$47 000 USD

JUNE 2011

JAPAN

MT. GOX

DESCRIPTION OF EVENTS

"Mt.Gox is the world's most established Bitcoin exchange. You can quickly and securely trade bitcoins with other people around the world with your local currency!" "It allows you to trade US Dollars (USD) for Bitcoins (BTC) or Bitcoins for US Dollars with other Mt Gox users. You set the price you want to buy or sell your BTC for." "Buy Bitcoins at market rates with your credit card or many other payment methods." "Automate your trading with our Trading API" "Dark pools allow you to trade large quantities without moving the market."


"4 Easy Steps: 1. Make an Account. 2. Add some funds. 3. Buy or Sell Bitcoins. 4. Withdraw your converted funds." "Fully automated, always available, 24 hours a day, Safe and Easy."


"Mt.Gox is protected by Prolexic and certified by VeriSign, which means all communications with our servers are encrypted with SSL technology." "We're always on. Buy and sell Bitcoin 24/7/365 with the world's most sophisticated trading platform." "Buying and selling Bitcoin doesn't have to be complicated! Get trading in a few simple steps." "The only multi-currency Bitcoin trading platform where you can trade with the entire world in your local currency."


"On 13 June 2011, the Mt. Gox bitcoin exchange reported some 25,000 BTC (US$400,000 at the time) robbed from 478 accounts. Then on Friday 17 June, Mt. Gox's user database leaked for sale to pastebin, signed by ~cRazIeStinGeR~ and tied to auto36299386@hushmail.com. The theft of Bitcoins from Mt. Gox accounts continued, reportedly, throughout that day."


“On June 19, 2011” an “auditor was hired to verify that Mt. Gox had sufficient bitcoin and cash reserves to cover its holdings, but the hacker was able to use the auditor’s computer to steal bitcoins from the exchange. The hacker used the auditor’s access to sell bitcoins to his or her own wallet, causing the price of bitcoin on the exchange to plummet. The hacker acquired an estimated 2,000 BTC through this strategy, with an additional 650 BTC purchased by other Mt. Gox users at deflated prices.”


This "security breach ... caused ... the price of a bitcoin to fraudulently drop to one cent, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself." "On 19 June, a stream of fraudulent trades caused the nominal price of a bitcoin to fraudulently drop to one cent on the Mt. Gox exchange, after a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer to transfer a large number of bitcoins illegally to himself. He used the exchange's software to sell them all nominally, creating a massive "ask" order at any price. Within minutes the price corrected to its correct user-traded value. Accounts with the equivalent of more than $8,750,000 were affected."


"The forum has a thread with the title “I'm Kevin, here's my side”, in which the user toasty tells how, once he saw that a gigantic sell order was burning through the bids at the exchange, the price dropped from $17.5 to $10. Mt. Gox processed orders slowly, and it all lasted minutes. There were many orders to buy bitcoin for $0.01, so he placed his order for $0.0101. The exchange was heavily lagging, but with some effort he managed to place that order. Then the site stopped responding completely; when he got back in, he saw:"


"06/19/11 17:51 Bought BTC 259 684.77 for 0.0101"


"He realized that these bitcoins were most likely from hacking and wanted to behave as honestly as possible, especially since the day before he had sent his ID documents for verification. There was a limit on withdrawals, but there was a bug that allowed you to withdraw $1000 many times in a day; he could also have sold a huge number of bitcoins, lowered the price again to 0.01 cents, and withdrawn all the bitcoins fitting in the daily limit, but he did not do it; he only withdrew 643 bitcoins. He hoped until the end that he would be allowed to keep these BTC, but there was a decision to roll back all transactions, and Kevin gained only 643 BTC."


"To prove that Mt. Gox still had control of the coins, the move of 424,242 bitcoins from "cold storage" to a Mt. Gox address was announced beforehand, and executed in Block 132749."


“None of the [withdrawn] bitcoins were returned to their rightful owners.”

Although Mt. Gox is today synonymous with its most famous hack, in June 2011 it was a massive exchange in full operation. A hacker used an auditor's credentials to manufacture bitcoins in the exchange's database, sold them on the exchange, including to himself, and then withdrew the proceeds. Reports suggest that the lost funds were not returned to their rightful owners.

HOW COULD THIS HAVE BEEN PREVENTED?

Generally, the ability to mint new coins in the exchange's database needs tight access control. For example, an auditor's access level should be read-only.


Regarding the lost funds, these all came from the hot wallet. Serious losses can be prevented with a multi-signature cold storage wallet, which limits the total loss to the funds held in the hot wallet. An auditor has no need for access to any funds: control of the funds can be proven by creating a small transaction or by partially signing a hypothetical transaction.
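As an added illustration of both points above (a read-only auditor role that cannot credit balances, and a hot/cold split where the cold wallet only refills the hot wallet under a signer quorum), here is a toy exchange ledger in Python. It is not Mt. Gox code; the role table, signer names, threshold and amounts are all constructed.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


# Constructed role table: auditors and traders may only read; only the
# treasury role may credit (mint) balances, the control the text argues for.
ROLES = {"auditor": {"read"}, "trader": {"read"}, "treasury": {"read", "credit"}}


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)   # user account -> BTC
    hot_wallet: float = 0.0                        # BTC reachable by the online system
    cold_wallet: float = 0.0                       # BTC held behind a signer quorum
    cold_signers: frozenset = frozenset({"ops-a", "ops-b", "ops-c"})  # constructed
    cold_threshold: int = 2                        # 2-of-3 multi-signature (constructed)

    def _require(self, actor_role: str, perm: str) -> None:
        if perm not in ROLES.get(actor_role, set()):
            raise PermissionDenied(f"role {actor_role!r} lacks {perm!r}")

    def balance(self, actor_role: str, account: str) -> float:
        self._require(actor_role, "read")
        return self.balances.get(account, 0.0)

    def credit(self, actor_role: str, account: str, amount: float) -> float:
        """Credit an account from the hot wallet; a credit can never exceed
        hot-wallet reserves, so compromised online credentials have a cap."""
        self._require(actor_role, "credit")
        if amount <= 0 or amount > self.hot_wallet:
            raise ValueError("credit exceeds hot-wallet reserves")
        self.hot_wallet -= amount
        self.balances[account] = self.balances.get(account, 0.0) + amount
        return self.balances[account]

    def refill_hot(self, amount: float, approvals: set) -> float:
        """Move cold -> hot only with a quorum of distinct authorised signers."""
        valid = approvals & self.cold_signers
        if len(valid) < self.cold_threshold:
            raise PermissionDenied("insufficient cold-wallet signatures")
        if amount <= 0 or amount > self.cold_wallet:
            raise ValueError("not enough cold funds")
        self.cold_wallet -= amount
        self.hot_wallet += amount
        return self.hot_wallet


def worst_case_exposure(ledger: Ledger) -> float:
    """Upper bound on what a stolen online credential could drain: the hot wallet."""
    return ledger.hot_wallet
```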


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.