Hacker News new | comments | ask | show | jobs | submit login
Mt. Gox Finds 200,000 Missing Bitcoins (wsj.com)
278 points by byoogle on Mar 21, 2014 | hide | past | web | favorite | 236 comments

In case paywall is blocking the text:

TOKYO—Major bitcoin exchange Mt. Gox announced Thursday it had discovered 200,000 missing bitcoins in a wallet that the company no longer uses, reducing the total number of bitcoins still missing to 650,000 from 850,000.

"We believed there were no bitcoins left in old wallets, but found 199,999.99 bitcoins on March 7," Mt. Gox chief executive Mark Karpelès said in a document released Thursday.

Mt. Gox said it reported the discovery of the bitcoins to its lawyers on March 8, and moved the discovered bitcoins to offline storage between the March 14 and 15.

The exchange filed for court protection on Feb. 28. At the time, Mr Karpeles told a news conference it had lost 750,000 bitcoins owned by users and 100,000 held by the company, citing the possibility the bitcoins had been withdrawn without authorization.

The exchange was shut down Feb. 25.

Thanks. There really should be some rule on HN against posting links that hide the text, although I've heard it's not obvious to those who post the links as apparently coming from Google it displays the full article.

Seems like if it were irritating enough to people, lack of upvoting might naturally take care of the issue.

The problem is most people upvote based on the title without reading the article.

Yeah, exactly. Meaning it's probably not irritating at all to a lot of people.

Not my ideal situation, but HN is gonna be HN.

Thanks for that.

I am borderline speechless in the face of the incomprehensible carelessness. The lack of records is amazing. The lack of accounting is amazing. The lack of professional standards is amazing. The lack of common sense is amazing.

If you'll excuse me, I have to go to the bank. I just realized that I left a million dollars in the pockets of the jeans that I just washed. I suppose I should dry them out and deposit them, along with the $100,000 I just found fallen between then cushions of my couch.

This is why there is regulation of the finance sector, and exactly what happens when companies and individuals try to pretend the regulation doesn't apply to them.

If you want to start an online financial services business, the first thing to do is start researching the legal requirements for doing so, both where your business is located and where most of your likely customers will be. Not looking at them doesn't mean the rules don't apply, it's just grossly—potentially criminally—negligent.

In fact, that's the case for anyone starting almost any business. You need to examine the legal and regulatory environment in which you'll be operating as the very first step of your due diligence. Anything else is negligent.

A few weeks old but saw this earlier today via Brad DeLong:

Who’d have thought that there might be an incentive for operators in a totally unregulated market to take people’s assets and run? Or that self-regulation would be so lacking in a market that purposefully concocts information asymmetries that benefit money creators/the tech-savvy…. or that the Bitcoin system was only recreating and replicating all the bad incentives we know and love in our current system, which are now being curbed by intensified post-crisis regulation?

Irony of irony, Bitcoin Magazine concludes that since it is unfortunately the case that many bitcoin businesses must use escrow accounts to hold people’s bitcoin, the only solution to the problem is moving towards a quint-party agreement to manage unauthorised liability creation in the system...

But you mustn’t confuse this with some sort of recommendation to forge a Federal Bitcoin Reserve system. It’s a “Five Parties Model” system. Entirely different...

All in all, it would be NOTHING like the Federal Reserve System we have already arrived at thanks to decades of collective trial and error, and acquired wisdom from the countless bank collapses and system crises that have come before us.

Except, of course it would be exactly like the Fed. And where it wasn’t yet exactly like the Fed, it would soon be, because exactly the same human processes, incentives and behaviours would govern its evolution and development.

Proving the point yet again that there is nothing new under the sun, and that bitcoin is more of a replication of the old unregulated past, under a new technological order, which society collectively refined and regulated until it created the system-stabilising framework we know today, than a golden era of finance no-one had yet been smart enough to discover beforehand.


A: We've created a decentralized accounting system and currency that obviates the need for most of the standard accounting controls and fraud prevention measures, so long as you operate within that currency!

B: Oh yeah? Well look at all the shenanigans that happen at the re-entry points to the conventional financial system! Checkmate, hard-moneyists.

> A: We've created a decentralized accounting system and currency that obviates the need for most of the standard accounting controls and fraud prevention measures, so long as you operate within that currency!

I hear this a lot, but I think it's really only true with a massive asterix next to it. Can you explain how bitcoin will work, for instance, in a retail model? It seems like the transactions take a long (relatively) time to verify, which leaves two options:

1. The customer waits (not really a possibility - maybe for bar tabs it's sort of ok?)

2. The vendor purchases some level of security or risk management that allows transactions to occur instantly with a minimum amount of doublespend. And there's your transaction fee. Maybe it will be less than the credit card fee?

Am I wrong? I haven't been able to have anyone explain this to me.

It's been covered lots of times, but essentially, for all transactions whose value is an order of magnitude less than the current block reward, it is considered safe to complete the physical transaction as soon as the Bitcoin transaction arrives at the retailer's system through the Bitcoin network. This usually takes 5-15 seconds, so about the same amount of time as most credit card approvals take now.

This is considered safe because even though there are various tricks you can pull with no confirmations, the hashpower needed to do any of them is so great that you would make far more money turning that hashpower towards legitimate mining than by scamming retailers.

With Bitcoin value, block rewards, and hashrates as they are now, this means that anything less expensive then a car or a boat is okay to complete immediately. Waiting up to an hour for a couple of confirmations for a purchase of $10k or higher doesn't sound like too big of a deal.

Why does the order of magnitude/size of transaction matter in terms of knowing if a transaction is safe? Do larger transactions take more time to verify?

Thanks for answering, appreciate it - stuff like this is surprisingly difficult to google for.

All transactions take basically the same time to verify. The trick is more in the motivations of any potential attackers.

The heart of the Bitcoin system is the block confirmation system. Once a transaction has been accepted into a block and that block becomes part of the official blockchain, it becomes essentially impossible to perform any kind of scam or attack on that transaction, such as spending those coins somewhere else. Only one spend of a particular quantity of bitcoins can be in the blockchain at once, so any attempt to spend them again will be rejected.

The trouble is that this is relatively slow. Getting one confirmation on a transaction takes probably like 5 minutes on average, and could vary depending essentially on the luck of the mining network at that moment. Using 6 confirmation is the official recommendation, and this may be expected to take about 1hr.

It isn't necessary to use the official recommendation, though. It's always hard to attack the system, and the 6 confirmation point is where it becomes essentially impossible for even major governments to attack the system, but such strong security is not necessary on all transactions. So the question becomes, how hard do we need to make it for a particular transaction?

To guess at that, we have to look at attacks. I mentioned earlier completing the physical transaction after the initial arrival of a Bitcoin transaction through the P2P Bitcoin network, before any blocks confirming it come in. To do a double-spend in that scenario, you would put 2 transactions spending the same coins on the network, and arrange for one to hit the vendor's system, while the other went out to the rest of the network and would be included in the next block. That's tough to arrange though - who knows what nodes the vendor is connected to, and it's impossible to know which miner will produce the next block. To have a solid chance at pulling this attack off, you would have to run a very powerful miner yourself, solve a block with a transaction spending some of your coins before another miner solved a block, then hold back that block, and perform your transaction at the target vendor between when you solved that block that you are holding and when another miner does.

That's a window of a could of minutes, maybe, and it could take days or weeks or longer for your miner to solve a block that puts you in the position to do this. The timing is very tough to pull off at a physical store, then. And to do all of this, you have to be running your own independent miner, which is powerful enough to have a reasonable chance at solving a block in the next couple of weeks. But just running that miner as a normal miner means you're likely to get the mined block reward, currently 25 bitcoins, currently worth $12,500, just for solving that block. Why pull the funny business with transactions for, say, a $10 sandwich when you just made over 1000 times that money by doing nothing?

