Pay the Devil in Bitcoin: The Creation of a Cryptocurrency and How Half a Billion Dollars of It Vanished from Japan (Kindle Single)

Home > Other > Pay the Devil in Bitcoin: The Creation of a Cryptocurrency and How Half a Billion Dollars of It Vanished from Japan (Kindle Single) > Page 5
Pay the Devil in Bitcoin: The Creation of a Cryptocurrency and How Half a Billion Dollars of It Vanished from Japan (Kindle Single) Page 5

by Jake Adelstein


  Just thirty minutes after the hacker contacted him, Ver decided to employ the tactic used by Mel Gibson’s character in the movie Ransom. He would use the Internet community to flush him out.

  He had an unspoken message for the pirate: Do not fuck with the Bitcoin Jesus. He is a vengeful God.

  Rather than hand over any bitcoins, he posted ads on bitcoinbountyhunter.com, Facebook, and Twitter. He offered the same amount the hacker had asked of him ($20,000 worth of bitcoins) as bounty on the hacker instead of paying the ransom, and he mentioned the Skype username nitrous.

  Ver’s post was retweeted by notable Internet figures, and thousands around the world were inspired to help find the culprit by pooling information. Meanwhile, Ver rallied his bitcoin friends from Tokyo, including Jason Maurice, who at the time was the chief white hat hacker at security consultancy Wiz Technologies.5 Both Ver and Maurice happened to be staying at the same hotel in Singapore where the conference was being held. Maurice immediately dropped whatever he was doing to start working with Ver. Together they began limiting the damage by identifying accounts that hadn’t been compromised and locking them down more securely.

  The hacker was trying to hijack Ver’s domain names and primary e-mail account by using information obtained from his old Hotmail account. Maurice fought hard to outmaneuver him.

  Someone on Skype known as “TGOD” even claimed he knew the hacker personally and had a grudge against him, but he wouldn’t give him away until he got paid all or part of the 37.6 BTC reward in advance.

  About an hour after the incident started, the hacker, irritated by the lack of a response, threatened Ver by writing that he would hit him “10,000 times harder” than he had originally planned.

  This didn’t work.

  Then the pirate switched tack. He said he was demanding the money to help pay for his mother’s $15,000 “transplant procedure,” but he gave no concrete details. Was it a liver transplant? A heart transplant? It didn’t matter. Ver was unsympathetic. He sent the hacker a link to his Facebook post offering the bitcoin bounty.

  At this point, the hacker seemed to panic, sending frantic apologies and claiming he was representing another person.

  Sir, I am sincerely sorry I am just a middleman I was being told what to tell you.

  I was seriously being told what to tell you by someone else I don’t even know what’s going on

  Please stop I am so sorry I told him that you are now going to have me killed over something he made me do I didn’t even do this it was someone else

  But Ver didn’t let it go. He replied by reminding the hacker he could earn 37.6 BTC by turning in the real offender.

  The response was:

  man that isnt even me this is so fucked up i got myself in this situation

  You dont know the stuff he makes me do he did this to me before . . .

  The hacker vanished after saying he would probably turn himself in to the authorities and notifying Ver that he had deleted the Hotmail account and reset all passwords to his other accounts. He also tried to delete the threats he had made on Skype, but Maurice got the chat logs just in time and posted the contents online.

  The actual hacker’s identity hasn’t yet been ascertained, but a couple of facts are certain: it wasn’t Ross Ulbricht, and Ver will still pay 37.6 BTC to whoever helps get the actual culprit arrested.

  Ver still doesn’t see bitcoin as the currency of criminals, even after this episode. His support for Ulbricht also remains unshaken.

  Is there any merit to Ross Ulbricht’s defense? There may be. There is certainly some doubt that he received a fair trial.

  A curious interview exists with another man claiming to be the real Dread Pirate Roberts. It was published in Forbes in August 2013 as “An Interview with a Digital Drug Lord: The Silk Road’s Dread Pirate Roberts (Q&A).” A month earlier, the journalist had put a series of questions to this man through Tor and the Silk Road messaging system. When asked why he had started Silk Road, his answer was: “I didn’t . . . my predecessor did. From what I understand, it was an original idea to combine Bitcoin and Tor to create an anonymous market. Everything was in place, he just put the pieces together.”6

  Was this Ross Ulbricht already trying to distance himself from his own work? Had Silk Road taken on a life of its own after Ulbricht had created it, much as Satoshi Nakamoto had created bitcoin and then seemingly vanished into cyberspace?

