MtGox: What the largest exchange is doing about the Linode theft and the implications

This article was originally written on March 28, 2012

Following the recent Linode theft, in which a total of over 43000 bitcoins were stolen from Bitcoinica, MtGox enacted a new policy in an attempt to help stop the thief from getting away with his illicit gains: they began freezing accounts with bitcoins that could be traced back to the theft and demanding that the account holders submit identification to regain access to their accounts.

MtGox has admitted that they are cooperating with the Japanese CyberPolice in an attempt to determine the identity of the thief, and it is possible that their strategy will help achieve such a goal. Even if someone trying to sell the tainted bitcoins through MtGox is not the thief himself, a fact that even MtGox themselves have admitted is almost certainly true in every case, they would likely know something about the person who sent the coins to them, and the police, working with MtGox and other Bitcoin services, could theoretically trace their way back through each link, asking the receiver of each transaction who sent it to him, until they arrive at the original thief. It’s hard to tell how practical such a strategy actually is, although if it is possible at all, it is the largest heists, those whose value swamps any mixing pool that the thief tries to use, that would be the easiest to unravel.

However, some suspect that there may be motives at play beyond simply wanting justice for Bitcoinica. Over time, MtGox has built in more and more authentication features, first requiring email addresses for accounts starting last June, and later requiring identification for accounts handling large amounts of bitcoin, and this too may be part of a long-term plan to slowly get the Bitcoin community used to accounts being linked to their owners’ legal identities. Anti-money laundering law requires businesses transferring significant quantities of money to “know your customer”, and MtGox may have realized that they are bound by such laws and are currently not in compliance with them, so they are doing their best to become legal without clamping down too hard all at once. During the security crisis and the media attention on illegal uses for Bitcoin last June, MtGox stated their willingness to work with law enforcement authorities to track down criminals and resolve legal issues, so it has long been known that those interested in using Bitcoin as a tool to fight against government surveillance and prohibitions should not look to MtGox for aid. And this is arguably the most logical position for them to take; since they are such a central entity in the Bitcoin economy, it would hurt the economy, both legal and illegal, far more if they were shut down than if they enacted some authentication requirements that can still be bypassed simply by going through less prominent exchanges instead.

Others accuse MtGox of simple theft, but this seems highly unlikely. MtGox has no way of knowing if a frozen account will ever be claimed, so if they were to cash out on their gains they would effectively be operating under a fractional reserve, a policy which, if it were ever leaked or otherwise revealed, would effectively destroy MtGox’s reputation and seriously hurt Bitcoin’s public image, both of which they have already demonstrated a willingness to sacrifice short-term profits for when they bailed out the hacked exchange bitomat.pl in August.

MtGox’s move raises other concerns too. The most common is that it undermines the fungibility of bitcoins: the idea that one bitcoin is one bitcoin, no matter which bitcoin it is and where it came from. By flagging 43000 BTC as tainted, MtGox is replacing this model with one where some bitcoins have more value than others. Some have suggested that this is a good thing, and the Bitcoin community can expand upon the idea and adopt a self-policing mechanism by which most clients are configured to reject bitcoins that have been confirmed as stolen. However, there are many ways to criticize such a system. First of all, such a scheme would rely on a centralized authority, which Bitcoin was designed to avoid. A polycentric system may be possible, but if one authority becomes accepted by the majority of users the system will fall into a stable equilibrium of centralization which is so hard to get out of that it would be easier to create a new currency. Once the mechanism is in place, governments can easily take it over and gain the power to penalize whomever they want and make any bitcoin-handling service unusable. Second, the thief will most likely exchange his stolen coins immediately, before the community even finds out what’s going on, and it would be average users, not the thief, who are inconvenienced when they discover that a fraction of their money is suddenly worthless. The system would essentially serve as a chaotic transaction tax, not affecting those who simply hoard their bitcoins but adding an element of fear to every transaction, as the coins that the receiver received may suddenly become worthless. The end result would be an undermining of the trust and integrity of the Bitcoin system as a whole.
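The claim that the largest heists swamp any mixing pool, and the worry that ordinary users end up holding a tainted fraction of their balance, can both be worked through with a small proportional-taint calculation. This is an added example, not MtGox's or any investigator's actual method; the proportional ("haircut") taint model, the transaction names and the 5000 BTC pool size are assumptions, and only the 43000 BTC figure comes from the article.

```python
from fractions import Fraction


def propagate_taint(txs, flagged):
    """Proportional ("haircut") taint over a transaction graph.

    txs: dict txid -> {"ins": [(prev_txid, out_index)], "outs": [values]},
         listed parents-before-children (dicts keep insertion order).
    flagged: txids whose outputs are declared fully tainted.
    Returns dict txid -> Fraction of that transaction's value that is tainted.
    """
    taint = {}
    for txid, tx in txs.items():
        if txid in flagged:
            taint[txid] = Fraction(1)
            continue
        total = tainted = Fraction(0)
        for prev, idx in tx["ins"]:
            value = txs[prev]["outs"][idx]
            total += value
            tainted += value * taint[prev]
        # Transactions with no inputs model clean funding from outside the graph.
        taint[txid] = tainted / total if total else Fraction(0)
    return taint


def mixer_scenario(stolen, pool):
    """Constructed graph: stolen coins and honest coins enter one mixing
    transaction; an honest user then deposits their share at an exchange."""
    txs = {
        "theft": {"ins": [], "outs": [stolen]},
        "honest": {"ins": [], "outs": [pool]},
        "mix": {"ins": [("theft", 0), ("honest", 0)], "outs": [stolen, pool]},
        "user_deposit": {"ins": [("mix", 1)], "outs": [pool]},
    }
    return propagate_taint(txs, flagged={"theft"})


def deposits_over(taint, threshold):
    """Transactions an exchange would flag at a given taint threshold."""
    return sorted(t for t, frac in taint.items() if frac >= threshold)


if __name__ == "__main__":
    for stolen in (43000, 50):  # 43000 is the article's figure; 50 is a constructed small theft
        t = mixer_scenario(stolen, pool=5000)
        print(stolen, float(t["user_deposit"]), deposits_over(t, Fraction(1, 2)))
```

With the 43000 BTC theft, the honest user's deposit comes out roughly 90% tainted and is flagged at a 50% threshold; with the 50 BTC theft the same deposit is about 1% tainted and passes, which is the asymmetry the article describes.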

Fortunately, MtGox is not confiscating tainted coins or declaring them worthless; for now they are simply requiring identification for a few accounts. The move should be interpreted not so much as MtGox asserting themselves as a government of the Bitcoin world, but as a step toward the legitimization of the currency. MtGox is not mandatory; those who prefer not to be tracked in their bitcoin usage can always go to one of the many secondary exchanges or even arrange a physical transaction and throw potential investigators even further off their tracks by depositing and withdrawing their coins through Silk Road. If we want to restrain MtGox’s power to decide how the Bitcoin economy functions, perhaps it is most appropriate to look not at each specific move that they are making, but at their near-monopoly 86% market share, and question why they have so much power in the first place.
