World

Who Pulled Off the Biggest Bitcoin Heist in History?

HOT MONEY

Inside the mystery of how Mark Karpelès and his Mt. Gox company lost almost $500 million in cybercurrency.

170917-adelstein-bitcoin-heist-hero_mjct9k
Photo Illustration by Elizabeth Brockway/The Daily Beast

“Even in the midst of hell, it all depends on how much Bitcoin you’ve got.”

That would be modern version of an old Japanese saying (地獄の沙汰も金次第) but it still holds hold true. Bitcoin is worth a lot of money and that can open many doors. Bitcoin was supposed to be to currency what the internet was to information: liberating. In neither case did it quite work out that way.

In February of 2014, we had no idea what “Bitcoin” was but with the collapse of what was the world’s largest bitcoin exchange, Mt. Gox, in Tokyo, suddenly my writing partner, Nathalie-Kyoko Stucky and I needed to know a lot about it–very quickly. And then in March, when we had to chase Newsweek’s dubious expose on the mythological creator of the cyber currency, Satoshi Nakamoto, “The Banksy of Bitcoin” we found ourselves knee deep in BTC (bitcoin)–and here we are today. And we’re still learning.

ADVERTISEMENT

This book, which originated from over two years of reporting on Bitcoin for The Daily Beast, is the summation of what we learned. Pay The Devil In Bitcoin is a dense, darkly humorous primer on Bitcoin, Japan, and the real world chaos the virtual currency stirs up. It’s also the story of the extremely lucky and also unlucky Mark Karpelès, and his motley crew who created Mt. Gox, which made the currency takeoff and later would bring the value crashing down. In 2014, the exchange collapsed with nearly half a billion dollars worth of bitcoin missing, perhaps the greatest bitcoin heist in history. If it was a heist…

In just under a 110 pages, follow the virtual money as it is created and then sought by by hucksters, hackers, cyber criminals, drug dealers, corrupt federal agents, evangelical libertarians, true believers and tech wizards. Take a short detour to learn about Japan’s criminal justice system where the indicted are presumed guilty until proven guilty. All of this for less than the price of a single bitcoin. And I (Jake) should confess, that in order to see how it works, in the course of writing this, I did buy one bitcoin (1 BTC). Out of sheer dumb luck I sold it for $3,000 a few weeks ago, when bitcoin prices soared. There’s something about fiat money that is still appealing.

If we’d been smarter, we would have bought more bitcoin when we could have, but that’s why we’re journalists and not bankers. And without further adieu here is our favorite chapter of the book.

***

Let’s talk about Mt. Gox again.

From the outset, Mark Karpelès was a computer geek and math wiz, not a libertarian, politician, or financier, so he was never well informed about the political and financial aspects of bitcoin. It was the technology behind it that motivated and intrigued him.

As you may remember, Karpelès learned about bitcoin in 2010, when he was providing web-hosting services in Tokyo and William Waisse, a French client of his in Peru, asked if he could pay in bitcoin. Karpelès agreed, and he started to do some research on the currency. He thought the whole concept behind bitcoin was well thought out. There were a lot of technical problems that made for interesting challenges as a programmer. The beauty of the challenges themselves was sufficiently motivating for him (and others) to become involved.

Mt. Gox was the first successful bitcoin exchange that could cope with a massive number of users anywhere in the world. At its peak, it handled 80 percent of all bitcoin transactions.

The company became famous under Karpelès’s ownership, but it was an American named Jed McCaleb who started the site. In 2007 he bought the domain mtgox.com, which stood for “Magic: The Gathering Online eXchange.” He tried to turn it into an online card-trading site but shut it down after only a few months for reasons yet unclear. (We attempted to contact Jed McCaleb several times to ask him his version of events. While acknowledging that messages were received, he gave no response to our questions.)

McCaleb was intrigued by bitcoin as soon as he heard about it. According to court documents, e-mails, and associates, he was eager to buy the currency but found it unreasonably difficult. He turned his long-dormant mtgox.com into a bitcoin exchange in July 2010, implementing balances, deposits, and withdrawals on the basis of his order-matching system already in place from his card exchange. In other words, he added bitcoins as another commodity that could be exchanged online. The new site allowed trading between bitcoin and local currencies, and it was the first of its kind. (Incidentally, McCaleb is another individual thought to be the elusive Satoshi Nakamoto. It seems unlikely.)

