Interesting work. As someone who’s spent years creating bitcoin privacy software I’ve got a few thoughts on this:

The MtGox point is just not right. That wallet cluster has not much to do with MtGox, instead it’s a big cluster containing many coinjoins (coinjoins completely break the algorithm used by walletexplorer)
For example the following address actually belongs to the JoinMarket project which can be verified by looking at the project github page, yet walletexplorer thinks it belongs to that same MtGox cluster: https://www.walletexplorer.com/wallet/MtGoxAndOthers?from_address=1AZgQZWYRteh6UyF87hwuvyWj73NvWKpL

Blockchain analysis is hard, and it’s easy to trick yourself that you are sure of something when you’re not. As you’ve just seen with the MtGox point. Blockchain analysts need to not be overconfident. Also, Bitfury’s paper on wallet clustering isn’t worth much, thats their business which they make money from so obviously they’re going to say everything is all wonderful and completely ignore things like coinjoin that break their algorithms. There’s a lot of bullshit in the blockchain analysis space unfortunately.

You believe you found the hot wallet (which I find convincing) and then talk about how there have been withdrawals even after Cotten’s death. But obviously there can be withdrawals from a hot wallet; the private keys are probably on a server somewhere accessible by the other employees. The QuadrigaCX’s claim is that they can’t access their cold wallets, not their hot wallets.

One thing about walletexplorer’s algorithm is it only works when addresses get spent *from*, and works best when addresses are reused and when lots of spends are happening, such as in a hot wallet. So if the exchange was mostly ever sending *to* its cold storage wallet, not reusing addresses and only very rarely spending *from* then that would make it difficult to find using walletexplorer. You may never find a “significant pool of bitcoins” because it wouldn’t exist due to the limitations of walletexplorer.com. I’m not suggesting this is definitely what happened, but it’s a possibility. I personally find it hard to believe an exchange didn’t use cold storage, they’re clearly aware of the concept.

As for multisig, an address starting with 3 does not imply multisig it only implies p2sh (for example it may be a single-sig segwit address). But you can easily check whether an address is multisig if it’s been spent from. The input signature will contain the full multisig script if multisig has been used.

IMO this is an exit scam, but your work here hasn’t proved it either way.