What Bitcoin Did

View Original

Kim Nilsson on His Investigation Into Mt. Gox

See this content in the original post

Where to find the show

iTunes | Google | Spotify | Stitcher | SoundCloud | YouTube | Deezer | TuneIn | RSS Feed

Your browser doesn't support HTML5 audio

Kim Nilsson's on His Investigation Into Mt. Gox - WBD078 Peter McCormack

Download Episode MP3 File
The file will open in a new window. Click down arrow to download the file.


Interview location: Skype
Interview date: Wednesday 20th Feb, 2019
Company: WizSec
Role: Chief Engineer

Mark Karpeles has had many accusations thrown at his since the collapse of Mt. Gox, including being the architect of the theft himself. Many people were angry with him at the time, and many still are, but as more information surfaces about the history of the exchange, a different picture has emerged.

Indeed, Mark made mistakes which cost users of the website hundreds of millions of dollars but is everything attributable to him. Kim Nilsson’s investigation into the chain of events surrounding the collapse of Mt. Gox highlights that Mark likely inherited an insolvent exchange and was unable to cope with the challenges of a rapidly expanding business under constant attack.

In this interview, I talk to Kim about his report, his opinions on the numerous hacks during the history of Mt. Gox and his views on Mark, Jed McCaleb, Brock Pierce and Peter Vessenes.


TIMESTAMPS

00:03:25: Introductions
00:04:02: How did Kim become involved with Mt. Gox
00:05:39: Kim’s relationship and experiences with Mark Karpeles
00:08:01: The foundations of the WizSec report
00:09:29: Kim’s view on Jed McCaleb and Mark Karpeles
00:17:58: The timeline in creating the WizSec report
00:22:22: The liberty reserve hack of Mt. Gox
00:23:32: The theft of 80,000 Bitcoins during the handover period of Mt. Gox
00:26:34: Willy Bot
00:28:02: The theft of 300,000 Bitcoins from the unsecure private network drive at Mt. Gox
00:31:00: How hackers gained access to Jed McCaleb’s admin account
00:37:05: The theft of 77,500 Bitcoins from the database compromise from Mt. Gox
00:38:29: The main hack of 630,000 Bitcoins from Mt. Gox
00:42:38: Alexander Vinnik’s involvement with the hacks at Mt. Gox
00:49:18: What were the most fundamental mistakes made, that led to the hacks at Mt. Gox?
00:51:18: Kim’s thoughts on Coinlab’s lawsuit that is delaying the civil rehabilitation process
00:55:08: Brock Pierce and his potential incentives surrounding Gox Rising
01:03:24: Reflecting on Mt. Gox, 5 years after the main hack
01:04:10: Final comments and the future for Kim
01:05:11: How to keep in touch with Kim


See this content in the original post

SUPPORT THE SHOW

If you enjoy The What Bitcoin Did Podcast you can help support the show my doing the following:

If you are interested in sponsoring the show, you can read more about that here or please feel free to drop me an email to discuss options.


SPONSORS



Patron Sponsors
And a big thank you to Vidyen.com.


SHOW NOTES


THANKS

A big thanks to my WBD Maximalist Patrons for helping support the show: JP Petit, Logan Shultz, Steve Foster, Tony, Gordon Gould, David Burlington, Jesse Powell, Beam, Wiel Menger, Robert Romney, Jason DiLuzio and Yan Pritzker.


TRANSCRIPTION

Peter McCormack: Good Evening Kim. How are you?

Kim Nilsson: I’m fine, thank you.

Peter McCormack: Actually it’s not even evening for you is it, it’s some ridiculous hour?

Kim Nilsson: It’s early morning for me.

Peter McCormack: So thank you anyway for coming on. Obviously you are aware of my work this week. I’ve been trying to navigate a lot of the big rabbit hole for Mt. Gox and I almost could do all these interviews again afterwards because I learned a lot more. But I wanted to talk to you because I was made aware of your work by somebody else actually not involved directly in Mt. Gox a while ago. I never really looked at it, but obviously with my research for this, I’ve been looking through it in detail. But for a good starting point, it’d be great for you just to introduce yourself, tell people what you do, how you came to be involved with what’s going on in Mt. Gox.

Kim Nilsson: It’s an interesting story. I’m just a normal software developer really, honest! I was a customer at Mt. Gox in 2012/2013, was trading a little bit, checking out Bitcoin and got caught up in the Mt. Gox collapse in 2014. Lost a fair amount of money and was very annoyed as a result and I figured that… Well I wasn’t necessarily confident that law enforcement or just the system would be able to crack this case because it was Bitcoin. It was very new technology. I was not expecting at all there to be any Bitcoin blockchain experts in the Japanese police department or anything.

So the thought that kind of started appearing was that it’s Bitcoin, it’s blockchain, it’s a public ledger of all transactions. Wouldn’t there be an opportunity for someone to look at this completely from the outside and do a sort of an independent investigation just looking at the numbers on the ledger. It sort of started from there and I got together with some friends at the time and started exploring angles. We were based here in Japan so that was convenient, close to the first party sources and things like that. Basically that started the journey that then lasted for over three years, of me sitting in my spare time, figuring out the numbers, trying to gather up more data from Mt. Gox and trying to figure out what had happened basically.

Peter McCormack: Just for transparency, obviously today I released it episode with Daniel Kelman and I’ve also seen a Wall Street Journal article where you’re having I think apple pie in Mark Karpeles’ kitchen. So it’s probably good for transparency to explain your relationship or previous interactions with both.

Kim Nilsson: So Daniel Kelman is one of the people that I got together within 2014 to work on this stuff. Daniel is a lawyer so it was exploring more of the legal angles at the time and has kept doing so throughout the years. I’m mostly much more of a tech guy. So I was doing the technical investigation and working on the blockchain. Obviously, the main target of us being in Japan was to try to get hold of Mark himself. To see if he can share data with us and can he help us with this investigation.

