The Mysteries of Mt. Gox Continue: Interim Independent Report Shows Attacks Were Mainly an Inside Job
Tokyo – by Kyoko Miura
A Secret Service agent and a DEA agent, who had been cooperating with the investigation, leaked information on Mark Karpeles, the founder of Mt. Gox, once the world’s largest bitcoin exchange, to the Silk Road operators. The agents may have also tried to shake down Mark Karpeles on two separate investigations.
The prosecution of the two federal agents who played key roles in the Silk Road investigation now raises new questions about the collapse of Mt. Gox, which filed for bankruptcy protection in February of 2014, and the activities of the two agents involved. When the cops are cooperating with the criminals, and acting as criminals, then informants are likely to become targets for retaliation.
Once the world’s largest bitcoin exchange based in Tokyo, Mt. Gox collapsed in February of 2014, with 500 million dollars missing. The official police investigation began on March 27th. A year later, the mystery has only deepened. The Tokyo Police Department Cyber Crimes unit leaked to the press that it was an inside job, but who was that insider? Was there an accomplice?
Data leaked and available after the extraordinary collapse of Mt. Gox was analyzed by a group of independent investigators, who released their 8-month-old findings only on February 19th because of non-disclosure agreements signed with different parties. The report's main conclusion is that the Mt. Gox hack was mostly an inside job. The report detailed the activities of a robot that was buying hundreds of thousands of coins with fake money within Mt. Gox. Mt. Gox filed for bankruptcy protection in Tokyo on February 28th of last year after 850,000 bitcoins worth about $500 million disappeared.
On the first anniversary of the mysterious hack, WizSec (Wiz Securities), the independent group led by Kim Nilsson, 32, a Swedish software engineer, and Jason Maurice, 29, a Hawaiian security researcher, both based in Tokyo, released their first, interim report on February 19th, giving the clearest account so far of what could have happened to Mt. Gox. Days later, maybe in response to this report, the alleged hacker(s) again anonymously leaked data that should normally be in possession of the trustee, who is currently liquidating Mt. Gox, and of the official investigators. The hacker(s) sloppily leaked private information about Mt. Gox creditors. The leak was immediately taken down, possibly by the moderators of Reddit.com.
Wiz’s independent report is based on a limited amount of information. Part of the data analysed in their report was left behind by the hacker(s) who allegedly attacked Mt. Gox.
Among the information new to the public, the Wiz report sheds light on the hours during which “Willy bot” was active: it seems to have been running all the time except between 2 and 5 AM, Japan time. Experts estimate Willy started running sometime in 2013.
Maurice explains that the act perpetrated by the anonymous person is clearly deliberate and illegal. The bitcoin trading data showed that the automated trading robot, or computer software (Willy bot), was used to manipulate the market and possibly steal coins as well. Because it had database access, the software was trading through different accounts at Mt. Gox using fake money: it created new accounts and set the balance of those accounts to millions of dollars, money that was never really deposited. “The bot would spend that fake money on the exchange buying up a few bitcoins every few minutes, which would usually take a day or so to spend. Spending $2 million buying bitcoins off of the market is something that can be made only slowly over time,” Maurice explained.
On March 9th, 2014 an anonymous hacker, who called himself “Nanashi” (“Anonymous” in Japanese), posted trading data on Mark Karpeles’ blog. The hacker compromised the Mt. Gox database, downloaded a lot of the transaction data and account balances, packaged it all up and leaked it on Karpeles’ blog, then posted it on Reddit, an internet forum, using Karpeles’ Reddit account. This person had clearly hacked Mt. Gox and hacked Karpeles personally. The perpetrator is anonymous and there is allegedly no evidence that points to his nationality.
“There is certainly a lot of evidence which makes the trading bot look like it was being run from either inside Japan or the Mt. Gox network itself,” Maurice said. The time slot of the operation of that bot also suggests it was an inside job.
“I do not know a lot of people capable of sleeping only 3 hours per night during 3 consecutive days,” Mark Karpeles said, commenting on the Wiz report.
This new information suggests that there could be more than one person behind the bot, working in shifts. “This opens a new path to the investigation but the problem is that we don’t have anything solid at this level,” Karpeles added.
The bot was discovered by bitcoin traders using Mt. Gox as early as January 2014 and was then dubbed “Willy” by the trader who discovered it. It was only after the bankruptcy of Mt. Gox that the community reported the bot to Mt. Gox. Nobody knows how the bot got into the system. The exact nature of the bot is still unknown.
“Multiple hacks, including one attack that happened over several years to manipulate the market”
The report shows that there might have been multiple hacks. One of the attacks might have taken place over several years and manipulated the market. Another attack was used to simply steal the coins. “Until we get the full database we can’t really be sure. There could have been multiple hackers in multiple countries. It could have all been done inside Japan and we don’t know. But there is a lot of evidence pointing to inside Japan,” Maurice explained.
