When former Mt.Gox CEO Mark Karpeles bought Mt.Gox from founder Jed McCaleb in 2011, he probably wished he had access to today’s artificial intelligence.
That’s because Karpeles recently fed an early version of Mt.Gox’s codebase to Anthropic’s Claude AI. What it returned was a detailed analysis of the key vulnerabilities behind the first major hack of the now-defunct exchange, along with a verdict that the code was “highly insecure.”
In a post on Sunday

Source: Mark Karpeles
According to an analysis by Claude AI, Mt.Gox’s 2011 codebase represents a “feature-rich but extremely insecure Bitcoin exchange.”
“The developer (Jed McCaleb) demonstrated strong software engineering capabilities in terms of architecture and feature implementation, creating a sophisticated trading platform in just three months,” the analysis reads, but adds:
“The codebase contained multiple critical security vulnerabilities that were the target of the June 2011 hack. Security improvements made between the ownership transfer and the attack partially mitigated the impact.”
Karpeles took over the reins of Japan-based Mt.Gox in March 2011 after acquiring the exchange from founder and developer Jed McCaleb. About three months later, the exchange was hacked and 2,000 Bitcoin (BTC) were drained from the platform.
“I didn’t get to see the code before taking over. The code was thrust on me as soon as the contract was signed (I know better now, but due diligence goes a long way),” Karpeles added in a comment on the X post.
Post-mortem of Mt Gox by Claude AI
According to Claude AI, the primary vulnerabilities were a combination of code flaws, a lack of internal documentation, weak administrator and user passwords, and retention of the previous administrator’s account access after the change of ownership.
The hack was sparked by a massive data breach in which Karpeles’ WordPress blog account and some of his social media accounts were compromised.
“Factors include an insecure original platform, undocumented WordPress installations, retention of admin access for ‘auditing’ purposes after ownership transfer, and weak passwords for critical admin accounts,” the analysis states.
The analysis also noted that changes made between the ownership transfer and the hack “mitigated some of the attack vectors” and kept the attack from becoming far worse than it was.
These changes included moving to salted password hashes, fixing SQL injection flaws in the main application, and implementing “proper locks on withdrawals.”
“While Salted Hash prevented mass breaches and individual brute force enforcement, no hashing algorithm can protect against weak passwords. Withdrawal Lock prevented the more serious outcome of tens of thousands of BTC being leaked through the $0.01 withdrawal limit exploit,” the analysis states, adding:
“This codebase was the target of a sophisticated attack in June 2011. Security improvements were made in the three months following the ownership transfer that influenced the outcome of the attack. This incident demonstrates both the severity of the vulnerability in the original codebase and the partial effectiveness of remediation efforts.”
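Two of the remediations the analysis credits, shown beside the weak form they replaced, as an added example that is not Mt.Gox’s own code (the 2011 code base was PHP; this is Python so it runs stand-alone). The user names, passwords, salts and the five-word “wordlist” are constructed for the demo. The first part shows a login query built by string concatenation, which a quote and a comment marker in the username bypass, next to the parameterized query that fixes it. The second part shows why a salted hash stops one cracking pass from recovering every account while still leaving a weak password crackable, which is the caveat the analysis makes.

```python
"""Added example (not Mt.Gox code): SQL injection and password hashing,
weak form beside the fix. All names, passwords and the wordlist are constructed."""
import hashlib
import os
import sqlite3

# ---- 1. SQL injection: query built from strings vs. a parameterized query ----

def make_db():
    """In-memory user table with constructed rows.
    Passwords are stored in the clear here only to isolate the injection point."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hunter2"), ("bob", "Tr0ub4dor&3x!")])
    return con

def login_vulnerable(con, name, password):
    # User input is spliced into the SQL text, so a username such as
    # "alice' --" closes the string and comments out the password check.
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{password}'"
    return con.execute(q).fetchone() is not None

def login_fixed(con, name, password):
    # Placeholders keep user input as data; the driver never re-parses it as SQL.
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return con.execute(q, (name, password)).fetchone() is not None

# ---- 2. Unsalted vs. salted hashes against a dictionary attack ----

ITERATIONS = 50_000      # PBKDF2 work factor for the demo; deployments use more
WORDLIST = ["password", "123456", "hunter2", "letmein", "bitcoin"]  # constructed

def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + ":" + digest.hex()

def verify_salted(password, stored):
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return candidate.hex() == digest_hex

def crack_unsalted(stored):
    """One hash per wordlist entry recovers every user who chose that word."""
    table = {hash_unsalted(w): w for w in WORDLIST}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(WORDLIST)

def crack_salted(stored):
    """A per-user salt forces one hash per (user, word) pair; the work grows
    with the number of users, but a weak password still falls."""
    found, work = {}, 0
    for user, s in stored.items():
        for w in WORDLIST:
            work += 1
            if verify_salted(w, s):
                found[user] = w
                break
    return found, work

def demo(passwords):
    """Return (cracked_unsalted, work_unsalted, cracked_salted, work_salted)."""
    unsalted = {u: hash_unsalted(p) for u, p in passwords.items()}
    salted = {u: hash_salted(p) for u, p in passwords.items()}
    fu, wu = crack_unsalted(unsalted)
    fs, ws = crack_salted(salted)
    return fu, wu, fs, ws

if __name__ == "__main__":
    con = make_db()
    print("vulnerable login bypassed:", login_vulnerable(con, "alice' --", "x"))
    print("fixed login bypassed:     ", login_fixed(con, "alice' --", "x"))
    users = {"alice": "hunter2", "bob": "Tr0ub4dor&3x!", "carol": "hunter2"}
    print(demo(users))
```

Run as a script, the vulnerable login accepts the crafted username without a password while the parameterized one rejects it. In the hashing demo both schemes recover the two accounts that used “hunter2”; the difference is that the unsalted store falls to a single pass over the wordlist, while the salted store costs one slow hash per user per guess and never yields the strong password.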
While the analysis suggests that AI review could have caught certain code flaws, the breach itself stemmed mainly from poor internal processes, weak passwords, and a severe lack of segmentation between the blog and the exchange, so that compromising the blog put the entire exchange at risk.
Unfortunately, AI cannot prevent human error.
Mt Gox is still impacting the market 10 years later
Despite being defunct for over a decade, Mt.Gox has continued to affect the market in recent years as large amounts of Bitcoin are repaid to creditors, creating the potential for significant selling pressure, although this has not materialized to the extent many feared.
The exchange holds approximately 34,689 BTC ahead of its October 31 repayment deadline.