A cold shower for those who hoped one day to have the final word on the rocky Mt.Gox hack, considered at the time of the events in 2014 to be the biggest crypto heist ever.
The release in mid-February of Alexander Vinnik - he can be seen in this video, cup of tea in hand at Moscow's Vnukovo international airport - in exchange for that of Marc Fogel, the American teacher imprisoned by Moscow for a few grams of cannabis (and suspected of being a spy), comes as no surprise.
His name had in fact already circulated last year during an initial prisoner exchange between the United States and Russia. But his release is likely to wipe out any chance of getting to the bottom of this story. "There will probably be no further judicial progress on the people involved and the exact circumstances of the hacking", Kim Nilsson, a 42-year-old Swedish computer scientist who successfully investigated the hack, lamented to The Big Whale.
Of the three people indicted by the US justice system in this case, the 44-year-old Russian was in fact the only one to have been arrested in the United States. Accused of being one of the money launderers, he had ended up pleading guilty before the U.S. justice system in May 2024 for his role in BTC-e.
This dubious exchange platform, launched in July 2011, was considered to be one of the world's biggest money-launderers. Not particular about its customers - no ID was required - it operated via vouchers, thus breaking the traceability of the flow of crypto-assets exchanged.
In February 2014, Mt.Gox had been run by Frenchman Mark Karpelès for three years. The now-famous Japan-based exchange was initially intended to be a portal for trading cards from the game "Magic: The Gathering", hence its name. It was to collapse abruptly after the leak of an internal document.
Posted online by "Twobitidiot", the pseudonym of Messari founder Ryan Selkis, this eleven-page crisis management draft reports the disappearance of 744,408 BTC from the exchange. That is 6% of the BTC in circulation at the time, the New York Times calculated. The total of bitcoins lost would eventually amount to around 850,000 BTC.
The first case for an up-and-coming start-up: Chainalysis
Irate customers demand their cryptos in vain. Like Kolin Burges, the famous man with the beanie and the sign "Mt.Gox, where is our money?", who confronts Mark Karpelès, coffee mug in hand, at the foot of the company's offices. Prosecuted by the Japanese justice system, one of the biggest bankruptcies in the crypto universe ended with the French boss's descent into hell. In March 2019, he was finally acquitted of the embezzlement charge, but given a two-and-a-half-year suspended prison sentence for falsifying computer data, a much more lenient sentence than the ten-year custodial sentence requested by the prosecution.
Beginning with the police investigation, the crypto community will attempt to understand the inner workings of this phenomenal hack.
With the backing of the boss of the Kraken exchange, the case would even become the first case for a start-up launched by a Danish computer scientist, Michael Gronager: Chainalysis. First of all, there is the hypothesis of internal malfeasance.
On the Bitcointalk forum, an internet user sketched out a plot in March 2014. Too amateurish, Mark Karpelès, at the time one of the main suspects in the story, allegedly failed to protect his platform effectively from hackers. He would then have tried to cover this up by buying cryptos to compensate for the losses, relying in particular on a robot, Willy.
The activity of this account and another christened Markus would be detailed in a post, the "Willy Report", published at the end of May 2014, an analysis of an internal database that leaked on Pirate Bay. It smacks of massive fraud.
A first account was thus pushing up the Bitcoin price by regularly buying cryptos, while a second was amassing "tons of BTC without spending a cent". Mark Karpelès confirmed at his trial in July 2017 that he was behind these operations, which were supposed to help hide the platform's growing hole. A now well-known lack of rigour.
Witness, for example, the 200,000 BTC found in a wallet after the exchange's bankruptcy. The private key had apparently been printed on a sheet of paper and then forgotten through carelessness, journalists Jake Adelstein and Nathalie Stucky assured us in their book "J'ai vendu mon âme en bitcoin" ("I sold my soul in bitcoin"). They are now the last hope for aggrieved users to recover their losses.
After the discovery of this misplaced wallet, there are therefore around 650,000 missing BTC.
Kim Nilsson: "Mt.Gox had been technically insolvent since at least 2012"
In Tokyo, Kim Nilsson is continuing his search. In April 2015, he dates the start of the mismatch between expected and actual crypto assets to August 2011. The gigantic theft would in fact be the result of a slow leak that remained undetected for several years, virtually from the inception of the platform.
