The Ghost in the Machine at MtGox

Published on February 27th, 2014 by Adam B. Levine

by Adam B. Levine, and Napoleon Cole  2/27/2014 with assistance from Ben Davenport, Martin Harrigan, Charlie Shrem, and the ##MtGox-Statement IRC Channel

Disclaimer:  This is a working theory and as such is highly speculative. While we present our findings to you for novelty and to add this information to the community conversation, the only real truth can come from MtGox.

Yesterday we published an alternative theory of where the coins went in the MtGox calamity.  But what if the coins weren't really stolen at all?  What if the perpetually bumbling exchange simply lost the keys and didn’t have the heart to tell anyone?   This idea caught fire over night and today we pick up yesterday’s thread, with a few more facts and a bunch more speculation inferred from it.

This isn’t the first time embattled exchange MtGox has had solvency concerns leveled against it. In 2011,  424,242.42424242 coins were moved from an address under the exchanges control, to another address under the exchanges control.

This exercise is the digital equivalent of moving $100 from one pants pocket to the other standing in front of a crowd.  You proved you had control of the money without exposing it to any risk.

In 2011 this served as an official “proof-of-solvency” and succeeded in quelling the concerns of the time.  When analyzed in today’s light, this same “proof” now raises more questions than it answers.

Earlier this week, a leaked Crisis Strategy Brief prepared by an outside firm for MtGox revealed the exchange has only 2,000 bitcoins in a spending or “Hot” wallet and no “Cold” (offline only) funds at all.    After much analysis, consultation and consideration, we feel there is strong circumstantial evidence that MtGox should in fact currently control at least 90,000 bitcoins in two yet unspent accounts.

Bitcoin’s nascent “blockchain forensics” is a new science that is a literal “follow the money” sort of operation.  We begin our journey in June of 2011, when concerns about Gox reached a head and CEO Mark Karpelles (magicaltux) agreed to take action as a demonstration that he controlled a non-trivial amount of coins, and so was solvent.

  1. <go1dfish> MagicalTux: 432109.87654321 is that pattern random, or was it chosen deliberately?

  2. <go1dfish> by patern I mean the fact that it looks like a countdown

  3. <sharkasgo> probably deliberate so it would be easy to search for

  4. <MagicalTux> go1dfish: it's deliberate

  5. <MagicalTux> want me to do it again? :)

  6. <go1dfish> MagicalTux: yes, if you could send like a tiny amount to an address someone throws out

  7. <go1dfish> that would do a huge amount to restore confidence

  8. <MagicalTux> I broke out the 432109.87654321 already

  9. <MagicalTux> but I'll make a new one

  10. <UberCookies> I wonder if I've reclaimed my account correctly...

  11. <xelister> do .424242

  12. <MagicalTux> xelister: 424242.42424242 ?

  13. <xelister> yeap

  14. <go1dfish> just need to see a transaction happen from an account with a huge balance with an amount listed here to an address listed here

  15. <MagicalTux> connecting the offline storage and decrypting on a firewalled system~

  16. <go1dfish> 1AbTRVrRYGri1sZvqHBadnXaCHkuXJtV5N

  17. <MagicalTux> I'll make the transaction and push it manually

  18. <notallhere> this would completely restore a lot of peoples faith

  19. <go1dfish> MagicalTux: post an address and I'll send you an amount

  20. <Ooofo> MagicalTux, to get the "free month of trading" thing, will that be automatically done based on rolled back trades or do we have to apply somehow?

  21. <MagicalTux> Ooofo: it'll be automatic

  22. <Ooofo> awesome

  23. <MagicalTux> I got all the data of all the affected users here

  24. <MagicalTux> go1dfish: no, not practical

  25. <go1dfish> ok

  26. <MagicalTux> go1dfish: I'll send 424242.42424242 bitcoins from a bunch of 50kBTC addresses (and maybe on 42kBTC) to one

  27. <MagicalTux> well, two actually

  28. <MagicalTux> one will get the 424k, the other one will get the change

  29. <go1dfish> ok, yeah all transactions get split that way as I understand it

  30. <MagicalTux> ready guys? Don't come after me claiming we have no coins after that

  31. <MagicalTux> hopefully I'll be able to work without getting too much disturbed after that~

  32. <go1dfish> yeah, ready

  33. <nanotube> MagicalTux: wasn't your last tx 432K btc? lost 8k?

  34. <geist_> no

  35. <geist_> thats just the amount someone suggested

  36. <geist_> (the 424242)

  37. <nanotube> ah

  38. <MagicalTux> 42 is the answer

  39. <go1dfish> to everything

  40. <sixEch0> 42 is my password!

  41. <noagendamarket> lol

  42. <nanotube> hehe ic

  43. <go1dfish> 42 is the solution to every block to

  44. <mabus> wait what's going on, is he proving he has our bitcoins still?

  45. <go1dfish> shit I just ruined the economy

  46. <mabus> what does this help

  47. <geist_> theres a lot of people crying wolf saying gox doesnt have their btc anymore

  48. <wumpus> don't send them to the bitcoin eater please :)

  49. <go1dfish> mabus: tux is shuffling large numbers of bitcoins to show they are still under his control

  50. <MagicalTux> anyway, going to send to 1eHhgW6vquBY... the 424242.42424242 btc

And he did!  On the blockchain we can see this very unique transaction with a timestamp that corresponds almost exactly with the IRC conversation, which brings me to...

