Peter R Rizun's theory on the collapse of MtGox and its effect on the price of bitcoin

[Peter R]

I wished I found a flaw in your plot, because it is devastating for anyone's hope of ever getting stuck assets out of Gox.
But so far I didn't find any. Congrats, that all sounds quite reasonable to me.

Looking at the volume charts between mid 2011 and today, Gox may have gained about 200k-300k btc in total from fees.
That lines up well with about 800K btc missing, operating cost can probably be neglected in that calculation.

Keeping the keys for 1000000 btc on the server would not have been necessary. Once there was a substantial amount of btc on hot wallet addresses, they could have sent them to cold storage with one click, even if this was a paper wallet being locked in a bank safe.

What's left, at least for me, is to check for any confirmation of a $1000k steal on that day. We are looking for $1000k coins which mostly entered Gox during the weeks before and then were all spent more or less at once. The thief would have had to do the latter in order to prevent Gox from spending them first using a backup of the wallet, after the theft had been detected.

I wonder how plausible it is that the fact of such an amount of coins being stolen could be kept secret. But never verifying your wallets against the blockchain would  certainly be helpful. In that context, the late detection of of double-spends due to TM is even plausible without introducing TM on purpose.

Thank you for the comments.  

I agree that this process could have and should have been automated, but I also think that it's plausible that it wasn't:

1.  Prior to the run-up from $1 - $30, I imagine that the amount of bitcoins on Gox was roughly constant.  Mark never bothered to write code to automate this process since it was rarely needed, and the security was really designed to protect $100,000.  Not $30,000,000.  He knew he should write code to do this as the price was climbing, but was just too busy from the explosion of business.  

2.  I assume that MtGox was flooded with bitcoins deposits in the days before the crash from $30 to $10.  So it would make sense that the hot wallet would be very full.  If indeed transfers to the cold wallet were not yet automated, then I think what I described is still plausible.  

[1714153936]

1714153936

[1714153936]

1714153936

[oakpacific]

Sorry for interrupting the party, but in case anyone is taking it seriously please remember from a technical perspective it's all BS.

Now please carry on.

[chriswilmer]

Sorry for interrupting the party, but in case anyone is taking it seriously please remember from a technical perspective it's all BS.

Now please carry on.

What's the objection from a technical perspective? It all seemed plausible to me. (I'm genuinely curious)

[galbros]

Great write up, thank you.  So basically the theft happened long ago and malleability is just a smokescreen.  There were thieves, but long in the past.  Willy at least kind of explains the huge trading volumes on Gox during it's end of days which to me is an interesting side note of this mystery.

Thanks!

[oakpacific]

Sorry for interrupting the party, but in case anyone is taking it seriously please remember from a technical perspective it's all BS.

Now please carry on.

What's the objection from a technical perspective? It all seemed plausible to me. (I'm genuinely curious)

You raised one of the objections yourself in a previous reply.

There is never a need to put the key to a user's deposit address on an online computer, any wallet system which could remotely be considered 'cold', by definition, would not do that.

Also if there was such a jumbo tx, I am sure it would be very visible on the blockchain.

[Peter R]

Also if there was such a jumbo tx, I am sure it would be very visible on the blockchain.

The million bitcoins sent to MtGox in early June would have been deposited to several unique addresses and over several days, as these coins came form several unique customers.  The thief would have stolen them with several transactions (over a shorter period of time), rather than merging them into a single 1,000,000 BTC TX.

There is never a need to put the key to a user's deposit address on an online computer, any wallet system which could remotely be considered 'cold', by definition, would not do that.

The just-dice.com deposit addresses are "hot."  I think this is common in fact.  Just-dice uses recent deposits to pay out new withdrawal requests, thereby minimizing transfers to and from cold storage.  If you request a just-dice withdrawal, your coins will almost always come from someone else's deposit address.  [People have reported on the troll box that they've spontaneously received free coins.  This happens when someone erroneously sends just-dice.com coins to the address that sent them a withdrawal.]  Just-dice.com automatically transfers coins to cold-storage when the amount of hot coins crosses a certain threshold.  These coins are transferred manually back to the hot wallet when needed.  

My theory would have MtGox in its early years using a similar system, except automated transfers to the cold wallet were not yet implemented.  Yeah they should have been, but I believe it's plausible that they weren't given how quickly the price (and thus the risk of not doing so) increased.  

[Zangelbert Bingledack]

This would explain why Mark's attitude recently doesn't reflect that of someone who just lost all that money. It's more like a sense of resignation at a long-since bygone mistake that has been eating at him (and causing him to stress-eat) for years.