So a lot of the time has been spent approaching and getting to know Mark, getting him to try to share information that I can use in my technical research and tried to share more of the backstory that we can use to piece of the puzzle together. But basically I know Mark decently well by now. I know Daniel well by now, so it’s not a huge world. We know each other decently well. I have had the apple pie, that’s pretty good.

Peter McCormack: How open was Mark to working with you? How transparent was he? Was he difficult in any way?

Kim Nilsson: In the beginning, he wasn’t open to it at all, very, very guarded. Had a poker face on and Mark’s poker face is somewhat amazing in that he had obviously had the exchanges collapsed down on him and in retrospect now we know that he was involved with some less than honourable stuff about running Willie, the exchange bot and things like that. But at the time we spoke to him, he was complete blank face and I couldn’t read him all. It was really, really hard to get close to him to get him to share information. He was very guarded. He didn’t want to share anything in case that got him in trouble and things like that. I kept at it over the years. Basically it stayed that way until around the time when he went to jail basically, which was years later.

Peter McCormack: So I’ve been through the report. It is fascinating and I’ve actually seen you present it as well and the information is fascinating. It goes over my head quite a bit. But what was the incentive for you to produce the report?

Kim Nilsson: Well, the incentive was that I wanted to know the answer. The report was more of a side effect that I think I figured it out, I’d better tells someone. Initially I found most of the things that I’ve put in my report quite a bit earlier, some of it years earlier, some just in the preceding year before I went public with it. I did cooperate a fair amount with law enforcement and then feed information to them and figuring that whoever was behind this, they would have better chance to get at them. So basically the reports came at the end of a long, personal journey that was mostly me not being satisfied until I had convinced myself that I understood what happened to Mt. Gox and by extension my money.

Peter McCormack: Right, because you were also a creditor. Sorry, I didn’t ask that question.

Kim Nilsson: Yes, I was a creditor, not a huge creditor, but it was definitely enough for me to be annoyed at the time.

Peter McCormack: In retrospect now, it would be good, before we start going into this, if you can give me a kind of picture of your feelings and opinions on both Jed and Mark having gone through the research.

Kim Nilsson: I guess maybe start with Mark’s since he is the obvious guy in the center of everything. I got into the investigation basically figuring that Mark was probably the bad guy, maybe he had cooked the numbers, maybe there were no Bitcoin that started going missing. My initial theory was, that as some of the people who were theorizing as well at the time, that maybe the Bitcoins never existed. Maybe it was all this exchange bot that he had been running, which messed up the accounting. Eventually over time, as I’ve worked more on the case, it became more obvious that no, there actually was a theft of Bitcoin.

I sort of had to readjust my attitude a bit towards Mark as well and recognize that, alright he wasn’t completely guilty of everything that people are accusing him of. These days I have a more neutral opinion. I still think he did a lot of things wrong. It’s easy to look back and hold people perfectly accountable and have 20/20 vision and say, “oh you should obviously have done this”. But there are some mitigating circumstances I feel. It doesn’t excuse everything. But these days, Mark at least seems to be trying to do the right thing and repair what he can.

As for Jed, I haven’t spoken with Jed myself. I have very limited exposure to Jed. I only know him through Mt. Gox basically, in that I’ve done the research, I’ve tried to figure out what happened even in the early days. It seems that when Mt. Gox was initially made, even more so than while Mark was running it, it was more of a tech experiment, just something put together to see if he could build it. So with that in mind it’s not terribly surprising if the code wasn’t built very solid or had security holes in it or whatnot.

What has been slightly striking though is that in the grander scheme of things, people have gone after Mark to a very large degree and then he’s been in jail etc. People are obviously hating him a lot online as well. But a lot of the problems that plagued Mt. Gox and some of the early financial issues, were definitely caused by or at least under Jed’s management and Jed has been able to sort of walk away from the whole thing relatively unscathed, not even losing any money in it. So in that sense, I guess, it’s slightly unsatisfying to see blame sort of apportion of it unevenly.

Peter McCormack: So let me tell you my defence of both of them, because I tried to give them both a benefit of the doubt. One thing that has been a kind of a constant through these interviews, which I’ve raised with each guest, is that I think perhaps people look back at the timeline with 2017, 2018, 2019 eyes where we have a much more mature ecosystem, more experience of how to run these exchanges and a network worth tens if not hundreds of billions and a Bitcoin worth thousands.

So when I look back at Jed, I see he created the first exchange. I think at the time when he launched it, Bitcoin was 6 cents and it had I think a couple of thousand users on the site. Within six months he’s kind of got rid of it. So I almost see his contribution to Mt. Gox, whilst he contributed something that maybe did have faults, it feels more like a bedroom project than any serious business. So that’s kind of my defence of Jed. My defence of Mark is he took over the first exchange. It seems to me like he was more a combination of, I don’t want to say incompetent because I don’t want to be totally unfair, but out of his depth, digging a bigger hole and didn’t probably have the necessary business or technical skills to navigate himself out of this hole that seem to get a lot bigger. So that’s my defence of both of them. How do you feel about that?

Kim Nilsson: I think I would agree with most of what you’re saying. Like you say, when Mt. Gox was created by Jed, definitely a hobby project. He created something… Nothing like this had really existed before and Jed made it. So that’s a big achievement. Of course, it would have been even better if it was flawless and perfect from the start, but things tend not to be. So, I’m not trying to detract in any way from Jed’s accomplishment in that area. It’s more a matter of did you really hand this off in the way that you should have? Do you not do feel any responsibility for the things that were broken when you handed them over

With Mark, it’s really, really hard to summarize that person. Like you say, definitely out of his depth, too much responsibility on one person’s shoulders I think. Maybe most of us would break in the same way, under the same circumstances, I don’t know. I would like to think that I would have been able to make the harder decision and go public as soon as I knew there were any trouble with the exchange, for example. But, I don’t know how I really would have acted in the same situation. I can come up with ways to defend Mark because it was clearly not an enviable situation that he was put in. But also with great power comes great responsibility, I guess.