So because of this, completing physical transactions after only a receipt of the Bitcoin transaction is a risk, but given the high difficulty and low reward to the attacker, and low loss amount to the business, it seems like a very acceptable risk to make the purchase process more convenient to the normal customers.

Thanks, that was a really clear and helpful explanation!

Thanks! I've made enough posts like this that I was thinking of writing up some 'bitcoin nuts and bolts for coders' blog posts.

Perhaps you are not aware that actually settling credit card payments, i.e. the time it takes for the money to actually end up in the merchant's bank account may take several days, even weeks.

As for bitcoin, to my knowledge this is pretty much analoguous to "transaction confirmation", which typically happens in 10 minutes. So it's actually much much faster than credit card payments.

You just hand-waved away the fact that the trust necessary for an independent retailer to accept an "untrusted" credit-card has been aggregated in Visa and MasterCard and codified through tort law and agreements with the aforementioned credit-card companies.

What are you going to do, provide a detailed transaction history to the retailer proving that "your bitcoin transactions always are legit?" Kind of removes the last of the "anonymity" afforded by Bitcoin.

It's normally a matter of seconds until other clients can see a bitcoin transaction that you've posted for the network. The only way that will end up not being legit is if you've double-spent the funds - that won't happen if you're a legit user using a regular client, and for the most part even for a nefarious user it would require significant computing resources (e.g. you've already mined a block spending those coins but won't release it until you walk out of the store).

So the idea is that if you're a regular retail store, accepting unconfirmed transactions is fine. Unless a big exploit becomes known, any fraud you might happen to see certianly won't any higher than the credit card chargebacks you're getting now. If you're selling your house, you probably want to wait for a few block confirmations.

Not to mention there are other crypto-currencies with significantly faster block clearing times, and cryptocoin to cryptocoin exchanges are significantly easier to run than bitcoin to fiat exchanges.

So it really seems like all of this is only a minor inconvenience for bitcoin if anything. And there's certainly no reason to ever have to trust someone because "they've been legit in the past", that's an approximation of trust that previous systems have had to rely on but exactly what bitcoin avoids.

You outlined a couple of scenarios where a transaction can be fraudulent, which is more than the 0 acceptable to a small business where margins are razor-thin already.

You really expect every mom and pop store to accept Bitcoins when they have to be as technically literate as the posters of HN?

>You outlined a couple of scenarios where a transaction can be fraudulent, which is more than the 0 acceptable to a small business where margins are razor-thin already

What? You really think a small business has zero credit card fraud? You're wrong. Not to mention when you get hit with a chargeback, you get charged a fee that is usually higher than the amount stolen from you to begin with.

The credit card companies push fraud liability down to the merchant in the current system.

Bitcoin probably is less susceptible to PoS fraud than credit cards are, from a merchant standpoint. Consumer of course is a different story.

> which is more than the 0 acceptable to a small business where margins are razor-thin already.

I see you've never run a small business that accepts credit cards before. They are far more than 0 risk.

I am well aware of the risks, and it was some hyperbole. Why would a small business adopt a new revenue stream that is riskier than credit cards?

It's not riskier first off, it's less risky, by far. Bitcoin is cash, it can't be charged back and it doesn't incur the fees cards do. To say it's riskier shows you don't know what you're talking about.

Secondly, why would a business turn down any means by which a customer wants to pay? Have you ever run a business? Do you typically turn down cash payments? Bitcoin is cash.

that won't happen if you're a legit user using a regular client, and for the most part even for a nefarious user it would require significant computing resources (e.g. you've already mined a block spending those coins but won't release it until you walk out of the store).

Just in case he's not making it clear from the description of what actually doing that would involve, mining a block is a big deal. You're talking about winning the lottery in competition with 35 million other gigahash/sec worth of mining power. If the worst you want to do with that block is defraud a mom and pop store that accepts bitcoin you're positing a scenario something on the order of a multimillion dollar operation in order to undertake such an attempt. If you're going to do that, you're not going to try to defraud the corner store for a snickers bar.

Also, if that's genuinely not enough;

Not to mention there are other crypto-currencies with significantly faster block clearing times, and cryptocoin to cryptocoin exchanges are significantly easier to run than bitcoin to fiat exchanges.

Plenty of 60 second block confirm altcoin chains out there, no reason to use bitcoin if you absolutely insist on some way to address the double spend "problem".

So having a miner in your pocket is certainly one way to execute a double spend. That's a Finney attack.[0]

The other and less costly way is all about node connectivity.[1] If you are going to execute a double spend all you 'need' to do is broadcast two txs spending the same output at the same time--one going to the merchant the other spending it back to yourself--and cross your fingers and hope the double spend gets put in a block. Now, you can increase the probability (e.g. shielding the merchant's node from your double spend) of success but it's not a sure bet. And the higher the node connectivity of the network (i.e. how many nodes are each node connected to) the harder this attack becomes.

There has been some work in this area, especially in pursuit of the efficacy of double spend attacks in light of some minor changes to the protocol which (I think) were rolled into core with the most release 0.9.0.[2] It's about .09% probability of success.




>settling credit card payments ... may take several days, even weeks.

But there is a trusted 3rd party (the issuing bank) that gives an instant reply as to whether the purchaser's account has enough funds (or credit) to make the purchase, and assumes much of the risk if they are wrong and the purchaser is uncollectible.

Maybe they don't need to take 2-5% of each transaction to provide this service, but it does seem like a pure, anonymous bitcoin transaction can not provide this service to a retailer.

There is no need for this service with Bitcoin - the balance controlled by every address in the network is known to everyone.

I was referring to the fact that credit card companies prevent (or at least take responsibility for) double-spending.

> "...which typically happens in 10 minutes..."

Which is too long when waiting at a counter in a retail scenario. Imagine if every customer had to wait around for 10 minutes to verify the transaction, it would be chaos in a busy retail situation (even 1 minute is way too long), which is the point being raised by the GP comment.

The merchant might have to wait weeks to actually receive payment from a credit card company, but at least they know they will eventually get paid, as Visa or whoever is a trusted entity. Bitcoin is 'trustless', so if the customer can leave as soon as they like, the merchant might confirm the transaction in 10 minutes, or they might not get paid at all.

Try buying something with bitcoin. The first confirmation is all that is needed and it happens in a matter of seconds. It won't be fully confirmed for ~10 minutes but that is fine for the vast majority of cases.

the wont get paid by Visa if there is a chargeback, indeed they will owe some percentage extra as a processing fee.

What makes you think it's only exchange providers that are incompetent and/or crooked? Exchange providers tend to hold the largest balances, that makes them targets, but anyone else with a big sack of bitcoins and security by "my cousin knows Linux" is vulnerable too.

The analogy I give people is you lock the doors of your house, but it isn't really secure. Anyone can kick down the door or break a window, very easily and very quickly. Your real security for your house comes from the environment which makes it difficult for people to run around ransacking neighborhoods, e.g. your local police force.

With bitcoin, you actually have to use real security to secure your possessions. There is no local police force preventing a break in or a credit card company which will absorb fraudulent charges, or a bank that will flag and freeze questionable withdraws. In a crypto currency world, the wealth will have a tendency to flow not to the most business savy or politically connected but to the most secure (in some dimensions we see that the same thing happens with global wealth, both in terms of countries and currencies.)

