After the CEO’s Indictment the Great Mt. Gox Bitcoin Mystery Deepens

More than $100 million is still missing from the defunct crypto-currency exchange in Japan, and experts say it may never be found.

TOKYO — Last Friday, Japanese prosecutors filed criminal charges against Mark Karpeles, 30, the French CEO of the collapsed Tokyo-based bitcoin exchange Mt. Gox. The alleged crime: embezzling over $50 million of his clients’ money. The police had detained him, at that point, for more than 40 days.

Mt. Gox, once the world’s largest exchange for the decentralized virtual currency, filed for bankruptcy protection in February 2014, when it came to light that 850,000 bitcoins, worth $450 million at the time, had disappeared or been stolen by hackers. Mt. Gox said it also lost $27 million in cash.

To date, 650,000 bitcoins, currently worth over $100 million, remain unaccounted for. And while Karpeles is facing several criminal charges, none of them deal directly with the missing money. Case not solved.

Who took the haul? We may never know, unless Karpeles knows—and comes clean. But analyses by Internet security experts, laid out at a meeting with the press in Tokyo on Monday, give new insights into how the scam came to be. One of the culprits, “Willy Bot.”

For the moment, as far as Karpeles is concerned, it’s unlikely he’ll be granted bail—only about 30 percent of prisoners in Japan get that chance. And the police strategy seems to have been to arrest him on minor charges and keep arresting him until he confessed to something larger. You can see what the cops were thinking: Japanese people accused of a crime are more likely to confess, even when they didn’t do it. In one infamous case, a rogue hacker managed to trick the Japanese cyber cops into making four false arrests and some of the accused obligingly made false confessions. But Karpeles hasn’t confessed at all.

The Mt. Gox case was further complicated because the cyber crimes unit and the white-collar crime division of the Tokyo Police department (Investigative Division Two), did not always see eye to eye. Karpeles cooperated with the cyber crimes unit; the white-collar crime division saw him as just a criminal.

The interrogation of Karpeles has had some surreal moments, according to those close to the investigation, with the interrogators asking him several times over several days if he was actually Satoshi Nakamoto, the mythical creator of bitcoin—whose identity is shrouded in mystery. Karpeles did not confess to that, either.

On August 1, Karpeles was taken into custody over claims of fraudulently manipulating computer data between 2011 and 2013, and later rearrested for pocketing $2.7 million worth of bitcoins, most of them belonging to Mt. Gox’s clients, to purchase a $48,000 luxury bed and several software development rights.

After Mt. Gox filed for bankruptcy in February 2014, the initial charges were that “Karpeles created false information that $1 million had been transferred into an account held under his name, when in fact it had not been,” the police said in a statement. The police did not mention why the amount showed up fraudulently in Karpeles’s account.

After the collapse of his business, Karpeles’s former employees accused him of stealing from client accounts to cover the operational costs of the business, according to informed sources. In May 2013, federal agents had seized $5 million from Mt. Gox North America, including $50,000 from Karpeles’s personal account. This may have prompted illegal transfers later that year amounting to about $1 million.

Mark Karpeles’s legal team at the Ogata Law Office in Tokyo said that the accusations of embezzlement are unfounded: “The money that our client used for investments came from his company’s income, $28 million in total, not from his clients’. Mr. Karpeles therefore did not commit embezzlement by law.”

The lawyers told The Daily Beast, “If a bitcoin exchange in Japan, under Japanese laws, is not considered operating as a bank, then it’s even more far-fetched to say he committed embezzlement.”

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

A certified accountant in Tokyo also said that if the prosecutors are charging Karpeles with embezzlement for this amount of money, “a majority of other businesses in Japan could be charged for the same crime.”

Amid accusations of fraud and embezzlement worth $2.7 million dollars, the prosecution’s statements have not even touched upon the 650,000 missing bitcoins (worth an estimated $390 million at the time).

In other words, Mark Karpeles may have been a sloppy manager but if he’s guilty of filching 650,000 bitcoins, the police haven’t pinned it on him yet.

The Tokyo Police Public Relations Office was not available for comment and the prosecutor’s office refused to give information to a news organization not part of its “press club.”

Monday at the Foreign Correspondent’s Club of Japan, however, a group of white-hat hackers gave their take on the Great Mt. Gox Robbery.

“Mt. Gox was not only possibly hijacked, it was used to manipulate the bitcoin market by a hacker or group of hackers,” said Kim Nilsson, 33, a Swedish bitcoin security expert and author of an independent report that investigated Mt. Gox’s missing currency.

Wiz Sec (Wiz Securities), the independent group led by Nilsson, a software engineer based in Tokyo, published its first interim report on February 19, giving the clearest account of “what could have happened to Mt. Gox.

The report details the activities of a robot program, nicknamed “Willy Bot,” which seems to have been running all the time except between 2:00 and 5:00 a.m. Japan time. Experts estimate Willy was put into the Mt. Gox system and started running sometime in 2013, and was buying hundreds of thousands of coins with fake money within Mt. Gox.

Sometime in December 2013, a number of traders, including the Wiz Report investigators, began noticing suspicious bot behavior on Mt. Gox.

Basically, a random number between 10 and 20 bitcoins would be bought every 5 to 10 minutes, non-stop, for at least a month on end until the end of January 2014. Since Willy was buying in such a recognizable pattern, the investigators figured it would be easy to find in the Mt. Gox trading logs that were leaked near the time of the bankruptcy. However, the logs only went as far as November 2013. Luckily, the investigators were able to detect the buying pattern in the last few days of November.

The Wiz Sec report is based on data leaked by the hacker(s) of Mt. Gox accounts from February 28 to March 2. Wiz Sec investigators say they matched the data with information they collected elsewhere. The data was potentially deleted from Mt. Gox servers but a part was left visible by the perpetrator(s).

Nilsson explained that the act perpetrated by the anonymous person or persons is clearly voluntary and illegal. The bitcoin trading data showed that Willy the automated trading robot was used to manipulate the market and possibly steal coins as well.

The computer software, because it had database access, was trading different accounts at Mt. Gox, using fake money by creating new accounts and setting the balance of those accounts to millions of dollars. “The bot would spend that fake money on the exchange buying up a few bitcoins every few minutes, which would usually take a day or so to spend,” one of the researchers working with Nilsson explained. “Spending $2 million buying bitcoins off of the market is something that can be done only slowly over time.”

“Until we get the full database we can't really be sure exactly how the bitcoins were stolen,” said Nilsson, “There could have been multiple hackers in multiple countries. It could have all been done inside Japan and we don't know. But there is a lot of evidence pointing to inside Japan.”

Nobuaki Kobayashi, the appointed trustee of Mt. Gox, and members of his team were unavailable for comment.

Clearly, there was negligence and a lack of security. Some creditors of Mt. Gox say Karpeles is responsible as CEO of the company for securing everyone’s money. “I don’t think he is personally the thief we are looking for,” said Nilsson. “It could have been someone else, an external hacker or somebody else within the company.”

Karpeles faces 5 to 10 years in prison if convicted of these crimes after the trial. But then what?

“It is a journalist’s duty to keep asking questions,” Nilsson concluded Monday. “Mark Karpeles has been charged with what at the moment appears to be quite minor crimes compared to the whole Mt. Gox case. If he is convicted of this and if the case is closed, there will be unanswered questions left and possibly another criminal out there who did steal the coins and who will get away with it. Journalists have to continue asking questions to all the parties, not just reporting what the authorities have chosen to charge and convict one man of.”