HACKED

Behind the Biggest Bitcoin Heist in History: Inside the Implosion of Mt. Gox

Mt. Gox was once the biggest exchange for the virtual currency. Then half a billion dollars’ worth went missing. Emails give important clues to what happened.

TOKYO — When Mark Karpeles, the CEO of what was once the world’s largest Bitcoin exchange, said that the company had gone bankrupt because 800,000 bitcoins (worth nearly half a billion dollars at the time) had been hacked, he wasn’t exactly lying. He wasn’t exactly telling the whole truth, either, but there was an intriguing element of fact.

At least 80,000 had been hacked before Karpeles even took over the company, and that initial cyber theft began a spiral of trouble that may have led directly to the firm’s financial collapse.

This week The Daily Beast obtained internal emails, contracts,, and other documents related to the implosion of Karpeles’s company, Mt. Gox. Along with information provided by a former employee who handled accounting for the firm, the documents reveal previously unreported details about how Mt. Gox failed, and why.

According to Karpeles’s lawyer, Nobuyasu Ogata, one of the emails has been submitted to the court as evidence by the prosecution to demonstrate that Karpeles was not forthcoming with his customers. But the same email can be used to argue for his innocence on other charges. 

Mt. Gox, which was once the world’s largest exchange for the decentralized virtual currency, filed for bankruptcy protection in February 2014, when it was reported that 850,000 bitcoins, worth $450 million at the time, had disappeared or been stolen by hackers. Mt. Gox said it also lost $27 million in cash.

Originally, the company had been created as a platform for trading playing cards. Pokémon probably is the most familiar version in the West, but these were for Magic: The Gathering, a game that was popular among kids who gave up on any hope of being “cool” at high school; a dungeons and dragons sort of card game for obsessive fans.

The company we’re writing about here was called Magic: The Gathering Online eXchange, which is where Mt. Gox derived its unusual name. But in a very short time, it left the original nerds far behind as bitcoins came in and cards went out. And then, a whole lot of bitcoins went missing.

To date, 650,000 bitcoins, currently worth $292 million, remain unaccounted for, and Karpeles is facing several criminal charges—but none of them deal directly with the absent virtual currency. 

In November of last year, Japanese prosecutors finally finished bringing criminal charges against Karpeles after re-arresting him again and again in hopes that he would confess to every crime they thought he might have committed. 

It should be noted here that one of the reasons Japan’s prosecutors have a 99 percent conviction rate is that a suspect can be held up to 23 days after an arrest, without having a lawyer present during daily interrogations. If the suspect is denied bail, the police and the prosecutors have even longer to question the suspect. Eventually most people do confess to the charges against them—guilty or not.

When the prosecutors concluded their investigation into Karpeles in November, he was indicted for improper use of electronic funds and embezzling a total of over 300,000,000 yen ($2.7 million) of customer funds.

At this point in time, Karpeles’s lawyers would only say that Karpeles had made no confession to the police and that Karpeles is only guilty of sloppy accounting, mixing personal accounts and corporate accounts, not embezzlement.

Yet the documents obtained by The Daily Beast, which included correspondence between Mark Karpeles and the original founder of Mt. Gox, Jed McCaleb, suggest that Mt. Gox was plagued by problems from its earliest days, before Karpeles had even taken over the company. The Daily Beast was given internal documents including emails by a former consultant to Mt. Gox and then verified them with Karpeles’s lawyer, former employees, and sources in law enforcement.

Jed McCaleb first approached Mark about selling him Mt. Gox in January of 2011. In an email dated Jan. 18 that year, McCaleb wrote to his acquaintance Karpeles:

Hi Mark~

Get The Beast In Your Inbox!
By clicking "Subscribe," you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason

Please keep all this confidential I don’t want to start a panic and I’m not sure I’ll do it yet but I’m thinking I might try to sell mtgox. I just have these other projects I would like to devote more time to. Would you be interested? It could be very little up front and just a payout based on revenue or something. There is also an investment group that wants to fund mtgox. Probably around $158k. So you could most likely take it over with some cash.

Let me know

Thanks,

Jed.

Karpeles had become interested in Bitcoin in late 2010 and saw the Mt. Gox platform as the perfect place to set up a Bitcoin exchange. In the early days of the currency, changing fiat money (real money) into bitcoins was an arduous task.

Karpeles agreed to purchase the company from McCaleb and by Feb. 3, 2011, he had signed an agreement with McCaleb to buy the firm, under some very unusual terms.

The seller (McCaleb) wrote into the contract that “the Seller is uncertain if mt.gox.com is compliant or not with any applicable U.S. code or statute, or law of any country.” And it included an article of indemnification: “The buyer agrees to indemnify Seller against any legal action that is taken against Buyer or Seller with regards to mtgox.com or anything acquired under this agreement.”

Shortly after the handover, Karpeles became aware that Mt.Gox had already been hacked at least once and was missing a substantial number of bitcoins—a total of 80,000 to be precise.

The following email on April 28, 2011, which reportedly has been submitted into evidence by both sides in the trial, was probably the beginning of Mark Karpeles’s nightmare:

From: Jed McCaleb <[email protected]>

Date: 2011/04/28 22:33

To: Mark Karpeles <[email protected]>

I can’t tell how big an issue it will be to be short 80k BTC (*80,000 bitcoin) if the price goes to $100 or something. That is quite a bit to owe at that point but mtgox should have made a ton of BTC (Bitcoin) getting to there. There is also still the fact that the BTC (Bitcoin) balance will probably never fall below 80k. So maybe you don’t really need to worry about it.

