February 14, 2015

MtGox investigation update and preliminary release

WizSec has been investigating the MtGox crash since soon after it occurred, making us probably the longest-running non-official investigation. In this time, as we slowly discover more things, it has become more and more important to be careful in what we disclose, both in order not to jeopardize other investigations and also not to needlessly get any of our sources into trouble. In line with our intent to investigate responsibly, we have also signed several non-disclosure agreements.

However, it has now been a full year since MtGox, and the then customers (now creditors) still don't have much to go on. There was the release of The Willy Report last May, then there was the encouraging news that Kraken was appointed as an additional official investigator in November (but as such they will also have to work mostly in silence), and later we heard speculation of MtGox involvement being tossed around in the Silk Road trial.

We wanted to share at least something publicly to help keep attention on MtGox alive, and after some consideration we think the following information is "safe" without betraying any trust or causing any trouble. This is an adaptation of a report we prepared last summer, documenting one of the things we focused on early in the investigation: a deeper look into the activities of the Willy trading bot. This is information we've already shared with official investigators and is not too sensitive, as it represents an early stage of our investigation.

Note that the report was intended as an introduction of our work at the time to other people like the MtGox trustee, police or other investigators, so while it isn't too technical it does assume some prior knowledge of bitcoin and the MtGox case. We hope to in the future be able to share more through blog posts like this one, though cooperating with official investigators will always take priority.

(Japanese translation available upon request.)



(Preliminary analysis of leaked MtGox data, August 2014)

Background

Following the collapse of MtGox in early 2014, parts of its database were leaked onto the Internet. This data included trading logs, account balances and withdrawal/deposit logs, but was incomplete and the different data covered different time periods. Despite the limited nature of the data, a lot of people tried to analyze it to gain clues as to what had happened at MtGox, and probably the deepest analysis at the time was The Willy Report, published online in late May 2014.

The Willy Report identified suspicious trading activity happening at MtGox, with certain user accounts being used to seemingly fraudulently buy large amounts of bitcoins in an automated fashion. For our preliminary analysis and demonstration we have focused on this activity and attempt to follow up on the Willy Report. Given better access to more MtGox data, we could examine other aspects equally carefully.

Summary of the Willy Report

The suspicious user accounts identified by the Willy Report all followed a particular pattern:
  • Each account was active for a single time period, and only one account was active at a time.
  • Each account bought 10-20 bitcoins every 5-10 minutes.
  • Each account only bought bitcoin with USD, and never sold any coins.
  • Each account bought bitcoin up to a very specific total USD amount (e.g. 2,500,000 USD).
  • After each account was "finished", another account would shortly become active and continue buying.
  • These accounts were seemingly able to trade even when MtGox was inaccessible to the world.
  • All trades by these accounts had unusual data in the trade log files.
This automated trading began on September 27, 2013 and continued at least until the end of the leaked log data (at the end of November 2013). After this point there is no trade data available publicly, but people claim to have observed this behavior continue into 2014, and supposedly at some point after that the reverse started happening: automated selling of bitcoin at regular intervals.

The second half of the Willy Report investigates another suspicious account in the leaked trade logs, with seemingly incorrect fiat amounts recorded for its trades. This account exhibited different behavior but like Willy it seemed to buy a lot of bitcoin during 2013 (February through September) only to suddenly stop, mere hours before the first Willy account began trading. The report dubbed this user "Markus", and later concluded that it was using the MtGox trading account of CEO Mark Karpelès, though the log data was inconsistent and may have been intentionally manipulated specifically to conceal or obfuscate this account activity. Ultimately the relationship between Markus and Willy remains unclear.

Impact on the MtGox market

Willy bought a very large amount of bitcoin on MtGox during the period of September 27 – November 30 during 2013 (and later, though the leaked logs end on this date), a total of over 250,000 BTC. There is a very high probability that this had a large effect on the price of bitcoin, opening up the possibility that this may have been a plan to manipulate the market rather than (or in addition to) fraudulently acquiring bitcoins. Another speculation has been that MtGox for some reason had a shortage of bitcoins and used their own exchange to acquire more, trading BTC shortage for USD shortage.

To get an overview of just how significant this activity was, the following is a graph of how much of the hourly trade volume on MtGox was actually Willy, with the MtGox bitcoin price overlaid:

As clearly seen, for a lot of the time (especially when the market was otherwise quiet), Willy had a significant presence, and it is hard to think that this would not have an effect on the market and in turn the exchange price, through its added buying pressure. There are even some suspicious incidents where Willy becomes absent and soon afterwards the market "corrects" itself to a lower price level.

A question we cannot answer without more data is what continued influence Willy had after November 30. Certainly there were additional strong price climbs later that in the light of this might now appear suspicious, but it is also a fact that the price never peaked past its high point at the end of November. Did Willy stop trading, or was the amount of bitcoins it bought no longer large enough to keep pushing the price even higher? Did Willy or similar fraudulent trading play any role in the massive price crash that began in early February? And finally, what happened to all the bitcoins that Willy seemingly amassed?

Investigation

Retracing the steps of the Willy Report, we followed up on several areas and attempted to perform a deeper analysis. The first step meant documenting the behavior of the Willy bot over time, beginning by reconstructing the trade orders it issued. The leaked trade logs contain the individual transactions used to fulfill trade orders, but not the original order amounts input by the users. Fortunately, since Willy appeared to exclusively buy bitcoins using market orders (i.e. buying regardless of price), reconstructing the original order amounts can be done mostly automatically by grouping trades that happened very closely together (e.g. within a few seconds of each other).

Grouping Willy's trades into orders reduced the amount of data from about 100,000 trades (performed by accounts associated with Willy) down to about 7,000 buy orders. The following graph plots all the buy orders issued by each Willy account over time:


Our first observation is that Willy clearly operated within strict parameters for how much bitcoin to buy with each order, and that this range was altered several times, sometimes even during the run of an account. Early on it used large ranges like 0 – 150 BTC or 0 – 50 BTC, but later decreased to 10 – 30 BTC or 10 – 20 BTC towards the end of the leaked logs. Our interpretation is that as the price of bitcoin kept going higher, Willy was reconfigured to buy lower amounts in order not to drain each account's "deposit" of USD funds too quickly. Even with these changes, the later accounts have significantly shorter "lifetimes" than the early ones, requiring Willy to switch accounts more frequently.

The graph also reveals that there were gaps between some of the periods in which Willy operated; but almost never within the span of a single account. We interpret this to mean that each Willy account was automatic once started and ran until its USD "funds" were depleted, but needed to be restarted for each new account.

Another interesting observation is the presence of certain anomalous, higher volume orders (circled above). These are outside the range parameter for the automatic trading, and there are actually quite a lot of these trades; while they are outside the graph above, plotting the volume on a logarithmic axis makes them all visible:


One notable property of these high orders is that they early on are for very even amounts, such as exactly 2,000 BTC. Later the amounts change to more random-looking values. Our interpretation here is that these are manually issued buy orders (in addition to the automatic trading on each account), and that at a later point the user behind Willy perhaps altered their strategy to use random-looking values so as not to draw too much attention to these big orders. (With an even amount, there would be a risk that someone observing the trades live would spot the nice and even totals, making it more obvious that these were single big trades rather than spontaneous market rushes.)

The next step was to also analyze how frequently Willy bought bitcoin, to see if there was a similar pattern there as well. We calculated the delay between each automatic order and the next — let's call it "cool-down time" — and plotted these over time:


Although this time there is a bit more noise, just like with the buy order sizes the pattern is still fairly clear and tells us that the cool-down time was another configurable parameter of Willy that was at times changed.

The increased noise at the end is not something we can readily explain; either the cool-down parameter was changed very frequently, or there were circumstances where Willy could issue additional trades with a shorter, often nearly non-existent delay. Possibly this was manually triggered (like some type of temporary "turbo mode"), triggered by some kind of market condition, or it could have been a bug.
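The two observations above (manual high-volume orders outside the automatic range, with round amounts early and random-looking amounts later, and a configurable cool-down between automatic orders) can be pulled out of a reconstructed order list mechanically. The following is an added example, not WizSec's own analysis code; the order list is constructed for illustration, and the median-absolute-deviation cutoff used to separate automatic from manual orders is an assumption of this example, chosen because the manual orders are orders of magnitude larger than the automatic range.

```python
"""Profile a sequence of reconstructed buy orders for one account:
estimate the automatic buy range and the cool-down between orders,
and flag the large manual orders that fall outside that range.
Added example, not the report's own tooling; data below is constructed."""
import statistics

# Constructed (timestamp_seconds, btc_amount) buy orders for one account:
# automatic orders in the 10-20 BTC range every ~5-10 minutes, plus two
# manual orders, one round (2,000 BTC) and one random-looking (1,873.4 BTC).
ORDERS = [
    (0, 12.4), (360, 18.1), (780, 10.9), (1200, 2000.0), (1230, 15.5),
    (1800, 19.7), (2160, 11.3), (2700, 13.8), (2710, 1873.4), (3240, 17.2),
    (3600, 14.6), (4140, 10.2),
]


def estimate_range(amounts, mad_factor=5.0):
    """Estimate the automatic range as min/max of the amounts lying within
    mad_factor median-absolute-deviations of the median (assumed cutoff).
    The MAD is robust to the few huge manual orders, unlike mean/stddev."""
    med = statistics.median(amounts)
    mad = statistics.median(abs(a - med) for a in amounts) or 1.0
    auto = [a for a in amounts if abs(a - med) <= mad_factor * mad]
    return min(auto), max(auto)


def is_round(amount, unit=100):
    """A 'nice and even' amount: an exact multiple of `unit` BTC."""
    return amount % unit == 0


def profile(orders):
    """Return the inferred automatic range, the manual orders with a
    round/random-looking label, and cool-down statistics between
    consecutive automatic orders (manual orders excluded)."""
    amounts = [a for _, a in orders]
    lo, hi = estimate_range(amounts)
    automatic = [(t, a) for t, a in orders if lo <= a <= hi]
    manual = [(t, a) for t, a in orders if a > hi]
    cooldowns = [t2 - t1 for (t1, _), (t2, _) in zip(automatic, automatic[1:])]
    return {
        "range": (lo, hi),
        "manual": [(t, a, "round" if is_round(a) else "random-looking")
                   for t, a in manual],
        "cooldown_min": min(cooldowns),
        "cooldown_max": max(cooldowns),
        "cooldown_median": statistics.median(cooldowns),
    }


if __name__ == "__main__":
    for key, value in profile(ORDERS).items():
        print(f"{key}: {value}")
```

Plotting the per-account range and cool-down over time, as the report does, is then a matter of running `profile` over each account's orders in turn; a change in the returned range or cool-down bounds between accounts (or within a long-lived account, if it is split into time windows) is the reconfiguration event the report describes.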

In summary, Willy was a computer program which at its core likely obeyed the following logic:

parameters: MIN_AMOUNT, MAX_AMOUNT, MIN_DELAY, MAX_DELAY,
  SOURCE_CURRENCY = USD, TARGET_CURRENCY = BTC, INITIAL_DEPOSIT

deposit INITIAL_DEPOSIT into SOURCE_CURRENCY account
loop {
  if SOURCE_CURRENCY account is empty, abort.
  let AMOUNT := random number between MIN_AMOUNT and MAX_AMOUNT
  issue market order for AMOUNT of TARGET_CURRENCY
  let DELAY := random number between MIN_DELAY and MAX_DELAY
  sleep for DELAY
}

Profiling Willy

At this point, we had strong indications that Willy was an automatic bot which was at times controlled by its operator, and had already identified multiple instances of likely interactions of this kind by the user:
  1. Starting each new Willy account
  2. Changing the buy range
  3. Changing the cool-down range
  4. Issuing a manual, high-volume buy order
  5. (Possibly issuing additional buy orders in the normal range, but sooner than scheduled)
All in all we gathered around 200 such user events. The next logical step was to analyze and compare the exact timestamps of each of these interactions, trying to get clues about the user. For example, regular absence of any activity during certain hours of the day would be a possible indication of the user's sleep cycle, which in turn could be a clue as to in which part of the world they were located (based on the time zone).

While the data is scarcely sufficient for conclusions, there is one notable gap with no user activity, between 17:00 and 20:00 UTC. The time zones for which this range falls within "normal" sleeping hours cover much of Australasia; in Japan, for example, these hours correspond to 02:00 – 05:00 JST, though the data can be interpreted to plausibly fit any timezone from UTC+8 through UTC+12. We'll use Japan Standard Time as a frame of reference in this report.

The relatively short period of inactivity increases the margin for error and raises questions: while the average rest period is longer than the three-hour window common to every day (i.e. the rest time frame varies from day to day), it is often shorter than six hours and rarely longer than seven, less than an average person sleeps each night. The shortest observed rest period is only about four hours.

A full plot of all suspected Willy events against the time of day can be seen below:


Speculating, this kind of sleep pattern could mean that this person sleeps somewhat irregularly (e.g. does the occasional all-nighter etc.), or alternatively that there are two or more users, covering more of the day by working together.

We note that nearly all activity happens on weekdays (as opposed to weekends), which leads us to suspect that it's more specifically related to workdays. We speculate that days with low activity may have been times when this person was off or occupied with something else.

We also note that activity is spread out through most of the day, including any possible work hours, from which we surmise that this person was able to control Willy from his work environment as well as from home. There is also a possibility the person did not have a job at the time, though the workday pattern would seem to indicate a regular work schedule.

After the leaked data

Since the leaked trade logs end on November 30, 2013, we cannot directly trace any continued activity past this date without access to more data. However, based on what we learned so far of Willy's behavior, we attempted to find traces of Willy in the public MtGox trade ticker. This was a web service offered by MtGox that provided a live feed of trades happening, however the reported data was limited to just the time of the trade, the exchange rate and the amount of bitcoins bought/sold; no account information is present.

Since we knew Willy operated exclusively with market orders, we performed the same type of analysis as earlier, attempting to reconstruct trade orders from individual trades by combining trades that happened close together. (We used a threshold of two seconds to separate different trade orders.) Further, for the resulting recombined orders, we tried to detect if the driving market order was a buy order or a sell order by observing if the exchange rate climbed or fell as the individual trades were being executed.
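Both the earlier reconstruction from the leaked logs (grouping one account's fills that occur within a few seconds of each other) and the public-ticker version described here (a two-second threshold with no account information, plus buy/sell classification from the direction of the price across the fills) rest on the same grouping step. The following is an added example implementing both, not WizSec's own tooling; the ticker and log records are constructed to resemble the shape of the data described, not real MtGox data, and the 2-second threshold is the one the report states.

```python
"""Reconstruct market orders from individual trade fills and infer their
direction. Added example, not the report's code; records are constructed."""
from dataclasses import dataclass
from collections import defaultdict

# Constructed public-ticker style records: (unix_time, price_usd, amount_btc).
# A market buy walks up the ask side, so price climbs across its fills;
# a market sell walks down the bid side, so price falls.
TICKER = [
    (1385856000.0, 1120.00, 3.5),
    (1385856000.8, 1120.50, 6.0),
    (1385856001.5, 1121.20, 5.5),   # fills 1-3: one buy market order
    (1385856120.0, 1121.00, 2.0),   # single fill: direction unknown
    (1385856400.0, 1119.00, 4.0),
    (1385856401.0, 1118.20, 8.0),
    (1385856401.9, 1117.50, 3.0),   # fills 5-7: one sell market order
]

# Constructed leaked-log style records with an account column appended.
LEAKED = [
    (1380300000.0, 125.10, 7.0, "acct_A"),
    (1380300000.9, 125.30, 9.0, "acct_A"),
    (1380300001.2, 125.00, 1.0, "acct_B"),   # another user's trade in between
    (1380300400.0, 126.00, 12.0, "acct_A"),
    (1380300401.0, 126.40, 4.0, "acct_A"),
]


@dataclass
class Order:
    start: float      # timestamp of the first fill
    total_btc: float  # sum of the fills
    fills: int        # number of individual trades combined
    side: str         # "buy", "sell" or "unknown"


def _finish(group):
    first_price, last_price = group[0][1], group[-1][1]
    if len(group) < 2 or first_price == last_price:
        side = "unknown"
    else:
        side = "buy" if last_price > first_price else "sell"
    total = round(sum(t[2] for t in group), 8)
    return Order(group[0][0], total, len(group), side)


def reconstruct_orders(trades, threshold=2.0):
    """Combine fills whose gap to the previous fill is at most `threshold`
    seconds into one order. Works on ticker or leaked-log tuples, since only
    the first three fields (time, price, amount) are read."""
    orders, group = [], []
    for t in sorted(trades, key=lambda t: t[0]):
        if group and t[0] - group[-1][0] > threshold:
            orders.append(_finish(group))
            group = []
        group.append(t)
    if group:
        orders.append(_finish(group))
    return orders


def reconstruct_by_account(trades, threshold=2.0):
    """Leaked-log variant: partition by account first, so fills from other
    users that land in the same seconds are not merged into Willy's order."""
    by_account = defaultdict(list)
    for t in trades:
        by_account[t[3]].append(t)
    return {acct: reconstruct_orders(fills, threshold)
            for acct, fills in by_account.items()}


if __name__ == "__main__":
    for o in reconstruct_orders(TICKER):
        print(f"{o.start:.1f} {o.side:8s} {o.total_btc:8.3f} BTC in {o.fills} fills")
    for acct, orders in reconstruct_by_account(LEAKED).items():
        print(acct, [(o.total_btc, o.side) for o in orders])
```

The direction heuristic is exactly as imprecise as the report says: a single-fill order gives no signal, and two market orders landing within the threshold of each other are merged. Those errors are what the report accepts in exchange for being able to work on the account-less public ticker at all.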

While this method is very imprecise and we expected a lot of errors, when carefully plotted in a graph of these bitcoin trade orders over time there is still a quite visible pattern caused by Willy:


The vertical bars of bitcoin purchases for amounts in specified ranges show up clearly, and match the pattern in the earlier graph of Willy account activity, and as expected they show up as buy market orders (blue) by driving the market price upwards. The graph tells us with fairly high certainty that Willy kept operating throughout December and January, though with longer gaps between accounts – there are notable absences of activity around Christmas and in the middle of January.

More importantly, around January 28 the pattern suddenly reverses and now appears to be driving the market price downwards by issuing sell market orders (orange) rather than buying. This confirms eye-witness accounts in the Willy Report of Willy operating in reverse in February, and casts a strong suspicion that Willy had a hand in the large price crash on MtGox in February.

Questions to investigate further

  • Willy spent a large amount of USD buying bitcoins. If this money was legitimate, how did such large amounts of currency flow into a few accounts without raising suspicion? If instead the account balances were faked, how was this done?
  • What happened to the bitcoins Willy bought? No Willy accounts appear in the leaked account balances, meaning the accounts were either completely emptied, wiped from the logs, wiped from the database itself, or somehow the entire accounts themselves were faked.
  • When Willy switched to selling bitcoin, did it sell the coins previously bought from other accounts, or did it again use fake balances, "selling" non-existent coins?
  • Similarly, what happened to the USD that "reverse Willy" accumulated in February? Was it withdrawn?
  • What was the purpose of Willy? Was it to buy and sell bitcoin (possibly fraudulently), or was it an attempt to manipulate the market price?
  • Where was Willy operating? If it was able to trade even when MtGox was unavailable to the rest of the world, was it running in or connected to MtGox's internal network?
  • What role did Willy play in the events that led to the collapse of MtGox? Could it have been solely responsible for the currently known shortage in currency and bitcoin?




Again, please keep in mind that this report is by now over six months old, and represents an earlier state of our investigation. Since putting together this report, we have continued to dig deeper into both Willy and other aspects of the case, though as mentioned earlier we have to be careful with what we reveal.

We hope that rather than be disappointed we're not releasing more at this time, people will be more motivated than before to help get to the bottom of what actually happened at MtGox. If you possess information relevant to the case, please do not hesitate to contact us and/or any of the official investigators. We have been gathering pieces to the puzzle for a long time, and every piece helps.