The flip side of that is, stolen bitcoins may fall under a legal classification of stolen property and be retrievable through legal systems -- or at the least blacklisted and non spendable through sources that fall under those jurisdictions. That outcome, I think, is the most important thing to watch, above any other hypothetical bitcoin regulation or banning. If I was an active bitcoin startup I would build a system to identify and classify bitcoins as safe, stolen, unknown, or questionable.

Think of the current implementation of bitcoin as crypto currency alpha build 2 or 3. It is slightly amusing that people would risk so much of their own capital to participate in an alpha test, but also necessary in order to truly stress test the system.

A's premise is faulty. The accounting/fraud measures are not obviated. You have slow cash with a transaction log, that's it.

shenanigans that happen at the re-entry points to the conventional financial system

Those shenanigans aren't exclusive to exchanges. Exchanges are currently the epicenter of shenanigans because they're just high volume and operate on bitcoin as if it wasn't just a different asset in the conventional financial system.

People that are neither true believers nor in a specifically bitcoin focused business operate as normal. Bitcoin is just internet fun bucks that have to be liquidated. So the Bitcoin transactions get treated the same as any other transaction, as a result they carry the benefits of the processes created around conventional transactions.

Tell me again how either of these arguments help the folks who lost their money to MtGox's sloppiness? How is the MtGox debacle (or the other recent BitCoin exchange failures) an example of the lack of need for "standard accounting controls" or "fraud prevention measures"? They are the opposite.

The e-mail I just sent to the author of that post:

"Ms. Kaminska,

In your recent post (http://ftalphaville.ft.com/2014/03/03/1787992/magic-the-unde...), which I found via Brad DeLong’s web site, you described Bitcoin as "totally unregulated" and "completely unregulated" a number of times. Such characterizations are completely erroneous, and you should probably correct your post.

Unfortunately, many people are under the impression that Bitcoin is unregulated because its various proponents (such as Marc Andreessen, the Bitcoin Foundation, etc.) have done an excellent job convincing the world that it’s so new and supposedly novel that no regulations could possibly apply. That’s not even close to true. In the United States, numerous Bank Secrecy Act statutes, 18 U.S.C. § 1960, and a state money transmission framework involving 47 different state laws all apply. The problem is that the state laws are hugely problematic, the regulators are bumbling fools, the entrepreneurs and their venture capitalist backers are exceptionally cunning in their efforts to evade regulatory scrutiny, while the press utterly refuses to write about what is actually going on. My company is the plaintiff in two federal lawsuits over the issue, one of which has set the record for the most-delayed, non-stayed motion to dismiss in California federal judicial history (764 days and counting):



If you’re interested in the issues, I would suggest that you read my recent comment letter to the Consumer Financial Protection Bureau, which can be found here:


You may also find this article on my personal web site about Mt. Gox specifically and the role of Iowa’s state regulators of interest:


Feel free to let me know if you have any questions.


While you may take issue with coinbase, or MtGox, can you accept that a cryptographic proof-of-work solution to the byzantine general's problem, that implements a general consensus ledger of forth-like script applications, is not a "currency" per se, but a mechanism in which currencies can be implemented upon?

I.E. Regulate the companies that are engaging in currency like transactions on top of the bitcoin ledger, but don't be too quick to attempt to regulate bitcoin itself.

can you accept that a cryptographic proof-of-work solution to the byzantine general's problem, that implements a general consensus ledger of forth-like script applications, is not a "currency" per se, but a mechanism in which currencies can be implemented upon?


As far as regulation goes what does one have to do with the other? I would answer yes to your question and also answer yes if someone asked if I could accept that a printing press that could be used to print currency should not be regulated as a currency. However as soon as you use the currency making tools to make currency then that currency should be regulated as a currency.

You're correct; "a cryptographic proof-of-work solution to the byzantine general's problem, that implements a general consensus ledger of forth-like script applications" becomes of legal interest when people start founding legal contracts upon the basis of "as consideration for X, party Y will ensure that a specifically crafted entry is created in this particular general consensus ledger of forth-like script applications based upon cryptographic proofs-of-work". Contracts are always going to be regulated.

no one wants your regulation. people took a risk with their money and they lost. they were affected, i wasnt. good for me, time to move on. no need to waste everyone's time and tax dollars coming up with regulations, etc.

please don't rebut with a public good argument.

>please don't rebut with a public good argument.

Since you anticipate one, why not preemptively respond to the best examples of one that you can think of rather than begging internet strangers to be nice to you?

You can, provided you can convince the judge.


Aaron you come across so angry and prickly that even people that may agree with you do so begrudgingly. In this case you're simply wrong to not even agree and cannot expound beyond a simple "No", like a 2 year old that doesn't want to share their drink box. The fact is he's right, there's nothing about bitcoin and the technology itself that should fall under scrutiny until it's used in monetary transactions. It's almost as if you didn't even read that questions because your answer is just flat wrong. I respect what you've done to disseminate the information regarding the complete failure of government to clarify and enforce laws around finance but you may want to reconsider your tone because it's not going to help you to further that cause.

So first of all, you have to keep in mind that I'm in the middle of litigation related to these issues. I am careful about what I say.

Second of all, the question posed here was both presumptuous and awfully vague. I'm not about to go on the record in response to that kind of question other than to reject it. I'm sorry if that makes me come off as prickly--I have to put other considerations ahead of public perception.

He's a legal troll a parasite on innovation not to different from patent trolls, don't entertain him.

You have it backwards.

>because your answer is just flat wrong

His answer to "Can we agree?" is wrong?

I have to agree with kovacs. Simply saying "No" does not count as a reasonable answer to a reasonable question (and I agree in the fact that it sounds petulant).

If you disagree with the points put forth disemminate them and offer a rebuttal. Do you think that the presented cryptographic solution is one that is equivalent to money? if so why? I'm sure if I wanted to argue so I could think of some parallels or arguments to illustrate the point (possibly using the example of the current credit or financial systems, though I think I would personally disagree with those arguments). If not and you take exception to some other point raised state what that is.

Your response as it is provides 1 bit of information and that is only as to your opinion on a matter and is thus semantically useless.

Is this a good synopsis of your lawsuits?


How does the suit relate to your experience with FaceCash?

Regulation enables this kind of thing systemically. Let this happen a few times without regulation and the market will demand trustworthy solutions, not some politician waving a magic wand and declaring something safe. As we've seen recently that system doesn't work too well.

Everyone who lost money in this knew the risks. Nobody is calling for accountability beyond the guy that actually is accountable. How refreshing is that? How refreshing is it to actually have a name of the person who fucked up, instead of a stream of pseudonymous apologetic soundbites from banks/regulators/politicians?

Not to mention the fact this whole problem is completely self contained. There is no talk of rescuing MtGox with tax money, or the need for a "national debate" on how to run this shit in the future. If you didn't run MtGox or have money in MtGox or don't outright choose to be involve yourself in some other way then you can go to bed at night and sleep well knowing it is absolutely not your problem.

This, friends, is one example of the many long forgotten benefits of private trade.

There's no talk of rescuing MtGox with tax money because the size of MtGox is small enough that the losses are pocket change in the great scale of things. There's no risk of a new global recession over MtGox.

I think you'd find the debate would have been entirely different if the scale of it wasn't such that most people, if asked, would go "MtGox? What's that?"

>This is why there is regulation of the finance sector

This is why there are bailouts of the finance sector. A bank loses this kind of money, they get it back for free.

Except that taken as a whole, the bailout money was already been paid back in full, with interest over 2 years ago.

But that doesn't stop this old sore being rolled out regularly. Who need the truth when you've got Truthiness on your side, eh?


sympathy for the devil.

as already stated, the economic impacts were larger than the money owed, and the abstract impacts are untold and likely substantial.

the 'too big to fail' paradigm was novel, and a clear abuse of their position. Most of us are upset at the fact that corporations literally held the idea of 'global financial well-being' hostage.