Peter McCormack: Yeah, having met him myself, I liked the guy. I’ve got to be honest, I did. I thought he was very welcoming. He seemed honest. One of my comments on my previous interview with him was that whether he’s lied, which he probably has at times. I think sometimes there’s a certain amount of self-preservation that goes on in a situation like this. I can’t imagine anyone being a hundred percent honest with the truth through such a situation because you know there’s multiple excuses that you may have in your head and like I said, there’s a certain amount of self-preservation.

What I did find with Mark is that based on my experience, my limited experience in running companies, he didn’t seem like the kind of guy who should be running the company. He seemed like the kind of guy who should be working for somebody running the company, who has maybe the experience and skills necessary to build a structure and to deal with complex disaster scenarios. It seems like he suddenly went from having probably a company that turned over maybe a couple hundred thousand in profit to something that suddenly was holding hundreds of millions in value. I don’t even know myself how I would handle such growth, but it seems like it grew quicker than he was able to deal with. Does that make sense?

Kim Nilsson: Yeah. It makes perfect sense and it absolutely did. Mt. Gox exploded and became a huge success story, on the surface at least. I don’t know many companies that can handle that. Even if you have the best possible team and you’re prepared to scale up instantly, that’s a hard thing to deal with. And if you’re just one guy or a few guys, it’s bound to be almost impossible to do. When we look back on everything now, of course we can see all of the mistakes being made.

At the time it was probably just trying to deal the hand that life dealt him. We can definitely say that he played it poorly at times, but I don’t know how I would have done it, if I were in his shoes. From a human perspective, I can definitely understand what he did. I think I would be dishonest if I said that I wouldn’t have had the same impulse to maybe try to cover some of it up and try to save Mt. Gox behind the scenes secretly, instead of coming clean and saying, you know, something awful has happened. But at the same time we expect more from people in this position. That’s why we usually put people in these elevated positions, to be able to make the right decisions and Mark kind of ended up there more by accident.

Peter McCormack: So let’s go through the investigation, because like I say, it is fascinating. Most of it goes way over my head. So can you talk to me about where you started? Like what was the starting point? Because there’s a timeline of different types of hacks, but there’s also the looking at the hacks themselves. Did you start with the primary, like the big syphoning off of Bitcoin from the main wallet or did you start from the very start when Jed handed over? Tell me your timeline of activity.

Kim Nilsson: Well, my timeline is that I didn’t know any of these things when I started. I only know what everyone else knew. That Mt. Gox apparently had no money and there were 650,000 or 750,000 or 850,000 Bitcoins missing. That was all what anyone ever knew. In early 2014, there was a data leak where someone who had seemingly hacked into Mt. Gox and got hold of some of their accounting records published that online.

Suddenly there were some records about some of their trading logs. Like which people traded Bitcoins with which people and as well as some Bitcoin deposits and withdrawals. Based on that, there was another researcher that wrote what’s called the Willy report, which was basically the first person to identify in terms of data, that there seemed to be an internal trading bot on Mt. Gox that was trading money and trading money in Bitcoin. It was doing it at such a volume that it almost had to be faked using not real money and just inventing Bitcoins or inventing dollars. That wasn’t even the first time people had started noticing this already. In 2013, some people were seeing that live when they were watching Mt. Gox trades online. Just seeing that, “hey, there seems to be someone executing trades at regular intervals” or whatnot.

So the fact that that data leaked and then that someone was able to analyze it and make something useful out of it, that sort of became the real starting point for me to get started as well. Because at that point I figured, all right, I have no excuse. Clearly it’s possible to find out things based on the material that’s available to the public. I got started with basically trying to replicate his findings; the author of that Willy report. I tried to replicate what he had done and come to the same conclusion that yes, there’s an internal trading bot. Further I tried to look a bit closer and see that it’s probably based in the same timezone as Japan and finding like a few extra details like that. So basically that was my starting angle.

I didn’t know about specific incidents that have happened at Mt. Gox or anything. I just knew that coins were missing. This was the only early lead. Let’s see what I can find with that. I was able to replicate the report and I got a bit further. This is where we started approaching Mark as well to see if we can get bit more information and possibly more data about Mt. Gox to sort of take the next step and try to basically identify where there then any leaks of Bitcoins. Was the wallet handling appropriate for Mt. Gox? Did it actually send out Bitcoins for all the withdrawals or were there more Bitcoins being sent out than there were legitimate withdrawals? Those were the sort of questions that I really wanted to answer and that required a lot of data processing on my end and also I needed to get closer to Mark and get him to help me verify that what I’m finding and reconstructing is actually in the right direction, at least in terms of being able to reconstruct the original data.

So that’s how my investigation sort of started. I was initially convinced it was just internal trading or something that was responsible. I had to sort of widen my horizons a bit, to try to get hold of more data and start looking more at the technical aspect of it and then following the blockchain and seeing where there any coins being taken out of the Mt. Gox wallet.

Peter McCormack: Well let’s work through the timeline because one of the things that’s quite interesting in your report, is you have that pinned note that totals the losses over time. I think that gives a very good reflection of a deepening crisis. Let’s start with the first one. This was pre-Mark. This was the liberty reserve withdrawal exploit, which was essentially handed to Mark, therefore as an exchange with a $50,000 deficit.

Kim Nilsson: In the initial handover between Jed and Mark, this was one of the hacks that already happened that was known and the sales agreement accounted for it. It basically said that Jed would handover all the holdings of Mt. Gox, but that would be defined as all customer deposits minus the 50,000 that had been taken out from this account.

Peter McCormack: Does that mean he is operating insolvent?

Kim Nilsson: I don’t know if he would have had enough money to cover that missing $50,000, but if you are accepting customer deposits and you are not able to pay all of them back, if all the customers would have asked for it at the time. Then I believe you technically insolvent.

Peter McCormack: Okay, I’ll skip the next liberty reserve exploit because that was returned. I think one of the most interesting things that I would love to get to the bottom of was the theft of the 80,000 Bitcoin, because at the time, Bitcoin wasn’t worth a lot, but if those Bitcoins weren’t replaced and the price suddenly shoots up, that becomes a kind of real crisis point. From my both my interviews, it seems to me that that theft happened during what was considered the handover period. So can you talk about what happened there and what you found?

