Bitcoin Market Manipulation Exposed On Mt. Gox?

Interesting blog post from a guy who analyzed the leaked Mt. Gox transactions and uncovered what seems to be clear evidence of a coordinated (and successful) effort to artificially inflate the price of Bitcoin in addition to wholesale, automated theft. In this first post, I'll provide a little background for those unfamiliar with Mt.Gox, the November explosion in Bitcoin value and the events earlier this year involving Mt. Gox.

Mt. Gox

The 28-year-old Karpeles was born in France, but after spending some time in Israel, he settled down in Japan. There he got married, posted cat videos and became a father. In 2011, he acquired the Mt. Gox exchange in from an American entrepreneur named Jed McCaleb.

McCaleb had registered the Mtgox.com web domain in 2007 with the idea of turning it into a trading site for the wildly popular Magic: The Gathering game cards. He never followed through on that idea, but in late 2010, McCaleb decided to repurpose the domain as a bitcoin exchange. The idea was simple: he’d provide a single place to connect bitcoin buyers and sellers. But soon, McCaleb was getting wires for tens of thousands of dollars and, realizing he was in over his head, he sold the site to Karpeles, an avid programmer, foodie, and bitcoin enthusiast who called himself Magicaltux in online forums.

Karpeles soon set about rewriting the site’s back-end software, eventually turning it into the world’s most popular bitcoin exchange.

Wired - The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster

Bitcoin Value Explodes in November

The below chart shows the median price for Bitcoin on Mt. Gox for the last year, ending with the exchange's closure.

Excerpting myself from two threads in early November.

As I write this, BTC is trading on Mt.Gox at $433, down from today's high of $446 but still up $60 from 48 hours ago.
...
CNN Money, the Washington Post, and Forbes contend that it's Chinese investment in BTC. The Forbes article leaves the distinct impression that it was BTC China, now the largest BTC exchange on the planet, eliminating it's trading fees in September that fueled the boom.

Looking at this BTC China chart, it seems that prices tracked pretty evenly with Mt.Gox, BTC-E, etc. It bears mention that the October 2nd announcement by the FBI of the arrest of Silk Road founder Ross Ulbricht would seem to be responsible for the sharp dip in prices on the same day.

ATS - What int the world is going on with Bitcoin?

Fresh off Mt.Gox ticker:

Last price: $726.75042 High: $750.00000

11969540 BTC in circulation @ $725 = $8,677,916,500. The Winklevi are richer than ever. Even if you've never possessed a Bitcoin wallet, this is something worth taking note of.

ATS - Bitcoin, the explosion continues

and Forbes - 2013: Year Of The Bitcoin

Bitcoin made headlines on Nov. 29 as the price of a single coin hit an all-time high. Mt. Gox one of the original and biggest bitcoin exchanges, based in Tokyo, recorded the high at $1,242 per coin. For comparison, during the same day spot gold prices hit a session low of $1,240 per ounce.

The "Hack" and Bankruptcy

Its collapse into bankruptcy last week — and the disappearance of $460 million, apparently stolen by hackers, and another $27.4 million missing from its bank accounts — came as little surprise to people who had knowledge of the Tokyo-based company’s inner workings. The company, these insiders say, was largely a reflection of its CEO and majority stake holder, Mark Karpeles, a man who was more of a computer coder than a chief executive and yet was sometimes distracted even from his technical duties when they were most needed. “Mark liked the idea of being CEO, but the day-to-day reality bored him,” says one Mt. Gox insider, who spoke on condition of anonymity.

Last week, after a leaked corporate document said that hackers had raided the Mt. Gox exchange, Karpeles confirmed that a huge portion of the money controlled by the company was gone. “We had weaknesses in our system, and our bitcoins vanished. We’ve caused trouble and inconvenience to many people, and I feel deeply sorry for what has happened,” Karpeles said, speaking at a Tokyo press conference called to announce the company’s bankruptcy. This would be the second time the exchange was hacked. In June 2011, attackers lifted the equivalent of $8.75 million.