Surprisingly, on February 24th this reporter obtained a whole new document disclosed by a Mt. Gox insider. The document leaked information about security issues at Tibanne (the parent company of Mt. Gox). The report, which offers investigators a great deal of feedback, showed that the systems at Mt. Gox were compromised precisely from 19:23 JST (Japan Standard Time) on February 28th until 16:07 JST on March 2nd. Its analysis of the origin of the attack says that there is a high probability that the attack was in response to the press conference held by Mt. Gox Co., Ltd on February 28th, around 18:30, where it was announced that a police investigation would be requested to find out what happened on Mt. Gox regarding the discrepancy in held balances. According to the leaked document, the attack was stopped on the day it was detected by Karpeles, on March 2nd, at 16:07.
Bot operating on Asian hours suggests the creator could have worked at Mt. Gox
Kim Nilsson, the author of the Wiz report, says that while his team went deeper and profiled how the Willy bot was run and controlled, their research showed beyond a doubt that the bot was real, intentional and significant enough to affect the market, contributing to, though not necessarily the sole reason for, the 2013 price boom and subsequent early 2014 crash. “We also uncovered evidence that Willy’s operator was likely located in East Asia, based on the times they controlled the bot,” Nilsson explained. The fact that the bot was operating on Asian hours is one of several clues suggesting that the creator could have worked at Mt. Gox. “We think that there is a lot of evidence pointing out that it was an insider rather than an external hacker,” both Maurice and Nilsson told this reporter.
The group also claims that their report is about 6 months old, and that they had discussions with the Japanese police last summer, with whom they shared a lot of their findings. “The police never came back to us after we had shared this information,” Maurice added.
Just before the bankruptcy was announced on February 28th, 2014, Mt. Gox had about 40 employees. A dozen were highly skilled engineers who had access to the entire system; about half of them were hired on a one-year contract and the other half were permanent employees.
Karpeles reportedly wasn’t aware of any coins missing up until late February, weeks after users began to report difficulties withdrawing funds. Karpeles explained that Mt. Gox launched an investigation as soon as they received such information. “One thing we discovered was the transaction malleability, and then we recovered 200,000 of the 850,000 missing bitcoins in an old format wallet. It took us 4 months in total to investigate everything, starting from early February up until months after we shut down Mt. Gox,” Karpeles said.
The Yomiuri Shinbun, Japan’s largest newspaper, reported on January 1st of this year that according to police sources, the Mt. Gox hack was a 99% inside job. Sankei Shinbun later reported it was a 90% inside job, showing similarities with the 8-month-old Wiz report.
The independent experts note that the recent leak to the Japanese press is compatible with what they shared with the Japanese police at the time. “It’s possible the police kept investigating this angle without telling us, and it is also possible the leak is referring to some other similar insider activity.” Either way, Wiz claims that their original report is almost one year old and that cryptographic proof was embedded in the bitcoin blockchain. (The blockchain stores the history of all bitcoin transactions and can also be used to store information permanently.)
Neither Nobuaki Kobayashi, the appointed trustee of Mt. Gox, nor anyone on his team was available for comment.
Clearly, there was negligence and lack of security. Some creditors of Mt. Gox say Karpeles is responsible, as CEO of the company, for securing everyone’s money. “I don’t think he is personally the thief we are looking for. It could have been someone else, an external hacker or somebody else within the company.”
The Wiz report is based on data leaked by the hacker(s) between February 28th and March 2nd. Wiz investigators claim they matched the data with information they collected elsewhere. The entire data set was potentially deleted from Mt. Gox servers between February 28 and March 2nd, and a part of the data was left visible by the perpetrator(s). As pointed out in the surprise report released on Tuesday by a Mt. Gox insider, “during the attack, various logs were erased and disabled.” […] “The files were erased, and instead, a symbolic link was placed”, the surprise report said. The mystery within Mt. Gox still looms, but there is some hope on the horizon.
Japanese media coverage of Mt. Gox collapse “too negative”, a Japanese economist says
Yukio Noguchi, a professor at Waseda University and economist, said that the Mt. Gox coverage by the Japanese media was too negative and not based on facts. “They [the Japanese media] reported that the bankruptcy of Mt. Gox was the bankruptcy of Bitcoin, well it wasn’t,” he commented, explaining that Japanese people do not trust the virtual currency. “One of the flaws in Bitcoin is that Mt. Gox got hacked. Bitcoins are designed so that transactions can never be reversed or undone. There is no charge back like a credit card. Once bitcoins are stolen, there is no way to get them back unless the guy who did it is actually found,” Maurice summed up.
So Saito, a Japanese attorney and auditor at JADA (Japan Authority of Digital Asset), said that after the collapse of Mt. Gox, the Japanese government discussed whether regulations should be put in place for Bitcoin, but finally decided that bitcoin is not a currency and that the crypto-currency would be treated like other goods and services, with commercial sales of bitcoin itself and bitcoin-based transactions subject to sales tax.