To begin with, the Blockchain.info API is probably not the place to look for detecting anomalous activity on the Bitcoin network. By consuming the API rather than running your own node(s) on the network, you will only receive pre-processed data. It's like having someone chew your food for you. It's best you run your own node.
Furthermore, hacking in general is not something that can be easily detected. What you can do is search for occurrences of a particular exploit, once you know that a vulnerability exists. For example, let's pretend you know about a vulnerability that can cause a double spend attack. You know that in order to exploit this vulnerability, an attacker would need to broadcast 2 transactions simultaneously from opposite sides of the network, each spending the same UTXOs. In order to detect this, you would need to have multiple nodes on the network that could detect the broadcast of each transaction (remember that nodes that already heard of one, won't broadcast the second because of the double spend). Your nodes would have to communicate back to you, where the double spend attempt could be detected.
Keep in mind that the above example is an extremely naive double spend attack, that the Bitcoin network easily handles, but it exemplifies the complexity of your problem. The MtGox exploit you mention used transaction malleability to trick a recipient into thinking they would get paid, when in fact they wouldn't. It works because only one of two broadcast transactions will ever get into the blockchain. Simply looking at the historical data in the blockchain will reveal only that a valid transaction went through...nothing suspicious. You need to monitor an attack in real time to be able to detect it.
One more thing that you may have a problem with is reporting any activity to the "respective authority". I think in your sample, you mean MtGox. In order to do that, you would have to be able to identify who the victim of the malicious activity is. That is not something easily done in Bitcoin, since users are pseudonymous. You would need some way of mapping addresses to this "respective authority" in order to be able to do proper reporting.
To sum up, you need to:
- Identify an exploit you want to track, not just general suspicious activity
- Learn what needs to be detected for that particular exploit
- Monitor the network directly, rather than consuming an API
- Identify the victim so that reporting can be done (would be easiest if you are just monitoring cases where you are the victim)
Best of luck