Hacker News
by mtgoxloser 4489 days ago
In this incident I lost a bit more than $500,000 USD that was in my MtGox account. I sold my Bitcoins a few months back, but the USD have been sitting in my account waiting to be withdrawn.

This was a massive fuck up by MtGox, but I really do feel sorry for Mark Karpeles. He seemed really enthusiastic about Bitcoin. Right by MtGox's offices in Japan was a Bitcoin Cafe being built. You can [see here](http://si.wsj.net/public/resources/images/BN-BS458_mtgox0_G_...) the sign of a Bitcoin logo waiting to be unraveled.

Bigger than all the victims (no pun intended) was Mark himself. He lost more Bitcoins than any of us, and it's likely he'll be going to jail. Not to mention the death threats he has and will be receiving.

--

One of the (features?) of Bitcoin is its inherent irreversibility. You only have one chance to get things right. Combined with Murphy's Law, something like this was bound to happen.

I've been a Bitcoin enthusiast and have been mining since early 2011, and Bitcoin has been a huge part of my life, but I will admit my confidence in Bitcoin ever _practically_ succeeding has diminished a little.


I got mugged last night, and gave the mugger a little extra because he was just so darn enthusiastic about mugging.
I chuckled
Did you try to get your money out of MtGox? A friend of mine has been trying to get his money (CAD) out of MtGox for 2 months. He received his money yesterday.
I would advise him to close the bank account the money went into. Wire transfers can be cancelled... and if the bankruptcy folks are quick on their feet the first thing they'll do is cancel every completed wire transfer they can.
Where is he? I've read about a few people getting their money, but they were all in Japan moving $ into Japanese bank accounts.

I tried to withdraw a couple hundred at the start of January into a US bank account and I'm curious if I'll ever get it. It's a very small amount of money (and I paid even less to get the BTC originally), so it's not a big deal at all if I lose it all but I'd still like to get it.

Canada.
Why the hell are they still processing withdrawals and simultaneously filing for bankruptcy?
MtGox might not be responsible for the delay. All I know is that he started the process months ago, they kept saying that "money was on the way", and he eventually received it.
> I lost a bit more than $500,000 USD that was in my MtGox account

Sorry for your loss. Why didn't you move it to an interest-bearing bank account?

> waiting to be withdrawn

Withdrawals have been massively delayed for at least 6 months.

The smart thing to do was to withdraw bitcoins to another exchange while you still could.

Probably because the withdrawals to bank haven't worked for months; the writing was on the wall for a long time, and people who lost money in it took a huge gamble.

He should have transferred the bitcoins to Bitstamp when transfers worked and cashed out.

> the writing was on the wall for a long time

I wish I had hindsight like you.

It was only in these last few months that Bitstamp became any competition to MtGox. Its liquidity sucked, which was why many early adopters like me stayed.

>> hindsight

I'm only making this comment because you used the term "hindsight".

Let me first start off by saying I feel very, very sorry for all the people who lost funds in MtGox. It'll take a while before you get over the pain of losing a life-changing amount of money. But let's be very clear about this: hindsight wasn't needed here. The warning signs that MtGox was a house of cards became visible a long time ago, definitely before the disabling of BTC transfers. A lesson should have been learned here, and nothing like this should happen to you again.

-- http://www.livetradingnews.com/the-bitcoin-tangle-were-warni...

"Some signs of a strain were visible early on. The exchange was quick to accept purchases but slow in giving them back. Additional proofs were asked for. The site also had technical issues; some users complained that passwords were displayed in plain text. Users are now left wondering if the small hints portrayed deeper crises."

I will say that the article you linked is almost garbage. It glances over the "clues" very quickly, which I assume is due to lack of knowledge.

The complaint that passwords were displayed in plain text is not anywhere near recent. Even in 2011 when I started using MtGox, passwords were hashed. Granted, early on the passwords were only hashed with 1 pass of SHA256, but later on passwords were stored to much better standards.

How do I know this? Because they got hacked twice in 2011, both through SQL vulns. Once a database dump was leaked, and another time a user's account balance was changed and the attacker cleared the bid side of the market book. Trades were rolled back, and MtGox took the loss; nothing remotely of this severity ever happened again.

Another thing I do remember [is this](http://imgur.com/xMeW43a), and it seems much more aligned to what the article is talking about. But seriously, look at the URL. The only issue is when someone looks at that user's browsing history, but even this wasn't an issue in 2011.

--

Banking problems were not apparent until last year. It was well understood that banks and Bitcoin exchanges had harsh relationships. Bitfloor, the most popular US-based exchange, was shut down due to banking problems; they were unable to find any banking partner that was willing to accept them. MtGox having delays in fiat withdrawals was understandable, since it was by far the biggest exchange.

--

Most people who call us idiots for not connecting the dots earlier are those who haven't been here long enough. For many of us, MtGox went down over the years, but always recovered. Both Luke-Jr and gmaxwell (core dev) had a significant sum of coins stored on MtGox too. It shows the trust we had in MtGox over the years.

--

One last thing though: I attribute Bitstamp dodging a bullet to its late popularity. The reason MtGox had written their own bitcoin implementation was because the bitcoin reference client was unable to handle their volume of Bitcoin transactions at the time.

Transaction malleability was a documented, but not well known, issue for Bitcoin. Even the reference Bitcoin client was affected.

So the fatal flaw that MtGox's implementation made when resending transactions (because a different transaction id was accepted and their system did not see it) was that it did not reuse the same inputs when resending the transaction.

The reference bitcoin client (bitcoind) makes sure to use at least one of the same coin inputs, so if the original transaction (but with a different tx id) did get accepted into the network, the client would attempt to resend using the same input, but it would get rejected by the network because it was a double spend.
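To make the resend flaw described in that comment concrete, here is an added toy simulation in Python (it is not Mt. Gox's or bitcoind's code): a relay malleates the signature of a payment so it confirms under a different txid, and a wallet that reselects fresh inputs for the resend pays the customer twice, while a wallet that reuses the original inputs has its resend rejected as a double spend. The `Network`, `Wallet`, coin values and hashing scheme are all constructed for the illustration.

```python
import hashlib
import json

# Constructed model: a txid is the hash of the whole serialization, signature
# included, so re-encoding the signature yields a new txid for the same spend.
def txid(tx):
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def make_tx(inputs, outputs, sig_blob):
    return {"inputs": list(inputs), "outputs": list(outputs), "sig": sig_blob}

def malleate(tx):
    """A relay node re-encodes the signature: same inputs/outputs, new txid."""
    return make_tx(tx["inputs"], tx["outputs"], tx["sig"] + "-reencoded")

class Network:
    """Toy chain: tracks spendable outpoints and rejects double spends."""
    def __init__(self, utxos):
        self.utxos = set(utxos)
        self.confirmed = {}  # txid -> tx

    def accept(self, tx):
        if any(op not in self.utxos for op in tx["inputs"]):
            return False  # at least one input already consumed: double spend
        self.utxos.difference_update(tx["inputs"])
        self.confirmed[txid(tx)] = tx
        return True

    def spender_of(self, outpoint):
        """Defensive check: find a confirmed spend by outpoint, not by txid."""
        for tid, tx in self.confirmed.items():
            if outpoint in tx["inputs"]:
                return tid
        return None

class Wallet:
    def __init__(self, coins, network, reuse_inputs):
        self.coins = dict(coins)        # outpoint -> value
        self.reserved = set()           # outpoints used by in-flight payments
        self.net = network
        self.reuse_inputs = reuse_inputs

    def _select(self, amount):
        chosen, total = [], 0
        for op, val in sorted(self.coins.items()):
            if op in self.reserved:
                continue
            chosen.append(op)
            total += val
            if total >= amount:
                return chosen
        raise ValueError("insufficient funds")

    def pay(self, amount, dest):
        tx = make_tx(self._select(amount), [(dest, amount)], "sig")
        self.reserved.update(tx["inputs"])
        return tx

    def resend_if_missing(self, original):
        """Customer reports nothing arrived and our txid is not on chain."""
        if txid(original) in self.net.confirmed:
            return None
        if self.reuse_inputs:   # bitcoind-style: same inputs, chain rejects it
            inputs = original["inputs"]
        else:                   # Mt. Gox-style: originals are reserved, pick fresh coins
            inputs = self._select(original["outputs"][0][1])
            self.reserved.update(inputs)
        return self.net.accept(make_tx(inputs, original["outputs"], "sig2"))

def simulate(reuse_inputs):
    """Return the total the customer received in confirmed transactions."""
    coins = {("coinbase-a", 0): 10, ("coinbase-b", 0): 10}
    net = Network(coins)
    wallet = Wallet(coins, net, reuse_inputs)
    tx = wallet.pay(10, "customer")
    net.accept(malleate(tx))             # malleated copy confirms instead
    wallet.resend_if_missing(tx)
    return sum(amt for t in net.confirmed.values()
               for dest, amt in t["outputs"] if dest == "customer")
```

`simulate(False)` pays 20 for a 10-coin withdrawal; `simulate(True)` pays 10, and `spender_of(("coinbase-a", 0))` shows the wallet how to notice the confirmed malleated copy without relying on its own txid.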

> Most people who call us idiots for not connecting the dots earlier are those who haven't been here long enough.

I've been a spectator for quite a few years and after their first hack I was out of MtGox. It was tempting to go back, but time-and-time again they proved their incompetence to a degree that I was not going to risk my holdings. They are amateurs and I have my doubts as to whether they've properly applied any knowledge they've gained over the years.

I've been advocating Bitcoin and trading with it since early 2011. Yes, MtGox was unstable. But so were other platforms.

I've tested withdrawal on MtGox every three years, to see and experience their current liquidity: getting out Euros was easy; getting out BTC has never been a problem. Probably because these were only my three-monthly tests, only a few hundred Euros or a fraction of a coin at most, they went through just fine.

Yes, there were apparent problems, and yes, these were highlighted everywhere. But in that case: with very little searching you'll read about people having problems with Bitstamp, Kraken, BTC-e, and whatnot.

This is a confusing market; one that requires you to keep a keen eye on the social-workings of some niche-forum, a reddit-community and a blogosphere around all that. In that sense, it might not be hindsight, no. But in that sense, /any/ problem was predicted. By someone. On some Forum. Or Blog. Or reddit-self.post.

I can't really say anything you're saying here is false, but I still hope the lesson has been learned by most people affected. This wasn't 100% unavoidable bad luck and this kind of thing shouldn't happen to MtGox's victims twice.

But perhaps I'm taking for granted my tech knowledge (or biased opinion). Let me say some things that jumped out at me immediately as mistakes that should never have happened to begin with when making an application dealing with people's money.

----The password in URL thing.

The issue with that password in the browser's history is that it becomes an easy target for malware. Just like there's malware that knows the default location of wallet.dat, malware that scrubs your web history will find it. Making it worse is the fact that there is already a lot of malware that hijacks browsers and monitors where they're going. At least wallet.dat can have a passphrase. Then you have those tools that are designed to help end-users by keeping their web history synced with other computers and/or devices. In short, web history is constantly exposed to 3rd parties, so no personal info should end up there, since you don't know how securely the 3rd parties are handling your data. At least, not passwords, SSNs, etc. Another thing is servers tend to keep URLs in access.log, which tends not to get the same level of security consideration as the rest of the webapp. They should have sent it in the POST body, which isn't stored in access.log (at least not by default).

----The password hashing thing

Security 101: you don't just hash passwords once with no salt. The existence of rainbow tables makes that insecure, and even a novice should have known that before starting. Also, according to this article[1] it was a "saltless MD5"[2?] hash.

----SQL vuln

I don't claim to be a DB expert, but I do know that using stored procedures, instead of concatenating a bunch of strings together partially from user input to form an SQL statement, makes SQL injection nearly impossible. I also believe there are some nice SQL sanitation libraries out there. But I can't judge this too hard because I don't know exactly where the SQL injection happened. Sometimes hackers do something really clever and put the malicious SQL in a place that's not normally user input, like a cookie value for an auth token.

----Trades roll back

I did not see that solution as a valid way to do things. I still don't fully understand how that didn't screw over all kinds of people. Can etrade.com decide to roll back 1 day of activity?

I dunno; all these things put together just gave me the feeling that one day these guys would be in trouble. The right thing to do after the first, or at least the 2nd, hack was a full audit of their whole system by someone who knows about these things. They just didn't show any signs of learning from their mistakes, e.g., like the postmortems that other companies sometimes post up detailing the problem and steps to recover. MtGox seemed to just be reactionary, and only enough to solve the immediate problem. I'd advise anyone going forward that if you see similar behavior in anything you deal with, not just bitcoin-related, you run away. Also, a red flag for me is any system where it's easy to put money into but hard to get out without a very sensible reason.

1. http://www.dailytech.com/The+Death+of+Bitcoins+Mt+Gox/articl...

2. This article claims there was a salt... http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+...

The signs were there, we all knew that. It's just that hindsight makes you believe the signs meant 100% probability Gox would go down. But back then, with the limited information everyone had, that was definitely not the case. At some point Gox's bitcoin price had a 20% premium over the rest of the exchanges. So, if he wanted to get out of Gox immediately, he'd have to buy BTC, withdraw and sell at another exchange. Which means a 20% loss, or $100K. At that point he'd have to ask himself if the probability of Gox being completely insolvent is really that great to be worth taking such a hit. And I don't think it was; the loss of 700K BTC came as a surprise even to the biggest Gox critics.
You also don't need hindsight to know that investing/trading/speculating in a brand new type of asset in a space with nearly zero regulatory controls is not for the faint of heart.

Just like the handful of people who realized that the Bernie Madoff claims were too good to possibly be true, they didn't need hindsight. There's a great This American Life story about one such person: http://www.thisamericanlife.org/radio-archives/episode/376/w...

Did you invest $500,000 in real dollars, or earn it from mining?
Majority of it was from mining, but I had already realized my profits.
To be fair, with the funds in $ you probably have a better chance of getting some of that back than if it was BTC.
Yeah, call in the regulators to get some back. Thank a US fiat tax payer. You're welcome.

It's the biggest load of hypocrisy that people who enthusiastically wanted to play in the libertarian paradise of an unregulated currency think they should be able to turn around and request the help of the regular, regulated, tax-supported economy to make them partial or whole.

First, we'll crap a bunch of processing resources into thin air, ponzi up value in the system, scream self-righteous screeds to the nay-sayers... then, when it goes to shit, call in the cops you were giving the finger to a second ago.

You took your chances. You relished the freedom of the risk. You eat your pudding.

I know why you are annoyed, but many libertarians (of the non-anarchist variety) still believe in the court system to recover damages. If they use the courts to recover part of their losses from MtGox's assets there's nothing hypocritical there.

If they want a bailout, i.e. a cash injection, then I'm with you.

Given all of the rhetoric around the distributed, untraceable, unregulated nature of BitCoin, I think an initial assumption of hypocrisy is still not a bad place to start.
Perhaps there is some hypocrisy, but I think your comment borders on a common fallacy.

The fallacy says that an idealist is hypocritical for using real-world resources which wouldn't exist in his ideal world.

It says a communist is hypocritical for wearing shoes made by private enterprise, and a libertarian is hypocritical for buying liquor at the state liquor store, in a state which has that system.

It ignores the issue of bootstrapping. Those who dream of the future must necessarily exist in the present and use the resources of the present.

If (and I'm not persuaded of this) some BitCoiners want a future without regulators, they presumably want some other mechanism to replace regulators, just as the communist wants a people's shoe factory to replace the capitalist shoe factory.

It may be lost to spend, but can't you spread the loss out over some years and never pay taxes for that period?
Losses can only be taken on your initial investment amount if you have Bitcoins in MtGox. This means that if you invested $10k a year back, and your Bitcoins are now worth $1000k, you can only take $10k in losses.

Luckily I have realized my gains which means I can deduct $3k every year in losses with infinite rollover.

I believe your understanding of the situation is flawed, if you are a US citizen. The $3000 per year applies to capital losses. You did not suffer a capital loss. You suffered a loss due to bank insolvency.

If you realized your gains in 2013, you actually owe taxes on $500,000 for your 2013 taxes, which is roughly $250k.

I believe your losses due to bank insolvency will apply to your income for 2014. But you may be on the hook for $250,000 in income taxes this year. But it probably won't offset your tax liability from 2013.

And the state of NYC subpoenaed MtGox's records so they may share this with the IRS.

I would consult a CPA if I were you, you could have a huge tax liability with no adequate way to offset it.

Yep, talk to a CPA. One key issue is you may not have a capital loss, but rather a casualty, which by my read of the flowchart becomes a miscellaneous itemized deduction. Those are limited to 2% of MAGI and I don't believe they carry over. Also, there is a hard cap at $20k for lost deposits. See publication 547. It may be to your advantage to file it under a loss to personal property (form 4648) - the math isn't straightforward for me to work out.

Talk to a CPA. This is the sort of thing they live for.

It may depend on why the exchange went insolvent.

If it is not a technical problem, and is rather a Ponzi Scheme, the tax implications may be much different since there are IRS rules that handle Ponzi Schemes. Additionally, those that gained profits in the exchange may be required to pay back those profits to victims through clawback lawsuits+.

This IRS link below is a brief overview of how victims of Ponzi Schemes are treated. The most important piece of information is that there is a real chance of a clawback for the people who withdrew and currently think they made money.

http://www.irs.gov/uac/Help-for-Victims-of-Ponzi-Investment-...

I don't have time to read these documents this morning, but I do know that the people who received returns from Madoff are now the focus of lawsuits.

Here is a Forbes article on the subject, there are plenty more you can read out there as well: http://www.forbes.com/sites/jordanmaglich/2012/10/23/ponzi-s...

Here is one example of a hospital having to pay a Clawback. http://www.jewishpress.com/news/breaking-news/hadassah-docto...

+My guess is that the clawback lawsuits would yield very little real money, since much of the value of Bitcoin gained was due to price appreciation, which may keep lawsuits against those who gained fairly minimal since there isn't much money for lawyers to sue for in complex litigation.

No one was promising any returns, so how could this possibly be a Ponzi scheme?
Let's see if I understand this (I am not in the US): the bitcoins count as an asset, you sell these bitcoins for dollars at MtGox, and at this point the tax is due regardless of whether you actually get the dollars out of MtGox?

So any time between you selling bitcoins and actually getting the cleared funds out of an exchange leaves you with the risk of a fairly serious tax liability if the exchange can't actually give you the kind of currency you can pay tax bills with...

[I've had very close calls with seemingly small matters introducing potentially horrific tax liabilities so I am a bit oversensitive to these things!]

Bingo. Works the same way for shares. Unless you're investing in a tax-advantaged account, if you have a $10k basis in a stock/fund and liquidate it for $20k, you just realized a $10k gain regardless of what subsequently happens to that $20k. Park it at your brokerage, plow it into a new stock, withdraw it and buy a vat of chocolate to go skinny dipping in, the IRS doesn't care, but it will have its cut.

Poorly timed realizations of capital gains used to routinely bankrupt people in the startup community, which is why that 83(b) election paperwork is actually really important.

> 83(b) election

Just a friendly reminder if someone is reading this - you have 30 days to claim 83(b) after you offer yourself shares in your business, otherwise you'll be in a heap of legal/tax issues that can be quite painful (i.e. cost a lot). Make sure you bring this up with your accountant/lawyer.

It's not just that.

During the dotcom boom, many, many people faced tremendous tax liabilities because of ill-timed tax strategies. For example, they had stock options that were worth millions, but instead of selling them, they exercised them in order to hold them to get long term capital gains. So for example, they had options worth $10M, and they exercised them. They faced an immediate tax liability for $10M, but then the dotcom bust hit, and they lost all $10M, leaving them with $10M in taxes but nothing to pay it back with. I personally knew several coworkers that suffered this.

I believe it was only recently, over 10 years after the fact, that the IRS changed how they treated this so that people didn't go bankrupt from this.

That's more or less the rule: the gain is taxed when it is "realized" which is roughly when it becomes "yours." It doesn't actually have to be cash in your hand (otherwise it would be quite easy to get around tax laws simply by trading assets on accounts without taking cash out). See: http://en.wikipedia.org/wiki/Realization_%28tax%29.
That's pretty much the same as the UK (and presumably everywhere else).

Pretty ghastly situation to be in if you do end up with a tax liability because of something like this.

I am not clear with taxes, but I will go and consult with a CPA.

Fortunately I did not keep everything in MtGox. If it turns out that I do owe $250k in taxes, I won't be in trouble.

Thanks.

> If it turns out that I do owe $250k in taxes, I won't be in trouble.

It sounds like you have little to complain about really. It sucks you lost half a million dollars, but if you're not upset about the possibility of losing a quarter more, I imagine you're probably set for life as it is.

He initially posted a comment including

> [...] I really do feel sorry for Mark Karpeles.

So, it didn't seem that complaining was the main point.

Please, tell us more about how wealthy you are.
I have little sympathy for Mark. Assuming he didn't straight up steal the money, it all happened because of his incompetence.

How do you not notice a leak of 850,000 BTC?

How do you not have most of it in cold storage?

How do you not have all kinds of alert systems warning you about even a 500 BTC discrepancy, let alone hundreds of thousands?

You have to get bookkeeping exactly right.

You have to get crypto exactly right.

Bitcoin sits on top of both of those sharp pyramids.

Yesterday someone on HackerNews compared a Bitcoin account to a pressurized system where the slightest failure means you lose everything irretrievably and instantly which is a great analogy.

You don't need Good Enough for this. You need Perfect for this.

No, you don't need perfection to add some basic controls that would have prevented most of the damage here.
Hence the theory that the missing BTC is in cold storage but the private keys have been lost.