More than a decade has passed since the theft of 850,000 bitcoins from rattled owners across the globe. The incident still surfaces frequently in discussions of crypto exchange security. To some it was a case of renegade entrepreneurism; others see a devastating combination of “poor management, neglect, and raw inexperience”.
Around 3 years later the company went bankrupt. This was no surprise to people familiar with the inner workings of the company. Beyond the disappearance of $460 million, apparently stolen by hackers, and another $27.4 million missing from its bank accounts, the collapse is said to be the result of a slack and casual attitude on the part of the CEO.
Below we look more closely at the circumstances that led to $460 million being drained from the exchange.
Late in 2006, programmer Jed McCaleb had the idea of building a website for the Magic: The Gathering Online fantasy card game service that would let users trade “Magic: The Gathering Online” cards like stocks. In January of the following year, McCaleb purchased the domain name mtgox.com, an acronym for “Magic: The Gathering Online eXchange”.
In late 2007, after an initial beta release, the website ran for about three months before McCaleb moved on to other projects.
In mid-2010, McCaleb decided that an exchange was needed for trading bitcoin against fiat currency. On 18 July 2010, McCaleb launched Mt Gox as an exchange and price quoting service, deploying it on the now spare mtgox.com domain name.
The Sell-Out, Security Breach, user DB leak, and Invalid address
In March 2011, McCaleb sold Mt Gox to French developer Mark Karpeles in the hope of passing the torch to someone more capable of taking the idea to the next level. Karpeles was living in Japan. McCaleb retained 12% of the shares while Karpeles now owned 88%.
On June 13, 2011, the Mt. Gox bitcoin exchange was reportedly robbed of some 25,000 BTC (US$400,000 at the time) from 478 accounts. Next, on Friday 17 June, Mt. Gox’s user database was compromised and posted for sale on Pastebin, signed by ~cRazIeStinGeR~ and tied to firstname.lastname@example.org. Bitcoins reportedly continued to disappear from Mt. Gox accounts throughout that day.
On June 19, a series of fraudulent trades drove the nominal price of a bitcoin down to one cent on the Mt. Gox exchange. This happened after a hacker allegedly logged in with credentials taken from a Mt. Gox auditor’s compromised computer and illegally transferred a large number of bitcoins to his own account. He then used the exchange’s platform to sell them all at once, creating a massive “ask” order that would fill at any price. Within minutes, the price was back at its correct user-traded value. Accounts valued at over $8,750,000 were affected. To establish that Mt. Gox still retained control of the coins, a transfer of 424,242 bitcoins from “cold storage” to a Mt. Gox address was announced beforehand and executed in Block 132749.
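To make the mechanism in the paragraph above concrete, here is an added example (not code from Mt. Gox or from the original article) that simulates a large market sell walking down a thin bid book, first unchecked and then with a price collar, a common exchange-side mitigation that refuses to fill far below the last reference price. All order-book figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Bid:
    price: float  # USD per BTC
    qty: float    # BTC resting at that price


def market_sell(bids, qty, reference_price, max_drop_pct=None):
    """Match a market sell against resting bids, best price first.

    bids: list of Bid sorted by price descending; consumed in place.
    max_drop_pct: if set, refuse to fill below reference_price * (1 - max_drop_pct),
    leaving the rest of the order unfilled instead of crashing the print.
    Returns (filled_qty, last_fill_price, unfilled_qty).
    """
    floor = None if max_drop_pct is None else reference_price * (1 - max_drop_pct)
    filled, remaining, last_price = 0.0, qty, reference_price
    for bid in bids:
        if remaining <= 0:
            break
        if floor is not None and bid.price < floor:
            break  # collar tripped: stop matching rather than print a bad price
        take = min(bid.qty, remaining)
        bid.qty -= take
        remaining -= take
        filled += take
        last_price = bid.price
    return filled, last_price, remaining


def sample_book():
    # Constructed, thinly populated bid side: a few plausible bids, then a deep
    # catch-all bid at one cent of the kind an unchecked market sell walks into.
    return [Bid(17.50, 100), Bid(17.00, 200), Bid(15.00, 500),
            Bid(1.00, 1_000), Bid(0.01, 1_000_000)]


def demo():
    # Same 200,000 BTC dump, with and without a 10% collar around $17.50.
    uncollared = market_sell(sample_book(), 200_000, 17.50)
    collared = market_sell(sample_book(), 200_000, 17.50, max_drop_pct=0.10)
    return uncollared, collared


if __name__ == "__main__":
    for label, result in zip(("no collar", "10% collar"), demo()):
        print(label, "-> filled %.0f BTC, last price $%.2f, unfilled %.0f" % result)
```

Without the collar the entire order fills and the last print is $0.01; with it, matching stops after 300 BTC and the remaining 199,700 BTC never trade, which is the kind of check that turns a price manipulation into a rejected order.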
Beneath the glamorous exterior, Mt. Gox was a disaster waiting to happen. The exchange, as it turned out, used no version control software at all — a standard, if not mandatory, tool in any professional software development environment. This meant that any coder could accidentally have overwritten a colleague’s code if both were working on the same file.
Moreover, the world’s largest bitcoin exchange had only recently introduced a test environment, which implies that, until then, untested software changes went straight to the exchange’s customers. Needless to say, this is not the kind of approach you would find on any professionally run financial services website.
Finally, only one person could approve changes to the site’s source code: Mark Karpeles. This suggests that bug fixes — or even security fixes — could sit in the queue for weeks before Karpeles got to them. “The source code was a complete mess,” remarked an insider.
So, could the Mt. Gox disaster have been avoided?
In 2014, after an insider’s account of the exchange’s inner workings surfaced, the general view tilted toward saying it could have been.
Given that no code is unbreakable, regular security fixes and professional security practices make break-ins harder and, in the worst case, can even help recover lost or stolen cryptocurrency. The episode reads as a clear case of taking security for granted.
Having said that, back in 2011 bitcoin was all of two years old. The technology was fairly nascent. Not a lot could have been expected of young tech entrepreneurs who revolutionized the digital currency space through continued innovation.