[lvs]

That sounds a bit speculative. If someone has a link that shows one of these "non-canonical transactions," that might lend some credence to the idea. Furthermore, if Gox was always issuing weird transaction formats, then looking for addresses that show a statistic prevalence of these would be trivial. Showing that the attack took place would simply require showing addresses that occasionally issued a proper tx, but statistically favored outgoing transactions of the type you describe. That is, there will be evidence in the blockchain if the type of transaction you describe is very specific to gox.

[gojomo]

Their history of oddly-composed transactions could help identify more of their likely addresses, if noone else did the same thing, but that would still be of limited use in funds-tracing depending on whether such addresses were ever reused.

That they've long been issuing valid but unusual signatures was mentioned among other places at: http://www.reddit.com/r/Bitcoin/comments/1x93tf/some_irc_cha...

I'm not sure if this was just a tiny sliver of their transactions, or a large proportion... but it complicates easy analysis of what the malleability losses could be.