The Great Crypto Stagecoach Robbery

Anyone holding Bitcoins — or pretty much any cryptocurrency, really — has taken a substantial hit in the last few months, with the exchange rate of dollars to Bitcoins dropping from a high of around $1200 last November to around $550 today. But it’s possible that those whose Bitcoins were parked at the long-troubled Mt. Gox exchange have suffered a near-wipeout, or even a total one, in what may have been the catastrophic theft of some 744,000 Bitcoin from that exchange.

Mt. Gox was the first big Bitcoin exchange; as such it attracted the most attention, the most traffic, and the most trouble. It was hacked repeatedly because, at one time, it was simply where all the Bitcoins were. Most knowledgeable Bitcoin enthusiasts took off for more modern, more reliable exchanges long ago.

Details began to emerge Monday night in a leaked document (“Crisis Strategy Draft”) of at least partial authenticity obtained by blogger Two-Bit Idiot. The document explained that Mt. Gox had been subject to years of uncaught theft. (A Hacker News post later claimed to have restored the redacted slide from the leaked document that detailed the full Mt. Gox financials.)

Mt. Gox CEO Mark Karpeles, who is apparently holed up at home in Tokyo with his cat, has since verified in an IRC chat that the document is “more or less” legitimate, though it was not prepared internally by his embattled firm. He says that he is still trying to save the company: “’Giving up’ is not part of how I usually do things.”

You could look at the Mt. Gox disaster this way: imagine that ordinary consumer banks had only just been invented five years ago, and they’d since exploded in popularity. All of a sudden, Bank of America’s internal systems are alleged to have been broken all along and every penny that was held there is gone. The money in all the other banks is okay, seemingly — but now, the whole banking system looks very rocky and untrustworthy. How to trust any bank, if one of the biggest lost everything?

That’s basically what has happened to Bitcoin over the last few weeks, since it became clear that Mt. Gox was having trouble processing transactions last November. Delays grew from weeks into months, until withdrawals were suspended in early February (temporarily, it was alleged, until a “bug” was worked out).

Warnings against using Mt. Gox have been numerous and passionate for years, though the exchange managed to patch things up enough to keep going after each successive trainwreck.

The wheels fell off the trolley completely on Monday night, with the Mt. Gox site taken offline and all trading summarily halted. A joint statement signed by the heads of the principal remaining Bitcoin exchanges appeared at roughly the same time, bemoaning Mt. Gox’s “tragic violation of the trust of users.” Given that Bitcoin was explicitly designed to eliminate the need for “trust” — and obviously, the exchanges are one thing, and the underlying system another — I mean I hate to laugh, but still. Interestingly, the first version of the joint statement referred to “Insolvency of MtGox,” but moments later the title was altered to remove the word “Insolvency.”

Perhaps this is an indication that attempts are still being made to restore at least some part of their losses to Mt. Gox account holders. The joint statement is less interesting for what it contains, however, than for what it so glaringly leaves out.

A lot of venture money has found its way into Bitcoin in the last eighteen months or so; there are millions upon millions riding on its future. As Mt. Gox’s troubles mounted, many observers assumed that the Bitcoin chieftains from the competing exchanges and the core devs of the Bitcoin Foundation would rally round Mt. Gox and Karpeles, and to do whatever was necessary to ensure the solvency and trustworthiness of the currency as a whole. The Mt. Gox “Crisis Strategy Draft” linked above hints at such an outcome. Unfortunately, it also hints at the possibility of what would in ordinary banking circles be considered fraud and collusion to conceal wrongdoing. This would be an ironic turn of events in the case of Bitcoin, which, again, was expressly designed to promote openness and transparency and to minimize the possibility of financial shenanigans.

Though most media reports and much of the Bitcoin community have been in a huge hurry to lay blame at the feet of Karpeles and Mt. Gox exclusively and at once, the story seems likely to develop in as yet unseen directions. Karpeles is hardly the only player capable of mischief in this game. Should Mt. Gox recover even somewhat, there are many who will have benefited enormously in these wild weeks of arbitrage. Indeed, those possessed of pluck (and/or recklessness) and ready Bitcoin can arrange to buy Mt. Gox Bitcoins for around $65 each (at time of writing) on the exchange at bitcoinbuilder.com.

There has been a temptation to mock the libertarians who make up a lot of Bitcoin’s most passionate following, and to blame the unregulated joys of the free market for Bitcoin’s current problems. But just take a look at the stock market, the startup world, the bankruptcy courts, the markets for distressed debt, the art market, the real estate market, and any number of other markets (sure, basically all of them) where hopeful neophytes ripe for the plucking and clever participants eager to benefit from insider knowledge, plus quite a lot of plain cheats, are not hard to find. The most surprising thing about the Mt. Gox episode so far might be the resilience of Bitcoin prices, which might have been expected to take a much larger tumble in the face of the disaster.

