Background
For a quick refresher course on the various incidents and thefts from MtGox, see my 2017 presentation on the topic. In short, there were multiple different thefts from MtGox, including but not limited to:- The main theft, responsible for over 600,000 BTC gradually stolen throughout 2011–2013, began when the hot wallet was stolen on September 11, 2011.
- Approximately 2,000 BTC was stolen and the market was crashed after someone gained access to the admin account of original owner Jed McCaleb in June 2011.
- A side wallet containing 300,000 BTC was stolen from Mark Karpelès' computer in May 2011 (these funds were returned by the thief).
- During the handover from McCaleb to Karpelès, circa 80,000 BTC was stolen after the hot wallet was stolen from McCaleb's server on March 1, 2011.
The last item is the incident we'll cover in this post. Again, this is not the same theft as the main theft, nor is it the same as the June 2011 hack.
What we know
The first public mention of this theft was when journalists published emails from Karpelès' criminal trial in which a missing 80,000 bitcoins was being discussed by Karpelès and McCaleb (specifically, how to recover from the loss). A chat log between Karpelès and McCaleb from the time of the incident in question has also become public as part of a 2017 lawsuit against MtGox and its administrators, and details MtGox's response to the hack.After repeated leaks of large volumes of internal accounting data from MtGox (which I have been researching and further refining over a period of several years), we can reconstruct most if not all blockchain activity for the exchange all the way back to 2010/2011, identifying deposits and withdrawals. Basic blockchain reconciliation involves matching up blockchain transactions with accounting records, and especially looking for unusually large transactions that move funds out of the wallet without accounting records.
Turns out that in all of the blockchain there is only one transaction that fits the bill, and it raises plenty of red flags:
- It completely emptied the exchange's hot wallet at the time (save for a fraction of a BTC). This is extremely implausible for legitimate withdrawals, since even if any customers with that high a balance existed, they would not have known to withdraw exactly that amount.
- There is no logged withdrawal corresponding to this transaction.
- The change output was a reused address, something the bitcoind wallet never does (standard behavior is to use a new private key for every change output). However, this does happen when starting a second wallet instance from a copy of a wallet.dat file due to the embedded "keypool". The wallet file contains the "next" 100 keys already pregenerated, so the copy will initially use the same sequence of "new" keys as the original wallet for things like change outputs. These "overlapping" change addresses are a recognizable fingerprint of a copied/stolen wallet.dat file.
A slice of the transaction graph around the theft transaction allows us to conclude with a high certainty that this is indeed the MtGox hot wallet (all surrounding transactions are normal MtGox deposits and withdrawals), with the theft transaction standing out like a sore thumb.
The chat log between McCaleb and Karpelès is consistent with and corroborates these findings, including the fact that Karpelès identified the same transaction back in 2011. Their hack response found that the server had been hacked and rooted and had its logs wiped, though contrary to early suspicions that the hackers used the unprotected wallet RPC interface to empty the wallet, our forensic examination shows that it's more likely the hackers had full access to the files and copied the wallet.dat file.
Note: In early 2011 all wallet.dat files were still unencrypted and not protected by passwords. Encrypted wallets were introduced with Bitcoin version 0.4 released in late September 2011 — alas just slightly too late for MtGox, whose main wallet got stolen again just weeks before then...
Timeline
Timestamps use block times where applicable, so take this into account, i.e. events happened in time for transactions to get included in a block with that timestamp.- During January 2011, Jed McCaleb is looking for someone to take over MtGox. One of the people he is talking to is Mark Karpelès. In anticipation of this, McCaleb moves the majority of customer funds out of the main hot wallet and into a side wallet held by himself.
- In February 2011, a sale agreement between McCaleb and Karpelès is finalized, and the two begin preparing the handover, which ends up taking several months as McCaleb gradually turns over various credentials and assets.
- At some point on or prior to March 1, 2011, hackers gain access to the main MtGox server. The server also hosts a WordPress installation on the same machine and database, so this is a possible entry point since WordPress has historically been notorious for its many security vulnerabilities.
- Shortly before 17:30 UTC, the hackers copy the wallet.dat of the hot wallet hosted on the server. The top of the keypool (i.e. the next "new" key that will be returned) in the wallet at this time is 1GPuT4JD1yKTEGnw2csTCqSAtS3DRiTD69.
- At 17:30 UTC, the wallet on the server uses this key as a change address for a withdrawal transaction.
- Almost two hours later, at 19:26 UTC, the hackers have loaded the stolen wallet.dat file into a wallet instance on their own machine and move all accessible bitcoins to the address 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF.
- The MtGox hot wallet manages to keep running and processing withdrawals thanks to new incoming customer deposits, but it's running on fumes. The stolen bitcoins amount to about a third of all customer deposits at the time, with the rest being held by McCaleb.
- On March 3, McCaleb notifies Karpelès about the theft with a now infamous "something bad happened" chat message. Karpelès helps McCaleb secure the machine and move MtGox over to new hosting.
- The stolen coins remain in the same location unmoved to this day, prompting theories that the hackers may have lost the private keys.
Frequently Asked Questions
- If these are stolen coins, why hasn't the MtGox trustee stated so or filed a police report?
- The MtGox trustee has not published or commented on any thefts or addresses, nor are police investigations public, so the lack of public statements is not a data point either way. The theft (including the transaction/address) is known to both the trustee and Japanese police and has been discussed in both Japanese and US courts.
- Can the stolen bitcoins be recovered?
- Only if the thief is found and still has the private key and can be compelled to return the funds, which are all pretty big ifs. Bitcoins can't really be claimed or "confiscated" in normal terms, especially when the owner is unknown — you'd need to convince network participants to hard fork to move the coins, which is very unlikely to happen. This grim outlook for recovery probably helps explain why you don't hear the police or the trustee talk about this and other thefts.
- If the MtGox data comes from leaks, how can you trust it?
- I don't "trust" it. All data sources are part of the overall forensic examination, which means all assumptions are tested and all conclusions are scrutinized for inconsistencies. This degree of caution is why I can speak confidently, because I do weigh the evidence and test any hypotheses, and what I eventually report is what has stood the test of time.
- How can you trust the word of Karpelès, a known scammer/liar/thief/etc.?
- See above; I don't. I've evaluated his statements on this matter along with everything else and found them consistent with the evidence.
- Surely this is all just circumstantial evidence?
- Maybe, but it's several pieces of evidence that all consistently point in a single direction. And if we're evaluating the relative weight of the evidence, well that depends on what evidence we're weighing it against, doesn't it? To the best of my knowledge, there is only one coherent story behind these coins that is supported by any evidence at all.