  Who is the real Dread Pirate Roberts?

  Some investigators believe he was still operating even after Ulbricht’s arrest. Some seem to share doubts as to whether they really had the right man. Some believe that the real Dread Pirate Roberts was an insider at Mt. Gox.

  CHAPTER FOUR

  THE MAGICAL MT. GOX

  Let’s talk about Mt. Gox again.

  From the outset, Karpelès was a computer geek and math wiz, not a libertarian, politician, or financier, so he was never well informed about the political and financial aspects of bitcoin. It was the technology behind it that motivated and intrigued him.

  As you may remember, Karpelès learned about bitcoin in 2010, when he was providing web-hosting services in Tokyo and William Waisse, a French client of his in Peru, asked if he could pay in bitcoin. Karpelès agreed, and he started to do some research on the currency. He thought the whole concept behind bitcoin was well thought out. There were a lot of technical problems that made for interesting challenges as a programmer. The beauty of the challenges themselves was sufficiently motivating for him (and others) to become involved.

  Mt. Gox was the first successful bitcoin exchange that could cope with a massive number of users anywhere in the world. At its peak, it handled 80 percent of all bitcoin transactions.

  The company became famous under Karpelès’s ownership, but it was an American named Jed McCaleb who started the site.1 In 2007 he bought the domain mtgox.com, which stood for “Magic: The Gathering Online eXchange.” He tried to turn it into an online card-trading site but shut it down after only a few months for reasons yet unclear.

  McCaleb was intrigued by bitcoin as soon as he heard about it. According to court documents, e-mails, and associates, he was eager to buy the currency but found it unreasonably difficult. He turned his long-dormant mtgox.com into a bitcoin exchange in July 2010, implementing balances, deposits, and withdrawals on the basis of his order-matching system already in place from his card exchange. In other words, he added bitcoins as another commodity that could be exchanged online. The new site allowed trading between bitcoin and local currencies, and it was the first of its kind. (Incidentally, McCaleb is another individual thought to be the elusive Satoshi Nakamoto. It seems unlikely.)

  Mt. Gox soon became more than McCaleb had bargained for. In fact, it became so popular that it took up all his time. He began looking for someone to help him manage the site and found MagicalTux—Mark Karpelès. McCaleb turned to him for advice and then sold the site to him for almost nothing.

  Karpelès thought the conditions were favorable. There was no need for an initial payment, just an agreement to share 50 percent of the profits for six months, with McCaleb retaining 12 percent of the company. Since Karpelès had already moved to Tokyo, the new Mt. Gox Co. Ltd. was based there as a subsidiary of Tibanne.

  Karpelès should have paid closer attention to the fine print. The main flaw in the deal was that the site had already suffered frequent bitcoin and monetary theft. Perhaps he didn’t understand how that would affect him. According to some sources, a bitcoin theft even occurred on the day Karpelès acquired the site.

  McCaleb wanted the matter kept under wraps and convinced Karpelès to sign a nondisclosure agreement. It’s possible more details may be released during Karpelès’s trial, but sources close to the Japanese police investigation believe that more than 80,000 BTC may already have been stolen by the time McCaleb sold Mt. Gox. Internal Mt. Gox documents we obtained corroborate this.

  Within a few months of its acquisition, the company went from having three thousand c
lient accounts to sixty thousand.

  On June 9, 2011, bitcoin skyrocketed, peaking at a new high of $31.91 on Mt. Gox. This drew unwanted attention.

  On June 18, exactly two years after Karpelès settled down in Japan, and fourteen weeks after the earthquake-tsunami–nuclear meltdown, the first serious setbacks with Mt. Gox occurred. Karpelès was woken up at 3:00 a.m. that day. William Waisse, a.k.a. “Neo futur,” called him on his cell phone to say that there were problems. Quickly, Karpelès confirmed what Neo futur was saying, and within seconds he had shut down the entire system.