Mt. Gox soon became more than McCaleb had bargained for. In fact, it became so popular that it took up all his time. He began looking for someone to help him manage the site and found MagicalTux—Mark Karpelès. McCaleb turned to him for advice and then sold the site to him for almost nothing.

Karpelès thought the conditions were favorable. There was no need for an initial payment, just an agreement to share 50 percent of the profits for six months, with McCaleb retaining 12 percent of the company. Since Karpelès had already moved to Tokyo, the new Mt. Gox Co. Ltd. was based there as a subsidiary of Tibanne.

Karpelès should have paid closer attention to the fine print. The main flaw in the deal was that the site had already suffered frequent bitcoin and monetary theft. Perhaps he didn’t understand how that would affect him. According to some sources, a bitcoin theft even occurred on the day Karpelès acquired the site.

McCaleb wanted the matter kept under wraps and convinced Karpelès to sign a nondisclosure agreement. It’s possible more details may be released during Karpelès’s trial, but sources close to the Japanese police investigation believe that more than 80,000 BTC may already have been stolen by the time McCaleb sold Mt. Gox. Internal Mt. Gox documents we obtained corroborate this.

Within a few months of its acquisition, the company went from having three thousand client accounts to sixty thousand.

On June 9, 2011, bitcoin skyrocketed, peaking at a new high of $31.91 on Mt. Gox. This drew unwanted attention.

On June 18, exactly two years after Karpelès settled down in Japan, and fourteen weeks after the earthquake-tsunami–nuclear meltdown, the first serious setbacks with Mt. Gox occurred. Karpelès was woken up at 3:00 a.m. that day. William Waisse, a.k.a. "Neo futur,” called him on his cell phone to say that there were problems. Quickly, Karpelès confirmed what Neofutur was saying, and within seconds he had shut down the entire system.

Hackers had always wanted to invade the exchange. Some had tried (and sometimes managed) to create denial-of-service (DOS) situations. McCaleb had reportedly put a fail-safe system in place so that any missing coins would be replaced by missing fiat money, the value of which was less likely to change. But that initial cybertheft of 80,000 BTC began a spiral of trouble that may well have led to the firm’s eventual financial collapse.

‘I Don’t Want to Start a Panic’

In May 2016, The Daily Beast’s Jake Adelstein and Nathalie Stucky were sent internal e-mails, contracts, and other documents relating to the implosion of Mt. Gox. All the documents were printed copies, and the envelope had no return address but appeared to have been posted from the Kasumigaseki district in Tokyo. Along with information provided by a former employee of bitcoin who had handled accounting for the firm, the documents reveal previously unreported details about how Mt. Gox failed and why. We set about verifying the e-mails with Karpelès’s lawyer—Nobuyasu Ogata—and former employees, as well as sources in law enforcement.

This material, which included correspondence between Mark Karpelès and Jed McCaleb, suggests that Mt. Gox was plagued with problems from its earliest days, before Karpelès was involved. The documents, including the e-mails, were submitted to the Japanese courts as evidence for the Mt. Gox trial, which finally began in Japan in July of 2017 after nearly two years of delays.

In an e-mail dated January 18, 2011, the year Karpelès was first approached about buying the site, McCaleb wrote:

Hi Mark,

Please keep all this confidential I don’t want to start a panic and I’m not sure I’ll do it yet but I’m thinking I might try to sell mtgox. I just have these other projects I would like to devote more time to.

Would you be interested? It could be very little up front and just a payout based on revenue or something.

There is also an investment group that wants to fund mtgox. Probably around $150k. So you could most likely take it over with some cash.

Let me know,

Thanks,

Jed

When Karpelès agreed to purchase the company in February, he signed an agreement that included the unusual statement that “the Seller is uncertain if mtgox.com is compliant or not with any applicable US code or statute, or law of any country.” It also included a clause saying, “Buyer agrees to indemnify Seller against any legal action that is taken against Buyer or Seller with regards to mtgox.com or anything acquired under this agreement.”

An e-mail of April that year, relating to the missing bitcoins, was probably the beginning of Karpelès’s nightmare:

From: Jed McCaleb

Date: 2011/04/28 22:33

To: Mark Karpeles

I can’t tell how big an issue it will be to be short 80k BTC if the price goes to $100 or something. That is quite a bit to owe at that point but mtgox should have made a ton of BTC getting to there. There is also still the fact that the BTC balance will probably never fall below 80k. So maybe you don’t really need to worry about it.

There are 3 solutions I have thought of:

- Slowly buy more BTC with the USD that Gox Bot has. Hopefully you would fill up the loss before the price got out of hand.

