Lessons From Mt. Gox Bankruptcy

MtGox Co., Ltd., once the world’s largest Bitcoin exchange company, is insolvent, bankrupt, and now history.  This bankruptcy (which I discussed yesterday) offers lessons to cryptocurrency startups.

Mt. Gox’s fundamental lack of professionalism has become painfully clear since it filed for bankruptcy.  According to a Wired expose last year, former Mt. Gox CEO Mark Karpeles ignored fundamental business issues like accounting and regulatory compliance, but worked obsessively on side projects such as a Bitcoin Café and the Bitcoin Foundation (which is lately experiencing liquidity problems itself).

The bankruptcy filings show that Mt. Gox engaged in questionable self-dealing.  Last week the bankruptcy trustee filed an updated list of assets which revealed that Mt. Gox is owed a loan of about $1.1 million from Mr. Karpeles and a further $6.5 million from TIBANNE Co., Ltd., the parent corporation of Mt. Gox, named after Mr. Karpeles’ cat.  TIBANNE was forced into bankruptcy as of February 2, and it is unclear whether these monies can be recovered.

Mt. Gox’s handling of virtual deposits was no better.  Upon bankruptcy, Mr. Karpeles incorrectly represented that Mt. Gox had lost all but about 2000 Bitcoins still within the site’s “hot wallet” (a server-controlled wallet for day-to-day transactions).  In fact, Mr. Karpeles announced the next month that an additional 200,000 Bitcoin had been located in an “old format” cold wallet.  At the time, these Bitcoins were worth about $120 million.

The March 2014 announcement raised questions about how “cold” most of the Mt. Gox cold wallets actually were.  For background, large Bitcoin balances are typically kept in a cold wallet—a virtual wallet with private keys not attached to any networked device.  The private keys are lengthy prime numbers necessary to spend Bitcoins from an address.  If private keys do not exist on any networked device, it should be impossible for hackers to steal Bitcoins (unless quantum computing is someday invented).  A cold wallet private key can simply be written on a piece of paper and locked in a bank vault as Coinbase does.

Mt. Gox claimed to maintain most of its Bitcoins in cold wallets, but how did it manage to lose nearly all of its clients’ assets?  The cold wallets were either not truly “cold” or else were ineptly executed.  For example, recent analysis published by the security firm WizSec suggests that potentially compromised hot wallets were continually replenished from the cold wallets.  While this would prevent hackers from absconding with many coins at one time, unmonitored cold wallets thoughtlessly emptied into a leaky hot wallet would allow hackers to take unlimited money over time.  (A previous report by WizSec focused on the controversial Mt. Gox trading algorithm “Willy,” as reported by this blog, but it appears that most Bitcoins were lost long before Willy started trading, and that the loss of Bitcoins was gradual over many years.)
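One way to implement the monitoring that was missing here, as an added example (not code from WizSec, Mt. Gox or this blog; the record layout, function names and ledger values are constructed assumptions): reconcile every cold-to-hot refill against the exchange's own books and stop refilling once the cumulative unexplained gap passes a limit, even when each day's gap looks small.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class DayRecord:
    date: str
    refill: Decimal        # BTC moved cold -> hot that day
    deposits: Decimal      # customer deposits credited in the books
    withdrawals: Decimal   # customer withdrawals authorised in the books
    observed_hot: Decimal  # on-chain hot wallet balance at end of day

def unexplained_drain(days: List[DayRecord], opening_hot: Decimal
                      ) -> List[Tuple[str, Decimal, Decimal]]:
    """Return (date, daily_gap, cumulative_gap): BTC that left the hot wallet
    with no matching withdrawal in the exchange's own ledger."""
    rows, cumulative, previous = [], Decimal(0), opening_hot
    for d in days:
        expected = previous + d.refill + d.deposits - d.withdrawals
        daily = expected - d.observed_hot
        cumulative += daily
        rows.append((d.date, daily, cumulative))
        previous = d.observed_hot  # next day starts from what is really on-chain
    return rows

def first_halt_date(days: List[DayRecord], opening_hot: Decimal,
                    cumulative_limit: Decimal) -> Optional[str]:
    """First day on which further cold -> hot refills should be refused."""
    for date, _daily, cumulative in unexplained_drain(days, opening_hot):
        if cumulative > cumulative_limit:
            return date
    return None

# Constructed sample ledger: every refill is routine, but coins keep leaking.
D = Decimal
OPENING_HOT = D("2000")
LEDGER = [
    DayRecord("D1", D("0"),   D("300"), D("250"), D("2050")),
    DayRecord("D2", D("500"), D("100"), D("400"), D("2200")),
    DayRecord("D3", D("500"), D("200"), D("300"), D("2520")),
    DayRecord("D4", D("500"), D("150"), D("350"), D("2700")),
]

if __name__ == "__main__":
    for date, daily, total in unexplained_drain(LEDGER, OPENING_HOT):
        print(f"{date}: unexplained today {daily} BTC, cumulative {total} BTC")
    print("halt refills from:", first_halt_date(LEDGER, OPENING_HOT, D("100")))
```

In the sample, no single day's gap reaches 150 BTC, so a per-day alarm at that level stays silent while the cumulative check halts refills on the third day.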

The bankruptcy trustee Nobuaki Kobayashi is further investigating the matter with Payward, Inc. (a Delaware corporation that runs the Kraken Bitcoin exchange popular in Europe).  The investigation may shed more light on the hacking and/or insider trading that siphoned funds from Mt. Gox, but insufficient monitoring was likely part of the problem.

The lessons of Mt. Gox for other Bitcoin companies are:

  1. Stay focused on fundamentals including security and regulatory hurdles.
  2. Keep cold wallets cold—truly offline, monitored and secure.
  3. Keep track of real and virtual assets.
  4. Do not lightly engage in self-dealing.
  5. If you run an exchange, consider potential conflicts of interest and security repercussions of operating trading algorithms on your own platform.