Tokyo-based security firm WizSec has released a preliminary analysis of suspicious trading data leaked from now defunct bitcoin exchange Mt Gox.
The exchange suspended its operations in February last year and was subsequently declared bankrupt in March, having lost around 850,000 BTC (more than $450m at the time).
Since last November, bitcoin exchange Kraken has worked alongside authorities to support the investigation on behalf of creditors. Meanwhile, WizSec has been working to track Mt Goxâs bitcoin transactions in an unofficial capacity.
WizSecâs release follows the Willy Report, the report that an anonymous researcher published last May, which alleges suspicious trading activity at Mt Gox. It concluded that trading bots ran rampant through the system under various user IDs, including one dubbed âWillyâ that placed repetitive buy-only orders that always manipulated the price upward.
Another bot, dubbed âMarkusâ, appears to have bought and sold at random prices, paying no trading fees. Both bots were most active immediately before and during November 2013, when bitcoinâs price suddenly rocketed.
By November 2013, the two bots had bought a total of 570,000 BTC â enough to have impacted the price.
WizSecâs report, released Saturday, uses the data leaked from Mt Gox in early 2013 to provide greater insight into how Willy and its operator(s) worked.
The firm says its analysis was originally completed six months ago as a means to introduce the exchangeâs trustee and other investigators, including the police, to its work. The information it has divulged is âsafeâ and will not impact the ongoing Mt Gox investigation or its various non-disclosure agreements, WizSec says, but may provide some long-awaited clarity for creditors.
From September to November 2013 Willy had a significant impact at Mt Gox, trading over 250,000 BTC, according to the report.
As the graph below indicates, the bot frequently accounted for more than 30% of hourly trades on the platform. On a few instances Willy reached 80-90%.
But did this trading volume impact bitcoinâs price during this time? WizSec says it is highly probable that the botâs behaviour had a âlarge effectâ, adding:
â[It opens] up the possibility that this may have been a plan to manipulate the market rather than â or in addition to â fraudulently acquiring bitcoins.â
The firm cites incidents where the market has âcorrectedâ itself to a lower price level following Willyâs absence.
The leaked data ends on 30th November. The influence of Willy and fraudulent trading past this point remains up for speculation.
By reconstructing the botâs trade orders, the firm observed that Willy operated over several different accounts. Each of these worked within strict parameters with regards to how much bitcoin could be bought with each order.
As the rising price of bitcoin continued, Willy was reconfigured to buy smaller amounts, in order not âto drain each accountâs deposit of USD funds too quicklyâ.
However, WizSec also noticed the presence of âcertain anomalous, high volume ordersâ that fall outside the parameter for automatic trading, seen circled below.
Source: WizSecThese high orders, it says, were characterised by even amounts and would change to more ârandom-looking valuesâ.
For this reason, the firm believes that these trading orders were issued manually. At a later point, Willyâs controller may also have deliberately used random-looking values to detract attention from these big orders.
Using timestamps, the team found that an absence of activity between 17:00 and 20:00 UTC could point to the operatorâs sleep cycle and location. The firm used Japan Standard Time (JST) as a frame of reference and plotted all suspected Willy events against the time of day in the following graph:
Source: WizSecThis pattern could indicate that the suspected user is an irregular sleeper, or that there are actually two or more users.
The data also shows greater activity on weekdays, leading the firm to believe that it is more specifically related to work days, and thus an employed person, WizSec says.
The long spread of hours also hints that Willyâs operator may have had access at both home and work. The bot was known to operate during periods when other users had no access to Mount Goxâs system, indicating internal influence.
WizSec says that there are still a few issues that require further investigation. The security consulting firm has yet to find out how such large amounts of currency could have been deposited at the exchange without raising alarm bells.
More information is also needed with regards to what happened to the bitcoins bought by Willy, as well as the USD that âreverse Willyâ had accumulated in February.
Willyâs purpose is also unclear. More clarity is needed to decipher whether it was simply a buying tool or whether it attempted to manipulate the market price.
There are also questions around Willyâs location and whether it was running in Mt Goxâs internal network or in connection with it.
Finally, WizSec says it is still investigating the role that Willy played in the events leading to the collapse of Mt Gox and urges anyone with information relating to the case to come forward.
âWe have been gathering pieces to the puzzle for a long time, and every piece helps,â it said.
Images via WizSec
