The First Mt. Gox Hack: How Bitcoin Crashed to One Cent in 2011

A penny for your bitcoin

On 19 June 2011, the price of bitcoin on Mt. Gox — then the exchange where the overwhelming majority of the world's bitcoin changed hands — collapsed from roughly $17.50 to a single US cent in a matter of minutes. For a brief window, the going rate for one bitcoin was $0.01. Fifteen years later, that flash crash remains one of the most instructive disasters in Bitcoin's history — not because of how much was stolen (relatively little, as it turned out), but because of what it revealed about trusting a third party with your coins.

This was the first Mt. Gox hack, a separate and much earlier event than the catastrophic 2014 collapse that ultimately bankrupted the company. Understanding June 2011 means understanding the moment the Bitcoin community first learned, at scale, that an exchange is not a bank, a wallet, or a vault.

What Mt. Gox was

The name is a leftover acronym: "Magic: The Gathering Online eXchange." The domain was originally registered by programmer Jed McCaleb in 2007 for trading fantasy card-game items. In 2010 McCaleb repurposed it into one of the first dedicated Bitcoin exchanges. In March 2011 he sold the operation to a French developer living in Japan, Mark Karpelès, who owned and ran it at the time of the June crash.

By the standards of 2011, Mt. Gox effectively was the Bitcoin market. At its height it handled an estimated 70–80% of all global bitcoin trades; for years, "the Bitcoin price" essentially meant "the Mt. Gox price." That dominance is exactly what turned one exchange's security failure into a market-wide event.

The setup: Bitcoin's first bubble

Spring 2011 was Bitcoin's first true mania. The price had climbed from well under a dollar to an all-time high near $32 in early June 2011, drawing a wave of new, often non-technical users onto Mt. Gox. By 19 June the price had already cooled to around $17.50. In the preceding weeks, multiple users had reported accounts being drained and warning signs about Mt. Gox's security were mounting — yet trading continued.

How the crash happened

The attack did not break Bitcoin's cryptography or its blockchain. It exploited Mt. Gox's own internal systems. An attacker obtained the credentials to an administrator-level account that still had access to the exchange's database. The breach is most commonly attributed to credentials taken from a compromised computer belonging to one of Mt. Gox's auditors; some later analyses point instead to a dormant high-privilege account left over from the handover. The precise entry point has been debated for years — but the effect is not in dispute.

With that access, the attacker assigned a large bitcoin balance to an account and then dumped it all onto the order book at once: a single, enormous market sell order. Mt. Gox's matching engine did exactly what it was told. It chewed through every standing buy order, all the way down, until the final trade printed at $0.01. The order book simply ran out of bids.

Why crash the price to a penny on purpose?

The crash was not the goal — it was the method. Mt. Gox enforced a $1,000-per-day limit on US-dollar withdrawals. An attacker stealing dollars directly could only siphon out $1,000 a day. But by collapsing the price to a cent, the attacker could use the compromised funds to buy bitcoin absurdly cheaply and then withdraw it as BTC, sidestepping the dollar cap entirely.

What saved Mt. Gox from a far larger loss was a second, less-publicized control: a cap on bitcoin withdrawals too. Karpelès later put it bluntly — "the btc withdrawal limit saved us." The attacker ultimately managed to withdraw roughly 2,000 BTC before the limits and the chaos shut things down.

The damage

• ~2,000 BTC were withdrawn by the attacker at the artificial price.
• ~650 BTC were bought by ordinary users with open orders or quick reflexes during the panic — coins Mt. Gox did not return.
• Account balances worth more than $8.75 million at normal prices were swept up in the fraudulent trading.

One enduring legend from that day is a trader known only as "Kevin," who claimed to have bought on the order of a quarter-million bitcoins for a few thousand dollars during the crash. The story is almost certainly exaggerated — Mt. Gox reversed the affected trades — and the figure has never been verified. Treat it as folklore, not fact.

The database leak

The breach came with a second blow. Around the same time, Mt. Gox's user database leaked publicly — roughly 60,000 account records including usernames, email addresses, and hashed passwords. Many of those passwords were protected only by unsalted MD5 hashing, a weak scheme even in 2011, meaning a meaningful fraction could be cracked outright. For thousands of early adopters, one incident compromised both their account security and their real-world email identities.

Mt. Gox's response

Faced with a market trading at a penny, Mt. Gox took the most controversial action available to a centralized operator: it rolled back the trades, reversing transactions executed after the fraudulent sell order, and halted trading for roughly a week while it stabilized. Rolling back trades is something no decentralized system can do — but a centralized exchange controls its own ledger, and Mt. Gox simply edited it. To reassure panicked depositors that it still held customer funds, the exchange moved 424,242 BTC between addresses in a single, highly visible on-chain transaction as a proof of reserves. (The figure was a wink to internet culture, not an accounting number.)

The aftermath

The immediate theft was modest by later standards, and most users were made whole by the rollback. The lasting damage was to confidence. Combined with the bursting of the $32 bubble, the hack helped push Bitcoin into a long bear market that bottomed near $2 later in 2011. More importantly, it planted a permanent doubt: if the dominant exchange could be turned upside down by one stolen password, what was anyone's balance really worth?

Mt. Gox survived June 2011 and even reclaimed its dominance over the next few years. But the security and operational weaknesses exposed that month never truly went away — they metastasized. In February 2014, Mt. Gox suspended withdrawals, collapsed, and filed for bankruptcy, having lost approximately 850,000 BTC belonging to customers and the company — a disaster orders of magnitude larger than the 2011 crash, and one creditors are still untangling today. The 2011 hack was the warning shot; 2014 was the catastrophe.

The lesson that outlived Mt. Gox

June 2011 is where the Bitcoin community's defining security mantra earned its teeth: "Not your keys, not your coins." When you leave bitcoin on an exchange, you don't truly own bitcoin — you own an IOU in that company's database, subject to its competence, its solvency, and its honesty. The blockchain itself was never hacked in 2011, nor in 2014. What failed both times was the centralized custodian sitting between users and their coins.

The practical takeaways are the same ones we stress across Halving Report:

• Self-custody what you're not actively trading. Move long-term holdings to a wallet whose keys only you control.
• Treat exchanges as on-ramps, not vaults. They're useful for converting fiat to bitcoin — and risky as long-term storage.
• Withdrawal limits cut both ways. The same friction that annoys you is sometimes what stops a thief from draining an exchange in a day.
• Your password is an attack surface. Reused or weakly hashed credentials turned a single breach into tens of thousands of victims.

Fifteen years on, the tools for holding your own keys are vastly better, and the Bitcoin network has run continuously the entire time. The penny crash of 2011 didn't expose a flaw in Bitcoin. It exposed the cost of not holding it yourself — a lesson worth remembering every time a balance on someone else's website starts to feel like the real thing.