What does a Russian man vacationing in Greece in 2017 have to do with the hacking of a crypto-currency company in Tokyo, in 2014? Find out...
The Malicious Life Podcast by Cybereason examines the human and technical factors behind the scenes that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution, with host Ran Levi interviewing hackers and other security industry experts about hacking culture and the cyber attacks that define today’s threat landscape. The show has a monthly audience of over 200,000 and growing.
Born in Israel in 1975, Malicious Life Podcast host Ran Levi studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile, about the history of perpetual motion machines; The Little University of Science, a book about all of science (well, the important bits, anyway) in bite-sized chunks; and Battle of Minds, about the history of computer malware.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under a Creative Commons License. The Malicious Life podcast is sponsored and produced by Cybereason.
July 25th, 2017. Chalkidiki Peninsula, Greece. Alexandra Vinnik is at the beach, on summer vacation with her family. She’s in the water with her two children, swimming, when she turns to look towards the shoreline.
“Some 20 people took part in the arrest, wearing shorts, tops and sunglasses,” Alexandra told Russia Today, the media arm of Russia’s state propaganda. “I didn’t understand who they were and what that was about. In a minute, I saw my husband handcuffed, sitting on a sunbed. He didn’t resist, it was a complete shock for him.”
Alexandra and her children would be held at the beach for the following eight hours, without food, her phone and hotel room key confiscated, as they waited under the watchful eye of three plainclothes officers. Later in the evening, Alexandra contacted the Russian consul in Greece. Her husband was brought back to her, briefly, so that she could say goodbye.
There’s no way for us to know whether, in those moments, Alexandra Vinnik was aware that her husband was being taken into custody in connection with a financial crime committed three and a half years earlier, halfway across the world.
So what does a Russian man, vacationing in Greece in 2017, have to do with the hacking of a cryptocurrency company in Tokyo, in 2014?…
A Surprise
With protests mounting outside his home and offices, and thousands of customers missing millions of dollars, Mark Karpeles placed himself under voluntary house arrest in March of 2014. Then, when he finally came out, he had a surprise: 200,000 Bitcoin.
Apparently, while confined to his Tokyo penthouse, Mark decided to investigate his company’s hacking. He went back into the Mt. Gox databases and, having searched through all of their now-emptied wallets, happened upon 200,000 Bitcoin just sitting, stored away, in an “old-format” wallet. Somehow, through a severe lack of accounting oversight, 200,000 Bitcoin had been left in a wallet the company no longer actively managed. The file had been archived, but it remained in the cloud all those years. It’s as if Mt. Gox got robbed, then Mark checked under the company’s living room sofa and found millions of dollars nobody had previously taken note of. Maybe they all thought that big lump under the couch cushion was just part of its design…
The discovery of 200,000 Bitcoin, a full quarter of the coins previously thought lost forever to hackers, might seem like the type of thing that would turn public opinion for the better. But the reaction to Mark’s announcement was mixed, to say the least. If you believed Mark’s story of how he came upon the money, this was a silver lining to an otherwise bad story. If you believed Mark was the hacker himself, this unbelievable story about “accidentally” coming upon 200,000 missing coins smelled fishy, like some sort of trick to throw us off his scent.
Mark insisted to journalists that he wanted no part of the 200,000 Bitcoin he’d found, but whatever goodwill that might have earned him was undercut by another, unexpected development. A development which requires some background in Japanese bankruptcy law. More on that in a bit.
Willy The Bot
In addition to government authorities in the U.S., Japan and elsewhere, many members of the Bitcoin community joined the effort to investigate and, hopefully, recover Mt. Gox’s lost money. The first breakthrough came in late spring 2014, when a detailed technical document was posted to the web by a Tokyo-based software engineer. The document was the culmination of a longstanding inquiry within the Mt. Gox community into suspicious trading activity on the exchange itself. The theory was first publicly introduced by a Reddit user named “paleh0rse”, who noticed something patently wrong with the site’s activity. They wrote (and I quote): “At approximately 0102 EST on 7 January 2014, the Gox trading API went offline for everyone in the world… EXCEPT Willy, the infamous buy bot suspected of belonging to Mount Gox itself. During the next ~90 minutes, Willy continued to buy his usual 10-19 BTC every 6-20 minutes while nobody else in the world could trade.”
“Willy”, the bot first given its name in paleh0rse’s post, had been discussed by traders as far back as December 2013. It appeared that, throughout December 2013 and January 2014, between ten and twenty Bitcoin were being bought, consistently, every five to ten minutes. The red flag wasn’t the amount of Bitcoin being traded, of course. It was the nonstop, unfailing consistency of the pattern, and the fact that it continued even while Mt. Gox’s service was shut off to the public. This was a bot. But whose bot was it? Was it Mt. Gox itself?
“Glitch in the System”
“When internal data from Mt. Gox leaked, following their insolvency, it offered the conspiracy theorists hard information to draw from. Essentially, there was a leaked data set of Mt. Gox trades that was leaked on Reddit.”
This is Kai Chang. When Mt. Gox user data leaked, he worked with a partner, Eric Rodenbeck, to produce graphical representations that could suss out some of the patterns in the data. Nate Nelson, our producer, spoke with them.
“And we sort of sat on it for a couple of weeks and at some point, there was just a lot of media coverage around this incident. It sort of coincided with the crash in bitcoin’s price, which had sort of a lot of eyes drawn to these sort of negative events. And we decided we would sort of look into this data set a little more.”
If you were to look at Kai’s graphs, they might appear rather innocuous. That is, except for one.
“And then this Glitch in the System is a strange user. We are not sure exactly what this is and we didn’t investigate it further. But it has many buys at very strange prices that don’t correspond at all to the market price of bitcoin.”
Kai’s team named this user the “Glitch in the System” because of how odd it was. Picture hundreds of graphs, with dots that generally take the shape of curves and sloped lines, sort of like stocks. Then there’s the Glitch, whose lines go straight up and down, like a barcode.
Kai: Yeah. So in our graph, we’ve plotted on a log scale from 2011 to the end of 2013 the price of bitcoin trades. And so you see these sort of lines peaking up and falling down and peaking up and falling down corresponding to sort of the boom/bust cycle of bitcoin as people are buying and selling bitcoin.
This particular user from February 2013 to September 2013, it has a couple of trades that follow that pattern but for the most part, there are these vertical stripes of just buying bitcoin at all various prices from 100 to 100,000 Yen, could be within minutes of each other buying bitcoin for prices that are thousands of times different. So it doesn’t seem to make any sense.
And if you look at a couple of the other users in these visualizations, you’ll see that they are actually selling bitcoin and they also have some of these stripes. It’s not usually their primary activity but somehow their account sold bitcoin to this particular user at very strange prices. And it shows up in these visualizations as these stripes of dots.
Interviewer: Right.
Eric: It’s just clear that no rational person or market, whatever, behaves in this way. Like, what you’re doing when you’re buying and selling is to try to buy low and sell high, and suddenly one of these accounts just decides to both buy and sell at low and high in ways that are entirely outside of the price of what the currency is going for.
Kai: It was as if you had some houses and you were going around and someone says, “Oh, I’ll pay you $500,000 for the house.” And you say, “That sounds good. I’ll sell you the house.” And then someone else says, “Oh, I’ll pay you $5 for this other house.” And you say, “That sounds good. I’ll sell you the house.”
Kai and Eric themselves weren’t interested in following up the study. But then, on May 25th, 2014, came “The Willy Report”. In it, its author lays out the trail of breadcrumbs, illuminating what exactly this Glitch in the System might have been.
Two Question Marks
The Willy Report solved one key issue: pinning down Willy’s account. You see, many people already knew about Willy, but nobody could pin him…it…down. It turned out Willy wasn’t associated with a single account at all. The report’s author tracked Willy’s buying pattern in the final days of November and, instead of finding one account demonstrating suspicious activity, found many. All of the user IDs which displayed the suspicious buying pattern also shared strange characteristics. The values for “state” and “country” associated with these accounts, in other words where they purported to be trading from, were simply two question marks. Verified Mt. Gox accounts have legitimate values in these fields, matching the real-world location of the user. Even suspicious or otherwise unverified exchange participants generally displayed either two exclamation points, or nothing at all, in those fields, but never question marks.
When the Willy Report author accumulated all accounts with question marks for state/country fields, they noticed a remarkable pattern. First, each of these User IDs would complete trades of very specific dollar amounts: say, 10,000 dollars, never 10,001 or 10,234. Next, the IDs would deactivate, but then another User ID with the same buying pattern would always pop up within the following few hours. It seems Willy’s creator was clever–anticipating that a single User ID, purchasing the same amount of coin, over the same time intervals, might alert community members. The bot would instead kill and birth new accounts regularly, and buy varying amounts of coin, so that it would appear to be the product of many community members instead of one. This pattern was discovered going back to September 27th of 2013.
The most common amount of money purchased by Willy was two and a half million dollars. It never, once, sold any Bitcoin. By the end of November, Willy had purchased a full 112 million dollars’ worth of cryptocurrency. The effect was that the entire market skyrocketed. In late October 2013, Bitcoin was trading for around 200 dollars a pop. After a month, one Bitcoin cost over 1,000 dollars. Investors speculated at the time that the price jump could have been the result of an influx of wealthy Chinese investors, or the FBI bust of an online black market for drugs, called “Silk Road”, which used Bitcoin as its currency. Nope. It was Willy all along.
Willy’s identity wasn’t clear at this point, but it soon would be, as the trail of breadcrumbs turned out to lead back well before late 2013. Among the other strange qualities of the Willy user IDs, the report’s author noted that the first Willy account had an inordinately high ID number. All Mt. Gox user IDs are numbered sequentially and, to that point in the exchange’s history, those numbers went up to about 650,000. The first Willy ID was 807884, which seemed rather artificial. It’s like if you’re at a deli counter, and you get a number for your place in line, and everyone else’s numbers are ordered sequentially, 2, 3, 4, et cetera, but your ticket says 458. Upon closer inspection, it turned out there was one other outlier account, with the ID number 698630. User 698630 lived for about eight months, then became deactivated on…September 27th, just seven hours before Willy was born. This could be no accident.
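To make the Willy Report’s reasoning concrete, here is an added example, not code from the podcast, from the report, or from Mt. Gox, that runs those same checks over a small constructed trade log. The log format, every row in it, and the user-ID ceiling of 650,000 are assumptions made for the example; the rules themselves follow the observations above: “??” in the state and country fields, order sizes that are whole multiples of a round dollar figure, buy-only accounts, user IDs far above the highest one the exchange had issued, and a quiet account being replaced by a fresh one within a few hours.

```python
"""Account-level heuristics from the Willy Report, run over a constructed trade log.

Added example; this is not code from the podcast, the Willy Report or Mt. Gox.
The log format (timestamp,user_id,state,country,side,btc,usd), the ID ceiling
and every row are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Mt. Gox data). 412001 is an ordinary
# verified trader, 519377 an unverified one ("!!"), 807884/807885 the bot.
SAMPLE_LOG = """\
2013-11-20T00:05:00,412001,CA,US,buy,2.0,1120.50
2013-11-20T00:07:00,412001,CA,US,sell,1.0,560.25
2013-11-20T01:00:00,807884,??,??,buy,17.85,10000.00
2013-11-20T01:10:00,807884,??,??,buy,17.60,10000.00
2013-11-20T01:20:00,807884,??,??,buy,4464.29,2500000.00
2013-11-20T02:00:00,519377,!!,!!,buy,0.5,281.00
2013-11-20T03:30:00,807885,??,??,buy,17.92,10000.00
2013-11-20T03:40:00,807885,??,??,buy,17.88,10000.00
"""

# Assumed highest user ID legitimately issued at the time (the report put it
# near 650,000); anything far above it looks hand-assigned.
ID_CEILING = 650_000


def parse_log(text):
    """Parse CSV lines into dicts, sorted by timestamp."""
    trades = []
    for line in text.strip().splitlines():
        ts, uid, state, country, side, btc, usd = line.split(",")
        trades.append({"ts": datetime.fromisoformat(ts), "uid": int(uid),
                       "state": state, "country": country, "side": side,
                       "btc": float(btc), "usd": float(usd)})
    return sorted(trades, key=lambda t: t["ts"])


def is_round_usd(usd, unit=500.0):
    """True for order sizes that are whole multiples of `unit` dollars."""
    return abs(usd / unit - round(usd / unit)) < 1e-9


def profile_accounts(trades, id_ceiling=ID_CEILING):
    """Per-account flags, one for each Willy Report heuristic."""
    by_user = defaultdict(list)
    for t in trades:
        by_user[t["uid"]].append(t)
    profiles = {}
    for uid, rows in by_user.items():
        profiles[uid] = {
            "question_mark_geo": all(r["state"] == "??" and r["country"] == "??" for r in rows),
            "buy_only": all(r["side"] == "buy" for r in rows),
            "round_usd": all(is_round_usd(r["usd"]) for r in rows),
            "out_of_sequence_id": uid > id_ceiling,
            "first": rows[0]["ts"],
            "last": rows[-1]["ts"],
        }
    return profiles


def suspicious(profile):
    """Require the three trading-behaviour flags together; the ID check is
    reported separately because a high ID alone proves nothing."""
    return profile["question_mark_geo"] and profile["buy_only"] and profile["round_usd"]


def handoffs(profiles, window=timedelta(hours=6)):
    """(old_uid, new_uid) pairs where one suspicious account goes quiet and
    another suspicious account places its first order within `window`."""
    sus = [uid for uid, p in profiles.items() if suspicious(p)]
    pairs = []
    for old in sus:
        for new in sus:
            gap = profiles[new]["first"] - profiles[old]["last"]
            if new != old and timedelta(0) <= gap <= window:
                pairs.append((old, new))
    return sorted(pairs)


if __name__ == "__main__":
    profiles = profile_accounts(parse_log(SAMPLE_LOG))
    for uid, p in sorted(profiles.items()):
        print(uid, "SUSPICIOUS" if suspicious(p) else "ok", p)
    print("handoffs:", handoffs(profiles))
```

Run stand-alone, it prints a profile per account and the hand-off pair. In a real investigation the round-amount unit, the ID ceiling and the hand-off window would be tuned against the leaked data, and the out-of-sequence ID is reported but never used on its own to flag an account.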
Markus The Bot
The author of the Willy Report named this parent bot “Markus”. Markus had state/country fields indicating it was located in Tokyo, Japan. Its trading activity was much stranger than Willy’s, though–it never paid fees on transactions, and would purchase large sums of Bitcoin at seemingly random price points. Sometimes, Markus bought coin at prices so low you’d wonder who in the world would’ve been willing to sell to it at that rate. Other times, Markus bought at unbelievably high prices which brought into question why anybody would pay such unnecessary amounts for what could otherwise be bought with much less.
The randomness with which Markus paid for Bitcoin, ultimately, indicated something much more sinister. It turned out these values weren’t just random, they were meaningless. Markus was trading for Bitcoin, but never paying for any of it.
In total Markus bought about 300,000 Bitcoin over its lifespan. Willy, afterwards, would purchase around 350,000. That means, between the two bots, around 650,000 Bitcoin were purchased.
650,000…like the 850,000 Bitcoin lost from Mt. Gox in February 2014, minus the 200,000 recovered by Mark Karpeles. Evidence, or coincidence?
The amount of money managed by Markus and Willy seems unusually parallel to the amount of Bitcoin missing from Mt. Gox, but remember too: Willy continued to operate when Mt. Gox was shut down, and Markus operated out of Tokyo, Japan–the location of the company’s headquarters. So was this the hacker, was it Mt. Gox, or was it evidence that the hacker was Mt. Gox?
Who Operated The Bots?
Kim Nilsson is the Swedish computer scientist and former Mt. Gox investor whose work helped uncover the bevy of hacks Mt. Gox faced long before 2014. Where the Willy Report first published the patterns of Willy’s automatic purchasing activity, Kim was able to analyze one further aspect of its behavior: when it shifted, from automatic to manual control.
It turns out Willy wasn’t entirely automatic. Its behavior changed at certain, identifiable points over time, whether in the amount of coin purchased, the interval between orders, or specific transactions that went above and beyond the machine’s typical buying pattern. Whenever the data diverged from the norm, it was evidence of human intervention.
The anomalous data Nilsson tallied up revealed a few, key patterns. There were no manual actions taken upon Willy during what were typical sleeping hours in Japan, or during weekends. Most of the actions were taken during typical workday hours in Japan, though many were also enacted after typical work hours. There was a notable gap in manual actions during the Christmas holiday break. In all: it appeared somebody in Japan was operating Willy as part of their work duties.
There was one more, notable trend in Nilsson’s findings. Right as February 2014 approached, the Willy bot suddenly reversed course: where it only bought, never sold Bitcoin in its lifespan beforehand, now it began exclusively selling off significant amounts of coin.
February 2014, you’ll recall, is when Mt. Gox became aware that they were insolvent.
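Nilsson’s working-hours argument is a general technique: bucket each anomalous event by local time for a candidate time zone and see which zone leaves the fewest events in sleeping hours and on weekends. The following is an added example, not code from the podcast or from Nilsson’s analysis; the event timestamps are constructed (weekday Japan office hours with a break at the end of December), and the bucket boundaries are assumptions. It goes one step beyond the text by scoring every whole-hour UTC offset rather than testing Japan alone.

```python
"""Inferring an operator's time zone from the timestamps of manual interventions.

Added example, not code from the podcast or from Kim Nilsson's analysis. The
events are constructed and the bucket boundaries (sleeping before 07:00,
office hours 09:00-18:00, weekends) are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Japan observes no daylight saving time, so a fixed UTC+9 offset is exact.
JST = timezone(timedelta(hours=9))


def local_bucket(ts_utc, offset_hours):
    """Classify one UTC timestamp by the local schedule at a given UTC offset."""
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    if local.weekday() >= 5:
        return "weekend"
    if local.hour < 7:
        return "sleeping"
    if 9 <= local.hour < 18:
        return "office_hours"
    return "after_hours"


def summarize(events, offset_hours=9):
    """Counts of each bucket for the given offset."""
    return Counter(local_bucket(e, offset_hours) for e in events)


def implausibility(counts):
    """Penalty: events in sleeping hours or at weekends count 3, after hours 1."""
    return 3 * (counts["sleeping"] + counts["weekend"]) + counts["after_hours"]


def rank_offsets(events):
    """Every whole-hour UTC offset, lowest penalty first."""
    scored = [(implausibility(summarize(events, off)), off) for off in range(-12, 15)]
    return sorted(scored)


def best_offsets(events):
    """All offsets tied for the lowest penalty. Timestamps alone rarely pin a
    zone to a single hour, so a band of neighbouring offsets is expected."""
    ranked = rank_offsets(events)
    return [off for score, off in ranked if score == ranked[0][0]]


def largest_gap(events):
    """(start, end) of the longest silence between consecutive events."""
    ordered = sorted(events)
    return max(zip(ordered, ordered[1:]), key=lambda pair: pair[1] - pair[0])


def constructed_events():
    """Constructed anomaly timestamps: weekday interventions at 10:00, 13:00,
    16:00 and 19:00 JST from 2 Dec 2013 to 14 Jan 2014, skipping
    24 Dec to 3 Jan, converted to UTC."""
    events = []
    day = datetime(2013, 12, 2, tzinfo=JST)
    break_start = datetime(2013, 12, 24, tzinfo=JST)
    break_end = datetime(2014, 1, 3, tzinfo=JST)
    while day < datetime(2014, 1, 15, tzinfo=JST):
        if day.weekday() < 5 and not (break_start <= day <= break_end):
            for hour in (10, 13, 16, 19):
                events.append(day.replace(hour=hour).astimezone(timezone.utc))
        day += timedelta(days=1)
    return events


if __name__ == "__main__":
    ev = constructed_events()
    print("JST buckets:", dict(summarize(ev, 9)))
    print("EST buckets:", dict(summarize(ev, -5)))
    print("best offsets:", best_offsets(ev))
    start, end = largest_gap(ev)
    print("longest silence:", start.astimezone(JST), "->", end.astimezone(JST))
```

A band of neighbouring offsets ties for the best score; the result is used to rule zones out (US Eastern, for instance, puts Monday-morning Japan events on Sunday evening) rather than to prove one in. The longest silence surfaces the holiday gap the text describes.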
A Veritable Crisis
In part one of this double episode, I told you about some of the many hacks that hit Mt. Gox during 2011. But I left out a few of them, because they occurred before Mark Karpeles had even taken over the company.
On March 1st, 2011, after Mark had signed on to take over the company, but just before it was formally handed over, a hacker breached the company’s servers and copied the wallet.dat file for an entire hot wallet. A hot wallet, for context, is a wallet whose private keys sit on an internet-connected server so the exchange can sign customer withdrawals on demand; wallet.dat is the file in which the Bitcoin reference client stores those keys, so whoever copies it can spend everything the wallet controls. With the keys in hand, the thief moved 80,000 Bitcoin out of Mt. Gox into a single Bitcoin address. Interestingly enough, the hacker never actually used their stolen money. It’s hard to believe somebody would just forget about 80,000 Bitcoin, but it all remained at that address, never converted, never withdrawn, and still locked away from those who would wish it returned.
80,000 Bitcoin may not have seemed all that dire to a flourishing 2013 Mt. Gox, but to a fledgling, 2011 Mt. Gox, it was a veritable crisis. In a very real sense, the Mt. Gox company was insolvent even before its sale to Mark Karpeles, whether Jed knew it or not. Mark realized only after the fact that he’d bought a broken product, and now he needed a solution. It was Jed who first suggested buying up coin using a software bot, to try and make up the difference over time.
And so, Mark created a bot that would trade Bitcoin to such an extent that it could manipulate the entire market, with the effect of making money for its owner. Markus and Willy, it turns out, were no hackers at all. They were Mt. Gox projects, put in place to try to make up for losses accrued even before Mark took over the company. So Mt. Gox was trading its own liabilities on its own exchange. It’s sort of like punching yourself in the eye to forget about your broken leg. Mark Karpeles would later offer his excuse for having run illegal bot activity on his own exchange, claiming he did it only for the good of the company. Many didn’t believe him, but the evidence suggests this was not a lie.
Some employees claimed the measures put in place to dig Mt. Gox out of its hole were working. But then, the price of Bitcoin just kept rising, and rising–those missing coins becoming more and more expensive to make up. Mark was chasing a finish line that kept moving further away. Willy might have succeeded, had it been perfectly programmed to read and react to the Bitcoin market. But it wasn’t able to do that, and the result of the effort left Mt. Gox even deeper in the hole. The bot caused a net loss of 22,800 Bitcoin, a total of 50 million dollars.
The final blow came when U.S. officials seized five million dollars from the company’s U.S. bank accounts. No longer could bots, or any other stopgap measures, make up the gap.
Mark In Jail
As his paranoia grew and his company’s future plummeted, Mark appeared unfazed to friends and colleagues. “He was like a more stoic version of the Cheshire Cat,” Mt. Gox’s head accountant recalled to The Daily Beast. “He was always smiling. He could probably tell you, ‘Oh, the entire office is on fire and we’d better leave before we burn to death’ and it would be the same expression.” To those who knew him, Mark was just strange like that. To the public, it must have been confusing and suspicious that a man being taken from his home in handcuffs would have looked so relaxed about it all.
The first of August, 2015, was when a 30-year-old Mark Karpeles was arrested by Japanese police, on charges that he had manipulated Mt. Gox’s records to artificially add one million dollars to his personal account and had stolen 166,000 dollars from Mt. Gox user accounts for himself. While locked up, though, and pressed day and night about having stolen and pocketed money from his own company, Mark never once admitted to the crimes of which he was accused.
Still, this was late 2015, and Mark Karpeles was being held in jail on charges amounting to much less than one percent of the total money lost in Mt. Gox’s insolvency. During this time, former Mt. Gox employees were publicly disclosing to media outlets Mt. Gox’s practice of dipping into customer accounts to cover its financial losses, but none of those accusations made their way into Mark’s legal case. The crimes being alleged against him, really, had very little to do with the Mt. Gox hack at all. And yet, for a public that sought justice against Bitcoin’s public enemy number one, it was something.
It wouldn’t be until July of 2016, just about one year after his initial arrest, that Mark Karpeles left a Japanese jail on bail. He lost 70 pounds while behind bars and deprived of quiche. Before jail, Mark looked like the kind of guy you’d expect near the finger food table at a party, in a t-shirt, commenting on the dip. The Mark who left jail was a new man: sharply dressed, hair cut, the kind of guy you’d find at a party smooth-talking a lady. The upgraded look was merely a thin veil, though, over his continued, anxious, never-ending legal, financial and personal journey. The lost Mt. Gox Bitcoin hadn’t yet been recovered, even in part. His upcoming trial in the Japanese courts was looming.
The Trial Starts
That day came on July 11th of the following year. The prosecution charged Mark on two fronts: embezzlement and breach of trust, related to payments Mark made from the company to himself for personal gain, and manipulation of his personal account balance, related to the activity of his Markus bot. Notably left out of these charges were any accusations of crimes involving anyone besides Mark, such as the operation of the Willy bot which, despite having a similar effect to Markus, did not specifically originate from Mark’s individual account. Even more notably, the allegations made no mention whatsoever of the theft of 650,000 BTC from Mt. Gox, or of any potential crimes on Mark’s part that allowed for, or otherwise related to, it.
Mark, for his part, admitted to operating his bot. In fact, he didn’t deny any aspect of the prosecution’s factual claims; he merely attempted to reverse the narrative the Japanese prosecutors were painting of him. In his opening statement, Mark said the following:
“I am innocent of all charges. […]What is being called ‘fraudulent creation of private electronic records’ was in reality a business function called ‘obligation exchange’, by which MtGox’s BTC and USD liabilities towards its customers could be exchanged at market value for the purposes of keeping MtGox’s debt portfolio reasonably balanced. […] Regarding this prosecution, I swear to God that I am innocent. Nevertheless, I would like to say something to everyone. […] Through the collapse of MtGox, I have caused enormous trouble for the many customers, and as the representative I would like to offer my apologies from the bottom of my heart.”
As his trial was picking up, years after the bad news about his company first broke, Mark Karpeles was still receiving regular hate mail. This time, though, most of it was related not to the hack itself, or to his trial, but to a different problem working against him.
A Strange Turning Point
At the beginning of this episode, we talked about one of the strangest turning points in the Mt. Gox story: when Mark Karpeles, searching through his now-defunct company’s emptied files, happened upon 200,000 Bitcoin previously unknown to him or anyone else. He figured this was great news. You’d probably have figured the same. But to many it wasn’t. Those who suspected Mark of being his company’s hacker suspected the move was merely a diversion, to lead investigators off his trail. But what really triggered former Mt. Gox users was what 200,000 recovered Bitcoin meant, by law, for the ongoing question of whether they would ever be repaid.
First, the obvious: 200,000 recovered Bitcoin meant that investors who lost money in Mt. Gox would get back money they otherwise wouldn’t have, had nothing been recovered at all. The twist has to do with Japanese bankruptcy law. According to statute, a Japanese company’s liabilities are handled in bankruptcy proceedings according to the market value of those liabilities at the time the proceedings were first initiated. The idea is that creditors won’t lose out if a company’s holdings lose value over the time it takes to complete a bankruptcy case. In Mt. Gox’s case, the law had the exact opposite effect. In early 2014, one Bitcoin was worth under 500 dollars. By the time the bankruptcy proceedings hit their stride in 2017, Bitcoin had hit its all-time high of over 17,000 dollars per coin. Because Japanese law was concerned only with the market value of the lost Bitcoin at the start of proceedings, rather than the number of coins lost, Mt. Gox customers were entitled to get their money back only at that near-500-dollar rate. In practice, this meant they would receive just 12 percent of the money then up for grabs. The remaining 88 percent? Mt. Gox’s lawyers had a basis to argue it belonged to Tibanne Hong Kong, Mt. Gox’s parent company, in which Mark Karpeles was the largest stakeholder. So, after everything, Mark Karpeles was set to come into a multi-million dollar windfall.
Even though Mark had little influence over the matter, this quirk of Japanese law had the effect of further demonizing him to the general public. In a way, it only led to more problems for him. Had the 200,000 coins simply been handed back to investors, it’s quite possible the Mt. Gox story could have petered out from there: 200,000 Bitcoin represented less than a third of the coins missing from Mt. Gox customer accounts, but by 2017 it was worth orders of magnitude more than all of them had been in 2014. A simple one-to-one return of coins might have been a bittersweet compromise for all parties. Instead, due to the particulars of Japanese bankruptcy law, Mark had to spend many of his days after jail between the offices of his bankruptcy trustee and various teams of lawyers. All the while, he insisted in interviews with the media that he wanted no part of the money. Few people listened, or believed him.
BTC-e
Mark Karpeles may not have been on trial for malicious activity pertaining to the hacking of his company. In the public eye, though, among many, he very much was. That would change on July 25th, 2017, with the arrest of a Russian man on vacation in a small beachside village in Greece. And he had Kim Nilsson to thank for it.
The Russian is suspected of having been an operator of BTC-e. BTC-e, you may or may not remember, is a name we briefly mentioned in Part One of this episode: it was one of the two Bitcoin exchanges that overtook Mt. Gox as that exchange’s popularity waned during its dying months. BTC-e wasn’t a major exchange in the same way, though: founded in July 2011, by February 2015, even after the collapse of Mt. Gox, it handled only three percent of all Bitcoin transactions worldwide. It was based in Russia, and even before coming under scrutiny it had something of a reputation as the “shady” Bitcoin exchange. Considering that Mt. Gox, a company with no money, over half a dozen hacks in three years, and executive-sponsored manipulation of the market through bot activity, was the gold standard of its time, the fact that BTC-e was considered the “shady” one should say something about that company.
Later investigations would bear this out. The BBC discovered that its parent company, Always Efficient LLP, is a shell operation registered to an office address in East London, in the name of a nightclub DJ from Moscow who claimed no knowledge of the company when questioned by reporters. A Justice Department press statement, released two days after the arrest of Alexander Vinnik, essentially summed it up:
“BTC-e…was heavily reliant on criminals, including by not requiring users to validate their identity, obscuring and anonymizing transactions and source of funds, and by lacking any anti-money laundering processes. The indictment alleges BTC-e was operated to facilitate transactions for cybercriminals worldwide and received the criminal proceeds of numerous computer intrusions and hacking incidents, ransomware scams, identity theft schemes, corrupt public officials, and narcotics distribution rings.”
Not long after he established himself as an effective investigator in the matter, U.S. authorities looking into the Mt. Gox hack enlisted Kim Nilsson’s help in tracking down the hacker and the lost money. For over two years, beginning in spring 2015, Nilsson’s blog, “WizSec”, didn’t post a single new article on the case. It may have appeared that Kim had nothing else to report, or had lost interest in the story. Instead, he was keeping quiet so as not to disturb a slow, building investigation.
By analyzing data from Mt. Gox and the publicly available Bitcoin ledger, Kim identified that the Mt. Gox hack began at 5:30 am Japan time, on September 22nd, 2011.
The Russian
The next breakthrough came when it was discovered that a money launderer working with the thief had in fact sent some of the coin taken from Mt. Gox back through Mt. Gox itself. Remember, these were the early days, when Mt. Gox was the de facto Bitcoin exchange and had very few competitors for the title. A plurality of the stolen coin, around 300,000 BTC, moved through BTC-e, the preferred choice of Bitcoin criminals. The rest was sent to the other major exchanges, not least Mt. Gox. In other words: it was as if the hacker broke into a bank vault at Wells Fargo, handed the money to a launderer, and the launderer walked in through the front door of the same bank soon thereafter to deposit the cash into their own Wells Fargo account.
All Bitcoin transactions are recorded on the public blockchain, so it can be seen which addresses received the stolen funds. The ledger, though, only links addresses to addresses; linking an address to a person takes records from somewhere the person had to identify themselves, such as an exchange. And when Mt. Gox’s internal data leaked, the same data used to incriminate the company for running bots, it revealed account details that connected those deposit addresses back to a single crypto trader, an avid participant in online forums, who went by the name WME. WME, it appeared, was the launderer for the Mt. Gox hacker. Ironically, WME had already made a name for himself in the community, among other suspicious activity such as promoting “cheap coins”, by posting a long thread in a Bitcoin forum claiming to have been scammed out of 100,000 dollars.
WME was not too forward-thinking: in posting online, he used his real name, Alexander Vinnik. Kim Nilsson, for one, after tying the laundering Mt. Gox accounts to WME, suspected “Alexander Vinnik” to be a pseudonym. He would only find out, once news broke of Vinnik’s arrest, that it was not. It probably made the job easier for U.S. law enforcement when they started looking for him.
It’s worth emphasizing that Vinnik’s accounts were used to launder the money, not to steal it. The coin did, however, travel directly from addresses controlled by the hacker’s private keys to addresses under Vinnik’s control, before making its way to BTC-e and elsewhere, indicating a close relationship between him and the hacking entity.
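The tracing described above, following coins from the thief’s addresses through a launderer to exchange deposit addresses, can be sketched as an added example (not code from the podcast, from WizSec, or from any real blockchain). The transactions, addresses and amounts below are invented, and the labels only mirror the roles in the story. It uses the “haircut” taint rule, one of several conventions: when a transaction mixes tainted and clean inputs, each output is tainted in proportion to the tainted share of the inputs.

```python
"""Following stolen coins across a constructed transaction graph.

Added example, not code from the podcast, from WizSec or from any real
blockchain. Transactions, addresses and amounts are invented. Taint is
propagated with the "haircut" rule, and spent inputs are assumed to be
consumed in full.
"""
from collections import defaultdict

# Constructed transactions, in confirmation order. Inputs and outputs are
# (address, amount); any shortfall is the mining fee.
TXS = [
    {"txid": "t1", "inputs": [("gox_hot", 80000.0)],
     "outputs": [("thief", 80000.0)]},
    {"txid": "t2", "inputs": [("thief", 80000.0)],
     "outputs": [("launderer_a", 50000.0), ("launderer_b", 29999.9)]},
    # launderer_a mixes the loot 50/50 with clean coins before depositing
    {"txid": "t3", "inputs": [("launderer_a", 50000.0), ("clean_funds", 50000.0)],
     "outputs": [("btce_deposit", 60000.0), ("launderer_change", 39999.9)]},
    {"txid": "t4", "inputs": [("launderer_b", 29999.9)],
     "outputs": [("gox_deposit", 29999.8)]},
]

# Deposit addresses whose owning exchange is known (constructed labels).
EXCHANGE_DEPOSITS = {"btce_deposit": "BTC-e", "gox_deposit": "Mt. Gox"}


def trace_taint(txs, tainted_start, exchange_deposits):
    """Return (taint_by_address, path_by_address, arrivals).

    taint_by_address: tainted BTC currently sitting at each address.
    path_by_address:  txids through which that taint travelled.
    arrivals:         {exchange name: tainted BTC that landed at its deposits}.
    """
    taint = defaultdict(float, tainted_start)
    paths = {addr: [] for addr in tainted_start}
    for tx in txs:
        total_in = sum(amt for _, amt in tx["inputs"])
        tainted_in = sum(min(taint[addr], amt) for addr, amt in tx["inputs"])
        if tainted_in <= 0:
            continue  # no tainted input, so this transaction is irrelevant
        ratio = tainted_in / total_in
        # Record the route: the first tainted input's history plus this tx.
        upstream = next(paths[a] for a, _ in tx["inputs"] if taint[a] > 0)
        path = upstream + [tx["txid"]]
        for addr, _ in tx["inputs"]:
            taint[addr] = 0.0  # inputs are consumed in full
        for addr, amt in tx["outputs"]:
            taint[addr] += amt * ratio
            paths[addr] = path
    arrivals = defaultdict(float)
    for addr, exchange in exchange_deposits.items():
        if taint[addr] > 0:
            arrivals[exchange] += taint[addr]
    return dict(taint), paths, dict(arrivals)


if __name__ == "__main__":
    taint, paths, arrivals = trace_taint(TXS, {"gox_hot": 80000.0}, EXCHANGE_DEPOSITS)
    for exchange, amount in arrivals.items():
        print(f"{amount:.2f} tainted BTC reached {exchange}")
    for addr in EXCHANGE_DEPOSITS:
        print(addr, "via", " -> ".join(paths[addr]))
```

The ledger gives the address-to-address path; tying a deposit address to a person still requires the exchange’s own customer records, which is exactly what the leaked Mt. Gox data supplied.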
Who was this hacker? Investigators came upon only small hints. One inference we might draw is that with a hack of a company this massive, of so much money, and such successful execution, it’s reasonable to assume no single individual could’ve pulled off the feat. Also worth considering is how Vinnik has been tied with the highest echelons of the Russian government. FBI investigations uncovered evidence that suggested Vinnik may have helped launder Bitcoin for Fancy Bear, Russia’s primary, government-sponsored hacker collective responsible for hacking the 2016 U.S. elections.
In other words – there’s good reason to think that the entity that hacked Mt. Gox was related to – and maybe operated by – Russian Intelligence.
In context, then, there was reason to be suspicious when the Russian government charged Vinnik with “fraud”. The charges appeared to be trumped-up–a way to get him back on home soil, rather than have him face 21 much more serious indictments coming from courts in the U.S. Russia even issued a veiled threat towards the Greeks, after their court system initially approved America’s extradition request. Until Vinnik is properly tried in a Western court, there’s no way to tell whether any of this is pertinent to the Mt. Gox case or not.
Epilogue
We’ve released this podcast episode on February 5th, 2019. To this day, none of the hacked 650,000 Mt. Gox Bitcoin has been recovered, nor its true hacker identified.
The story of the found 200,000 Bitcoin would end with a petition organized by four major Mt. Gox creditors, who lobbied that the bankruptcy proceedings be nullified and replaced, instead, by civil rehabilitation proceedings. Civil rehabilitation, the logic went, is a less strictly regulated process, leaving flexibility for the courts to divvy up the remaining coin more fairly among the company’s customers, rather than the company itself. On June 22nd of 2018, Tokyo’s District Court sided with the creditors, and for the first time in the nation’s history, pulled a corporation out of bankruptcy in order to allow those who lost their money to file claims for just reimbursement. 24,750 of those claims would end up being filed, including one from Kolin Burges. They’re all slated to be met later this year.
Despite BTC-e’s claim that Alexander Vinnik was neither an administrator nor an employee of the company, its data center was raided by FBI agents at 11 AM on the day of Vinnik’s arrest. Its servers were seized, including 38% of customer funds. Its website went down, and three days later, the FBI seized its web domain.
Vinnik himself was held by authorities in Greece for over a year following his arrest. In that time, he survived a hit placed on him by an unknown Russian entity, which Greek police uncovered in May of 2018. On September 14th of last year, in response to heavy coercion from the Russian government, the Greeks conceded, and sent Vinnik back home. He’ll likely never have to answer for his highest crimes.
Jed McCaleb, for his part, now acts as CTO of Stellar, a decentralized financial services company.
Kim Nilsson’s company, Wizsec, dissolved before he was able to complete his full Mt. Gox investigation. With Vinnik in Russian hands and Japanese civil rehabilitations underway, it may be that the investigations into Mt. Gox have run their course.
Finally, Mark Karpeles pled “not guilty” to the charges leveled against him in his trial. His case remains ongoing to this day. Despite his infamous celebrity, and the continued threat of more Japanese jail time, he managed to score himself a new gig: as CTO of London Trust Media, a VPN company.
And with that, we’ve come to the conclusion of the Mt. Gox story. And yet, we’re left with one unanswered question: was Mark Karpeles Mt. Gox’s greatest villain, or its most tragic victim?…