June 19, 2011
The Tokyo sky outside Mark Karpeles’s window was still dark when the iPhone on his bedside table jolted him awake just after 3 a.m. Mark was still trying to get his bearings when he picked up the phone. On the other end was the panicked voice of his friend William, a Frenchman living in Peru who had first introduced Mark to Bitcoin back in 2010.
For the last few weeks, William had been helping Mark keep up with the seemingly irrepressible expansion of Mt. Gox, which had grown from three thousand users in March to over sixty thousand users in June. Just how little Mark was prepared for the recent growth was clear from what William was trying to tell him on the phone. Something about the exchange’s servers slowing down to a glacial pace—and the price of Bitcoin plummeting from $17 to 1 penny in less than an hour.
Suddenly alert, Mark leaped out of the bed he shared with his new wife and ran to the home office in their compact Tokyo apartment, one floor up from the narrow street. Mark was not generally known for moving fast—most who met him immediately noticed his slothlike way. But once he had his Mt. Gox administrative account up on the screen, Mark wasted no time in bringing the crisis to a screeching halt. He shut down the link between the Mt. Gox website and his server and moved Mt. Gox’s 432,000 Bitcoins—some $7 million at yesterday’s prices—to a new address that had a more secure password.
These moves were enough to stem the run on Mt. Gox, but immense damage had already been done. Hackers had enjoyed nearly an hour to do their work, while confused and terrified Bitcoin users looked on. Starting at around 2:15 in the morning in Japan, the hackers had begun selling large quantities of Bitcoins, pushing the price down dramatically.
“Everyone! Panic sell!” someone wrote on the chat channel, seeing the price dive.
“Holy fucking sht,” another wrote.
One user had the presence of mind to record the charts showing the decline and narrate a video of it in real time. Others, who had dollars in their Mt. Gox account, saw an opportunity and began buying up the cheap Bitcoins. The selling continued until 260,000 Bitcoins were purchased for $2,600 shortly before 3 a.m. Japan time—a 99.94 percent discount from their value just an hour earlier.
After Mark had shut everything down, he sat in his dark apartment and began to piece together what had happened. The user logs showed that someone had signed in with the administrator account of Jed McCaleb, the Mt. Gox founder who was still helping Mark out. The computer appeared to be in Hong Kong, but it was likely the hacker was porting in to a computer there from elsewhere. The Mt. Gox software enabled the hacker to change the balances in accounts and he created over 100,000 new Bitcoins out of thin air and put them in a new Mt. Gox account. These were not real coins on the official blockchain; they existed only in Mark’s accounting system. But that was enough for the hacker to begin using them on the Mt. Gox exchange.
The hacker had clearly planned in advance and knew that Mt. Gox allowed users to withdraw only $1,000 worth of Bitcoins at a time. In order to maximize the amount of Bitcoins that could be withdrawn, the hacker began selling some of the newly created coins to push down the price. As the price dropped, it was possible to withdraw more and more Bitcoins under the $1,000 limit, until the relatively primitive design of Mt. Gox came to its rescue. As the servers slowed to a crawl, owing to the traffic created by the hacker, withdrawals suddenly became impossible. By the time Mark got up, most of the hacker’s Bitcoins were still stranded inside Mt. Gox, though hundreds of thousands of coins had already been sold at distorted prices.
It was not until an hour after he first got online—and two hours after the melee began—that Mark posted any kind of explanation to the Bitcoin forums. At that point, he gave the basics of what he knew and said that the site would be down indefinitely. He also announced his intention to cancel all the trades made with the Bitcoins created by the hacker, a move that drew an immediate backlash from buyers, who believed that they had gotten thousands of those Bitcoins on the cheap. Although many expressed anger that Mark was violating one of the fundamental tenets of Bitcoin—the irreversibility of Bitcoin transactions—Mark could do so because trades on Mt. Gox happened only within the company’s system, not on the actual blockchain (Mt. Gox interacted with the blockchain only when coins moved into and out of the company).
The scope of the questions soon expanded, especially after it emerged that the hacker had stolen a copy of Mt. Gox’s customer database, with everyone’s e-mail addresses, and posted it on the Internet. There was bewilderment that Mt. Gox administrators had needed only a single password to log in, not the multiple passwords that most financial websites required. And Mark’s system had not checked on the IP address and location of users to look for abnormal activity.
“Frankly, we are fortunate that our hackers have been stupid and lazy so far,” Jeff Garzik, the North Carolina programmer, said to some other developers.
On top of these programming mistakes, the released customer database demonstrated how few measures Mark had taken to stay compliant with international rules designed to stop money laundering. Mark had just e-mail addresses for most of his users, much less than financial regulators generally expected. Of course, it wasn’t clear what regulations Bitcoin would fall under, if any. But there was now real money flowing into and out of Mt. Gox, making the exchange an easy target for government prosecutors if they decided to look.
THE FIRST SIGN of any relief for Mark came in an e-mail that popped into his inbox later that morning.
Hey Mark—
If you guys need any physical help, I’m available. I can be at your office within 10 minutes.
I’m not sure what I can do to help, but I can help with phones or emails or anything you need for a day or two until you get things calmed down.
The e-mail came from Roger Ver. From Roger’s glass-walled sixteenth-floor apartment, in one of Tokyo’s most exclusive residential towers, he could see the Cerulean Tower, where Mark had recently set up Mt. Gox’s offices. Since discovering Bitcoin in April on Free Talk Live, Roger had dedicated many of his waking hours to thinking up new ways to promote the technology. In a conversation right before the crash he had said something that would become a standard line for him: “Bitcoins are the most important invention since the internet itself. They will change the way the entire world does business.”
