I’m Kevin and I'm the guy who bought 259684 BTC for under $3000 yesterday. I really wanted to keep this as quiet as possible, but I don't feel I can anymore. Here's my side of what happened.
On an exchange like MtGox, there are typically hundreds of standing "buy orders" where people are offering to buy bitcoins at various amounts and prices. When a large sell order comes in, an exchange will start with the highest priced buy order, match up the buyer and seller, then move down to the next lowest buy order. This repeats until the entire quantity of bitcoins being sold have found buyers, or there are no more buyers at the minimum price the seller was willing to accept.
I was watching, like many of you, a gigantic sell order burning through the bids. Mt Gox doesn't execute trades very quickly, so we were watching this huge order slowly eat up every buy order on the books. The price started at around $17.50, and within minutes was below $10. At this point, I realized this wasn't merely a large seller willing to accept some losses. This was someone attempting to crash the market by selling a huge percentage of the market's total bitcoins at once.
I had around $3000 USD in my Mt Gox account, from earlier sales I'd made. I looked at the market stats, and realized that there were tons of orders to buy BTC at $0.01 that would likely eat up any remaining bitcoins this seller had on the order. I figured if I put a buy order in for $0.0101, my order would execute first and I could buy a huge amount of bitcoins from this seller before it hit the bottom. The only problem was that Mt Gox was running slower than molasses at the time, and everyone was saying that it wasn't accepting trades. I had to try several times, but eventually I got a buy order in, offering to buy as many bitcoins as I could for $0.0101.
The site stopped responding completely for a while, probably from so many people hitting refresh to see what was going on. When I got back in, I saw in my account:06/19/11 17:51 Bought BTC 259684.77 for 0.0101
I had just purchased over 250,000 bitcoins for $2613. At the trading price immediately before this large sell order happened, that number would have been worth nearly $5 million. After I regained my breath, I tried to figure out what to do. I wasn't sure what was really going on. Over the past few days there had been a lot of talk and complaints about Mt Gox's security. Lists of Mt Gox usernames, email addresses and encrypted passwords were being traded around, which was an obvious sign that security at Mt Gox had been breached in some way. If there was an attacker in the system, perhaps he was able to log into my account now and force my account to execute some other crazy trade.
I attempted to withdraw the bitcoin balance into my own wallet, and hit the limit that Mt Gox has, preventing you from withdrawing more than $1000 USD worth of bitcoins (at the current market value) in a day. This transferred 643.27 bitcoins to my personal bitcoin account before hitting that limit. It was pretty well known that the limit for transferring bitcoins was actually broken in Mt Gox. It stopped you from moving more than that in one withdrawal, but you could immediately ask for more and get another $1000 USD worth, over and over. I decided against this, since it was exploiting a bug, and I definitely didn't want to do anything suspicious looking or improper.
The thought also occurred to me that there were only about 100 bitcoins worth of buy orders back on the market in the minutes immediately following all of this. I could place a reasonably sized sell order for $0.001, crash the market again, and withdraw probably all of the bitcoins, since they'd be valued at $0.001 each and would fit under the $1000 USD limit. I also decided against this, when I realized that whoever placed the gigantic sell order was probably doing so for the exact same reasons and I knew how that would make me look.
I then sent an private message on IRC to MagicalTux (Mark Karpeles, the founder of Mt Gox) to explain that I was the one who won the giant buy order, and that I wasn't the same person as whoever placed the huge sell order. We'd talked previously, including a private talk a couple of days ago about Mt Gox's "change my password" system not working. He didn't respond to me at all, but I figured he was busy. A few minutes later he was saying in public that he'd decided to reverse all the recent trades, effectively undoing the final 3602 trades that were executed before he shut the site down.
We talked a bit, and I started to become increasingly concerned with what Mt Gox was saying in public which was totally contradicting what I knew to have happened. The Mt Gox status page said:
"One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins."
There are three very misleading elements in that line alone.
First, this makes it sound like the "hacker" is the one who was buying back all the bitcoins at a penny. We all were watching the trades execute in real time, there was only one buy order of anywhere near the size of the huge sell order that went through, and I was the buyer not the hacker. Other people in IRC were saying which other buy orders they were able to get. The hacker couldn't have been able to buy back even 10% of the bitcoins that were sold during the sell-off. Did this mean Mark thought *I* was the hacker? I have repeatedly asked him this question, which he's managed to ignore each time.
Recently I've been getting into the bitcoin trading market. Over the last couple of weeks, I was hitting the $1000 USD Dwolla cash withdrawal limit from Mt Gox, so I requested that it be increased. I sent Mt Gox a copy of my driver's license and two utility bills in my name/address to prove my identity, which Mark accepted and increased my limit. Could that have been faked? Sure. But, if I was the hacker I was going about this whole thing stupidly. I had several ways I could have drained the Mt Gox account, and deliberately didn't. I immediately contacted Mark to identify myself as the buyer and offer assistance. If I were up to something shady, I was doing a really bad job at it.
