Eight Years After the Fall of Mt. Gox – What Have We Learned?

Mt. Gox, the infamous Bitcoin exchange, collapsed on February 24, 2014, after their 744,000 BTC – amounting to billions at present — were robbed.

This year commemorates the eighth anniversary of the demise of Mt. Gox, an online exchange that once accounted for the vast majority of Bitcoin transactions.

About Mt. Gox

Mt. Gox, founded by McCaleb and based in Tokyo, began functioning as an essential crypto exchange in late 2010. The domain (MtGox.com) was initially purchased in 2007 to conduct a trading site for the enormously popular “Magic: The Gathering” game cards. However, as the business grew in popularity, the proprietor leased the platform to Mark Karpeles.

Karpeles, a devoted programmer and Bitcoin aficionado, tried to improve the web platform’s code to handle a higher volume of Bitcoin exchanges and purchase orders. However, the exchange’s demise proved that security was not handled properly at all. 

Mt. Gox ceased trading and shut down on February 24, 2014. Eventually, it was discovered that attackers had repeatedly exploited Mt. Gox’s infrastructure for several years, which gradually burgled the exchange of its Bitcoin. 

How? Without going into technicalities, it was all done by trying to manipulate transaction data — known as transaction malleability — which led Mt. Gox to genuinely think that specific withdrawals had not occurred, triggering it to re-send requested funds repeatedly. Hackers, on the other hand, got BTC as the modified transactions were confirmed.

While this accounting issue was never revealed, on February 24, 2014, a critical Mt. Gox document was released, exposing how deep the company had dug themselves. According to the paper, over 744,000 bitcoins were stolen, valued at approximately $35 million at the time and nearly $30 billion now. 

A Bitcoin Exchange in Peril

Interestingly, Mt. Gox’s ultimate vulnerability exploit was not its first. Hackers began exploiting the company’s security shortcomings three years before the final incident, and thousands of bitcoins were taken from the exchange on at least four consecutive instances.

On March 1, 2011, criminals copied the wallet.dat file from an Mt. Gox hot wallet and took 80,000 BTC. In May, hackers stole an even more enormous sum of BTC from the exchange, gaining access to 300,000 BTC held in an offline wallet on an unprotected, publicly available network disk.

The thieves quickly returned 297,000 BTC, retaining only a 3,000 BTC “keeper’s fee.” The following month, an attacker gained access to internal admin privileges and manipulated prices, temporarily collapsing the market and taking 2,000 bitcoins.

In September of that year, a hacker gained read-write access to Mt. Gox’s database, allowing them to develop new accounts on the exchange, boost customer balances, and withdraw 77,500 BTC — after which they erased their tracks by erasing the majority of the evidence logs. Then, a malfunction in the CEO’s new wallet software resulted in the transfer of 2,609 BTC to an unrecoverable null key.

The cases don’t stop here! In 2013, a hacker obtained a duplicate of Mt. Gox’s wallet.dat file and plundered a whopping 630,000 BTC.

Then in 2014, after Mt. Gox had become such a troublesome exchange, users began selling their Bitcoin stored via Mt. Gox at a bargain for “actual” bitcoins – a fallback mechanism used by those who were stuck, unable to extract any BTC from Mt. Gox. The seller would send Bitcoin from their Mt. Gox wallet to the buyer’s Mt. Gox wallet, an inside transaction that did not involve a legitimate withdrawal of funds.

The withdrawal problem at Mt. Gox was so profound that an Australian Mt. Gox consumer travelled to the exchange’s head office to protest and confront Karpeles about why they couldn’t take their coins. Mt. Gox executives did not want to explain what was happening behind the scenes, citing “technical difficulties” rather than glaring management failures that led to the situation. Mt. Gox formally confirmed that all withdrawals were halted permanently once the user returned to Australia.

Centralised Architectures Continue to Be Security Flaws

After a slew of hacking incidents in the years that followed, Mt. Gox eventually sank due to years of management incompetence and poor software.

When it comes to software, one inside employee revealed that Mt. Gox did not provide a version control system at all, which may appear preposterous for a company that controlled as much financial value as Mt. Gox. Furthermore, all code modifications had to be confirmed by CEO Karpeles, which meant that essential bug fixes could languish at his office for weeks before he came around to evaluate and publish them to the program block. A code development suite did not even exist; new features and bug patches were applied to the multiple users that relied on the exchange for Bitcoin purchasing, selling, and having custody.

Though Mt. Gox’s technical equipment and application production methods represent the pinnacle of centralisation due to its reliance on Karpeles, it is not only Mt. Gox. Usually, all centralised losses around the globe arise from the same limitations inherent in centralisation and illustrate a point of failure.

Thus, while strengthening security and resilience on a trading floor is critical, the natural solution for long-term safety and asset preservation rests in decentralised networks. While institutional exchanges and services maintain the broken traditional financial structure that Bitcoin was supposed to improve, a decentralised monetary system allows anybody to have complete control over their resources.

However, for that democratic future to come true, users should first have their safety ensured. The good news is that if you decide to enter the crypto market, SSL-protected sites like immediate-edge.io or any other similar platform can help you put data security on a pedestal. 

Mt. Gox Demonstrates the Importance of Self-Custody

Mt. Gox filed bankruptcy in February 2014, elaborating on a series of hacks that occurred due to its flawed withdrawal-checking software, which failed to account for transaction adaptability. The sad part is that those issues have been widely disclosed since 2011.

Although the exchange attempted to blame Bitcoin, it was evident that the only technology to blame was its own – a terrible custom version that cost thousands of people their entire life savings. Even Bitcoin merchants who allegedly were aware of the risks of third-party storage and the significance of self-custody lost lots of Bitcoin as a result of Mt. Gox’s demise. 

What we’ve learned? Mt. Gox’s demise is still likely the most significant lesson users could have obtained about the significance of self-custody! In the end, it should be YOU who has control of your digital assets!