- Buy a big chunk of BTC (really just moving the BTC debt to the USD side)[.] If BTC goes up this is a huge win. Problem is there isn’t enough BTC for sale on mtgox. Maybe you could find someone on the forum to do it?

- Get those crystal island people to invest. They have 200+ BTC so they could fill in the gap.

Maybe you could just mine it?

We have tried to reach Jed McCaleb for several months both through his e-mail and social media accounts, but he has not responded.

What is clear now is that the missing bitcoins might have been a small problem when Karpelès bought the company, but his own success would make the lost amount a huge burden.

In the beginning of April 2011, 80,000 BTC was worth approximately $62,400.

Maybe Karpelès went along with the suggested advice and figured he could make it back as he went along. But luck was not on his side. While he may have been trying to fill the hole, the price of bitcoins kept rising. By June 2, the value of the missing bitcoins had jumped to over $800,000.

Unfortunately for Karpelès, he had signed a punitive nondisclosure agreement that left him unable to discuss the loss, and he faced the Sisyphean task of recovering the missing bitcoins on his own—a problem that became greater by the day and sometimes by the hour as the value of bitcoins rose. Jed McCaleb must have been relieved to have the shortfall off his back.

It was not clear how the June 18, 2011, hack occurred, but investigators believe that hackers might have gained access to McCaleb’s administrator account, which was still active.

Karpelès’s reaction was to move the majority of the bitcoins off-line into what is called “cold storage,” placing them in safety-deposit boxes dispersed among various banks in Tokyo. He only left enough online to make sure transactions could be carried out.

The episode made him increasingly paranoid about hackers—almost obsessively so.

The man in charge of accounting at Mt. Gox says he urged Karpelès several times to reconcile the BTC balance, the online balance, and the cash balance, saying he needed to know where the money was. “But Karpelès said it was mendokusai [a pain in the ass]. He claimed it was difficult and risky, because you’d have to put the cold-storage bitcoins in a hot wallet [online], which made them more vulnerable to cyber predators.” Karpelès thought they were safer in cold wallets.

Virtual money was temporarily becoming paper money, and there were masses of it. The chief accountant understood Karpelès’s concern from a security perspective, yet he still felt that not reconciling the accounts was unwise. “But it’s his company,” he told us in an interview. “I thought, he’s the CEO, so I said okay.”

Some former employees say that Karpelès might have made it all work. Later, however, the freezing and seizure of $5 million of Mt. Gox funds in May 2013 was another huge blow, cutting into the firm’s operating reserves and probably signaling the beginning of the end. One accountant remembers: “The first time I realized we’d lost a pile was sometime in early February 2014, when Mark called me into his office and said, ‘There is a chance that Mt. Gox might have to file for bankruptcy.’ And he asked me to go to the law firm Baker & McKenzie the next day to discuss it with them.” Apparently, Karpelès was eerily calm at the time—but he was always that way. “He was always smiling. He could look you in the eye and probably tell you, ‘Your socks don’t match,’ or ‘Oh, the office is on fire and we’d better leave before we burn to death’ and he would have the same strange smile on his face.”

The Dow Jones of the Bitcoin World

Was Karpelès a con man, a victim, a fall guy, or all of the above? Only the outcome of his trial will tell. But one thing is certain: he bought a company already missing tens of thousands of bitcoins, and within a few months of his taking over, due to the rapid rise in their value, Mt. Gox was in the hole for close to a million dollars.

Did the thief who took them take hundreds of thousands—worth hundreds of millions of dollars—more? Someone did, in what may well be the heist of the century.

The June 18 hack seems to have been the most significant theft at Mt. Gox that summer, but there were many minor security breaches in the same period. Around the time of the June 18, 2011, hack, it appeared that McCaleb’s administrative account had been compromised, and an unconfirmed amount of about 20,000 BTC was stolen. Trading was halted for a week while the breach was resolved. That same month, the Mt. Gox user table was leaked. This contained thousands of usernames, e-mail addresses, and password hashes. Some clients in the leaked database had used the same usernames on MyBitcoin, a then-popular bitcoin wallet, and had their passwords cracked. Six hundred of them had their balances stolen. It was a fiscal disaster.

Mt. Gox was able to recover from this by offering a public apology and reimbursing the lost funds. But they wouldn’t be able to make the same promise of reimbursement again.

The hacks in June were a wake-up call for Karpelès. The first thing he did was put Mt. Gox’s bitcoins in what he believed was a safe place.