"Mt.Gox had been technically insolvent since at least 2012," he noted. Before going on to outline the thieves' most likely method: access to the hot wallet's private keys stored on the wallet.dat file to get their hands on the cryptos.
A pioneer, the exchange had serious security flaws. Indeed, traces of several hacks have been found. First of all, there are the two flaws linked to Liberty Reserve, the Costa Rica-based exchange platform shut down by the US judiciary in May 2013.
Following the hacking of a server, there are also the 80,000 coins, which have not moved since, already missing at the time of the handover in April 2011 between Mt.Gox creator Jed McCaleb and Mark Karpelès.
Then there was the theft of 300,000 bitcoins in May 2011, a haul that the hacker would return for a commission of 3,000 bitcoins, "probably because he hadn't been very careful", remarked Kim Nilsson. Finally, in June 2011, the hacking of Jed McCaleb's admin account resulted in the outflow of 2,000 BTC and a spectacular market crash, with bitcoin reduced to a few pennies.
No leads have emerged, however, for the several hundred thousand bitcoins that evaporated from September 2011 to mid-2013. Until 25 July 2017.
On his blog, Kim Nilsson is exultant. A certain Alexander Vinnik has just been arrested in Greece. This arrest sounds like the culmination of several years of patient work. This Russian is "our main suspect", he confides.
Vinnik chief launderer, but on whose behalf?
Following the exfiltration of stolen cryptos on Mt.Gox, the investigator had indeed arrived at "Mr Bitcoin", as the suspect would be nicknamed in the Greek press.
The bulk of the stolen tokens (around 300,000) were laundered via BTC-e. A dead-end trail because of the platform's opacity. But another part of the tokens went back to Mt.Gox... A mistake.
These accounts on the Japanese exchange will in fact be linked to a certain "WME". Now on the forum BitcoinTalk, there is someone with the same username who reported at the end of October 2011 that he wanted to exchange bitcoins for any currency. He also shared a series of screenshots a little later detailing a dispute against CryptoXchange. Without realising that he had inadvertently leaked his real identity in the process, a mistake notably spotted by Kim Nilsson in the summer of 2016.
But there were others. In his book "Tracers in the Dark", journalist Andy Greenberg recounts the jubilation of Tigran Gambaryan, the famous Internal Revenue Service investigator, who was able to link the Mt.Gox case to WME thanks to a common IP address.
An "illumination", the investigator told the American journalist. "But of course! What better way to launder a fortune in bitcoins than to launch your own exchange platform?"
The role of Alexander Vinnik, an expert in exchanges - witness, for example, his stint at WebMoney, a Russian electronic payment solution launched in 1998 - was, however, probably limited to laundering the hack.
"Maybe he was a hacking genius," quips Kim Nilsson. "But my instinct is more that he had connections with hacker groups, who even before this hack, would have needed such a laundering service."
Kim Nilsson, during his keynote "Cracking Mt.Gox" in September 2017 (see video)
Given away by his wife's Instagram account
Whatever the case, by following the thread, US investigators are gathering a considerable mass of damning evidence against their suspect, who flaunts an affluent lifestyle, from his Moscow flat worth around US$3 million to his luxury holidays in Greece and Dubai.
For the prosecution, the BTC-e platform supposedly based in Bulgaria and attached to a shell company in London, Always Efficient LLP, is actually controlled by Canton Business Corporation. A company based in the Seychelles whose main beneficiary is Alexander Vinnik.
He is also the one who has his hands on the BTC-e accounts that saw 300,000 bitcoins from the theft arrive, "Vamnedam", "Grmbit", "Petr" and "WME". Another part of the funds (around 191,000 bitcoins) was exchanged for US dollars on the TradeHill exchange by the same WME. Behind them was Alexander Vinnik, who had sent a copy of his passport to the exchange.
Investigators also linked one of the Apple computers purchased by the Russian to his Gmail address. In June 2016, Google passed on information about the suspect accounts. Their target usually used them behind a Dutch proxy to mask his real IP address. On 23 July 2017, however, Alexander Vinnik made a mistake.
He accessed his wmewme@gmail.com account from the same Greek IP address spotted in a connection earlier that day to his wife's Instagram account. The Russian was arrested two days later, an arrest that marked the end of the line.