"Save us, if not only to save yourselves." is not anything that any corporation should ever or ever be able to say, especially to the government of an entire nation.

The banks may have paid back the cash they borrowed, but the negative impact of their behavior and the 2008 crisis is still being felt (and paid for) around the world.

>Except that taken as a whole, the bailout money was already been paid back in full, with interest over 2 years ago.

This sounds very truthy, but there was no market rate on the interest on loans to insolvent banks that was less than infinity%. The reason the government loaned them money was because they were completely uncreditworthy, and at those rates, they could have (and did) just invest the money in treasuries and take the favorable difference in the interest rate as a gift.

Simultaneously, we started a massive program of buying all of their shit debt at par.

Paying it back is great and all, but it shouldn't have had to be done in the first place.

It shouldn't have. But the pain the economy would have felt would have been 10X worse.

Banks supply capital to firms, the government bailed them out (and the automakers) because no one else was willing to supply capital to get the economy rolling.

Sure. When are the automakers going to pay back their bailouts?

> Of the $466 billion distributed, about $245.2 billion have gone to banks, both national and local

Where did he other half go? Not mentioned in the article. Also, that investment was paid back in grossly inflated dollars, thanks to QE.

Inflation has been super low the last five years. Can you back up your claim of gross inflation? Almost all economists would disagree with you.

What do the bailouts have to do with the regulation of banks?

In the US, banks are regulated by the Federal Reserve. They have the authority to close and liquidate a bank. They have no authority to bailout a bank. That authority is the responsibility of Congress.

I'm pretty sure it's the same in other countries with a regulated banking sector. The UK parliament decided to bailout their banks, the German senate chose not to.

In the US, banks are regulated by the Federal Reserve.

That's way too simple a statement for the US banking system. Banks in the US are regulated by the Federal Reserve, by the Federal Deposit Insurance Corporation, by the Office of Foreign Assets Control and a few others.

"Banks" is a catchall for a place to deposit or get money. Not all banks are under the regulations of FDIC, like GS, but all banks are under the regulations of the Reserve.

Only commercial banks are under the regulatory authority of the Fed. Until they converted to a bank holding company, Goldmann Sachs was not regulated by the Fed. As an "ivesemt bank" (which is not actually a bank at all), they were regulated by a mishmash of other authorities including the SEC and FTC. That was a major contributing factor to the financial crisis in the first place, and the reason Dodd-Frank expanded the authority of the Fed and FDIC to cover "systemically important financial institutions"--even if they are not banks.

I'm not sure you mean otherwise, but part of the bailout process in 2008 was to allow Goldman Sachs and Merrill Lynch (now part of Bank of America) to become bank holding companies. The major reason was so they could shore up their balance sheets with cheap and safe FDIC insured accounts.

>so they could shore up their balance sheets with cheap and safe FDIC insured accounts.

FDIC insured accounts are liabilities on a bank's balance sheet.

You are right, they did it to access a lending facility that was only available to them if they switched their structure.

(I made the mistake of talking when I shouldn't have, I wasn't trying to mislead)

> They have no authority to bailout a bank.

Is the understanding of the financial crisis really this poor? Paulson literally forced the banks to take TARP. The CEO of BofA and other banks that didn't need it spent a lot of time in the media complaining about it.

He also forced the retail banks to merge with and absorb the losses of the investment banks.

He wasn't able to do this because of direct permission, but because the Fed has so much power that everybody just has to listen to what they say.

>Is the understanding of the financial crisis really this poor?

Yes. One of the great tricks of this disaster (as in most financial crises) is that the powers that be were able to convince to public that there was some single enemy that caused this problem, in this case the "banks", completely ignoring the banks' customers and clients (businesses small and large, mortgage brokers, house-flippers, home-buyers, honest investors, fraudsters, sovereign nations) or the fact that the banks consists of hundreds of thousands of actors working and thinking independently.

This crisis was so much more complicated than "The banks were too greedy". But that's as deep as most people care to get.

Paulson was Secretary of the Treasury; the bailout was a government program, not Federal Reserve.

That said, the quantitative easing programs are basically bailouts, just not as overt as opening up the public treasury.

It was Paulson who lead it, but Bernanke and Blair were right there next to him during the TARP ultimatum meeting. The implicit threat was that if they turned it down, the regulators would force it upon them.

The meeting minutes came out in an FOIA request and lawsuit[0]:

> Ben, Sheila, John, Tim and I have asked you here ..

> If a capital fusion is not appealing, you should be aware that your regulator will require it in any circumstance.

[0] http://www.judicialwatch.org/press-room/press-releases/judic...

In the US, banks are regulated by the Federal Reserve

I hope you know that the FED is not a independent institution, but owned by the banks themselves?

Just because the regulation and political system failed doesn't mean they must fail. Iceland did pretty well for itself in the aftermath, even having let the bad behavior slip past them. And Canada apparently never let the bad behavior begin in the first place.

Another thing to keep in mind, the people who got the bailouts are a subset of the people who claim unfettered capitalism will cure all ills.

Just because MtGox failed doesn't mean unregulated Bitcoin businesses must fail. Iceland is a pretty poor posterboy for your point: their banks failed even more spectacularly than other countries', their cleanup effort was just much more ruthless. Essentially your argument in favour of regulation is that we now sort-of know how to clean up after it fails spectacularly.

Indeed, other exchanges and other Bitcoin businesses don't appear to suffer from the gross incompetence that brought down MtGox.

> Another thing to keep in mind, the people who got the bailouts are a subset of the people who claim unfettered capitalism will cure all ills.

Is that so? In that case they are paying the same kind of lip service to that point as a kleptocratic dictator on his private jet is to socialism.

>Iceland did pretty well for itself in the aftermath, even having let the bad behavior slip past them. And Canada apparently never let the bad behavior begin in the first place.

Iceland did it by stiffing creditors. That's a short-run gain, long-term pain solution.

With regards to Canada, there are specific laws that have inhibited a housing crisis, but we don't know if we have avoided anything yet. Our housing in major centres is as frothy as the peaks of almost anywhere else in the world who suffered a bust. It's too early to say.

Sure, in America. Just because you guys are bad at regulating banks doesn't mean it's impossible.

The now-defunct FSA in the UK was pretty bad at regulating our banks too, mind.

> A bank loses this kind of money, they get it back for free.

Customers lose that kind of money, they get it back for free. Socialising losses is an annoyingly common theme in ‘capitalist’ countries; unfortunately, it is politically infeasible not to bail out failed banks.

Let's not forget that in neither case is it 'free'. The public foots the bill in both cases.

Silence infidel, pro state circle jerk in progress.

>If you want to start an online financial services business, the first thing to do is start researching the legal requirements for doing business...

This is a bit naive isn't it? Imagine contacting FINCEN, or whatever other appropriate regulatory agencies at the time of MtGox's founding when Bitcoin was a novelty and worth practically nothing. Imagine trying to explain to them what a "Bitcoin" is. Imagine being thrown out of their offices "Go away kid. Grown-ups are working here." Even if you did find some reasonable solution, compliance would have probably made the proposition unprofitable. Bitcoin might never have got off the ground if your advice were followed rigorously.

OTOH, it is certainly unforgivable for Kerpales to have continued in shooting from the hip after becoming a millionaire; and after MtGox was raking in the kind of fees that would have supported hiring legal staff, building a robust trading engine, and implementing some sane practices for data protection.