Wired - The Inside Story of Mt. Gox, Bitcoin’s $460 Million Disaster

Leaked Transactions

The hackers also posted a 716 megabyte file to Karpeles’ personal website that they said comprised stolen data from Mt. Gox’s servers. It appears to include an Excel spreadsheet of over a million trades, a file that purports to show the company’s balances in eighteen difference currencies, the backoffice application for some sort of administrative access to the databases of Mt. Gox’s parent company Tibanne Limited, a screenshot of the hackers’ access to those databases, a list of Mark Karpeles’ home addresses and Karpeles’ personal CV.

Forbes - Hackers Hit Mt. Gox Exchange's CEO, Claim To Publish Evidence Of Fraud

Anonymous hackers have defaced Mt.Gox CEO Mark Karpeles’ blog and have uploaded a data dump of customer data that, according to users with accounts on the site, is accurate. A Reddit user created an Excel spreadsheet [mirror] of anonymized user accounts with balances, and many current Mt.Gox users have found their balances present.

Tech Crunch - Mt.Gox Hack Allegedly Reveals Bitcoin Balances, Customer Account Totals

The following analysis was posted in a wordpress blog, The Willy Report by Reddit user, Yan_bk with the title, The Willy Report: proof of massive fraudulent trading activity at Mt. Gox, and how it has affected the price of Bitcoin.

Conspiracy Exposed?

Somewhere in December 2013, a number of traders including myself began noticing suspicious bot behavior on Mt. Gox. Basically, a random number between 10 and 20 bitcoin would be bought every 5-10 minutes, non-stop, for at least a month on end until the end of January. The bot was dubbed “Willy” at some point,

The blog's author claims he was able to tie the activity of multiple accounts together using anomalous account data:

I noticed here that all of these accounts had one thing in common; the User_Country and User_State field both had “??” as entry. This was unusual. Normally, these fields contained country/state FIPS codes (for verified users?), nothing (unverified users?), or “!!” (users who failed verification or suspicious users?).

So I went back and gathered all of these “??” users, aggregated their trades, and summed the amount of BTC that each of these accounts bought (they never performed a single sell). They seamlessly connected to each other: when one user became inactive, the next became active usually within a few hours. Their trading activity went back all the way to September 27th.

At this point, I noticed that the first Willy account (created on September 27th) unlike all the others had some crazy high user ID: 807884, even though regular accounts at that point only went up to 650000 or so. So I went looking for other unusually high user IDs within that month, and lo and behold, there was another time-traveller account with an ID of 698630 – and this account, after being active for close to 8 months, became completely inactive just 7 hours before the first Willy account became active

He nicknamed the older account "Markus" and analyzing his transactions, stumbled upon something even more incriminating:

Account 698630 actually had a registered country and state: “JP”, “40″ – the FIPS code for Tokyo, Japan. So I went and compiled all trades for this account. For convenience, I will dub this user “Markus”.

There were several peculiar things about Markus. First, its fees paid were always 0. Second, its fiat spent when buying coins was all over the place, with seemingly completely random prices paid per bitcoin.

regardless of the volume of BTC bought, the value paid is always $15.13. This is speculation, but perhaps for Markus, the “Money” spent field is in fact empty, and the program that generates the trading logs simply takes whatever value was already there before. In other words, Markus is somehow buying tons of BTC without spending a dime. Interestingly, Markus also sells every now and then, and for some reason the price values are correct this case.

Sell 31k BTC, receive $4 million, re-buy 15k BTC, spend nothing. Awesome! Here is the corresponding chart for this day, just to show that these trades (from 8:00 to 10:00 am) actually occurred “on-market”, and had a significant effect on the price.

However, none of the Willy accounts until November appear in the leaked balance summary at the time of collapse, and there seem to be no corresponding withdrawals for those amounts of bitcoin bought. Markus does have a balance: around 20 BTC and small amounts of EUR, JPY and PLN. No USD balance. In other words, only currencies for which Mt. Gox actively controlled bank accounts.

Claims & Conclusions

The gist of the authors conclusion is that either a hacker or Mark Karpeles himself, was gaming the system and inflating the value of Bitcoin on Mt.Gox through thousands of small, automated purchases from accounts that had been edited from one set of the transaction logs and even worse, it appears that payment for this Bitcoin was in effect embezzled from Mt. Gox and ultimately, from it's customer's accounts.

