[While] MtGox claimed to have lost 850,000 bitcoins due to malleability attacks, we merely observed a total of 302,000 bitcoins ever being involved in malleability attacks. Of these, only 1,811 bitcoins were in attacks before MtGox stopped users from withdrawing bitcoins. Even more, 78.64% of these attacks were ineffective.
The researchers then cast serious doubt on the narrative that Mt.Gox’s missing coins are strongly related to transaction malleability attacks.
As such, barely 386 bitcoins could have been stolen using malleability attacks from MtGox or from other businesses. Even if all of these attacks were targeted against MtGox, MtGox needs to explain the whereabouts of 849,600 bitcoins.
Mt.Gox announced last week that it had “found” roughly 200,000 missing coins in an “old format” wallet, and many have since speculated that flaws in the exchange’s cold storage system were to blame for the company’s woes. CEO Mark Karpeles has made several vaguely worded statements about the funds being “temporarily unavailable” rather than stolen, although many have interpreted this as wishful thinking rather than fact.
On Sunday, rumors began to surface on Twitter that Mt.Gox had located an additional 670,000 BTC in their system, and would soon be releasing funds to customers. While the initial tweet was dismissed by many as a little more than trolling, the new report seems to support the theory that coins were never actually stolen from Mt.Gox on a catastrophic scale.