I decided to use my portable PC running on Linux, due to the fact that it was shut down most of the time, which made it a more difficult target than a server. Then I encrypted the bitcoin wallet and put it on Dropbox to make sure that the bitcoins wouldn’t be lost, even if the portable computer’s hard disk died.

Once I arrived at the office, and after posting an announcement on the site, I was finally able to understand what had happened. A hacker had created two accounts, credited a huge sum of bitcoins and US dollars, and artificially increased the sum in one of the accounts. He then tried to withdraw the bitcoins, but without success because I’d deactivated a routine that Jed had set up, and limited withdrawals to $1,000 per day at the current rate. The pirate then decided to force the rate down by selling a lot of bitcoins in order to be able to withdraw more. This caused an overload on the system, which made it impossible for him to withdraw the money before I woke up and shut down the entire system.

Later on, I was able to discover that the hacker had used a flaw of the type called “SQL Injection” to get a list of the Mt. Gox users including Jed McCaleb’s administrative account and use it to modify the balance in Jed’s account. I didn’t know if there were other flaws in it, so I decided to reopen the site with a new, clean system. This meant that I had to rewrite the code from scratch, and quickly. I also decided that everything that happened during the hack and after would be blotted out, treating it as if it had never occurred.

All this was known as the “Mt. Gox rollback” among Mt. Gox users at the time. Karpelès rewrote almost all the code used to run the website and exchange. McCaleb’s still-existent account had certain administrative privileges, and these were also changed.

Three individuals came to help Karpelès deal with the hack: the Bitcoin Jesus (Roger Ver), Jesse Powell, and one other cyberhero. Powell is the cofounder and CEO of Kraken, a leading San Francisco–based bitcoin exchange. These people provided a support team while Karpelès was trying to put a new Mt. Gox together that would go live as quickly as possible, even if it meant working night and day and during weekends.

“Conditions in the office with all these people around made it very hard to concentrate,” Karpelès recalled. “So it took a while to rebuild Mt. Gox. I created a system to allow users to recover control over their accounts, which worked pretty well. In fact, to my knowledge, Mt. Gox is the only bitcoin exchange to have successfully recovered from such an attack. Later, in August 2011, a system of ‘cold wallets’ was put in place in order to increase security. Around that time, we also reformed the original bitcoin core software.”

But Karpelès failed to solve the problems, according to experts at WizSec, a bitcoin security firm established in 2014 in Tokyo by former Mt. Gox creditors. They launched an independent investigation in early 2014, drawing on as many sources of information as possible, including transaction data leaked by hackers and interviews with ex-employees, in an attempt to reconstruct relevant parts of Mt. Gox’s database. Bitcoin addresses, deposits, and withdrawals were matched against the blockchain to detect any irregularities.

Their conclusion was that Mt. Gox’s system had been compromised by a hacker or hackers who slowly extracted funds from the exchange between the summer of 2011 and September 2013.

In a report published in April 2015 they wrote:

Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox was technically insolvent for years (knowingly or not), and was practically depleted of bitcoins by 2013. A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox’s collapse.)

In plain English, Mt. Gox had been running on empty long before it collapsed in 2014. It had enough capital to do business, but any slowdown could mean disaster. The business it did, however, was substantial. By January 2014, Mt. Gox was handling millions of dollars in daily transactions, sometimes as much as $20 million in one working day.

If Karpelès knew just how precarious this situation was, he seems to have decided to plow on regardless. And neither the Financial Services Agency nor the Ministry of Finance nor the Bank of Japan did anything to regulate Mt. Gox, though all acknowledged that they knew of its activities.

It’s a shame that Karpelès didn’t read Spider-Man comics. As Uncle Ben said, “With great power there must also come—great responsibility!”

Karpelès had always loved Japanese manga but had relatively little interest in Western comics, so he may never have been exposed to this bit of comic book wisdom. For him, with great power came great wealth, and with great wealth, great silliness. He began to indulge himself, splurging on prostitutes, pet projects (of which, more later), and other amusements. He bought himself a custom-made bed that cost millions of yen. If he had learned to separate his personal account from that of his company and simply paid for stuff out of his own lavish salary, things might have gone better down the line.

The Mt. Gox site started accepting a dozen different currencies. Their first Japanese banking partner was Sumitomo Mitsui Banking Corporation (SMBC), but the man responsible for the account was reappointed elsewhere and his replacement felt uneasy about bitcoin. Mt. Gox switched to Mizuho Bank when SMBC was spooked by the unexplained decision taken by HSBC in Hong Kong to close Mt. Gox’s account without returning its money.

