Mt. Gox Hack Technical Explanation
WizSec recently released a technical analysis of what ultimately led to the bankruptcy of Mt. Gox. In this article, I’m going to explain what the hackers stole and what likely happened.
September 2011 — Mt. Gox’s hot wallet private keys were stolen from a wallet.dat file.
2011 to 2012 — Additional coins were stolen from Bitcoinica, Bitfloor and others.
2012 to 2013 — Hacker emptied the wallets continuously from addresses associated with Mt. Gox’s private keys. In addition, whenever these wallets were emptied, the Mt. Gox systems somehow interpreted the spending as deposits, crediting some users with up to about 40,000 extra BTC.
Mid 2013 — Roughly 630,000 BTC total had been stolen from Mt. Gox. About 300,000 BTC of which ended up at BTC-e.
What Got Stolen
Bitcoin is spent using digital signatures. In order to create a digital signature, you have to have the private key. Most wallets these days encrypt these private keys with a password or PIN, but before September of 2011, the Bitcoin Core wallet did not encrypt them.
Wallet encryption was the major feature of the Bitcoin 0.4.0 release (released Sep. 23, 2011), as can be seen here. Thus, the attacker did not need any special password, but only the wallet.dat file, in order to gain access to the private keys. This file was stolen, perhaps through hacking, perhaps through a rogue employee or theft of a backup.
Why Funds Kept Coming In
It’s hard to fathom Mt. Gox not knowing that these keys were compromised, but that’s exactly what seems to have happened. Most of the company probably thought that funds were being moved to more secure addresses. Funds probably kept flowing into the compromised addresses because they were associated with customer accounts. This is a known problem for exchanges in that customers will often deposit funds to the same Bitcoin address over and over, even if new addresses are created for new funds.
The attacker gladly stole those funds even as Mt. Gox remained oblivious to the theft. There were even instances where actually stealing the funds resulted in deposits to various customers, creating 40,000 extra BTC on the Mt. Gox system.
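The page says the Mt. Gox systems "somehow" credited the attacker's spends as deposits. The toy deposit watcher below is an added example, not Mt. Gox's code, and the mechanism it models is an assumption: a watcher that credits every output paying a customer's deposit address, without checking whether the exchange's own keys signed the inputs, will treat a sweep that routes part of the stolen value back to a watched address as a fresh deposit. The hardened version refuses to credit self-spends and flags unexpected ones as evidence of key compromise. All addresses, transaction ids and the Tx shape are constructed for illustration.

```python
# Added illustration (not Mt. Gox's code). Transaction format, address names
# and the exact crediting rule are assumptions made for this example.
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list    # addresses whose private keys signed this transaction
    outputs: list   # list of (address, amount_btc) pairs


# Constructed sample: deposit address -> customer account the exchange watches.
WATCHED = {"1GoxDepositA": "alice", "1GoxDepositB": "bob"}


def credit_naive(tx, watched=WATCHED):
    """Credit every output that pays a watched address, regardless of who spent.
    Flaw: a sweep of the exchange's own coins that sends part of the value back
    to a watched address is indistinguishable from a customer deposit."""
    credits = {}
    for addr, amount in tx.outputs:
        if addr in watched:
            credits[watched[addr]] = credits.get(watched[addr], 0) + amount
    return credits


def credit_hardened(tx, watched=WATCHED, own_addresses=None):
    """Credit outputs only when no input was signed by an exchange-controlled key.
    A spend from our own addresses is an internal transfer at best and a sign of
    key compromise at worst; it is never a customer deposit."""
    own = set(own_addresses if own_addresses is not None else watched)
    if any(addr in own for addr in tx.inputs):
        return {}   # self-spend: credit nothing, hand the tx to review instead
    return credit_naive(tx, watched)


def is_unauthorized_self_spend(tx, own_addresses, expected_txids):
    """Detection rule: a spend from exchange keys that the exchange's own signing
    process did not issue means the private keys are in someone else's hands."""
    signed_by_us = any(addr in own_addresses for addr in tx.inputs)
    return signed_by_us and tx.txid not in expected_txids


# Constructed attacker sweep: 100 BTC leave alice's deposit address, 90 go to
# an attacker address and 10 are routed back to bob's deposit address.
SWEEP = Tx("tx-constructed-1", ["1GoxDepositA"],
           [("1AttackerXYZ", 90), ("1GoxDepositB", 10)])
# Constructed genuine deposit from an external customer wallet.
DEPOSIT = Tx("tx-constructed-2", ["1CustomerExt"], [("1GoxDepositA", 5)])
```

Running the naive watcher over SWEEP credits bob with 10 BTC that never entered the exchange, while the hardened watcher credits nothing and the detection rule flags the transaction.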
It’s obvious that Mt. Gox was not very good at security, but this is an unconscionable neglect of fiduciary duty. Thankfully, wallets have gotten a lot more secure and funds are a lot more difficult to steal.