In any case, things are heating up fast for Mark Karpeles, who is presumably about to collide with a giant swarm of lawyers. Reuters reports that Japanese banking authorities are taking an interest in the affair; the Wall Street Journal reported late Tuesday that Mt. Gox has received a federal subpoena, as well.

It’s not as if Mt. Gox were the only big problem facing Bitcoin in recent months, either. January saw the arrest of Charlie Shrem, the CEO of BitInstant, for selling people Bitcoins which they then allegedly used to buy drugs on the notorious Silk Road website (by that reckoning, they might as well arrest the CEO of every bank that ever held an account for a drug dealer but whatever, not good news). Warnings from the Russian central bank last month indicated that Bitcoin users could be arrested à la Shrem on money-laundering charges, simply for holding Bitcoin. Also the Chinese, fearing capital flight, clamped down on third-party platforms for moving yuan onto Bitcoin exchanges in December.

There has been no word from Blockchain.info or from the Bitcoin Foundation as to next steps, so far. Yesterday I contacted Gavin Andresen, the level-headed Chief Scientist of the Bitcoin Foundation, for comment. “I don’t have any coherent thoughts,” he responded, most uncharacteristically. “I’ve been very busy working on getting a 0.9 release of the reference implementation out.”

744,000 Bitcoins comes to around $400 million, and would rank as one of the biggest robberies in history (if you don’t like to count business and government robberies). It’s about 6% of the total coins mined so far (an estimate that does not account for the doubtless substantial number that have been lost since mining began in 2009, or the even larger number thought to have been retained by Satoshi Nakamoto, Bitcoin’s founder(s)). Ideally, if they can’t eventually be returned to their rightful owners, the coins stolen from Mt. Gox will be identified and blacklisted on the blockchain so that they can never be spent. Only a concerted and responsible effort to address the theft, if there is one, will persuade people that Bitcoin still has potential as a real medium of exchange.

So how did the thieves, if there were thieves, get away with a heist of that size? At the moment it appears that they may have been able to exploit Mt. Gox’s weak security and customer service practices — in particular, its reliance on a certain transaction ID (TXID) for internal verification; this weakness has been called “transaction malleability” in news reports. When the TXID was manipulated, it might have been possible for thieves to sneak Bitcoins out of Mt. Gox undetected — but it’s important to note that the blockchain (the underlying ledger that guarantees all Bitcoin transactions) is unaffected by that flaw, since TXID is generated not to guarantee or record the underlying Bitcoin transaction, but simply as a marker for support services. It appears that Mt. Gox’s custom wallet software may have made use of that housekeeping number to identify transactions in its own wallet system. That’s why Mt. Gox alone appears to have been hacked — if, indeed, that is the explanation for the alleged losses. (David Z. Morris has a good, simple explanation of transaction malleability at CNN Money.)

But if all this is as it has been suggested in the press and on Reddit and various blogs, it would mean that Mt. Gox had no internal auditing controls at all to verify its own transactions. As in, none. I still find that a little bit difficult to believe, despite the claims of those who insist that Mt. Gox’s coins are lost forever.

Chief among these is Erik Voorhees, well-known Bitcoin honcho (of Coinapult, BitInstant and SatoshiDice) and would-be orator, who went into full-blown Libertario-Biblical mode on this point in a lavishly festooned Reddit post he wrote on Monday night. Apparently Voorhees lost some 550 BTC at Mt. Gox himself (a smallish portion of his total Bitcoin holdings, it would be fair to assume; he says he was foolish to keep Bitcoin at Mt. Gox, and disregarded his own good sense in favor of “convenience.”)

And finally, the lesson is not that we ought to seek out “regulation” to save us from the evils and incompetence of man. For the regulators are men too, and wield the very same evil and incompetence, only enshrined in an authority from which it can wreck [sic] amplified and far more insidious destruction. Let us not retreat from our rising platform only to cower back underneath the deranged machinations of Leviathan.

(Help!)

We are at risk from accidents. We are at risk from fraud, from corruption, and from evil. We are at risk from journalists seeking headlines and from politicians seeking power and glory. We are at risk from the very market we are trying to build — a market which cares not about our portfolio, our ambitions, or our delicate sympathies.

So purple it is about the shade of an eggplant. But about that last part, he ain’t wrong.

Maria Bustillos is a journalist and critic in Los Angeles.