More staff were hired to cope with expanding business, making it too expensive to stay at the Cerulean Tower. In the summer of 2012, the company moved to a different section of Shibuya, just behind the Cross Tower, on the fifth floor of a small building known as Round Cross Shibuya.

The year 2012 was obviously busy. In order to tackle business operations in North America and to avoid the complex licensing regulations there, Mt. Gox signed a contract with a Seattle bitcoin service, CoinLab, in November, after a summer filled with negotiations. CoinLab was relatively new on the scene, but they had gained attention due to large funding from venture capitalists. They also managed the Bitcoin Foundation.

It seemed to be a good deal for both parties. CoinLab had a small but passionate team that could use the extra business and advice from an experienced company like Mt. Gox. And Mt. Gox, with CoinLab handling its US and Canadian clients, wouldn’t have the hassle of getting a license to function there.

As it happens, four financial experts gave differing answers to the question of whether a license was required at all. Some said that bitcoin was not regulated, so a license would be unnecessary. Others said a license was required but would be nearly impossible to get. The money-transmitting-business (MTB) license covering all US states cost almost $50 million. Mt. Gox didn’t have $50 million to invest at the time.

According to Karpelès, CoinLab assured him that they could handle the license situation.

The Financial Crimes Enforcement Network (FinCEN), an agency within the US Treasury Department, ruled in March 2013 that “a person is an exchanger and a money transmitter if the person accepts such de-centralized convertible virtual currency from one person and transmits it to another person as part of the acceptance and transfer of currency, funds, or other value that substitutes for currency.” FinCEN’s mission is to safeguard the US financial system from misuse and to combat money laundering. In line with that mission, they took a hard line with money-transmitting businesses. The new “guidance” issued in March appeared to indicate that all money-transmitting businesses using virtual currency had to get an MTB license where anti–money laundering and know-your-client (KYC) measures were enforced and the people they did business with were identified.

A few months after the partnership began, problems started to arise.

On May 2, 2013, CoinLab filed a $75 million lawsuit against Mt. Gox, accusing it of not giving them full access to their North American clients, and continuing to serve customers there. Later that month, as part of the investigation into Silk Road, the US government seized a total of $5 million from Mt. Gox’s accounts in North America and Karpelès’s private account.

“With CoinLab threatening us legally,” Karpelès said sadly, “Mizuho Bank recommended that we find another bank. Then a few weeks later, they refused to handle any outgoing international remittance transactions. We had no better alternative than to start using Japan Post Bank to do our computer transfers, at a maximum of ten per day, while our lawyers in the US were discussing with the prosecutors whether they could cancel the fund seizure.”

Negotiations with other banks outside Japan did not work out. Eventually the company created a working relationship domestically with Japan Net Bank to solve their money-transfer issues.

To all appearances, Mt. Gox was still a success. It was still the largest bitcoin exchange. During the month of May 2013, it traded an average of $18 million a day, which was 70 percent of all bitcoin exchange transactions.

This wasn’t enough, though. Karpelès wanted more. He wanted to set up a bitcoin coffee shop to attract more Japanese users, with a staff of beautiful bitcoin baristas. He would call it the Bitcoin Café, with a proper accent above the e—he is a Frenchman, after all. People would pay for their hot coffee and croissants with bitcoins. It would show the Japanese people how simple bitcoins were to use. It would also act as a community center for bitcoin fans.

On August 29, 2013, Karpelès officially launched the café project. He even had the coffee mugs specially designed. But all this took more time than expected, and it wasn’t able to open on schedule.

Around November, he bought the company Shade 3D, allegedly in order to have a side business and guarantee the availability of cash in case he needed it.

And while he was busy with these sidelines, bitcoin was constantly in the news overseas.

On October 1, the FBI arrested Ross Ulbricht, the alleged founder of Silk Road. That same month, Mt. Gox acquired a money-service-operator license in Hong Kong. On October 29, the Las Vegas start-up Robocoin launched the world’s first bitcoin ATM.

In November, the bitcoin price exceeded $1,000 on Mt. Gox. In December, the number of verified customers on the exchange surpassed a million. The de facto value of a single bitcoin was whatever it was being sold for on Mt. Gox.

Mt. Gox had become the Dow Jones of the bitcoin world.

