The fall of FTX, a crypto empire that defrauded investors, customers and employees to the tune of $8 billion, rattled the ecosystem, with many worrying whether it would survive.
However, this was not the first time a failure of such magnitude had happened in the space. Unbeknown to many cryptocurrency newcomers, in 2014 the world’s largest bitcoin exchange, Mt. Gox, went bankrupt following a series of hacks and mismanagement issues. The fall resulted in customers losing over 800,000 bitcoin — a level of worry that makes FTX seem like a blip in time.
Tokyo-based Mt. Gox, whose domain (MtGox.com) was originally registered in 2007 to host a trading site for the wildly popular “Magic: The Gathering” game cards, began operating as a rudimentary bitcoin exchange in late 2010. As business began to drive huge traffic, the owner sold the platform to Mark Karpelès.
Karpelès, an avid programmer and Bitcoin enthusiast, beefed up the web platform’s code to handle an increased volume of bitcoin transactions and buy and sell orders. Ultimately, the exchange’s failure demonstrated that he did not do a sufficient job, either technically or in the management aspects of the business, as he tried filling the role of Mt. Gox’s chief executive officer with little experience.
On February 24, 2014, Mt. Gox suspended trading and went offline. Eventually, it came to light that Mt. Gox’s infrastructure had been exploited by attackers multiple times over the course of several years. The attackers had slowly robbed the exchange of its bitcoin by manipulating parts of the transaction data — a characteristic known as transaction malleability — leading Mt. Gox to believe that certain withdrawals had not happened, which in turn led it to send the requested funds multiple times.
Earlier that month, Mt. Gox had gone offline for a few hours and its team issued a press release blaming the Bitcoin protocol itself for being faulty in its transaction watching mechanism. When receiving a withdrawal request, the exchange would observe the Bitcoin blockchain for a confirmation of the withdrawal transaction ID — a hash constructed from the transaction data. However, a transaction ID is only final once the transaction gets confirmed on the blockchain, a characteristic that lets attackers alter parts of the transaction — not including the inputs and outputs — and thus alter its ID. The result? Mt. Gox’s database would not show a successful withdrawal as the specific transaction ID that the exchange was watching for would never make its way into a block, but the attacker would still receive the bitcoin as the altered transaction did get confirmed. (It is important to reiterate that this was a failure of Mt. Gox, and not of the Bitcoin protocol.)
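The tracking failure described above, as an added example that is not part of the original article: a toy Python model in which one withdrawal is reconciled first by transaction ID and then by its inputs and outputs, the parts the paragraph says cannot be altered. The JSON serialization, the `payment_key` helper and all transaction values are constructed assumptions, not Bitcoin's wire format or Mt. Gox's code.

```python
import copy
import hashlib
import json


def txid(tx):
    """Toy transaction ID: double SHA-256 over the whole transaction, signature bytes included."""
    raw = json.dumps(tx, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


def payment_key(tx):
    """Identifier built only from the spent outpoints and the outputs (assumed helper name)."""
    body = {
        "inputs": [[i["prev_txid"], i["vout"]] for i in tx["inputs"]],
        "outputs": tx["outputs"],
    }
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def reconcile(pending, block_txs, key):
    """Map each pending withdrawal ID to True if a confirmed transaction matches under `key`."""
    confirmed = {key(tx) for tx in block_txs}
    return {wid: key(tx) in confirmed for wid, tx in pending.items()}


# Constructed sample: the withdrawal as the exchange broadcast it.
BROADCAST = {
    "inputs": [{"prev_txid": "aa" * 32, "vout": 0, "sig": "3044aabb"}],
    "outputs": [{"address": "customer-address-placeholder", "amount_sat": 100_000_000}],
}
# Constructed sample: same inputs and outputs, but the signature bytes were
# re-encoded before confirmation, so the hash over the full transaction differs.
CONFIRMED = copy.deepcopy(BROADCAST)
CONFIRMED["inputs"][0]["sig"] = "304500aabb"

PENDING = {"withdrawal-1": BROADCAST}
BLOCK = [CONFIRMED]

if __name__ == "__main__":
    print("by txid:       ", reconcile(PENDING, BLOCK, txid))         # looks unpaid
    print("by payment key:", reconcile(PENDING, BLOCK, payment_key))  # seen as paid
```

A ledger that treats the first result as "withdrawal failed" and pays again is exposed to the duplicate payouts described above; matching on the spent inputs and the outputs closes that gap.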
While this accounting discrepancy was, surprisingly, never spotted, on February 24, 2014 an internal Mt. Gox document was leaked, detailing how big of a hole it had really dug for itself. The document indicated that over 800,000 bitcoin were stolen, worth over $430 million then and almost $18 billion now; nine years later and customers are still waiting to get some of their bitcoin back.
At the time of failure, it was estimated that Mt. Gox was handling as much as 70% of all bitcoin traded worldwide. For comparison, FTX’s fall represented a fraud of over $8 billion, or less than half the corresponding amount of bitcoin lost with Mt. Gox. Sam Bankman-Fried’s exchange was a prominent one, but it didn’t hold the top spot worldwide at the time of failure.
While the two exchanges differed in terms of how they collapsed, the backbone issue was the same: centralized exchanges represent single points of failure. In both instances, the chief executives failed their clients, who had trusted them with the custody of their bitcoin. For all exchanges, the risk of error, fraud or bankruptcy is an omnipresent threat that should be treated as such. It is never too late to get into self-custody and take control over your bitcoin.