Naked Security

Mt. Gox founder Mark Karpeles arrested – but not over missing Bitcoinage

Mt. Gox founder Mark Karpeles has always denied any wrongdoing in the implosion of his Bitcoin exchange. But he's just been arrested anyway, apparently for overstating his financial situation by US$1,000,000 almost a year before the bankruptcy.

From a marketing point of view, 2014 could have been a much better year for the cryptocurrency known as Bitcoin.

Bitcoin isn’t really a currency, at least in the traditional sense, because there’s no central regulatory authority that issues coins and banknotes or controls the total amount of the currency in circulation at any time.

In the Bitcoin world, “coins” are “minted” (or, more accurately, mined) by getting lucky in what is effectively an arithmetic lottery based on cryptography.

In place of an issuing authority with a list of all the banknote serial numbers that exist, Bitcoin revolves around a public, distributed database called the block chain that keeps a record of which “coins” have been mined so far, and how they’ve been spent.

→ The arithmetic in the Bitcoin system limits the total number of bitcoins that can ever be mined to about 21,000,000. The block chain acts as a pseudo-anonymous register of all bitcoins mined so far. This prevents two people coming forward and claiming to “own” the same coin, or part thereof. The block chain therefore acts as the Bitcoin ecosystem’s arbiter to stop people saying, “Hey, I never got paid,” or, “Hey, I never spent that amount, it still belongs to me.”
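The register idea described above, as an added toy example that is not part of the original article and is not Bitcoin's own code: a hash-chained ledger that mines each block by trial and error, refuses to let the same coin be spent twice, and notices if recorded history is edited. The names, the three-zero difficulty prefix and the owner-by-name model are assumptions made for illustration; real Bitcoin uses digital signatures, transaction outputs and a far harder numeric target.

```python
import hashlib, json
GENESIS = "0" * 64
TARGET_PREFIX = "000"  # assumed toy difficulty; Bitcoin's real target is far harder

def block_hash(block):
    body = {k: block[k] for k in ("prev", "txs", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def mine(prev, txs):  # the "lottery": try nonces until the hash meets the target
    block = {"prev": prev, "txs": txs, "nonce": 0}
    while not block_hash(block).startswith(TARGET_PREFIX):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block

class Ledger:
    def __init__(self):
        self.chain, self.owner = [], {}  # owner: coin id -> current holder
    def add_block(self, txs):
        """txs: (coin, sender, recipient) tuples; sender None marks a newly mined coin."""
        owner = dict(self.owner)
        for coin, sender, recipient in txs:
            if owner.get(coin) != sender:  # unknown coin, wrong owner, or coin minted twice
                raise ValueError(f"rejected: {sender!r} cannot spend {coin}")
            owner[coin] = recipient
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        self.chain.append(mine(prev, [list(t) for t in txs]))
        self.owner = owner

    def verify(self):  # recompute every hash and link; edits to history show up here
        prev = GENESIS
        for b in self.chain:
            if b["prev"] != prev or b["hash"] != block_hash(b):
                return False
            prev = b["hash"]
        return True

def demo():
    ledger = Ledger()
    ledger.add_block([("coin-1", None, "alice")])         # constructed sample: coin is mined
    ledger.add_block([("coin-1", "alice", "bob")])        # spent once
    try:
        ledger.add_block([("coin-1", "alice", "carol")])  # same coin spent again
        rejected = False
    except ValueError:
        rejected = True
    intact = ledger.verify()
    ledger.chain[1]["txs"][0][2] = "mallory"              # rewrite history after the fact
    return rejected, intact, ledger.verify()
```

`demo()` returns whether the double spend was rejected, whether the untouched chain verified, and whether the chain still verifies after the edit.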

Ironically, that means Bitcoins are much safer under your metaphorical mattress than stored in an online account.

But unless you can find other people who are willing to trade bitcoinage with you directly, a Bitcoin stash isn’t very liquid – with some notable exceptions, you can’t simply jump online and spend it, or go into a shop and make an impulse purchase.

This has led to a proliferation of Bitcoin exchanges, where you can trade bitcoinage for regular currency, albeit at rather volatile rates.

Of course, that means that an exchange actually has to have real currency available for the times that customers want to convert some of their bitcoins into regular money.

It also means, if you want quick and easy access to your bitcoin account, that the exchange needs to keep at least some of your stash of digital money in what is known as hot storage – essentially, accessible online where a determined hacker might very well be able to get at it.

With little or no regulation, and no central authority to repudiate disputed transactions or ownership, you aren’t going to get your hot wallet back if a crook makes off with it.

Responsible exchanges keep some, most, or even all, of your bitcoins (usually, you can choose how to divvy up your stash) in cold storage.

Cold wallets are supposed to be offline, for example saved to removable storage devices and locked in a vault, just as the majority of the cash on hand might be at a regular bank.

That doesn’t protect you against bitcoin crime entirely: an insider could steal your bitcoins, or an exchange’s idea of “offline storage” might not be quite as far removed from remote network access as you might like.

And, with little or no regulation, we’ve seen a procession of Bitcoin exchanges that have lost some or all of the digital assets in their possession, such as:

May 2012. An exchange called Bitcoinica allegedly had $225,000 stolen, followed by another $90,000 later the same year.

September 2012. $250,000 was stolen from boutique exchange Bitfloor after an encryption lapse during a server upgrade.

November 2013. Small exchanges in Australia, China and Denmark “vanished along with the money” after claiming they’d been hacked.

March 2014. Poloniex lost $50,000 due to a coding error (known as a race condition) in its Bitcoin withdrawal database.

March 2014. Flexcoin closed down after hackers processed a fraudulent transfer of $600,000, with reports suggesting that was everything that Flexcoin had on deposit, gone in one shot.

But the Big Daddy of Bitcoin implosions was that of Mt. Gox, pronounced “Mount Gox,” although originally a domain name that was short for MTG Gathering Online Exchange, a website devoted to the fantasy trading card game Magic: The Gathering.

And, just like magic in reverse, early in 2014, Mt. Gox, based in Japan, filed for bankruptcy.

The reason was the rather significant problem that the company had managed to “lose” about $500,000,000’s worth (half a billion dollars!) of its customers’ bitcoins.

What happened is still not clear, although a person claiming to be “Mt. Gox’s first employee” has recently commented at some length on Reddit, giving what he claims is a partial explanation of how the company came to run out of money.

(NB. The Reddit thread makes fascinating reading, but there is no way to verify any of it, so: reader beware.)

Of course, running out of money by spending too much is not the same as losing 650,000 bitcoins.

The vanishing bitcoins still haven’t been explained, although a Japanese newspaper openly suggested, on New Year’s Day 2015, that 99% of the loss was an insider job: cybercrime committed by a person or persons inside the company.

Mt. Gox founder Mark Karpeles has always denied any wrongdoing, but he’s just been arrested anyway.

Apparently, Karpeles is not being charged over the missing bitcoins, but rather for overstating his financial position by US$1,000,000 back in February 2013.

The 650,000 missing bitcoins remain just that: missing.