Hacking and Mt. Gox, But from Whom?

Health + Tech / 01 Mar 2014

By now most everyone has heard about the demise of Mt. Gox, the granddaddy of bitcoin exchanges. I am finding their tale of “hackers” stealing bitcoins nominally valued at half a billion dollars rather hard to believe. Let me explain why. According to the alleged leaked document, it looks like hackers had been exploiting that bug for two years, and even removing bitcoins from supposedly secure “cold” wallets that the company had stored offline. Offline wallets are disconnected from the internet and cannot be emptied by online attackers. However, supposedly “cold storage has been wiped out due to a leak in the hot wallet.”

I’m sorry. That is gobbledegook. I was a top-end software engineer for 20 years. I’ve worked inside everything from banking to factory automation. I’ve written code from device drivers and math routines to computer-integrated manufacturing, simulation and CASE. Flatly, there is no such thing as “a leak in the hot wallet” unless software has specifically been written to access the “offline” wallet. But if it can be accessed “hot” then it’s online, not offline. If it’s offline, it’s offline. If it’s online, it’s online. There isn’t something in between. Bitcoins are data. That’s all they are. The files are either accessible or they are not.

Stealing bitcoins

Yes, it is easy to steal bitcoins. In fact, it is trivially easy – if you have access to the drive the bitcoins are stored on. A bitcoin is just an encryption key that is stored on a computer. Now, let’s ask ourselves: who had access to the offline data storage that the bitcoins were kept on?

Sysadmins can get at anything in a computer system. Talk to the NSA about that. And Mt. Gox was a very small operation. Not many people involved in it. Think about that. Some significant moral hazard here.

I had my confrontation with moral hazard back when I was working on Bank of America’s ATM system. I worked out how to remove millions over a 3-day weekend from ATMs and leave no audit trail. And I knew at the time that there was a “jackpot” problem where ATMs spit out tens of thousands. As an insider, I know that explanations like cosmic rays and acid fog were literally written down and given to upper management as the reason.

Tyler Durden, writing about bitcoin hacks, says it well: “The most lucrative attacks are carried out on online services that store the private keys for a large number of users, … It seems these attacks are often carried out by insiders who don’t have to do much hacking at all. Just copy the database of private keys and you can gain control of the bitcoins at all those addresses.”
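The two points above, that a “cold” key cannot be spent from the online side unless it is physically present there, and that the realistic threat is an insider copying the key material, can be made concrete with a small custody model. The following Go program is an added example written for this page; it is not code from the article, from Mt. Gox, or from any bitcoin wallet. It assumes a toy ledger (ECDSA on P-256 from the Go standard library standing in for bitcoin’s secp256k1 and transaction format, constructed balances, and the names Ledger, ColdSigner, Sign and AuditColdSpends, all of which are mine). The hot host holds only the public key for the cold address, so even full control of it cannot produce a valid cold spend; the moment the private key is copied onto it, the cold balance is reachable online, and a reconciliation of the ledger against the offline signing log is what flags that spend.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Address is a hash of the public key, so a watch-only host can verify spends without the private key.
type Address string

func AddressOf(pub *ecdsa.PublicKey) Address {
	return Address(fmt.Sprintf("%x", sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))))
}

type Transfer struct{ From, To Address; Amount int64; Sig []byte } // Sig is empty until signed

func (t Transfer) digest() [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%s->%s:%d", t.From, t.To, t.Amount)))
}

// Sign is what any host, and anyone who controls it, can do: use the private keys present there, nothing else.
func Sign(keys map[Address]*ecdsa.PrivateKey, t Transfer) (Transfer, error) {
	priv, ok := keys[t.From]
	if !ok {
		return t, errors.New("no private key for " + string(t.From) + " on this host")
	}
	d := t.digest()
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	t.Sig = sig
	return t, err
}

// Ledger moves funds only on a signature that verifies against the stored public key.
type Ledger struct {
	pubs     map[Address]*ecdsa.PublicKey
	balances map[Address]int64
	applied  []Transfer
}

func (l *Ledger) Apply(t Transfer) error {
	d := t.digest()
	if pub, ok := l.pubs[t.From]; !ok || !ecdsa.VerifyASN1(pub, d[:], t.Sig) {
		return errors.New("invalid signature")
	}
	l.balances[t.From] -= t.Amount
	l.balances[t.To] += t.Amount
	l.applied = append(l.applied, t)
	return nil
}

// ColdSigner is the offline machine: keys never leave it, and it logs the digest of every transfer it signs.
type ColdSigner struct {
	keys map[Address]*ecdsa.PrivateKey
	log  map[[32]byte]bool
}

func (c *ColdSigner) Sign(t Transfer) (Transfer, error) {
	signed, err := Sign(c.keys, t)
	if err == nil {
		c.log[t.digest()] = true
	}
	return signed, err
}

// AuditColdSpends reconciles the ledger with the ceremony log: a cold-address spend with no log
// entry was signed somewhere other than the offline machine, i.e. the key material was copied off it.
func AuditColdSpends(l *Ledger, c *ColdSigner) (unexplained int) {
	for _, t := range l.applied {
		if _, cold := c.keys[t.From]; cold && !c.log[t.digest()] {
			unexplained++
		}
	}
	return unexplained
}

// Scenario runs the constructed model: an intruder on the hot host, a signing ceremony, then a key copy.
func Scenario() (intruderStopped, ceremonyOK, copyDrained bool, unexplained int) {
	coldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cold, float, outside := AddressOf(&coldKey.PublicKey), Address("hot-float"), Address("outside")
	ledger := &Ledger{pubs: map[Address]*ecdsa.PublicKey{cold: &coldKey.PublicKey}, balances: map[Address]int64{cold: 10000}}
	hotHostKeys := map[Address]*ecdsa.PrivateKey{} // watch-only for cold: the cold key is not here
	signer := &ColdSigner{keys: map[Address]*ecdsa.PrivateKey{cold: coldKey}, log: map[[32]byte]bool{}}
	// 1. Full compromise of the hot host: there is no cold key on it to use.
	_, err := Sign(hotHostKeys, Transfer{From: cold, To: outside, Amount: 10000})
	intruderStopped = err != nil
	// 2. Routine top-up of the hot float, signed in a ceremony on the offline machine.
	t, _ := signer.Sign(Transfer{From: cold, To: float, Amount: 500})
	ceremonyOK = ledger.Apply(t) == nil
	// 3. The only route from "hot" to "cold": the offline key material is copied onto the hot host.
	hotHostKeys[cold] = coldKey
	t, _ = Sign(hotHostKeys, Transfer{From: cold, To: outside, Amount: 9500})
	copyDrained = ledger.Apply(t) == nil && ledger.balances[cold] == 0
	return intruderStopped, ceremonyOK, copyDrained, AuditColdSpends(ledger, signer)
}

func main() { fmt.Println(Scenario()) }
```

The design choice worth noting is that the audit needs nothing from the hot host beyond the ledger it already keeps: it only asks whether every cold spend has a matching entry in the offline machine’s own log. A spend that verifies on the ledger but was never signed in a ceremony is exactly the “leak from the hot wallet into cold storage” the article calls impossible, and it is impossible unless someone moved the key.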

Mt. Gox arbitrage

I have also followed things at Mt. Gox since their first announcement that they had shut down withdrawals of bitcoins. I noticed something interesting – when that happened, a huge arbitrage gap opened up between Mt. Gox and other exchanges. And it was even odder that it was pretty much only Mt. Gox that was claiming to have this problem with the bitcoin transfer software. Other exchanges did just fine. The problem was dead simple to fix. As in, one guy could fix it overnight. And yet the problem remained.

Mt. Gox, Feb 15, 2014:

• Last: $280.00
• High: $540.00
• Low: $270.00
• Weighted Average: $348.87

Coinbase Feb 15, 2014:

• Buy: $652.08
• Sell: $651.30

That is $112.08 per bitcoin in arbitrage if you bought high on Mt. Gox and sold on Coinbase. More realistically, $303.21 in average arbitrage per coin on Mt. Gox.

Mt. Gox was 54% lower. Think about that. What would cutting off transfers outbound from Mt. Gox accomplish? It traps everyone at Mt. Gox. That forces prices lower still. And that opened up an awfully tempting opportunity for the guys running Mt. Gox to buy up bitcoins on Mt. Gox, transfer them to Coinbase or Kraken, or wherever, and sell them all at 150% or more of their cost basis. They would have the ability to do that. But none of their clients did. Did the operators of Mt. Gox play arbitrage against their clients for a few weeks in February? If they did, is it legal? Since at least one court has classed bitcoins as both money and a security, the SEC does have jurisdiction.

My involvement with bitcoin

I have followed and studied Bitcoin for a couple of years. I have the distinction of correctly calling the top at roughly $1000 when bitcoin was around $20. I did that by using historical estimations of other bubble-mania items like Beanie Babies. There was a time when those little bean-bag creatures sold for such inflated prices. The $1,000 price point is where people tend to pull back.

I looked into buying bitcoins to make a play. I was somewhat concerned that I would no longer be an objective observer, and I definitely didn’t agree with bitcoin’s claims. But, making a million dollars off of the silliness of others was tempting. I would have, except that Mt. Gox was the primary game in town. And when I examined their systems I decided that Mt. Gox resembled nothing quite so much as a roach hotel. Easy to check in. Hard to check out. Anyone could buy any amount of bitcoin going in.

But redemption was severely limited with daily limits that meant any fortune was not actually redeemable in practice. Sure, $10,000 per day might sound fine. But for a serious amount of money it was nonsense. Bitcoin was just too volatile to think that 4 months was an acceptable redemption time. That meant that the only way to cash out on a million dollar payday was to find buyers off the exchange. I didn’t have the time or inclination to do that.

I also decided that it was extremely unlikely that Mt. Gox or any other bitcoin exchange would not trade on their own account. With no real transparency, and sometimes wild variances between sale prices, was I supposed to trust a bunch of neo-anarchist sorts to voluntarily do what I wouldn’t trust the boys on the NYSE to do if the regulators didn’t watch them like hawks?

It was also evident that, with sites like Silkroad doing big business, there were backdoors for insiders to cash out. Getting into that group involved with Silkroad’s “business ventures” seemed a bit dicey. So I left bitcoin investing alone.

Mt. Gox exit strategy?

Here’s where it gets a little complicated. The Mt. Gox strategy is the rational one to pursue if you know the ship is sinking and the game is over. Because none of the moves that have occurred are what an exchange would do if they thought bitcoin had a future. I thought it was highly likely that Mt. Gox was heading for a shutdown when their “software problem” lasted more than a day.

And, I had another reason. Back on December 7, 2013, I submitted the initial version of my paper on the conceptual flaws in bitcoin. That has been covered for the lay public in a previous popular article. I had a fairly lengthy email discussion about it with the chief economist for bitcoin, and we ended it with him saying that I, “might be right.” That suggests that this knowledge would percolate out to the top insiders of bitcoin first. And it would be logical then for the operator of Mt. Gox to come up with an exit strategy.

Maybe Mt. Gox has really just shut down bitcoin transfers outbound to fix a real software problem and they couldn’t figure it out for almost a month. Maybe they really were victimized. Maybe. But I doubt it. Things don’t add up that way. Frankly, I don’t believe the story about hackers from outside. Nor do I think the leaked document is likely to be an accident. I think that a careful audit may show something worth seeing.