
It is now over a week since Mark Karpelès was arrested in Japan and one-time Mt. Gox quasi-interim CEO Ashley Barr-alias-Adam Turner held a searing reddit AMA session. The Mt. Gox debacle is taking on some nuance, and the revelations about Karpelès’ bizarre personality might make a halfway decent movie some day, a sort of Wolf of Shibuya with an infusion of 4chanian absurdity: anime, cats, lattes, craven flouting of fiduciary duties and the occasional samurai LARP (Live Action Role Play).
On the other hand, there is still little in the way of hard news. The Japanese police can hold Karpelès for 23 days without formal charges or the possibility of bail; they allege that he manipulated data to plump his personal accounts with around $1 million, and so far they’ve left it at that. Whether he will have to answer for the 650,000 of Mt. Gox customers’ bitcoins that disappeared last year—in a hack, he claims—is unclear.
Many are convinced that Karpelès stole their money, and it is hard to deny that he was criminally—spectacularly, sublimely—negligent. What follows is a summary of the facts and highlights from the speculation surrounding one of the most interesting stories ever to emerge from the fledgling world of digital currency.
Goxed
In 2009, Jed McCaleb founded Magic: The Gathering Online Exchange, abbreviating it as MtGox or Mt. Gox. The same year, Mark Marie Robert Karpelès, alias MagicalTux, then in his early twenties, arrived in Japan with his cat Tibanne. According to Ashley/Adam, Karpelès had spent some time in Israel, since he was wanted in his native France. On August 1, 2014, one year to the day before his arrest in Japan, Ars Technica and Le Monde jointly published a 2010 French court document in which Karpelès was sentenced to a year in prison for fraud. He had been tried in absentia.
In the summer of 2010, McCaleb radically changed directions, turning Mt. Gox into a Bitcoin exchange. The following March he sold the domain to Tibanne, the shell company Karpelès named, of course, for his cat. The thread in which McCaleb announced the sale drips with irony—even a bit of prophecy—in retrospect. Mike Caldwell wrote, “I would leave money in MtGox if I weren't afraid of losing it there.” Karpelès was already displaying his knack for evasion with vague references to an issue being “investigated” and “addressed”—later. And McCaleb posted, “Can’t wait to see BTC hit $10!”
On December 4, 2013, according to CoinDesk, BTC hit $1,236.90 on Mt. Gox’s exchange. CoinDesk’s Bitcoin Price Index (BPI) for that day, meanwhile, was $1,147.25. Mt. Gox coins frequently traded at a premium to those on other exchanges, and the site was handling the large majority of all bitcoin transactions by 2013. Yet that popularity hardly derived from Mt. Gox’s sterling reputation.
The trouble began just a few months after Karpelès took over, on June 19, 2011. In the span of a few minutes, an attack drove the price of bitcoin on the exchange from $17 to around a penny. The price plunge was accompanied by the theft of 400,000 bitcoins, worth perhaps $8.75 million, according to a DailyTech report. Karpelès, in what would become a familiar move, took the exchange offline and announced that transactions would be rolled back to reflect accounts’ balances before the attack. The attack came in the wake of bitcoin’s first meteoric rise, from $0.74 on March 20 to $29.60 on June 8, or 4,000% in 80 days.
Another incident followed in October, when 2,609 bitcoins vanished from the exchange.
Things were relatively quiet until the infamous March 11, 2013 fork, when Mt. Gox suspended bitcoin deposits. They were at it again exactly one month later, suspending trading on April 11 due to a price crash. CoinDesk’s BPI had reached $230.00 on the 9th, up from $46.00 just a month before, but a steep sell-off brought it to $124.90 on the 11th. Some suspected a DDoS attack, but the evidence points to a selloff that caused delays and sparked a panic. At this point Mt. Gox was handling 75% of bitcoin transactions. The price continued to slide, to $68.36 on the 16th, before recovering.
A term for Mt. Gox’s frequent interventions, and customers’ resulting inability to access their funds, began to gain some currency: getting “Goxed.”
In early May Coinlab, which was supposed to take over Mt. Gox’s North American operations, sued the company for breach of contract to the tune of $75 million. When Gawker broke the story, it reached out to Karpelès for comment. He said he was unaware of the lawsuit.
More problems soon emerged from North America. The Department of Homeland Security seized Mt. Gox funds that were held by Dwolla, a Des Moines-based money transfer service. The warrant cited probable cause that Mt. Gox was operating a money transmitting service without a license. It also mentioned an interesting detail: the Wells Fargo account through which these funds passed was in Karpelès’ own name.
The company halted US dollar withdrawals in June and, despite its own claims to the contrary, was effectively shut out of the US market from that point on. American customers were left stranded. Karpelès insisted, “We have no problems with liquidity and we never have,” and a message from Mt. Gox blamed the banks.
The idea that banks simply felt threatened by the currency, however, was little comfort to its US customers. The BPI sloshed around the $100 mark for the summer, but Mt. Gox’s price was much higher, since there wasn’t much else to do with captive dollars than buy bitcoin at whatever premium. In August, Mt. Gox prices’ spread over Bitstamp’s exceeded 12%.
Meanwhile Monsieur Karpelès…
While his customers were waiting for the privilege of withdrawing their money from Mt. Gox, Karpelès tweeted about programming errors on taxis’ TV screens. More than once. Hilarious, Mark. According to Robert McMillan, writing for Wired, Karpelès was habitually unconcerned with the state of Mt. Gox and the assets it held. Identified bugs would go unfixed for long stretches as Mt. Gox’s leader allowed his priorities to invert: his $1 million Bitcoin Cafe became his focus despite the Coinlab suit—of which Gawker had to inform him—and Homeland Security’s seizure of $5 million in Mt. Gox customers’ funds (or perhaps Karpelès’ funds; it was all in the same account, after all).
During the June 2011 hack, when Jesse Powell flew in from the other side of the world to get the site up and running again (whether he was even compensated is not clear), Karpelès took the weekend off.
The Reckoning
On February 4, 2014, a CoinDesk survey began polling Mt. Gox customers. Responses indicated that 70% of users who’d made withdrawal requests hadn’t received their funds and that the “median waiting time was between one and three months.” On February 7 the exchange halted withdrawals: “To understand the issue thoroughly, the system needs to be in a static state. We apologize for the sudden short notice.”
Three days later, the company issued a statement blaming “transaction malleability,” a bug that enables attackers to alter the hashes for certain transactions, making completed transfers appear as though they’ve failed and thus setting themselves up to be double-paid. This explanation amounted, according to Andreas Antonopoulos, to blaming the core developers for Mt. Gox’s “incompetence.” In a reversal of the normal trend, the price of bitcoin on the exchange dropped to $135, a fraction of the cost on other exchanges. The market did not expect the company to make good on its obligations.
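The malleability problem described above, as an added example (not from the article or from Mt. Gox’s code): in this simplified model the transaction identifier hashes the signature bytes, as pre-SegWit Bitcoin identifiers did, so a re-encoded signature gives the same payment a new identifier. The dict layout, function names and sample values are constructed assumptions.

```python
import hashlib

def txid(tx):
    """Toy identifier: double SHA-256 over inputs, outputs AND signature bytes."""
    blob = repr((tx["inputs"], tx["outputs"])).encode() + tx["script_sig"]
    return hashlib.sha256(hashlib.sha256(blob).digest()).hexdigest()

def naive_status(sent, chain):
    """Look up by identifier only: a re-encoded copy looks like a failed payment."""
    return "confirmed" if txid(sent) in {txid(c) for c in chain} else "failed"

def robust_status(sent, chain):
    """Match on the coins spent and outputs paid, which the signature commits to."""
    for c in chain:
        if set(c["inputs"]) & set(sent["inputs"]):
            if c["outputs"] != sent["outputs"]:
                return "conflict"  # same coins went somewhere else: investigate
            return "confirmed" if txid(c) == txid(sent) else "confirmed-malleated"
    return "unconfirmed"  # nothing on chain spends these inputs yet

# Constructed sample data (not real transactions).
withdrawal = {
    "inputs": [("a1" * 32, 0)],
    "outputs": [("customer-address", 5_000_000)],
    "script_sig": bytes.fromhex("3044aa"),
}
# Same payment, signature bytes encoded differently by a third party.
malleated = dict(withdrawal, script_sig=bytes.fromhex("304500aa"))
unrelated = {
    "inputs": [("b2" * 32, 1)],
    "outputs": [("someone-else", 1_000)],
    "script_sig": bytes.fromhex("3044bb"),
}
chain = [unrelated, malleated]

if __name__ == "__main__":
    print("naive :", naive_status(withdrawal, chain))
    print("robust:", robust_status(withdrawal, chain))
```

A payout system that reconciles with the naive check would record this withdrawal as failed and pay it again, which is the double payment the statement describes.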
On February 24, Mt. Gox took its site down and wiped its Twitter feed. Meanwhile, an internal document—since confirmed as authentic—began circulating publicly. The highlight: “At this point 744,408 BTC are missing due to malleability-related theft which went unnoticed for several years.” The company filed for bankruptcy on February 28, declaring that it had lost a total of 850,000 bitcoin, including 100,000 of its own, worth around $480 million at the time and representing 7% of the world total.
Did He Do It?
The $480 million question. For the most part, people have regarded Karpelès as a pathetic figure, a geek who didn’t have an entrepreneurial bone and got in over his head. McMillan’s Wired piece certainly lends itself to that interpretation: the image of poor Karpelès fawning over the cash register he hacked while his business splits at the seams inspires as much pity as anger.
But what if he took it? What if the “hack” is all a ruse? There’s a chance we’ll find out, now that he’s in police custody. But it seems that the Japanese authorities might be uninterested in the stolen bitcoin; a Tokyo district court ruled Thursday that bitcoin is ‘“not subject to ownership” claims,’ according to the Japan Times.
That approach doesn’t make much sense anyway: appealing to courts and regulators to restore bitcoin is very nearly a contradiction in terms. The whole point—for now—is that it is unregulated, that there is no FDIC (or Japanese equivalent), no lender of last resort, no authority to meddle or arbitrate. Keeping more to the spirit of the enterprise, vigilantes hacked Karpelès’ and Tibanne’s files and published transaction records. Some have claimed to see their own transactions in the records, indicating that they are authentic. The Goxed hackers also doxed Karpelès.
Still, there is no universally accepted evidence that Karpelès pocketed any of the money (besides the $1 million theft the Japanese authorities are pursuing). Some have claimed to identify particular chunks of stolen bitcoin in the blockchain, but redditers say a lot of things.
Other theories strike a middle ground between theft and incompetence: there is evidence that Mt. Gox was running a deficit six months before it declared bankruptcy, and that it had been using customers’ funds to pay for other customers’ withdrawals. Or a variant: Karpelès was doing something similar when bitcoin was worth little to nothing, and the resulting debt ballooned along with the price.
Rick Falkvinge’s theory, while just as speculative as the rest, has been borne out by more recent events. He compared Mt. Gox’s story to a previous putative hack, in which mybitcoin.com went down without explanation; they explained two weeks later that their deposits had been stolen, but that they’d recovered around half the total. Based on the hunch that Mt. Gox was a “copycat scam,” Falkvinge predicted that Mt. Gox would “offer their clients a portion of the holdings back, a portion probably lower than 50% (just to drive the point home), and that offer should appear on or about March 11, 2014.”
He was wrong, of course. Mt. Gox did not announce that it had recovered 200,000 bitcoins—24% of the total—until March 20. Gox’s assertion that this amount had been found in “an old-format wallet which was used prior to June 2011” is as suspicious as the mybitcoin.com parallel, given Ashley Barr/Adam Turner’s revelation that, for all he knows, all of Mt. Gox’s bitcoin may have been stored in (a) hot wallet(s). That is, every satoshi was online and vulnerable to attack at all times, instead of being stored offline in so-called “cold storage.”
Karpelès did claim to have cold wallets, but never gave anyone else at Mt. Gox access to them. If he had died or disappeared, all of that money would be gone. He attempted to assuage his colleagues’ fears on this issue by claiming—no joke—“that if he died there would be hints that one of his best friends could follow to find and unlock the cold-wallets. When I [Ashley/Adam] asked said friend, he said he had no idea what Mark was talking about.”
Nor did he ever let anyone see the company’s financials, including the acting CEO. In light of this stranger-than-fiction theater of bad practices, it is hard to see Karpelès as innocent of anything, and even harder to listen to his advice about how to run a bitcoin exchange. But all of this “evidence” (reddit AMAs are not exactly testimony) is still circumstantial, and could mean that he lost $480 million in bitcoin through blatant incompetence rather than stealing it.
But then there’s this tantalizing coincidence. The hack that supposedly made off with Mt. Gox’s coins supposedly began in 2011. In June 2011, when Mt. Gox was supposedly under attack from hackers, Karpelès went on vacation rather than helping address the issue.
Oh, and even if he didn’t hack his own company, he might have been behind Willy, the bot that some claim drove bitcoin prices upward during the bubble period. Ashley/Adam: “I had never considered it wasn't Mark.” Or maybe he was the real Dread Pirate Roberts, and Ulbricht was framed (kidding on that one).
A New Era?
But who cares? Mt. Gox’s victims will never get their bitcoin back, because along with renouncing governments, fiat, banks and regulators, they renounced oversight, protections and recourse. That is not to say that those who made that choice were stupid or naive. Many made an informed decision, took a risk, and accepted the consequences when it turned out badly. Others were gazing moonwards and failed to see there was a trade-off.
So are bitcoin’s Wild West days coming to an end? Did the cuffs going click on Karpelès’ wrists mark the beginning of a new era? Will the community accept a modicum of oversight, compromising their fierce independence in exchange for safeguards? Japanese finance minister Taro Aso is talking about regulating exchanges. What will come of it remains to be seen.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.