[beckspace]

Later this day, a group of hackers gained access to MtGox servers and executed fake trades that the world could see, driving the nominal price of bitcoin near $0.  Mark was frantic.  He quickly regained control of the servers and learned the dark truth: the million bitcoins that had recently flooded in earlier that month were gone.  Mark admitted publically to the hack, rewound the false trades, but kept the truth of the missing coins a secret.  

I remember a thread after the june/2011 hack from an user that bought ~200k coins at $0.01, and, theoretically, it saved mtgox from losing it all because he was able to buy before the thief had a chance to withdraw, and that drove the price back to $0.30, and the thief only got ~2600 coins. (Edit: because of the U$ 1000,00 daily limit at the time). That was the "oficial" story.

What's left, at least for me, is to check for any confirmation of a $1000k steal on that day. We are looking for $1000k coins which mostly entered Gox during the weeks before and then were all spent more or less at once. The thief would have had to do the latter in order to prevent Gox from spending them first using a backup of the wallet, after the theft had been detected.

+1

[grahvity]

This was terrific.

Cross-link to Reddit:  http://www.reddit.com/r/Bitcoin/comments/1zdnop/peter_rs_theory_on_the_collapse_of_mt_gox/

[kireinaha]

agreed with others, good write up and sounds quite plausible. once things unfold a bit more, you should publish a book, "Empty Gox"

[varta]

What's left, at least for me, is to check for any confirmation of a $1000k steal on that day. We are looking for $1000k coins which mostly entered Gox during the weeks before and then were all spent more or less at once. The thief would have had to do the latter in order to prevent Gox from spending them first using a backup of the wallet, after the theft had been detected.

Meanwhile I checked for confirmation of a $1000k steal the 15th of June 2011, but found none.
The estimated transaction volume on that and the following days is about 230k for the entire bitcoin system.
See here.
It is not plausible to me that a thief would risk a reversal of his theft, when all he needs to do is to spend the coins to a new address.

The saying is that about 2000 btc were stolen that day, conjectures about many more stolen coins, e.g. 500k, seem to be widely rejected.
Since the 1000k theft is key to your plot, I wonder if you have a particular source. Anyway, I now like your plot even better, guess why 

[Bit_Happy]

I wasn't paying attention to Willy, but 2011 was exciting. Thank you for the write-up.

...
He shifted Willy into reverse and cranked the throttle.  Willy relentlessly dumped bitcoins into the open bids.  The price fell further and further, eventually dropping well below the BitStamp price.  But still not enough people were buying!  He needed his customers to buy the GoxBTC.  Willy kept dumping coins until finally the price dropped below $100.  MtGox even acquired new USD bank wires from customers looking to purchase the cheap coins.   By this time, the majority of Gox customers had converted their dollars into bitcoins.  
...

[Peter R]

Meanwhile I checked for confirmation of a $1000k steal the 15th of June 2011, but found none.
The estimated transaction volume on that and the following days is about 230k for the entire bitcoin system.
See here.
It is not plausible to me that a thief would risk a reversal of his theft, when all he needs to do is to spend the coins to a new address.

The saying is that about 2000 btc were stolen that day, conjectures about many more stolen coins, e.g. 500k, seem to be widely rejected.
Since the 1000k theft is key to your plot, I wonder if you have a particular source. Anyway, I now like your plot even better, guess why  

Thanks for looking into this.  The link you posted reports the estimated transaction volume, where Blockchain.info has attempted to subtract off the change.  We must consider the total output value as the "change" could have gone to the thief too.  The total output volume on June 19, 2011 was 1,301,575 BTC (EDIT: and 5,000,000 BTC on the 20th and I don't know the time zones assumed.)

https://blockchain.info/charts/output-volume?showDataPoints=false&timespan=all&show_header=true&daysAverageString=1&scale=0&format=csv&address=

Furthermore, although unlikely, it may be possible that the robbery didn't happen all at once, but over a few days.  When the thieves hit their target, then they set off the alarm bells by faking the huge sale that took out all the bids.  

Anyway, I now like your plot even better, guess why  

Why?  I'm curious.

[beckspace]

I remember a thread after the june/2011 hack from an user that bought ~200k coins at $0.01, and, theoretically, it saved mtgox from losing it all because he was able to buy before the thief had a chance to withdraw, and that drove the price back to $0.30, and the thief only got ~2600 coins. (Edit: because of the U$ 1000,00 daily limit at the time). That was the "oficial" story.

