What was really going on inside MtGox – part 1 – Bitcoins and Hacking

We’ve spoken to insiders who have given their accounts of happenings inside MtGox. There’s too much to put into one post so this is part 1.

Security

We asked about the security of the MtGox computer system.

“There was money and bitcoins being sent into MtGox. It’s supposed to be a secure environment, right?”

<laughs>

“Ha ha. That’s funny”

“Security’s pretty lax.”

We were told how it was common for outside security researchers (not affiliated with or working for the company) to find security bugs and send these in. They were generally not accepted and ignored. Regarding the support staff we were told:

“They didn’t know anything about security. They’d say ‘Well I tried this and it didn’t work, it’s not a bug.’ Obviously [the security researchers] would go full disclosure because we wouldn’t accept it as a bug.”

This means that security bugs in the MtGox system would be published openly on the internet by well-meaning researchers in an effort to force a fix. The fact that MtGox allowed this to happen is absolutely staggering. It’s a double-whammy: the bugs were not fixed AND they ended up being made public on the internet. Any company with responsibilities like this should have at least one dedicated security professional who responds thoroughly to every security bug report, and preferably a team of them. A single bug could end in disaster.

January/February meltdown

Everything started to go visibly wrong at the end of January, with bitcoin withdrawals getting “stuck”. Customers were finding the coins they tried to withdraw went through the normal withdrawal process but didn’t appear in their destination wallets. This went on for 2 weeks before withdrawals were finally deactivated completely. During most of that time, no explanation was given. We asked what was going on there:

“They didn’t really understand what was going on. They didn’t realise the seriousness of the problem.”

“So everyone who tried to withdraw found their bitcoins disappeared, and it took MtGox 2 weeks to actually care about it?”

“Well they just figured it’ll go its course.”

“Mark distracted himself very much from this thing using the Bitcoin Cafe and his cash register [for the Bitcoin Cafe] and Shade 3D [a company Karpeles recently bought], and pretty much anything other than day-to-day business affairs.”

“Marion [who worked on payments] was… I’m not sure what she was doing. But things were just getting lost. And reappearing. There was no tracking going on. ”

“What about customer complaints and support requests about this?”

“They had lots of templates and canned responses and it was CLICK CLICK next.”

“No one really cared. Marion told those guys just do whatever. To be fair there were a couple of support guys who really did care. But depending on who you got it could get really bad.”

My own experience with their “support” backs this up. That is why I had to fly out to Tokyo to find out for myself.

Widespread account hacking at the time of the withdrawal problems

“One guy[‘s account] got hacked and he got so desperate he emailed every single Tibanne email address he could find on the internet. Just because support would not answer him for days. ”

“He got hacked?”

“Yeah his account got compromised. Support just told him to file a criminal complaint.”

“So did it seem like someone hacked into the customer’s computer?”

“No no no no. What was going on was – this was the 4th February – they were talking that there must be an unfound security flaw somewhere in the codebase. We don’t know where, we don’t know what. We don’t really have access to the logs that can prove anything.”

We were told that a very large number of accounts were being hacked at this point, in a very short period of time. This was why MtGox suddenly introduced an automatic email telling users when someone logged into their account and what the login IP address was.

“Because we just didn’t know any other way we could track this. And it was mostly Chinese IP addresses. Probably proxy servers or something like that. Just someone, somewhere had insider knowledge that we did not have. Accounts were being hacked left and right. … It’s not random. This was from approx 31st Jan onwards.”

“They got an email informing them of their withdrawal. Telling them to contact support if it wasn’t them.

Then they’d contact support and wait 2 weeks and nothing would happen.”

Faced with such a serious situation, any exchange like this should without question have immediately shut off account logins and traced the bug. Back in September 2013, a Reddit user called Belkor described a similar hack into his MtGox account. He had a YubiKey hardware security token (similar to an online banking password generator device) but his account was still accessed. He was asleep at the time. Bypassing the YubiKey would indicate the break-in was done either internally at MtGox or by someone who had control over MtGox’s computer system.

On 10th February MtGox made an announcement to customers about a malleability bug and blamed it on the bitcoin protocol. There was a large community backlash because it was clearly a fault within MtGox and not with bitcoin. It seems very likely that this statement was a cover-up of the hacking and other problems – such as having lost everyone’s bitcoins. However it was enough to put many customers at ease, believing the problems may really have been just a technical fault which would be fixed. MtGox continued to accept people’s deposits.
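As an added illustration (not code from this article, and not MtGox’s own software), here is a simplified model of why transaction malleability is an exchange-side bookkeeping problem rather than a protocol fault: a transaction’s id covers the signature encoding, so a third party can re-encode the signature and change the txid while the coins being spent stay exactly the same. A withdrawal tracker keyed on txid alone then believes the payment vanished, whereas one that matches on the spent inputs still recognises it. The transaction format and sample values below are constructed for the demonstration.

```python
import hashlib
import json

# Simplified transaction model (constructed for illustration): inputs reference a
# previous output and carry a scriptSig; the txid hashes the whole serialization,
# signature included, which is what makes it malleable.

def txid(tx):
    raw = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def outpoints(tx):
    """The coins spent, which no signature re-encoding can change."""
    return frozenset((i["prev_txid"], i["index"]) for i in tx["inputs"])

def malleate(tx):
    """Model of a third-party mutation: the signature is re-encoded in an
    equivalent form (here, a trailing no-op byte), inputs and outputs untouched."""
    mutated = json.loads(json.dumps(tx))
    for i in mutated["inputs"]:
        i["scriptSig"] += "00"
    return mutated

class WithdrawalLedger:
    """Two reconciliation strategies for outgoing withdrawals side by side."""
    def __init__(self):
        self.by_txid = {}
        self.by_outpoints = {}

    def record_sent(self, tx):
        self.by_txid[txid(tx)] = tx
        self.by_outpoints[outpoints(tx)] = tx

    def confirmed_by_txid(self, seen_tx):       # fragile: breaks under malleation
        return txid(seen_tx) in self.by_txid

    def confirmed_by_outpoints(self, seen_tx):  # robust: keyed on coins spent
        return outpoints(seen_tx) in self.by_outpoints

def sample_withdrawal():
    # Constructed sample values, not a real transaction.
    return {
        "inputs": [{"prev_txid": "aa" * 32, "index": 0, "scriptSig": "3045aabb"}],
        "outputs": [{"address": "customer_addr", "value": 1.5},
                    {"address": "hot_wallet_change", "value": 0.4}],
    }
```

If reconciliation only ever looks up the original txid, a malleated copy that confirms on chain looks like a failed withdrawal, which is the precondition for re-sending coins that have already left.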

A big question is whether there is a link between this hacking and the missing 850,000 bitcoins. They are not necessarily related. Maybe if the exchange was already running low on its coin supply and a lot of account withdrawals were suddenly being made by hackers this could have pushed the situation to crisis point and caused the exchange to hit empty.

We asked a source if he thought that the malleability problem was really what caused the main bitcoin theft.

“I think it’s bullshit.”
