How the Bitcoins Were Stolen from Mt. Gox [video] (davidgerard.co.uk)
563 points by davidgerard on Sept 17, 2017 | 186 comments

I watched this over the weekend. As someone who has spent an absurd amount of hours following this case: it breaks new ground, has great depth, and is absolutely riveting.

There are at least seven jaw-dropping moments in it. One is explaining how Bitcoin wallets pre-cache the next 100 change addresses the wallet will use, so that if someone steals your wallet without you noticing it and continues to use it, you will deterministically share the same change addresses on your next 100 transactions each, which both leaves a forensic trail and also resulted in Gox continuing to send money into accounts controlled by the attacker.

Also, for bonus points: Gox allocated the new addresses as deposit addresses for new customers. So when the attacker moved stolen coins, their change appeared to be deposited on Gox into the accounts of hitherto innocent people. (The attacker retained custody of it, and Mt. Gox appears not to have swept it into e.g. offline storage, which we have fairly persuasive evidence did not really exist.)

This being the Bitcoin community, what would you expect someone who suddenly has 1,000 BTC credited to their exchange account to do?
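The keypool mechanism described in the comment above, as an added example that is not part of the video or this thread: a toy model of an old Bitcoin Core-style wallet that pre-generates a pool of 100 keys and hands them out in order for whatever the wallet needs next (change on its own transactions, or a fresh deposit address for a customer). Two copies of the same wallet file therefore issue the same addresses until the original pool is exhausted, after which each copy tops up from its own entropy and they diverge. The "gox" and "thief" wallets, the seed, the purposes and the 30-spend scenario are constructed for the demo; keys and addresses are hash-based stand-ins, not real secp256k1 keys or base58 addresses.

```python
"""
Toy model of a pre-generated keypool (added example, not code from the
video or from any exchange). Shows why two copies of one wallet file hand
out the same addresses, how that leaves a forensic trail, and how an
attacker's change can land on addresses the exchange later assigns to
customers as deposit addresses.
"""
import hashlib
import secrets

KEYPOOL_SIZE = 100  # historic Bitcoin Core default keypool size


def _fake_key(entropy: bytes) -> bytes:
    """Stand-in for deriving a private key from entropy (not secp256k1)."""
    return hashlib.sha256(b"key" + entropy).digest()


def _fake_address(privkey: bytes) -> str:
    """Stand-in for privkey -> pubkey -> hash160 -> base58 address."""
    return "1" + hashlib.sha256(b"addr" + privkey).hexdigest()[:20]


class Wallet:
    """A wallet whose next addresses already sit in a pre-generated pool."""

    def __init__(self, keypool, fresh_entropy):
        self.keypool = list(keypool)        # handed out front to back
        self.fresh_entropy = fresh_entropy  # used to top the pool back up
        self.log = []                       # (purpose, address) in issue order

    @classmethod
    def new(cls, seed: bytes, size: int = KEYPOOL_SIZE) -> "Wallet":
        # Deterministic seed keeps the demo reproducible; a real wallet would
        # fill the initial pool from the OS random source.
        pool = [_fake_key(seed + i.to_bytes(2, "big")) for i in range(size)]
        return cls(pool, fresh_entropy=lambda: secrets.token_bytes(32))

    def clone_stolen_file(self) -> "Wallet":
        """What an attacker holds after copying wallet.dat: the same pool,
        but keys generated from now on come from the attacker's own entropy."""
        return Wallet(self.keypool, fresh_entropy=lambda: secrets.token_bytes(32))

    def next_address(self, purpose: str) -> str:
        """Consume the next pooled key (for change or a customer deposit
        address) and top the pool up so it stays at KEYPOOL_SIZE."""
        key = self.keypool.pop(0)
        self.keypool.append(_fake_key(self.fresh_entropy()))
        addr = _fake_address(key)
        self.log.append((purpose, addr))
        return addr


def trace_shared_addresses(attacker_log, exchange_log):
    """Forensic check: attacker change addresses the exchange also issued,
    paired with what the exchange used each of them for."""
    exchange_use = {addr: purpose for purpose, addr in exchange_log}
    return [(addr, exchange_use[addr])
            for _purpose, addr in attacker_log if addr in exchange_use]


def demo(attacker_spends: int = 30):
    """Constructed scenario: attacker spends from a stolen copy while the
    exchange keeps issuing addresses from the original file."""
    gox = Wallet.new(b"constructed demo seed")
    thief = gox.clone_stolen_file()

    # The attacker moves the stolen coins; every transaction creates change.
    for _ in range(attacker_spends):
        thief.next_address("change")

    # The exchange keeps running and hands out the very same keys: some as
    # change on its own withdrawals, some as deposit addresses for customers.
    for i in range(attacker_spends):
        gox.next_address("deposit" if i % 2 else "change")

    shared = trace_shared_addresses(thief.log, gox.log)
    credited_to_customers = sum(1 for _, use in shared if use == "deposit")
    return len(shared), credited_to_customers


def matching_prefix(spends: int = 120) -> int:
    """How many addresses two copies agree on: exactly the original pool,
    after which each copy tops up from independent entropy."""
    a = Wallet.new(b"constructed demo seed")
    b = a.clone_stolen_file()
    seq_a = [a.next_address("change") for _ in range(spends)]
    seq_b = [b.next_address("change") for _ in range(spends)]
    return sum(1 for x, y in zip(seq_a, seq_b) if x == y)


if __name__ == "__main__":
    print("shared addresses, of which credited to customers:", demo())
    print("addresses both copies agree on out of 120:", matching_prefix())
```

The forensic point is the `trace_shared_addresses` set intersection: any change address the attacker uses that also shows up in the exchange's own issuance log proves both parties hold the same key material, and the `"deposit"` entries are the ones that would have been credited to an unrelated customer's account while the attacker still controlled the key.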

The thing that sucks is, it was impossible to tell any of this was going on. I know people will say "Well, you should have known. The signs were all there." But there were no signs. Coinbase could be the same way right now. Any exchange could.

> The thing that sucks is, it was impossible to tell any of this was going on.

It was impossible to know the details of this exact bug - but it was possible to know that something was wrong at MtGox before the takedown.

Of the two-dozen or so people I know who held Bitcoin at the time only one lost funds on MtGox - the rest had long left Gox or were never comfortable using it.

The main administrative issues were withdrawal delays[0], MtGox not being able to prove their reserves satisfactorily[1] and having accounts seized[2]. ID verification was slow, and support was almost non-existent.

If you read the forums in the ~12-18 months before MtGox went down there was a lot of conversation about what was wrong at MtGox.

The tech issues were horrible code[3] (read the description of that repo and tell me if you would trust it with bitcoin), previous hacks[4], many more hack claims and the internal trading bot being traced by outside researchers.

I don't blame anybody for not seeing these issues - there was a lot of FUD at the time and many who saw attacks on MtGox as attacks on Bitcoin. Nobody really wrote a good and concise "this is why you shouldn't use MtGox" post anywhere. Hearing after it was taken down that someone knew it was bad is useless and only self-serving.

I don't think it is possible for a third party to hold your bitcoins for you in a secure way that is also convenient. You can pick any bitcoin company or exchange and claim it's insecure and you'll eventually be right for many users.

One of the only ways to avoid the problems and store your bitcoins safely but also still be able to use them is with a hardware wallet. There has been a lot of improvement since MtGox with "vault" products, better multisig implementations, better auth, and offline signing etc. but still some way to go.

[0] https://bitcointalk.org/index.php?topic=179586.0

[1] https://bitcointalk.org/index.php?topic=209362.0

[2] https://techcrunch.com/2013/08/23/feds-seize-another-2-1-mil...

[3] https://github.com/MagicalTux/btclib

[4] http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+...

I was in BTC from very early on. Ironically I didn't make much money but that's another story.

I'm shocked, absolutely shocked that the Magic The Gathering Online Exchange wasn't suitable for dealing with hundreds of millions of dollars.

The signs were obvious that it was being run by amateurs for anyone who spent five minutes doing a Google search.

When I heard a friend had deposited more money than he could afford to lose on MtGox, I immediately jumped in the car and drove 2 hours to his house. I convinced him, basically at the point of physical violence, to take his BTC out of MtGox and store them in a wallet on his computer, encrypted and backed up on several cloud sites.

One month later MtGox was hacked. I received an apology and a very nice bottle of whiskey from my friend.

I think if a friend drove two hours to my house and threatened physical violence because they disapproved of my financial and technology decisions, I would have one less friend.

If anyone cared this much about me unwittingly risking my livelihood, they'd have a friend for life.

It's only admirable in retrospect. What if Mt. Gox shot to the moon and decided to pay dividends, but your friend threatened you not to buy in?

I've been threatened by inlaws for subscribing to practices that will end in my damnation -- something much more significant than losing savings. They genuinely believe this. And I still don't think that's right, and it wouldn't be right if everything they said turned out to be true.

What would you do if someone you cared about was falling for a Nigerian scam?

He's essentially more of a brother to me, and yes, it wasn't the nicest experience for anyone involved, but he didn't lose his life savings.

Your loss, right? Twice, in that case.


No matter what you're replying to, HN just doesn't have room for comments like this.


As far as I'm aware, all the exchanges are being run by rank amateurs with effectively zero oversight or accountability. They're reinventing the wheel and re-learning all of the painful lessons that the real banking sector took centuries to learn. From what I've seen, they're applying the "move fast and break things" attitude to other people's money. I wouldn't trust any of them to look after my pocket change.

I may revise my opinion if I start seeing cryptocoin exchanges founded by people whose LinkedIn profiles include job titles like "VP for Regulatory Affairs" or "Head of Risk and Compliance". Right now, I'm mainly seeing CS grads and people who spent a couple of years on a trading desk.

First employee of a major exchange here. You were correct a few years ago, but it's not strictly true anymore. Some oversight and accountability comes from the VCs that own them and sit on the boards, some from the compliance requirements of banks they work with to obtain financial connectivity, and some from people they outsource customer onboarding to or work with for additional financial settlement options. Also, third party penetration testing should be common by now. There is also something to be said for "zero legacy infrastructure", from a security perspective.

I'm still waiting for an exchange taking proof of reserves or multi-sig with other exchanges seriously.

We know it can be done, and we know that none of the exchanges do it anymore.

As hopeful as I am, I know that scaling number of users is much more important for exchanges than advancing security through cryptography that users can verify.

At BitMEX we do 100% offline multi-sig. Unfortunately, that also means any form of live proof-of-reserves is quite difficult to do, as the keys are offline.

Early in our history, we thought once-a-day withdrawal would be a problem customers would be quite vocal about. Instead, we found many of them appreciate what it means - that the keys aren't hooked up to a hackable webserver, but are actually protected. Accessing funds should be difficult and should require human interaction.

Pardon me for sounding ignorant, but how does this process work out procedurally each day?

All crypto on Coinbase is insured, according to:


This counts for a lot IMO. Of course there are still questions of whether and how the insurance comes through. But it's a big step to make such a declaration, and the implications on security are significant.

When they say stored 'online' they mean 'not in cold storage'. 98% (according to that article) of the crypto held by Coinbase is in cold storage and is not insured.

I wonder how many people make this exact mistake.

Which makes sense. I imagine insuring cryptocurrencies is very, very expensive, considering the risk profile.

Good point. The cold storage procedure is also impressive, but not as impressive as full insurance.

Bitcoin.de has a cooperation with Fidor, which is a regular bank in Germany.

When trading on their platform you always trade directly with one other customer. The funds are transferred directly from your Fidor bank account.

Of course, the BTC/BCH will still be on the marketplace until you remove them.

Common wisdom these days is: the only safe places for crypto coins are paper wallets (and, arguably, hardware wallets).

When looking at HSBC, corrupt rating agencies, Equifax etc, may I ask what the "real" banking sector has learned?

I honestly find this attitude fascinating. A technology that has existed for 5 years, and yet expertise is demanded, as if these exchanges could attract and hire the experts of banks.

The thing is, all the "new" or "high tech" parts of bitcoin can be treated as a black box, and their relevant properties summarised on a single sheet of paper. You could then hire someone with financial controls expertise to run the other side of the business - the entirely conventional money handling.

A bitcoin exchange really isn't all that different from a metals exchange, if you substitute "physical delivery of gold" for "emit an actual on chain bitcoin transaction".

Other fintech startups have little difficulty in attracting experienced talent. You see a lot of grey hair and a lot of very distinguished CVs in that scene. Several banks run their own accelerators and angel schemes.

If cryptocoin startups can't recruit the right talent, then I think that's a strong indicator of their fundamental business value.


this is gold

I think you're mistaken when you say that there were no signs. There were many signs, and here are some of the worst. As a point of reference, Feb 7, 2014 is when Bitcoin withdrawals were frozen.

May 2, 2013: CoinLab sues MtGox, says MtGox promised to let CoinLab operate its North American branch. This makes no sense -- why would MtGox surrender its most valuable territory to a virtual unknown? -- but MtGox doesn't explain what's going on and simply shrugs their shoulders. They will be doing this a lot.

May 15, 2013: US Government seizes $5 million from a bank account held by MtGox. MtGox shrugs their shoulders.

June 20, 2013: MtGox stops USD withdrawals; bitcoin and JPY withdrawals continue to operate normally. People ask when they'll be restored, MtGox shrugs their shoulders.

July 4, 2013: MtGox says USD withdrawals are back to normal. This is a lie. When people ask why USD withdrawals are still not going through, MtGox.. well, you guessed it. They shrug their shoulders and just repeat the lie.

By this point, alarm bells should have been blaring in people's heads. Anyone who claims that this kind of crap was the norm for the bitcoin world should keep in mind that Coinbase had launched in 2012 and was running a much tighter ship.

By this point, people still had more than 6 months to get their bitcoins out.

Can I add:

August ~13th, 2013: CEO blames issues on Mizuho bank; claims that Mt. Gox was greater than 50% of Mizuho's SWIFT volume (!) and DOSed their banking systems multiple times (!!); also says that Mizuho has limited them to ~10 outgoing wires per day.


Yeah, I forgot about that one! While we're on the subject of lies they told, my favorite was in Feb 2014 when bitcoin withdrawals got frozen. The claim was that they turned off withdrawals while they dealt with the bitcoin malleability issue that was in the news at the time. It was obviously a lie but they just stuck with it.

Given the USD ~1.64 TRILLION in assets Mizuho had in 2014, presumably this claim is beyond insane? Is there some mechanism to look up SWIFT transaction volumes by bank?

Wow! Haven't seen this one before. Quite a crazy claim!

When MtGox's trade delay hit 30 mins+ (April 2013), and the price was crashing, I hopped on to IRC. I went to mtgox's channel and advocated in the strongest terms that they halt trading, like any sane exchange would do (the trade delay was a major factor in the crash).

When Tux's #2 told me he couldn't do it because Mark was asleep (time zones! etc), it became pretty clear they didn't have a clue about what they were doing.

I'm glad other people perceived the delays and realized they were unacceptable and indicative of something bad as well as bad management / development practices.

Some people have tried telling me in the past that I'm full of shit for pointing out the delays and what they meant. I moved my coin away about a month or so before the big hack.

Stay sharp, friend.

I disagree.

The presence of a persistent arb premium was what made me back off Gox. As a quant trading guy it just seemed too fishy that a one-way arb could persist. I wrote an arb engine to take advantage of the price difference but I concluded there was too much credit risk in it. Which turned out to be correct. At best the arb was explicable as slow operations getting money out of the bank, but that would in the very best case be total incompetence. Plus the forums were saying a lot of not nice things about the management, so definitely failed the sniff test. Remember it's not the balance of probabilities that matters; it's the worst case.

Coinbase, by contrast, has VC backing that you would think means they'd find someone who understood regulatory issues. They'd also have links to proper tech people who understood security and exchange coding, a pretty small subset of coders since it's quite specialised. They may not have started with everything required but chances are they've found the money to buy it by now.

>The thing that sucks is, it was impossible to tell any of this was going on.

A few months before the big collapse, I lucked into some money and started looking at arbitrage opportunities on bitcoin exchanges.

Want to know what stopped me? The cost benefit vs. risk ratio. Here's an exchange with a really dodgy past, and the price is just shooting up, and people are shouting, and damn this seems too good to be true!

(edit: I did some trial runs, and had gone through their painful verification process - the above decision came about when I was starting with the "big boy" sums of money)

Funnily enough, I have the exact same thoughts about the crypto ecosystem right now.

I think it's probably unwise to hold coins right now, and whether the scam unfolds this year or not, I'm experiencing that very same spidey-sense, "this seems too good to be true" worry from the Mt. Gox days.

Disclaimer: I bought into Bitcoin about 7 years ago. I'm mostly out now, but I hold a small amount of Sia, BTC, and Dash.

Especially for ICOs and Eth more generally, but also for Bitcoin, Litecoin, Dash, etc.

We use our financial system to combat international crime. Why on earth would governments allow unregulated blockchains and currency transfers to circumvent their controls?

They won't remain unregulated for long. It's similar to the late 19th century markets, except the regulatory environment already exists - the SEC will go after low hanging fruit for a while to build precedent and then take down a whale, then apply all existing securities regulations to all ICO's and their advisors. That'll cut out a lot of the scammers and introduce traditional investment banks because they are licensed. The licensing process requires sponsorship, so they'll be able to push out and keep out the early players and reap the benefits.

> 15 dollar arbitrage between bitstamp and gox right now??? That's ridiculous, anyone know why?

> Because MtGox is a money black hole, absorbing all your money and refusing to pay it back. The only way to exit is to buy bitcoins there and send them elsewhere; this explains the consistent buying pressure there. An arbitrage is meaningless if your money cannot leave, right?


People including me saw the signs and exited.

It was not impossible to tell this was going on.


Note the date. I only posted that after I was sure I could beat the libel suit; was pretty sure much earlier.

>> I know people will say "Well, you should have known. The signs were all there." But there were no signs.

> It was not impossible to tell this was going on.

How do you tell, though? The comment you replied to was about the lack of signs, so claiming that signs existed doesn't really help anyone.

How would one perform investigative journalism on a Japanese company? One way might be "write down everything they say", "identify the subset of these statements that an external actor has signal on", "identify the subset of those statements that the external actor would have a social or legal obligation to confirm or deny", and "write some on-dead-tree letters."

Mt. Gox said lots of things, including some things which were, ahem, very effing improbable and yet which alleged very specific facts about people outside of the building. "We're totes solvent; all of our assets are on deposit at Mizuho", "All of our problems are due to banking partners", "The Financial Services Agency said we're compliant with all their regulations", "Japanese banks can't send more than 10 wire transfers per day; it's physically impossible because they're technologically backward", etc etc.

This is sort of similar to "But how do you know that their application is vulnerable, $SECURITY_RESEARCHER?" The answer "I bothered to look" might be unsatisfying, but it is not inaccurate.

We understand you bothered to look. We're asking "What are the specific actions you took, so that in the future, we may take them? What did you discover that led to your tweet? Was it hard evidence, or was it more of a list of worrying signs?"

Writing on-dead-tree letters is a flowery way of describing what you did, but it gives no actionable signal.

I'm sorry you lost money, sincerely. One of the reasons that I'm so vocal about my opinions on Bitcoin is that I think that, when it achieves its true value of 0, it will wipe out a lot of geeks of good will.

I cannot agree that you had insufficient notice from me regarding my opinions of Bitcoin or operations in the Bitcoin economy. That tweet went as close to the line as I could without risking arrest, contemporaneously. It was preceded by probably a few hundred comments on HN and Twitter about Bitcoin and businesses in the ecosystem.

I appreciate that you want a list of steps you can take in the future. I have described a way to reproduce the unpaid, unpublished original research project which I did, in sufficient detail for any competent researcher to reproduce it.

You think that that series of steps is not actionable. I respectfully submit that you are not capable of reproducing it; these are two different things. You are illiterate in the language that the research was conducted in. I'm sorry; that is true, and it is the nicest possible way to phrase it unambiguously.

You should, in the future, not make investments which you are incompetent to evaluate the risk factors of. If you must, you should secure the advice of competent professional advisors. If you believed yourself competent to evaluate the risks of doing business with Mt. Gox or believed the quality of the advice you had to be adequate, you should be skeptical of your self-assessments of your competence or your ability to evaluate competence in a professional advisor, and apply this skepticism to your reasoning process about future investments.

(For context, I edited out "if you'd made a ruckus on HN, you could've prevented a lot of suffering" from my previous comment. Mostly because I disagreed with myself that it was up to Patrick to do that.)

Patrick, I respect your writing. But your answers are rarely straightforward. Even now, when you risk nothing, you refuse to reveal precisely what you knew and how you came to know it. I'm skeptical that you knew anything of consequence, and I think this is a way for you to appear prescient. But if you say you discovered something, we have no choice but to believe you on reputation alone. I wish you'd share with us what the Great Sages know, but who can blame you for wanting to stay a member of their ranks? It's only through secrecy and obfuscation that you can maintain the aura.

> you refuse to reveal what precisely you knew and how you came to know it

I see, in his previous comment:

> Mt. Gox said lots of things, including some things which were, ahem, very effing improbable and yet which alleged very specific facts about people outside of the building

and then a list of those facts that could be fact-checked.

What could he, as an outsider, possibly have written to a bank that would let him determine whether Gox was solvent?

The simplest answer is "nothing," but we're meant to believe otherwise.

We could go through each item on that list and try to reverse engineer which entity he wrote and what he asked, but this indicates he isn't being straight with us. That's fine; it's his right. But it's a little odd. If someone performed some badass investigative journalism that could've blown the whistle on the Gox case long before anyone knew about it, who wouldn't want to brag about it after the fact? Especially when it'd be so easy to illustrate the steps taken.

We're talking basic questions like "What did you write?" and "What did they say?" But we're meant to guess.

I think a large part of the problem of "verifying" Gox was that people desperately wanted the story to be true.

If a big-name bank operated a bitcoin exchange that was repeatedly hacked, came up with a mountain of excuses about why people can't withdraw, made nonsensical claims about doing business (e.g. 10 wires/day, not trading in the USA etc.), no-one would use them.

(edit: in The Real World, I imagine they'd have been shut down in seconds flat thanks to regulations, but for the sake of convenience let's pretend regulations don't exist)

Instead, we had a plucky new underdog that people wanted to believe was creating history.

You see a business destined to fail, I see a line of incompetent exchanges playing Russian roulette. One of them died and the rest got lucky.

Bitstamp, Bitfinex, Cryptsy, more I've forgotten, were the competitors really more reliable?

I've been in a position to see some absolutely insane stuff happen on exchanges (most of it gets quietly buried), and I really don't think MtGox was anything remarkably different.

I don't think patio11 is claiming he did any in-depth investigation. He is saying that when the company seemed to start having problems, they made odd claims, like that a bank cannot process more than X payments per day, which sound unlikely enough that they indicate a person lying to cover their ass.

you're being pretty unreasonable. he took a look at the body of evidence, including statements from the company itself, did some follow-up (i doubt the specifics actually matter), and got a really bad feeling about it. the technical term for this is 'spidey sense'. also 'bad juju'. or 'his bullshit detector went off'.

what if the answer you're looking for is, "he called up someone at mizuho, went and got a beer, and the guy let it slip that that gox is broke."

then what? hmm? haha what are you going to do about that? that's how the vast majority of insider information (note i didn't say insider trading) is passed. are you going to replicate that the next time around on a specific asset that's about to crash, or a specific company that's going to go insolvent? good luck, friend. this is how the world works; you clearly were not in on it, none of us were, that's why a bunch of people were left holding their dicks in one hand and an empty wallet in the other (i don't deal in bitcoin because i'm too dumb to comprehend it, but i saw the carnage online).

at the end of the day he believed something differently than most. it's not any more complicated than that. that's how people generally make a bunch of money, or in this case, prevent from losing a bunch of money.

also, he lived or lives in japan and speaks japanese, so that's probably going to be the major hurdle for you to grasp his process - he has a lot more day to day context of how all this stuff works in that country. unless of course, you live there too, in which case, that's even worse for you. sorry pal.

then what? hmm?

Then... That's the answer. Obviously. The point is, he's given no answer yet made grandiose claims.

I suppose it's lucky he doesn't feel like telling tall tales. He could cook up something convincing.

Please produce the research you claim to have conducted, instead of simply calling others incompetent.

«when it achieves its true value of 0»

People who say that are people who don't understand that fiat money's ONLY purpose is to track who owes what. It's debt-based. If Alice pays 1 unit of currency to Bob, it is because Bob gave her a product or service worth 1 unit of currency. Bitcoin is great at tracking "debt": universal, electronic, decentralized, robust, inflation-proof.

The "true value of 0" reflects the huge confidence of legacy providers (Patrick/Stripe) that crypto will sink. They may well be correct but for a community of "Entrepeneurs", it's entertaining to see the same patterns of technology disruption applying to the so called distruptors.

> when it achieves its true value of 0

I don't understand how someone can hold the opinion that Bitcoin has no value. At the very least, it enables a lot of crime, which is valuable to criminals.

Technically, the true value of any currency as time -> infinity is zero. I have no doubt that at some point in the future, USD will be worth less than the paper it's printed on.

The problem is that most of us can't wait until time -> infinity.

Then why doesn't it say "Mt. Gox is probably insolvent"? It's also not very helpful to say "Told ya so" rather than "These are the signs to look for in general."

The adjective I would have chosen was not "probably", but being any more explicit than I was might have earned me a "What did you know, when did you know it, and what was your part in this?" from either of two government agencies who could deport me by either pressing a button or failing to press a button.

Now that no one has the power to deport you, do you mind if we pose those questions? The answers would be informative for anyone who has to weigh which exchange to be using at any given time.

I'm not patio11, but in all seriousness, it is true that just the inexperience and immaturity of the people building these exchanges is sufficient evidence on its own.

Here's me telling someone not to build a BitCoin trading platform on September 11th, 2011: https://news.ycombinator.com/item?id=2974770

Here's how that went over the next couple of years: https://en.bitcoin.it/wiki/Bitcoinica https://www.dailydot.com/business/bitcoin-exchange-bitcoinic...

In a way, the issue here is that if you want to operate in this space, you do need to take the discussion about BitCoin being money seriously. (Even if you don't think it's "money", it's still definitely a money-like asset.)

Wouldn't that have disqualified Coinbase? Also it's not really responsive to "What are some signs an exchange is insolvent?"

Being run by obvious amateurs is a sign of insolvency.

Again: That would identify Coinbase as insolvent, right? Why or why not?

I remember how amateurish Coinbase was in the early days, and you can look up a lot of the controversy on HN. People have been coming out saying they haven't processed $5k deposits, that they haven't responded to support claims in months, and on and on. If you're looking for "This exchange is run by amateurs," look no further than Coinbase.

Yet it's not that simple. Coinbase has somehow managed to become the #1 exchange to go to if you're a US citizen that needs an easy way to convert BTC into USD. So I just don't get this line that if an exchange is run by amateurs, it's a sign of insolvency. We have evidence that demonstrates that's not true.

You're not thinking probabilistically nor in terms of risk. There's no way to know for sure that an exchange is insolvent or at risk of becoming insolvent, but there are signs that increase the probability. Being run by amateurs is one such sign. Other signs are lack of insurance, persistent withdrawal issues, persistent arbitrage opportunities, lack of security reviews, poor technological practices (there are posts about the original Mt Gox codebase's poor handling of passwords for example, before Mark took it on), and misleading public statements.

If you bought the line that traditional banks were simply unable to process more than 10 wires a day, rather than it being that Mt Gox was so risky that they refused to process 10 wires a day, then you need to work on critical thinking. Likewise, exhortations that banks were placing restrictions on exchanges because "they were scared of Bitcoin" rather than being because these partners were shady and didn't have sufficient controls should have been met with suspicion.

And yes, Coinbase was also risky. The fact that things worked out doesn't mean it wasn't risky to begin with. I didn't give them any money for the first several years they were in business specifically because I saw them as high risk. In hindsight, Coinbase had the benefit of having backing by VCs with real business experience and subsequently hiring people with experience in the space, which reduced risk.

It's entirely possible that keeping your money out of Coinbase was the correct ex ante advice, despite their subsequent success. They may well have gotten lucky and succeeded (at least so far) despite their experience.

I don't have any particular knowledge or experience with CB or BTC in general. Just pointing out that it's possible success was despite great risk, and the advice to avoid may have been entirely correct given the evidence at the time.

Do you have evidence of Coinbase's solvency? Because it seems to me this is all based on blind trust. If there is real evidence, of course that trumps the blind trust issue, but without it, it's generally a good bet that amateurs lack the skills, experience and resources to ensure proper handling of financial transactions.

Real banks are also not trusted blindly; they get audited a lot by central banks and other regulators. And they still mess up and get flamed to hell for it. The chance that amateurs in a completely unregulated field do it better is very unlikely.

Yes, it's a warning sign. I don't think anyone should store more value in Coinbase than they are willing to lose.

I don't think it's black and white. If all exchanges are run by people who don't know what they are doing, not all will fail, but a higher percentage will than if they were run by more experienced players.

Having said that bankers would be part of the inexperienced group.

This looks like a completely generic tweet. I don't understand why there was any doubt about a libel suit.

Really, memories of the alleged $20,000 per week consulting gigs which were miraculously abandoned surface again.

I strongly disagree. Comparing Coinbase to MtGox is insane. For starters MtGox had their US bank accounts seized a year prior to the company imploding.

As I remember it, when I first started getting interested in Bitcoin and looked for an exchange in November '13, the sentiment was unanimous in the community: Mt Gox will fail sooner or later, never put money/coins there. But it also looked like a lot of Americans didn't want to hear that, because it was the only (as I remember it) exchange where depositing and withdrawing dollars was convenient for Americans.

Edit: just saw that other comments say the same thing with more detailed information; at least it adds a data point that even an amateur saw it.

Oh, there were signs. Just because you couldn't see them doesn't mean they didn't exist.

I moved my coin from Mt.Gox about a month before the last major hack because just the thought of using it made the hairs on the back of my neck stand up. Something was amiss and I felt it.

The most glaring issue was that of inexplicable server load. When you are dealing with a service that handles money or valuable assets, things like this are very bad omens and should never be brushed off. It was clear that either A) the website was experiencing unusual traffic (in this case, I believe what came out was that one of the attackers was testing their method.. supposedly this same method was used in the Silk Road hack) or B) the staff was not equipped to properly and securely run a server and, were an attack to take place, they would not be ready to handle it. One bad security practice with such a critical service is indicative of generally bad security practices and lack of accountability.

You have to pay attention to your gut. If something feels amiss, and the service is critical, you have to assume that something is indeed amiss.

What standard did you set in terms of deciding whether a BTC exchange was trustworthy or not? What did you do to determine whether Mt. GOX was trustworthy and had met that standard? How did they gain your trust?

You can just assume zero trust. Transfer in what you can afford to lose. Split your big trades into a lot of small trades across exchanges, keeping a maximum amount in flight at any time. Money is only safe if it is confirmed in your crypto wallet, or in your bank account but beyond any period where the transaction could be reversed.

That's pretty much the rule in software. Which is why you have so much software that appears to be working but behind the scene is made of horrible hacks by devs who have no idea of what they are doing.

As others have pointed out there were signs - but I would say that this is true for most financial institutions if you are paying attention. I remember before Lehman's went down I saw them having a Christmas party and I joked with a friend I didn't think they could afford that anymore - and sure enough not long after they were gone.

Isn't bitcoin in a unique position to show the balance held by the holding entity at any given time?

Yea if you keep your own bitcoin wallet, which if it's in mtgox or a similar exchange is not the case.

It'd be akin to buying up a bond fund vs. keeping a stack of treasury notes in your house. Only here the broker or whatever who is running the bond fund has only been up and running for <10 years, has basically no SEC oversight, and when your funds don't show up in the right amount of time your official method of recompense is "yea just wait awhile longer, we're going through a massive growth phase and are having difficulty dealing with the scale". Oh and in this hypothetical world, this is also the #1 broker in the world who handles >50% of all trades.

Yes, https://freedom-to-tinker.com/2015/10/26/provisions-how-bitc... (cryptocurrencies in general, I believe)

Is there anything stopping exchanges (or other parties) from manipulating the price of Bitcoin by having millions of bots repeatedly buy/sell coins amongst themselves? If not, is there any way of detecting whether this is or isn't happening right now?

Sure, the same as what prevents anybody from single handedly moving the price of any asset. Liquidity.

How sure are you about this? Karpeles has admitted at trial to running bots on Mt. Gox, and such bots are implicated in the rise of Bitcoin's price up to $1000 in 2013:



If Mt. Gox successfully manipulated the price of Bitcoin using bots how do we know other exchanges aren't doing the exact same thing right now?

That doesn't always work.


> The story of how this works begins in 27 industrial warehouses in the Detroit area where a Goldman subsidiary stores customers’ aluminum. Each day, a fleet of trucks shuffles 1,500-pound bars of the metal among the warehouses. Two or three times a day, sometimes more, the drivers make the same circuits. They load in one warehouse. They unload in another. And then they do it again.

No, there are many assets which are "cheap" to move singlehandedly, yet are not (often) moved that way because of regulation

Some exchanges prove their reserves from time to time.


I see how that shows their assets, but does it reflect their liabilities too? If not, it's not necessarily a proof of solvency.

I spent some time messing with Bitcoin libraries, not an expert by any means. Generating a new private key (and the corresponding address) is trivial. Generating a transaction is a bit less trivial, but not that hard. As far as I understand, you don't need a change address to send the money to another, the change can go straight back to the original address. Random example:


So all that mess with the deterministic change addresses is simply due to the laziness of the developers, who didn't bother to generate addresses and transactions using relatively simple crypto, and instead chose to use the existing software, which they didn't really understand.

On the other hand, if the servers were hacked, almost nothing would help them. They should have kept most of their deposits in cold storage.

>There are at least seven jaw dropping moments in it. One is explaining how Bitcoin wallets pre-cache the next 100 change addresses the wallet will use, so that if someone steals your wallet without you noticing it and continues to use it you will determinisically share the same change addresses on your next 100 transactions each, which both leaves a forensic trail and also resulted in Gox continuing to send money into accounts controlled by the attacker.

hence why if your wallet is compromised you're supposed to move all of your existing funds to a new wallet. generating new keys every time sucks because it creates a problem of having to constantly back up your wallets (every time you make a transaction), which sucks from a usability point of view.

Bitcoin Core now uses deterministic wallets by default for new users (like most other Bitcoin software), so all keys are generated from the initial seed in the wallet and a single backup is enough to cover them for all time.

Does this mean if your wallet (or backup) is stolen the hacker will be able to deterministically guess your keys for all time?


Jesus, really? That’s awful. Are there no ways to mitigate or fix this?

You could not use a deterministic wallet instead.

But by default, non-deterministic wallets have the next 100 addresses pre-generated. That's a lot for people not making a lot of bitcoin transactions. The "protection" that non-deterministic wallets give in case you're hacked is probably no use to most people.

If you ever notice funds from your wallet are stolen, even if you were using a non-deterministic wallet, your thought should be to reinstall your OS and move any remaining funds to a fresh new wallet. Not to keep using that wallet while the attacker keeps grabbing from it and telling yourself the problem will go away 100ish transactions later.

I guess there's attack vectors where an attacker gets hold of an ancient backup of yours that a non-deterministic wallet could have helped. If you think that type of attack is likely against you, you should just manually swap out to a new wallet (synced up to your backup schedule) instead of depending on the non-deterministic wallet's keypool being depleted occasionally.

So... basically no, there isn’t. Yikes.

The case that non-deterministic wallets actually protect anyone is slim (attacker only has access to ancient backups of the victim), and outweighed by the risk to the user that their backups will silently become out of date as their wallet's original keypool is depleted. I think everyone should forget about non-deterministic wallets. They're a historical quirk with few parallels to other systems.

I find your presumption that a Bitcoin wallet's balance should be immune to an attacker who gets a copy of it to be surprising and unfair. It's the same situation with any cryptographic keys: if an attacker steals your PGP keys, then they can use them to decrypt data or sign data for all time. If you want to protect against the situation of an attacker getting your old data, then it's up to you to rotate your keys (/wallet) and update your backups.

Proper key management is a hard problem. This is a fact that the cryptocurrency scene has been relearning for years now.

If your wallet is stolen, you create a new wallet.

so if you buy an exchange that uses the standard wallet not only do you have to transfer all your coins to new addresses you also have to generate new wallets for those addresses

A year ago I was doing a very similar analysis using both the 2011 and 2014 leaked databases. They are publicly available (won't post a link, but I'm sure you can find it). My interest was in the privacy aspects of bitcoin.

Besides recovering user wallets using the exact same procedure as mentioned there, it was also possible to connect wallets to user email addresses. It only works for accounts in the 2011 leak, as the latter doesn't contain email addresses.

So if you were using Mt. Gox at some point, especially before 2012, you should assume your Bitcoin addresses can be linked back to your identity. Assume this includes all your addresses, not just the Mt. Gox one, as it is often possible to link addresses from the same user together.

In another experiment, I did a simple clustering on WikiLeak's public donation address. There's a button there to generate a 'unique anonymous donation address'. The clustering found about 200 of these supposedly anonymous donation addresses. At this point I had email addresses linked to 'anonymous' Wikileaks donations — Bitcoin doesn't offer privacy.

These are just two examples out of a list of discoveries. I decided not to commercialize this work on moral grounds, but other companies do offer 'blockchain intelligence' services.

Bitcoin does offer privacy, you just don't need to take the offer. I personally choose not to take the offer because I don't do anything illegal and I pay my capital gains dutifully.

But if you ever want to set up a challenge I'll pay for something anonymously to prove my point. It's not impossible, it's just annoying.

> It's not impossible, it's just annoying.

Indeed it is not impossible. It does require a tremendous amount of expert knowledge. (And people with such knowledge usually have successful careers not requiring this sort of privacy.)

The Bitcoin client got a lot better over the years as more privacy-enhancing features were added, but it's still far from perfect. For example, traffic analysis on the peer-to-peer network will still give you IP addresses.

Creating an anonymous wallet is easy: Create a wallet on an air-gapped computer, send any transaction from a public computer over TOR to https://blockchain.info/pushtx. Make sure your transactions look average and uncorrelated in all dimensions.

Now you need to fund this account without revealing your identity. This is much harder. Mining your own block would be the most anonymous way.

Well I don't understand why I'm being downvoted then.

I very much agree with you, although for some amounts it isn't too hard to get a wallet funded without resorting to block mining. For example, meet up in person and buy with cash. Not tenable for hundreds of thousands or millions of dollars in a hurry, but certainly possible for tens of thousands, which is what most unaffiliated low level drug dealers want (so they can buy drugs via Tor and resell them in person for cash).

The thing is, most people fail to appreciate that security and privacy is a continuum. Just because the NSA could figure out who you are if they were highly motivated to do so, doesn't mean that Immigration Germany can, and when you have prostitutes getting human trafficked through employment visa programs, Bitcoin is a whole lot more private than banking. And if you know you are on the other side of an NSA level attacker, then it is still possible to maintain privacy, it's just exceptionally unpleasant and slow.

But once you have the private nodes set up, it's the easiest way of moving hundreds of millions of dollars across borders. This is why I think it's going to be made illegal. Big gangs have some smart enough cyber guys and they'll use Bitcoin as a shadow banking system. But right now what gives Bitcoin its intrinsic value is greed: People think it might be the currency of the future and they rightly deduce that it will dramatically increase in value if it is. If governments uniformly ban transactions with cryptocurrencies this will collapse like beanie babies.

This is what I think will probably happen, although it is possible that governments try to get in and semi-regulate it enough to stop its usefulness by organized crime.

> I don't understand why I'm being downvoted then

Probably because this bit here:

> I personally choose not to take the offer because I don't do anything illegal

Seems to be implying that those who do choose to "take the offer" and pay for things anonymously _are_ doing something illegal. (E.g. The "nothing to hide" argument.)

Obviously that statement wasn't central to your point, but it likely rubbed a few people the wrong way regardless.

(I did not downvote; you raised a valid point that I responded to. Though your post sounded a bit like the "I have nothing to hide" argument, which has been debunked many times before.)

Currently the easiest way to regulate is at the entry and exit points, i.e. the exchanges. Taxes need to be paid in fiat and you will need to explain where that fiat came from. No need for governments to do anything on the blockchain.

In my limited experience with regulators (mostly in Europe), I found that they actually rather like the idea of a more democratic financial system. Their primary concerns are human trafficking, protecting citizens from scammers and collecting taxes. I was honestly pleasantly surprised by their progressive attitude.

I wrote a blog post about wanting privacy back in 2008 that went hyper viral, I'm familiar with the arguments and used to believe in them fully.

I don't anymore. Not to the libertarian extreme that most people associated with Bitcoin mean. Maybe in the European context (right to be forgotten) where you functionally have privacy, but law enforcement can issue court ordered warrants to stop crime.

I've seen too many evil people do evil things with their money. I'm not allowed to talk about the specifics, but I've advised some organizations on how to deal with organized crime and when you're on the other side of it you really see how weak most of our law enforcement really is against real crime and how the only thing slowing these guys down is that they can't access our banking / investment systems and that they are generally pretty unsophisticated with technology. If all of that changes I don't know how we stop them.

Privacy will always be an arms race, but I don't think that unregulated cryptocurrencies are going to be a force for good consequences in the world. Maybe blockchains for international settlements between banks, where a newly multipolar world makes a unified global order harder, but I'm not even sure we need them there either.

To me the best thing to come out of cryptocurrencies is that there is now a profit motive for companies to prioritize cybersecurity. I'm already seeing it make a huge difference. Giving that up would be a tough pill to swallow for FVEY because we're the most vulnerable to cyber attack.

But once politicians start getting assassinated or ransomed for BTC, I doubt that cryptocurrencies will survive. It might be the very flaws in the usability of Bitcoin that allow us enough privacy for normal actions, without the extreme privacy that would enable cyber criminals to operate with impunity.

> Now you need to fund this account without revealing your identity. This is much harder. Mining your own block would be the most anonymous way.

Just route a transaction through zcash's private ledger?

I mean, they can be purchased with cash for one. There are private sites that let you meet up with sellers and transfer completely off the "grid" so to speak.

This approach is probably fine for small one-off transactions, but:

* Anonymous cash is difficult and illegal to scale.

* 'private sites' can not be trusted (they will be subpoenaed, hacked, wiretapped, etc.).

* Sellers will learn your identity, and can not be trusted.

* You or the seller may be followed.

As someone that does research into Bitcoin privacy I can tell you that strong privacy guarantees are extremely hard to achieve in Bitcoin.

1. Your IP address can often be associated with the Bitcoin transactions you create.

2. TOR can make this harder, but fingerprinting a particular Bitcoin wallet between TOR and clearnet is very possible.

3. Almost all tumblers in current use must be trusted not to violate your privacy, that is they know who is who and must be trusted to not tell third parties. I would suspect that some tumblers are run by LEOs. Even if a tumbler is keeping your secrets they may not offer that much protection against blockchain analysis. It is hard to tell that a tumbler is actually providing any on-blockchain privacy.

Bitcoin and cryptocurrency privacy is likely to dramatically improve over the next five years, but right now there isn't much actually deployed.

A.) Privacy and legality are not strongly connected or related. Privacy is self-preservation. It is very common that you want something that someone else doesn't want. For instance, while you work at company X you may want to see if you can get a job at company Y. You don't want your current boss to know this, before you actually are sure about company Y.

B.) If you look closely the privacy here is not just defined by using the right tools. It's also usage patterns. For instance drawing money from two accounts for the same transaction gives people high confidence that the same person controls both accounts. So it's a lot tougher than "just taking the offer".

>Although I knew that 80,000 BTC had already missing from Mt. Gox when Jed McCaleb sold it to Mark Karpèles — McCaleb suggesting to Karpèles “maybe you don’t really need to worry about it” — hackers had already cleaned out Mt. Gox while McCaleb owned it. He had sold Karpèles an insolvent exchange.

I didn't know that part. Puts things in a different light. I always assumed McCaleb was gone before any of the shenanigans happened.

The talk really put Karpeles in a slightly better light. He bought into an exchange that was a raging dumpster fire from a security and accountability standpoint and managed to stop the horrorshow by rewriting the wallet handling software.

Of course it was way too late at that point. The whole place had already been robbed blind. Still, it seems like if he had gotten there sooner maybe that weird arbitrage bot could have made up the difference somehow and actually bailed out the company.

> The talk really put Karpeles in a slightly better light.

I disagree wholeheartedly. Karpeles bought an insolvent exchange, and specifically chose not to invest the money necessary to bring it back to solvency. He could have simply bought 80,000 BTC in order to make the exchange solvent (Bitcoin was trading at less than a dollar per coin at that time). Instead, he chose to defraud his customers by attempting to make up the missing money by front-running trades and other dishonest tactics.

In addition, he failed to implement basic accounting measures which resulted in him not even being aware of the fact that he would go on to be hacked multiple more times.

> Still, it seems like if he had gotten there sooner maybe that weird arbitrage bot could have made up the difference somehow and actually bailed out the company.

The "weird arbitrage bot" was fraud, plain and simple. If it had worked, it would have worked by effectively stealing value from active traders on Mt. Gox. Of course, Karpeles was too incompetent to even implement this fraud correctly, and he ended up inadvertently subsidizing traders rather than stealing from them.

Yeah that sheds a new light on just how shady this was from the start. No wonder Jed had to sell to someone who was basically incompetent.

It is also interesting that the thefts seem to stop after they moved to the new wallet software.

My notes for folks who don't like video: https://gist.github.com/patio11/598ec35c6c1675c97d93383f41b3...

But seriously, if you care about this at all, watch the video. It is one of the best conference presentations I've ever seen.

Fascinating, thank you.

I hope you also have time to reply to the comments from Sillysaurus3 and several others, regarding the reasoning and sources behind your impressive early prediction of MtGox's failure.

> MtGox was essentially insolvent for most of its existence.

This is the biggest worry. How could they have not known about their books? This shows the fundamental flaw in cryptocurrencies. There will always be highly motivated and very technical people (Russia and China looking at you) willing to spend hours, days, months attacking or searching for exploits and vulnerabilities to extract coins. This differs from traditional banks which requires a physical bank robbery.

Ultimately the incentives for illegal activities, theft, and fraud are just too high without oversight and a central trusted authority.

> This shows the fundamental flaw in cryptocurrencies.

You're missing a word: "...flaw in cryptocurrency-centralization entities". Actually cryptocurrencies are achieving the opposite: they're decentralizing security.

Exchanges are just a bridge to that world.

Put a non-trivial amount of btc in a wallet with a moderately secure password. Oh you'd rather not? It will be swept up almost instantly by any of a myriad of wallet cracking programs running 24/7 for just that purpose.

I think nodesocket's point was that to expect the run of the mill computer user, who barely understands what a browser is, to have the security chops to withstand constant attacks from people who not only know what a browser is, but have also devoted substantial time to understanding as many exploits to the crypto-currency systems as they can and who have monetary incentive to continue refining that understanding in pursuit of most likely consequence-free (apart from their soul) illicit monetary gains, is unrealistic. Looking at the dynamics at play here, it is not a stretch to assume that expecting widespread adoption in any form is likely to be a losing proposition.

What does "decentralizing security" mean? Everyone with any currency to protect will have to implement the digital equivalent of 36 inch fortified walls? Why would they want to do that when most people are satisfied with outsourcing this to service providers who specialize in such things?

For some scenarios there is a case to be made for "user defined security" or some-such, possibly even a few legitimate ones that aren't socially hostile. But it's hard to make any convincing case (without using any "semantic sugar," "empty calorie" buzzword-laden phrases like "decentralizing security") against nodesocket's point that the lay of the land of crypto-currency seems hopelessly tilted towards those who would like to exploit it in these ways.

Unless you're exaggerating to make a point, you should qualify your challenge to indicate that you're talking about old-school "brain wallets" that nobody uses anymore. Every modern wallet app uses BIP32/BIP44/BIP39 standards that guarantee a minimum of 128 bits of good entropy.

Yes, people will still refuse to back up their wallets by writing down the 12- or 24-word seed phrase, and others will get phished. They'll lose their funds, just as they already do with their Steam and eBay accounts. Your point is valid that Bitcoin allows a tremendous amount of control that many people will use first and foremost to shoot off their own limbs. But brain-wallet crackers are no longer a threat.

>Yes, people will still refuse to back up their wallets by writing down the 12- or 24-word seed phrase

Stupid question here, but what is wrong with doing that?

That seed phrase is the entire secret key making up a deterministic wallet (HD wallets, BIP32, are pretty much the only kind of consumer Bitcoin wallet today). If you don't write it down, and your phone dies or you lose it, then all your money is gone forever. In case that's an insufficient answer, here's the mechanism:

Bitcoin addresses are (usually) based on ECDSA public keys. When you send Bitcoin to someone, you're saying "send this to whoever can sign for the following public key [XYZ]. Signed, [ABC]." You had private key [abc] for [ABC], and you got the bitcoin you sent from someone else who said "send this to whoever can sign for the following public key [ABC]. Signed, [MNO]." ("said" means published to the global blockchain ledger.)

Back in the bad old days, the Bitcoin app would generate a new private/public key pair for every address. This meant that if you didn't back up wallet.dat frequently, you were screwed because your old backup might have only the old keys in it, not the new ones since the last backup.

The BIP32 scheme works kind of like this (simplified):

  24 words -> 256-bit secret, called [defghi].
To generate a new address, take [defghi] and add a path to it, like "44/0/0/1" and then do a cryptographic hash on it, creating a new secret:

  [defghi-44/0/0/1] -> [jklm]
Then [jklm] becomes one of the private keys in your wallet. Next time you need another key, use "44/0/0/2," "44/0/0/3," etc.

So what's nice about this is that the 24 words are the only thing you need to reconstruct your whole wallet. You no longer have to keep on backing up your Bitcoin wallet except for the very very very first time when you first create it.

But if you don't write down that list of words, and something happens to your phone/PC, goodbye bitcoin.
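The comment above describes the derivation in simplified form ("add a path to the secret and hash it"). The following is an added example, not code from the comment or from any wallet project, that implements the actual BIP32 master-key and hardened-child derivation with nothing but the standard library: HMAC-SHA512 keyed with the literal string "Bitcoin seed" produces the master private key and chain code, and each hardened child is HMAC-SHA512 over the parent key and index, added to the parent key modulo the secp256k1 group order. The hex seed in the usage is the seed from BIP32's published test vector 1; the raw 32-byte seed stands in for the 24-word phrase (which BIP39 turns into a seed with PBKDF2, a step not shown here). Non-hardened steps need elliptic-curve point arithmetic and are deliberately rejected.

```python
import hmac
import hashlib
from typing import Tuple

# Order of the secp256k1 group. A valid private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED_OFFSET = 0x80000000  # indices >= 2^31 are "hardened" (written 0', 1', ...)


def master_key_from_seed(seed: bytes) -> Tuple[int, bytes]:
    """BIP32 master key: HMAC-SHA512(key=b"Bitcoin seed", msg=seed).

    Left 32 bytes become the master private key, right 32 bytes the chain code.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; use a different seed")
    return key, digest[32:]


def derive_hardened_child(parent_key: int, chain_code: bytes, index: int) -> Tuple[int, bytes]:
    """Hardened child: HMAC-SHA512(key=chain_code, msg=0x00 || ser256(k_par) || ser32(i)).

    Child private key = (left 32 bytes + parent key) mod N. Because the parent
    *private* key is fed into the HMAC, knowing only the parent public key and
    chain code does not let anyone derive hardened children.
    """
    if index < HARDENED_OFFSET:
        raise ValueError("non-hardened derivation needs EC point math; not implemented here")
    data = b"\x00" + parent_key.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    child_key = (left + parent_key) % SECP256K1_N
    if left >= SECP256K1_N or child_key == 0:
        # The spec says to skip this index and try the next one; we surface it instead.
        raise ValueError("invalid child at this index; caller should try index + 1")
    return child_key, digest[32:]


def derive_path(seed: bytes, path: str) -> int:
    """Walk a hardened-only path such as "m/44'/0'/0'" starting from the seed."""
    if not path.startswith("m"):
        raise ValueError("path must start with m")
    key, chain_code = master_key_from_seed(seed)
    for step in path.split("/")[1:]:
        if not step.endswith("'"):
            raise ValueError(f"step {step!r} is non-hardened; only hardened steps are supported")
        key, chain_code = derive_hardened_child(key, chain_code, HARDENED_OFFSET + int(step[:-1]))
    return key


if __name__ == "__main__":
    # Seed from BIP32 test vector 1 (a published test constant, not a real wallet).
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print("m      :", hex(derive_path(seed, "m")))
    print("m/0'   :", hex(derive_path(seed, "m/0'")))
    print("m/0'/1':", hex(derive_path(seed, "m/0'/1'")))
    # The point the comment makes: the seed alone regenerates every key, so one
    # backup of the seed covers all keys ever derived from it.
    assert derive_path(seed, "m/0'/1'") == derive_path(seed, "m/0'/1'")
```

Running it twice with the same seed prints the same keys, which is exactly why a single backup of the seed suffices, and also why a copy of that seed in an attacker's hands is a copy of every key the wallet will ever use.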

Your wallet can be reconstructed from that seed phrase. Writing it down and putting it somewhere safe is one way to back it up, securing your funds against drive failure.

Good info, thanks.

Your answer to my comment also seems to forget what cold storage is. With cold storage, you can forget about zero-days and whatnot. It's the way to go for mass adoption (we just need to make it more user friendly).

«the run of the mill computer user, who barely understands what a browser is, to have the security chops to withstand constant attacks from people»

That's why we invented hardware wallets, which physically separate coins from the computer. You don't need to be tech savvy to use one. And to date, there hasn't been a single case of bitcoins stolen from a hardware wallet.

Is there a good overview of the types of wallets, their architecture and evolution?

As someone trying to get into blockchain stuff, this is kinda wild.

Also, what exactly is a wallet? If the coins are really just outputs in a hashed block how do you 'access' them?

> Is there a good overview of the types of wallets, their architecture and evolution?

A wallet is a userland abstraction where it groups together all of your keypairs.

With each keypair (ECDSA) you have a public and private key. The address is derived from a hash and encoding of the public key. The private key is used to sign a script that unlocks the transaction outputs you have access to.

For this reason, your balance is also a userland abstraction. A balance is the sum of all the outputs you have the ability to unlock by signing the input.

What's important to understand about transactions is that you need to spend the entire input. If you have 10 coin sitting in an output and want to send 7 to someone, you need to structure the transaction so that the 3 change goes back to you as well.

The way fees work is that the miner picks up any difference between the outputs and the input, for ex.

    10 input  => output 1 = 7btc to address1 (recipient)
              => output 2 = 2.9btc to address2 (change)
              => diff 0.1 btc transaction fee
You now have a balance of 0 in your input address, and you're left with 2.9btc in your change address which will become the input on your next transaction

There is no reason why the change address cannot be the same as the input, but it means a loss of privacy since you can then see the 2.9 btc was change, thus output1 was the recipient, and you link the future transaction back to yourself as well.

If you then want to send 11 coin to someone, you can combine other inputs:

     2.9btc input => output 1 = 11btc to address3 (recipient)
     10btc input  => output 2 = 1.89btc to address4 (change)
                  => diff 0.1 btc transaction fee
This is how wallet identification works as described in the OP - you can assume that any inputs shared in a transaction are from the same owner since they were signed together. If you parse the blockchain and continue grouping common inputs like that, you end up with a graph of wallets. Sometimes it only requires a single transaction to group together entire clusters - especially if you're using wallet software that selects inputs to use in sequence, doesn't create change correctly, or if you sweep all your smaller and smaller inputs into an aggregate address.

What the original wallets did, and what OP explains, is they would pre-generate the next 100 keypairs and add them to the end of the list, and with each transaction that requires change it would move the pointer for next change address up one

All of your addresses start as either receive addresses, or as change addresses, and end up becoming your balance addresses until they are spent

To back up these wallets you had to back up every key pair, which is why most modern wallets use deterministic keys usually derived from a mnemonic. HD wallets use a master key pair, where the private key is usually derived from a mnemonic. That key pair is then used to generate the key chains that are used as receive and change addresses. It means you only need to back up your master keypair or your master mnemonic and can then generate and check all the key chains.

The new wallet format is defined in bip32 [0] while the mnemonic to generate seeds is defined in bip39[1] - which you can test using a browser client app[2] (don't store coin using these - generate them securely)

Most wallets now support these deterministic wallets, including bitcoin core

The three main wallet types are full node, thin node (SPV) or web wallet

You can run a full node with Bitcoin Core[3] or Bcoin[4] (a Javascript implementation) - both support pruning the blockchain at a specified block height

The most popular SPV clients are Electrum[5] (cross-platform) and breadwallet for iOS/Android[6]. SPV uses block headers and peer queries (sometimes using bloom filters for privacy) to query your unspent transaction outputs and to verify transactions (there are variations of the architecture). The bcoin project also allows you to run an SPV client in the browser or via node (I'm really starting to like this project - they were the first to implement p2p authentication and encryption, which is specified in bip150/bip151).

Electrum supports Trezor and other hardware wallets, multisig wallets, 2FA wallets, and has its own mnemonic and deterministic wallet format (but it also just involves saving a seed for the master key).

Web wallets store your wallet (usually) encrypted on their server and then unpack and decrypt in your browser client, then making HTTP API queries to verify transactions, get your unspents, broadcast transactions etc. The most popular are Blockchain.info[7] (disclaimer: I worked for them) and GreenAddress[8] - you can use blockchain.info via a tor hidden service at blockchainbdgpzk.onion

Good ways of getting started if you're more interested in the tech is Electrum (web wallets tend to obfusacte a lot of what is going on to make them easy to use), a full node with Bitcoin Core or running bcoin - and running them on testnet so you can build and broadcast your own transactions without fear of losing funds (the scripting language has also evolved a lot).

The other Javascript lib you can use to create transactions is bitcoinjs-lib[9] - there are libs available for deterministic wallets and some good transaction/script abstractions.

[0] https://github.com/bitcoin/bips/blob/master/bip-0032.mediawi...

[1] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawi...

[2] https://iancoleman.github.io/bip39/

[3] https://bitcoincore.org/

[4] https://github.com/bcoin-org/bcoin

[5] https://electrum.org/

[6] https://breadwallet.com/

[7] https://blockchain.info/wallet/#/home

[8] https://greenaddress.it/en/

[9] https://github.com/bitcoinjs/bitcoinjs-lib

This is an excellent reply, thanks for taking the time. I appreciate it.

Roughly, a wallet is a public/private key pair. You use the public key to receive money, and the private key to send money. If anyone hacks your private key, they can take all your money.

> Put a non-trivial amount of btc in a wallet with a moderately secure password. Oh you'd rather not? It will be swept up almost instantly by any of a myriad of wallet cracking programs running 24/7 for just that purpose.

Most people refuse to invest in Bitcoin because of the possibility of a crash, so this is a completely pointless challenge.

Not sure of the point you're meaning to make.

I was simply explaining that many crypto-currency systems are demonstrably more adversarial and user-hostile environments than most other currencies. Not only are they more adversarial, they are more adversarial in a way that most computer users aren't equipped to comprehend.

Are "hostile" and "adversarial" the right words for the point you're trying to make? Cryptocurrencies are powerful, and they offer no recourse in case of user error. You might say the same of a chainsaw or a nail gun, but nobody would call them "hostile" or "adversarial."

Yeah but when you're using a chainsaw there is no one who is attempting to weight the machine in a certain direction potentially putting you in danger. And there is no one with an incentive to do so.

Isn't bitcoin just turning into an ongoing drama between the small group of miners that have most of the hash capacity and the small group of developers that choose what to implement?

Or are you talking about other cybercurrencies that use different schemes to maintain consensus?

There will always be drama within Bitcoin since it is money, and there will always be people who want to get their hands on and control that money.

For centuries, banks have partnered with the state to monopolize their rents and profits at the expense of competitors. The ultimate example of this is central banking cartels.

> small group of miners

There is a small group of mining pools that together can block certain upgrades to the system. A couple of those pools combine to more than 50% of the hashpower. But they are pools, and pools are made up of lots of contributing miners, who may leave for another pool at any moment.

> small group of developers that choose what to implement

Relative to the total number of Bitcoin miners, company employees, or wallet users, the number of developers is the smallest group. Developers choose what code they wish to write, unless someone is paying them to write certain things. But developers cannot force anyone to run their code. Hence, the ultimate power of consensus is with the node operators of the system.

But all of this is beside the point that parent comments were making about the danger of centralized bank-like services such as exchanges. The decentralized, trustless nature of Bitcoin is such that you can download the client and verify your funds from the Genesis block until today, without needing to trust anyone.

> This differs from traditional banks which requires a physical bank robbery.

A traditional bank is still susceptible from similar attacks. Difference being, at banks they're just balance sheets in a database, so forensics and backups can be used to restore balances. Traditional banks also have decades of experience protecting their data.

It's not a flaw in cryptocurrency, it's cryptofanatics discovering that we have banking regulations for a reason.

>This differs from traditional banks which requires a physical bank robbery.

Not really. Recent example: http://www.telegraph.co.uk/news/uknews/crime/11414191/Hacker...

> This shows the fundamental flaw in cryptocurrencies.

Hardly... but if it did, it doesn't mean they're still not worth using and developing.

And traditional banks don't require a physical robbery to be hacked.

Traditional banks have insurance.

An uninsured Bitcoin exchange, once the first few coins have been stolen, becomes a secret game of musical chairs to see who gets left without the coins they deposited.

Well, some cryptocurrency exchanges have insurance too. For example Coinbase/GDAX is insured by Lloyd's of London, and their USD accounts even have FDIC insurance:


And that insurance is the state.

Are you expecting gasps of horror in response to your simplistic statement? Oh, no, not the state!

Not everybody here is an anarcho-capitalist.

No not expecting gasps of horror at all! Just saying the bank can be bailed out and consumers expecting this can feel a bit safer with their deposits

Oh, I apologize for misinterpreting you. So many of these threads end up with people who think they can replace government with Bitcoin, and I read it in that tone.

Incidentally, I believe that there is also a considerable amount of private insurance involved in banking.

Thanks to be fair my comment was short and mysterious and in the context of the HN community it's probably been taken the less charitable way.

In the UK there is deposit insurance provided by the government as the last stop and that's an amount per financial institution.

Well, they can also reverse transactions, and physically extracting more than a few thousand from an account can be a painful process at most banks, particularly if the money was recently transferred. They just tell you, "sorry we don't have that much cash on hand, it will take us X days to get it, please return on Y."

A central bank hack led to $58 million being transferred and withdrawn in cash in just a few days. Permanently lost/irrecoverable... https://en.m.wikipedia.org/wiki/Bangladesh_Bank_robbery

In a world with fast payments, that money can be washed and moved and out of a dozen ATMs quite quickly.

That's why payments typically take a few days to clear. Bitcoin is designed for instantaneous payments with no rollback, which is an anti-feature.

Bitcoin explicitly does not have instantaneous payments. The standard view is to wait for 6 blocks before considering a transaction as "confirmed". Confirming a transaction at 0 blocks leaves you open to a very low cost double spend attack.

How do you physically extract more than a few thousand from a cryptocurrency exchange?

Has a US customer ever lost money from a bank getting hacked?

The really low/inconsistent frame rate and A/V sync issues make this really hard to watch.

Luckily the audio is fine.

Is there a better version somewhere?

Just finished watching. As I expected so much of it is PowerPoint slides that the video issues are obnoxious but not fatal.

It was a very interesting (and pathetic, for MtGox) talk. Went way faster than I expected because it was so interesting. Presenter did a great job.

Here is the complete "Breaking Bitcoin" event: https://www.youtube.com/watch?v=eCE2OzKIab8&feature=youtu.be...

That has the same problem.

no platform should be trusted with your cryptocurrency


Use it for what it's good at - buy or trade. As soon as the transaction is over - move it to a fully deterministic offline wallet.

What does the 'deterministic' mean in this context? What would be a non-deterministic wallet?

Deterministic wallet means that all of the keys/addresses that are used by the wallet are generated from the wallet's initial seed. (As opposed to the older classic style where 100 keys are pre-generated randomly, and more keys are randomly generated as needed.) The benefit of a deterministic wallet is that a single backup is enough to cover all of the funds that will ever be kept in the wallet. (In the classic wallet style, if you don't make a new backup regularly every 100 addresses, then funds in later addresses won't be accessible through the backup.)

Also - it's a perfect non-electronic way to have your funds.

Seed could be a sequence of words (this thing needs to be backed up and stored safe!)

Huge advantage is that you can save the seed in a safety deposit box in a bank, written on paper - a totally non-electronic way.

Then you can recreate the wallet from the seed at any time and manage your funds.
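As an added example that is not part of any comment in this thread (and not code from any wallet mentioned above), here are the three steps that the comment above and the earlier HD-wallet comment describe, in plain Python with only the standard library: a BIP39 sentence is stretched into a seed, the seed becomes a BIP32 master key, and hardened child keys are derived from it, which is why one backup of the seed covers every key the wallet will ever use. All function names are this example's own. The only real constants are the secp256k1 group order and the BIP32 mainnet xprv version bytes; the sample mnemonic and seed in the demo are published BIP test vectors, not keys anyone should use. Non-hardened derivation (the receive/change levels of a path like m/44'/0'/0'/0/i) needs secp256k1 point multiplication and is deliberately left out.

```python
"""Added example: BIP39 seed stretching, BIP32 master key and hardened
child derivation with only the Python standard library.  Function names
are the example's own; they are not an API of any wallet discussed above."""
import hashlib
import hmac
import struct
import unicodedata

# Real constants: secp256k1 group order (BIP32) and the mainnet "xprv" version bytes.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
XPRV_VERSION = bytes.fromhex("0488ADE4")
HARDENED = 0x80000000
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.
    The word list is only needed to *validate* a sentence, not to stretch it."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def master_key(seed: bytes):
    """BIP32 master node: HMAC-SHA512 keyed with "Bitcoin seed".
    Left 32 bytes = master private key, right 32 bytes = chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, chain = digest[:32], digest[32:]
    k_int = int.from_bytes(k, "big")
    if k_int == 0 or k_int >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; BIP32 says reject it")
    return k, chain


def derive_hardened(k_par: bytes, c_par: bytes, index: int):
    """BIP32 CKDpriv for a hardened index (>= 2^31).  Hardened children hash
    the parent *private* key, so no elliptic-curve arithmetic is required.
    Non-hardened children hash point(k_par) instead and are not handled here."""
    if index < HARDENED:
        raise ValueError("only hardened indices are supported in this example")
    data = b"\x00" + k_par + struct.pack(">I", index)
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il, c_i = digest[:32], digest[32:]
    il_int = int.from_bytes(il, "big")
    k_i = (il_int + int.from_bytes(k_par, "big")) % SECP256K1_N
    if il_int >= SECP256K1_N or k_i == 0:
        # Probability below 2^-127; BIP32 says skip to the next index.
        raise ValueError("invalid child key at index %d; try index + 1" % index)
    return k_i.to_bytes(32, "big"), c_i


def derive_path(k: bytes, chain: bytes, path: str):
    """Walk a path such as "m/44'/0'/0'" (hardened levels only) from a node."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    for part in parts[1:]:
        if not part.endswith(("'", "h", "H")):
            raise ValueError("non-hardened level %r needs EC math; not shown here" % part)
        k, chain = derive_hardened(k, chain, int(part[:-1]) + HARDENED)
    return k, chain


def base58check(payload: bytes) -> str:
    """Base58 with a 4-byte double-SHA256 checksum, as used for xprv/xpub strings."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = b""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r:r + 1] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return (b"1" * leading_zeros + out).decode("ascii")


def serialize_master_xprv(k: bytes, chain: bytes) -> str:
    """BIP32 serialization of the *master* node: version || depth(0) ||
    parent fingerprint(0) || child number(0) || chain code || 0x00 || key.
    Child nodes need the parent's public-key fingerprint, so only the master
    is serialized here."""
    payload = XPRV_VERSION + b"\x00" + b"\x00" * 4 + b"\x00" * 4 + chain + b"\x00" + k
    return base58check(payload)


if __name__ == "__main__":
    # Constructed input: the all-"abandon" sentence is the first published BIP39
    # test vector, used here only because its seed is public; never fund it.
    words = " ".join(["abandon"] * 11 + ["about"])
    seed = mnemonic_to_seed(words, "TREZOR")
    k, chain = master_key(seed)
    print("master xprv:", serialize_master_xprv(k, chain))
    acct_k, acct_c = derive_path(k, chain, "m/44'/0'/0'")
    print("account key m/44'/0'/0':", acct_k.hex())
    # The same seed always yields the same keys: this is why one backup is enough.
    assert derive_path(k, chain, "m/44'/0'/0'") == (acct_k, acct_c)
```

Two checks worth keeping in mind when reading it: `master_key` and `derive_hardened` reject the (astronomically rare) out-of-range results exactly as BIP32 specifies instead of silently clamping them, and the `xprv` string printed for the master is the same bytes a wallet would import, so the demo can be compared against the browser tool linked in the earlier comment on a machine that is not holding real funds.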

Sorry, but how is that any more non-electronic than storing your ATM PIN in a safe? Given that the weakest security link is invariably human.

The ATM situation has a ton of links including your bank and the possible records of everywhere you've used your debit card.

If your bitcoin private key only exists on a piece of paper and not on any networked computers, then there's no way that malware or a company being hacked or an exchange going down is going to affect its balance.

It seems like one of the ways exchanges are beefing up security is by making everyone submit tons of verification documents in order to do anything

No, that's about complying with Know Your Customer and Anti-Money Laundering laws so they are committing fewer felonies.

But honestly, that kind of verification is going to cut into a big chunk of the userbase. Nobody wants to submit 3 different forms of ID to buy some drugs or launder some money.

ID or not, it’s not a particularly smart idea to run illegal transactions through a system that records those transactions in a redundantly backed up and publicly viewable distributed database.

That's why tumblers exist.

More insidiously, if you're level N verified then the exchange will probably tell you that you need to be level N+1 verified to withdraw any of your money.

But no amount of identity verification can prevent exchanges from being hacked or from defrauding their own customers.

"There are multiple “holy crap!” moments." Thanks. I enjoyed it.

>"I know PHP! How hard could running an exchange be?" -Mark Karpelès

This is the same guy who infamously wrote:

>"PHP can do anything, what about some ssh?" -Mark Karpelès


>"quick'n'dirty bitcoin signing lib because too lazy to reimplement ECDSA in pure PHP" -Mark Karpelès



The Dunning-Kruger effect runs deep in that one. It's no surprise he was drawn to PHP, given Rasmus Lerdorf's disdainful anti-intellectual attitude about computer science, programming, security, and unit testing. Birds of a feather!

If you didn't already know about the inventor and lead developer of PHP's anti-intellectual attitude, here are some classic quotes:


"There are people who actually like programming. I don't understand why they like programming." -Rasmus Lerdorf

"I'm not a real programmer. I throw together things until it works then I move on. The real programmers will say "Yeah it works but you're leaking memory everywhere. Perhaps we should fix that." I’ll just restart Apache every 10 requests." -Rasmus Lerdorf

"I do care about memory leaks but I still don't find programming enjoyable." -Rasmus Lerdorf

"I don't know how to stop it, there was never any intent to write a programming language [...] I have absolutely no idea how to write a programming language, I just kept adding the next logical step on the way." -Rasmus Lerdorf

"I was really, really bad at writing parsers. I still am really bad at writing parsers." -Rasmus Lerdorf

"I really don't like programming. I built this tool to program less so that I could just reuse code." -Rasmus Lerdorf

"I actually hate programming, but I love solving problems." -Rasmus Lerdorf

"For all the folks getting excited about my quotes. Here is another - Yes, I am a terrible coder, but I am probably still better than you :)" -Rasmus Lerdorf

Then there was the time that Rasmus Lerdorf cut an official but fatally flawed public release of PHP 5.3.7 without bothering to run the unit tests, which would have caught the sloppy bug he had just checked in that broke crypt().

This guy who thinks he's "probably still better than you" had to admit that maybe he "went a bit too fast" when he didn't actually bother to run any of the unit tests first before releasing a new version of PHP with a terrible security flaw in crypt(), because so many of the tests produced error messages, and even though the tests caught his bug, he didn't feel it was worth the hassle of wading through all those pesky error messages to see if he'd introduced yet another security related bug.

I sure hope no online banks depend on the crypt() function!

> 5.3.7 upgrade warning: [22-Aug-2011] Due to unfortunate issues with 5.3.7 (see bug#55439) users should postpone upgrading until 5.3.8 is released (expected in a few days).


>r314434 (rasmus): Make static analyzers happy

>r315218 (stas): Unbreak crypt() (fix bug #55439) # If you want to remove static analyser messages, be my guest, but please run unit tests after



>Rasmus Lerdorf

>+Lorenz H.-S. We do. See http://gcov.php.net

>You can see the code coverage, test case failures, Valgrind reports and more for each branch.

>The crypt change did trigger a test to fail, we just went a bit too fast with the release and didn't notice the failure. This is mostly because we have too many test failures which is primarily caused by us adding tests for bug reports before actually fixing the bug. I still like the practice of adding test cases for bugs and then working towards making the tests pass, however for some of these non-critical bugs that are taking a while to change we should probably switch them to XFAIL (expected fail) so they don't clutter up the test failure output and thus making it harder to spot new failures like this crypt one.

"I throw together things until it works then I move on." -Rasmus Lerdorf

That's honestly amazing how much of an impact he's had on software development. Interesting post.

I sure would like to have the 25BTC back that I lost from them.

Direct link to video: https://www.youtube.com/watch?v=l70iRcSxqzo

Content around it is just filler to promote the author's book.

Why does everyone call it Mount Gox or Mt Gox when it was the Magic the Gathering Online Exchange?

It was formerly the Magic the Gathering Online Exchange. When it became a bitcoin trading platform it was renamed Mt. Gox.

Was it actually ever a MtG exchange? I thought the domain name was purchased for that purpose but it was never actually used that way.

McCaleb had a site for this purpose at the address, but it's not clear how much happened on it:


The Wayback Machine has copies of the front page from May to September 2007.

Backronym, I suspect. MtGOX is a lot shorter than the full name spelled out, and it's just a hop, skip, and a jump (crikey, it's just a hop with a side of misinterpretation, if that) to Mount Gox and Mt Gox.

Edit to add: 'neotek has a better answer :)

Do you BackRub instead of Googling something?

Probably because of the similarity to "Ft Knox".

Only in name, though. Not in security.
