MtGox bitcoin debacle: huge heist or sloppy glitch?
SINGAPORE: Close to half a billion dollars' worth of the bitcoin virtual currency has gone missing from an exchange in Tokyo — in what is either the bank heist of the century or a sloppy glitch, or a combination of the two.
Mark Karpeles, the 28-year-old French CEO of MtGox, which once handled around 80 per cent of the world's bitcoin trades, filed for bankruptcy at a Tokyo District Court late on Friday. His lawyer said that nearly all the bitcoins in the exchange's possession — 850,000 of them — were missing. Karpeles blamed hackers. At current bitcoin rates on other exchanges, that would mean $473 million is lost — around 7pc of all bitcoins minted.
"If the theft is true," said Campbell Harvey, a professor at Duke University's Fuqua School of Business, "it's the biggest bank heist in history," aside from when Saddam Hussein ordered his son to withdraw $1bn from Iraq's central bank in 2003.
How this happened remains a mystery. But most observers say MtGox's laxness played a key role in the debacle.
"When I first signed up to it, it was clearly not fit to be a financial services company," said Jon Rushman, who researches and lectures about bitcoin at England's University of Warwick. But things got better, he said: "It has been a process of learn-by-doing that they have discovered all sorts of things they should be doing, but were not."
No official explanation has been forthcoming beyond blaming hackers and weaknesses in MtGox's system.
A document circulating on the internet that purports to be a crisis strategy paper prepared on behalf of MtGox blamed the hole on a "malleability-related theft which went unnoticed for several years." MtGox has not confirmed the authenticity of the document.
The phrase, says Ethan Heilman, a research fellow at Boston University, refers to a bug in the bitcoin process whereby someone could trick MtGox into thinking a transaction had failed — and therefore keep repeating it.
This, say Heilman and others, could explain the disappearance of the money — even though the bug has been known for a while, and has been fixed on other exchanges.
More problematic is another part of the document's purported explanation.
Usually bitcoins' private keys — something similar to a personal bank PIN code — are stored offline, where hackers can't get them. This 'cold storage' is unconnected to the online part — the hot wallet. The document says "the cold storage has been wiped out due to a leak in the hot wallet" — a statement experts say doesn't make sense.
If true, this suggests the vast majority of MtGox's bitcoin deposits were leaking out without anyone noticing.
This stretches credibility, says Anthony Hope, who heads compliance for Hong Kong-based bitcoin company MatrixVision. Once MtGox was aware of the malleability bug, why didn't they check their cold storage? "This is like someone saying that you put your wine in a cellar to keep cool, then someone tells you that a particular vintage had loose corks," he said. "You'd presumably go into the cellar to ensure your bottles were not affected."
At Singapore-based Coin Of Sale, Tomas Forgac said: "If this was long-term leakage which went unnoticed, it shows an unbelievable level of incompetence."
— Reuters