Mt. Gox hack

How can millions of dollars disappear without trace? This is the question Mt. Gox, the largest Bitcoin exchange in the world, was faced with in early 2014.
On 7 February, the exchange suddenly ceased trading, saying it had discovered a "transaction malleability" bug and locked customers out of their accounts. The organisation would later blame hackers for stealing $460 million-worth of Bitcoins over the course of three-to-four years, causing a crash in the value of the cryptocurrency.
Hacking, Distributed has done a good rundown of all the explanations given for what happened in 2014 - which may ultimately have been fraud or negligence, according to two lawsuits.
While this crisis led to the eventual bankruptcy of Mt. Gox, there was an earlier hack that foreshadowed what was to come in 2014.
On 13 June 2011, 478 Mt. Gox accounts were robbed of a total of 25,000 bitcoins (worth between $375,000 and $500,000 at the time), which were all transferred into a single account.
Mt. Gox largely blamed the victims for the theft, as the perpetrator had apparently used valid account passwords to gain access and carry out the transaction.
"As a reminder we assume no responsibility should your funds be stolen by someone using your own password," said Mt. Gox CEO Mark Karpeles, using the alias MagicalTux.
However, the 25,000-bitcoin theft was just the beginning. Towards the end of the same week, it became apparent the reason the 478 accounts were compromised using their own passwords was because a hacker had managed to access the Mt. Gox database and steal the usernames and passwords of all 60,000+ customers.
Karpeles seemed initially quite relaxed about claims the entire Mt. Gox database had been compromised, saying: "Passwords are encrypted one way (+salt). Someone cannot be selling 'user + pass' unless he has some way to revert this."
By 20 June, though, he was taking things a bit more seriously, when a huge Bitcoin sale from one of the compromised accounts caused the value of the cryptocurrency to crash to near zero.
In an official announcement on the Mt. Gox site, Karpeles explained that an admin account had been compromised and the attacker responsible had used the associated permissions to "arbitrarily assign himself a large number of bitcoins, which he subsequently sold on the exchange".
In doing this, the hacker flooded Mt. Gox with more bitcoins than were actually in the exchange's wallet, bringing the value of the cryptocurrency crashing down from $17.50/btc to $0.01/btc, while also relieving another account of 2,000 bitcoins.
In the same statement, Karpeles also confirmed the loss of the Mt. Gox database, stating this was likely how the hacker gained access to the admin account that caused the crash and the one that was robbed of 2,000 bitcoins.
The damage was undone by shutting down the exchange and rolling back the transactions that had taken place during the attack, while the lost 2,000 bitcoins were refunded at Mt. Gox's own expense.
What made the attack possible and successful, though, wasn't just the SQL injection vulnerability in the Mt. Gox code that gave the hacker access to the user database, or the fact that usernames and email addresses were stored in plain text, or that it used the MD5 hashing algorithm rather than a more secure SHA-2 alternative, or even that about 1,600 of the passwords were hashed but unsalted.
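The credential-storage weaknesses listed above (legacy MD5, a subset of rows with no salt) are the kind a routine audit of the stored user table should surface, and the standard fix is to rehash each account onto a salted SHA-2-based scheme at its next successful login. The following is an added illustration, not code from Mt. Gox or from the article; the record layout, the sample rows and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; assumed value for this example


def md5_unsalted(password: str) -> str:
    """Legacy scheme: unsalted MD5, the weak form the article says ~1,600 records used."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_sha256(password: str, salt: bytes) -> str:
    """Salted SHA-2-based scheme used here as the upgrade target."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def new_record(user: str, password: str) -> dict:
    """Build a row under the salted scheme with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return {"user": user, "algo": "pbkdf2_sha256", "salt": salt.hex(),
            "hash": pbkdf2_sha256(password, salt)}


def audit(records: list) -> dict:
    """Count rows still on a weak or unsalted scheme and find unsalted hashes shared by
    several users: identical unsalted hashes mean identical passwords, so one lookup
    in a precomputed table exposes every account sharing that hash."""
    unsalted = [r for r in records if r["algo"] == "md5" or not r["salt"]]
    seen = {}
    for r in unsalted:
        seen.setdefault(r["hash"], []).append(r["user"])
    shared = {h: users for h, users in seen.items() if len(users) > 1}
    return {"total": len(records), "unsalted": len(unsalted),
            "shared_unsalted_hashes": shared}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login with a constant-time compare; if it succeeds on the legacy scheme,
    rewrite the row to the salted one (the plaintext is only available at login time)."""
    if record["algo"] == "md5":
        ok = hmac.compare_digest(md5_unsalted(password), record["hash"])
        if ok:
            record.update(new_record(record["user"], password))
        return ok
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(pbkdf2_sha256(password, salt), record["hash"])


# Constructed sample table (not Mt. Gox data): two legacy unsalted rows that share a
# password, plus one row already on the salted scheme.
RECORDS = [
    {"user": "alice", "algo": "md5", "salt": "", "hash": md5_unsalted("hunter2")},
    {"user": "bob", "algo": "md5", "salt": "", "hash": md5_unsalted("hunter2")},
    new_record("carol", "correct horse battery staple"),
]
```

Running `audit(RECORDS)` before and after a successful `verify_and_upgrade(RECORDS[0], "hunter2")` shows the unsalted count drop from 2 to 1 and the shared-hash finding disappear.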
It was Karpeles' own unique brand of hubris and naïveté. Failure to take seriously the complaints of the original 478 customers whose accounts were compromised - or even to consider it a bit weird that nearly 500 people were hacked on the same day - was a serious misstep; following it up by seemingly not caring that someone had stolen an entire user database is mind-blowing.
In light of what happened in 2011, Mt. Gox's complete failure in 2014 was perhaps inevitable.