Report: Mt Gox Data Provides More Clues to Trading Bot ‘Willy’

WizSec
19 February 2015

Tokyo-based security firm WizSec has released a preliminary analysis of suspicious trading data leaked from now defunct bitcoin exchange Mt Gox.

The exchange suspended its operations in February last year and was subsequently declared bankrupt in March, having lost around 850,000 BTC (more than $450m at the time).

Since last November, bitcoin exchange Kraken has worked alongside authorities to support the investigation on behalf of creditors. Meanwhile, WizSec has been working to track Mt Gox’s bitcoin transactions in an unofficial capacity.

WizSec’s release follows the Willy Report, published by an anonymous researcher last May, which alleges suspicious trading activity at Mt Gox. It concluded that trading bots ran rampant through the system under various user IDs, including one dubbed “Willy” that placed repetitive buy-only orders that always manipulated the price upward.

Another bot, dubbed “Markus”, appears to have bought and sold at random prices, paying no trading fees. Both bots were most active immediately before and during November 2013, when bitcoin’s price suddenly rocketed.

By November 2013, the two bots had bought a total of 570,000 BTC – enough to have impacted the price.

Data analysis

WizSec’s report, released Saturday, uses the data leaked from Mt Gox in early 2013 to provide greater insight into how Willy and its operator(s) worked.

The firm says its analysis was originally completed six months ago as a means to introduce the exchange’s trustee and other investigators, including the police, to its work. The information it has divulged is “safe” and will not impact the ongoing Mt Gox investigation or its various non-disclosure agreements, WizSec says, but may provide some long-awaited clarity for creditors.

From September to November 2013 Willy had a significant impact at Mt Gox, trading over 250,000 BTC, according to the report.

As the graph below indicates, the bot frequently accounted for more than 30% of hourly trades on the platform. On a few occasions Willy reached 80-90%.

[Graph: Willy market presence]

But did this trading volume impact bitcoin’s price during this time? WizSec says it is highly probable that the bot’s behaviour had a “large effect”, adding:

“[It opens] up the possibility that this may have been a plan to manipulate the market rather than – or in addition to – fraudulently acquiring bitcoins.”

The firm cites incidents where the market has “corrected” itself to a lower price level following Willy’s absence.

The leaked data ends on 30th November. The influence of Willy and fraudulent trading past this point remains up for speculation.

Strict parameters

By reconstructing the bot’s trade orders, the firm observed that Willy operated over several different accounts. Each of these worked within strict parameters with regard to how much bitcoin could be bought with each order.

As the price of bitcoin continued to rise, Willy was reconfigured to buy smaller amounts, in order not “to drain each account’s deposit of USD funds too quickly”.

However, WizSec also noticed the presence of “certain anomalous, high volume orders” that fall outside the parameter for automatic trading, seen circled below.

[Graph: Willy bot trading. Source: WizSec]

These high orders, it says, were characterised by even amounts, which would later change to more “random-looking values”.

For this reason, the firm believes that these trading orders were issued manually. At a later point, Willy’s controller may also have deliberately used random-looking values to divert attention from these big orders.
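One way to run this kind of check over reconstructed orders, as an added example that is not WizSec's code: the account names, the amounts, the cap of five times each account's median order and the 50 BTC definition of an “even” amount are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (not Mt Gox data): (account id, BTC bought per order).
ORDERS = [
    ("acct_a", 12.4), ("acct_a", 17.9), ("acct_a", 10.2),
    ("acct_a", 19.6), ("acct_a", 500.0), ("acct_a", 14.3),
    ("acct_b", 4.1), ("acct_b", 6.3), ("acct_b", 5.2), ("acct_b", 1000.0),
    ("acct_b", 3.8), ("acct_b", 743.18), ("acct_b", 5.9),
]

def account_caps(orders, factor=5.0):
    """Estimate each account's automatic per-order ceiling.

    Assumption: the bulk of an account's orders are automatic, so a multiple
    of the median is a robust stand-in for its configured parameter. The
    median is used because a few very large orders barely move it.
    """
    by_account = defaultdict(list)
    for account, btc in orders:
        by_account[account].append(btc)
    return {acct: factor * median(vals) for acct, vals in by_account.items()}

def flag_anomalies(orders, factor=5.0, round_step=50.0):
    """Return (account, amount, label) for orders above the account's cap.

    Label is "even" when the amount is an exact multiple of round_step BTC
    (hypothetical definition), otherwise "random-looking".
    """
    caps = account_caps(orders, factor)
    flagged = []
    for account, btc in orders:
        if btc <= caps[account]:
            continue  # inside the automatic range for this account
        label = "even" if btc % round_step == 0 else "random-looking"
        flagged.append((account, btc, label))
    return flagged

if __name__ == "__main__":
    for account, btc, label in flag_anomalies(ORDERS):
        print(f"{account}: {btc} BTC above automatic range ({label})")
```

Computing the cap per account matters here because the accounts were not all configured alike: a single global threshold would hide large orders on accounts set to buy small amounts.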

Profiling Willy

Using timestamps, the team found that an absence of activity between 17:00 and 20:00 UTC could point to the operator’s sleep cycle and location. The firm used Japan Standard Time (JST) as a frame of reference and plotted all suspected Willy events against the time of day in the following graph:

[Graph: Willy activity timing. Source: WizSec]

This pattern could indicate that the suspected user is an irregular sleeper, or that there are actually two or more users.

The data also shows greater activity on weekdays, leading the firm to believe that the activity is tied to work days, and thus to an employed person, WizSec says.

The long spread of hours also hints that Willy’s operator may have had access at both home and work. The bot was known to operate during periods when other users had no access to Mt Gox’s system, indicating internal influence.
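The time-of-day profiling described in this section, as an added example that is not WizSec's code. The event timestamps are constructed to contain a 17:00 to 20:00 UTC gap and thinner weekend activity; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))  # reference frame used in the report

def make_sample():
    """Constructed events (not Mt Gox data): one week from Monday 4 Nov 2013,
    silent 17:00-19:59 UTC, with thinner activity on Saturday and Sunday."""
    start = datetime(2013, 11, 4, tzinfo=timezone.utc)
    events = []
    for day in range(7):
        for hour in range(24):
            if 17 <= hour < 20 or (day >= 5 and hour % 4):
                continue
            events.append(start + timedelta(days=day, hours=hour, minutes=7))
    return events

def hour_histogram(events, tz):
    """Count events per local hour of day in the given time zone."""
    counts = [0] * 24
    for e in events:
        counts[e.astimezone(tz).hour] += 1
    return counts

def longest_quiet_window(counts, threshold=0):
    """Longest run of hours with count <= threshold, wrapping past midnight.
    Returns (start_hour, length_in_hours)."""
    best = (0, 0)
    for start in range(24):
        length = 0
        while length < 24 and counts[(start + length) % 24] <= threshold:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best

def weekday_weekend_counts(events, tz):
    """Events falling on Mon-Fri versus Sat-Sun by local calendar date."""
    weekend = sum(1 for e in events if e.astimezone(tz).weekday() >= 5)
    return len(events) - weekend, weekend

if __name__ == "__main__":
    ev = make_sample()
    for name, tz in (("UTC", timezone.utc), ("JST", JST)):
        start, length = longest_quiet_window(hour_histogram(ev, tz))
        print(name, f"quiet from {start:02d}:00 for {length}h,",
              "weekday/weekend =", weekday_weekend_counts(ev, tz))
```

The same events give a different weekday/weekend split in UTC and in JST, because late-evening UTC activity falls on the next calendar day in Japan; the reference time zone has to be fixed before drawing conclusions about work days.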

Long road ahead

WizSec says that there are still a few issues that require further investigation. The security consulting firm has yet to find out how such large amounts of currency could have been deposited at the exchange without raising alarm bells.

More information is also needed with regard to what happened to the bitcoins bought by Willy, as well as the USD that “reverse Willy” had accumulated in February.

Willy’s purpose is also unclear. More clarity is needed to decipher whether it was simply a buying tool or whether it attempted to manipulate the market price.

There are also questions around Willy’s location and whether it was running in Mt Gox’s internal network or in connection with it.

Finally, WizSec says it is still investigating the role that Willy played in the events leading to the collapse of Mt Gox and urges anyone with information relating to the case to come forward.

“We have been gathering pieces to the puzzle for a long time, and every piece helps,” it said.

Images via WizSec
