MtGox, BTC-e, and the Missing Coins: A living timeline of the greatest cyber crime ever

Liesl Eichholz, 17 Aug 2017
This time a year ago, one might have been forgiven for thinking that Bitcoin had exhausted its fair share of newsworthy scandals. But the past several months have proven that this technology, although no longer nascent, shows no signs of becoming boring any time soon.

With the recent hardfork and the creation of the first alt-bitcoin, Bitcoin Cash (BCH), the news of developments in the MtGox saga late last month was relegated to the status of mere background noise among media outlets covering the crypto space. This is understandable, given that increasingly few players in today’s crypto ecosystem have been around long enough to remember the theft, or to have been affected by it. However, for those who have been following Bitcoin since the earlier days, any progress in solving the mystery of the MtGox heist is still considered big news.

In light of recent events, namely the arrest of alleged MtGox thief Alexander Vinnik and the shutdown of BTC-e, a recap of the now-defunct MtGox exchange’s ever-developing timeline is in order.

January 2007 — With the intention of building a website where Magic: The Gathering players could trade digital cards like stocks, software developer Jed McCaleb purchased the domain (Magic The Gathering Online eXchange). The site was live for around 3 months in late 2007 before McCaleb decided it was not worth his time to continue hosting.

18 July 2010 — Upon learning about Bitcoin, McCaleb wrote an exchange website and launched it on the dormant domain name.

March 2011 — Unable to dedicate his time fully to the site, McCaleb sold MtGox to Mark Karpelès, a French software developer based in Japan.

19 June 2011 — MtGox experienced a security breach as a result of an auditor’s computer being compromised, allowing a hacker to steal a large number of bitcoins. The hacker immediately sold these coins, causing Bitcoin’s nominal price to drop to one cent on the MtGox exchange (although the price corrected within minutes). This was one of the first indications of the incompetency of MtGox’s security.

September 2011 — Unbeknownst to the exchange or its users at the time, the private keys for the MtGox hot wallet were stolen via a copied wallet.dat file. This allowed the hacker to immediately access the coins in the compromised wallets, and also to spend any bitcoins deposited into these addresses over time.

2012 and 2013 — Over several years, the hacker regularly emptied the coins from the compromised addresses into wallets controlled by an anonymous entity now alleged to be Alexander Vinnik. These withdrawals allegedly went unnoticed by the exchange, and by mid-2013, around 630,000 BTC had been siphoned out of MtGox in this manner. Additionally, a consequence of the wallet.dat file’s shared keypool was that addresses were reused, confusing the system into crediting user accounts with a total of over 40,000 BTC, most of which were quickly withdrawn by users and never recovered. MtGox’s failure to notice these withdrawals and irregularities resulted in an increasingly large discrepancy between its expected BTC holdings and its actual holdings.

Increasing discrepancy between MtGox’s expected and actual BTC holdings over time (source)

September-November 2013 — A bot, nicknamed Willy, began automatically purchasing bitcoins on the MtGox exchange at a rate of 10–20 BTC every 5–10 minutes. Noting that the related user accounts were active even during periods when the exchange was down, the Willy Report shed some light on these strange trades, suggesting that there was some internal involvement. The report also identified another bot, Markus, which operated earlier in 2013. It is highly likely that Willy, which bought over 250,000 BTC over its few months of operation, was responsible for artificially inflating the price of Bitcoin in late 2013.

An indication of Willy’s effect on the price of Bitcoin

7 February 2014 — MtGox halted all BTC withdrawals from the exchange, citing a transaction malleability bug in the core Bitcoin software. When withdrawals had still not resumed after 2 weeks, users began to suspect that MtGox may not be able to pay its customers. This lack of confidence resulted in the price dropping to below 20% of that on other exchanges.

24 February 2014 — MtGox suspended all trading, then went offline completely, returning a blank page. News outlets reported on a leaked “crisis strategy draft” plan, which declared MtGox’s insolvency after losing 744,408 BTC of customer funds (valued at over $2 billion USD at today’s prices) as well as 100,000 of its own bitcoins.

28 February 2014 — Blaming hackers and technical issues for the missing BTC, MtGox filed for bankruptcy protection in Tokyo, and in the US two weeks later, to halt legal action resulting from allegations of fraud.

20 March 2014 — In a statement on its website, MtGox reported that it had found 200,000 BTC in an old wallet, bringing the total number of missing bitcoins down to approximately 650,000 BTC.

19 April 2015 — WizSec, a group of individuals who have been investigating the MtGox mystery for several years, released a detailed analysis of their findings so far. This report cleared up a number of questions about the nature of the coins’ disappearance, but didn’t appear to provide any leads on a potential perpetrator.

