Mark Karpeles’ t-shirt couldn’t be more ironic.
“I don’t always test my code,” it reads, “but when I do, I do it in production.”
The former head of Mt. Gox, once the world’s biggest Bitcoin exchange, saw his company collapse because its code was exploited by hackers.
A source close to the firm said in March that Mt. Gox’s code was “a spaghetti mess,” possibly containing vulnerabilities that allowed hackers to pilfer millions of dollars worth of the digital currency. Japanese police are probing that possibility.
Karpeles has kept a low profile since Mt. Gox filed for bankruptcy on Feb. 28 and disclosed that roughly 750,000 customer bitcoins and 100,000 of its own had vanished, apparently stolen by hackers. That amounted to roughly US$474 million based on the valuation of the volatile cryptocurrency at the time of the filing.
But as Mt. Gox undergoes liquidation under the supervision of the Tokyo District Court, Karpeles has recently emerged from the shadows, posting messages on Twitter and answering emails from media. He agreed to talk to IDG News Service on the condition that he would not discuss, other than in general terms, what happened at the company, the police investigation into it and other litigation involving him. The latest lawsuit was filed last month in Tokyo by three Mt. Gox clients who are each seeking about ¥10 million ($87,000) over lost bitcoins, according to his lawyer.
Karpeles is still leading Mt. Gox’s parent company Tibanne, a small IT development firm located in Tokyo’s youth mecca of Shibuya. Its office building is no longer the site of protests by Mt. Gox clients who lost their bitcoin, and the security guard hired by the landlord is long gone.
Tibanne now has 13 employees and still does Web and server hosting as well as Web and mobile application development. Tibanne’s graphics editing software subsidiary Shade3D, meanwhile, has about 10 staff.
“I’ve been trying to keep Tibanne and Shade3D running well so we can maybe assist with the Mt. Gox bankruptcy,” Karpeles said.
He added that contrary to rumor, he hasn’t left Japan since February and has had to stay in the country as part of the bankruptcy process. He spends his down time taking care of his aging cat Tibanne (the inspiration for the name of his company) and pursuing his passion for baking apple pies.
Indeed, he’s more comfortable discussing where to find the best croissants in Tokyo than what happened at Mt. Gox. In the debacle, he and his staff received death threats. Their landlord, upset with the protesters and journalists outside the office, nearly evicted them. His plans to open a Bitcoin cafe on the property were shelved.
But Karpeles admits Mt. Gox got more than it could handle when it began taking in millions of dollars worth of bitcoin and tens of thousands of new customers per month, peaking at about 1.2 million customers in total.
They were all eager to jump on the soaring rocket that was Bitcoin in 2013 as its value climbed to over $1,100. But these days the cryptocurrency has been trading between $300 and $400, according to Coindesk, a Bitcoin exchange tracking site. Karpeles still watches the price of Bitcoin and believes it can rise again barring major incidents like hacking attacks against it or government shutdowns of exchanges.
If Mt. Gox had been a U.S. company, it would have had access to investment funds more readily than in Japan, which would have allowed it to add resources and security to deal with the influx of money and customers, the French-born CEO said. Japan’s vague regulations on digital currencies didn’t help, he added.
Investigators are likely to have been focusing on what happened with Mt. Gox’s cold wallets, essentially an offline storage system for keeping bitcoin on paper with QR codes. A document posted online in late February and purporting to be a leaked business plan said the cold storage was “wiped out due to a leak in the hot wallet.”
Karpeles would only say that the cold wallets were implemented in 2011 and that auditing their contents was risky since it involved scanning the QR code for a wallet and checking whether its private key matched the public key on the Internet.
“Each time you want to check the balance of a cold wallet, you’re making it less cold,” he said, adding that Mt. Gox took immediate steps to address any security problem it discovered.
Karpeles now thinks Bitcoin needs the kind of physical security measures that are used to protect gold. Bitcoin exchanges should have 24-hour operation centers manned by guards and accessed only through hardware tokens, and with staff who have undergone extensive background checks, he said.
The cryptocurrency could also benefit from a kind of central bank established by merchants accepting Bitcoin, he said, that would act as a clearing house for transactions and implement secure storage of coins. Karpeles is also trying to draft a best practices document for Bitcoin security that he said he would share with anyone willing to consider his ideas.
Without major investments in security infrastructure, Karpeles said, “most likely we’re going to see more companies getting hacked, or bitcoin being stolen.”
That’s little consolation to Mt. Gox clients who lost significant sums in the company’s meltdown, including the protesters who staged sit-ins in front of the company’s offices in February.
“I cannot apologize enough for what happened,” Karpeles said. “While I believe I did everything I could do to prevent this from happening, it still happened. Right now, I’m trying to do my best to cooperate with the bankruptcy process and the ongoing investigation.”