Mt. Gox Vulnerability Covered Up by Founder McCaleb, Lawsuit Alleges

The latest in the long trail of events since the 2014 shutdown of Mt. Gox, the then-largest but now defunct cryptocurrency exchange, is a lawsuit that two former traders on the exchange brought against founder Jed McCaleb. The traders, Joseph Jones and Peter Steinmetz, accuse McCaleb of fraudulently and negligently misrepresenting Mt. Gox to “induce” traders to use the exchange. The duo, who filed the lawsuit on May 19 in a court in California, allege that McCaleb was aware of “serious security risks” in the architecture of Mt. Gox back in late 2010 to early 2011, but neither followed up to fix the issues nor disclosed the vulnerabilities to the public.

Was McCaleb aware of Mt. Gox's security flaws?

The lawsuit from Jones and Steinmetz builds on findings previously published in a Daily Beast report, which suggests that Mt. Gox had security flaws from its early days. The lawsuit claims that in or before January 2011, when the Mt. Gox account was compromised, leading to the unauthorized sale of thousands of users’ Bitcoins (BTC), McCaleb was informed about the security flaws and was aware that more than 80,000 Bitcoin had already gone missing.

Not long after, another breach occurred, termed the “dictionary attack” (i.e., an attempt to gain unauthorized access to an account or computer system by trying several different passwords until one is correct), which involved at least two Mt. Gox accounts. McCaleb failed to take any action to fix the security issues, but instead sold the majority of his interest in Mt. Gox to the eventual CEO of the exchange, Mark Karpeles, the lawsuit claims. Karpeles signed the sales and purchase agreement around February 2011. In a recent interview with Cointelegraph, Karpeles confirmed his belief that the security flaw in Mt. Gox through which the attackers gained access was part of the original architecture of the platform:

“Mt. Gox was hacked prior to being transferred on from what ordinarily was made by the Mt. Gox creator McCaleb. I have not been able to review everything myself because right now the lawyer holds the files but based on what they could find on the blockchain, as for the stolen bitcoins, are basically analyzed from the different court documents that will be made available. I'm 99 percent sure that the hacking came from what originally was made by McCaleb, the original creator of Mt. Gox.”

The following email on April 28, 2011, obtained by The Daily Beast, suggests that McCaleb, who co-founded both Ripple and Stellar and currently serves as Stellar's chief technology officer, knew about the missing 80,000 Bitcoin but did not disclose the information to the public:

[Image: email dated April 28, 2011, obtained by The Daily Beast]

Data obtained from Bitcoin.com shows that the price of bitcoin was, on average, $1.90, as of April 28, 2011.

[Chart: Bitcoin price on April 28, 2011. Source: charts.bitcoin.com]

Indeed, as McCaleb wrote, Mt. Gox appeared to have made enough money to cover the loss of 80,000 Bitcoins, given that McCaleb came back around December 2011 to request an earnout worth $263,431 from Karpeles, in accordance with the sale agreement between the two. The supporting documents filed with the lawsuit include a purported email conversation between McCaleb and Karpeles:

[Image: purported email conversation between McCaleb and Karpeles]

Misrepresentations made by McCaleb?

After McCaleb handed over the reins of the exchange to Karpeles, Mt. Gox would go on to lose about 700,000 more Bitcoin to hacks and theft, all of which led to the eventual collapse of the exchange.

As of the time Mt. Gox halted withdrawals on Feb. 7, 2014, Steinmetz owned 43,000 BTC and Jones had 1,900 BTC, as the lawsuit shows. Based on the lowest Bitcoin price of $654.35 on the day, Steinmetz’s holding was worth roughly $28,137,050, and Jones’ 1,900 BTC was worth about $1,243,265.

[Chart: Bitcoin price from Feb. 7, 2014 to Feb. 8, 2014. Source: Coin360]

Jones and Steinmetz claim that McCaleb reassured them about the security of the exchange following the dictionary attack in 2011. An unknown amount of Bitcoin was missing due to this attack. In addition, the plaintiffs described themselves as experienced cryptocurrency traders and, as of the time of filing, they were still in pursuit of their lost Bitcoin.

Alleged misrepresentations that the plaintiffs mentioned include McCaleb saying:

[Image: Timeline of Statements]

These statements suggest that every issue of which McCaleb was aware was fixed and that no Bitcoin was stolen, a contradiction to findings that 80,000 Bitcoin was already missing. However, the purported misrepresentations above led users, especially the plaintiffs, to continue trading on Mt. Gox until the exchange ultimately sought bankruptcy protection in 2014, going by the following paragraphs in the lawsuit:

"Had plaintiffs known that the representations and omissions made by defendants were inaccurate, false and misleading, and designed to induce plaintiffs into utilizing the services provided by defendants, plaintiffs would not have selected Mt. Gox to do their bitcoin trading. As a direct, proximate and foreseeable result of defendants’ fraudulent misrepresentations and omissions, plaintiffs have suffered and will continue to suffer substantial damages in an amount to be proven at trial.”

A similar lawsuit filed against McCaleb by two different ex-users of Mt. Gox last year showed email conversations with McCaleb that suggest that he was aware of the security flaws that had led to Bitcoins going missing from the platform. The 2018 lawsuit, filed by Donald Raggio and his son Chris Raggio, claimed that McCaleb did not do enough to recover a total of 9,500 Bitcoins that were stolen from the pair’s accounts on Jan. 9, 2011.

Meanwhile, the struggles of Mt. Gox creditors to get their funds back are lingering. There had been hopes that creditors, of which there are approximately 24,000 people in total, might get paid before the end of 2019. However, the exit of the founder and coordinator of Mt. Gox Legal (MGL), Andy Pag, from the group has raised new uncertainties. Pag, who decided to sell his stake in the group when he stepped down, said that the civil rehabilitation process of the failed exchange could take two additional years to reach a conclusion. Pag pointed at online legal issues including the recent petition from United States-based startup incubator CoinLab, which has issued a claim for $16 billion from Mt. Gox. It seems that the more the situation around Mt. Gox and its creditors develops, the more questions and accusations emerge.