Alleged MtGox bitcoin launderer caught – thoughts

Today’s big news is that Russian national Alexander Vinnik was arrested in Greece for alleged laundering of $4bn of money which included most of the lost MtGox bitcoins. The Greek police said that he ran a huge criminal enterprise and they claim that a specific website, believed to be the popular bitcoin exchange BTC-e, is a major part of this enterprise. The US authorities are seeking to extradite him.

The MtGox coins were sent to various exchanges for laundering, but most notably around half went to BTC-e. Some of those BTC-e coins were said to have been apparently stored directly by administrators of BTC-e, implicating the exchange in possible collusion.
Btc-e has now gone offline, and the fate of the money held in that exchange is unknown.

For more details of how this relates to MtGox, please see Kim Nilsson’s blog post on this. Kim has worked hard for years uncovering what happened to the coins but has had to keep much of it quiet until now to avoid disturbing any official investigation.

What does this tell us?

This confirms that the bulk of the missing bitcoins at MtGox were taken out of the exchange by an individual or small group over a period of time from 2011-2013, and that the money was subsequently laundered. The identity of the alleged launderer of that money is known, and there are strong alleged links to the BTC-e exchange. It appears that the launderer may actually be the operator of BTC-e. It now seems that the MtGox theft was in some way linked to a wider network of thefts from various exchanges – at least in how the money was laundered.

What this does not tell us

Vinnik is being accused of being the launderer, not the thief who took the money in the first place. The relationship between the launderer and the thief is at the moment unknown. This is the uncovering of a giant stepping-stone in the story but where that stone leads is still not quite certain.

Does this mean Karpeles did not steal the MtGox coins? Will it affect the trial?

Karpeles is on trial for embezzlement and for the large-scale trading of non-existent assets. He is not on trial for stealing the bulk of the MtGox bitcoins because there is not enough evidence for such a case. This new information should not affect the trial, and it’s almost certain that the prosecutors had this information before the start of the trial.

Assuming the laundering allegations are true, there is still an unknown link between Vinnik and MtGox. That link is the thief who supposedly compromised the hot wallet and arranged for the bitcoins to be drained over time.
It could have been Vinnik himself, it could have been Karpeles, or it could have been someone different. Perhaps Vinnik was a part of a small gang which hacked exchanges.
One big question which remains is how Karpeles could not have noticed the draining of such a massive amount of bicoins over a period of years until the exchange was almost bled dry, and also how security could have been so lax over a period of years.
I can’t imagine a situation where an exchange owner would avoid doing a quick check on exchange-held assets for a period of years, especially if that person was actively transferring them between bitcoins and USD on an industrial scale.

Might MtGox creditors see any money back if funds are seized?

It’s too early to tell based on limited information, but I think it’s pretty unlikely that we will see anything from this – and even if it did happen it would probably be years in the future.

Will there be any other implications?

I have my doubts that the $4 billion sum is a realistic figure, more likely it’s vastly inflated for impact using some carefully-picked method of measuring it. But my thoughts are that the US government could use this as the opening justification for a regulation-war with the crypto industry, especially if they manage to get hold of BTC-e’s internal records.
We could see US-led pushes for cryptocurrency regulation and prosecutions around the world, intended to help keep tabs on the flow of crypto money. It could end up being a pivotal point for the industry and for the users.

What next?

If Vinnik is extradited to the US, he’ll have the book thrown at him. A very, very heavy book thrown by the Statue of Liberty herself. The US does not like anyone who facilitates money laundering or anyone even remotely connected to such a thing. If the allegations are true then he’s likely to know the identity of the thief and other people in the network and we might see a plea deal happening which sheds more light on things.
We might learn about all sorts of related people and exchange hacks over the past few years. If someone is writing a movie script about MtGox, it’s now back to the drawing board to drink a few very long cups of tea and possibly change the focus of the story.

 

Thoughts go out to the BTC-e customers who must right now be panicking about their money.