> This is a bit naive isn't it? Imagine contacting FINCEN, or whatever other appropriate regulatory agencies at the time of MtGox's founding when Bitcoin was a novelty and worth practically nothing. Imagine trying to explain to them what a "Bitcoin" is.

Much of the financial regulation that exists that would apply to MtGox has nothing to do with Bitcoin per se, it has to do with keeping customer accounts denominated in fiat currency and disbursing funds at customer direction from those accounts to accounts of other customers.

If we can build a P2P decentralized exchanges (which we will soon), all of that "regulation" (at least from the government side) won't be needed.

MF Global.

This seems like complete BS to me. I wonder how it's going to show up in the blockchain. I suspect Kerpeles has somehow shuffled a few 10,000 BTCs to a private account, considering the lack of records.

I lost over $5000 USD (in fiat) on Mt. Gox and I want my money. Seeing stories like this just raise more questions that I wish didn't have to be asked.

Check the bitcoin reddit. Everybody knows about that 200k btc for weeks. There is evidence they have about 300k more.

Remember that Reddit is frequently completely wrong with it's guesswork, only a fool would rely on that communities information when preparing for a witch hunt.

For what it's worth (which isn't necessarily very much, since I've been very wrong about bitcoin before) I've been monitoring the situation pretty closely, and the Redditors have been doing a thorough and fairly scientific job of concluding what is or isn't possible. There are some crazies in the threads of course, but they get downvoted or called out on their speculation. Since there's no concrete evidence, what rises to the top of the threads are statements like "Here's what we know. Here are possible theories as to why these facts are present." It feels very much like the opposite of a witch hunt.

The "analysis" is frequently totally incorrect, I've looked at it before and I wasn't impressed. They mostly hinge on the assumption that if 1x sends to 1y then 1y is owned by 1x, which is obviously complete nonsense. Once you get past a single hop there's usually no way of knowing if the transaction is an internal move or one to an external party. Unless there is cryptographic evidence in chains of transactions that prove ownership, nobody can really claim Gox owns anything past what they have just announced.

Someone transferring huge sums of money right before they shut down and claim the money is missing is pretty suspicious.

Perhaps but the 200k in question was last transferred in 2011 (until they found it and moved it very recently).

At least the reddit discussions I've been directed to have been very unscientific— more pseudo-scientific in that they dump a bunch of data and throw around some technical terms. Though there may be some selection bias since people are probably more likely to ask me for my opinion on the more questionable work.

Ah. Thank you for correcting me. For what it's worth, your explanations are what I had in mind when talking about the scientificness of the investigations. I probably should have said "nullc has been doing a great job of making sure people don't get carried away with unfounded speculation" and left it at that though.

Until otherwise proven, it's coincidence. Assuming just complicates things.

People "assumed" about that 200k wallet over a month ago. "Proven" is subjective and a rhetoric that has agenda on its own.

My education was in math, and in general I find being wrong helps me get to the truth a lot quicker than not moving forward until it's 100%. None of us knows the truth yet, but slowly we're knocking out things that aren't.

Honestly, same goes for HN. It's just that it has more stricter laws once you are ghost-banned you would never know why. Basically both the communities are full of bs, HN does it with suave and accepted sophistication.

This in itself is a crime. At the very least, it doesn't make them any less guilty, and moving around indescriminate amount of bitcoins where we do not know from whence they came to plug a huge financial hole in an insolvent company would raise a thousand eyebrows from those paying attention.

Total novice. Clearly didn't talk to his lawyer first.

A question: given the financial risk, why did you trust Mt. Gox with your private keys?

I began trading on Mt. Gox in mid 2011. Having most of my coins on there meant that I could make trades immediately based on market trends. I wasn't aware of all the negative reviews of Mt. Gox, because most of my "bitcoin experience" was visiting mtgox.com every few weeks. As soon as something clearly nefarious was going on, I was lucky enough to get 1.3 BTC out of my account in January. The remaining value of my account was $5000+ USD. I had sent in a photocopy of my passport last November, which they "processed" in February (already aware of the insolvency). This really pissed me off because I was finally "approved" to withdraw USD from my account but I didn't have the ability to do so on the website.

> $5000 USD (in fiat)

Did we expect more?

there's one hell of a difference between a large financial organisation or an exchange and some half arsed startup who hacked up a web site in PHP that just happens to handle something that represents a currency. The former at least probably has a QA team, knows industry regulations and best practices and designs their architecture properly. Oh and they have cumulative experience and a designated location you can visit with burning torches and pitchforks when they steal your money. I'm ignoring regulation as I've worked in the compliance industry and it's entirely about working around it.

Not joking and I'm sure that this is going to stand on a few toes but some of the stuff I've seen on HN is verging on criminal. So many immature poorly thought out and damn right dangerous products being thrown out. Lots of people are sitting on ticking bombs like this.

Large financial organisations can be surprisingly criminal and incompetent when it comes to IT - you don't have to look far. Knight Capital, NatWest, HSBC... just a few names that pop into my head. The big guys spend large amounts of time and money convincing regulators and the public that they're clean and clever. It's public confidence that counts.

Sure, but the regulations worked. NatWest and HSBC were brought to book.

Nobody is saying that traditional financial institutions are perfect, but at least they are regulated and at least there are checks and balances in place. By and large the examples people roll out of these institutions behaving badly are examples of the regulators and legal frameworks working the way they are supposed to.

Knight capital were in a risky business and they blew it. It happens. But they're the exception, not the rule. In the wonderful world of Bitcoin, the goings on at MtGox looks like the rule, not the exception.

"But they're the exception, not the rule."

Excuse me, you must have forgotten about a certain global financial meltdown in 2008?

They're pretty fine to be honest. They have mitigation and FCA oversight which means you're not in the shit as a customer (usually).

Knight capital was a cock up in a high risk trading env. They paid for that.

HSBC was money laundering which is basically the entire purpose of a bank.

NatWest was a process cock up.

However no money went "oops we lost it" and was never seen again. At most, even with HSBC consumer withdrawal limits it's a minor inconvenience for a couple of days.

Much like mobile phone networks, people expect 100% uptime but that's unrealistic in practice. Always keep £200 rolled up in your mattress.

HSBC was money laundering which is basically the entire purpose of a bank.

This is a very strong statement.

Do you mind backing it up, or is this just meant as a glib throwaway quip?

I'm not the OP, but I think I can see what he means, and I think he means it in a non-pejorative way too.

One of the functions of banks is indeed to hide the source and destination of your money. My grocer doesn't get to know who employs me; my employer doesn't see where I spend my money.

Yes, you can achieve that with cash, without directly involving a bank. But the money is still issued by a bank.

I'm not saying that it's impossible to achieve this level of information hiding without banks, but I can see where the GP is coming from in his argument.

I suppose that was a throwaway quip directed at HSBC who seems to have managed to get away with laundering on a large scale with some slapped wrists.

And yet you still see banking security that insists on alphanumeric password only and no 2FA.

Seriously, that's screwed up. That being said, banks have insurance and all that jazz. So even though the state of security is not that great, it seems that you are less likely to get screwed incase of a screwup.

Not seen that in Europe for a long time. In fact all four UK bank accounts I have use two-factor auth.

My UK bank account (Bank of Scotland) does not have two-factor auth, and there's no stated plans to implement it, as far as I can tell.

My RBS and Natwest accounts both have CAP devices:


Edit: apparently I don't need them any more.

HSBC does still require it though.

They used to offer 2 factor authentication to some personal account holders but they have removed that and it only appears to be available for business accounts:


That's news to me - not that I've logged into my accounts for a few months! :)

Million dollars? I think you're missing two zeros.

I love it when I find $120MM under the couch. It really makes my day.

