Gox

1. The Sunday Times, January 13 2019, 12:01am
2. Share
3. Save
4. In 2013, I spent £2,000 on just over 100 bitcoins — inspired by the anarchic long shot that this revolutionary new currency might one day bring down the banking system. Since then the price has repeatedly skyrocketed and tumbled again. At bitcoin’s peak, in December 2017, my coins were worth £1.5m. Lucky — for the person who stole them.
5.  
6. My bitcoins were among those taken five years ago in a £300m hack of a bitcoin exchange. At the time it was the world’s largest heist, eclipsing even the Hatton Garden jewellery robbery. Unlike gemstones, though, bitcoins are supposedly traceable. The trail left by the thief has led me on a rollercoaster ride through cycles of hope and despair that mirror the peaks and troughs of bitcoin’s valuation.
7.  
8. When bitcoin crept into existence 10 years ago this month, it was the first working example of a cryptocurrency — electronic money whose ownership is registered in a shared online database called the blockchain. A decade ago, bitcoin’s mysterious and elusive inventor, known only by the sobriquet Satoshi Nakamoto, created the first “block” of bitcoins, known as the genesis block. Nakamoto left a message in the code, a headline — “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks” — widely interpreted as a derisive comment about the instability of the traditional banking industry.
9.  
10.  
11. In the aftermath of the financial crisis, this chimed with me. I didn’t expect to get rich, but I bought in, hoping I’d end up on the right side of history when the banking system collapsed. Then the bitcoin price ballooned, and I watched dumbfounded. Every day my stash was worth more. My thoughts of overturning the banking system were replaced by dreams of how I would spend the windfall. I made big plans with my Californian girlfriend. By the start of 2014, my coins were worth £90,000, enough to buy a plot of land I’d found with its own fixer-up house and space for a vegetable garden. It sat at the foot of the sun-drenched pine-covered mountain in southern Oregon where I worked as a paragliding instructor.
12.  
13. Back then, Applegate Valley was home to a mix of rednecks and hippies, mostly paying their way by growing grapevines or medical marijuana in the Bordeaux-like climate. These people had time to be good neighbours and indulge their outdoor passions. We held barbecues, borrowed lawnmowers, helped fix each other’s plumbing. Some of us went paddleboarding up at the lake or rafting on the Rogue River. Others had cleared a paragliding launch area at the top of Woodrat Mountain, which is how I came to find the place. I made a living taking visitors on tandem flights. Every day I’d soar on the thermals alongside raptors, over the vineyards and huge pot plantations. I first spied my dream plot from the sky. Buying it would cement me into this community of friends. It would have been a great investment, too. A few years later, President Obama would stop federal enforcement against marijuana growers, and the green rush sent the value of land around Applegate Valley soaring. Life was going to be perfect, all because of my lucky faith in bitcoin.
14.  
15. And then everything unwound. While the coding for bitcoin itself is as solid as rock, the available digital wallet software to store the keys was too complicated for my IT skills. I had decided to leave my bitcoins in the care of the exchange where I had bought them, relying on the security of its electronic wallets. It didn’t occur to me that trusting a third party with my wealth was precisely what bitcoin had been designed to avoid.
16.  
17. Bitcoin exchanges are the gateway between cash and the bitcoin economy. In fact, apart from buying obscure IT services, drugs online or cupcakes from a few hipster cafes, exchanges are in many ways the totality of the bitcoin economy. In 2013, they were the Wild West. Unlike banks, bitcoin exchanges weren’t regulated (the situation is now improving), so didn’t offer much in the way of legal protection to customers. Hackers regularly stole from them, and sometimes even the exchange owners vanished with clients’ coins.
18.  
19. Back then, the Japan-based Mt Gox was the largest exchange, so, I reckoned, the most trustworthy. I wired my savings of £2,000 to its bank in Tokyo. I logged in most weeks to stare at my balance, and everything seemed fine. But behind the clean lines of the website was a spaghetti of code and incompetence.
20.  
21.  