Pre-trial update 裁判前の最新情報

日本語は英語の後にあります

The Karpeles trial will begin this coming week, but it will only last for two days in the first instance. There is likely to be a long break after that – perhaps for months.
It will be held on Tuesday 11th July at 10am JST at the Tokyo District Court, and then on Thursday 13th July at the same time.
We are not expecting anything from the realms of excitement to be visiting the courtroom this week. It will be a big media field day of course and many people will not manage to get through the door, but the trial itself is likely to consist of some standard reading out of charges and a lot of formalities. Formal advice from the court is that anyone with those glasses with eyeballs painted on the front should bring them along. If anybody makes a loud noise such as a badly-managed sneeze, expect to see 60 journalists removing their glasses in a startled manner.

As for events here at mtgoxprotest.com HQ in sunny Tokyo, a lot of activity has been going on in the past 1-2 weeks. I’ve been working almost full-time to organise various things. We now have legal support from one of the top 10 Japanese law firms, who are advising on aspects of the bankruptcy as well as other things. We’re getting the site translated into Japanese and fielding a lot of media enquiries. We tried hard to get reserved seats for creditors in the trial but it looks like this is not likely to be possible. There are a few other things we are looking into and hope to have more to report soon.

(Disclaimer – the opinions on mtgoxprotest.com will not necessarily be the same as those of the law firm.)

カルプレス被告の初公判がいよいよ今週に開かれるが、今回は二日だけの開廷となる。その後はしばらく沈黙が続く模様だー数ヶ月間にわたる可能性もあるだろう。 初公判は東京地方裁判所にて7月11日火曜日日本時間午前10時に開廷、続けて7月13日木曜日、同裁判所同時間にての開廷が予定されている。 今週の裁判が興奮の渦に巻き込まれることはないだろうと予測される。もちろんメディアにとっては大きな事件に違いなく、また限られた人数しかその門をくぐることはできないが、今回の裁判自体は起訴状朗読など、形式的なやりとりが主となるだろう。裁判所は、参加者に目玉が書かれた眼鏡を持参するよう推奨している。もしそこで誰かが大きないびきなどかけば、60人ものジャーナリストがいっせいに眼鏡を外して目を丸くするだろう。 一方、mtgoxprotest.com本部の近況についてだが、ここ1、2週間、様々な出来事が進行中だ。ほとんどフルタイムでそれぞれの仕事に注力している。日本の法律事務所からは法的サポートを得られることとなり、倒産方面やその他様々な助言を得ている。当サイトの日本語翻訳も進行中だ。多数メディアから寄せられる問い合わせにも精力的に応じている。また、今回の裁判で債権者として座席を確保しようと懸命に働きかけていたが、どうやら実現の可能性は低そうだ。この他にまだ進行中の案件がいくつかあるが、もうすぐ詳細を報告できるだろう。

免責事項:当サイトにおける意見・見解は個人もしくはmtgoxprotest.comによるもので、当該法律事務所のものとは必ずしも一致しません。

Karpeles trial

It doesn’t seem to be very widely known for some reason, but the Karpeles criminal trial has been set for 11th July 2017 at the Tokyo District Court. Yes, that’s 2 weeks from now! There has been a lot of confusion over why the charges which have been brought so far only seem to cover a subset of the suspected illegal activities at MtGox. For example, there are no charges of fraud or of violation of the Banking Act. Now that the trial date has been set, we can assume there are no other charges intended to be brought. This is a very significant point and we’ll be covering it in more detail later.

I’ll be attending the trial at least for the beginning. It would be good to see other creditors turn up. It will of course be in Japanese and I will be taking a lawyer/translator to help.

The courtroom is likely to be full up. There will be a lottery for places held on the day if too many people turn up. Do creditors have a right to a priority place? We have been advised by the prosecutor that individual creditors will not qualify for reserved places, but if they make a group request via a lawyer then it might be possible. Therefore if anyone wishes to attend please contact us and we will try to arrange it.

