Mark Karpelès, the former CEO of Mt. Gox, likely wishes he had today’s AI technology when he acquired Mt. Gox from its founder, Jed McCaleb, in 2011.
Karpelès recently fed an early version of Mt. Gox’s codebase into Anthropic’s Claude AI. The resulting analysis highlighted the critical vulnerabilities exploited in the exchange’s first major hack and labeled the code “critically insecure.”
In a post on X, Karpelès said he uploaded Mt. Gox’s 2011 codebase to Claude along with supporting data such as the GitHub history, access logs and the information released by the hacker.
Claude AI’s analysis indicated that Mt. Gox’s 2011 codebase was a “feature-rich but critically insecure Bitcoin exchange.”
“The developer (Jed McCaleb) showcased strong engineering skills in designing a sophisticated trading platform within just 3 months,” the analysis stated, but also noted:
“The codebase contained multiple critical security vulnerabilities targeted in the June 2011 hack. Security improvements made between the ownership transfer and the attack partially mitigated the impact.”
Karpelès assumed control of the Japan-based Mt. Gox in March 2011 after purchasing it from Jed McCaleb. Just three months later, the exchange was hacked, resulting in 2,000 Bitcoin (BTC) being stolen from the platform.
“I didn’t review the code before taking over; it was handed to me immediately after signing the contract (I know better now; due diligence is essential),” he commented on his X post.
Claude AI’s Post-Mortem of Mt. Gox
Claude AI identified the primary vulnerabilities as a combination of code flaws, inadequate internal documentation, weak passwords for both admins and users, and continued account access for previous admins post-ownership transfer.
The hack began with a significant data breach after Karpelès’ WordPress blog and some of his social media accounts were compromised.
“Contributing factors included: the original platform’s insecurity, undocumented WordPress setup, retained admin access for ‘audits’ after the ownership transfer, and a weak password for a key admin account,” the analysis stated.
The assessment also noted that changes made between the ownership transfer and the hack “mitigated some attack vectors,” preventing a potentially worse outcome.
These changes included moving password storage to a salted hashing algorithm, fixing a SQL injection vulnerability in the main application, and applying “proper locking around withdrawals.”
“The salted hashing prevented mass compromise and mandated individual brute forcing, although no hashing algorithm can defend against weak passwords. The withdrawal locking hindered a more severe outcome of significant BTC drain via the $0.01 withdrawal limit exploit,” the analysis emphasized, adding:
“This codebase was targeted in a sophisticated attack in June 2011. Security enhancements were implemented in the three months following the ownership transfer, which impacted the attack outcome. This incident underscores the severity of the original codebase’s vulnerabilities and the partial effectiveness of remediation efforts.”
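The two mitigations the analysis singles out, per-user salted password hashing and locking around withdrawals, are easier to appreciate in code. The following Python is an added illustration written for this article, not Mt. Gox code and not Claude’s output. The user records, the attacker wordlist and the account balances are constructed sample data; the PBKDF2 round count is an arbitrary choice (any slow, salted KDF makes the same point); and the withdrawal part assumes that the failure mode locking prevents is a check-then-debit race, which the article does not confirm was the actual 2011 mechanism.

```python
"""Added illustration: per-user salts versus unsalted hashes, and locked versus
unlocked withdrawals. Sample data below is constructed for this example."""
import hashlib
import os
import threading
from decimal import Decimal

# ---- 1. Unsalted vs salted password storage -------------------------------
# Constructed sample users; two of them chose the same weak password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
# Constructed attacker wordlist.
WORDLIST = ["password", "hunter2", "letmein"]
PBKDF2_ROUNDS = 50_000  # assumption: any slow, salted KDF demonstrates the same effect


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def unsalted_table() -> dict:
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}


def salted_table() -> dict:
    table = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
        table[user] = (salt, salted_hash(pw, salt))
    return table


def crack_unsalted(table: dict, wordlist) -> tuple:
    """One digest per candidate word cracks every user who chose it: mass compromise."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    found = {u: lookup[h] for u, h in table.items() if h in lookup}
    return found, len(wordlist)  # hash computations spent


def crack_salted(table: dict, wordlist) -> tuple:
    """Each user's salt forces the whole wordlist to be re-hashed for that user alone.
    Weak passwords still fall; the salt only removes the bulk discount."""
    found, work = {}, 0
    for user, (salt, h) in table.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                found[user] = w
                break
    return found, work


# ---- 2. Withdrawal without and with a lock --------------------------------
# Assumption: the failure mode locking prevents is a check-then-debit race, where
# several concurrent requests all pass the balance check before any debit lands.

class Account:
    def __init__(self, balance: Decimal):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_unlocked(acct: Account, amount: Decimal, pause) -> bool:
    if acct.balance >= amount:  # check ...
        pause()                 # ... latency (e.g. a database round trip) ...
        acct.balance -= amount  # ... debit: other threads may have checked meanwhile
        return True
    return False


def withdraw_locked(acct: Account, amount: Decimal, pause) -> bool:
    with acct.lock:  # check and debit become one atomic step per account
        if acct.balance >= amount:
            pause()
            acct.balance -= amount
            return True
        return False


def race(withdraw, start: Decimal, amount: Decimal, attempts: int) -> tuple:
    """Fire `attempts` concurrent withdrawals; return (final balance, successful withdrawals)."""
    acct = Account(start)
    results = []
    # A barrier makes the unlocked race deterministic: every thread passes the check
    # before any debit runs. The locked path admits one thread at a time, so it gets
    # a no-op pause (a barrier there would never fill).
    pause = threading.Barrier(attempts).wait if withdraw is withdraw_unlocked else (lambda: None)
    threads = [threading.Thread(target=lambda: results.append(withdraw(acct, amount, pause)))
               for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)


if __name__ == "__main__":
    print(crack_unsalted(unsalted_table(), WORDLIST))  # both hunter2 users, 3 hashes
    print(crack_salted(salted_table(), WORDLIST))      # same users, 7 hashes
    print(race(withdraw_unlocked, Decimal("1.00"), Decimal("1.00"), 10))  # overdrawn
    print(race(withdraw_locked, Decimal("1.00"), Decimal("1.00"), 10))    # one success
```

With unsalted hashes, three digests expose every account that shares a guessed password; with per-user salts the attacker pays the wordlist cost once per account, which is the “individual brute forcing” the analysis describes, yet the weak passwords are still recovered. In the withdrawal part, ten concurrent requests against a 1.00 balance all succeed without the lock and drive the balance to -9.00; with the lock only one succeeds.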
While the analysis implies that AI could have flagged specific code defects, the root cause of the breach was poor internal practice: weak passwords, admin access retained after the sale, and no separation between a public WordPress blog and the exchange’s administrative access, so that a blog compromise could escalate to the entire exchange.
Regrettably, AI cannot guard against human error.
Mt. Gox Still Influences the Market a Decade Later
Though defunct for over ten years, Mt. Gox continues to affect the market as substantial amounts of Bitcoin (BTC) have recently been repaid to creditors. Many feared this would create selling pressure, yet the repayments haven’t noticeably impacted Bitcoin’s price.
With the repayment deadline approaching on October 31, the exchange currently holds approximately 34,689 BTC.
