More than 18 months after the MtGox bitcoin exchange filed for bankruptcy in February 2014, little is still known about what happened to the 850,000 missing bitcoins. The now defunct Tokyo-based company claimed hacker malleability attacks—illicit alterations of transaction ID numbers—were responsible for the disappearance. MtGox users who traded the virtually currency for fiat money suspected fraud. Whatever the reasons, the fallout appears to have been a financial calamity for Bitcoin investors: the value of a bitcoin dropping from a peak of over $1,000 prior to the exchange’s collapse to around $232 today.
Although investigators remain tight lipped about their findings, Tokyo Metropolitan police took Mark Karpeles, the CEO of MtGox, into custody in August on charges of manipulating company accounts and stealing from exchange users. Then on 11 September prosecutors issued a warrant for his arrest, accusing him of embezzling US $2.7 million of clients’ money. Karpeles, 30, a French national, has reportedly denied wrongdoing.
Yet these charges represent only a tiny fraction of the 850,000 bitcoins worth around $200 million at today’s exchange rate, or about half-a-billion dollars at the time of the MtGox collapse. So the wait to hear what really occurred continues.
“It is only natural for law enforcement, trustee and the forensics team not to give reports when there is an ongoing criminal investigation,” says Pauline Reich, director of Asia-Pacific Cyberlaw, Cybercrime and Internet Security Research Institute in Tokyo. “It will take time. Patience is needed.”
Investors had hopes raised for a quicker explanation when Kraken Bitcoin Exchange, a leading San Francisco-based exchange, was selected last November by the trustee to help the investigation and aid in the distribution of MtGox’s remaining assets to creditors. So far, though, Kraken has remained silent and refused to comment for this story.
One entity not happy to wait for answers is WizSec, a bitcoin security firm established last year in Tokyo by three former MtGox bitcoin investors. The company began conducting its own independent investigation in spring 2014 based on leaked MtGox transaction data published online by hackers, non-public leaked sources, interviews with former MtGox staff and others connected with the company.
Kim Nilsson, head of WizSec, spoke to the foreign press in Tokyo on 14 September and shed some light on the difficulties the authorities are facing, though he pointed out that because a substantial portion of his sources are unverifiable leaked data, he could not claim it to be one hundred percent reliable. However he believes it likely gives a good indication of the state of MtGox customer accounts at the time.
“MtGox had very bad accounting to the point where it might have been non-existent,” said Nilsson. “This has left the case full of holes, which the police will have to extrapolate to fill.”
A major problem, he said, was that clients’ bank accounts and company accounts had been comingled, at least early on after the company’s launch in 2010. “So company funds and clients’ deposits were stored in a single account and used for company expenses.”
WizSec has published two reports on its findings, the latest this February. According to the report’s executive summary:
Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox was technically insolvent for years (knowingly or not) and was practically depleted of bitcoins by 2013.
Christian Decker of the Swiss Federal Institute of Technology Zurich, and co-author of Bitcoin Transaction Malleability and MtGox study [pdf] with colleague Roger Wattenhofer disagrees.
“While it’s possible that at the change of ownership [when Karpeles purchased the exchange around March 2011], MtGox was not completely covering its liabilities, it is very unlikely that it was missing a major part of its funds,” Decker told Spectrum. “This is backed by the fact that some of the bitcoins sold on the platform did not enter the Bitcoin economy until later, i.e., they had not been mined then and couldn’t have been stolen then.”
The malleability study also discounts MtGox’s claim that malleability attacks were responsible for the loss of 850,000 bitcoins. The study concludes “…barely 386 bitcoins could have been stolen using malleability attacks from MtGox or from other businesses.”
But there are areas where the experts are in full agreement. “The main problem with MtGox was not with the bitcoin technology, but with how the company was run,” said Nilsson. “It doesn’t matter if you use the strongest bank vault in the world if you leave the keys out.”
Reich concurs. “This is about the bookkeeping at MtGox and not about the technology.”
“The alleged theft is due likely to insecure handling of funds by MtGox in their internal systems,” says Decker. “This would have been the case even if their allegations that transaction malleability was to blame, since they were using faulty network nodes internally.”
As for future expectations, “I believe the technology that powers bitcoin is strong and solid and will definitely make it into the financial industry before the (bitcoin) currency itself does,” said Nilsson. And Decker notes that while Bitcoin technology is still new and experiencing growing pains, “Academia and the industry are continuously working on improving the security of systems built on top of it.”