Kim Nilsson: All right, so I don’t know 100% exactly what happened because I’ve only heard both sides of it. But basically around the time when Mt. Gox was due to be handed over with Jed gradually giving Mark access to all this stuff. Sometime during that period, some hackers seem to have gotten into the server, got access to the hot wallet, which is just a wallet.dat file; the original Bitcoin software. Copy that off and then basically, move the funds and Jed notices this and kind of messages Mark and said “Hey, there’s a problem, all the money’s gone basically”.

I would pretend to know all of the details from that. I mean the end result is for some reason that they still go through with the handover and Mark doesn’t ever publicly call Jed out on this, which has always seemed a little bit weird to me. Why would you still go through with the deal and take over the exchange when the terms change so drastically on the eve of the handover. I know that there are emails later where Jed is making some suggestions about how you could possibly recover this by injecting additional investment into the company or shifting the debt into dollars, so that it doesn’t go up if the Bitcoin price goes up etc. So they were clearly both aware that the amount was missing and that it was a problem. But for some reason, they both figured that it’s something that they could keep quiet and just try to recover it in secret.

Peter McCormack: I guess because the price was so low then that those 80,000 Bitcoin, I think Jed said to me were worth like $10,000 or whatever the price was. It’s not such a problem at that point. But when the price shoots up, say 10x, 15x, 20x, whatever it does, it becomes a real problem because the dollar debt is a lot higher, rigt?

Kim Nilsson: Exactly. So at the time when the theft happened, I think the Bitcoin price is pretty close to like a dollar or something. So in rough numbers, 80,000 Bitcoins would’ve been around $80,000 yeah. But just a few months later around June, that was the first Bitcoin price spike where the price was suddenly $30 for a Bitcoin. These 80,000 Bitcoins is suddenly a huge amount of money that the company absolutely doesn’t have any coverage for. So yes, it could very quickly become a problem and it did very quickly become a problem.

Peter McCormack: And is this around the same time that Willy bot starts?

Kim Nilsson: So the Willy bot is sort of a collective term for all of the manipulation, so to speak. There were two generations of the Willy bot that Mark was running. One was done manually and that started later in 2011, I think. Then late in 2013 he also made the automated version, which is the one that was noticed in public. But even before that, there had been a few bot accounts also created, but I don’t know, or I don’t believe, that they were created for this purpose or to recover from the debt. But there existed additional accounts that were being used to keep money that had been seized from fraudulent customers and things like that.

Peter McCormack: Am I right in thinking the 80,000 Bitcoin that was stolen, they’ve never moved since they have been stolen?

Kim Nilsson: Yeah, that’s correct. They’re still sitting in the same address that… They were moved out of the hot wallet and then moved to that one new address and they’re still sitting there today.

Peter McCormack: Does that make you suspicious in any way?

Kim Nilsson: I don’t know. If I stole the Bitcoins, even if I was convinced that somebody was watching the coins, I would think that at some point in the next five years I would try to move them if I could, to try to come up with some way to launder them. So the fact that they haven’t moved might suggest that the thief lost the private key, I don’t know.

Peter McCormack: So let’s move on to May. Another 300,000 Bitcoin was stolen. Talk me through this because they were stored on an unsecure private network drive. Talk me through what you found out about this.

Kim Nilsson: Basically this was not a publicly known theft at any point. I found the transactions while I was investigating. Then Mark told me the background story behind what had happened. Basically at the time, this is sort of early after the initial transition period, where he’s making changes to all the code and making all the improvements and touch ups after taking over everything from Jed. At that point in time he was apparently keeping a ton of the Bitcoins in a private wallet that he just kept on his own computer.

The story that he gave me is that at one point, one day his whole network router broke down. To get access back to the internet again, he just hooked up his main computer straight to it without any firewalls on it. At which point someone just randomly happened to notice that, “hey, there’s this private network with a computer on it with a shared metric drive for his own profile with a Bitcoin wallet on it. I’ll just help myself to them” and suddenly 300,000 Bitcoins are gone. The only reason why Mt. Gox didn’t crash then and there is that, whoever this thief was, they probably weren’t the most experienced, because they got cold feet and contacted Mark and offered to give the coins back, if they could keep a small fee basically.

Peter McCormack: So that’s the 1% keeper’s fee. Did you ever try and track what happened to those 3,000 Bitcoin?

Kim Nilsson: I’ve done some tracking of them, not too far. It never felt like the top priority of my investigation, but they can be tracked a bit further if anyone wants to.

Peter McCormack: I guess at that point, if that person hadn’t returned the coins, that probably might have been the end of Mt. Gox then?

Kim Nilsson: Oh definitely, yes. Remember that this is just two months after the first theft of 80,000 Bitcoins. Mt. Gox had become quite popular at this point. They were still raking in tons of new deposits, but this was still the majority of all the coins that it was holding at the time.

Peter McCormack: I guess that’s an early indication that the internal security procedures aren’t great and kind of one of the areas that is inexcusable.

Kim Nilsson: Yeah. I mean even if Bitcoin is only worth, what it was at the time, like $2 or $3, that’s still $1 million you were having on your computer for other people’s money. You would think that you would be a bit more cautious about it. It clearly suggests, not the kind of mindset you would want to watch over other people’s money, I guess, if you’re able to make seemingly thoughtless mistakes.

Peter McCormack: So let’s move on to June. There’s another hack, this time someone has gained access to Jed’s admin account. Talk me through this. What happened here?

Kim Nilsson: Basically one of the weaknesses on Jed’s first implementation of the exchange, was that all the user passwords were stored with just a weak hash, that was “unsalted”. That is a technical term that basically just means that if a hacker gets into the system, or are able to copy your user’s table, it’s much simpler for them to start cracking passwords. “Salting” passwords is basically a method where you make it much harder for hackers too crack those hashes. But in Jed’s version it was just a simple MD5 hash with no salting and there’s very strong reasons to believe that this user’s table was compromised and taken out at some previous point in time.