I found 5 bucks in my car yesterday.

Think about how much scalability they got from being "eventually consistent". It's only a matter of time before the other half-billion dollars shows up!

It really highlights the current state of Bitcoin. The promise is having an all-digital method of transferring value peer to peer, without the need for banks, or other central authorities.

The reality however, is that it's just not all that easy to cut out the middleman. People follow the path of least resistance, and educating yourself on cold storage and paper wallets and the like just isn't that easy compared to simply trusting a third party to do it all for you. Unfortunately, in doing so you give up all the benefits of bitcoin, AND all the benefits of traditional banking with it's oversight and FDIC coverage, etc. Literally the worst of both worlds.

Another explanation is that such carelessness was a form of willful blindness. If Gox had cratered (relatively) silently then perhaps the coins would not have been 'found' until much of the fracas passed. But because legal process has been invoked (bankruptcy, IL class action) the penalties for not doing a clean-up now go beyond negligence and could result in contempt or a loss of liberty. So there's additional incentive to look harder at this stage.

my faith in someone else handling my wallet has diminished considerably.

That's probably not a bad thing. What gave you faith to begin with?

"Hey! That's not the wallet inspector!"


Why on earth would you have faith in handing out your cryptocurrencies' private key?

Is this just a symptom of the wrong-headed thinking around cloud SaaS, where data and continuity are considered to be of such low value that they can be entrusted to any number of external parties?

Because people have faith in handing out their money, which is much the same thing. The concept of a bank or exchange literally running away with your money is not a thing which happens to most people.

Except deposits are insured up to a cap that most people never exceed. MtGox offered nothing remotely comparable.

Long established / regulated vs didn't exist a year ago / wild west.

Although it's taken Mt. Gox two weeks to report this, amazingly, it was public knowledge as soon as it happened on March 7/8, because the movement of over $100,000,000 was instantly visible on the public Blockchain. Reddit noticed it immediately: http://redd.it/1zshct

Most of it was in this transaction of 180,000 bitcoins -


From that evidence alone, it wasn't clear who had control of the money. Mt. Gox, or a hacker, but the Mt.Gox API was still up, and the API confirmed that this was a Mt.Gox-controlled transaction. Reddit saw that, too: http://redd.it/1zswul

Many people are expressing surprise by the events that have unfolded here with Mark Karpeles and Mt. Gox, but I'm not surprised in the least.

I've known several web developer "enthusiasts" over the years who know just enough PHP (usually it's PHP, but this applies to other technologies as well) to build things that mostly work and feel confident that they can solve anything with "a little PHP." Working mostly alone, these people prefer to spend their time building constantly, and little time learning or keeping up with current best practices (or in this case, cryptography).

There are a large number of companies (many of them doing very well) built by people like this, and even when they bring on other developers, no one has the courage to tell the original developer (who is often CEO) that their code sucks and needs to be scrapped completely. They keep throwing more crap onto the pile because the machine "works" and customers are demanding new features. The original (incompetent) developer feels a sense of pride for his or her work, and nothing short of total failure (in this case, spectacular failure) will convince them that their work is anything less than genius.

It's unfortunate that some companies thrive in situations like this (it sets them up for failure), but it happens all the time.

I don't know Mark personally, but from everything I've read from him over the years, he seems to fit the description above. It doesn't necessarily mean he's a terrible person or a thief (he could be that as well, but I have no knowledge to prove one way or the other). It just means he got in over his head, and kept the site running on deeply flawed assumptions and implementations (e.g., no standard accounting, little understanding of security, etc). It's a shame that people kept coming back to Mt. Gox and entrusted the site with their money, even after those behind Mt. Gox proved themselves to be incompetent over and over again.

Is it sad? Yes. Is it surprising? The only surprising thing is how people kept going back.

As for the missing and suddenly reappearing coins, I honestly think they just had absolutely no idea where everything was. I've heard people describe Mt. Gox's infrastructure as a hodgepodge of random scripts and servers duct-taped together, and it's easy to imagine a dozen hard drives filled with an unorganized mess of Bitcoin wallets, private keys, database dumps, etc. I believe they're honestly trying to pick up the pieces, but the pieces are scattered everywhere.

> I've known several web developer "enthusiasts" over the years who know just enough PHP (usually it's PHP, but this applies to other technologies as well) to build things that mostly work and feel confident that they can solve anything with "a little PHP."

Not trying to start another language debate, but this point I think epitomizes the sort of hate PHP gets from a lot of developers. Regardless of any pros of the language/tool and how much better it might have gotten over the years PHP as a language and ecosystem seems to encourage this mentality. Another, more recent example, seems be NodeJS. You can write beautiful, rigorous, well tested and thought out code in PHP or Javascript, but that hardly seems to be what most people are doing or even what those communities, in general, encourage.

I agree. I've seen some beautiful PHP over the years, but much of it... isn't so beautiful. The culprit as you say isn't so much the current state of the language, but the legacy left as the language has evolved and the community that emerges as a result of the language's features/attractive qualities.

PHP is popular, readily available, and has a very low barrier to entry. It's the first language I picked up, primarily because it was the "gateway drug" of programming (for me). I had little intention to learn programming, but began making some basic HTML web pages in the mid 90's for fun. Other languages looked like greek and didn't interest me at all, but when I first saw a few snippets of PHP, I felt empowered because it felt more like an "HTML tag" that could perform logic rather than being a "full" intimidating language; I was naive, but that's how it felt. At the time, I didn't even completely understand the fact that PHP was executed on the server-side, while JavaScript (in my web page) was executed client-side.

Ironically, from what I understand, PHP was originally intended to be little more than a template language. OOP and other features were added later to allow PHP to function more like a "proper" programming language. Unfortunately, it still carries some oddities from the early days (procedural and OOP ways to do many things, the default use of PHP opening/closing tags even in scripts where HTML/markup may not be applicable, etc.).

I'm happy that PHP got me interested in programming, and I think it still captures the interest of otherwise non-programmers today. It still empowers people to do amazing things without forcing all of the complexities (or best practices) of other languages. I don't fault PHP for the situations described above (incompetent people getting in over their heads and turning a blind eye to best practices), but many of the features that make PHP accessible to these kinds of people (including myself years ago) don't exactly help encourage or enforce best practices. The same could be said for NodeJS and others as you say.

The current incarnations of PHP, NodeJS, and others certainly allow for more disciplined and well-designed code, but the culture/community behind a language is shaped by much more than just the current state-of-the-art.

Why pick on PHP and Node? This can be said for X, Y, and Z programming languages.

PHP and Node are unusually easy to get started in. I think this is where many of the issues originate.

Unfortunately, PHP has replaced VB6 in this way (not in other ways though!).

We're definitely in that position, except we know our stuff is shit and we're rebuilding it and hiring furiously to rebuild it. 99% percent of life is knowing the difference isn't it?

Maybe the biggest tragedy of Mt. Gox is that even after doing well and earning loads of revenue, they still didn't recognize (or hire someone who would help them recognize) their own weaknesses.

This story should be a wake-up call for any entrepreneur/developer to never become complacent, even when things are going well.

There's a big difference between making an app that loops an MP3 (no offense - certainly well done and well marketed) and one that handles millions of financial transactions. Don't feel bad - if something goes wrong with yours, nobody loses their life savings.

I think it's fair to say at this point that if somebody placed all their life savings in Mt Gox, they themselves probably deserve at least some of the blame for their loss.

I appreciate that - I actually run a fintech startup that handles some of the most sensitive information that exists. Our security around THAT information is solid, but the front end that interacts with it is shit and that makes me nervous.

I just noticed your profile mentions Coffitivity's revenue. What's the revenue model, if you don't mind my asking?