At this point, Karpelès had moved from his home in Tokyo’s Setagaya Ward to a new apartment in Meguro Ward due to domestic issues with his ex-wife, Kyoko. His new home was on the twenty-eighth floor of the luxurious apartment complex La Tour Aobadai.

Despite his wealth and growing fame, Karpelès was spending most of his free time eating junk food, watching anime, and compiling code. As his friend and colleague Julien Laglasse, a Frenchman living in Tokyo, says: “Mark is happy as long as he has a pizza, a coke, a computer to work on, and his two cats around him. He is not a greedy guy.” The trouble was, he wasn’t a careful guy either, and someone who was managing millions of dollars of clients’ money and a staff of over forty needed to be.

Before the shit hit the fan, someone on the Internet Relay Chat #mtgox publicly announced that Mt. Gox could be attacked via the method known as “transaction malleability” and explained how to do it. As a consequence of the warning, Karpelès improvised a way to block that attack immediately. Later that month, he received an e-mail from a shady character offering to sell information about angry Silk Road vendors trying to attack Mt. Gox. He ignored it.

Bitcoin’s Black Tuesday

But there came a point when reality couldn’t be ignored any longer. On February 7, 2014, Mt. Gox temporarily halted all withdrawals. The measure was taken due to the theft or disappearance of hundreds of thousands of bitcoins owned by Mt. Gox customers, as well as by Mt. Gox itself.

In a press release three days later, the company said it had suspended withdrawals because of a software flaw that would allow traders to defraud the exchange. However, what really happened was that Karpelès was beginning to confront the fact that a colossal sum was missing. To be precise, he was either just realizing that this had happened or found himself in a position where he had to admit the money wasn’t there—and that it hadn’t been there earlier. Only Mark Karpelès really knows the truth.

The announcement drew the ire of the bitcoin community because the flaw was allegedly well known and others in the business had already accounted for it. Mt. Gox was blaming the software when it should have taken direct responsibility itself. Its excuse reflected badly on the currency.

Jason Maurice, once at WizSec and now a freelance security adviser, believes that Karpelès misjudged the severity of the security issue and didn’t implement a correct fix when it was needed. According to Maurice, it was only in early February 2014 that Karpelès understood the danger of the bug and came up with a proper solution, but by then it was too late. The damage had been done.

“Basically he dismissed a multimillion-dollar bug in his software that any decent software engineer would immediately have realized was a major issue,” Maurice said in our talks with him. “Any other financial institution would have a quality assurance team to find something like that, but for Karpelès it was all up to him.”

In addition to leaking money through the bug, the company might accidentally have been giving it away.

“Essentially, Mt. Gox was a dysfunctional organization,” said someone who once worked for the company.

Nobody was doing accounting reconciliation, and there was an exploitable fault in the transaction system that allowed people to get more or less paid twice. Think of it this way: if bitcoins were like frozen hamburger patties being served at a diner with a touchscreen menu, someone figured out a way of tapping the screen to get two for the price of one. Then one day somebody at the diner went to the freezer and realized they were completely out of hamburgers—and they’d only served half the customers they thought they had.

The bitcoins were poorly secured, digitally and physically.

Former employees from the exchange claimed that at some point they stored about 90 percent of their bitcoins in paper wallets and USB keys. By moving bitcoins into a paper wallet—a printed document that contains all the necessary data to operate one or more private keys—the keys are no longer digitally stored where they might be subject to attacks. However, if the paper wallet is lost, the bitcoins in the wallet are also lost. Apparently, paper wallets at Mt. Gox were often haphazardly stored in the office, buried in sofas, or pushed behind desks. Karpelès denies this, saying that he shredded them once they had been inserted in the system “for security reasons.”

According to another former employee, Mt. Gox “rented safety-deposit boxes in banks. When they needed to refill the transaction accounts, they took the bitcoins out of storage and deposited them in the system. There was no reconciliation in the accounting sense between the cold storage and the transactions done. As long as money was coming in at a steady pace, no one realized they might actually have been losing a lot of money. And when they did, all hell broke loose.”

In February 2014, Karpelès informed this person that an estimated 850,000 BTC was unaccounted for—at the time, the equivalent of close to $462 million. He told him that users, exploiting flaws in the system, had probably siphoned off the bitcoins over several months. In particular, there seemed to be a system glitch that made it possible to get a payment reissued.

Teikoku Databank, Japan’s largest and most respected credit-rating agency, had reviewed the company in July 2013, months before the collapse. The bank gave it a D4, the worst-possible rating a company can receive on their scale. One of the reasons for the low rating was the lack of qualified accounting staff at the company. There is also the possibility that Teikoku Databank simply had no idea of how to account for the value of bitcoins—a problem not unique to them.

