New WIZSEC Report Points To Definitive Insider Trading At Mt. Gox

Published at: Feb. 23, 2015

In the latest report from WizSec, a Tokyo-based security firm, conclusive evidence has been found of insider trading and price manipulation at the defunct Mt. Gox exchange.

The report states this price manipulation started in February 2013 when the price was around US$25 and continued all the way until February 2014 when the price crashed from its all time high above US$1,000. The report concludes that 570,000 BTC were bought in the period between February and November and that this definitely had a meaningful impact on price.

Willy Report Overview

WizSec corroborates the findings of the original Willy report, which showed that automated trading began on September 27, 2013 and continued at least until the end of November. It then claims that the automated trading went on through February 2014.

However, prior to this, there was suspicious trading activity from February until September of 2013 that seemed to buy a lot of bitcoin and conveniently stopped just a few hours before the Willybot appeared. Willy bought 250,000 BTC between September 27 and November 30.

The report concludes there was a high probability this had a large effect on the BTC price, which climbed to over US$1,000 during this time. The chart below shows the trading activity of the Willybot and the run-up in price. Notice the few suspicious incidents where Willy isn’t trading and the price corrects itself.

The WizSec report states:

“Our first observation is that Willy clearly operated within strict parameters for how much bitcoin to buy with each order, and that this range was altered several times, sometimes even during the run of an account. Early on it used large ranges like 0 – 150 BTC or 0 – 50 BTC, but later decreased to 10 – 30 BTC or 10 – 20 BTC towards the end of the leaked logs. Our interpretation is that as the price of bitcoin kept going higher, Willy was reconfigured to buy lower amounts in order not to drain each account's ‘deposit’ of USD funds too quickly.”

Other Interesting Findings

Willy also made a lot of trades that were outside of the range listed above,  meaning higher amounts of bitcoin that they wanted to make appear random.

At first there were even numbers like 2,000 BTC, but the report concludes later that these were changed to look more “random” so uneven numbered trades were put in, like for example 1,845 bitcoin, so that these large buy orders wouldn’t draw attention from savvy market participants. Therefore, the insiders wanted to make it look like spontaneous market rushes rather than single orderly trades.

Apparently these trades were done manually as they were outside of the parameters of the Willybot. The chart below shows that these trades were not random at all.

Who Was Behind Willybot

The report also studied the time of user activity in order to find a pattern in the sleep cycle so as to get a clue where the user was based. Conclusive evidence was found that there was no user activity between the hours of 17:00 and 20:00 UTC. These time zones fall within the normal sleeping hours of Australasia.

These short periods brought up more questions and made WizSec think there was more than 1 user between the Willybot and that these users worked together to cover most of the day. All activity also appears to happen during weekdays with no activity whatsoever on weekends. The conclusion that can be drawn here is that this person worked a normal day job and was off on weekends.

Trading activity was spread out through most of the day, which includes any possible working hours during weekdays. This leads to a conclusion that the Willybot could be controlled by its user from a work environment and from their home.

Below is a chart plotting all suspected Willybot trades against time of day:

Willy Did Not Stop in November, 2013

WizSec states that while leaked data suggests Willy ended November 30, 2013, they have different conclusions. They found that the Willybot kept operating throughout December and January though with longer gaps between trading. This could have been holiday related.

Even more important, on January 28, 2014, the pattern reverses and starts driving price down by issuing massive sell orders instead of buys. WizSec believes this was the Willybot and bases it on the available data as well as customer eye witnesses who reported the Willybot operating into February, implicating that Willy had a large hand in the Mt. Gox price crash in February.

Did you enjoy this article? You may also be interested in reading these ones:

Charlie Shrem: ‘Mark Karpeles Wanted to Take the Weekend Off’ After Mt. Gox Collapsed Police Suspect Mt. Gox Inside Job DHS Agent Believed Mark Karpeles to Be Head of Silk Road
Tags
Security
Mt. Gox
Wizsec
Related Posts
Karpeles Warns of another Mt. Gox, but BitFinex might have the Answer
Former CEO Mark Karpeles warns Mt. Gox's US$500 million loss of funds could happen again, just as BitFinex announces its own possible solution. As Mark Karpeles expressed his concern that digital currency exchanges are still holding customer deposits, BitFinex has announced a new system designed to verifiably hold each account's funds separately on the blockchain. 'Another disaster waiting to happen' The scale of the problem both are addressing is huge with 818,000 bitcoins being reported as stolen between 2010 and early 2014. With Karpeles being CEO of the Mt. Gox exchange when it lost US$500 million of customer deposits, his …
Blockchain / June 3, 2015
Mt Gox Depleted of Bitcoins by 2013 Says New Wizsec Report
Mt Gox had been depleted of most of its bitcoin by 2013 according to a new report from Wizsec, the Tokyo based bitcoin security firm, which has been conducting an ongoing unofficial investigation into Mt Gox’s collapse. The theft had been ongoing since 2011 and many of the missing bitcoins were stolen straight out of Mt Gox’s hot wallet. A significant amount of the stolen bitcoins were deposited at various exchanges like BTC-e, Bitcoinica, Mt Gox itself, and other not yet identified wallets, and subsequently sold for cash. This led Mt Gox to be operating “knowingly or unknowingly” at fractional …
Bitcoin / April 20, 2015
Cybersecurity Firm ESET Manages to Disrupt Major Monero-Mining Botnet
Slovakian cybersecurity firm ESET has reported some success in disrupting the workings of a previously undetected Monero (XMR)-mining botnet in Latin America. In an announcement on April 23, ESET said the malware had infected over 35,000 computers since May 2019, with 90% of compromised devices located in Peru. Researchers have had some success in tackling the threat ESET researchers have dubbed the botnet VictoryGate, noting that its main activity has been illicit Monero mining — also known as cryptojacking. This is the industry term for stealth crypto-mining attacks that work by installing malware that uses a computer’s processing power to …
Technology / April 23, 2020
Coinbase Exploring Eight New Assets in Bid to Expand Market Access
Major crypto platform Coinbase announced today that it is exploring support for eight new digital assets. The expansion is part of a larger agenda by the exchange to give customers access to 90% of the aggregate market capitalization of all digital assets. Coinbase announced its plans in an official blog post on Aug. 5. As part of the announcement, Coinbase noted that they may roll out public-facing APIs and show other indications of engineering work during the exploratory phase. Per the announcement, the exchange is currently exploring support for Algorand (ALGO), Cosmos (ATOM), Dash (DASH), Decred (DCR), Matic (MATIC), Harmony …
Bitcoin / Aug. 5, 2019
Online How-To Platform Partners with Blockchain Startup to Boost User Security
Online guide platform wikiHow and the Blockchain startup Civic are partnering up in their bid to bolster users’ login security. Under the collaboration, users of wikiHow will be able to swap out their old login methods for Civic’s mobile application (app). wikiHow offers various guides and how-to articles on different subjects. The website was founded by Internet entrepreneur Jack Herrick in 2005. According to Civic, wikiHow users who use its app can avoid the pitfalls of handling passwords and usernames that are vulnerable to cyber theft. "The simple, quick process verifies Personally Identifiable Information (PII) to ensure ownership of the …
Blockchain / Aug. 26, 2017