[gliptic]

This would require you to discard all the blocks since the transactions started happening and re-mine them with those transactions excluded. This would be completely impossible unless you dedicated most of the mining equipment to this for months and asked those miners to part with their earned mining rewards until this rewritten chain caught up with the official one. Hardly likely.

[xdarnold]

I don't think this is what I'm suggesting at all. If a popular majority of miners agreed to accept transactions double spending the original coins, this would be tantamount to generating 750k new Bitcoin, not initially invalidating any blocks or other transactions.

With forensics on the initial theft, miners could then tree-traverse back up to blacklist future transactions on stolen coins. There are probably lots of ways to accomplish basically this. This would render all stolen btc dead in the water, hence the "force Gox to repay legitimate requests for reimbursement of those who transacted for stolen coins."

That second part, though, isn't crucial to the idea. The community could just double spend the coins to mitigate harm done without attempting to stop the stolen coins downstream.

[gliptic]

You can't double-spend the outputs unless you get rid of the blocks they were originally spent in, i.e. rewinding and re-mining all of them.

[xdarnold]

Why is this?

My understanding of the way the network operates is that a group with 51% of hashing power can essentially arbitrarily manipulate the blockchain going forward. Nothing could stop them from confirming otherwise invalid transactions (re-spending the original outputs) and mining those new transactions. After which, clients, only looking backwards to the first block a transaction resides in, wouldn't notice that the funds were originally double-spent.

[gliptic]

Only if they completely change how the protocol and the blockchain works so that you can somehow invalidate previously confirmed transactions. Then they need to make everyone upgrade all clients or suffer a hard fork. In the end, this would have to invalidate all the transactions that are dependent on the "evil" ones, reversing a boatload of transactions pretty much arbitrarily throughout the blockchain.

This means that if the purported thieves have transferred their coins to e.g. an exchange, potentially any of the transactions the exchange has made since then could be reversed, cascading from there.

[xdarnold]

I don't think I'm understanding your point. Why would they need to invalidate previously confirmed transaction?

[gliptic]

How else do you plan to get rid of the transactions?