At this point, though, Roger knew that Bitcoin relied as much on Mt. Gox’s survival as on the Bitcoin protocol itself, and he wanted to make sure that Mt. Gox would survive so that Bitcoin could as well.
By the time Roger sent his e-mail, Mark had driven in his souped-up 2009 Honda Civic from his apartment to his new office. Mark quickly connected with Roger on Internet chat—Mark’s preferred method of communication—and asked him to come right over. He needed people who could speak English and sort through the thousands of incoming e-mails from confused customers.
When Roger showed up at the bare-walled office, he was an even more forceful and impressive presence than he seemed online. He had the lean, muscular physique of a wrestler, which is what he had once been, and the buzz cut and big smile of a politician, which is what he had once wanted to be. What’s more, he came with his Japanese fiancée, Ayaka, and one of his employees from Memory Dealers, whom he put at Mark’s service.
Roger, on the other hand, had to adjust his judgments of Mark in the other direction. Mark had the chubby look of a big child and the nervous crooked smile of someone who was not entirely comfortable with direct human contact. His wardrobe was heavily reliant on T-shirts with puns about programming languages. His heavily accented English made him difficult to understand. Mark’s only staff member was a young Canadian with no programming expertise who had been hired a few weeks earlier. Roger put all this aside for the time being and dived into the flood of customer-support requests.
Roger brought an energy unlike anything that Mark had seen before. As he plowed through complaints and requests, Roger also managed to convince an old friend to get on a flight from California to help the Mt. Gox rescue effort.
Roger and the friend who came to Tokyo the next day, Jesse Powell, were a somewhat unlikely pair. In contrast to Roger’s clean-cut, buttoned-down appearance, Jesse had long blond hair and had used money from his startup to found an art gallery in his hometown, Sacramento. But Jesse and Roger had met when they were teenagers and both playing the card game Magic competitively. The strategy game appealed to both young men—and many of the other youngsters who later found Bitcoin—because they liked the idea of finding unexpected solutions to complex problems. Later on, the same instinct had led both of them to the martial art jujitsu. A mixture of Japanese and Brazilian influences, jujitsu gained renown as a way for smaller, less muscular people to disarm and defeat larger opponents. Libertarianism and Bitcoin were alluring to Roger and Jesse for much the same reason, owing to the deceptively simple answers they promised for much bigger problems.
Roger had chosen his apartment in Tokyo largely because it was near his jujitsu studio, or dojo, and during Jesse’s visit to help at Mt. Gox, the men went to the dojo to grapple with each other and let off steam. But they spent almost all of their time working through the constantly growing pile of e-mails that had been sent to info@mtgox.com.
Mark, for his part, spent these days silently parked in front of his computer, investigating the cause of the hack. He determined that the attacker had gained access to Jed’s Mt. Gox administrative account by either guessing the password with the brute force of a computer program or by gaming the system that allowed users to create new passwords. In the end, Mark calculated that the site had lost only a few thousand Bitcoins, which he promised to reimburse with the company’s money.
Mark then moved on to rewriting the Mt. Gox code so that he could reopen the site. Two days after the crash, he appeared briefly, via Skype, on The Bitcoin Show, a relatively new online production created by an enthusiast in New York. Mark took the opportunity to blame the code he inherited from Jed McCaleb, which he said had “a lot of problems.”
“The new system was written from scratch with absolutely no code from the old system,” he said. “It was made from state of the art techniques.”
Two days after that, Mark made a transfer of 424,424 Bitcoins that was visible on the public blockchain, in order to prove that he had his customers’ coins.
“Ready guys?” he asked, right before making the move. “Don’t come after me claiming we have no coins after that.”
“Hopefully I’ll be able to work without getting too much disturbed after that,” he said.
Roger and Jesse were initially impressed by Mark’s calm during the crisis. Every day he sat quietly at his desk, eyes fixed on the screen. But as the week progressed, Mark’s silence put him at an uneasy distance from the surrounding world. Jesse and Roger grew concerned that all Mt. Gox’s technological and financial affairs were in the hands of one person, with no one else in a position to question his decisions or stand ready if things went wrong. They also worried about Mark’s ability to prioritize tasks properly. They frequently noticed that when Mark was supposed to be working on fixing the site, he was instead on the Mt. Gox chat channel, trying to address customer complaints. At the end of the week, Roger and Jesse asked what time they should come in the next day.
“Oh no,” Mark said. “We can just start again on Monday.”
“But this site isn’t even back up,” Roger said. “I think we should keep working until we get it up.”
Mark said something about the office tower being closed during the weekends and shut off further conversation. While walking back to Roger’s apartment, Roger and Jesse wondered at Mark’s lack of urgency.
Mark himself worked through the weekend, from his apartment, and opened the site for trading on Monday morning. As soon as this happened, the price of Bitcoins began falling. In the week that Mt. Gox had been closed, the public perception of Bitcoin had taken a decided turn for the worse, with a series of news articles suggesting that the hack marked the likely end of Bitcoin. The day after Mt. Gox reopened, Forbes, which had been among the first to write positively about Bitcoin, said that “it’s likely to go the way of other online currencies,” the first of many public obituaries for Bitcoin.