Mt Gox's missing bitcoins were stolen from the exchange over a period of time beginning in 2011, according to a new report released today by a group investigating its collapse.
They were gone long before the company's collapse in February 2014, the report said. Gox had therefore been operating on a fractional reserve basis for most of that time, either knowingly or unknowingly.
The stolen bitcoins had been withdrawn and sold off on various exchanges including Mt Gox itself, and given the timing probably at prices far below the 2013-14 highs.
Bankruptcy trustee Nobuaki Kobayashi and his police team have still not made all transaction data available, including a list of all the bitcoin addresses Mt Gox used.
WizSec's report says its team has assembled a list of over 2m bitcoin addresses related to Mt Gox by comparing leaked data with blockchain records and performing clustering analysis on addresses used at similar times.
The resulting chart shows a dramatic difference between the number of bitcoins Mt Gox should have held, and what it actually held.
The company held little or no more than 100,000 BTC from May 2013 onward. Interestingly, neither the ideal nor actual totals includes the 200,000 BTC 'found' in cold storage after the collapse.
One key question (until now) has been whether Mt Gox's bitcoins were stolen or whether they ever existed at all, and records of their deposit faked.
Report author Kim Nilsson notes that the coins did in fact leave Mt Gox, meaning they definitely were deposited there at some point.
Speaking to CoinDesk, he said the WizSec team was "happy to finally have this breakthrough out in the public", but noted that there is still a lot of investigative work to be done by those with access to more complete data.
How many bitcoins did Gox have?
After a prior security breach in mid-2011, CEO Mark Karpeles performed a transaction proving the company controlled at least 424,242.42424242 BTC.
Using that figure as a baseline, Nilsson measured changes in total BTC held since that day, arriving at 950,000 BTC on the day of Gox's collapse in February 2014.
This matched total holdings stated elsewhere in leaked data, he wrote.
One surprising revelation from the latest report is that the bitcoins likely disappeared long before the appearance of Mt Gox's infamous trading bot, nicknamed "Willy".
Speculation surrounding Gox's dying days in 2013-14 had implied Willy was related somehow to the theft, though WizSec's report says that is no longer considered possible.
The bot may, however, have existed to convert the missing bitcoins into missing fiat currency amounts instead.
Cold storage not monitored
That nearly all Mt Gox's bitcoins disappeared raises several questions about the nature of its cold storage system. How 'cold' was it?
The company was known to keep paper wallets stored under lock and key, which it added to and subtracted from as required. The cold storage system was also reportedly not monitored with any degree of scrutiny, meaning the thief was free to either compromise them or wait for the funds to be moved to a 'hot' wallet.
"A reminder to all bitcoin businesses out there: Always. Monitor. Your. Bitcoins," Nilsson wrote.
To be continued
This latest report will again confirm suspicions many had about the way Mt Gox was run.
A newspaper report at the beginning of the year claimed the theft was an 'inside job' by someone with access to the company's system. Today's revelation that Gox was indeed running a fractional reserve will also surprise few – other than the sheer length of time over which it happened.
Trustee Kobayashi announced in November that exchange Kraken would assist with the investigation, as well as manage the claims process and distributing Mt Gox's remaining assets to creditors at some point in future.
Nilsson wrote that his contribution to the research has been voluntary, and hopes the work will now prove valuable to the authorities in their continuing investigation.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.