FYI, I've published the result of my "investigation" in the French forum.
There's no English translation but here's a short summary.
Context
3 IW URLs were claimed by PG but the IW team was unable to spot 2 of them.
The IW team has asked PG to provide addresses or transactions related to these 2 wallets but PG was unable to provide this kind of information.
The IW team has developed a set of scripts to parse the blockchain in order to:
- build a list of bitcoin addresses corresponding to IW deposit addresses
- check if any of these addresses has transactions matching information sent by PG.
No matching address was found by the IW team.

Analysis
I've followed these steps:
- parsing of the blockchain to identify transactions (and addresses) matching information given by PG (date, amounts, hours)
- development of a script similar to the one implemented by the IW team, in order to list IW addresses
- matching of the 2 sets
No significant result was found.
Then, I've analyzed the principles of the script used to build the list of IW addresses:
- as a first step, the script lists addresses having sent coins to IW cold wallet. These addresses are considered as IW deposit addresses.
- in a second step, the script uses a heuristic named "multi-inputs transactions" in order to find additional IW addresses.
- the second step is repeated recursively.
The main hypothesis associated with this script is that it allows listing all IW deposit addresses. IW was a shared wallet mixing coins from all deposit addresses, thus it may sound like a reasonable hypothesis. But it appears that some cases break this assumption. One such case is when coins sent to a deposit address are consumed alone before having a chance to be sent to the cold wallet.
Activity of the cold wallet during December 2012 shows that no coin was sent to the cold wallet between 12/08 and 12/26. In fact, during this timespan, the flow was reversed (5,500 BTC sent from the cold wallet to the hot wallet), surely indicating a period with more withdrawals than deposits. This period also corresponds to the period indicated by PG for his initial deposit and his splitting operation. Thus, it doesn't seem unlikely that the funds deposited by PG may have been consumed during this period and can't be found by the recursive script.
This hypothesis would explain why the IW team was unable to find transactions and addresses matching information given by PG.
WRT missing URLs, one of my hypotheses is that IW db may have been altered by hackers to hide that some funds had been stolen (wallets deleted from db).

Next steps
IMHO, it's required to use a backup of the IW bitcoind, in order to export the full list of addresses and be sure to avoid false negative results.
Thus, I've forwarded all results and information to the IW team. It should allow them to investigate the case further.
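
Added example, not part of the original post and not the IW team's script: a small Python sketch of the address-listing procedure described above (cold-wallet seed, then the multi-input heuristic repeated until nothing new appears), run over constructed transactions to show the false negative for a deposit address whose coins are spent alone. The address names, the transaction tuples and the function names are assumptions made for illustration.

```python
# Constructed sample data: (txid, input addresses, output addresses).
# All names are hypothetical; "cold" stands for the service's cold wallet.
TXS = [
    ("t1", ["dep_A", "dep_B"], ["cold"]),      # deposits swept to the cold wallet
    ("t2", ["dep_C", "dep_D"], ["user_y"]),    # only reachable once dep_C is known
    ("t3", ["dep_B", "dep_C"], ["user_x"]),    # dep_C co-spent with known dep_B
    ("t4", ["dep_E"], ["user_z"]),             # deposit spent alone, never co-spent
    ("t5", ["ext_1", "ext_2"], ["dep_A"]),     # outside wallet paying into a deposit address
]
TRUE_DEPOSITS = {"dep_A", "dep_B", "dep_C", "dep_D", "dep_E"}


def seed_from_cold_wallet(txs, cold):
    """Step 1: addresses that sent coins to the cold wallet."""
    return {a for _, ins, outs in txs if cold in outs for a in ins}


def expand_multi_input(txs, known):
    """Steps 2-3: multi-input heuristic, repeated until nothing new is found."""
    known = set(known)
    passes = 0
    changed = True
    while changed:
        changed = False
        passes += 1
        for _, ins, _ in txs:
            ins = set(ins)
            # Inputs of one transaction are assumed to share an owner.
            if len(ins) > 1 and ins & known and not ins <= known:
                known |= ins
                changed = True
    return known, passes


def list_wallet_addresses(txs, cold):
    found, _ = expand_multi_input(txs, seed_from_cold_wallet(txs, cold))
    return found


if __name__ == "__main__":
    found = list_wallet_addresses(TXS, "cold")
    print("found :", sorted(found))
    print("missed:", sorted(TRUE_DEPOSITS - found))
```

Exporting the address list directly from the wallet software, as suggested in the post, is the only input that would make `TRUE_DEPOSITS` known in a real investigation; here it is constructed so the miss can be measured.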