Mt. Gox Allegedly Hacked: "This Could Be the End of Bitcoin"
Rumours of a $350 million hack against the Bitcoin exchange have the cryptocurrency community alarmed.
Update 25 Feb 2014: Blockchain's CEO Nicolas Cary got back to me and shared the company's response to the Mt. Gox episode, which you can read here. Asked if he thought this could be the beginning of the end for Bitcoin, he responded, "Absolutely not. This is just one service that has slowly been deteriorating into obscurity. Bitcoin is secure, the network is robust, and the amazing innovation happening in this space will continue."
Read an update about Mt. Gox and Bitcoin's "human problem" here.
Following a string of warning signs that something was seriously wrong, the website of popular Bitcoin exchange Mt. Gox has been offline since late last night. Go to the address and, at least for now, all you’ll see is a blank page. If you’re looking for bitcoins you had tied up in Mt. Gox, you might be faced with a similar void as rumours spread online that the exchange is insolvent after an alleged hack of 744,408 bitcoins—about $350 million at today’s exchange rate.
With many details unconfirmed and Mt. Gox and its CEO Mark Karpeles keeping schtum for now, it’s difficult to know for sure exactly what went down, but here’s the story so far: Just over two weeks ago, Mt. Gox suspended bitcoin withdrawals owing to “technical issues.” As the oldest Bitcoin exchange, and at one point the largest, this had a knock-on effect on the currency’s ecosystem as a whole, and its price dropped around $200. The exchange explained the issue was a result of “transaction malleability,” a known weakness in the Bitcoin protocol, and one that others pointed out could have been avoided.
If that was a sign that Mt. Gox was dying, more recent activities looked even more foreboding. On Sunday, Karpeles resigned from the board of the Bitcoin Foundation. All tweets from Mt. Gox’s feed were deleted. Last night came the first reports that Mt. Gox’s website was down—the final nail in the coffin?
News of a hack spread shortly before the site went blank, owing to an alleged leaked document about the company's recent difficulties. Wired reported that Bitcoin entrepreneur Ryan Selkis posted the document, titled “Crisis Strategy Draft,” on his blog. Selkis wrote, “I have several sources close to Mt. Gox that have confirmed the numbers and am attempting to reach Gox executives for comment.” However, the authenticity of the document is still under question; we’ll update as and when more light is shed on the truth of its contents.
A Bitcoin price index chart for Mt. Gox over the past day. Image: Coindesk
If it is true, it’s bad news for Mt. Gox and anyone who was still desperately hoping to get bitcoins back from them—and more importantly, for Bitcoin altogether. The document explains that while Mt. Gox was rushing to find a workaround to the transaction malleability issue, “the truth, it turns out, is that the damage had already been done.” It continues, “At this point, 744,408 BTC are missing due to malleability-related theft which went unnoticed for several years. The cold storage has been wiped out due to a leak in the hot wallet.”
Chilling words indeed. Mt. Gox is clearly in trouble, but the consequences run deeper in the Bitcoin community. Whether the exchange was hacked or not, and whether people get their money back or not (I wouldn’t hold your breath), this whole episode is a reminder of some of the major flaws of Bitcoin.
The whole premise of Bitcoin is based on a decentralised system. But the fact is, there were always people who had more power over the future of the currency: the exchanges, for one. Despite all the "Vires in Numeris" idealism, to actually use Bitcoin, you have to go through an exchange at some point, which means you have to put your trust in whoever’s running it. You have to trust that they know what they’re doing, and that they’re not going to pull any dishonest stunts.
Of course, when this trust fails—as in the case of Mt. Gox—there’s little recourse. Because another key feature of Bitcoin, at least as it stands currently, is that it’s unregulated. If a hacker cracks your regular bank details and empties your account, you should be able to get your money back. If a hacker breaks into a Bitcoin exchange, or your Bitcoin wallet, there’s no system in place to reimburse you. Some companies are working to address this issue—by pushing for government regulation or offering insurance—but that’s not happened yet.
It’s hardly the first time Bitcoin has seen hacks and thefts—it’s certainly not true, as the AP reported, that “supporters of the virtual currency have said its cryptography makes it immune to theft or counterfeiting”—but a disruption of this scale, in an exchange of this scale, necessarily casts a shadow over the whole cryptocurrency community.
In the apparent leaked document, Mt. Gox recognises this. “At the risk of appearing hyperbolic, this could be the end of Bitcoin, at least for most of the public,” one page proclaims. It's a valid point—among those who haven’t yet dabbled in cryptocurrencies, who’s going to put their trust in a system that can lose hundreds of millions like that?
Other organisations have jumped to Bitcoin’s defence in a clear attempt to distance themselves from the troubles of Mt. Gox and, essentially, save the currency's reputation. A joint statement was issued last night by Coinbase, Kraken, bitstamp.net, BTC China, Blockchain.info, and Circle, in which the companies called out Mt. Gox as a “bad actor.” “This tragic violation of the trust of users of Mt.Gox was the result of one company’s abhorrent actions and does not reflect the resilience or value of bitcoin and the digital currency industry,” they wrote.
They seem to back some sort of regulatory system, or at least effective oversight, if Bitcoin is to weather this storm and users’ interests are to be protected in the future:
“Acting as a custodian should require a high bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading. It does not appear to any of us that MtGox followed any of these essential requirements as a financial services provider.”
I've reached out to some of the exchanges for more information on what they want to see happen, and will update if I hear back (see update above).
Meanwhile, Mt. Gox—again, if the leaked documents are authentic—appears to see itself as still vital to the Bitcoin economy. Perhaps rather incredibly, the documents set out a vague business plan to bounce back with a rebrand. Domain Investing reported that the name gox.com was sold to Mt. Gox (which previously operated at mtgox.com) this week, and the address currently forwards to the (blank) Mt. Gox homepage. This supports the suggestion in the documents that Mt. Gox will attempt to rise from the ashes as Gox—with a new CEO. The Guardian also pointed out that in the source code of the inactive Mt. Gox page, an HTML comment reads “