The Timeline

2011-06-23 06:50:15 The 424,242.42424242 transaction:  https://blockchain.info/tx/3a1b9e330d32fef1ee42f8e86420d2be978bbe0dc5862f17da9027cf9e11f8c4

Mark (MagicalTux) makes the 424 transaction at approximately the same time, and on the same date as the IRC log is posted to pastebin. http://pastebin.com/d7vp06hL.  At this point we believe that MtGox has control of the coins.

2011-07-18 13:45:29 Three weeks later on July 18th, 2011 the 424,242.42424242 coins are part of a transaction that breaks them into two outputs. https://blockchain.info/tx/7a2a6f66e87ed4e72d85ba7a82eda1572605c3330c461e171f58d7ff2763ac63

The coins stay put in their respective addresses until late August, at which point they were spent in the same block.  Subsequent transactions following both amounts eventually lead to a very large 550,000 BTC transaction mentioned below.  At this point, we believe that MtGox has control of the coins.

2011-08-27 02:29:26 A series of transaction are made (largely part of the same block) to break up the two outputs of the July 18th, 2011 into many 50,000 BTC addresses.

These interconnected transactions being contained in the same block means they were performed on a local machine that didn’t have to wait for even a single confirmation before being able to send on the funds just received.  At this point, we still believe that MtGox has control of the coins.

2011-09-11 15:34:59 A few weeks later, all of the 50,000 BTC addresses are moved to new 50,000 BTC addresses. At this point, we believe MtGox still has control of the coins.

[caption id="" align="aligncenter" width="165"] Links between the July 18th and November 16th Transactions
Image courtesy of QuantaBytes[/caption]

2011-11-16 05:59:08

The next movement is in November when all but one of the 50,000 BTC addresses created on September 11, 2011 are inputs to a large 550,000 transaction with two outputs: 500,000 & 50,000

https://blockchain.info/tx/29a3efd3ef04f9153d47a990bd7b048a4b2d213daaa5fb8ed670fb85f13bdbcf

The 50,000 output is still there, unspent. https://blockchain.info/address/1P3S1grZYmcqYDuaEDVDYobJ5Fx85E9fE9

The unincluded 50,000 BTC is broken into two outputs of 40,000 & 10,000. The 40,000 output is still there, unspent. https://blockchain.info/address/1cXNTyXj4xPGopfYZNY5xfSM1EPJJvBZV

The vast majority (99.85%) of the 500,000 output is moved over several transactions to a known MtGox address two days later on the 18th of November. https://blockchain.info/tx/b269bf1b82dae8a61f7f91dbf7a9d807e30963c1ae00ddd95a8faebea6d0a007   Throughout all of this, we believe that these are internal MtGox transactions and they retain control of the coins.

What we infer from this:

1) The custody of the 424,242.42424242 transaction is reasonably established to be Mark K, CEO of MtGox.

2) All subsequent transactions leading to the 550,000 transaction on Nov 11th are synchronized, suggesting a single controller.

3) The controller of those transactions created two outputs totalling 90,000 that are unspent since Nov of 2011.  That person, which we believe to be either MtGox or Mark K. personally should still have control of those funds.

If MtGox does indeed have control of that 90,000BTC unspent since 2011, it means either the numbers on the MtGox Crisis Strategy Draft are flatly wrong and they control considerably more BTC than the document suggests, or something else is afoot.

We have established through several distinct channels that the MtGox Crisis Strategy Draft was prepared at the request of MtGox by an outside consulting firm (Mandalah Global), who used financial and BTC balances provided directly from MtGox.

If the MtGox Crisis Strategy Draft numbers are accurate it is because MtGox isn’t counting the coins because they no longer control the keys.   Mark K. has said that the coins are “unavailable.”  It is possible the keys were lost since November 2011, or they are not physically accessible for some other reason.

One possible obvious explanation of this would be if one or two users were owed and received these large amounts (one chunk of 40,000 bitcoins and one of 50,000 bitcoins), then never moved them.  While we believe this is possible, it seems unlikely to us.

So, as promised, some follow-the-money and lots of speculation.   The only person it appears who can tell us what really happened is Mark K. While ours is a minority report, we believe it provides a more plausible explanation than the originally proffered “750,000BTC was stolen via Transaction Malleability” theory.

This is not to say Transaction Malleability didn’t play a role; rather the losses it caused catalyzed the discovery within MtGox itself that what had been perceived as the safest of the safe bitcoins, the ones stored offline for years in large blocks, were in fact trapped inside a transparent, impermeable vault they no longer had the combination to.

Though MtGox’s self-induced vulnerability to transaction malleability may have played a role in its downfall, according to what we’ve seen we don’t think it could be responsible for the entire Bitcoin loss.   What do you think?
Post on Reddit Share this Post Tweet this Post +1 this Post
Tip This Post: 12uUwKC5C82FvTUn8cd9z1wYa2YpgV4DYw
Views: 1559


Comments

Make sure to make use of the "downvote" button for any spammy posts, and the "upvote" feature for interesting conversation. Be excellent.

comments powered by Disqus