We sold the apps for a while and made enough money to power the company for a while, making the move to freemium now. I'm actually no longer actively involved with Coffitivity, I founded knoxpayments.com and am doing that full time. Coffitivity is in some extremely capable hands though.


Which company are you involved with?

KnoxPayments.com - connecting all US bank accounts so people can make payments just by logging into their online banking. Working pretty furiously to make it way better, which forces us to stay in closed Beta and hold off on some of larger integrations that would be pushing our revenue up.

He's a founder at http://coffitivity.com

> It's unfortunate that many companies thrive despite situations like this, but it happens all the time.

Would you prefer successful company run by incompetent people or unsuccessful company run by competent people?

Neither. I prefer a successful company run by competent people since it has greater chances of survival ;)

Then it becomes a big and successful corporation that is usually loathed here. No strategy can win this game :)

It seems unlikely that Karpeles randomly stumbled across 200,000 missing bitcoins. It seems at least plausible that he attempted to steal them and is now backpedaling since people aren't buying his malleability story.

This is the first ray of hope regarding customers recovering any of their missing bitcoin though.

> It seems at least plausible that he attempted to steal them and is now backpedaling since people aren't buying his malleability story.

Or that they lost the keys to some wallets and have managed to crack one.

If that were the case, then there's no reason to frame it as if they thought there weren't any bitcoins left in unused company wallets. They could just tell the truth.

That's true, it would actually make them seem less cretinous if they said they had cracked a lost key.

I guess the fact that they have to have been so staggeringly incompetent to have 200,000 bitcoins they didn't even know about makes me feel like there must be some other explanation than the one they are offering.

Attempted theft is up there.

Karpeles said last winter that they were going to make their keys more secure by breaking them into pieces using a Shamir's secret sharing algorithm. This would allow a key to be more secure because it would take several pieces, but not all of them, to reconstitute the private key.

My assumption is that they either made a mistake with the algorithm, or they lost enough chunks of the keys that they can't reconstitute the private key. This could have been as simple as a banks safety-deposit box being inaccessible because it's seized or losing the pieces.

If they were stored digitally, it could be as simple as a media problem (Organic dyes in CDR's degrade. USB drives aren't infallible, etc).

The reason they got this wallet open is because they probably recovered the private key in some ancient backup they forgot they had from before they split the keys into pieces and deleted what they thought were the only copies of the unsecured keys.

This is just my completely unsubstantiated theory, but it seems to match the current facts.

Mark stated that the missing coins were most likely lost due to transaction malleability. I don't know why he would risk lying for no good reason.

The 'good' reason would be the 400 Million dollars...

Not saying he is or isnt lying, but we cant just throw around the 'there is no good reason for him to say xyz' in this situation...

Yes, that's what I meant: stealing them would have been a good reason to lie but covering up a form of negligence (media failure) with another form of negligence (transaction malleability), which was the theory I was trying to refute, doesn't seem especially useful (hence the "no good reason to lie").

Wouldn't someone publishing that keys can be cracked in realistic timeframes deal a blow to the currency itself?

Sure, it would have required tons of computing power, but they still would have cracked the key in several weeks' time.

Well not exactly, as I understand it you could attack the passphrase protecting the key.

If you remember any details about this passphrase then you can dramatically reduce the strength? (I'm not sure of the word to use here. Someone help me out) of said passphrase.

But yes, if someone was able to crack keys in a reasonable amount of time then bitcoin would crash overnight.

Ah okay, you're right. And yes, if you knew anything about the key you could drastically reduce the key space to search.

Was the word you were looking for "entropy"?

That would be it!

>>Or that they lost the keys to some wallets and have managed to crack one.

No cracking. They just found a wallet.dat somewhere, that's all. If they lost the keys(as in, lost the wallet.dat with the keys in it) and were able to generate a valid private key given only a public bitcoin address... bitcoin is dead, game over, pack it up.

Now instead, if we're talking about a passphrase to a wallet.dat...

> If they lost the keys(as in, lost the wallet.dat with the keys in it) and were able to generate a valid private key given only a public bitcoin address... bitcoin is dead, game over, pack it up.

This is a realistic scenario. If the private key generation was of the same quality as the rest of their code (i.e. using a weak PRNG), the reconstructing a private key may be doable.

It's not like Bitcoin wallets weren't previously cracked using this method in the case of an Android wallet misusing the crypto API (http://arstechnica.com/security/2013/08/google-confirms-crit...)

A competent entity in possession of MtGox source code may be in a good position to steal all the loot.

> If they lost the keys(as in, lost the wallet.dat with the keys in it) and were able to generate a valid private key given only a public bitcoin address... bitcoin is dead, game over, pack it up.

Yeah. This wouldn't be a fail on the MTGox league; this would be a "Satoshi Nakamoto and all the cryptographers who took a look at the code failed". Cracking a wallet is supposed to be something that requires the resources of a state-sized entity.

>Cracking a wallet is supposed to be something that requires the resources of a state-sized entity.

A galaxy-sized entity, maybe? The only known way to find a private key from a public key is brute force. That's way beyond the abilities of a state, unless they've made a massive breakthrough in quantum computing.


Obpedantry: In theory rho allows you to recover private keys with work-factor 2^128 (times some small constant depending on how much storage you wish to use), which is significantly less than the 2^256 you might expect from "brute force".

Still completely infeasible.

But first you have to obtain the public key by finding a preimage of the SHA-256-hashed address. And SHA-256 (with the full number of rounds) currently has no known preimage attacks that are even marginally better than brute force.

Not in a flawed PRNG was used. Lets not forget we talk custom wallet implementation here...

Am I missing something or does that seem really really implausible http://bitcoin.stackexchange.com/questions/2847/how-long-wou...

Yeah, you make off with $116 million, and then rather than blame it on incompetence (which by all accounts is what mt gox looks like), you start back pedalling....

That lends some more plausibility to this theory: http://chrispacia.wordpress.com/2014/02/28/this-is-what-most...

This is the most plausible theory I have heard yet.

tl;dr: Wallets were in cold storage at Japanese bank, US govt seized them while investigating Silk Road.

How could they seize a foreign exchanges assets held in a foreign bank?

Their official announcement is even more ridiculous. https://www.mtgox.com/img/pdf/20140320-btc-announce.pdf

The have more coins and there is evidence for that in the blockchain. Many people know about that for weeks. After they figured people were on to them they released this lie.

Nobody just forgets about 200,000 btc.

"Oh there's that $116 million I was looking for!". I suppose that given the level of incompetence and/or malfeasance at Mt.Gox, this shouldn't be that suprising. What is actually more surprising is that they ever became the primary BTC exchange in the first place.

I first wrote them off as a scam years ago when I read a Bitcointalk thread wherein Gox tried to explain away their aggressive "tainted" coin confiscation policy. They essentially explained that they were confiscating all coins that they deemed to be tied to theft or illegal activity at any point in the blockchain - in their sole discretion. Yet somehow, with that and many more very public red flags, they just kept growing.

MtGox: We lost all the coins! We have no idea were they are...

Random person: Have you tried looking in your wallet?

MtGox: Found it!


MtGox: We lost all the coins! What must have happened is a very complex sequence of events where people were able to take money from us without noticing. We complained to the wallet manufacturer. But it's very complex, and umm, we're sorry, and umm, bye.

Random person: Have you tried looking in your wallet?

MtGox: Found it!

I would suggest people to try to avoid the "regulation = 1% bailouts" equation.

It would be more useful to think of regulation for bitcoin actors more in the sense of required car insurance, or not being allowed to sell food with poisonous chemicals in it.

