
Where did Mt. Gox's missing bitcoins go?

A new report alleges that the missing cache of bitcoins was long gone before Mt. Gox's demise in 2014.
Written by Charlie Osborne, Contributing Writer

Investors were left millions of dollars out of pocket when Mt. Gox died, but was the exchange's hoard of virtual currency long gone before the abrupt closure?

According to a new analysis and the results of an investigation conducted by WizSec, Mt. Gox's stolen bitcoin reserves -- worth over $300 million at the trading rates of the time -- were taken from the virtual currency exchange's hot wallet systematically over time. However, the theft did not take place in 2014; rather, WizSec lead investigator Kim Nilsson alleges that the funds were taken from late 2011 onwards.

The bitcoin security specialist firm says "most or all" of the missing bitcoins were stolen over time, leaving Mt. Gox "knowingly or not" working on a fractional reserve -- which was basically depleted by 2013. The report says:

"A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox's collapse)."

Mt. Gox closed its doors without warning in February 2014. At the time, it was believed that 650,000BTC had been stolen, although 200,000 were later "recovered" from an old-style wallet. However, the closure left many investors out of pocket, and Mt. Gox has filed for bankruptcy in both the US and Japan. Former Mt. Gox CEO Mark Karpeles said the closure was due to "weaknesses in the system" and apologized to users, but refunds have yet to be issued, if they ever will be.

Since Mt. Gox shut down, rumors have surfaced claiming the theft was an inside job and the result of fraud, and the police are investigating whether the bitcoin exchange had links to the now-defunct online black market, Silk Road.

WizSec has conducted an ongoing, informal investigation into Mt. Gox, and the latest release shows the match-up of logged deposits and withdrawals from leaked transactions together with blockchain activity. Beyond matching up records, the company also attempted to deduce ownership through clustering analysis, pairing addresses owned by individual entities and using insider sources to fill in data gaps.

Overall, WizSec sourced over two million Mt. Gox addresses and plotted the holdings of these addresses over time. Before the security breach, Karpeles performed a test transaction which proved the exchange had at least 424,242.42424242BTC under its control. Using this figure, the firm estimates that in February 2014, Mt. Gox should have held approximately 950,000BTC -- 200,000 of which were in the old wallet, and roughly 100,000BTC belonging to Mt. Gox -- which leaves 650,000BTC belonging to customers missing.

However, the graph below shows discrepancies between how much virtual currency Mt. Gox should have held, and what WizSec estimates was actually the case.

[Chart: Mt. Gox's expected bitcoin holdings compared with WizSec's estimate of actual holdings over time]

The gaps in the chart above are caused when coins went through cold storage -- and in addition the 200,000 recovered bitcoins have been excluded.

"By the end of 2011 we are past most data gaps, but we are seeing a clear discrepancy of several hundred thousand BTC between expected holdings and actual holdings," WizSec says.

"Furthermore, if we look closely, this discrepancy seems to be growing over time. By the middle of 2013, there are practically no bitcoins left at all."

Nilsson notes that there was one recurring pattern in Mt. Gox transactions during the time period shown above. Without withdrawal log entries, a few hundred BTC at a time would be sent to new non-Mt. Gox addresses -- which would later be pulled together, holding up to a few thousand bitcoins each. This virtual currency would then be deposited in trading exchanges, such as Mt. Gox itself, BTC-e and Bitcoinica.

The firm believes the virtual currency was sold off for cash in these cases.
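The reconciliation described above, as an added example that is not WizSec's code or data: it flags on-chain transfers that leave exchange-owned addresses without a withdrawal log entry, then sums where the receiving addresses later pooled the coins. All addresses, transaction ids and amounts are constructed, each transaction is simplified to one sender and one recipient, and matching log entries by transaction id is an assumption.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (hypothetical names, not real Mt. Gox records).
EXCHANGE_ADDRS = {"gox_hot_1", "gox_hot_2"}   # addresses attributed to the exchange
WITHDRAWAL_LOG = {"tx01", "tx04"}             # txids that have a withdrawal log entry
# Simplified on-chain transfers: (txid, from_addr, to_addr, amount_btc)
CHAIN = [
    ("tx01", "gox_hot_1", "cust_a", "12.5"),      # logged customer withdrawal
    ("tx02", "gox_hot_1", "new_1", "300"),        # no log entry
    ("tx03", "gox_hot_2", "new_2", "250"),        # no log entry
    ("tx04", "gox_hot_2", "cust_b", "3"),         # logged customer withdrawal
    ("tx05", "gox_hot_1", "new_3", "400"),        # no log entry
    ("tx06", "gox_hot_1", "gox_hot_2", "1000"),   # internal move, not a withdrawal
    ("tx07", "new_1", "pool_x", "300"),           # later pulled together
    ("tx08", "new_2", "pool_x", "250"),
    ("tx09", "new_3", "pool_y", "400"),
]

def unlogged_outflows(chain, exchange_addrs, withdrawal_log):
    """Transfers that leave an exchange address with no withdrawal log entry."""
    return [
        t for t in chain
        if t[1] in exchange_addrs          # spent from an exchange-owned address
        and t[2] not in exchange_addrs     # skip moves between exchange wallets
        and t[0] not in withdrawal_log     # no matching withdrawal record
    ]

def consolidations(chain, flagged):
    """Sum, per destination, the onward transfers made by flagged recipients."""
    recipients = {t[2] for t in flagged}
    pooled = defaultdict(Decimal)
    for _txid, src, dst, amount in chain:
        if src in recipients:
            pooled[dst] += Decimal(amount)
    return dict(pooled)

def missing_total(flagged):
    """Total BTC that left the exchange without a log entry."""
    return sum((Decimal(t[3]) for t in flagged), Decimal("0"))

if __name__ == "__main__":
    flagged = unlogged_outflows(CHAIN, EXCHANGE_ADDRS, WITHDRAWAL_LOG)
    print("unlogged:", [t[0] for t in flagged], "total:", missing_total(flagged))
    print("pooled at:", consolidations(CHAIN, flagged))
```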

Another interesting facet of the report relates to "Willy," the Mt. Gox automated bitcoin bulk buying bot. While some former investors claimed the bot was linked to the bitcoin theft, WizSec does not believe this to be the case -- as by the time Willy came along, "most of MtGox's deposited bitcoins were already long gone."

Nilsson says the company is unwilling to release its data at the moment, as their goal is to aid law enforcement and the release of bulk data could prove problematic to the investigation.