Mt. Gox had survived hacks, system failures, and seizures by the authorities, but now things looked hopeless for them. Thousands of customers were unable to withdraw deposits, and Karpelès wasn’t talking to the press. Speculation was rampant as to what exactly had happened, and the bitcoin world was in a panic.

Key members of the Mt. Gox staff and consultants gathered and brainstormed for a way to keep the company solvent, protect its assets, and move forward. They drafted a document—a “Crisis Strategy Draft”—that was meant to show investors the problems and possible solutions. On February 24, Karpelès resigned from the board of the Bitcoin Foundation, of which he was a founding member along with Gavin Andresen (the chief scientist), Charlie Shrem, and Roger Ver, among others. He reportedly told the organization of the troubles on the horizon.

The final nail in the coffin was the unauthorized release of the Crisis Strategy Draft, the supposed plan for saving the company. The document was unfinished.

“The Crisis Strategy Draft had only been shown to a few people, including the Winklevoss twins, who were active investors in the industry and SecondMarket executives. If, prematurely, it got into the public domain, it would be disastrous,” another former employee said. A few days after being put together, the document was leaked to the blogger the Two-Bit Idiot, who published it on the web on Monday, February 24, 2014, at 6:23 p.m., EST. It spread across the Internet within hours.

The media were soon all over the story. (It was at this point that we began covering it.)

If the document hadn’t been leaked, Mt. Gox might have survived.

“Our last-minute efforts to discreetly refinance the company and avoid insolvency had pretty much been sabotaged by it,” the same employee said.

Mt. Gox suspended all trading after internal investigations discovered a loss amounting to 744,408 BTC. The accounting practices at the firm were so slipshod, however, that even what seemed like an “exact” sum wasn’t accurate. On February 25, after confirming with their lawyers that the end was near, they shut down entirely. Since Karpelès still wasn’t sure exactly how many bitcoins were missing, he started scanning the paper wallets and confirmed that the cupboard was bare.

On February 28 at 11:39 a.m., EST, The Daily Beast published “Inside Japan’s Bitcoin Heist,” reporting the amount of missing bitcoins to be 820,000 BTC—the closest figure yet to Karpelès’s initial calculation.

Mt. Gox filed for bankruptcy protection with the Tokyo District Court. It declared liabilities of about ¥6.5 billion ($64 million at the time). The company said they had lost almost 750,000 BTC belonging to its customers and about 100,000 BTC of its own, then worth around $462 million.

Karpelès remembers that day well. “I went to the Tokyo District Court with my lawyers in the afternoon and, by the end of the afternoon, the order was given. With just thirty minutes to prepare, we then gave a press conference. The room was full.”

He answered the questions in his French-accented Japanese without forgetting to make the deep bow of atonement and apology expected of a CEO.

“The press conference in itself went okay, although one cameraman decided to ask questions in English, which I wasn’t prepared for. But the worst thing was the walk to the taxi outside, with all the reporters surrounding me, getting closer and closer. Once in the taxi, the driver had to struggle hard to get out of there. I was followed all the way to the Baker & McKenzie offices, where I was finally able to rest a bit before driving home.”

In its official statement, Mt. Gox said that the bankruptcy was related to a bug in the bitcoin software algorithm that was exploited by one or more persons. “We believe that there is a high probability that these bitcoins were stolen,” it asserted bluntly, blaming hackers. And since the company had a business plan that looked forward to 2017, it seemed unlikely, some felt, that its CEO had stolen his clients’ money himself.

After filing for bankruptcy, Karpelès went on working at the same office in Shibuya. The number of employees was drastically reduced. There was a small coffee shop on the first floor that had been destined to be the world’s first Bitcoin Café. Today, it is still just a café.

One of the former employees who believe that Karpelès did not act maliciously or for his own profit says: “He’s a workaholic and a geek, but a good-hearted geek. He just has very limited management skills, a little hubris, and didn’t pay attention to accounting. He was only twenty-seven or twenty-eight years old.”

A colleague was more complimentary. “He wrote most of the code—he created a fantastic application interface. It’s a wonderful platform for trading bitcoin. The problem isn’t bitcoin—it’s the way Mt. Gox was run. And it was run into the ground.”

