
How the Bitcoins Were Stolen from Mt. Gox [video] - davidgerard
https://davidgerard.co.uk/blockchain/2017/09/17/kim-nilsson-of-wizsec-how-the-bitcoins-were-stolen-from-mt-gox/
======
patio11
I watched this over the weekend. As someone who has spent an absurd amount of
hours following this case: it breaks new ground, has great depth, and is
absolutely riveting.

There are at least seven jaw dropping moments in it. One is explaining how
Bitcoin wallets pre-cache the next 100 change addresses the wallet will use,
so that if someone steals your wallet without you noticing it and continues to
use it you will _deterministically share the same change addresses on your next
100 transactions each_, which both leaves a forensic trail and also resulted
in Gox continuing to send money into accounts controlled by the attacker.

Also, for bonus points: Gox allocated the new addresses as deposit addresses
for new customers. So when the attacker moved stolen coins, their change
appeared to be deposited on Gox into the accounts of hitherto innocent
people. (The attacker retained custody of it and Mt. Gox appears to not have
swept it into e.g. offline storage, which we have fairly persuasive evidence
did not really exist.)

This being the Bitcoin community, what would you expect someone who suddenly
has 1,000 BTC credited to their exchange account to do?

~~~
sillysaurus3
The thing that sucks is, it was impossible to tell any of this was going on. I
know people will say "Well, you should have known. The signs were all there."
But there were no signs. Coinbase could be the same way right now. Any
exchange could.

~~~
jdietrich
As far as I'm aware, all the exchanges are being run by rank amateurs with
effectively zero oversight or accountability. They're reinventing the wheel
and re-learning all of the painful lessons that the real banking sector took
centuries to learn. From what I've seen, they're applying the "move fast and
break things" attitude to other people's money. I wouldn't trust any of them
to look after my pocket change.

I may revise my opinion if I start seeing cryptocoin exchanges founded by
people whose LinkedIn profiles include job titles like "VP for Regulatory
Affairs" or "Head of Risk and Compliance". Right now, I'm mainly seeing CS
grads and people who spent a couple of years on a trading desk.

~~~
addHocker
I honestly find this attitude fascinating. A technology that has existed for 5
years, and yet expertise is demanded, as if these exchanges could attract and
hire the experts of banks.

~~~
pjc50
The thing is, all the "new" or "high tech" parts of bitcoin can be treated as
a black box, and their relevant properties summarised on a single sheet of
paper. You could then hire someone with financial controls expertise to run
the other side of the business - the entirely conventional money handling.

A bitcoin exchange really isn't all that different from a metals exchange, if
you substitute "physical delivery of gold" for "emit an actual on chain
bitcoin transaction".

------
remcob
A year ago I was doing a very similar analysis using both the 2011 and 2014
leaked databases. They are publicly available (won't post a link, but I'm sure
you can find it). My interest was in the privacy aspects of bitcoin.

Besides recovering user wallets using the exact same procedure as mentioned
there, it was also possible to connect wallets to user email addresses. It
only works for accounts in the 2011 leak, as the latter doesn't contain email
addresses.

So if you were using Mt. Gox at some point, especially before 2012, you should
assume your Bitcoin addresses can be linked back to your identity. Assume this
includes all your addresses, not just the Mt. Gox one, as it is often possible
to link addresses from the same user together.

In another experiment, I did a simple clustering on WikiLeak's public donation
address. There's a button there to generate a 'unique anonymous donation
address'. The clustering found about 200 of these supposedly anonymous
donation addresses. At this point I had email addresses linked to 'anonymous'
Wikileaks donations — Bitcoin doesn't offer privacy.

These are just two examples out of a list of discoveries. I decided not to
commercialize this work on moral grounds, but other companies do offer
'blockchain intelligence' services.
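
To make concrete why the post above says to assume your addresses can be linked together, here is a small added example (mine, not remcob's code and not any real analysis tool): the common-input-ownership heuristic, which treats every address spent in one transaction as belonging to one controller, applied to constructed transactions. The transactions, the "unique donation address" pattern and the leaked-label table are all constructed; the addresses and e-mail are placeholders.

```python
from collections import defaultdict

# Constructed transactions, not real chain data: (input addresses, output addresses).
TXS = [
    (["A1"], ["W1"]),             # donor 1 pays a freshly generated donation address W1
    (["A2"], ["W2"]),             # donor 2 pays another fresh donation address
    (["A3"], ["W3"]),             # donor 3 likewise
    (["W1", "W2", "W3"], ["R"]),  # recipient later sweeps all three in one transaction
    (["A1", "A4"], ["S"]),        # donor 1 co-spends A1 with another of their addresses
]

# Constructed stand-in for a leaked exchange account table: address -> account e-mail.
LEAKED_LABELS = {"A4": "donor1@example.invalid"}


class UnionFind:
    """Disjoint-set forest over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Merge every address that appears as an input of the same transaction.
    Returns a mapping address -> frozenset of the cluster it belongs to."""
    uf = UnionFind()
    for inputs, _outputs in txs:
        for addr in inputs:
            uf.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def cluster_of(txs, addr):
    """Cluster containing addr; an address never spent is its own cluster."""
    return cluster_by_common_input(txs).get(addr, frozenset({addr}))


def labels_for(txs, labels, addr):
    """Every label known for any member of addr's cluster: this is how a
    leaked account table reaches addresses that never appeared in it."""
    return {labels[a] for a in cluster_of(txs, addr) if a in labels}


if __name__ == "__main__":
    print("W1 cluster:", sorted(cluster_of(TXS, "W1")))      # the three 'unique' addresses
    print("A1 labels:", labels_for(TXS, LEAKED_LABELS, "A1"))  # leaked e-mail reaches A1
```

The point for a defender is the second result: A1 itself was never in the constructed leak, but once it is co-spent with A4 the label attached to A4 applies to A1 as well, and the three "unique" donation addresses collapse into one cluster the moment the recipient sweeps them together. Address reuse and co-spending, not the leak alone, are what do the linking.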

~~~
3pt14159
Bitcoin does offer privacy, you just don't need to take the offer. I
personally choose not to take the offer because I don't do anything illegal
and I pay my capital gains dutifully.

But if you ever want to set up a challenge I'll pay for something anonymously
to prove my point. It's not impossible, it's just annoying.

~~~
remcob
> It's not impossible, it's just annoying.

Indeed it is not impossible. It does require a tremendous amount of expert
knowledge. (And people with such knowledge usually have successful careers not
requiring this sort of privacy).

The Bitcoin client got a lot better over the years as more privacy-enhancing
features were added, but it's still far from perfect. For example, traffic
analysis on the peer-to-peer network will still give you IP addresses.

Creating an anonymous wallet is easy: Create a wallet on an air-gapped
computer, send any transaction from a public computer over TOR to
[https://blockchain.info/pushtx](https://blockchain.info/pushtx). Make sure
your transactions look average and uncorrelated in all dimensions.

Now you need to fund this account without revealing your identity. This is
much harder. Mining your own block would be the most anonymous way.

~~~
3pt14159
Well I don't understand why I'm being downvoted then.

I very much agree with you, although for some amounts it isn't too hard to get
a wallet funded without resorting to block mining. For example, meet up in
person and buy with cash. Not tenable for hundreds of thousands or millions of
dollars in a hurry, but certainly possible for tens of thousands, which is
what most unaffiliated low level drug dealers want (so they can buy drugs via
Tor and resell them in person for cash).

The thing is, most people fail to appreciate that security and privacy is a
continuum. Just because the NSA could figure out who you are if they were
highly motivated to do so, doesn't mean that Immigration Germany can, and when
you have prostitutes getting human trafficked through employment visa
programs, Bitcoin is a whole lot more private than banking. And if you know
you are on the other side of an NSA level attacker, then it is still possible
to maintain privacy, it's just exceptionally unpleasant and slow.

But once you have the private nodes set up, it's the easiest way of moving
hundreds of millions of dollars across borders. This is why I think it's
going to be made illegal. Big gangs have some smart enough cyber guys and
they'll use Bitcoin as a shadow banking system. But right now what gives
Bitcoin its intrinsic value is greed: People think it might be the currency of
the future and they rightly deduce that it will dramatically increase in value
if it is. If governments uniformly ban transactions with cryptocurrencies this
will collapse like beanie babies.

This is what I think will probably happen, although it is possible that
governments try to get in and semi-regulate it enough to stop its usefulness
by organized crime.

~~~
remcob
(I did not downvote, you raised a valid point that I responded to. Though your
post sounded a bit like the "I have nothing to hide" argument, which has been
debunked many times before.)

Currently the easiest way to regulate is at the entry and exit points, i.e.
the exchanges. Taxes need to be paid in fiat and you will need to explain
where that fiat came from. No need for governments to do anything on the
blockchain.

In my limited experience with regulators (mostly in Europe), I found that they
actually rather like the idea of a more democratic financial system. Their
primary concerns are human trafficking, protecting citizens from scammers and
collecting taxes. I was honestly pleasantly surprised by their progressive
attitude.

~~~
3pt14159
I wrote a blog post about wanting privacy back in 2008 that went hyper viral,
I'm familiar with the arguments and used to believe in them fully.

I don't anymore. Not to the libertarian extreme that most people associated
with Bitcoin mean. Maybe in the European context (right to be forgotten) where
you functionally have privacy, but law enforcement can issue court ordered
warrants to stop crime.

I've seen too many evil people do evil things with their money. I'm not
allowed to talk about the specifics, but I've advised some organizations on
how to deal with organized crime and when you're on the other side of it you
really see how weak most of our law enforcement really is against real crime
and how the only thing slowing these guys down is that they can't access our
banking / investment systems and that they are generally pretty
unsophisticated with technology. If all of that changes I don't know how we
stop them.

Privacy will always be an arms race, but I don't think that unregulated
cryptocurrencies are going to be a force for good consequences in the world.
Maybe blockchains for international settlements between banks, where a newly
multipolar world makes a unified global order harder, but I'm not even sure we
need them there either.

To me the best thing to come out of cryptocurrencies is that there is now a
profit motive for companies to prioritize cybersecurity. I'm already seeing it
make a huge difference. Giving that up would be a tough pill to swallow for
FVEY because we're the most vulnerable to cyber attack.

But once politicians start getting assassinated or ransomed for BTC, I doubt
that cryptocurrencies will survive. It might be the very flaws in the
usability of Bitcoin that allow us enough privacy for normal actions, without
the extreme privacy that would enable cyber criminals to operate with
impunity.

------
SilasX
>Although I knew that 80,000 BTC had already gone missing from Mt. Gox when Jed
McCaleb sold it to Mark Karpèles — McCaleb suggesting to Karpèles “maybe you
don’t really need to worry about it” — hackers had already cleaned out Mt. Gox
while McCaleb owned it. He had sold Karpèles an insolvent exchange.

I didn't know that part. Puts things in a different light. I always assumed
McCaleb was gone before any of the shenanigans happened.

~~~
jandrese
The talk really put Karpeles in a slightly better light. He bought into an
exchange that was a raging dumpster fire from a security and accountability
standpoint and managed to stop the horrorshow by rewriting the wallet handling
software.

Of course it was way too late at that point. The whole place had already been
robbed blind. Still, it seems like if he had gotten there sooner maybe that
weird arbitrage bot could have made up the difference somehow and actually
bailed out the company.

~~~
jamoes
> The talk really put Karpeles in a slightly better light.

I disagree wholeheartedly. Karpeles bought an insolvent exchange, and
specifically chose not to invest the money necessary to bring it back to
solvency. He could have simply bought 80,000 BTC in order to make the exchange
solvent (Bitcoin was trading at less than a dollar per coin at that time).
Instead, he chose to defraud his customers by attempting to make up the
missing money by front-running trades and other dishonest tactics.

In addition, he failed to implement basic accounting measures which resulted
in him not even being aware of the fact that he would go on to be hacked
multiple more times.

> Still, it seems like if he had gotten there sooner maybe that weird
> arbitrage bot could have made up the difference somehow and actually bailed
> out the company.

The "weird arbitrage bot" was fraud, plain and simple. If it had worked, it
would have worked by effectively stealing value from active traders on Mt.
Gox. Of course, Karpeles was too incompetent to even implement this fraud
correctly, and he ended up inadvertently subsidizing traders rather than
stealing from them.

------
patio11
My notes for folks who don't like video:
[https://gist.github.com/patio11/598ec35c6c1675c97d93383f41b3...](https://gist.github.com/patio11/598ec35c6c1675c97d93383f41b39b0b)

But seriously, if you care about this at all, watch the video. It is one of
the best conference presentations I've ever seen.

~~~
herendin2
Fascinating, thank you.

I hope you also have time to reply to the comments from Sillysaurus3 and
several others, regarding the reasoning and sources behind your impressive
early prediction of MtGox's failure.

------
nodesocket
> MtGox was essentially insolvent for most of its existence.

This is the biggest worry. How could they have not known about their books?
This shows the fundamental flaw in cryptocurrencies. There will always be
highly motivated and very technical people (Russia and China looking at you)
willing to spend hours, days, months attacking or searching for exploits and
vulnerabilities to extract coins. This differs from traditional banks, which
require a physical bank robbery.

Ultimately the incentives for illegal activities, theft, and fraud are just too
high without oversight and a central trusted authority.

~~~
spraak
> This shows the fundamental flaw in cryptocurrencies.

Hardly... but if it did, it doesn't mean they're still not worth using and
developing.

And traditional banks don't require a physical robbery to be hacked.

~~~
StillBored
Well, they can also reverse transactions, and physically extracting more than
a few thousand from an account can be a painful process at most banks,
particularly if the money was recently transferred. They just tell you, "sorry
we don't have that much cash on hand, it will take us X days to get it, please
return on Y."

~~~
nickonline
In a world with fast payments, that money can be washed, moved and taken out
of a dozen ATMs quite quickly.

~~~
lukeschlather
That's why payments typically take a few days to clear. Bitcoin is designed
for instantaneous payments with no rollback, which is an anti-feature.

~~~
gizmo686
Bitcoin explicitly does not have instantaneous payments. The standard view is
to wait for 6 blocks before considering a transaction as "confirmed".
Confirming a transaction at 0 blocks leaves you open to a very low cost double
spend attack.
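
For the numbers behind "wait for 6 blocks", here is an added example (mine, not gizmo686's): the catch-up probability from section 11 of the Bitcoin whitepaper, which gives the chance that an attacker holding fraction q of the hash rate ever overtakes a chain that is z blocks ahead. z = 0 is the no-confirmation case. The helper that searches for the smallest safe z is my addition and the risk threshold it takes is a constructed input, not a standard.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash rate ever
    catches up from z blocks behind (Nakamoto whitepaper, section 11).
    z = 0 models accepting a transaction with no confirmations."""
    p = 1.0 - q
    if q >= p:
        return 1.0                 # a majority attacker always catches up eventually
    lam = z * (q / p)              # expected attacker progress while honest chain mines z
    total = 0.0
    for k in range(z + 1):
        # attacker has mined k blocks so far (Poisson), and must still close z-k
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float, limit: int = 1000) -> int:
    """Smallest number of confirmations z at which the catch-up probability
    drops below max_risk, or -1 if it never does within limit."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return -1


if __name__ == "__main__":
    for q in (0.1, 0.3):
        for z in (0, 1, 2, 6):
            print(f"q={q:.1f} z={z}: P(catch up) = {attacker_success_probability(q, z):.7f}")
    # constructed risk threshold of 0.1 % for the search helper
    print("confirmations for 0.1 % risk at q=0.1:", confirmations_needed(0.1, 0.001))
```

With z = 0 the probability is 1 for any q, which is the formal version of the comment above: a zero-confirmation acceptance gives the attacker unlimited time to win. With q = 0.1, six confirmations bring the catch-up probability down to about 2.4e-4, matching the whitepaper table.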

------
MBCook
The really low/inconsistent frame rate and A/V sync issues make this really
hard to watch.

Luckily the audio is fine.

Is there a better version somewhere?

~~~
romseb
Here is the complete "Breaking Bitcoin" event:
[https://www.youtube.com/watch?v=eCE2OzKIab8&feature=youtu.be...](https://www.youtube.com/watch?v=eCE2OzKIab8&feature=youtu.be&t=6965)

~~~
Atheros
That has the same problem.

------
gesman
_no platform should be trusted with your cryptocurrency_

_NONE_

Use it for what it's good at - buy or trade. As soon as the transaction is over,
move it to a fully deterministic offline wallet.

~~~
nightcracker
What does 'deterministic' mean in this context? What would be a
non-deterministic wallet?

~~~
AgentME
Deterministic wallet means that all of the keys/addresses that are used by the
wallet are generated from the wallet's initial seed. (As opposed to the older
classic style where 100 keys are pre-generated randomly, and more keys are
randomly generated as needed.) The benefit of a deterministic wallet is that a
single backup is enough to cover all of the funds that will ever be kept in
the wallet. (In the classic wallet style, if you don't make a new backup
regularly every 100 addresses, then funds in later addresses won't be
accessible through the backup.)
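
The two wallet behaviours discussed in this thread, patio11's point that a stolen copy of a classic wallet keeps drawing the same next 100 change addresses as the original, and AgentME's point that a deterministic wallet needs only one backup, can both be shown with one small model. This is an added example of mine, not code from either poster or from Bitcoin Core: a classic wallet is modelled as a list of random keys kept 100 ahead of use, a deterministic wallet as HMAC-SHA256 over a seed and an index (an assumption standing in for real key derivation), and "address" is just a hash of the key. The spend log in `flag_shared_change` is constructed.

```python
import hashlib
import hmac
import os

KEYPOOL_AHEAD = 100  # keys pre-generated ahead of use, as in the old wallet.dat


def address_of(privkey: bytes) -> str:
    # Stand-in for pubkey derivation plus hashing: one key maps to one
    # address, which is all this model needs (assumption, no real ECDSA).
    return hashlib.sha256(privkey).hexdigest()[:16]


class ClassicWallet:
    """Pre-HD wallet: a pool of random keys, always KEYPOOL_AHEAD keys ahead."""

    def __init__(self):
        self.keys = [os.urandom(32) for _ in range(KEYPOOL_AHEAD)]
        self.next = 0

    def copy(self):
        # A stolen wallet file is a byte-for-byte copy, keypool included.
        clone = ClassicWallet.__new__(ClassicWallet)
        clone.keys, clone.next = list(self.keys), self.next
        return clone

    def fresh_address(self) -> str:
        key = self.keys[self.next]
        self.next += 1
        while len(self.keys) - self.next < KEYPOOL_AHEAD:
            self.keys.append(os.urandom(32))  # top up with new randomness
        return address_of(key)

    def backup(self) -> dict:
        return {"keys": list(self.keys)}  # snapshot of the file at this moment

    @staticmethod
    def addresses_in_backup(backup: dict) -> set:
        return {address_of(k) for k in backup["keys"]}


class DeterministicWallet:
    """Seed-based wallet: address i is a function of the seed and i."""

    def __init__(self, seed: bytes = None):
        self.seed = seed if seed is not None else os.urandom(32)
        self.next = 0

    def fresh_address(self) -> str:
        # assumption: HMAC(seed, index) stands in for BIP32-style derivation
        key = hmac.new(self.seed, self.next.to_bytes(4, "big"), hashlib.sha256).digest()
        self.next += 1
        return address_of(key)

    def backup(self) -> dict:
        return {"seed": self.seed}

    @staticmethod
    def addresses_in_backup(backup: dict, lookahead: int = 1000) -> set:
        w = DeterministicWallet(backup["seed"])
        return {w.fresh_address() for _ in range(lookahead)}


def shared_change_addresses(n_transactions: int) -> int:
    """How many change addresses a victim and a thief holding a copy of the
    victim's classic wallet use in common over n transactions each."""
    victim = ClassicWallet()
    thief = victim.copy()
    victim_addrs = {victim.fresh_address() for _ in range(n_transactions)}
    thief_addrs = {thief.fresh_address() for _ in range(n_transactions)}
    return len(victim_addrs & thief_addrs)


def flag_shared_change(spend_log) -> set:
    """spend_log: rows of (spender label, change address), e.g. rebuilt from an
    exchange's own records. Returns change addresses seen under more than one
    spender, which is the forensic tell the talk describes."""
    seen = {}
    for spender, addr in spend_log:
        seen.setdefault(addr, set()).add(spender)
    return {addr for addr, spenders in seen.items() if len(spenders) > 1}


def recoverable_from_backup(wallet_cls, backup_after: int, total_used: int) -> tuple:
    """Use total_used addresses, taking one backup after backup_after of them;
    return (addresses recoverable from that backup, total_used)."""
    wallet = wallet_cls()
    used, backup = [], None
    for i in range(total_used):
        if i == backup_after:
            backup = wallet.backup()
        used.append(wallet.fresh_address())
    if backup is None:
        backup = wallet.backup()
    recovered = wallet_cls.addresses_in_backup(backup)
    return sum(a in recovered for a in used), total_used


if __name__ == "__main__":
    print("change addresses shared over 150 tx each:", shared_change_addresses(150))
    print("classic, one backup at start, 250 used:", recoverable_from_backup(ClassicWallet, 0, 250))
    print("deterministic, one backup at start, 250 used:", recoverable_from_backup(DeterministicWallet, 0, 250))
```

Two things fall out. The copied wallet and the original overlap on exactly the 100 pooled addresses and then diverge, so a change address turning up under two different spenders is a strong sign that a wallet file was duplicated. And a classic backup taken at the start covers only the first 100 addresses ever used, which is why a fresh backup was needed every 100 keys, while the seed backup covers every address the deterministic wallet will ever derive.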

~~~
gesman
Also - it's a perfect non-electronic way to have your funds.

The seed could be a sequence of words (this needs to be backed up and stored
safely!)

The huge advantage is that you can save the seed in a safety deposit box in a
bank, written on paper - a totally non-electronic way.

Then you can recreate the wallet from the seed at any time and manage your funds.

~~~
pocketsquare2
Sorry, but how is that any more non-electronic than storing your ATM PIN in a
safe? Given that the weakest security link is invariably human.

~~~
AgentME
The ATM situation has a ton of links including your bank and the possible
records of everywhere you've used your debit card.

If your bitcoin private key only exists on a piece of paper and not on any
networked computers, then there's no way that malware or a company being
hacked or an exchange going down is going to affect its balance.

------
paulpauper
It seems like one of the ways exchanges are beefing up security is by making
everyone submit tons of verification documents in order to do anything

~~~
Harkins
No, that's about complying with Know Your Customer and Anti-Money Laundering
laws so they are committing fewer felonies.

~~~
jandrese
But honestly, that kind of verification is going to cut into a big chunk of
the userbase. Nobody wants to submit 3 different forms of ID to buy some drugs
or launder some money.

~~~
CodeWriter23
ID or not, it’s not a particularly smart idea to run illegal transactions
through a system that records those transactions in a redundantly backed up
and publicly viewable distributed database.

~~~
jandrese
That's why tumblers exist.

------
BigJohnatan
"There are multiple “holy crap!” moments." Thanks. I enjoyed it.

------
DonHopkins
>"I know PHP! How hard could running an exchange be?" -Mark Karpelès

This is the same guy who infamously wrote:

>"PHP can do anything, what about some ssh?" -Mark Karpelès

[https://web.archive.org/web/20100701145902/http://blog.magic...](https://web.archive.org/web/20100701145902/http://blog.magicaltux.net/2010/06/27/php-can-do-anything-what-about-some-ssh/)

>"quick'n'dirty bitcoin signing lib because too lazy to reimplement ECDSA in
pure PHP" -Mark Karpelès

[https://github.com/MagicalTux/btclib](https://github.com/MagicalTux/btclib)

ಠ_ಠ

The Dunning-Kruger effect runs deep in that one. It's no surprise he was
drawn to PHP, given Rasmus Lerdorf's disdainful anti-intellectual attitude
about computer science, programming, security, and unit testing. Birds of a
feather!

If you didn't already know about the inventor and lead developer of PHP's
anti-intellectual attitude, here are some classic quotes:

[https://en.wikiquote.org/wiki/Rasmus_Lerdorf](https://en.wikiquote.org/wiki/Rasmus_Lerdorf)

"There are people who actually like programming. I don't understand why they
like programming." -Rasmus Lerdorf

"I'm not a real programmer. I throw together things until it works then I move
on. The real programmers will say "Yeah it works but you're leaking memory
everywhere. Perhaps we should fix that." I’ll just restart Apache every 10
requests." -Rasmus Lerdorf

"I do care about memory leaks but I still don't find programming enjoyable."
-Rasmus Lerdorf

"I don't know how to stop it, there was never any intent to write a
programming language [...] I have absolutely no idea how to write a
programming language, I just kept adding the next logical step on the way."
-Rasmus Lerdorf

"I was really, really bad at writing parsers. I still am really bad at writing
parsers." -Rasmus Lerdorf

"I really don't like programming. I built this tool to program less so that I
could just reuse code." -Rasmus Lerdorf

"I actually hate programming, but I love solving problems." -Rasmus Lerdorf

"For all the folks getting excited about my quotes. Here is another - Yes, I
am a terrible coder, but I am probably still better than you :)" -Rasmus
Lerdorf

Then there was the time that Rasmus Lerdorf cut an official but fatally flawed
public release of PHP 5.3.7 without bothering to run the unit tests, which
would have caught the sloppy bug he had just checked in that broke crypt().

This guy who thinks he's "probably still better than you" had to admit that
maybe he "went a bit too fast" when he didn't actually bother to run any of
the unit tests first before releasing a new version of PHP with a terrible
security flaw in crypt(), because so many of the tests produced error
messages, and even though the tests caught his bug, he didn't feel it was
worth the hassle of wading through all those pesky error messages to see if
he'd introduced yet another security related bug.

I sure hope no online banks depend on the crypt() function!

> 5.3.7 upgrade warning: [22-Aug-2011] Due to unfortunate issues with 5.3.7
> (see bug#55439) users should postpone upgrading until 5.3.8 is released
> (expected in a few days).

[https://www.reddit.com/r/programming/comments/jsudd/you_see_...](https://www.reddit.com/r/programming/comments/jsudd/you_see_rasmus_lerdorf_creator_of_php_wrecking/)

>r314434 (rasmus): Make static analyzers happy

>r315218 (stas): Unbreak crypt() (fix bug #55439) # If you want to remove
static analyser messages, be my guest, but please run unit tests after

[http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/php...](http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/php_crypt_r.c?r1=314438&r2=314437&pathrev=314438)

[https://plus.google.com/113641248237520845183/posts/g68d9RvR...](https://plus.google.com/113641248237520845183/posts/g68d9RvRA1i)

>Rasmus Lerdorf

>+Lorenz H.-S. We do. See [http://gcov.php.net](http://gcov.php.net)

>You can see the code coverage, test case failures, Valgrind reports and more
for each branch.

>The crypt change did trigger a test to fail, we just went a bit too fast with
the release and didn't notice the failure. This is mostly because we have too
many test failures which is primarily caused by us adding tests for bug
reports before actually fixing the bug. I still like the practice of adding
test cases for bugs and then working towards making the tests pass, however
for some of these non-critical bugs that are taking a while to change we
should probably switch them to XFAIL (expected fail) so they don't clutter up
the test failure output and thus making it harder to spot new failures like
this crypt one.

"I throw together things until it works then I move on." -Rasmus Lerdorf

~~~
thieving_magpie
It's honestly amazing how much of an impact he's had on software
development. Interesting post.

------
boatski
I sure would like to have the 25BTC back that I lost from them.

------
anc84
Direct link to video:
[https://www.youtube.com/watch?v=l70iRcSxqzo](https://www.youtube.com/watch?v=l70iRcSxqzo)

Content around it is just filler to promote the author's book.

------
EGreg
Why does everyone call it Mount Gox or Mt Gox when it was the Magic the
Gathering Online Exchange?

~~~
neotek
It was _formerly_ the Magic the Gathering Online Exchange. When it became a
bitcoin trading platform it was renamed Mt. Gox.

~~~
cperciva
Was it actually ever a MtG exchange? I thought the domain name was purchased
for that purpose but it was never actually used that way.

~~~
davidgerard
McCaleb had a site for this purpose at the address, but it's not clear how
much happened on it:

[http://web.archive.org/web/20070817170606/http://mtgox.com:8...](http://web.archive.org/web/20070817170606/http://mtgox.com:80/gwt/mtgox.php)

The Wayback Machine has copies of the front page from May to September 2007.