What happened in June, was that eventually someone did crack Jed’s password from this user’s table and was then able to get into his user account for Mt. Gox. Jed’s user accounts still have admin privileges. I don’t know if that was intentional as part of the sales agreement? But part of the admin privileges of Mt. Gox is that you’re able to freely manipulate the balance of any account. So whoever got into this, got into his account, made use of this feature and started adding tons of coins to other people’s accounts and just selling them on the open market and that crashed the price down to nothing.

Peter McCormack: So at this point, we’re at 85,000 Bitcoin missing. We were at $50,000 missing. Have you done any audit alongside this to see what the balance was of say Mt. Gox’s owned Bitcoin. Like did they have 85,000 themselves to cover?

Kim Nilsson: I haven’t done like a total analysis of how much they would have accumulated in fees, but my opinion is that they would not have had nearly enough to cover any of this. Not even close at any point.

Peter McCormack: So then we move on to August and for some reason, Mark decides to acquire Bitomat and absorb their debts, which was 17,000 Bitcoin. Has He talked about this to you and why he did that?

Kim Nilsson: Not to great depth, but, basically at the time, Mt. Gox was looking for some sort of a foothold in the European market and didn’t necessarily want to go through all the paperwork of getting local permits. So I think Mark at the time saw it as an opportunity, Bitomat was an exchange that was already established in Europe.

They had some of the permits that Mt. Gox would have needed to legally operate and figured, “all right, we’ll just take you guys over and swallow your debts in exchange for taking over your company and running with your licenses”. I don’t know if it ended up being worth it. I mean 17,000 Bitcoins at today’s prices was certainly a healthy payout, for that company. But at the time, it seems like something that Mark did too to try to keep the company afloat and expanding.

Peter McCormack: Then we move on to September and there’s another significant hack. So database compromise, the hacker gets read/write access to the database, inflates account balances and 77,500 Bitcoin is withdrawn. So what did you find out about this and were you able to track where this one went, because this is quite a significant amount at that time.

Kim Nilsson: Yeah. So this is actually the last thefts that were defined as part of my investigation at least. They were the hardest to find because the thieves this time actually erased the evidence. They created temporary user accounts in the Mt. Gox database, but then wiped it after they were done. So it was much harder to uncover what has actually happened here, even with the cooperation of Mark. Basically these funds took a different route, that they’re listed in the graph I made from my presentation about where the stolen Mt. Gox money went.

So they get laundered through a different wall of networks. They still end up at largely the same destination points, which were BTC-E and Trade Hill, which were the main exchanges used for money laundering at the time. So I don’t necessarily know if there’s any strong connection between this and the later main theft, but one way or another, the money ended up taking similar channels, at least after they were stolen.

Peter McCormack: Right. So let’s talk about the main theft, the 630,000 Bitcoin stolen from the hot wallet. It’s fascinating, but even watching your presentation, I didn’t fully understand it and I think there are other people who might struggle with it. So talk me through what you found, what the hacker did, how Mark missed it. But if you can try and make it as easy to understand as possible, that would be great because it is complicated!

Kim Nilsson: You are asking a lot of me Sir! It’s not easy to explain this in an easier way, but basically what I did was, after I had been able to get hold of and reconstruct enough data about the Mt. Gox wallet and the lists of Bitcoin deposit and withdrawals, I was able to start comparing that to the wallet as it existed on the blockchain, with the full list of transactions that actually happened. Comparing those two, eventually I started seeing a pattern where there were additional transactions of a fairly regular pattern where a couple of hundred Bitcoins at a time, were being taken out of the hot wallet. It looked just like a withdrawal except it was logged anywhere.

So these went off into other sources on and I later started tracking where the money actually went. But for the time being, the first step was just noticing that this was happening and it was happening over a long period of time. What actually caused this was that, hackers again had gotten into the servers and they copied the Bitcoin wallet file as it existed at the time, which would let them spend any Bitcoin that existed in any address that had been created at the time, because a wallet is nothing but a collection of your private keys. As you use your wallet, you will typically create more and more private keys. So stealing a wallet at one point in time, this sort of first generation wallet, means that the thief can spend anything, but only the Bitcoins that you have in your oldest addresses basically.

That’s what kept happening to Mt. Gox and that over time as customers who are slowly depositing more and more coins in, any coins that were deposited into an old address, could be stolen by the thieves. So next step of that is figuring out where the hell that went. Which basically means doing a lot of “clustering”, which means grouping according to which addresses are likely belonging to the same person and wallet. Most if not all of the money stolen in this way, went to the same small set of wallets. From there it was being deposited back onto exchanges again, which is probably for selling off or laundering in some way. My suspicion is that it was just for selling because that would have made more sense at the time. No one would be betting in 2011 that Bitcoin is going to go up to $20,000 in 2018 for example.

I got sort of a rough picture of this coin flow from Mt. Gox and going into other exchanges including Mt. Gox itself interestingly. So whoever stole the money and gave them to this person for money laundering. They were trying to launder it back through Mt. Gox again. Now that was interesting because Mt. Gox was something that actually had some internal information about, and it could actually see which accounts were being used on the Mt. Gox side to receive those stolen funds again. So basically that became the foothold for the rest of the investigation. Trying to connect this to some actual person and after lots of trial and error and just trying to track where all of this is going, I got some leads to a guy online that was complaining about his funds being seized, as he had deposited them to an exchange called CryptoExchange.

Peter McCormack: Was that Vinnik?

Kim Nilsson: Yeah, that’s Vinnik. So he had put a bunch of Bitcoins into CryptoExchange to sell them off. But then CryptoExchange said that they wouldn’t honour his withdrawal requests and they just ended up keeping the money. What happened behind the scenes, was that ironically that stolen money, the Bitcoins that actually had come from the theft of Bitcoinica, which was another exchange at the time that got hacked.