  Hackers had always wanted to invade the exchange. Some had tried (and sometimes managed) to create denial-of-service (DOS) situations. McCaleb had reportedly put a fail-safe system in place so that any missing coins would be replaced by missing fiat money, the value of which was less likely to change. But that initial cybertheft of 80,000 BTC began a spiral of trouble that may well have led to the firm’s eventual financial collapse.

  In May 2016, Jake Adelstein and Nathalie Stucky, the authors of this book, were sent internal e-mails, contracts, and other documents relating to the implosion of Mt. Gox. All the documents were printed copies, and the envelope had no return address but appeared to have been posted from the Kasumigaseki district in Tokyo. Along with information provided by a former employee of bitcoin who had handled accounting for the firm, the documents reveal previously unreported details about how Mt. Gox failed and why. We set about verifying the e-mails with Karpelès’s lawyer—Nobuyasu Ogata—and former employees, as well as sources in law enforcement.

  This material, which included correspondence between Mark Karpelès and Jed McCaleb, suggests that Mt. Gox was plagued with problems from its earliest days, before Karpelès was involved. The documents, including the e-mails, were submitted to the Japanese courts as evidence for the Mt. Gox trial, which finally began in Japan in July of 2017 after nearly two years of delays.

  In an e-mail dated January 18, 2011, the year Karpelès was first approached about buying the site, McCaleb wrote:

  Hi Mark,

  Please keep all this confidential I don’t want to start a panic and I’m not sure I’ll do it yet but I’m thinking I might try to sell mtgox. I just have these other projects I would like to devote more time to.

  Would you be interested? It could be very little up front and just a payout based on revenue or something.

  There is also an investment group that wants to fund mtgox. Probably around $150k. So you could most likely take it over with some cash.

  Let me know

  Thanks,

  Jed

  When Karpelès agreed to purchase the company in February, he signed an agreement that included the unusual statement that “the Seller is uncertain if mtgox.com is compliant or not with any applicable US code or statute, or law of any country.” It also included a clause saying, “Buyer agrees to indemnify Seller against any legal action that is taken against Buyer or Seller with regards to mtgox.com or anything acquired under this agreement.”

  An e-mail of April that year, relating to the missing bitcoins, was probably the beginning of Karpelès’s nightmare:

  From: Jed McCaleb

  Date: 2011/04/28 22:33

  To: Mark Karpeles

  I can’t tell how big an issue it will be to be short 80k BTC if the price goes to $100 or something. That is quite a bit to owe at that point but mtgox should have made a ton of BTC getting to there. There is also still the fact that the BTC balance will probably never fall below 80k. So maybe you don’t really need to worry about it.

  There are 3 solutions I have thought of:

  - Slowly buy more BTC with the USD that Gox Bot has. Hopefully you would fill up the loss before the price got out of hand.

  - Buy a big chunk of BTC (really just moving the BTC debt to the USD side)[.] If BTC goes up this is a huge win. Problem is there isn’t enough BTC for sale on mtgox. Maybe you could find someone on the forum to do it?

  - Get those crystal island people to invest. They have 200+ BTC so they could fill in the gap.

  Maybe you could just mine it?

  We have tried to reach Jed McCaleb for several months both through his e-mail and social media accounts, but he has not responded.

  What is clear now is that the missing bitcoins might have been a small problem when Karpelès bought the company, but his own success would make the lost amount a huge burden.

  In the beginning of April 2011, 80,000 BTC was worth approximately $62,400.

  Maybe Karpelès went along with the suggested advice and figured he could make it back as he went along. But luck was not on his side. While he may have been trying to fill the hole, the price of bitcoins kept rising. By June 2, the value of the missing bitcoins had jumped to over $800,000.

  Unfortunately for Karpelès, he had signed a punitive nondisclosure agreement that left him unable to discuss the loss, and he faced the Sisyphean task of recovering the missing bitcoins on his own—a problem that became greater by the day and sometimes by the hour as the value of bitcoins rose. Jed McCaleb must have been relieved to have the shortfall off his back.

  It was not clear how the June 18, 2011, hack occurred, but investigators believe that hackers might have gained access to McCaleb’s administrator account, which was still active.

  Karpelès’s reaction was to move the majority of the bitcoins off-line into what is called “cold storage,” placing them in safety-deposit boxes dispersed among various banks in Tokyo. He only left enough online to make sure transactions could be carried out.