There are 3 solutions I have thought of:

- Slowly buy more BTC with the USD that Gox Bot has. Hopefully you would fill up the loss before the price got out of hand.

- Buy a big chunk of BTC (really just moving the BTC debt to the USD side) If BTC goes up this is a huge win. Problem is there isn’t enough BTC for sale on mtgox. Maybe you could find someone on the forum to do it.

- Get those crystal island people to investThey have 200+ BTC so they could fill in the gap.

Maybe you could just mine it

The Daily Beast has been trying to reach Jed McCaleb for several weeks both through his email accounts and social media accounts but he has not responded.

Kim Nilsson, a computer security expert at WizSec who has been analyzing the case for over two years, says, “Assuming the emails are genuine considering the timing, both Mark and Jed were aware of some 80,000 BTC that seem to have already been missing before the large June 2011 hack, and Jed was suggesting possible approaches to recovering from it.” The question then remains: did either of them put these plans into action—for example creating a trading bot (a software application that runs automated tasks) to cover the loss.

That is still an unresolved mystery.

In April 2011, 80,000 bitcoins were worth approximately $62,400.

Maybe Karpeles figured he could make it back up as he went along. But luck was not on his side. As he would try to fill the hole, the price of bitcoins kept rising. By June 2, 2011, the value for the missing BTC had jumped to over $800,000.

Unfortunately for Karpeles, he had signed a non-disclosure agreement that left him unable to discuss the loss, and he faced the Sisyphean task of recovering the missing bitcoins on his own—a problem that became greater by the day and sometimes by the hour as the value of bitcoins skyrocketed.

In June of 2011, Mt. Gox was hacked once again. Investigators at the time believed that hackers might have gained access to Jed McCaleb’s administrator account, which was still active.

Karpeles’s reaction to the hack was to move the majority of the bitcoins off-line into what is called “cold storage” and place them in safety deposit boxes dispersed through various banks in Tokyo. He only left enough online to make sure transactions could be carried out. But having moved the bitcoins off, Karpeles neglected to reconcile the amounts of cold storage with other customer accounts. Karpeles became increasingly paranoid about hackers—almost obsessive.

An individual who worked at Mt. Gox handling accounting told The Daily Beast, on condition we not identify him by name because of his role in the investigation, “Mt. Gox was not an investment company, according to my opinion. It was like a pachinko parlor gift exchange.” (Pachinko is a Japanese variant of pinball with a payoff.)

The man in charge of accounting says he urged Karpeles to reconcile the BTC (Bitcoin) balance, the on-line balance, and the fiat (cash) balance several times but was spurned.

“I told him, ‘I want to know where are the bitcoins, and we need to reconcile,’ and Mark replied, ‘mendokusai’ [it’s a pain in the ass]. He said it was too difficult and too risky, because to reconcile the balance, you need to put the bitcoins from the cold storage onto a hot wallet, and there is the risk that it could be hacked, so he didn’t want to do it.”

A “hot wallet” refers to bitcoins online—a situation that makes them more vulnerable to cyber predators.

Karpeles insisted that bitcoins in a cold-wallet, sometimes printed out on sheets of paper, were much more secure. He thought it was difficult to know how much each “cold wallet” is worth until you put the BTC back on-line—or make notations on the paper wallets when creating them.

The virtual money was becoming makeshift paper money, and there were masses of it.

The accounts manager understood what Karpeles’s concerns were from a cyber security perspective but still felt that not reconciling the accounts was dangerous.

“I didn’t think it was reasonable not to reconcile, but I thought it’s his company, he’s the CEO, so I said okay.” 

Former employees of Karpeles say that he might have made it all work. They claim rogue U.S. government agents seized $5 million of Mt. Gox funds in summer 2013 in retaliation for Karpeles’s refusal to cooperate with them. This seizure supposedly cut into the firm’s operating reserves, which may have been the beginning of the end, at least according to the former Mt. Gox accountant.

In the meantime, Karpeles voluntarily assisted U.S. authorities in their investigation of the online black market Silk Road, evidently hoping that would buy him some sort of immunity.    

It didn’t.

“The first time I got the signal that the bitcoins were missing, it was when Mark told me, sometime in early February [2014],” said the accountant. “He called me in his office, and he said, ‘There is a chance that Mt. Gox might have to file for bankruptcy.’ And he asked me to go to the law firm Baker & McKenzie the next day to discuss with them.” 

The accountant recalls that Karpeles was eerily calm at the time—but that Mark was always that way. “He was like a more stoic version of the Cheshire Cat. He was always smiling. He could probably tell you, ‘Oh, the entire office is on fire and we’d better leave before we burn to death’ and it would be the same expression.”

The Japanese courts will determine if Karpeles has committed criminal acts, but the latest revelations would make anyone ask: Is he a con-man, a victim, a fall-guy, or all of the above?

One thing seems clear—Karpeles bought a company already missing tens of thousands of bitcoins.

Did the thief who took them take hundreds of thousands—worth hundreds of millions of dollars—more? Someone did, in the heist of the century, and to solve it, the police need to make a case that depends on more than coercion and confession.