This guy, the money launderer Vinnik, was trying to launder those funds as well. But when he put them into CryptoExchange, CryptoExchange was actually relying on Mt. Gox as sort of one of their back ends to actually do the exchanges of Bitcoin to Fiat. When those coins came to Mt. Gox, Mark had put in place a notification system that warned him that stolen coins were being put into Mt. Gox. So he had actually written a system where he got an alert because stolen Bitcoinica coins were being deposited to Mt. Gox. You just didn’t have a system that were watching for Mt. Gox coins, which is kind of a sad historical irony.

Peter McCormack: How did Mark miss this? Is it because the hot wallet was meant to be depositing to the cold wallet and he just assumed it was and never checked the status of the cold wallet. Is that how he missed it?

Kim Nilsson: I think that’s how he rationalizes it, which he is very good at doing. He is good at coming up with the reason why this had to happen. If we’re honest now, you shouldn’t be able to miss any of this. If you’re keeping hundreds of thousands of Bitcoins, regardless of if they’re in hot wallets in your cold storage, you should know how much is there. To come up with reasons for why you shouldn’t, feels more like trying to justify why he did

Peter McCormack: Do you think possibly then Mark was aware what was going on for a very long time, rather than it being some kind of last-minute panic?

Kim Nilsson: That, I don’t know and I can’t know for sure. I mean I can’t get inside the man’s head that much. If I were to guess, it’s even money on whether he was aware and trying to cover it up or if he really innocently and naively was just assuming that the money was really there and it never occurred to him to actually look. He’s the kind of innocent programmer type where he might just assume that because he wrote the system to behave in a certain way, he would just assume that it keeps working that way and never looked back. That’s an actual possibility I think.

Peter McCormack: So far is it only Vinnik who’s been arrested and charged in relation to this?

Kim Nilsson: That I’m aware of, yes.

Peter McCormack: Is there any connection between the theft and the laundering? Because everything I’ve read about Vinnik is that he almost certainly was laundering the stolen Bitcoin. But there isn’t any direct proof that he was the thief as well. Is that correct?

Kim Nilsson: Yes. Pretty much everyone has been quite careful to point out, that all the evidence points to the Vinnik laundering money or to be precise receiving money and then passing it on to exchanges and things, which looks like laundering. There’s no direct connection that he would have actually been in the exchange and doing any of the hacking himself.

So he was probably just a finance guy, being put in charge of the money laundering and this makes sense from the point of view that it wasn’t just Mt. Gox that got hacked and whose money went to Vinnik. It was Mt. Gox, it was Bitcoinica, it was other places as well. At least like three or four different hacks as well as hacks of individuals. All those Bitcoins went through the same network and a lot of it through Vinnik’s personal wallets. I don’t think that Vinnik himself personally would have been that active in hacking that many different things. So I think it’s much more likely that hackers or hacker groups were the ones that actually broke into the exchanges and stole Bitcoins and then they had an agreement with Vinnik for how to launder them and exchange stuff for cash.

Peter McCormack: Another thing that I think points in that direction as well, is that some of these hacks are quite sophisticated, yet some of Vinnik’s actions were quite amateur in terms of hiding his own trail.

Kim Nilsson: Yeah, that’s a fair way to put it. He doesn’t seem to put a lot of effort into hiding his blockchain trail, that’s for sure.

Peter McCormack: Were any of the Bitcoins that he was laundering recovered?

Kim Nilsson: Not to my knowledge. It’s not public information what may have happened with US law enforcement when they made a bust on BTC-E. I don’t know if they seize any Bitcoins. There never has been anything about it in the news. My expectation would be that I wouldn’t expect any Mt. Gox coins to be recovered from that. I rather suspect that they would have been sold or laundered long ago, probably for cash.

Specifically because this was so long ago, Bitcoin wasn’t worth that much in 2011 when these tests were happening. Bitcoin was coming down from its first price boom and for anyone new, that was probably going to be the end of Bitcoin and the price is going to keep declining. So if you are a criminal mastermind and you have all these Bitcoins, your first thought at that time it was probably going to be, well how do you turn this into real money so that it’s not going to be worthless in six months.

Peter McCormack: Have you tracked any of the 630,000 that was stolen? Have you been able to find a trail of where they’ve gone?

Kim Nilsson: I can see which exchanges they go to, but without having any internal records from those exchanges, to see which accounts they were deposited to, I can’t follow the trail any further than that, because exchanges are basically, perfect natural mixers. You deposit your money, but since it’s a shared wallet, it gets mixed with everyone else who also deposits their money and even just depositing your Bitcoins and then immediately withdrawing them, you’re statistically likely to have gotten some other Bitcoin back out. That’s sort of stumps a blockchain investigator because he can’t follow the trail because you now you’re holding different Bitcoins.

Peter McCormack: Oh, interesting. I’d never thought of it like that. So on reflection, what are the key, most fundamental mistakes that Mark made? The most stupid things he did, that could’ve prevented all this?

Kim Nilsson: Well in retrospect, hindsight is always 20/20, but the most egregious 20/20 here would be monitoring the coin holders. Mark has made an argument that he didn’t monitor his cold storage because he felt that if you had even the public keys on a live system, that’s slightly lowered the security of them in case there was any weakness in key generation. That seems like an extremely specific risk to worry about, while you’re basically potentially leaving the door to the vault open and never knowing you have been robbed. The much more natural starting point should have been to just watch your Bitcoins and make sure that you know the first instance if something is wrong.

Apart from just the main theft from the hot wallet, the 630,000 that was stolen and ended up in Vinnik’s hands, I think they should have gone public much sooner because both Mark and Jed knew that Mt. Gox was insolvent in early 2011. Had they been public about that, I think a lot more people would have been much less likely to put their money in Mt. Gox and keep it there. It may well have had a significant impact on the Bitcoin markets. I mean, Mt. Gox was a significant driver of the Bitcoin market and adoption. But even so, that was sort of based on a lie that Mt. Gox was working properly when in fact it had been robbed very early on and had significant financial troubles throughout basically its entire lifetime.

