History revisited: US DOJ unseals Mt. Gox cybercrime charges – Source: nakedsecurity.sophos.com

Remember Mt. Gox?

Originally, it was a card-trading site called MTGOX, short for Magic The Gathering Online Exchange (there was no sense of “Mountain” in the name at all), but the domain changed hands and purpose in the early days of cryptocurrency.

Operated out of Japan by French expatriate Mark Karpelès, Mt. Gox rapidly became the biggest online Bitcoin exchange, but imploded in 2014 when the company was forced to admit that it had lost Bitcoins worth more than $0.5 billion at the time (they’d be worth more than 25 times as much today).

As we wrote back then:

In 2014, the Big Daddy of Bitcoin exchanges, Japan-based Mt. Gox, made a “So sorry, they seem to have vanished” announcement about a whopping 650,000 Bitcoins, worth approximately $800 each at the time.

The mystery of the missing BTCs was at first blamed on a cryptographic flaw in the Bitcoin protocol that Mt. Gox’s coders hadn’t defended against properly – something they really ought to have done, considering that they were sitting on half-a-billion dollars worth of other people’s assets.

But that story didn’t wash with everyone, not least those who thought that any abuse of the flaw concerned (it’s euphemistically known as transaction malleability if you would like to look it up) ought to have been visible, albeit too late, in the transaction record.

Some people suspected Mt. Gox insiders of simply taking the missing Bitcoins (or some of them, anyway) for themselves.

Ironically, the very sort of incautious attitude to coding that would make a transaction malleability exploit possible would probably also make it possible for rogue insiders to get away unnoticed with large-scale Bitcoin larceny.

That’s where the story sat throughout the second half of 2014: something bad happened, but no-one quite knew whom to blame.

But on New Year’s Day 2015, as we noted in that report, Japanese newspaper Yomiuri Shimbun published a dramatic article in which it openly stated that there was “strong suspicion” that most of the missing Bitcoins were ripped off from inside.

The paper suggested that although the loss of BTC 7000 could be explained by cyberattack (in other words, that crooks outside the company’s network were the perpetrators), there was no evidence of cyberattack in repsect of the remaining BTC 643,000.

In short, the reporters at Yomiuri Shimbun were as good as saying, 99% of the crime was an inside job.

Karpelès, for his part, ultimately received a suspended prison sentence in Japan, but that was because he was found guilty of misrepresenting his financial position to potential investors, not because of the missing Bitcoins.

Not Karpelès

Ironically, perhaps, Karpeles now has what amounts to a partial exoneration on the matter of the many missing Bitcoins, with the US Department of Justice unsealing Mt. Gox-related charges against two named individuals:

Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, both Russian nationals, are charged with conspiring to launder approximately 647,000 bitcoins from their hack of Mt. Gox.

[…]

Bilyuchenko, Verner, and their co-conspirators allegedly used their unauthorized access to Mt. Gox’s server to fraudulently cause bitcoin to be transferred from Mt. Gox’s wallets to bitcoin addresses controlled by Bilyuchenko, Verner, and their co-conspirators.

From September 2011 through at least May 2014, Bilyuchenko, Verner, and their co-conspirators allegedly caused the theft of at least approximately 647,000 bitcoins from Mt. Gox, representing the vast majority of the bitcoins belonging to Mt. Gox’s customers.

Bilyuchenko, Verner, and their co-conspirators allegedly laundered the bulk of the bitcoins stolen through Mt. Gox principally through bitcoin addresses associated with accounts Bilyuchenko, Verner, and their co-conspirators controlled at two other online bitcoin exchanges.

In an intriguing twist, Bilyuchenko is also charged with operating one of those “two other online Bitcoin exchanges”, the notorious exchange known as BTC-e, along with a third individual named Alexander Vinnik.

BTC-e ran from 2011 until July 2017, when it was busted and shut down by US law enforcment.

Vinnik was indicted back then by a US court on money-laundering charges, after being arrested in Greece.

(Since then, Vinnik has variously been in custody in Greece; extradited to France, where he was sent to prison for money laundering; returned to Greece after his release; and then extradited to the US to face charges there.)

The DOJ’s press release about these new charges, relating to a hack that now dates back more than 10 years, says simply that Bilyuchenko and Verner are “Russian nationals”, but not which country the two men are in right now.

But US Attorney Ismail J. Ramsey did go on the record to say:

For years, Bilyuchenko and his co-conspirators allegedly operated a digital currency exchange that enabled criminals around the world – including computer hackers, ransomware actors, narcotics rings, and corrupt public officials – to launder billions of dollars.

The Department of Justice will work tirelessly to identify cyber criminals, no matter where they are.

And Bilyuchenko and his co-conspirators will learn that the Department of Justice has long arms and an even longer memory for crimes that harm our communities.

As for Mt. Gox, its winding-up process is at last drawing to a close, with the final deadline for recognised corporate creditors to file verification documents recently extended until 2023-06-15, just three days from now.

Though the mills of the Law grind slowly/Yet they grind exceeding small/Though with patience they stand waiting/With exactness grind they all…

…or, at least, we can but hope they do and will.

LEARN MORE ABOUT BTC-E (AND HOW DARK WEB CROOKS GET CAUGHT)

We talk to renowned cybersecurity author Andy Greenberg about his excellent book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.