Convicted in France before being extradited to the United States
The extradition of Alexander Vinnik to the United States will, however, involve a detour via France. After assuring judges that he was simply a stock market operator unaware of the identity of his real employers, he will be sentenced in France to five years in prison for laundering the ransoms extorted by the Locky ransomware.
Then, almost a year after he was first detained in the United States, in August 2022, the identities of two other Russians implicated in the hacking and laundering of the Mt.Gox loot were revealed.
An announcement then interpreted as an admission of failure. Indeed, it is unlikely that they will now leave Russia, a country that does not extradite its nationals. The two suspects are Aleksandr Verner and Alexey Bilyuchenko. Aged 29 and 43 at the time, they are also two of the kingpins of BTC-e, the US justice system alleged in June 2023.
According to journalist Andrey Zakharov, author of a book (untranslated) on the subject, the first is a programmer nicknamed "ne0n". The second is a domain name squatting specialist. Two men already connected before BTC-e, as with this portal for the Starcraft II video game, the Smallarena.com site.
In an article for the BBC, this journalist had recounted with relish how Bilyuchenko, a former IT manager for a chain of shops based in Novosibirsk, western Siberia, had allegedly narrowly escaped the dragnet in Greece. Also holidaying in Crete at the time, but under the radar of the American justice system, the man nicknamed "the red admin", in reference to the colour of his BTC-e username, was allegedly warned by his mother of Alexander Vinnik's arrest and immediately took the first plane to Moscow.
The proceedings provide new details on the circuit for laundering the 647,000 bitcoins stolen from Mt.Gox.
Between March 2012 and April 2013, under cover of a false advertising contract, there was thus a transfer of $6.6 million from a New York bitcoin broker, presumably the counterparty for part of the 300,000 BTC that went to BTC-e. The name of the company is not specified.
Another court document, a summary of the Department of Homeland Security's financial investigations, states that between April and November 2013, $2.5 million also passed, via an account in Latvia, from Memory Dealers - the former company of Roger Ver, aka "Bitcoin Jesus" - and BitInstant - run at one time by Charlie Shrem, the former president of the Bitcoin Foundation - to Canton Business Corporation.
This too in return for internet advertising services of which investigators have found no trace.
In the same document, US investigators report a total of $90 million suspected of having been laundered through New Zealand banks. In 2020, the local police had welcomed this seizure, the largest in its history.
Part of the money, which Mt.Gox's creditors are eyeing, is believed to have arrived via the FX Open exchange. A trading platform controlled by Aliaksandr Klimenka. Presented as one of the leaders of BTC-e, this man accused of money laundering, without the Mt.Gox hack being mentioned, was arrested in December 2023 in Latvia and then extradited to the United States in early 2024.
The trail of money stolen from Mt.Gox ends there. It's likely that all the funds have long since been taken out.
Russian intelligence involved in BTC-e?
"These guys didn't keep tokens in case bitcoin took off, they just wanted to get the money back as quickly as possible," believes Kim Nilsson. The BTC-e exchange, meanwhile, left a hoard - Chainalysis had reported in November 2022 the movement of the equivalent of $165 million in bitcoin - that makes one salivate.
Journalist Andrey Zakharov had recounted how Alexey Bilyuchenko's attempt to create a new exchange, Wex, after the fall of BTC-e, had come to naught.
Eventually sentenced by the Russian courts to three and a half years in prison in September 2023 for embezzlement, he claimed he had been forced to transfer the wallets that had escaped the US seizure into a so-called fund of the FSB, Russia's domestic intelligence service.
And this under pressure from a certain Konstantin Malofeyev, a Russian oligarch who disputed these accusations, speaking of a campaign to discredit him. A kind of intelligence connection, however, already seen.
The blockchain investigation specialist Elliptic had thus reported the use of the platform by hackers from "Fancy Bear", a group linked to the GRU, Russia's military intelligence service.
Accused of hacking the Democratic National Committee in June 2016, ahead of the US presidential election, these hackers allegedly bought $100,000 worth of bitcoins on BTC-e. "Justice will finally be done," Mark Karpelès had hoped eight years ago after the arrest of Alexander Vinnik.
The happy ending now seems a long way off.