There will be a lot of people wanting to know what happens at the trial. So far, everything related to the investigation and charges has been almost completely opaque to the outside world. In the interests of justice we believe it’s absolutely vital that the trial is as transparent and accessible as possible. Therefore we have a plan to appoint someone to go to the court to monitor it on a permanent basis. More on this later.

Reopening

Hello and welcome back. Mtgoxprotest.com has been reconstructed and reopened! The last site went down in flames after being hacked and we had to use archives to piece it back together. We’ve lost the original comments but have all the articles. This one has a more secure hosting.

It’s June 2017 and there’s a lot of confusion and teeth-grinding right now about the MtGox situation in general. As time goes on, our money seems to be slipping further and further away and our hopes of obtaining real justice are looking very hazy.

To address the elephant in the room, I am sorry that I have been silent for a long time. I have free time right now and I promise to help in any way reasonably possible.

A lot has transpired since the last post at the end of 2014. In time we hope to address any important issues which might still be outstanding.

I’ll be landing in Tokyo this week and I’m currently in the process of sourcing a major law firm there to advise on some of the ongoing issues.

Some of the main problems are:

1) Due to a legal technicality, the assets of MtGox now exceed the level of creditor debt which has been officially recognised. This means that the proceeds from the sale of our remaining 200k bitcoins (now worth $500m) will be split and anything over a certain amount will by default go to the shareholders of MtGox, mainly Mark Karpeles. Therefore as the price of bitcoin rises, we lose more and more of their value.

2) The ever-expanding bankruptcy length.

3) The incredible lack of transparency in both the bankruptcy case and the criminal case against Mark Karpeles.

There are more, but hey let’s keep this from being too controversial on a first date.

Kolin Burges

2nd MtGox Creditors’ Meeting & Kraken Press Conference

50 angry crypto-nerds, an army of lawyers, boiling hot room… Yes it’s the MtGox Creditors’ meeting again!

Much less busy than last time round though, and no media waiting outside before the start. The number of attendees was only 40%  that of the last meeting. There were virtually no foreigners there (non-Japanese) except the Tokyo-based regulars.

The meeting itself went very much like the last one except shorter.

With regards to the missing bitcoins, we were told that there is missing customer transaction data and this is blocking the investigation. Deloitte has been doing the investigation and they’re currently not sure whether they can solve the mystery of the bitcoins because of the missing data. It seems highly unlikely that the data went missing by accident. As to who might have deleted it, I’ll leave that for your imagination to ponder.

The main news was that the bitcoin exchange Kraken is now about to begin helping with the investigation, and also helping with the proof of claims and bankruptcy distribution. I’ll get back to that later. If you lose interest in this post before the end, skip to the last couple of paragraphs before leaving.

Other than this, it was very disappointing and more of the same. It doesn’t seem that any real progress has been made in the past 4 months – at least nothing which has been reported. As there was little progress in the previous 4 months, that means the whole process looks like it’s just stumbled drunkenly over the starting line. There was the same secrecy as there was in the last meeting. Secrecy is sprinkled over everything like an artificial sweetener to hide things we’re not going to like, to cover up poor progress, and to avoid answering awkward questions etc. The meetings are supposed to be about giving out information but the feeling is they’re about conforming to the requirement for a meeting but  with the aim being to give away as little as possible.

Karpeles and his companies are seemingly not giving the $13 million back that they took from MtGox. Karpeles has disagreed that Tibanne owes $7 million, and he also claims it wasn’t a loan but it “was not intended to be repaid”. What this means is unclear. If it was a genuine payment for services, it would never have been classed as a loan. I’d say that after accounts were reconciled a few months ago there was $7 million transferred to Tibanne which was inexplicable so it was classed as a loan. Now Karpeles effectively wants that amount to be “forgotten” about! After pressure from Kobayashi to repay he now says he will try to repay it after he raises the funds. He doesn’t really have much option other than to say this, but he almost certainly doesn’t intend to actually do it. Tibanne has a bitcoin’s chance in MtGox of magically raising $7 million from nowhere. And if Karpeles knew a way to raise $7m you can bet he would be doing it in a way whereby he wouldn’t have to pay it back to us.

