If the attack vector is "my coins never arrived" followed by GOX either returning the coins to the users account or issuing a second transaction then everything needed to track down the culprits is in the help records because every report that "my coins never arrived" would have to go to the help desk.
So, simply scan through all the help desk records and find out who was reporting lost transactions.
Now, if all the attacker had to do was open a separate new unverified account for each "lost transaction", and they were smart about it we will never know exactly who did it. But the extent of the fraud would be easily known from those records.
That's the point. It's so easy (for mtgox) to audit the whole issue up to the last satoshi that the vague excuses just dont match.
Also, any time I try think of a situation in which this happenned from a long time ago (ability to withdraw without verification) its almost impossible that it wasn't detected on time before a HUGE hole, and unthinkable that it wouldnt be detected afterwards any time during the past year.
I hope that when the criminal charges press him, he will give some better and more detailed explanations of WHAT (and HOW) REALLY happenned.
Also, the "fact" that we can't follow the traces up to a certain identity is a common myth. Given enough (internal) data about the whole issue, and considering the INMENSE ammount of BTC we are talking about and that humans make mistakes, I am very confident that with mtgox colaboration (if they really are not into it) it would be possible to follow the traces of the MANY "leaks" to individual entitities.
But the vague explanations, trying to blame theoretical vulnerabilities without giving ANY proof of it actual impact, etc... makes me think the answer its much more simple than all that.
P.S.: Also, I want to point some thing:
The reason for having a hot/cold/deep wallets system is because when you run an online exchange you can't trust whatever your online databases (ie: BALANCES) says, because it can be hacked, manipulated, etc...
I mean, if you take advantage of a vulnerability that makes the online system belive you have a balance of 1000 BTC you do some checks before withdrawal, or, at the very least, you risk your hot wallet to be emptied and ANY time that happens, BEFORE loading one of the cold wallets to replenish the hot wallet, you reconciliate the balances to check that everything is ok and you arent being fooled by altered data.
Not doing so, would be the equal of not having a cold/hot wallet protection at all, and you could simply be putting all your balance on a hot wallet anyways.
So no, not only saying they didnt periodically reconcicle the balances IS criminal negligence... it is also *FALSE*.