So basically, each time, (1) an account was created, (2) the account spent some very exact amount of USD to market-buy coins ($2,500,000 was most common), (3) a new account was created very shortly after. Repeat. In total, a staggering ~$112 million was spent to buy close to 270,000 BTC – the bulk of which was bought in November.

Upon closer inspection, it turns out the full and anonymized versions of all the logs differ in two, and ONLY two ways:

User hashes and country/state codes are removed.
Markus’ out-of-place user ID (698630) is changed to a small number (634), and its strange fixed “Money” values are corrected to the expected values.
Interesting detail: from the 2011 leaked account list, the user with ID 634 has username “MagicalTux”

Combined with Willy’s buys, that’s around 570,000 BTC in total. Although there are no trading logs after November, Willy was observed by multiple traders to be active for the most part of December until the end of January as well. Although this was at a slower, more consistent pace (around 2000 BTC per day), it should roughly add up to another 80,000 BTC or so bought. So that’s a total that’s suspiciously close to the supposedly lost ~650,000 BTC.

A few words of caution. I have not analyzed this data myself. The files were allegedly stolen and disseminated to the public by a "hacker." Parts of the data have purportedly been independently verified by a number of users but the provenance is questionable to say the least. Assuming the data is genuine and properly interpreted, there are at least three possible conclusions that could be reasonably drawn and they're not mutually exclusive:

1. An unknown individual or group had comprised Mt. Gox security and was engaging in theft and market manipulation over the course of several months.
2. Mark Karpeles and possibly others were engaging in a coordinated market manipulation and embezzlement and are blaming their actions on an intruder.
3. Unbeknownst to Mark Karpeles, someone from within his organization was responsible.

The blog post of course goes into greater detail and covers topics including the effect on Bitcoin price outside of Mt. Gox and the April 2013 Bitcoin bubble. My own experiences in cryptocurrency, Mt. Gox and other exchanges leave me a bit jaded, but I find it entirely reasonable that it was an inside job and Mark Karpeles was behind it.

Brief PS regarding Mark Karpeles's claims and refutation from two Swiss researchers at ETH Zurich University in Switzerland.

On Wednesday, Tokyo-based Bitcoin exchange Mt. Gox “reassured everyone” that its CEO Mark Karpeles was still in Japan and working to “ find a solution to our recent issues.” It turns out that solution is filing for bankruptcy. Having halted withdrawals for over a month, and complaining about a “transaction malleability” Bitcoin bug that let users steal coins, the exchange now says its Bitcoin loss is higher than the 744,000 figure cited in a “crisis plan” leaked this week. Mt. Gox says 750,000 of its customers’ Bitcoins are gone and more than 100,000 of its own. At Bitcoin’s current surprising stable $550 – $570 value, and more than 100,000 of its own coins, that’s around $475 million. Ouch.

Forbes - Mt. Gox CEO Says All The Bitcoin Is Gone In Bankruptcy Filing

About the Transaction Malleability bug:

In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a transaction do not provide any integrity guarantee for the signatures themselves. This allows an attacker to mount a malleability attack in which it intercepts, modifies, and rebroadcasts a transaction, causing the transaction issuer to believe that the original transaction was not confirmed. In February 2014 MtGox, once the largest Bitcoin exchange, closed and filed for bankruptcy claiming that attackers used malleability attacks to drain its accounts. In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no widespread use of malleability attacks before the closure of MtGox

arXiv abstract - Bitcoin Transaction Malleability and MtGox

Paper cited, NBC News - Mt. Gox Hack Only Amounted to A Handful of Bitcoins: Study

An analysis by Swiss researchers of bitcoin transaction data suggests that bankrupt exchange Mt. Gox, which blamed a bug in bitcoin itself for the loss of millions in the virtual currency, could in fact have only lost a tiny fraction of that amount.

But the data show that only a few hundred occurred while the exchange was actually operating normally. The vast majority occurred after Mt. Gox shut down withdrawals on Feb. 8 — so the attacks couldn't actually target it. In fact, it appears to be the exchange's announcement about the vulnerability that caused the wave of attacks to occur.

What's more, of the hundreds of attacks that did target Mt. Gox while it was operational, less than a quarter appeared to have actually worked. The final tally, by the researcher's reckoning: 386 bitcoins, or about $203,000.

spam