His company Shade 3D which owes $3m has provided a repayment plan which Kobayashi didn’t accept, in other words Karpeles would not agree to pay it back in any acceptable way. He may have said something like they’d pay back a tiny sum each year. If they don’t produce a better plan they will be forced into bankruptcy by Kobayashi. That’s the realistic outcome, but the money has probably already gone.

The Bitcoin Cafe owes around $550,000 but there is a dispute with the amount and now a petition to bankrupt the company has been filed. Basically it’s not likely any significant sum of money is recoverable anyway.

Karpeles has a personal “loan” of around $1.2 million from MtGox, and he has not provided a replayment plan. In other words it doesn’t seem like he’s planning to pay it back. So Kobayashi will take legal action if this continues. How this loan came about is unknown. I’d venture he’s been gleefully throwing money around between business and personal accounts and god knows where else, and when the music stopped this is the shortfall which was not accounted for in his other company bank accounts.

Kobayashi was asked to give details of the $100,000 per month payments to Karpeles / Tibanne, and put them on the internet. He said he would take the point into consideration. He was pressed again on it but wouldn’t give any commitment. I can’t think of a valid reason for this to be hidden from us, and apparently neither can Kobayashi.

I asked in possibly the worst Japanese ever why Karpeles/Tibanne was being commissioned vast sums to help when they had already proven their incompetence, and why they couldn’t bring in an expert instead. Kobayashi said they don’t know where the information is so even if they had an expert they would be stuck. I think that basically means we’re being held to ransom because the data is in a mess. I would say Karpeles knows the information is needed to get through the bankruptcy process, so he can squeeze whatever ridiculous sums he likes for it. Any pretence that he has any sorrow for the creditors’ loss and wants to pay us back is now looking about as genuine as a goxcoin.

Kobayashi also said they don’t think it’s weird to be getting help from Karpeles. I’d say that given the allegations of massive fraud, it is rather weird! Imagine Madoff doing the investigation into his own ponzi scheme. The fact is that the data should have been signed over to a 3rd party at the very beginning, around the same time Karpeles should have been fitted with a shiny new pair of handcuffs.

Karpeles was asked why he wouldn’t give the money back which he “borrowed”. He said he wouldn’t answer. Asked why he wouldn’t answer, he said he didn’t want to answer.

Kobayashi got a grilling on why he was accepting that Tibanne and MtGox were separate entities. The point was made that MtGox never really existed as a separate company because it had no employees, and basically that it was just an artificial extension of Tibanne. Kobayashi said that they regard them as separate companies and we might think it’s illegal to keep the companies separate but it isn’t. Very poor answer.

After the creditors meeting I went to the press conference for the Kraken deal. It turned out that Kraken is not just giving some consulting help but is actually being handed over some serious responsibility. The fact that this press conference was even set up showed this. Their task is to try to track the bitcoins, but also to help with bankruptcy payouts and proof of claims.

Deloitte is currently handling the bitcoin tracing and Kraken is meeting them tomorrow to discuss the situation. Maybe the task will eventually get fully handed over to Kraken or maybe they will work together somehow.

I ended up going for dinner with Jesse Powell the CEO of Kraken and his team, along with Daniel Kelman from Bitocean, Roger Ver (who did a runner after we sat down), J Maurice aka Wiz, and some others with less rap-sounding names.

I was very impressed with Jesse’s attitude, he seems very down-to-earth and genuine (and the others at Kraken also). I asked him if it would be made public how much they were getting paid, but it turns out Kraken actually effectively paid MtGox $300,000 for the privelege of helping them! This is a world away from how things have been going so far – which is MtGox throwing around the largest sums of cash possible at people who don’t necessarily seem a natural fit for the task, and hoping everything will somehow work out. We now have quite a trusted name in the bitcoin industry, and he has said he is willing to be open with the investigation in terms of collaborating with others in the bitcoin world. But of course he can only be as open as Kobayashi allows him to be, and we don’t know yet what he will allow. 

