t. Gox had been depleted of most of its bitcoin by 2013 according to a new report from Wizsec, the Tokyo based bitcoin security firm, which has been conducting an ongoing unofficial investigation into Mt Gox’s collapse.
The theft had been ongoing since 2011 and many of the missing bitcoins were stolen straight out of Mt Gox’s hot wallet. A significant amount of the stolen bitcoins were deposited at various exchanges like BTC-e, Bitcoinica, Mt Gox itself, and other not yet identified wallets, and subsequently sold for cash.
This led Mt Gox to be operating “knowingly or unknowingly” at fractional reserve since at least 2012. According to the chart below, this left Mt Gox drained of bitcoin way before its filing of bankruptcy in February 2014.
Missing or Stolen?
The report asks the question, “Were the missing Mt Gox bitcoins ever actually real?” In other words, did Mt Gox ever really hold any of the coins or were they faked deposit entries to make them look real.
Scouring through over 2 million Mt Gox bitcoin addresses as the chart above shows, there was a “clear discrepancy” of hundreds of thousands of bitcoin between the actual and the expected holdings. Moreover, this discrepancy grew over time until by mid 2013 when almost all the bitcoins on Mt Gox were gone.
The next step was to plot the difference between actual and expected Mt Gox bitcoin holdings. This showed that the bitcoins went continuously missing over time, but at a decelerating pace. According to Wizsec, the rate of loss in the chart below “seems unusually smooth.”
-- Plotting Data between Expected and Actual bitcoins
Wizsec matched up most of the deposit/withdrawal log and was able to rule out that the deposits were made up while the bitcoins going in were real. Thus, this discrepancy was being caused by bitcoins that were “leaving without going through valid withdrawals.”
Wizsec noticed a glaring recurring pattern while scouring through the data:
“MtGox bitcoins would suddenly get sent to a new non-MtGox address, without any withdrawal log entry, often in fairly recognizable amounts of a few hundred BTC at a time. Shortly afterwards, these addresses in turn would get gathered up into bigger addresses holding a few thousand BTC. From there, the coins would get deposited in chunks of some hundred BTC at a time onto various bitcoin exchanges.”
The conclusion was obvious: intentional theft. Wizsec asks if the majority of the coins were kept in cold storage, then how did they leave Mt Gox?
A theory that emerges is that it was an inside job and the cold storage was compromised “either physically by someone with on-site access, or somehow electronically through some security flaw in the key generation process.”
When Mt. Gox filed for bankruptcy on February 28, 2014, the issued statement read in part:
"We believe that there is a high probability that these bitcoins were stolen as a result of an abuse of this bug. We are looking [at a] variety of causes including hacking by third parties."
The new report concludes by stating the deposited Mt Gox coins were real, definitely stolen, and then sold for cash. This leaves it highly unlikely that any creditors will recover their bitcoins from Mt Gox. With no definitive answer as to who was behind the theft, Wizsec is continuing the investigation.