Users of recently bankrupt bitcoin exchange Mt. Gox may have more to worry about than just the loss of crypto-currency and cash deposits. Rumors circulating in online chat forums suggest that hackers may have penetrated the failing bitcoin exchange and stolen troves of sensitive data, including the exchange’s source code and, more troubling, user personal identification information like passport scans, bank account numbers, and home addresses used for “know your customer” account verification.
While PandoDaily cannot verify these claims, an individual going by the name “nanashi” (or 名無し, Japanese for anonymous) in the IRC chat forum ##mtgox-chat has posted what he claims is a sample of the Gox source code (1,719 lines) and an audio recording purporting to be a phone call (in Japanese) between Gox CEO Mark Karpeles and a Japanese banker. Both appear to be intended as evidence of the breach, although it’s unclear who made the recording and whether the code was actually obtained from the Mt. Gox database.
A HackerNews user going by the name gklitt, who claims to be a fluent Japanese speaker, calls the recording “legit” and adds that “One of the voices is almost certainly Mark Karpeles’ (based on hearing his voice in his recent public apology…).” Gklitt further explains that the recording is that of a January 30th call between Karpeles and a representative of Mizuho Bank who wishes to shut down Mt. Gox’s accounts due to recent technical issues and other factors.
Several HackerNews threads involving this breach offer technical discussions of the leaked Gox code in which a number of weaknesses and poor practices are described. This follows a recent Wired article in which anonymous insiders describe Gox as a technically inept organization besieged by its immature and ineffective CEO.
Nanashi, who self-identifies as being Serbian (although he doesn’t respond to comments directed at him in Serbian), claims not to be a member of the unnamed hacking group but simply to be communicating on its behalf. Language barriers, combined with the frenetic and disjointed nature of IRC chats, make the conversation difficult to follow. He states at the end of the chat thread that the hacker group is focused, at least currently, on dissecting the non-personal information for clues as to what happened at Mt. Gox, rather than releasing or exploiting users’ personal information.
The chat thread reads:
nanashi____: want gox boss going a jail for crime against user
emma: nanashi____: – fraud deserves to be revealed. innocent customer information doesn’t. Okay?
nanashi____: passport copy not release
pasod: nanashi____: tell your friends to respect users personal information please
nanashi____: they look for non personal document at moment
The notion that “white hat,” or benevolent hackers (as opposed to “black hat,” nefarious ones) are Mt. Gox victims’ best hope would be ironic, if it weren’t so sad. If what Nanashi claims is legit (and there’s no way to know that), then this could be a positive development. Despite the criminal nature of the group’s activities, the hackers might be better equipped to dissect the inner workings of Mt. Gox, which is, in essence, one huge mound of code, than any traditional law enforcement agency.
Nonetheless, even the slightest possibility of identity theft rubs salt in the wounds of Mt. Gox users, victims who most likely have lost financial wealth. As another HackerNews user, “nathan_f77,” puts it:
Wow, that’s a lot of my personal data leaked in these last months. My email and encrypted password in the adobe breach, my user id and part of my mobile number via SnapChat, and now hackers potentially have scans of my passport courtesy of Mt. Gox.
I’m probably forgetting about some leaks, and who knows how many security breaches were never discovered. The internet is not a safe place.
As of Friday, Mt. Gox sought bankruptcy protection under Japanese law, citing more than $63 million in debt and the loss of more than 850 million bitcoins. A group of US Gox users have also filed a class action lawsuit against the exchange, alleging negligence, consumer fraud, breach of contract, and breach of fiduciary duty, among other allegations.
We are at the very beginning of what promises to be a lengthy, ugly saga as law enforcement, courts, and maybe a few coders attempt to sift through the rubble that’s left of this former top bitcoin exchange. Given Gox’s history of breaches, it’s unsurprising that hackers could penetrate the system and make off with sensitive data.
Best case, it will be Mt. Gox’s own ineptitude that allows the bitcoin community to piece together the details of what went wrong and potentially recover some of the lost deposits. Worst case, “Goxed, Part II: An Identity Theft Saga” is coming to a theater near you.