Report: Mt Gox Data Provides More Clues to Trading Bot 'Willy'

Tokyo-based security specialist WizSec has released a preliminary analysis of the data that was leaked following Mt.Gox's crash.

AccessTimeIconFeb 19, 2015 at 6:45 p.m. UTC
Updated Sep 14, 2021 at 2:02 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Tokyo-based security firm WizSec has released a preliminary analysis of suspicious trading data leaked from now defunct bitcoin exchange Mt Gox.

The exchange suspended its operations in February last year and was subsequently declared bankrupt in March, having lost around 850,000 BTC (more than $450m at the time).

Since last November, bitcoin exchange Kraken has worked alongside authorities to support the investigation on behalf of creditors. Meanwhile, WizSec has been working to track Mt Gox's bitcoin transactions in an unofficial capacity.

WizSec's release follows the Willy Report, the report that an anonymous researcher published last May, which alleges suspicious trading activity at Mt Gox. It concluded that trading bots ran rampant through the system under various user IDs, including one dubbed "Willy" that placed repetitive buy-only orders that always manipulated the price upward.

Another bot, dubbed "Markus", appears to have bought and sold at random prices, paying no trading fees. Both bots were most active immediately before and during November 2013, when bitcoin's price suddenly rocketed.

By November 2013, the two bots had bought a total of 570,000 BTC – enough to have impacted the price.

Data analysis

WizSec's report, released Saturday, uses the data leaked from Mt Gox in early 2013 to provide greater insight into how Willy and its operator(s) worked.

The firm says its analysis was originally completed six months ago as a means to introduce the exchange's trustee and other investigators, including the police, to its work. The information it has divulged is "safe" and will not impact the ongoing Mt Gox investigation or its various non-disclosure agreements, WizSec says, but may provide some long-awaited clarity for creditors.

From September to November 2013 Willy had a significant impact at Mt Gox, trading over 250,000 BTC, according to the report.

As the graph below indicates, the bot frequently accounted for more than 30% of hourly trades on the platform. On a few instances Willy reached 80-90%.

willy_market_presence
willy_market_presence

But did this trading volume impact bitcoin's price during this time? WizSec says it is highly probable that the bot's behaviour had a "large effect", adding:

"[It opens] up the possibility that this may have been a plan to manipulate the market rather than – or in addition to – fraudulently acquiring bitcoins."

The firm cites incidents where the market has "corrected" itself to a lower price level following Willy's absence.

The leaked data ends on 30th November. The influence of Willy and fraudulent trading past this point remains up for speculation.

Strict parameters

By reconstructing the bot's trade orders, the firm observed that Willy operated over several different accounts. Each of these worked within strict parameters with regards to how much bitcoin could be bought with each order.

As the rising price of bitcoin continued, Willy was reconfigured to buy smaller amounts, in order not "to drain each account's deposit of USD funds too quickly".

However, WizSec also noticed the presence of "certain anomalous, high volume orders" that fall outside the parameter for automatic trading, seen circled below.

 Source: WizSec
Source: WizSec

These high orders, it says, were characterised by even amounts and would change to more "random-looking values".

For this reason, the firm believes that these trading orders were issued manually. At a later point, Willy's controller may also have deliberately used random-looking values to detract attention from these big orders.

Profiling Willy

Using timestamps, the team found that an absence of activity between 17:00 and 20:00 UTC could point to the operator's sleep cycle and location. The firm used Japan Standard Time (JST) as a frame of reference and plotted all suspected Willy events against the time of day in the following graph:

screen-shot-2015-02-19-at-10-27-33

This pattern could indicate that the suspected user is an irregular sleeper, or that there are actually two or more users.

The data also shows greater activity on weekdays, leading the firm to believe that it is more specifically related to work days, and thus an employed person, WizSec says.

The long spread of hours also hints that Willy's operator may have had access at both home and work. The bot was known to operate during periods when other users had no access to Mount Gox's system, indicating internal influence.

Long road ahead

WizSec says that there are still a few issues that require further investigation. The security consulting firm has yet to find out how such large amounts of currency could have been deposited at the exchange without raising alarm bells.

More information is also needed with regards to what happened to the bitcoins bought by Willy, as well as the USD that "reverse Willy" had accumulated in February.

Willy's purpose is also unclear. More clarity is needed to decipher whether it was simply a buying tool or whether it attempted to manipulate the market price.

There are also questions around Willy's location and whether it was running in Mt Gox's internal network or in connection with it.

Finally, WizSec says it is still investigating the role that Willy played in the events leading to the collapse of Mt Gox and urges anyone with information relating to the case to come forward.

"We have been gathering pieces to the puzzle for a long time, and every piece helps," it said.

Images via WizSec

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Read more about