22. On February 7, 2014, a few weeks after I’d found my perfect plot of land, I logged on as usual. My bitcoins were now worth enough to buy the place, but something was up. Mt Gox’s website suddenly suspended withdrawals. A few days later the site admitted it had been hacked. Then came the bad news: all my savings were gone. When the dust settled, Mt Gox revealed that 850,000 bitcoins, then worth £300m, were missing, including mine. At today’s rate they would be worth £2.6bn — and my stake would be £310,000.
23.  
24. I was stunned. For two days I just kept reloading the error message on Mt Gox’s homepage in disbelief. My mother tried to comfort me. “You only lost £2,000,” she said — the initial stake money I’d sunk into my bitcoin bet. That was all I should be upset about, she insisted, but I could not accept that. Those electronic coins were the closest I was ever going to get to living the dream — I would never make that kind of money as a paragliding instructor. Worse, in my head I’d already spent my windfall. Aside from the land, I’d planned to get some new paragliding gear and buy a car to go on a road trip with friends. In anticipation of my new bitcoin-fuelled life I’d become more confident. When the cash vanished, it was as though the opportunity to be that person went with it.
25.  
26. It took months to accept and let go of the dream. Tensions over money simmered with my girlfriend and eventually we split up. I left the US aimless and looking for a new start.
27.  
28. If I had sold my coins during 2017’s peak, it would have made me a millionaire. It stings to think about that. But if I’d cashed out as I intended in 2014, I’d be kicking myself for missing out on those big profits. I could happily live with that — instead I’m chasing a hacker, still trying to claw something back.
29.  
30. To find out who stole my bitcoins, I first had to understand more about Mt Gox, the exchange I’d trusted to look after them. It was run, I discovered, by Mark Karpelès, a French expat programmer living in Japan. Karpelès had been an early believer in the power of bitcoin. In March 2011, aged just 25, he had bought the fledgling platform from a successful San Francisco programmer, Jed McCaleb. McCaleb’s platform had already been robbed of £30,000, arguably due to his hastily written code. One condition of the sale was that Karpelès had to take full responsibility for thefts, even though McCaleb held on to 12% of the company.
31.  
32. A few days after the deal was agreed, another hacker ransacked Mt Gox, taking 80,000 bitcoins — an estimated third of their coin reserves, then worth about £45,000. It is unclear which man had custody of the coins when they vanished.
33.  
34. Ironically, the missing 80,000 bitcoins benefited no one. They went from Mt Gox directly to a bitcoin wallet from which they have never moved. Today they are worth about £240m but hang in an unreachable electronic limbo, like the bullion in the final scene of the 1969 heist film The Italian Job.
35.  
36. As the price of bitcoin rose, the hole left in Mt Gox’s finances by the missing coins grew. McCaleb suggested buying bitcoins to stabilise the losses using automated software he had created called the “Gox Bot”. Both men claim it was done to protect customers from the loss, but they kept it a secret. In more sober markets, it’s the sort of financial juggling that regulators exist to prevent.
37.  
38. By the end of 2011, Karpelès had completely rewritten the code for Mt Gox’s wallets, and McCaleb took a back seat. Two years of seemingly good times followed for Karpelès and Mt Gox. As bitcoin boomed, so did the exchange. In his blog, Karpelès recalled raking in annual profits of more than £18m from trading fees. He splashed money to support bitcoin projects and business ventures. The Japanese press would later report he also bought a sports car and rented a £6,800-a-month Tokyo penthouse with his wife and son during this period. Local papers alleged he spent company money on prostitutes, an accusation he categorically denies.
39.  
40. Kim Nilsson, a software engineer, lost 12.7 bitcoins with Mt Gox. He is now a bitcoin security researcher and has investigated the exchange’s accounts by cross-referencing leaked company data with the blockchain records. Despite the improved security, Nilsson found a catalogue of further hacks, mistakes, poor business decisions and bad luck during those seemingly halcyon years. He says Mt Gox never made up the 80,000 bitcoin shortfall, and in fact Karpelès’s meddling made things worse.
41.  
42. His research suggests Karpelès effectively set the Gox Bot to buy replacement bitcoins using customers’ funds, and then speculated with it, but by late 2013 Mt Gox was short $61.6m and 234,000 bitcoins. “The main problems with Mt Gox,” Nilsson says, “was not with the bitcoin technology, it was with how the company was run. It doesn’t matter if you use the strongest bank vault in the world if you leave the keys out.”