Kraken have actually been talking with Kobayashi for 8 months now, giving occasional advice, and they’ve just got to the point of making a deal. They say they want to get the bitcoins returned ASAP, faster than has been planned.

Anyway I’ve got to get some sleep now. I’ve dedicated less space to the Kraken part than it deserved. If I have time tomorrow to add anything then I will. It’s a very positive and exciting development that they are now on board and that they seem to have a lot of control. So to sum up the meeting overall, I’d say it was bittersweet.

Karpeles back at MtGox office, TV reporter almost strangled!

karp-tie1-e1398925403282

1st May 2014

I’m back in Tokyo! While I was doing an interview with TV Tokyo, Mark Karpeles suddenly turned up in the background. He came out of the MtGox office wearing a suit and was waiting to get into a chauffeur-driven car. We were across the street so he didn’t see us until the TV Tokyo reporters ran over. One of them tried to talk to him and Karpeles got into the car quickly and closed the door on him, trapping the reporter’s tie! He wouldn’t open the car door to free him, it’s possible he didn’t know why he was knocking on the window. We were half expecting the car to drive away dragging him down the street. Eventually he opened the door and the reporter was freed, fun over. I wonder what he was doing at the MtGox office if he has nothing to do with the company any more. It looks like it was something official.

Where Are Our Bitcoins – Is Mark Karpeles guilty of massive fraud?

It barely needs to be mentioned that the idea of MtGox suddenly finding 200,000 missing bitcoins is ludicrous. I have strong faith in the incompetence of Mark Karpeles but I don’t believe for a second that he was unaware of these coins. There are few people in the history of the world who could claim to have lost all their assets yet completely forgotten about $150 million they had lying around.

I’ve been asked countless times in interviews whether I believe MtGox deliberately defrauded their customers. I do believe that they perpetrated fraud against their customers, but I didn’t necessarily believe that they were behind the missing bitcoins. Now it’s getting harder and harder to believe they were not involved in some way.

If 200,000 bitcoins were found, this means there could have been no record of them being taken in the first place. If this is the case, why would Karpeles have claimed/believed they were stolen? Let’s just check what MtGox actually claimed:

“We found that a large amount of bitcoins had disappeared […] We believe that there is a high probability that these bitcoins were stolen”

That’s a nice way of implying that they were stolen but in a way they can retract later if need be.

Recently a technical analysis by ETH Zurich University in Switzerland has showed that no more than 386 bitcoins could possibly have been stolen through any transaction malleability attack at MtGox, and it was probably far less. If that is the case then Karpeles would certainly know this because he has all the records. Why has he been deliberately spreading the belief that they were stolen via malleability problems?

Why won’t Karpeles explain where the “missing” coins have gone to or which wallets they were stored in? If they were taken, the evidence will all be there both on the public blockchain and internally on MtGox’s computers. All we need are the bitcoin wallet Ids and we can see for ourselves where they were transferred to. I can’t think of any possible innocent reason to conceal this information. In fact, Karpeles is required by law to disclose it to the creditors but he will not do so. Similarly, he won’t explain where the missing $28 million of customer cash deposits has gone.

If Karpeles suddenly found 200,000 bitcoins in a secure offline wallet, why would he immediately upload them into a hot wallet on the MtGox online system which he knew has been breached by hackers in multiple ways? This system was still connected to the internet at the time, and he left them sitting in there for a week! MtGox later claimed in a court statement that they did it for “security purposes”. MtGox also claimed in court documents that the last remaining 2,000 bitcoins was left sitting in the online hot wallet in March. If he believed the other coins had been hacked why on earth would he do this?