The second thing wrong with Mt Gox's statement is that it makes it sound like only the hacker managed to withdraw any money, and even then only $1000 worth. I alone withdrew 643 bitcoins (worth more than $10,000 USD easily). The withdrawal limit feature was so broken, it was hard to imagine the hacker didn't know how to exploit it.
On top of how misleading I felt they were being about what I knew occurred, I felt it was far worse that they were using this argument for why they wanted to undo the trades. From reading their public statements, they're making it sound like they're reverting the trades because they want to prevent a hacker from profiting from it. This is simply not true, the vast majority, if not all of the buy orders that picked up coins at a low price were regular users like myself. Any profit this hacker was going to make, he's already done so. The majority of the buy orders that got executed were standing orders from legit users that had been in the system for quite some time, and those are the orders he's threatening to revert.
And this is where I, like others here, have a problem. Of course I am greatly biased here, but look at what's going on:
1) Rolling back/Breaking trades is something Mt Gox said they wouldn't do.
Many exchanges will break trades if something truly unusual happened, but there's a policy listed in advance so everyone knows how, when and why it will kick in. Mt Gox never claimed they felt they had the authority to undo trades, in fact the Mt Gox website states:
"You are trading with other users of Mt Gox. Mt Gox does not act as a counter party to any trades."
Claiming that Mt Gox isn't a "counter party" to trades has a specific legal meaning. Typically market participants, stock brokers and other associated people are "counter parties" or "central counter parties" to trades, taking on the burden of insuring trades were executed properly. Put simply, Mt Gox was saying in legal terms they were only acting as a match maker between buyers and sellers, not involving themselves in any issues that may come up from the trades themselves.
If they're claiming they have no responsibility for what occurs, that means they don't get to flex any control over it. You're either merely introducing buyers and sellers to each other and have no liability or power over what happens after that point, or you are a central counter party to the trade and do get to make those decisions. Mt Gox is trying to have it both ways, after telling us that they didn't want the responsibility. No rollback policy was ever published or even discussed anywhere I could find.
2) Mt Gox had been repeatedly warned about password security issues recently, and continued to reassure us everything was safe.
An exchange cannot be allowed to reassure customers of their security and fail to accept responsibility when it is proven to be insecure. As customers of Mt Gox, we cannot have the same visibility into their systems that they do and must rely on their word that the exchange is trustworthy. If exchanges are allowed to repeatedly tell us we can rely on their trading platform, fail at securing it, then be given a blank check to remove funds from anyone they desire to make themselves whole again, no exchange has any incentive to secure themselves.
3) The precedent they're setting here cannot be maintained.
Exactly what happened here may never be fully known, but according to Mt Gox an unauthorized user accessed someone's account and placed a sell order. Passwords get guessed/leaked all the time, and any exchange that attempts to undo that in every case will undoubtably fail.
If I'm careless with my password and someone places orders on my behalf in my account without my permission, will Mt Gox revert an hour's worth of trading to fix it? What if I only had 2 bitcoins? Or 20? or 200? There is no way rolling back trades to handle a compromised password in any way that will scale to the size of bitcoin's current economy. Unless Mt Gox is wiling to explicitly say they'll give this same treatment to any user who has their account compromised, it's blatantly unfair to everyone else.
This also opens the door to allowing anyone to request equal treatment if they made some trades they later regret. Log in through a proxy to make it seem like someone from a distant country was using your account, make your trades, then later scream about how your account was compromised and you want a do-over.
4) The whole situation seems fishy once you know everything that’s been made public.
Mt Gox's story is requiring extreme leaps of faith to believe. They have insisted that only one account was accessed. This means they expect us to believe:
* A Mt Gox user had more than 500,000 bitcoins stored in their Mt Gox account (more than $8 million by Sunday's prices).
* This user chose a password that was able to be guessed by a password cracker from the encrypted hash of their pass. (This means their password was likely quite simple)
* This user managed to amass this many bitcoins without being involved in the community enough to hear everyone screaming about the password file being leaked to the world.
* Mark claimed to me that police reports were filed in less than an hour after Mt Gox's trading was halted.
* The decision to roll back trades was announced within minutes of them investigating.
* Mt Gox's public statements have been, at best, misleading.
All of this is so implausible that I can't help but believe we are not being told the whole story. I am not implying that I believe Mt Gox is acting dishonorably
, but that if they don't respond to this sort of thing, people will start jumping to worse conclusions.