Thread in question:

I'm Kevin, here's my side.
https://bitcointalk.org/index.php?topic=20207.msg252680#msg252680

[opet]

Regarding the discovery of Willy, it wasn't "Wall Observers," whoever that is...

I discovered and named him. My original thread here:
http://www.reddit.com/r/BitcoinMarkets/comments/1uhjrb/intriguing_bot_activity_on_gox_for_the_last_2

Not a big deal, but kinda rude to take away what might be my only contribution to the upcoming Mount Gox movie...

PS: not a bad theory.

[varta]

The link you posted reports the estimated transaction volume, where Blockchain.info has attempted to subtract off the change.  We must consider the total output value as the "change" would have gone to the thief too.  The total output volume on June 19, 2011 was 1,301,575 BTC (EDIT: and 5,000,000 BTC on the 20th and I don't know the time zones assumed.)

It was even 9235k the 16th. I considered the total output volume too, but it made no sense to me that the thief would need any change, because he has no reason for not spending the entire inputs, except to obscure what he's doing.
OTOH, the volatility of the total output volume was so high those days, that I find it impossible to see an indication for a $1000k move.

Anyway, I now like your plot even better, guess why  

Why?  I'm curious.

Now I have a reason to get more popcorn and hope for a happier ending.

[Peter R]

Regarding the discovery of Willy, it wasn't "Wall Observers," whoever that is...

I discovered and named him. My original thread here:
http://www.reddit.com/r/BitcoinMarkets/comments/1uhjrb/intriguing_bot_activity_on_gox_for_the_last_2

Not a big deal, but kinda rude to take away what might be my only contribution to the upcoming Mount Gox movie...

PS: not a bad theory.

I apologize if I didn't give credit where credit was due.  I actually don't know who first noticed Willy nor do I know who named him.  The only place I've read about him is in the Wall Observer thread, so yes I was too quick in assuming that fellow Wall Observers were the first to notice him.

But your Reddit posts says its from "about a month ago."  Weren't we talking about Willy in December on the Wall Observer thread?  Does anyone remember when exactly the web and API interface went down and we watched Willy execute trades all alone?  Wasn't that November or December?  Were we calling him "Willy" at that point?

[opet]

I apologize if I didn't give credit where credit was due.  I actually don't know who first noticed Willy nor do I know who named him.  The only place I've read about him is in the Wall Observer thread, so yes I was too quick in assuming that fellow Wall Observers were the first to notice him.

But your Reddit posts says its from "about a month ago."  Weren't we talking about Willy in December on the Wall Observer thread?  Does anyone remember when exactly the web and API interface went down and we watched Willy execute trades all alone?  Wasn't that November or December?  Were we calling him "Willy" at that point?

The discovery of the bot actually happened in December, yes.  I had briefly described it during a live broadcast as a guest on Bonavest's trading show.  It was also during a later broadcast that I took suggestions for a name.  One of the other guests listed "Willy" as an option, so I later chose that one as the best of the bunch.  From that point on, the name stuck. (It's kinda cool that it spread to everyone, LOL)

Check out the reddit thread I linked and you'll also see that I'm the one who captured and shared the screenshots the night the trading API went down.  That was when I decided that it was highly likely that Willy was owned and operated by Gox itself.  (A fact that I also shared on another live Bonavest trading show, as well as other places like tradingview.com)

Interestingly enough, I confronted neotufur (sp?) in the #mtgox channel on IRC about the bot a few weeks later, and he (or she?) adamantly denied the fact that the bot belonged to Gox.  His explanation for how the bot could trade when nobody else could was something to the effect of: "if you have enough money, you can buy a direct privileged connection to our servers, so that's probably how the bot kept going when nobody else can trade."  He then called me crazy for believing it belonged to Gox and almost banned me from the channel!  (I'll try to dig up the IRC log for ya... it was amusing as hell!)

Whatever the case, I meant it when I said that it's no big deal.  I really do like how you summarized the role that Willy might have had in this mess, and it's definitely plausible!

Edit:  Here's some of my screenshots from when the trading API went down on January 7, 2013, but Willy was still making trades for the next 90 minutes while it was down for everyone else: http://imgur.com/Ub46sWE
and another: http://imgur.com/wyW1g4p

[opet]

On another note, here's a thread I created on 25 January warning of the impending doom at MtGox: https://bitcointalk.org/index.php?topic=431117.0

[Peter R]

...

Opet, I sent you a PM to clarify and will edit my article to give you priority for "Willy" once we clear up the dates.