Mt. Gox Bitcoin Meltdown: What Went Wrong
Transaction malleability attacks and cold-storage software bugs both cited after nearly $500 million worth of bitcoins vanish.
Mt. Gox, recently the world's third-largest bitcoin exchange, has melted down in spectacular fashion, triggering an investigation by Japanese authorities. The CEO of Tokyo-based Mt. Gox, Mark Karpeles, filed for bankruptcy protection Friday, revealing that about $500 million in bitcoins stored by the exchange have been stolen, comprising 750,000 bitcoins deposited by users of the site, and 100,000 owned by Mt. Gox.
But in the bankruptcy filing, the exchange reported that it doesn't know what technique -- or techniques -- attackers used to steal the bitcoins, exactly how many were stolen, or when the thefts occurred. While Mt. Gox suspects that the exchange was hacked, it's reviewing transaction reports to establish what happened. "As of this date, we cannot confirm the exact amount of missing deposit funds and the total amount of bitcoins which disappeared," it said.
Karpeles, speaking Friday at a Tokyo press conference called to announce the company's bankruptcy, said that unspecified weaknesses were to blame. "We had weaknesses in our system, and our bitcoins vanished. We've caused trouble and inconvenience to many people, and I feel deeply sorry for what has happened," he said, reported Wired.
One likely explanation for the missing bitcoins is that attackers exploited transaction malleability. On February 10, Mt. Gox issued a statement -- since removed from its site -- blaming a "design issue" in Bitcoin: a third party can alter the hash (the transaction ID) of a withdrawal that has not yet been committed to the Bitcoin blockchain, which serves as the world's master ledger for all bitcoin transactions, without invalidating the transaction itself. Exchange software that tracks a withdrawal only by its original ID then never sees that ID confirm, concludes the payment failed, and can be talked into sending the coins again.
But Mikko Hypponen, chief research officer at F-Secure, said that the weaknesses may involve coding flaws that were only discovered after the exchange came under attack. "My current theory is that [Karpeles], who seemingly runs it as a dictatorship, somehow -- because he's written himself most of the code for storing the coins -- he screwed up the code, and he never really tested if he can recover the coins from the cold storage," he said in an interview Thursday in San Francisco. He was in the city presenting at TrustyCon, which was organized by RSA conference boycotters. "When they had these malleability problems, he needed to access the cold storage coins, and he realized that he'd screwed up something five years ago, and for the last five years he's been storing coins that he can't recover."
Mt. Gox, which allowed users to convert bitcoins to dollars, and dollars to bitcoins, first halted withdrawals on February 7, before going offline entirely last Monday and deleting all posts from its Twitter feed.
That shutdown triggered an investigation by Japanese authorities. "I understand that ministries and agencies concerned -- financial services, police and the finance ministry -- are looking into the matter to learn the full scope of the issue," Yoshihide Suga, Japan's chief cabinet secretary, said last week prior to Mt. Gox declaring bankruptcy, the BBC reported. "Once we have full knowledge of what happened, we will take action if necessary."
Coindesk.com reported that federal prosecutors in New York City have subpoenaed Mt. Gox and requested that it retain copies of all documents that might be relevant to a criminal investigation. But a Department of Justice spokeswoman, reached by phone, declined to comment on that report.
Mt. Gox's bankruptcy filing followed Karpeles's resignation from the Bitcoin Foundation's board last Sunday, which came after he blamed the Bitcoin protocol itself for allowing hackers to empty Mt. Gox's coffers. He had held one of the board's three elected industry-member seats.
But Gavin Andresen, chief scientist at the Bitcoin Foundation, told the BBC last month that the related design problem isn't with the Bitcoin protocol, but rather the software built by some exchanges to process transactions. "The issues that Mt. Gox has been experiencing are due to an unfortunate interaction between Mt. Gox's highly customized wallet software, their customer support procedures, and an obscure -- but long-known -- quirk in the way transactions are identified and not due to a flaw in the Bitcoin protocol," he said.
Penetration testing expert Dan Kaminsky, chief scientist of White Ops, echoed that assessment, saying that whoever built the Bitcoin protocol made it incredibly secure. "In 2011, I spent four months trying to break Bitcoin and failed, and this was very interesting, because it shouldn't have failed," he said in an interview at last week's RSA conference.
Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.