  The episode made him increasingly paranoid about hackers—almost obsessively so.

  The man in charge of accounting at Mt. Gox says he urged Karpelès several times to reconcile the BTC balance, the online balance, and the cash balance, saying he needed to know where the money was. “But Karpelès said it was mendokusai [a pain in the ass]. He claimed it was difficult and risky, because you’d have to put the cold-storage bitcoins in a hot wallet [online], which made them more vulnerable to cyber predators.” Karpelès thought they were safer in cold wallets.

  Virtual money was temporarily becoming paper money, and there were masses of it. The chief accountant understood Karpelès’s concern from a security perspective, yet he still felt that not reconciling the accounts was unwise. “But it’s his company,” he told us in an interview. “I thought, he’s the CEO, so I said okay.”

  Some former employees say that Karpelès might have made it all work. Later, however, the freezing and seizure of $5 million of Mt. Gox funds in May 2013 was another huge blow, cutting into the firm’s operating reserves and probably signaling the beginning of the end. One accountant remembers: “The first time I realized we’d lost a pile was sometime in early February 2014, when Mark called me into his office and said, ‘There is a chance that Mt. Gox might have to file for bankruptcy.’ And he asked me to go to the law firm Baker & McKenzie the next day to discuss it with them.” Apparently, Karpelès was eerily calm at the time—but he was always that way. “He was always smiling. He could look you in the eye and probably tell you, ‘Your socks don’t match,’ or ‘Oh, the office is on fire and we’d better leave before we burn to death’ and he would have the same strange smile on his face.”

  Was Karpelès a con man, a victim, a fall guy, or all of the above? Only the outcome of his trial will tell. But one thing is certain: he bought a company already missing tens of thousands of bitcoins, and within a few months of his taking over, due to the rapid rise in their value, Mt. Gox was in the hole for close to a million dollars.

  Did the thief who took them take hundreds of thousands—worth hundreds of millions of dollars—more? Someone did, in what may well be the heist of the century.

  The June 18 hack seems to have been the most significant theft at Mt. Gox that summer, but there were many minor security breaches in the same period. Around the time of the June 18, 2011, hack, it appeared that McCaleb’s administrative account had been compromis
ed, and an unconfirmed amount of about 20,000 BTC was stolen. Trading was halted for a week while the breach was resolved. That same month, the Mt. Gox user table was leaked. This contained thousands of usernames, e-mail addresses, and password hashes. Some clients in the leaked database had used the same usernames on MyBitcoin, a then-popular bitcoin wallet, and had their passwords cracked. Six hundred of them had their balances stolen. It was a fiscal disaster.

  Mt. Gox was able to recover from this by offering a public apology and reimbursing the lost funds. But they wouldn’t be able to make the same promise of reimbursement again.

  The hacks in June were a wake-up call for Karpelès. The first thing he did was put Mt. Gox’s bitcoins in what he believed was a safe place.

  I decided to use my portable PC running on Linux, due to the fact that it was shut down most of the time, which made it a more difficult target than a server. Then I encrypted the bitcoin wallet and put it on Dropbox to make sure that the bitcoins wouldn’t be lost, even if the portable computer’s hard disk died.

  Once I arrived at the office, and after posting an announcement on the site, I was finally able to understand what had happened. A hacker had created two accounts, credited a huge sum of bitcoins and US dollars, and artificially increased the sum in one of the accounts. He then tried to withdraw the bitcoins, but without success because I’d deactivated a routine that Jed had set up, and limited withdrawals to $1,000 per day at the current rate. The pirate then decided to force the rate down by selling a lot of bitcoins in order to be able to withdraw more. This caused an overload on the system, which made it impossible for him to withdraw the money before I woke up and shut down the entire system.

  Later on, I was able to discover that the hacker had used a flaw of the type called “SQL Injection” to get a list of the Mt. Gox users including Jed McCaleb’s administrative account and use it to modify the balance in Jed’s account. I didn’t know if there were other flaws in it, so I decided to reopen the site with a new, clean system. This meant that I had to rewrite the code from scratch, and quickly. I also decided that everything that happened during the hack and after would be blotted out, treating it as if it had never occurred.

 

‹ Prev