Peter McCormack: Well, it’s very interesting, but also as you are a creditor and you are quite close to it, I think it’d be quite good to just get your opinion on a couple of other things. Can you tell me your thoughts on the Coinlab dispute because that is in your report as well. What do you make of that? I mean, obviously you’re a creditor so you’re probably pissed off with Peter Vessenes, but do you give any value or credit to his claim at all?

Kim Nilsson: Like you say, I’m probably biased as a creditor, but it seems to be a crystal clear bad faith claim from Peter Vessenes. Basically to summarize things, Coinlab and Mt. Gox in 2013 made an agreement where Coinlab was supposed to act as the US payment processor and be the interface to all Mt. Gox’s US customers. So all deposit and withdrawals for US dollars was supposed to go via Coinlab, etc. They made a contract for that. But it quickly turns out that Coinlab doesn’t even have the money licenses required to do this legally. When Mt. Gox moves to sort of break the deal, it turns out that Coinlab is refusing to return money.

So they’ve basically accepted deposits on behalf of Mt. Gox customers and not actually forwarded them that money to Mt. Gox, instead just crediting their Mt. Gox accounts because they had API access to be able to do that part. But then never actually forwarded the actual deposited money to Mt. Gox. Basically amounted to stealing once the dispute, was in process. When being called out on that, instead of trying to resolve it amicably or anything, Peter’s reaction seems a bit over the top, “all right, well I’m going to sue you for $16 billion” just out of spite. Now that the bankruptcy and civil rehabilitation processes are in process, that seems basically just calculated to make sure that no one gets paid until he gets sort of a settlement out of it, which is basically just hodling everyone, all the legitimate victims of Mt. Gox to blackmail.

Peter McCormack: Yeah, so I was wondering about this. I’ve been looking at it back and forth and thinking, because there was $12 million, right? He did return $7 million but held onto $5 million. What was the reason he held that $5 million? Has he actually said why he didn’t return the whole $12 million?

Kim Nilsson: So I’m not totally familiar with the entire story and I can’t vouch for the validity of it, but basically, yeah. The story goes that out of the $12 million, he gave $7 million back and then kept the $5 million because he figured that he was owed that by Mt. Gox anyway, as part of the deal.

Peter McCormack: See, I’m wondering if he’s putting it in such a huge claim, that his compromise would be happily to retain the $5 million.

Kim Nilsson: I think that’s certainly a likely interpretation. I mean, there’s no way anyone would credibly say that “yes, you lost $16 billion because of Mt. Gox canceling this deal”, even though it was Coinlab that breached the contract by not having the licenses to fulfill its obligations. So just throwing that huge number out there, that seems to be just blackmailed, hold the creditor process hostage. So that in comparison to that huge number, then a mere couple of million would seem like a reasonable settlement when in fact the entire thing is completely baseless from the start and he owes Mt. Gox money.

Peter McCormack: Yeah, that’s what Daniel said to me. Daniel said he gives him negative credit as he should be returning the $5 million, because that $5 million is due to the creditors?

Kim Nilsson: Yes, absolutely.

Peter McCormack: Then I lastly want to ask you about Brock Pierce, who I’ve also spoken to. I had an interesting conversation with him. It was probably the most heated interview I’ve had of all of them. I think I probably triggered him on a couple of points. I think what I really struggled with, with Brock is understanding his incentive. The public face of his Gox Rising is very much about supporting the creditors, helping them get as much as they can.

One of his claims was to raise funds to go after the missing Bitcoin. But somebody said, well if you speak to Kim there’s little to zero chance of that actually happening and it’s more just smoke and mirrors. So what’s your interpretation of Brock, what he’s trying to do and his vision of trying to recover some of the stolen Bitcoin?

Kim Nilsson: I really, really don’t know. I’m having real trouble reading the man because on the one hand, everything that he claims to be about, are all very honourable things. To make sure that the creditors get repaid all the assets instead of them going to somewhere else, his promises that he’s going to start an exchange and give creditors equity of that, as a way to gain some additional future recovery. All very honourable things. That would be great, if he was actually just willing to join the process and help contribute to that.

But if you look at what he’s actually doing, it ends up being more of an interference in the process in that he comes in and wants to say that, “okay, we’re going to start a civil rehabilitation process”. Okay, but we already did that last year without you. “Okay, we’re going to make sure that shareholders don’t get paid out from the so called bankruptcy surplus”. Okay. But there hasn’t been any surplus since last year.

Again, it doesn’t seem like he has been following the news or he’s intentionally misleading people by repeating old talking points. So most of what he is promising, is actually something that the creditors have already secured for themselves. Which if you combine that with his claims about owning Mt. Gox and things like that, based on some old letters that didn’t even turn into an actual sales agreement, it doesn’t make sense. Why are you doing all these things, why are you making all these claims that are trivially disprovable when with just a few tweaks you could have come across as much more reasonable and as a good guy.

It makes no sense and it makes me wonder if this is all, like you say, just smoke and mirrors and he’s just trying to get some positive PR as the saviour, the man who saved Mt. Gox, who is doing it for the creditors and then banking on that media won’t remember to follow up on this and see what actually happens in six months for example.

Peter McCormack: As a creditor, how do you feel about the civil rehabilitation process? How you feeling about it all right now? It seems to have been dragging on for years and it seems like you guys do nothing but fight for your right to have your money returned.

Kim Nilsson: That’s kind of what it feels like. It’s been a really long and arduous process and for a long time we were in this really, really bad spot where there was a surplus situation, where due to a quirk in bankruptcy law in Japan, since Bitcoin had appreciated so much in value, there was suddenly a surplus of over a billion dollars that was going to go to shareholders, meaning Tibanne, the parent company and Mark Karpeles, which is possibly the worst possible way you could ever resolve the bankruptcy.