There can be a certain amount of regulation that helps avoiding incompetent or fraudolent actors even without a money-emitting FED or a socialize-losses-privatize-gains government.

Every new story about this makes Mt. Gox look worse. Now they're not even competent enough to steal them or have them stolen, they just lost a hundred million dollars?

"You know, I think you're missing the point, man. They found them again, man."

they've always looked incompetent, slightly more than people who kept their money with them before this entire thing happened.

Since they are in receivership, what will happen when the adjudicator liquidates th to pay off debts? What will happen to the exchange rate when these get dumped on the market?

It's a good question, but they would be obligated to seek the best return they can which means recognizing that they can't just sell them on the open market. It's unclear to me whether the BTC liabilities or the hard currency liabilities rank higher (my guess the hard currency) in which case maybe they can just sell to a big investor like the guy who offered to buy the FBI's coins: http://www.businessinsider.com/falcon-global-capital-offers-...

Can someone post a full version of the article? I only get the first two lines...

The easiest way to get around this is by googling the headline and clicking on the article from the google results.

It almost always works for some reason.. my best guess is that sites allows these crawled links to see the full content because doing otherwise would harm their SEO.

Not only that, people who use this tactic are helping improve the pay-walled article's page ranking, because most search engines will record that click and account it as a good search result.

So from publisher's perspective, they are getting more SEO by pay-walling!

Best I've seen so far is google translation of this site:


A leading trading site management company "bit coin (BTC = Bitcoin)" virtual currency on the Internet, the 20th, I had described the company has lost the bankruptcy in February "Mount Ngoc, Inc." The (Tokyo) Of the approximately 850,000 BTC, has announced about 200,000 BTC has left.  

According to the lawyers of the company, the 7th of this month, the company was using previously in June 2011, and found the place of examination of the storage location on the net called "Wallet" and (wallet).  

February 28, when it is filed for Civil Rehabilitation Law in Tokyo District Court, the company describes a total of about 850,000 BTC corresponding to almost all to be held has been lost.

Edit: antonius has posted the content above:


Be nice to not have paywall posts on HN... But then again, apparently most people just read the headlines. :)

Old trick, giving customers false hope: http://cryptopic.tumblr.com/post/80210959301/cryptopic-003

Just like finding a $20 in your laundry!

Mark: Honey, I was cleaning out the couch and found 117,000,000 USD!

One a serious note: How do they not have a program that monitors all wallets they control? This seems beyond ridicule.

Or even a text file with the all their public keys listed, so they could verify where their money was without giving access to move it.

I take better care of my dogecoins, and they are only worth a few hundred at best.

Yes, that would be the safest option! This level of incompetence is astounding.

All of us who look down upon Accountants take a hard look in the mirror (I am one of them who used to). Most of us are like..."meh...its just +'s and -'s with some tax component here and there, how hard can it be. I will get to it when I get to it."

Turns out all those tough exams and practices are in place to mitigate this exact scenario.

The above assuming no malicious intent on part of MtGox and the recent revelation was pure stupidity.

Actually there's no solid evidence how much help an accountant is with regards to safely using Bitcoins.

Would an accountant know enough to safely store "wallets", to monitor "blockchains". Is this in their training? No. You can have perfect accounting and still turn out you lost the wallets.

Bitcoin's problem is that there's no other asset in human history so easily misplaced, lost, or stolen. A bunch of numbers on a bunch of vulnerable computers.

Imagine telling this story to someone that time travelled from the time Magic: The Gathering first appeared in the mid-nineties.

MtGox: "Funny story ... internet ... website to trade Magic cards ... digital currency ... so that's how we found the $100,000,000 that we accidentally misplaced. Still looking for the other $300,000,000 or so -- must be around here someplace."

Apparently MtGox, despite the name, was never used for anything other than bitcoin. It was just a domain the owner had.

Sidebar: I know the motivations of people who post in every single goddamn thread that MtGox stands for "Magic the Gathering: Online eXchange" (ie, "tee-hee! giggle giggle! laugh!").

However, there is also someone in every thread who replies to this assertion to say that they never actually traded Magic cards. My question is, what is your motivation for this? I could think of three off the top of my head:

  a.  Emotional need to defend MtGox
  b.  Intellectual need to correct misinformation
  c.  Refocusing; it's an ad hominem and detracts from the real problems with MtGox

I appreciate the directness of the question. Can't speak for others, but in my case, it's (b) - I was one of the gigglers until I read one of the rebuttals you mention. Just trying to help the meme flow.

The wayback machine begs to differ: http://web.archive.org/web/20070525044536/http://mtgox.com/g... -- now, if the codebase was the same as it was when that page was hosted and today, I can't say.

That's just a holding page, not a functional site.

This story keeps getting more ridiculous. First, Gox loses a huge amount of BTC...now all of a sudden they have found some of it?

I assume this wasn't stolen and isn't already in the blockchain somehow. I do not believe that Gox was this blind to the problem in their systems. Something seems very, very fishy about this.

This might as well be a comedy sketch. Can someone explain how this is even remotely possible?

Truth is sometimes funnier than fiction.

Let me guess, they were under the couch cushions, with some Lego pieces and stale Cheetos.

This is what happens when you only have contractors in your company and no one with equity. No one cares about the business and the founder ends up with 87% equity of nothing.

Being limited to reading the first paragraph of the linked article (paywall) and the other comments here, I can't resist to point out for those Pratchett fans among us, that this feels like the stunt Moist von Lipwig pulled in "Going Postal" in order to pay for the reconstruction of the post office.

While I feel really bad for those who lost money with MtGox, there were so many signs pointing at such an outcome: Unexperienced programmer asking all the wrong questions, background in "Magic the Gathering" card trading, zero background in banking or security.

None of that sounded particularly trustworthy and look where it went.

In other shocking news it was also revealed by MtGox the first 100k BTC in the old wallet were actually the ones owned by MtGox and were thought stolen.

Sadly, I would have to pay $1 a week for 12 weeks to read the story. I think it would probably be old news by then.

WSJ stories are 100% of the time available by doing a google search for the headline.

It's ridiculous that we should have to do that.

If you've got a better way for them to keep the lights on, there are wheelbarrows of money waiting for you.

What about the Netflix/Spotify model? Pay a monthly subscription for "premium news" and then let the content providers divvy up the monies based on pageviews.

That would simply accelerate existing trends. All the money would go toward pumping out more celebrity gossip because that's what gets eyeballs. There would be no remaining incentive to engage in actual journalism.

Profit-based news is irretrievably broken.

There's nothing wrong with profit news. That is how all news generally works - journalists generally don't work for free. However they should rely on adverts like the other online news sources.

Journalists get paid, that doesn't mean the news organization that pays them must be a for-profit entity.

Barons articles too, if you're into financial news.

Hold on. They just LOST over 100 million dollars? Give me back my 5 bitcoins now!

These amounts are lost all the time in governments in conventional currency..

How were you able to trigger the double spend on mtgox anyways?

Never mind that, where do I get one of those big sofas?

I can't help laughing at all this shit. I was saying for years people shouldn't be trusting their money to Mt Gox, and constantly got mocked for it. Common sense wins again.

Current market value of about $116M. Wow.

Anyone that believes they "simply found" those coins should PM me about a bridge I have for sale.

any versions of this article that i don't have to pay for?

loginwalled article.

Great jokes, keep them coming! :-)

bitcoin advertising and promoting operation: success !

I actually envy Mark Karpeles' ability to not give a fuck throughout this whole situation.

In fact, I think it's some sort of super power.

Hyperbole and a Half has a interesting monologue on this sort of superpower:


It's called Xanax

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact