A Tokyo-based bitcoin security consultancy revealed today it has been actively investigating the disappearance of 850,000 BTC from Mt Gox “for the past few months”.

Given full access to official records, it says, it could potentially reveal much more of what actually happened at the ill-fated exchange.

The company, Wiz Technologies, has been “unofficially and independently” analyzing data using a partially complete database of all Mt Gox’s historical trading data that it reconstructed from various public and other available sources.

Wiz’s founder and ‘chief hacking officer’ J. Maurice told CoinDesk that his team wished to present its preliminary findings to Mt Gox bankruptcy trustee Nobuaki Kobayashi, in the hope of being assigned an official role in the investigation.

He said:

“We’re the only exclusively-bitcoin security consultancy working in Tokyo, so we’re the only ones really qualified to investigate this sort of case. We’re in the right place, with the right people and the right skills.”

More information needed for full analysis

Although Wiz has spent months analyzing the “ticker tape of Mt Gox trades” in its unofficial database, it still needs access to the complete, official database that is currently only accessible to Kobayashi’s team and the Tokyo Metropolitan police.

That database would include personally identifiable customer information and bitcoin addresses, allowing Wiz to reconcile their existing knowledge with the actual bitcoin block chain, and likely reveal more information about the missing 850,000 BTC that led to Mt Gox’s abrupt shutdown in February.

Wiz’s unofficial trading database was built from sources including trading data leaked after the shutdown, real name and account ID information leaked from an earlier Gox hack in 2011, lesser-known third-party sites that logged trading data, plus other, assorted pieces of data the team gleaned from sources via Internet Relay Chat (IRC).

Maurice added:

“There’s a lot of huge stuff that’s going to come out, and this is just the beginning.”

The bitcoin security consultants

Maurice rose to prominence last May, when he played an essential role in defending Roger Ver against the infamous ‘ransom’ hack attack. The Wiz Technologies team also includes lead engineer Kim Nilsson, who heads the technical investigation in this case, and attorney Daniel Kelman, who takes care of legal matters and has been at the forefront of the Gox case on behalf of its creditors.

Although Tokyo detectives posses the official database and have been conducting their own investigation into the case, their more limited knowledge of and experience with bitcoin’s inner workings could slow their progress, Maurice said.

Wiz has formed several theories about what happened at Mt Gox and how bitcoin’s largest ever heist was executed, but all its findings remain unconfirmed until it can access all records.

Maurice stressed that Wiz would not charge a fee to Mt Gox creditors and would find external sponsors to finance any official investigation.

The return of Willy and Markus, the Gox trading bots

The most thorough records of Mt Gox’s trading history were obtained when Japanese hacker ‘nanashi’ (Japanese for ‘anonymous’) posted trading data up to November 2013 on the homepage of CEO Mark Karpeles.

From this data, another anonymous researcher wrote the now-famous Willy Report. This report identifies the bizarre trading activity of two specific Mt Gox accounts, dubbed ‘Markus’ and ‘Willy’.

Beginning Valentines Day 2013, Markus traded erratically at seemingly bizarre prices until September, when the account shut down. Seven hours later, the ‘Willy’ account was created.

Willy exhibited less attention-grabbing behavior, but was systematic and appeared to be a bot, or trading algorithm, always trading at market prices in random amounts within set limits. It would trade at regular intervals of a few minutes before going dormant.

The truth is already out there

Maurice said the information about the Mt Gox theft that this report reveals has been out in public for some time, but its complex and technical nature mean few have actually read the Willy Report completely or understood its true implications.

Both unusual accounts, he said, were likely created by someone associated with the disappearance of the 850,000 BTC. The hacker had access to Gox’s inner workings and was able to compromise its database by creating new accounts and setting fake balances “with money that didn’t exist”.

Between them, the Markus and Willy accounts are shown to have ‘bought’ hundreds of thousands in bitcoin before November 2013, when the leaked data ends.

Wiz would have to see the full records to determine what happened to those bitcoins once Markus and Willy were finished. Whether it was later withdrawn, and where it might have gone, is yet to be ascertained. The first step of any official investigation would be to uncover those basic facts.

“We can see every trade that happened within the Mt Gox system, but once it left we can’t see where it went,” Maurice concluded.

Image via cosma / Shutterstock