A report has been published online which analyses trading data leaked from Mt Gox. The report shows how two bots were not only using pump and dump behavior, but more worryingly were able to trade for zero cost.
The report, which appears online here, has been made by an anonymous trader, who set up the afore mentioned WordPress.com account specifically for this report, and it is the only post on the blog.
Meet the bots
In December 2013, traders (including the author) started noticed an odd pattern of trading:
“a random number between 10 and 20 bitcoin would be bought every 5-10 minutes, nonstop, for at least a month on end until the end of January.”
This bot became known as “Willy” to Mt. Gox traders. The author explained how that the pattern of trades made by Willy were so recognizable the they decided to search for it from the leaked Mt. Gox logs, and sure enough the pattern went all the way back to the beginnings of the log.
The logs revealed that the bot was using several “UIDs” (user ID numbers), and that all of the user accounts in question had a country code of “??”, which was unique. It was clearly a “smoking gun” that the observed behavior came from a single source, rather than being individuals just performing the same pattern of trades. Furthermore, all trades fell within a tight range of BTC values.
In summary, the trading pattern went as:
- An account was created
- A trade from USD to bitcoin was made in specific amounts
- A new account was created soon after.
- The UIDs numbers were much higher than normal users.
In addition to Willy, the leaked logs show that there was another trading bot (as inferred by trading patterns) with an unusually high set of user ID numbers. The author calls this bot “Markus”. It had been active for 8 months, but stopped trading just 7 hours before Willy started its activities. This, the author says, is reason to suspect they were being operated by the same party. The user accounts associated with Markus all had a country code corresponding to Tokyo (Japan), which is also where Mt. Gox itself is
The author discovered that all of Markus's trades followed trades by regular users, and that each of its trades had exactly the same dollar amount as the preceding trade, but were for huge values of bitcoin. The author speculates that Markus was buying large amounts of Bitcoin without spending anything, and just filling in the value of the previous trade. Regardless, Markus was certainly not paying the market rate for the volumes of bitcoin it bought.
Eventually, Markus sold 31,000 BTC (which was bought for nothing or at most a trivial amount of USD), for approximately $4 million. It then repurchased another 15,000 BTC in manner.
Counting the costs
The leaked logs show that $112 million was spent by Willy to buy approximately 270,000 bitcoin, the majority of which was bought in November 2013. This, the author claims, is predominant reason that the price of bitcoin increased so much in 2013; much more so than Chinese investments, the Silkroad takedown, and NYC trade hearings. In support of this, these bot trades coincide with increases in the bitcoin value on Mt Gox. Additionally, Markus gained around 300,000 BTC and $4 million (US) over its entire trading history. This gives a total of approximately 570,000 BTC .
Who dunnit?
All of the wrong doings reported here could have easily been done by either a hacker, or by somone(s) inside Mt. Gox. Certainly, all of the evidence all circumstantial. However, the Willy Report explains one more thing that points the finger towards Mt. Gox itself:
The next piece of evidence is perhaps more convincing. For some months in 2013, there were two versions of trading logs in the leaked database: a full log, and an anonymized log with user hashes and country/state codes removed. For April 2013, there was a .zip file which contained one such anonymized log – this is speculation, but one use of this may have been to send off to auditors/investors to show some internals. Upon closer inspection, it turns out the full and anonymized versions of all the logs differ in two, and ONLY two ways: 1. User hashes and country/state codes are removed. 2. Markus’ out-of-place user ID (698630) is changed to a small number (634), and its strange fixed “Money” values are corrected to the expected values. Interesting detail: from the 2011 leaked account list, the user with ID 634 has username “MagicalTux”.
A twist in the plot
To further confound us all, the WordPress account that hosted the Willy Report has been “archived or suspended” due to violations of Wordprss's terms of service.
Update: the report has been reinstated on WordPress.com