43.  
44. After sifting through the company’s computers, the Japanese police arrested Karpelès in August 2015 and charged him with embezzlement and data manipulation. Karpelès admits making some trades to manage losses from the thefts, but pleaded not guilty, arguing there was no law against it in this unregulated business.
45.  
46. The exchange was still profitable enough that it might eventually have recovered. But one last hack was underway: the mega-heist that killed Mt Gox and robbed me of my dream life. This theft actually began in late October 2011. Someone somehow gained access to an old Mt Gox wallet that automatically moved coins around internally. Over the next two years, they slowly sucked coins out of it. Meanwhile, Karpelès was conscious that if staff checked the company bitcoin balance they’d see things didn’t add up from previous losses, and reportedly prevented them. Consequently, no one noticed coins were being sucked out.
47.  
48. Nilsson has identified hundreds of transfers made by the thief every day, continuing for more than two years until finally, in February 2014, about 630,000 bitcoins had been siphoned off and the exchange ran dry.
49.  
50. Within days, Mt Gox filed for bankruptcy at the Tokyo district court. Those proceedings still continue and more than 24,000 people, including me, have claimed for losses. This time last year a price explosion pushed the value of these stolen bitcoins to almost £10bn, and even though the price has dropped significantly since then, the incentive to trace the thief was still overwhelming.
51.  
52. It took Nilsson more than a year to build a comprehensive picture of where the stolen coins had gone. He had to develop specialist software to look at millions of addresses and transactions, pioneering techniques in forensic bitcoin investigation to identify patterns that link addresses. His results have been shared with the Japanese police.
53.  
54. Nilsson discovered that some of the stolen coins were funnelled back and sold on Mt Gox itself, but most went to addresses belonging to a rival exchange, BTC-e, which was renowned for not verifying its clients’ identities. It was popular with hackers selling bitcoins they had stolen, extorted with ransomware or earned from online drug deals. BTC-e provided a bridge of anonymity between bitcoins and banks, which facilitated a slew or real-world crimes. Criminality was openly discussed in the exchange’s chat rooms. Created in 2011, BTC-e was run anonymously, revealing only that its founders were two Russian programmers known simply as Alexander and Aleksei from Skolkovo, Moscow’s answer to Silicon Valley. Their banking details were obscured behind intermediaries in the Czech Republic, Georgia and Panama.
55.  
56. Nilsson noticed that the stolen Mt Gox coins had been shunted into BTC-e’s internal addresses, suggesting that they were deposited by the exchange’s owners, rather than clients. These addresses also handled coins stolen from other big hacks, and appear to be a large-scale laundering service.
57.  
58. The exchange was purportedly operated by a UK shell company, with directors in the Seychelles. However, records also link control of it to a Muscovite, Alexander Buyanov — the same name, I discovered , used to register the BTC-e.com domain in 2011. His given address leads to a notary’s office in a Moscow back street. There, my search for Buyanov has run cold.
59.  
60. Following the trail of coins to its end, Nilsson found those addresses were controlled by someone with the online identity WME. This person had got into a spat with an exchange that refused to pay him for coins stolen in another hack. In an attempt to discredit the exchange, WME published their conversation online, unwittingly revealing his full name: Alexander Vinnik.
61.  
62. It wasn’t just Nilsson who’d followed the trail to Vinnik. In July 2017, while Vinnik was holidaying with his wife near Thessaloniki in Greece, the local police arrested the 38-year-old on a US warrant.
63.  
64. Simultaneously BTC-e.com was taken offline by US authorities. The attorney general for California’s Northern District published a 42-count indictment against BTC-e and Vinnik, claiming he was one of its owners and that it had laundered $4bn illegally. It specifically accuses Vinnik of handling bitcoins from the Mt Gox theft. The combined fines add up to $122m.
65.  
66. Eighteen months later, Vinnik is still in a Greek cell and his arrest has turned geopolitical. Russia also requested his extradition over a comparatively minor fraud worth about £8,600. Vinnik is fighting to be sent home to Russia.
67.  
68. While in prison, he has reportedly been the victim of an assassination attempt and started a hunger strike. He has filed for asylum in Greece, claiming the US charges are politically motivated.