This is all very reminiscent of the pre – bankruptcy protection times when we couldn’t get our money out. We were all left to guess what was going on. We were served up with a menu of misdirection, half-truths, withholding of information, and probably all-out lies. I have to think that there is still quite some cover up going on here. I think it’s likely the coins were not stolen from outside the company, at least not during any recent hacks. It’s possible the bitcoins have been missing for years, and the company could have been fraudulently taking people’s deposits all that time and trying to cover it up. If this was the case it would have been a classic ponzi scheme.

On Thursday 27th March Mtgoxrecovery.com published 3 court documents in their case against MtGox. They are doing a great job of forcing the company to account for their actions and ensuring they don’t get away with cheating the system. It is their belief that Karpeles would not have announced the finding of the 200,000 bitcoins on 20th March if he had not been forced to by mtgoxrecovery.com reporting it to the court on 11th March. (And I know that other parties have been reporting it to the court too).

The monthly civil rehabilitation report which MtGox filed on March 10th does not mention the found 200,000 bitcoins. This bitcoin “discovery” is by far the most important event since the start of the civil rehabilitation. Why would this have been concealed from the monthly report?

In the court documents, mtgoxrecovery.com highlight several inconsistencies in the official court statements of MtGox, some of which are covered in this blog post. It’s quite shocking that they are submitting what clearly seems to be unfactual information to the court. Their explanations for their suspicious actions do not make sense. In my view they are blatantly trying to mislead the court and their creditors, and they are making a mockery of the civil rehabilitation process.

Some quotes from Mtgoxrecovery.com in the court documents:

“[MtGox] has been conducting transactions that raise a danger of hiding most of its assets”

It is becoming increasingly questionable whether any ‘loss of bitcoins’ actually occurred”.

We cannot help but coinsider that [MtGox] had hidden such enormous assets of approximately 200,000 bitcoins at the time of filing for commencement of civil rehabilitation proceedings”

As is well known, Mr Karpeles […] lacks credibility”

MtGox’s real plan?

The civil rehabilitation procedure is MtGox’s attempt to keep the company running in the long term, it is not any form of bankruptcy procedure. It protects them from lawsuits and bankruptcy. They have made it clear that their plan is to reopen the exchange. The question is how? I have no doubt that their hope is to use our bitcoins as part of this.

In the application for Civil Rehabilitation proceedings, they claimed the value of the lost bitcoins was 13,472 yen ($130) per bitcoin! Clearly untrue. They used the crazy fake trading price on their exchange at the time it closed down. If they were able to get away with only paying us back at a rate of $130 per bitcoin whilst keeping their company running, they might be able to use the ‘found’ 200,000 bitcoins to not only ‘fully’ pay us back, but they could end up left over with a huge 9-figure dollar profit at the end of it – depending on the price of the bitcoins when cashed in.

Mtgoxrecovery.com are pushing to end the civil rehabilitation, which would be a good thing for all of us. Karpeles should not be allowed to continue running the company and continue controlling our assets in mysterious, unexplained ways. Hopefully the court will do the right thing and we will see the procedure struck off. There will be a hearing on May 9 to decide this.

If it’s allowed to continue, we will still have the ability to vote against whatever the plan might be but it could add several months onto the time we wait to receive any money back.

I will be putting an article up later this week which shows how you can help to stop this from going ahead.

What was really going on inside MtGox – part 1 – Bitcoins and Hacking

We’ve spoken to insiders who have given their accounts of happenings inside MtGox. There’s too much to put into one post so this is part 1.

Security

We asked about the security of the MtGox computer system.

There was money and bitcoins being sent into MtGox. It’s supposed to be a secure environment right?”

<laughs>

“Ha ha. That’s funny”

“Security’s pretty lax.”

We were told how it was common for outside security researchers (not affiliated with or working for the company) to find security bugs and send these in. They were generally not accepted and ignored. Regarding the support staff we were told:

“They didn’t know anything about security. They’d say ‘Well I tried this and it didn’t work, it’s not a bug.’ Obviously [the security researchers] would go full disclosure because we wouldn’t accept it as a bug.”