At the time of the bankruptcy, Yoshihide Suga, a top government spokesman, stated that official organizations including the police and Japan’s Financial Services Agency were collecting information on the bitcoin trade in Japan and considering regulatory action. In addition, there were reports that US authorities had begun investigating Mt. Gox and had subpoenaed individuals who had worked for, or still work for, the company.

The United States was interested in Mt. Gox for many reasons. The Silk Road investigation was ongoing, and some law enforcement agencies believed that Karpelès might have been the victim of a group of cybercriminals they were looking for.

A few days after the bankruptcy, we spoke with Karl-Friedrich Lenz, professor of German and European law at Aoyama Gakuin University in Tokyo and author of an academic paper entitled Legal Issues of the New Internet Currency Bitcoin in EU Law and German Law. Professor Lenz believes Mt. Gox should have been treated as a banking institution and not allowed to operate without a license under Japanese law at the time. He believes that because Mt. Gox accepted deposits and money could be wired to its accounts, it was more or less a financial institution. “I went to the Financial Services Agency and asked to speak with someone on this issue. After much argument, someone from the banking division accepted my report, which I hope they will review.”

He added, “If Mt. Gox had been treated like a bank, this problem would have never happened. It would have had to have proper accounting and people with financial skills to get licensed. It is unlikely that the Japanese government would have granted such authority to a company run by a twenty-seven-year-old geek with no background in finance.”

Karpelès recalls that, in the days following the bankruptcy announcement, things calmed down while the trustee appointed by the Tokyo District Court was figuring out what to do.

“We had to rapidly put in place a call center, which I developed within a couple of hours, the best I could, and then things started to move along.”

The trouble was, any hope of civil rehabilitation of the company was hampered by Karpelès’s inability to travel out of Japan, since he had to be available at any time to answer the liquidator’s questions.

In the United States, his lawyers filed Chapter 15, which is done when a liquidation or rehabilitation process is taking place in another country. As part of routine procedure, the US courts needed to question Karpelès in person; otherwise, the filing would be impossible and the assets of the company in the United States would be threatened with seizure.

A rumor went around that Mark was planning to travel to America, which prompted FinCEN to submit a subpoena and the DHS to dispatch a couple of agents to each airport he might use. He had become a person of interest. Of course, it was out of the question for him to travel under these conditions. And the court in Tokyo wouldn’t allow him to leave the country without a guarantee that the United States would permit him to return. So Mt. Gox wasn’t authorized to proceed to rehabilitation, and liquidation began around the end of April 2014.

“After that, I tried to make Tibanne, my first company, work, but without great success,” Mark said.

Karpelès noted that while the general public knew about most of the big events connected with Mt. Gox’s downfall, many details went unnoticed. “All I can say is that each and every move taken by Mt. Gox and Tibanne was done for a valid reason.”

On March 20, 2014, the discovery of an old wallet brought the number of bitcoins still missing to roughly 650,000, down from about 850,000. A statement posted by Karpelès online said: “MtGox Co., Ltd. had certain old-format wallets which were used in the past and which, MtGox thought, no longer held any bitcoins.” This was both good news and bad. People wondered: If Mt. Gox could simply misplace 200,000 BTC, maybe they had misplaced a whole lot more. Maybe Karpelès was hiding them.

‘Innocent People Have Been Arrested’

Many mysteries remain. Independent investigators are focusing on the way Mt. Gox was bought by Karpelès from McCaleb. Some believe that the theft of the bitcoins occurred during the period when transfers to paper wallets were being made. If so, it happened precisely when detecting any theft would be the most difficult.

After the bankruptcy, Karpelès’s lawyers filed a report with the Japanese police requesting an investigation into the hacking of the company and the missing bitcoins. Not everyone was confident, though, that the police had the skills to solve the case, and some Mt. Gox creditors launched their own probe. This was something Karpelès welcomed.

I totally approve of there being several separate investigations. It’s generally a good idea to have different people looking into the same problem from different angles. The police don’t report in detail what they are doing, so it can seem that they aren’t doing anything. But they are actually making progress. What’s worrying, however, is recurrent evidence that innocent people have been arrested and made to confess to crimes that they didn’t commit. So I just hope they won’t do anything crazy here. There’s no guarantee, of course.

Personally, I support their efforts to find the culprit or culprits. The method used is less important to me than the result.

Unfortunately for Karpelès, the result wouldn’t be quite what he expected.

Excerpted from Pay The Devil in Bitcoin: The Creation of a Cryptocurrency and How Half a Billion Dollars of It Vanished From Japan by Jake Adelstein and Nathalie Stucky.