69.  
70. When I spoke to Vinnik’s lawyer, he said his client denies all money-laundering charges and claims to have nothing to do with the Mt Gox theft. BTC-e released a statement that said: “Alexander was never the head nor employee of our exchange.” It claimed almost half its assets had been seized by the authorities, and they shut up shop. Lawyers have told me that if Vinnik goes to the US, his alleged victims have a fighting chance of getting some answers, and maybe some money back. But if he goes to Russia, we will get nothing. The competing extradition requests now rest with Michalis Kalogirou, the Greek minister of justice.
71.  
72. There is still a glimmer of hope I might get some bitcoins back. Six weeks after Mt Gox’s shutdown in 2014, Karpelès rediscovered an address he had seemingly forgotten about. It contained 200,000 bitcoins, almost a quarter of Mt Gox’s supply. It seems the only reason these weren’t stolen was because they had been virtually misplaced. A slim chance emerged of recovering 23% of my coins, but the slow, intractable Japanese bankruptcy proceedings became tied up in disputes that would take years to resolve, and my hope faded gently to embers.
73.  
74. Then, in autumn 2016, the price of a bitcoin rose sharply from £500 to more than £15,500 in just a few months. It was high enough that the remaining 23% now represented a much bigger windfall than the one I’d missed out on in 2014. There was jubilation among Mt Gox customers, but it was short-lived. In September 2016, Mt Gox’s liquidator announced that the law allowed for creditors to receive only a maximum of £370 per bitcoin — their market price at the time of the bankruptcy. The surplus, which grew to about £1.5bn, would be paid to the shareholders, McCaleb and Karpelès. There was outrage that the perceived architects of this loss could now benefit from it. Both men, however, said they would refuse the payment.
75.  
76. In response, I established an online co-operative of Mt Gox creditors. More than 1,000 people from around the world have signed up. We clubbed together to pay for lawyers to challenge the bankruptcy, and in June it was provisionally switched to a process called civil rehabilitation, which allows for creditors to share the surplus that had been due to go to McCaleb and Karpelès. By the middle of this year, the process should deliver something to us. But only last month, as I dared let my thoughts turn once again to my home-owning dream, the value of bitcoin, which had been uncharacteristically steady at about $6,000, started a sharp decline and with it went much of my bumper surplus. I am now trapped in the bitcoin bubble by Japanese, Greek and US courtrooms.
77.  
78. Karpelès and McCaleb, meanwhile, are quick to point the finger at each other. Last year, Forbes estimated McCaleb was worth $37.3bn. He told me he had sold Mt Gox to Karpelès with the expectation he would improve the code and grow the business, but regrets that Karpelès was too “incompetent”. “He got this golden goose and lost 650,000 of other people’s bitcoins. And he never checked the wallets! It’s frustrating that this is still blowing back on me,” McCaleb told me. “The idea that a $67,000 loss [80,000 bitcoins] somehow set him up for failure is just crazy. It was well within the bounds of the business to absorb. Mt Gox was on pace to make over $1m a year [from fees] at that point.”
79.  
80. McCaleb admits he suggested using the Gox Bot to buy bitcoins, but only with legitimate company profits, not customers’ money. He admitted to me that the 80,000 bitcoin loss may have been due to him overlooking some security updates, but quickly added that Karpelès also had access to the server at that point. Karpelès says he hadn’t yet accessed it.
81.  
82. Karpelès suggests he has been made a fall guy. He insists that the bitcoin balance was never checked for security reasons, and not to cover up losses. He denies speculating with customers’ money. A verdict in his trial is due in March. Prosecutors have requested a 10-year prison sentence.
83.  
84. Given my five-year entanglement with bitcoin, I now qualify as an expert. Here’s my free advice: if you have money to lose, buy some bitcoins and use cold storage wallet software to print your bitcoin key on a piece of paper. Delete it from your computer, then hide the paper in your jewellery box. Forget it for 10 years. Then it will either be worth nothing or it’ll change your life. Remember me if you get rich.
85.  
86. Andy Pag is a freelance journalist and runs MtGoxLegal.com, a co-operative of former Mt Gox clients