The full story behind the first major crypto hack and how much really was lost.

MtGox was one of the very first platforms on which people could buy, sell, and trade bitcoin.

Launched in July 2010, by 2014 the Tokyo-based company was handling over 70% of all BTC transactions globally. It was on a trajectory that could have put it alongside or even in place of the major exchanges we know today, such as Coinbase, Kraken, Binance, etc. In fact, the domain name ‘mtgox.com’ was initially purchased in 2007 by the MtGox founder, Jed McCaleb, with the intention of building a Magic: The Gathering trading website where users could trade their MtG cards online like stocks (MtGox = Magic the Gathering Online Exchange); there’s no doubt they would have been early adopters of NFTs as well. The website was transitioned into one of the world’s first crypto exchanges after McCaleb read about bitcoin in an online publication called Slashdot and saw the opportunity to build a business.

However, in early 2014, at the height of its operations and no longer in the hands of McCaleb (who sold in 2011 to French developer Mark Karpelès), everything ground to an abrupt halt in the wake of revelations that hundreds of thousands of bitcoin were missing.

For several years afterward, the MtGox wallet incident with 850,000 lost bitcoin (~7% of the total BTC supply and valued around $473M at the time), remained the biggest theft the crypto world had ever seen. To this day, many MtGox users are still waiting to be reimbursed, and only a handful of larger cyber thefts have occurred.

The $473M MtGox Hack Timeline

Due to the chaotic nature of the early Bitcoin markets and the novelty of the crypto exchange business model, many of the details about the MtGox hack are spread over several months and even years, and not everything is accounted for. As an example, MtGox “found” 200k missing BTC several months after the exchange was closed down, and the biggest theft occurred several years before it was even noticed. I’ll do my best to break it all down.

February 7, 2014:

MtGox halts all bitcoin withdrawals, stating the reason as “to obtain a clear technical view of the currency processes.”

It’s later revealed in a February 10, 2014 announcement that the MtGox team has uncovered an issue with the way that bitcoin withdrawals are processed and have been investigating suspicious transactions for the past several weeks.

Essentially, they were worried about an issue called “transaction malleability”, which in plain English was a problem with the way some transactions could be interpreted that might result in a double sending of a transaction – so if you meant to send one BTC, it might go through twice and you’ll send two.

From the MtGox official statement, “a bug in the bitcoin software makes it possible for someone to use the bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent.”

“MtGox is working with the bitcoin core development team and others to mitigate this issue,” they added. Specifically, it was the BIP66 soft fork on block 363724 that eventually solved most of these issues. The MtGox revelations were a major motivation for this update, even though the MtGox CEO Mark Karpelès was no longer on the board of the Bitcoin Foundation by the time the update was implemented in early 2015.

February 15, 2014:

CoinDesk publishes an article including a poll that launched on February 4th and claims that roughly 68% of the ~3,000 respondents are still waiting for withdrawals to go through; some had been waiting for more than 3 months.

February 17, 2014:

MtGox releases a statement claiming they have a workaround for the transaction malleability issue, a tool created by Blockchain.info, and they will soon be able to restore external bitcoin withdrawals “at a moderated pace and with new daily/monthly limits in place to prevent any problems with the new system and to take into account current market conditions.”

The same day, Wall Street Journal publishes an email exchange with the MtGox CEO that seems to contradict the outward optimism expressed by the company.

February 23, 2014:

The company’s Twitter feed gets completely wiped of all past tweets as reports emerge that MtGox has resigned from the board of the Bitcoin Foundation.

February 24, 2014:

The MtGox website shuts down, returning just a blank page, and therefore all trading is immediately ceased on the platform.

Wired publishes a bombshell report on what was apparently a “crisis strategy draft” written by MtGox that leaked online, which contained information suggesting the exchange was insolvent and missing 744,408 BTC, valued around $350M at the time.

February 28, 2014:

MtGox files for bankruptcy in Tokyo (they soon file in the US as well).

In the bankruptcy protection request, it’s revealed that the exchange is missing 850,000 BTC, valued around $473M at the time of filing. They claim 750,000 of the lost BTC belong to users, while another 100,000 belonged to the company – this was wrong and we’ll see why in the next paragraph.

March 20, 2014:

MtGox reports on its website they had found nearly 200,000 BTC in an old wallet used before 2011 when the new CEO took over, bringing the total loss down to 650,000 BTC, worth around $357M at the time.

April 16, 2014:

MtGox abandons plans to reorganize and reopen the exchange, filing a request with the Tokyo courts to liquidate their assets and pay off creditors, a process which is still underway as of November, 2022. Many of the 127,000 creditors have seen some compensation, but more is expected to come in 2023, sparking fears the big release of BTC back into the economy could provide downward pressure on the price.

How the MtGox Hack Happened

April 19, 2015:

Japanese Bitcoin security specialist WizSec releases a post-mortem that tries to pull all the fuzzy technical details together.

They conclude that the bitcoin had been slowly siphoned out of the MtGox wallets over years, stretching back to 2011, when some of the biggest unaccounted withdrawals took place. The company had apparently been insolvent for nearly 3 full years before anyone really noticed, or so it would seem. It’s still unknown today who was responsible for the majority of withdrawals, but MtGox CEO Karpelès would later be arrested in August of 2015 for his potential involvement with or foreknowledge of the missing cryptocurrency.

After an interrogation, Japanese police charged the MtGox CEO with fraud and embezzlement, as well as manipulating the MtGox systems to inflate the amount of bitcoin in an account. They also accused him of misappropriating $2.6M worth of bitcoin by moving it into a wallet he controlled just 6 months before the 2014 collapse.

March 14, 2019:

CEO Karpelès successfully defends against various charges, but is found guilty of falsifying data and inflating MtGox holdings by $33.5M. The other charges were dropped by the court based on its belief that he acted without ill intent, and it’s apparent neither he nor his actions were responsible for the vast majority of missing funds.

Jan 17, 2017:

The US Federal Reserve reports an indictment against Alexander Vinnik, the owner of a now defunct bitcoin exchange called BTC-E. In it, they claim he is responsible for the majority of MtGox’s missing bitcoin, having tracked transactions flowing out of MtGox and into BTC-E administrative accounts, ultimately being sold and showing the money being transferred to accounts owned by Vinnik. BTC-E was ultimately labeled by US officials as an international money-laundering scheme that catered to criminals, and it’s unclear if Vinnik himself was stealing the bitcoin from MtGox, or if it just all ended up in BTC-E and then landed in Vinnik’s bank.

The common belief is that there were many different exploits and malicious withdrawals from MtGox’s wallets over the several years they were losing funds, and it’s still one of the most cautionary crypto tales about all that can go wrong with lax security.

Marin Ivezic
Website | Other articles

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.