1 August 2015 — Mark Karpelès was arrested by Japanese police on suspicion of having falsified data about MtGox’s outstanding balance on its computer system. He was later indicted for embezzlement and data manipulation, based on allegations of manually manipulating trades on MtGox prior to the activities of the Willy Bot.

July 2017 — Karpelès appeared in court to face the charges pressed against him in 2015. In an ongoing trial beginning on 11 July, he publicly admitted responsibility for running Willy, but claimed the bot was established to save the company from insolvency rather than for his personal enrichment. Despite his suspicious activities, there is no solid evidence to suggest that Karpelès was responsible for (or intentionally complicit in) the theft of the 650,000 bitcoins.

25 July 2017 — BTC-e, a well-known Russian-based exchange with ties to illegal activities, announced via Twitter that it was undertaking “unplanned maintenance” in its data center. Several subsequent tweets reiterated this as an explanation for the site being down. However, it was later revealed that FBI staff had raided the exchange’s data center and seized all of its equipment, servers (which held all databases) and purses. The site was shut down and the domain seized, marking the first time the US government has attacked a foreign exchange on foreign soil.

26 July 2017 — Alexander Vinnik, a 38-year-old Russian national, was arrested by US authorities in Greece and charged with 17 counts of money laundering and 2 counts of engaging in unlawful monetary transactions (which could see him facing up to 55 years in prison). Vinnik is alleged to have laundered $4 billion in cash through BTC-e since 2011, and users of the exchange quickly connected his identity with one of BTC-e’s leaders known as “Alexander”.

WizSec released a report stating that “Vinnik is [their] chief suspect for involvement in the MtGox theft (or the laundering of the proceeds thereof).” They had previously identified Vinnik as “WME”, the owner of the wallets into which the stolen MtGox bitcoins had been transferred. Approximately 300,000 of these coins were laundered or sold off on BTC-e, and some were moved straight into internal storage rather than customer deposit addresses, strengthening the claim that Vinnik is somehow involved with BTC-e.

Movement of missing MtGox bitcoins and other stolen coins (source)

The same investigation by WizSec revealed that these wallets controlled by Vinnik were also used to launder coins stolen from Bitcoinica, Bitfloor and several other exchanges in 2011 and 2012. WizSec concluded that Vinnik is responsible for, at the very least, laundering the missing MtGox coins. Whether or not he is responsible for the thefts themselves remains to be established.

As these developments unfolded, the US government unsealed a 21-count indictment against BTC-e and levied a $110 million USD fine against the exchange for its alleged violations. The allegations against BTC-e include that it functioned as a clearinghouse for funds sourced from “computer intrusions and hacking incidents, ransomware scams, identity theft schemes, corrupt public officials, and narcotics distribution rings.”

31 July 2017 — BTC-e published an update in Russian on the Bitcointalk forum, confirming that the FBI had indeed seized their equipment, and claiming that Vinnik was neither the head nor an employee of BTC-e at any time. It also promised to restore customer funds if the exchange is not back up before the end of August, stating that it will “evaluate and publish information about how much money fell into the hands of the FBI and what amount of funds is available for return.” At this time, various users noted that large amounts of BTC and ETH had been transferred out of addresses believed to be owned by BTC-e, suggesting either that they had been seized by authorities or moved for safeguarding by the exchange.

4 August 2017 — In another post on the Bitcointalk forum, BTC-e stated: “We were able to access our databases and wallets, at the moment we are evaluating data and balances on [coins], this information will be made public by the end of next week.”

9 August 2017 — BTC-e revealed that it now controls only 55% of customer funds, with the remainder having been confiscated. The exchange plans to work with an unnamed group of investors to relaunch the site under a new name. Further, it plans to issue a new token (BTE) to cover the shortfall, which it will then buy back from the market over time (similar to the method used by Bitfinex after it was hacked in 2016).

14 August 2017 — BTC-e announced that its new token will in fact be called BTCT, and that the exchange will offer free trading of these tokens, allowing users to trade them “at any price, but no more than their face value.” The translated post elaborates: “For example, you had 1 BTC. You will receive 0.55 BTC and 0.45 BTCT. 0.55 BTC you can withdraw immediately. The remaining 0.45 BTCT you can either exchange for BTC at the market rate, or wait for their exchange at face value.”

As yet, the ultimate fate of the missing MtGox coins, and the extent of their connection to BTC-e and its leadership, remains unclear. However, for long-time followers of this mystery, a glimmer of hope is finally emerging as these previously unconnected threads begin to intertwine.