February 28, 2025, marks the eleventh year since the collapse of the Japanese exchange: history and recent developments.
Initially conceived as a trading space for online collectible cards of the game Magic: The Gathering Online, the Mt. Gox platform was born in July 2010. The name is directly linked to its original purpose, consisting of the initials of Magic: The Gathering Online Exchange.
The founder of the platform is Jed McCaleb, an American programmer and entrepreneur who later became known for his contribution to the development of altcoin such as Ripple and Stellar.
A few months after the launch, the website’s business model was changed, and Mt. Gox became an online marketplace for trading bitcoin.
As early as March 2011, McCaleb decided to sell Mt. Gox to the French programmer and Bitcoin enthusiast, Mark Karpelès.
The rise and problems
At the time, Mt. Gox was already establishing itself in its reference market, effectively becoming one of the very first exchanges in the world. Thanks also to the increase in the price of bitcoin, growth was exponential: by early 2013, Mt. Gox became the largest exchange in the world by trading volumes, handling approximately 70% of bitcoin trading volumes.
The exchange’s problems would only become serious in 2014, but one of the most widespread suspicions is that Mt. Gox was actually subject to continuous hacker attacks as early as 2011.
The first breach dates back to June 2011, presumably due to a compromised computer belonging to an auditor. On that occasion, the hacker used the auditor’s credentials to access the exchange, artificially manipulate the price of bitcoin by quoting it at 1 cent each, and transfer about 2,000 bitcoin from customers’ accounts.
Due to this vulnerability, it was also estimated that some customers were able to purchase 650 bitcoin at the price of 1 cent each.
Following the hack, Mt. Gox implemented a series of security measures, including transferring a considerable amount of bitcoin to cold wallets. Despite the countermeasures, on February 7th, 2014, there was a sudden suspension of withdrawals, and the website became inaccessible.
On February 24th, the exchange permanently suspended bitcoin trading, and four days later, the company declared bankruptcy in Japan. Karpelès admitted to the loss of 844,408 bitcoin, of which 744,408 belonged to customers and 100,000 belonged to Mt. Gox itself.
To this day, the hack at Mt. Gox represents the largest failure ever to occur at an exchange in terms of lost bitcoin.
A few weeks after the collapse, in March 2014, Mt. Gox claimed to have recovered 200,000 bitcoin. Karpelès immediately became the subject of investigations. In 2015, he was arrested in Japan on charges including fraud and embezzlement. Karpelès did not plead guilty to the charges and remained in prison until July 2016 when he was released on bail.
The causes of the failure
After the company’s bankruptcy, some employees leaked internal operational procedures of the exchange. The descriptions provided painted a disastrous picture: disorganized teams, negligence in platform management, lack of expertise, poor security procedures, and a series of serious issues related to the website’s source code.
Investigations initiated in 2014 revealed that Mt. Gox’s wallet’s private key was not encrypted. According to the investigations, the key was stolen in 2011, following the breach of the wallet.dat file. It is unclear whether access to the file was obtained through a hack or by an insider.
Once the file was obtained, hackers had the opportunity to access the wallet and gradually transfer the bitcoin outside without the hack being detected by the exchange.
Mt. Gox attributed the losses to the vulnerability known as transaction malleability, stating that hackers exploited this bug to repeatedly withdraw bitcoin from the exchange. However, some argue that transaction malleability could not have allowed hackers to steal such a large amount of bitcoin without being noticed. On-chain analysis showed that, although the issue of transaction malleability was real, there was no widespread use of that type of attack at the time. From the analysis, it appears that only 386 bitcoin may have been stolen by exploiting the transaction malleability issue.
The compensation plan
Since the bankruptcy declaration of Mt. Gox, a long process began that led to the partial reimbursement of customers affected by the collapse.
In November 2021, Japanese courts and Mt. Gox creditors reached an agreement on the exchange’s rehabilitation plan. The plan establishes a registration and compensation process composed of various phases. Creditors approved for rehabilitation, equipped with a creditor code, were able to register on the Mt. Gox Online Rehabilitation Claiming System portal to request reimbursement.
According to the original compensation plan, Mt. Gox was supposed to reimburse its customers by September 30th, 2023. Later, the company rescheduled the reimbursement to October 31st, 2023.
In September 2023, Kobayashi announced a second deadline extension: October 31st, 2024 to finalize the reimbursement process.
According to some official documents from 2019, the company’s bankruptcy trustee held an amount of 141,686 bitcoin, as well as some bitcoin cash and Japanese yen.
The reimbursement consisted of returning 17% of the funds each customer held on the exchange and was planned to be made either in bitcoin or fiat currency, at the creditor’s discretion.
On December 26th, 2023, some customers confirmed receiving the reimbursement in yen via bank transfer or PayPal. Some even received the reimbursement twice due to an error by the exchange. Within the r/mtgoxinsolvency subreddit, a user reported the email that Mt. Gox sent to some users, admitting the error and requesting the return of the second payment.
Following a series of delays due to legal issues, on July 23, 2024, Dave Ripley, CEO of Kraken, announced that the exchange had completed the distribution of reimbursements in bitcoin and bitcoin cash to creditors. Along with Kraken, other exchanges such as Bitstamp, SBI VC Trade, Bitbank, and Coincheck were selected to facilitate the reimbursement for approximately 127,000 affected customers.