This means that security bugs in the MtGox system would be published openly on the internet by well-meaning researchers in an effort to force a solution to be found. The fact that MtGox allowed this to happen is absolutely staggering. It’s a double-whammy – the bugs were not fixed AND they ended up being made public on the internet. Any company with responsibilities like this should have at least 1 dedicated security professional who will respond thoroughly to any security bug reports, and preferably they should have a team of them. A single bug could end in disaster.

January/February meltdown

Everything started to go visibly wrong at the end of January, with bitcoin withdrawals getting “stuck”. Customers were finding the coins they tried to withdraw went through the normal withdrawal process but didn’t appear in their destination wallets. This went on for 2 weeks before withdrawals were finally deactivated completely. During most of that time, no explanation was given. We asked what was going on there:

“They didn’t really understand what was going on. They didn’t realise the seriousness of the problem.”

So everyone who tried to withdraw found their bitcoins disappeard and it took MtGox 2 weeks to actually care about it ?”

“Well they just figured it’ll go its course.”

“Mark distracted himself very much from this thing using the Bitcoin Cafe and his cash register [for the Bitcoin Cafe] and Shade 3D [a company Karpeles recently bought], and pretty much anything other than day-to-day business affairs.”

“Marion [who worked on payments] was… I’m not sure what she was doing. But things were just getting lost. And reappearing. There was no tracking going on. ”

What about customer complaints and support requests about this?”

“They had lots of templates and canned responses and it was CLICK CLICK next.”

“No one really cared. Marion told those guys just do whatever. To be fair there were a couple of support guys who really did care. But depending on who you got it could get really bad.”

My own experience with their “support” backs this up. That is why I had to fly out to Tokyo to find out for myself.

Widespread account hacking at the time of the withdrawal problems

“One guy[‘s account] got hacked and he got so desperate he emailed every single Tibanne email address he could find on the internet. Just because support would not answer him for days. ”

He got hacked?”

“Yeah his account got compromised. Support just told him to file a criminal complaint.”

So did it seem like someone hacked into the customer’s computer?”

“No no no no. What was going on was – this was the 4th February – they were talking that there must be an unfound security flaw somewhere in the codebase. We don’t know where, we don’t know what. We don’t really have access to the logs that can prove anything.”

We were told that a very large amount of accounts were being hacked at this point, in a very short period of time. This was why MtGox suddenly introduced an automatic email telling users when someone logged into their account and what the login IP address was.

“Because we just didn’t know any other way we could track this. And it was mostly chinese IP addresses. Probably proxy servers or something like that. Just someone, somewhere had insider knowledge that we did not have. Accounts were being hacked left and right. …  It’s not random. This was from approx 31st jan onwards”

“They got an email informaing them of their withdrawal. Telling them to contact support if it wasnt them.

Then theyd contact support and wait 2 weeks and nothing would happen.”

Faced with such a serious situation, any exchange like this should have without question immediately shut off account logins and traced the bug. Back in September 2013, a Reddit user called Belkor described a similar hack into his MtGox account. He had a hardware security YubiKey (similar to an online banking password generator device) but his account was still accessed. He was asleep at the time. Bypassing the YubiKey would indicate the breakin was done either internally at MtGox or by someone who had control over MtGox’s computer system.

On 10th February MtGox made an announcement to customers about a malleability bug and blamed it on the bitcoin protocol. There was a large community backlash because it was clearly a fault within MtGox and not with bitcoin. It seems very likely that this statement was a cover-up of the hacking and other problems – such as having lost everyone’s bitcoins. However it was enough to put many customers at ease, believing the problems may have really been just a techinical fault which would be fixed. MtGox continued to accept people’s deposits.

A big question is whether there is a link between this hacking and the missing 850,000 bitcoins. They are not necessarily related. Maybe if the exchange was already running low on its coin supply and a lot of account withdrawals were suddenly being made by hackers this could have pushed the situation to crisis point and caused the exchange to hit empty.

We asked a source if he thought that the malleability problem was really what caused the main bitcoin theft.

“I think it’s bullshit.”