If I had $8 million worth of easily convertible currency, there is absolutely no way I would store it on a public website like Mt Gox, no matter how secure I believed it was. If I had to store that much there, even temporarily, I would use a password so long it would make War and Peace look like a Twitter message.
Is the account owner a friend or investor in Mt Gox? The account owner managed to get decisions made and a police report filed faster than I was able to get a response out of Mark. If there is some kind of connection between the account owner at Mt Gox, this needs to be fully disclosed and explained before any actions are taken, or any trust in what Mt Gox does is going to be shattered.
I am not actually accusing Mt Gox of scamming us or anything, but asking their users to accept over 500,000 BTC in orders to be reversed due to a story that has some serious holes in it, greatly benefits an anonymous account holder, and has some elements that are provably false is simply unacceptable.
5) Claims that they want to revert to protect the market are false.
Again, unless there are major pieces of the story missing, the hacker has already gotten away with whatever they were going to. Secure the compromised account with a better password and that matter is closed.
Mt Gox's website was severely affected by the large sell order, very very few new sell orders made it into the system. A few people did get some panic sells in during the freefall, but they were tiny in comparison to the volume of the big sell that started the mess.
The majority of the "buy" orders that got executed were long standing buy orders that were already in the system. Those people, before any crash started, told the system of their intent to buy at specific prices, and those agreements were honored. At worst, buyers got exactly what they already agreed to purchase, at best got a good deal.
The market made a 70% recovery within minutes, and was continuing to trend upwards before Mt Gox halted trading and shut their web server down.
The only parties that need to be involved in this are Mt Gox and the original account owner to determine if any unauthorized trades were actually made from their account, and how Mt Gox is going to make it up to them.
6) Mt Gox has several options before them, and are choosing to screw over the community to protect their profit.
I've seen people throwing around three options:
Option 1: Rollback all trades.
+ The guy who chose to store $8m in bitcoins on a public website gets the majority of his money back
+ Mt Gox is out very little
? Sellers who placed a panic sell during the freefall get a free undo.
- This sets a precedent that trades can be reversed, which increases risk and will likely result in some players want to wait for their trades to "clear" before taking further action making us no better than using PayPal.
- This gives strong incentive for traders to immediately withdraw funds after a trade, which will greatly reduce liquidity.
- Buyers who had both new and long time orders that were executed are getting them revoked by a policy that didn't exist yesterday.
- Had I not decided to "do the right thing" and leave the funds in Mt Gox, this wouldn't even be an option.
Option 2: Mt Gox tells the account owner "tough luck" and does nothing.
+ Everyone else who placed orders will be unaffected
- The account owner that got hacked is facing massive losses from something that may have not been completely their fault.
- This gives strong incentive for traders to immediately withdraw funds after a trade, which will greatly reduce liquidity.
- Mt Gox ends up earning their trading fees off someone's loss that they were likely partially or fully responsible for.
Option 3: Mt Gox takes responsibility, and reimburses the original account owner's account to the best of their ability.
+ The exchange is forced to deal with the consequences of their negligent lapse in security
+ Faith in the trading market would be largely restored if not increased
+ Buyers who placed orders that were executed get what they paid for
+ Mt Gox has clearly made several times more revenue (through trading fees) than this incident would cost them to completely absorb.
+ If this became an expected feature of an exchange, only exchanges that actually protected our accounts would survive.
+ Mt Gox is the only party that can go after the auditor that they are claiming was responsible for this incident
- It is uncertain if Mt Gox actually has that much liquid reserve to do this fully.
I am publicly asking Mt Gox to explain why they are unwilling to go for Option 3. They're choosing the option that costs them the least, protecting this mystery user at the expense of the entire bitcoin community. Their decision will result it everyone refusing to keep balances in the exchange for fear that profitable trades will be lost at the whim of the exchange owner. You've heard my story, if you make a sudden windfall trade that nets you a good profit, how long are you going to let Mt Gox hold onto it, out of fear they're going to claim it was invalid? If everyone is doing this, where is the money going to come from to make trades?
I realize a lot of this is going to fall on deaf ears who think I’m only doing this for my own profit. I’d believe this no matter what, but I probably wouldn’t be fighting so passionately if I didn’t have some stake in it.
I made a bunch of attempts to try to come up with some kind of mutually agreed on plan with the Mt Gox people, only to get stalled (they won't even talk to me until I sent them notarized copies of my photo ID on a Sunday?). I'd like to end as much uncertainty as I can, so this is my side. We all have opportunities to totally disrupt the market. I could threaten legal action which would cause an even bigger run on their reserves. Mt Gox could close their doors and take everyone's cash. I could have drained the money from Mt Gox but didn't. I really just want a fair solution that doesn't leave anyone hanging and doesn't disrupt the whole economy any more than it already has been.*flame suit on*