That’s absolutely 100% the wrong way you should do it and it was so obviously unfair and unjust, but it seemed hard to sort of find the loophole out of it based on the reading of the law. So after much fighting and creditors trying to get organized and then file petitions, creditors were able to convince the court to take Mt. Gox out of bankruptcy and back into civil rehabilitation, which allowed them to work around this quirk basically. So at the moment there’s no surplus that’s going to any shareholders. It’s been fixed.

We don’t know how long it’s going to take until anyone sees any money back. It might be years. We don’t know if the trustee feels that he’s going to have to sell more Bitcoins, which might drive the market down further. There’s still a lot of uncertainty, but as a creditor, my feeling when it comes to people like Brock, who just jump into the room and say, “all right, we’re going to do this”. That adds even more uncertainty. In the worst case, if something like Gox Rising had appeared on the horizon and they file their own civil rehabilitation claim. In the worst case that could have led to there being two competing civil rehabilitation plans, which means that none of them might gain majority, in which case you actually go back to bankruptcy and you’re back in the surplus problem again.

So there’s a lot of ways this can still end badly and we need people who are very versed in the situation and trying to do the right thing and actually know what the right thing is to try to steer this in the good direction as much as we can. I don’t think that’s Brock, half of the time he doesn’t seem to know what he’s talking about and the other half he seems to be arguing in bad faith.

Peter McCormack: Well, that was one of the interesting points in my discussion with him because trying to get to the bottom of his incentives, one of them was, he kept saying, “I want to do everything to make sure Mark Karpeles doesn’t receive any money from the bankruptcy of Mt. Gox”, but from everything I’ve seen, Mark has certainly said over and over again he doesn’t want the money. Also because of the way the bankruptcies and civil rehabilitation has been structured now he can’t anyway right?

Kim Nilsson: Yeah, at the moment none of the money is going to Mark. Mark has said in public that he doesn’t want the money. Mark is also not in control. So it’s not like he can make binding commitments. For example, the owner of Mt. Gox, Tibanne, Mark’s old company also has bankruptcy claims on Mt. Gox which is also a complication that needs to be resolved. Mark’s not in control of that, so he can’t make binding commitments on behalf of Tibanne anymore.

But, I mean no one wants creditor money to go to Mark, including Mark. In fact, a year or so ago, when it became obvious with the increasing Bitcoin price that this was actually a problem, that this was going to happen. Mark was one of the people who raised the alarm bell the most. He was talking about it in public. This is going to happen unless you organize and oppose it, because that’s what they’re saying in the bankruptcy proceeding right now and most creditors weren’t aware of it. So if anything Mark has done more for the creditors than Brock has.

Peter McCormack: Yeah, I think some people missed that. So I did my interview and I put it up live and on Twitter and Youtube. There’s still some quite scathing remarks and wild accusations against Mark. I’ve still seen people accusing him of masterminding a theft here and I just don’t see it. I don’t see any form of real criminal action by him. It’s more a combination of just like I said to you earlier, he was out of his depth and a bit of self-preservation and possibly some incompetence. But nothing that seems criminally fraudulent.

Kim Nilsson: Well, I mean it can still be criminal. I mean he is still accused of an actual crime in Japan for manipulating records, which is arguably his way to try to dig himself out of the hole. So that’s still up for courts to decide. Yeah, I don’t see Mark as having masterminded a massive Bitcoin theft where all the Bitcoins went to his secret Cayman Islands Bitcoin wallet or anything of that. That didn’t happen. I mean the research is pretty conclusive on that area. That’s never going to stop people from weaving up conspiracy theory and clearly having a lot of animosity towards him because he’s still the guy who, even if you don’t think he was personally responsible for everything, then he arguably made it worse by even trying to cover it up, instead of coming clean about it earlier on.

Peter McCormack: So Kim, we’re five years on, how do you reflect on it all?

Kim Nilsson: It’s been a wild journey, that’s for sure! I don’t know when this is going to end either. I mean, if anything, that’s the only real frustration at this point, in that we have had lots of investigation where we now have a fairly good idea of what happened, although we haven’t gotten hold of the actual hackers. But still the civil rehabilitation looks like it’s going to drag on for quite some time and then even with all that, we have these bad faith actors that get in and trying to prolong it even further, basically holding everybody hostage, which just infuriates me as a creditor.

Peter McCormack: So what’s going to be coming up for you next? How much are you still involved with the process and are you still looking at data or is that done for you now?

Kim Nilsson: I’m not looking so much at data anymore. I’ve never been formally involved with any of this. It was always just a hobby project. So as with all hobby projects, eventually you need to get back to focusing on your real job as well. So it’s been an interesting ride for me. I spend a ton of time investigating Mt. Gox and learned a lot of interesting things. Now not looking at it so much, hopefully they’ll come a point in the next couple of years when people won’t need to remember Mt. Gox anymore and we’ll probably be passed it all.

Peter McCormack: Unless Brock Pierce launches a new Mt. Gox trading platform.

Kim Nilsson: Well in this case, maybe that can be the beginning of the new story instead. That would be better than everyone having to keep obsessing over the original Mt. Gox.

Peter McCormack: Just to finish up, I do really appreciate your time and your flexibility because we’ve moved this around a few times. Can you just tell people how they can keep in touch with you? Tell them the kind of work you’re doing and who might want to get in touch with you as well?

Kim Nilsson: Most of my research on this, goes on my blog wizsec.jp, I’m on Twitter with security. I don’t put out a lot of stuff in Bitcoin research these days, but I’m definitely reachable on Twitter. Reach out to me by the website or send me an email at kim@wizsec.com if you are looking into stuff on the blockchain and you could use an extra opinion, especially on the older stuff because that’s basically where I focused most my time. I tend to call myself more of a Bitcoin archaeologists more than an analyst, I think that’s an apt title!

Peter McCormack: Well listen, look, thank you for coming on. Appreciate your time and thank you for doing the report. I will share both the hard copy and the version where you present it, because I think it’s interesting to read, but it’s also interesting to see you present it. But yeah, thanks for coming on. I might be in Tokyo soon, so if I am I think we’ll catch up!

Kim Nilsson: Thanks very much, it’s nice coming on.

See this content in the original post