
Mt. Gox Collapse 10th Anniversary: Who Was Behind It? How Did the Theft Happen?
The culprit remains a mystery.
By Mark Hunter, CoinDesk
Translated by Deng Tong, Jinse Finance
Japan's Bitcoin exchange Mt. Gox collapsed in February 2014.
Between March 2011 and January 2014, over 880,000 BTC were lost or stolen from Mt. Gox in various forms—now worth as much as $45 billion. Yet, on the 10th anniversary of Mt. Gox’s collapse, several critical questions remain unresolved.
Who Were the Culprits?
One key unanswered question is whether we know all the perpetrators. During Mt. Gox’s operation, more than 809,000 BTC were stolen across six hacking incidents. We only know two names linked to one of these attacks: Alexey Bilyuchenko and Aleksandr Verner, accused of being members of a Russian hacker group responsible for breaching the exchange in October 2011. Over 26 months, the two allegedly stole and laundered 647,000 bitcoins from the exchange’s cold wallets.
Verner and Bilyuchenko have only been charged by U.S. authorities. However, the charges are related to money laundering rather than the hacking itself, which may suggest insufficient evidence for direct hacking accusations.
Beyond these charges, filed in 2017 and made public last June, we do not know who stole the remaining 162,000 BTC. 79,956 BTC remain tied to the well-known address starting with "1Feex," while 77,500 BTC stolen in September 2011 have never been traced. That hack was so effective it wasn’t discovered until 2015.
Another individual stole 2,000 BTC in June 2011, causing Bitcoin’s price to plummet from $17.50 to just $0.01. Then there was the hacker who, while Mt. Gox CEO Mark Karpelès was away, accessed and attempted to steal more than half of the exchange’s Bitcoin holdings. The wallet was stored on a drive connected to an unsecured network. Fortunately for Karpelès, the hacker backed down and negotiated a 1% bounty, resulting in a loss of only 3,000 BTC instead of 300,000.
For all these events, we cannot definitively identify the culprits—and it’s now almost certain we never will. Given the similar methods used, many suspect the 1Feex attack was a trial run for the devastating vulnerabilities exploited between October 2011 and January 2014, but this has never been proven.
How Did the Theft Happen?
Of the 881,865 BTC lost from Mt. Gox, we can only confirm how 72,409 BTC went missing. Mt. Gox’s system recorded 30,000 BTC as customer deposits, though those funds had already been stolen. In October 2011, Mark Karpelès made an error that caused 2,609 BTC to be sent to a non-existent address. Two bots running on Mt. Gox, Markus and Willy, lost 22,800 BTC. Karpelès acquired the Polish exchange Bitomat in July 2011 for 17,000 BTC.
As for the rest, the entry points are either unknown or merely suspected. In the June 2011 hack, we know the attacker gained access to Mt. Gox servers via an administrator-level account. This was initially attributed to auditor Auden McKernan, but later revealed to be founder Jed McCaleb’s account—which he had sold to Mark Karpelès, who inexplicably retained administrative privileges. It is believed that during the 1Feex hack, when the entire Mt. Gox user database and 79,956 BTC were stolen, the hacker obtained detailed information.
Given that U.S. authorities are confident identifying Verner and Bilyuchenko as members of the group behind the October 2011 breach, they must possess some evidence supporting their claims. But unless a trial occurs (which is highly unlikely now that their names are public), those details may never be revealed.
How Secure Was Mt. Gox’s Bitcoin Storage?
Related to how hackers accessed Mt. Gox’s servers is the question of how they reached funds supposedly securely stored in cold wallets. We know that prior to the June 2011 hack, Karpelès kept users’ bitcoins in a haphazard manner across various physical and software wallets—an arrangement that worsened the impact of the hack and prolonged recovery efforts.
Karpelès claimed the incident prompted him to adopt a more secure system: splitting bitcoins into multiple paper wallets (he later said hundreds were involved) and storing them in bank vaults and safety deposit boxes across Tokyo. Thus, if hot wallets were compromised again—as in the 1Feex hack—the cold wallets should remain untouched.
This might seem sufficiently secure, but when it became known that Mt. Gox’s cold wallets had indeed been drained between October 2011 and January 2014, widespread skepticism emerged, including from Arianna Simpson, then a prominent Bitcoin blogger and a future general partner at crypto investment firm Andreessen Horowitz:
"If done correctly, cold storage wallets shouldn't be accessible through hot wallets, regardless of any leaks. That's the whole point of separating the two."
So how were the cold wallets compromised? Karpelès has never confirmed the specifics of his custom cold-hot wallet setup—likely to avoid lawsuits over mishandling of funds—but his interviews contain hints suggesting an inconsistent and sometimes illogical picture.
The only way to securely replenish a hot wallet from paper wallets is to physically retrieve the paper and manually execute multi-step transactions on a highly secure network. This would need to be repeated every time—a process entirely impractical for any Bitcoin exchange, regardless of size or transaction volume. No Mt. Gox staff reported seeing Mark Karpelès handling paper wallets. In fact, several key employees told me in the book *The Ultimate Disaster: How Mt. Gox Lost $5 Billion and Nearly Killed Bitcoin* that they only ever heard talk about hot wallets—never cold ones.
Could there have been a system that automatically refilled hot wallets when cold wallets ran low, or vice versa? That seems like the only feasible way the exchange could operate—yet it completely undermines the principle of cold storage security.
Did Karpelès Know the Exchange Was Insolvent?
This remains a major point of contention. Karpelès insists he didn’t realize the exchange had collapsed until mid-February 2014, when he checked the cold wallets—but this claim has flaws. Mt. Gox began experiencing Bitcoin withdrawal issues as early as August 2013, which should have raised red flags. Yet Karpelès apparently didn’t believe Mt. Gox was under-reserved, despite the exchange having suffered multiple hacks.
When the "transaction malleability" vulnerability surfaced in early 2014, Karpelès quickly blamed withdrawal delays on it, though carrying out even small thefts through this flaw required significant social engineering. He also stated he didn’t suspect any losses due to monitoring systems. If such systems existed, they were poorly designed, indicating serious mismanagement at the exchange.
Needless to say, many don’t believe Karpelès only discovered the losses in February 2014. Others go further, alleging that Karpelès not only knew about the missing bitcoins but actively used the Willy and Markus bots to cover up the shortfall. If that was his intention, it backfired spectacularly: before the collapse, the two bots lost 22,800 BTC and $51.6 million.
Simply put, we can only speculate about how Mt. Gox’s bitcoins were protected—unless and until Mark Karpelès chooses to tell us otherwise.