteristic that let attackers alter parts of the transaction data — not including the inputs and outputs — and thus alter the transaction ID. The result? Mt. Gox’s database would not show a successful withdrawal as the transaction ID that the exchange was watching for would never get into a block, but the attacker would still receive the bitcoin as the altered transaction did get confirmed.
While this accounting discrepancy was, surprisingly, never spotted, on February 24, 2014 an internal Mt. Gox document was leaked, detailing how big of a hole it had really carved itself into. The document indicated that over 744,000 bitcoin were stolen, worth about $35 million then and almost $30 billion now. But Mt. Gox’s final vulnerability exploit was not its first.
A Troubled Bitcoin Exchange
The company’s security flaws started being leveraged by hackers three years earlier, in 2011, when thousands of bitcoins were drained from the exchange in at least four separate occasions.
On March 1, 2011, thieves managed to make a copy of a Mt. Gox hot wallet’s wallet.dat file and stole 80,000 BTC. In May, an even greater amount of the peer-to-peer currency was stolen from the exchange as hackers accessed 300,000 BTC being stored in an off-site wallet on an unsecured, publicly-accessible network drive. The thieves returned 297,000 bitcoin shortly after, however, keeping only a 3,000 BTC “keeper’s fee.” The next month, an attacker managed to access an internal administrator account and manipulate prices, temporarily crashing the market and later stealing 2,000 bitcoin.
In September of the same year, a hacker managed to get read-write access to Mt. Gox’s database, which enabled them to create new accounts on the exchange, inflate user balances and withdraw 77,500 BTC — after which they covered their tracks by deleting most of the evidential logs. In the following month, a bug in the CEO’s new wallet software led to 2,609 BTC being sent to an unspendable null key.
In 2013, a hacker once again obtained a copy of Mt. Gox’s wallet.dat file and stole a staggering 630,000 BTC.
By 2014, Mt. Gox was such a troubled exchange that people began offering their bitcoin held in Mt. Gox at a discount for “real” bitcoins — a fallback mechanism encountered by those who found themselves stuck, unable to withdraw any BTC from Mt. Gox. The seller would transfer bitcoin from their Mt. Gox wallet to the buyer’s Mt. Gox wallet, an internal transaction that didn’t require a proper withdrawal of funds, while the buyer would transfer on-chain bitcoin from their wallet to the seller’s self-custody wallet.
Mt. Gox’s withdrawal issue was so severe that an Australian Mt. Gox user flew all the way to the exchange’s headquarters in Japan to protest and question Karpeles about why they couldn’t remove their funds from the exchange. Citing “technical issues” as opposed to egregious management errors that preceded the withdrawal matter, Mt. Gox executives refuse to cite details of what was going on behind the curtains. After the user left back to Australia, Mt. Gox formally announced all withdrawals were frozen indefinitely.
Centralized Architectures Are Still Security Holes
Despite a series of isolated hack cases in the preceding years, Mt. Gox eventually drowned itself through years of management-level neglect and faulty software.
Speaking of software, one internal worker disclosed that Mt. Gox did not use a version control system at all — a reality that may seem absurd for a business that handled as much financial value as Mt. Gox did. Moreover, all code changes had to be approved by CEO Karpeles, meaning urgent bug patches could sit at his desk for weeks until he came around to review and push them to the main code. In fact, a code testing suite did not even exist for many years; new features and bug fixes relied solely on a human check before being implemented to the thousands of users relying on the exchange for their bitcoin purchasing, selling and custodying.
Although Mt. Gox’s approach to technical infrastructure and software development represent the ultimate level of centralization, as it relied heavily on Karpeles, ultimately, all centralized systems suffer from the same drawbacks, inherent to their centralization, and represent a single point of failure.
Therefore, even though increasing security and robustness in a centralized exchange is paramount, the true answer for long-lasting security and wealth preservation lies in decentralized systems. While centralized exchanges and services perpetuate the flawed traditional financial system that Bitcoin was created to replace, the decentralized P2P monetary system enables anyone to exert total control over their finances. However, for that sovereignty future to happen, users need to hold their bitcoin on their own self-custody wallets.
Mt. Gox Highlights The Importance Of Self-Custody
Mt. Gox declared bankruptcy later on in February 2014, shedding light on the series of hacks that ensued through its faulty withdrawal-checking software that didn’t account for transaction malleability — a possibility that had been publicly known since at least 2011.
Even though the exchange tried blaming Bitcoin itself, it was clear that the only system to blame was its own — a bad custom implementation that cost thousands of people their lives savings. Even Bitcoin entrepreneurs who supposedly knew of the dangers of third-party custody and the importance of self-custody lost hundreds of bitcoin in Mt. Gox’s downfall because of convenience.
Therefore, even though Mt. Gox’s decay was detrimental to Bitcoin and its perception around the world in the short term, it was arguably the most important reminder that users could have received about the importance of self-custodying one’s bitcoin holdings.
What was true then is still true today: It is only through complete ownership of private keys that a Bitcoin user can control the amount of bitcoin they presume to own. However, users still keep millions of bitcoins in centralized exchanges.
Withdraw Your Bitcoin Now
It is never too late to get into self-custody. Even though the best day to withdraw your bitcoin from a centralized exchange or third-party custodian was yesterday, the second-best day is today.
Do not postpone withdrawing your bitcoin — it is the most asymmetrical investment you can make. Self custody can provide assurances that can last generations. From the simplest self-custody setup to a more robust one, a Bitcoin enthusiast will only be turned into a Bitcoiner when they see their BTC out of an exchange and on a self-custody wallet.
Start small, configuring a simple mobile wallet for example and withdrawing a portion of your bitcoin holdings, so you can see that it can be done. Incrementally transfer coins out of the centralized wallet and into your own until all of your funds are under your control. There are even white-glove self-custody services available for users afraid of messing up.
Whatever you end up doing, do not keep your bitcoin holdings on a centralized exchange.