A group of WizSec enthusiasts (Bitcoin security specialists) has spent several years conducting its own independent investigation into the biggest and most notorious theft of bitcoins: the collapse of MtGox.
— WizSec (@wizsecurity) July 26, 2017
WizSec has published the first part of the results of its investigation, making them public in light of the arrest of Alexander Vinnik.
Here is what WizSec found.
- In September 2011, the MtGox hot wallet private keys were stolen, in a case of a simple copied wallet.dat file. This gave the hacker access to a sizable number of bitcoins immediately, but the hacker was also able to spend the incoming trickle of bitcoins deposited to any of the addresses contained.
- Over time, the hacker regularly emptied out whatever coins they could spend using the compromised keys, and sent them to wallet(s) controlled by Vinnik. This went on for long periods, but also had breaks — a prominent second phase of thefts happened later in 2012 and 2013.
- By mid 2013 when the funds spendable from the compromised keys had slowed to a near halt, the thief had taken out about 630,000 BTC from MtGox.
- In addition, the shared keypool of the wallet.dat file led to address reuse, which confused MtGox's systems into mistakenly interpreting some of the thief's spending as deposits, crediting multiple user accounts with large sums of BTC and causing MtGox's numbers to go further out of balance by about 40,000 BTC. The majority of these funds were hurriedly withdrawn by their recipients rather than being reported.
- After the coins entered Vinnik's wallets, most were moved to BTC-e and presumably sold off or laundered (BTC-e money codes were a popular choice). In total some 300,000 BTC ended up on BTC-e, while other coins were deposited to other exchanges, including MtGox itself.
- Some of the funds moved to BTC-e seem to have moved straight to internal storage rather than customer deposit addresses, hinting at a relationship between Vinnik and BTC-e.
- The stolen MtGox coins were not the only stolen coins handled by Vinnik; coins stolen from Bitcoinica, Bitfloor and several other thefts from back in 2011 and 2012 were all laundered through the same wallets.
- Moving coins back onto MtGox was what let us identify Vinnik, as the MtGox accounts he used could be linked to his online identity "WME". As WME, Vinnik had previously made a public outcry that coins had been confiscated from him (the coins in question coming from Bitcoinica).
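The address-reuse finding above, modelled as an added example (not WizSec's or MtGox's code): two copies of one wallet file share a keypool, so the copy's change lands on an address the exchange has already assigned to a customer. The deposit scanner, the `checked_credit` safeguard, and all addresses and amounts are constructed assumptions.

```python
# Added illustration: simplified model, constructed addresses and amounts.
from collections import deque

class WalletCopy:
    """One copy of a wallet file; every copy holds the same keys and keypool order."""
    def __init__(self, keypool, funded):
        self.keys = set(keypool) | set(funded)   # addresses this file can spend from
        self.pool = deque(keypool)               # each copy walks the pool on its own

    def next_address(self):
        return self.pool.popleft()

def naive_credit(tx, deposit_addrs):
    """Credit any output that pays an assigned deposit address."""
    credits = {}
    for addr, amount in tx["outputs"]:
        if addr in deposit_addrs:
            user = deposit_addrs[addr]
            credits[user] = credits.get(user, 0) + amount
    return credits

def checked_credit(tx, deposit_addrs, wallet_keys):
    """Never book coins spent from the exchange's own keys as a customer deposit."""
    if any(src in wallet_keys for src in tx["inputs"]):
        return {}          # self-funded: change or an unauthorised spend, review it
    return naive_credit(tx, deposit_addrs)

def simulate():
    keypool = ["pool_0", "pool_1", "pool_2"]
    exchange = WalletCopy(keypool, funded=["hot_0"])
    stolen = WalletCopy(keypool, funded=["hot_0"])     # the copied file

    deposit_addrs = {exchange.next_address(): "alice"}  # pool_0 handed to a user
    # The copy spends hot_0 and takes its change address from the same pool: pool_0.
    theft = {"inputs": ["hot_0"],
             "outputs": [("external_x", 100), (stolen.next_address(), 900)]}
    genuine = {"inputs": ["customer_addr"], "outputs": [("pool_0", 5)]}

    return {
        "naive_theft": naive_credit(theft, deposit_addrs),
        "checked_theft": checked_credit(theft, deposit_addrs, exchange.keys),
        "checked_genuine": checked_credit(genuine, deposit_addrs, exchange.keys),
    }

if __name__ == "__main__":
    for name, credits in simulate().items():
        print(name, credits)
```

In this model the naive scanner books the 900 BTC change output as a deposit although no new funds arrived, while the input check rejects it and still credits the genuine deposit.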
The WizSec team did a great job creating a visual diagram of the transactions involving the stolen Mt. Gox bitcoins.
Coin flow scheme by WizSec
According to the report, some coins were deposited back to MtGox, and the team could identify which accounts were used to receive them; two in particular were of interest and could be linked to the online identity "WME". (Clusters that directly used these MtGox accounts are highlighted in red.) The WizSec team states that WME has been active for a long time, often advertising "cheap coins" on the BitcoinTalk forums and willing to trade exchange money codes.
WME was involved with an incident with stolen Bitcoinica funds, which provided yet another strong indicator that we had identified the right man, seemingly the main money launderer behind the MtGox heist. This incident also ended up revealing the name "Alexander Vinnik", though we didn't at the time think it was his real name, having seen many aliases. Arrest suggests it was real after all.
The team also states that this investigation turned up evidence identifying Vinnik not as a hacker/thief but as a money launderer. He may have merely bought cheap coins from thieves and offered a laundering service.
It is worth recalling that the trial of the founder of Mt Gox started on the 10th of July in Tokyo. The 32-year-old Frenchman Mark Karpelès insists he is innocent.