Attack of the 50 Foot Blockchain
By late 2010, McCaleb was doing well from Mt. Gox, even though it was a completely amateur operation – he didn’t even talk to a lawyer about the regulatory implications of his business until December 2010, though it was taking and holding people’s actual money, uninsured, unregistered and unregulated. But he was finding it enough work to be annoying, he was tiring of attempted hacker attacks, PayPal kept cutting him off, and he worried about the amounts of money he was personally moving around.
He befriended Mark Karpelès, a French web developer. Karpelès was a massive fan of Japanese animation – his online handle MagicalTux was a reference to the anime Sailor Moon – so had moved to Japan in 2009. (He also left France before a 2010 fraud trial, in which he was sentenced in absentia to a year’s jail.98) McCaleb first offered to sell Mt. Gox to Karpelès in January 2011 and finalised the sale in February, announcing it to the world in March.
The deal used a contract they worked out between them, without either of them using a lawyer. It included terms such as:99
the Seller is uncertain if mtgox.com is compliant or not with any applicable U.S. code or statute, or law of any country.
The buyer agrees to indemnify Seller against any legal action that is taken against Buyer or Seller with regards to mtgox.com or anything acquired under this agreement.
It was only in April, after the handover, that Karpelès realised that 80,000 bitcoins (then worth $62,400) had already been missing when he bought Mt. Gox. McCaleb told him “maybe you don’t really need to worry about it” and suggested he buy up more BTC to cover the shortfall, shuffle his internal accounts around, get an investor or just mine more himself – but didn’t offer any explanation of where the coins might have got to or how.
Karpelès tried to fill the hole himself, but the price of bitcoins kept going up. By June, the missing coins were worth $800,000. Unfortunately, a nondisclosure agreement with McCaleb meant he felt he couldn’t tell anyone about the massive hole in the accounts. (He didn’t even reveal it to Mt. Gox’s own accountant until shortly before the company went bankrupt in February 2014.)
On 18 and 19 June 2011, someone hacked into Mt. Gox. The attacker shuffled hundreds of thousands of bitcoins around – only inside the exchange, not on the public blockchain, though Mt. Gox was the main trading venue to such a degree that this momentarily drove the price of one BTC from $17 down to 1 cent. (The usual surmise is that the hacker wanted to get as many coins as possible out past Mt. Gox’s $1000/day withdrawal limit.) The price oscillated between $1 and $20 for the rest of the day; this severe volatility affected other exchanges.
Around 19:15 UTC on 17 June, someone posted a complete list of 61,016 Mt. Gox usernames, email addresses and password hashes to the Bitcoin forums. Many of the passwords were “unsalted”100 and so could be more easily cracked. The attacker appeared to have come in through McCaleb’s administrative account, which was still active.
Karpelès went into a panic, taking much of the exchange’s Bitcoin store and putting it into offline cold wallets – keys printed on paper and stored in safety deposit boxes around Tokyo – where it couldn’t be hacked. Since the hacker’s trading was internal to Mt. Gox, Karpelès was able to roll back most of the transactions; eventual losses were a few thousand BTC, which the company could cover.
Roger Ver, who was also living in Japan by then, came over to help Mt. Gox (still a one-man operation at this stage) in dealing with the hack, and got to know Karpelès – Ver realised that Mt. Gox was critical at this time to Bitcoin’s continued growth.
In the aftermath of the hack, Karpelès’ paranoia overcame accounting considerations. He kept putting off reconciling the cold wallets with customer accounts, even as his accountant begged him to, as taking them out of cold storage would risk them being hackable. Thus, Mt. Gox was increasingly running on virtual paper money that it wasn’t keeping track of.
Mt. Gox continued in this manner through 2012 and 2013. Karpelès took on staff, but remained chronically unable to manage or delegate to them. Ver sometimes had to visit the Mt. Gox offices to make sure his own important transactions went through. The company was still by far the largest Bitcoin exchange, running on the increasing popularity of the Silk Road, as it struggled to keep up with demand – 75,000 new users joined in the first ten days of April 2013.
On 14 May 2013, the US government seized $2.9 million from Mt. Gox, shutting down the main account it used to pay US customers, on the basis that Mt. Gox was transmitting money while having claimed not to be in the money transmission business. In June, the US seized another $2.1 million; Mt. Gox temporarily suspended US dollar transfers. In July, Roger Ver recorded his video assurance that all Mt. Gox’s problems were with the “traditional banking system.” The exchange partnered with CoinLab to serve its US customers, but this arrangement broke down soon after, Mt. Gox and CoinLab suing each other. By late 2013, customers were complaining of long delays in withdrawing US dollars, just as the Bitcoin bubble was reaching its peak.
On 7 February 2014, Mt. Gox shut down all withdrawals, of bitcoins as well as dollars. According to a leaked “Crisis Strategy Document”, Mt. Gox was insolvent after losing track of 744,408 bitcoins – about $350 million at the time.101 Karpelès had also been topping up the active online hot wallet with coins moved from the paper cold wallets and had not properly kept track.
The bitcoin leak was attributed by Karpelès to what became known as the transaction malleability bug. Bitcoin transaction IDs are not fixed – you can sometimes intercept an unprocessed transaction, modify the transaction ID (though not the amounts or the sender or receiver addresses) and send it on, meaning it’s added to the blockchain with a different transaction ID to the one it was sent with. This can lead to someone thinking a transaction they knew they sent didn’t go through when it did, and sending the amount again.102 Once this came out, other exchanges were also attacked in this manner. This news alone crashed the bitcoin price from $700 to $600.103 (Researchers later ascertained from examining the blockchain that there was no way all of Mt. Gox’s claimed 750,000 BTC loss could have been due to transaction malleability attacks.104)
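As an added illustration of the bug described above (example code written for this edit, not from the book or from any exchange's software): a toy model of why a transaction's ID could change in transit, and the reconciliation check an exchange needs so that a changed ID does not trigger a second payout. The ID is a double SHA-256 over the whole serialised transaction including the signature bytes, as in pre-SegWit Bitcoin; the transaction format, the mutation and the sample data are simplified and constructed.

```python
import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, the hash used for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass
class Tx:
    """Toy transaction: inputs are (prev_txid_hex, index, scriptsig_bytes),
    outputs are (address, satoshis). Real serialisation is more involved."""
    inputs: list
    outputs: list

    def serialize(self) -> bytes:
        out = b""
        for prev, idx, sig in self.inputs:
            out += bytes.fromhex(prev) + idx.to_bytes(4, "little")
            out += len(sig).to_bytes(1, "big") + sig
        for addr, amount in self.outputs:
            out += amount.to_bytes(8, "little") + addr.encode()
        return out

    def txid(self) -> str:
        # The ID covers the signature bytes too, so anyone who can re-encode a
        # still-valid signature produces a different ID for the same payment.
        return sha256d(self.serialize()).hex()

    def outpoints(self) -> set:
        """The coins this transaction spends; these cannot be malleated."""
        return {(prev, idx) for prev, idx, _ in self.inputs}


def malleate(tx: Tx) -> Tx:
    """Model of a relay node tweaking the scriptSig without touching amounts or
    addresses. Modelled here as one extra byte; the real vectors were tweaks to
    the signature's DER encoding. Outputs and spent coins are unchanged."""
    return Tx([(p, i, b"\x00" + s) for p, i, s in tx.inputs], list(tx.outputs))


def naive_status(sent: Tx, confirmed: list) -> str:
    """Look only for the ID we sent; absence is read as 'failed' (the trap)."""
    return "confirmed" if any(c.txid() == sent.txid() for c in confirmed) else "failed"


def robust_status(sent: Tx, confirmed: list) -> str:
    """Reconcile by what was spent: if our inputs were consumed by a confirmed
    transaction paying the same outputs, the withdrawal went through."""
    for c in confirmed:
        if c.outpoints() == sent.outpoints() and c.outputs == sent.outputs:
            return "confirmed"
    return "failed"


# Constructed sample: a withdrawal as sent, and the variant that got confirmed.
SENT = Tx([("ab" * 32, 0, b"\x30\x44\x02\x20sig")], [("customer_addr", 50_000)])
CONFIRMED = [malleate(SENT)]
```

With these inputs the naive check reports the withdrawal as failed and invites a second payout, while the outpoint-based check correctly reports it confirmed.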
Mt. Gox had leaked bitcoins before this. In October 2011, 2,609 BTC had been lost to a programming error that sent bitcoins to a nonexistent address.105 The exchange had been technically insolvent since about 2012, knowingly or unknowingly.106 It remains entirely unclear how much in total was hacked and how much was just lost.
On 24 February, Mt. Gox finally closed down. $400 million in customer dollars and bitcoins had gone up in smoke.
Karpelès is still dealing with the Japanese authorities, including being arrested for embezzlement in August 2015 and held in custody for several months, with his trial starting in July 2017 (though he maintains his innocence). McCaleb went on to develop the cryptocurrencies Ripple and Stellar; his LinkedIn page107 details his career back to eDonkey, but chooses to omit Mt. Gox.
Drugs and the Darknet: The Silk Road
Both Anne Frank, and Ross Ulbricht created dark markets to help people hide from violent oppressors who were trying to hurt peaceful people.
– Roger Ver108
Anonymous or pseudonymous cryptocurrency has one obvious application: paying for things you’d rather not be caught buying or selling. Drug users take to new communication channels as soon as they’re invented; the first known e-commerce was the sale of marijuana between Stanford and MIT students over email in 1971 or 1972.109 Nakamoto noted in September 2010:110
Bitcoin would be convenient for people who don’t have a credit card or don’t want to use the cards they have, either don’t want the spouse to see it on the bill or don’t trust giving their number to “porn guys”, or afraid of recurring billing.
Ross Ulbricht grew up in Austin, Texas, born to a well-off family. He was an Eagle Scout; friends and acquaintances were widely impressed by what a polite, helpful young man he was. He studied physics and materials science at college. At Penn State, he took up with the College Libertarians group, and was an activist in support of Ron Paul’s 2008 presidential bid.
He left Penn State in 2010 and posted on his LinkedIn page that he was moving from physics to “use economic theory as a means to abolish the use of coercion and aggression amongst mankind … I am creating an economic simulation to give people a first-hand experience of what it would be like to live in a world without the systemic use of force.”
Tor is a protocol and network created in 2002 to let you browse the web in privacy, heavily sponsored by the US government, both for their own use and to aid dissidents in oppressive countries.111 112 (And, of course, it’s popular with annoying Internet trolls.) You can also set up servers, only available through the Tor network, whose real location can’t be traced.113 Ulbricht realised in 2010 that Tor plus Bitcoin meant you could build a secret marketplace to deal in anything, licit or illicit. He adopted the name “Dread Pirate Roberts” (from the book and movie The Princess Bride) and launched the Silk Road in January 2011.
The Silk Road was avowedly ideological. Ulbricht was a huge fan of von Mises, Rothbard, Austrian economics and anarcho-capitalism, even hosting a libertarian book club on the Silk Road forums. He consistently put forward the Silk Road as being not just a market, but an experiment to reshape the world.
The site was a sort of eBay for illicit goods. The first sale was psychedelic mushrooms Ulbricht had grown himself, though he quickly moved to just taking a percentage on others’ transactions. As well as almost any drug, you could buy steroids, forged government identification (but not private company identification), medical and lab supplies (build your drug lab without being flagged), hacking tutorials or drug synthesis tutorials. Sellers were pseudonymous, but relied on building up good ratings from customers. Even investigating FBI and DHS agents found it was surprisingly reliable in both delivery and quality.114
One thing you couldn’t buy was child pornography – even crooks have standards, and Ulbricht forbade child pornography as not being victimless. No weapons of mass destruction, no stolen credit card numbers.
The Silk Road was publicised in March 2011 on libertarian podcast Free Talk Live (the episode that got Roger Ver into Bitcoin). By May, the site, as the one place you could actually use Bitcoin, had driven the price of 1 BTC to $10; when the site went down in mid-May for upgrading, the price of a bitcoin dropped.
The site got a massive boost in June from an article in Gawker describing it as an anonymous and convenient drug marketplace, providing a link to the site and directing people to Mt. Gox if they wanted to buy bitcoins to spend there.115 Jeff Garzik, a Bitcoin core developer, explained to Gawker that Bitcoin wasn’t “anonymous” but pseudonymous at best, given the blockchain had every transaction ever conducted. “Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb.”
Ulbricht emphasised the site’s ideological mission to Gawker: “The state is the primary source of violence, oppression, theft and all forms of coercion. Stop funding the state with your tax dollars and direct your productive energies into the black market.”
By November 2011, Ulbricht was making $30,000 a month in transaction fees. By early 2012, it was still the only functioning marketplace using bitcoins, and for some time it remained the primary driver of the Bitcoin economy.
Ulbricht had big plans for the Silk Road, as a “brand people can come to trust and rely on … Silk Road chat, Silk Road exchange, Silk Road credit union, Silk Road market, Silk Road everything!”
Around the end of 2012, Ulbricht contracted the murder of a Silk Road administrator who had been arrested, and who he believed had stolen bitcoins from him, fearing he would talk to the police and endanger the Silk Road project. When he received photos of the murdered man, he wired payment for the hit. He would order five more hits over the next few months, the last of which included killing the target’s three roommates as well.
(In reality, most were faked by law enforcement agents who were out to catch “Roberts,” and one by a scammer who successfully bilked Ulbricht of $500,000. His negotiations and payments to procure murder came up in his eventual trial, and are the subject of a separate Grand Jury indictment in Maryland.)
Ulbricht had been doing all his Silk Road work from his main daily laptop. One afternoon in September 2013, he was sitting in a library, using their wi-fi to administer the site, and talking to a friend in the site’s online chat. Two apparently-homeless people started arguing loudly behind him; he turned to look, and the slight young woman using the desk opposite snatched his laptop. She was a government agent. So were the homeless people. So was the friend he was chatting to.
The laptop contained the near-complete collection of smoking gun evidence on the Silk Road, gift-wrapped with a little bow on top. It included the list of Silk Road servers and the names Ulbricht had used to rent them, the Silk Road accounting spreadsheets (including the purchase of the laptop), on-site chat logs, the PHP code for the site itself, photo ID for other Silk Road administrators, all the encryption keys for the site, 144,000 bitcoins … and log.txt, Ulbricht’s daily diary of his Silk Road activities: building the site, dealing with business issues, ordering hits on people.116
“I imagine that someday I may have a story written about my life, and it would be good to have a detailed account of it,” he wrote in January 2012.
The DEA had started investigating the Silk Road in late 2011. They had first started looking into Ulbricht himself in July 2013, when they intercepted a package of fake passports and driver’s licenses he had ordered on his own site. He had asked questions on a programming forum about using Tor via PHP as user “Altoid,” a handle he had used to promote the Silk Road when he had just launched it, and had included his GMail address, which the FBI obtained a search warrant on. The Silk Road server had been traced when its real address leaked; they had found the name “Frosty” for the apparent system administrator, an alias Ulbricht had used with forum accounts linked to his GMail account and in many other places. Multiple FBI agents had befriended him on the site and even become administrators.
Everyone had assumed that “Dread Pirate Roberts” had the most painstaking operational security imaginable. It turned out Ulbricht was protected by nothing more than an impenetrable shield of narcissism, and an apparent belief that he was too smart and virtuous to be caught.
At trial, on charges of money laundering, computer hacking, conspiracy to traffic fraudulent identity documents and conspiracy to traffic narcotics, Ulbricht’s defense amounted to digital identity being ambiguous, with unsubstantiated claims that someone else had set him up.
Unfortunately for Ulbricht, the prosecution had a powerful weapon on its side: overwhelming evidence. Not just from the laptop, but also from the Silk Road server, seized from its hosting company in Iceland. They also had evidence from the Bitcoin blockchain – which, of course, contained a tamper-proofed record of every transaction ever conducted on it and which addresses were involved.117 Which is why Bitcoin is otherwise known as “prosecution futures”.118
The defence threw various Hail Mary passes – when your client’s been live-logging his criminal activities in real time, there’s a limit to what sweet reason and even the most silver tongue can achieve. They admitted Ulbricht had started the Silk Road – then they claimed he then sold it to someone else, who duped him into buying it back just as the FBI was closing in; they claimed that Mark Karpelès was the real “Dread Pirate Roberts” (the DEA had looked into Karpelès in 2012, but decided it wasn’t him); they attempted to call surprise last-second expert witnesses (this being slapped down in no uncertain terms by the judge, who told them to stop playing silly buggers119); they claimed that all the chat logs, spreadsheets and the daily diary could have somehow been planted on the laptop via BitTorrent; they claimed there was no way the real “Dread Pirate Roberts” would be so stupid as to have kept a diary of crimes on the laptop he daily ran the site from.
The charges of procuring murder were lined up to be dealt with in Maryland. However, the negotiations and payments for the hits were brought into the New York trial as evidence for the conspiracy charges, and mentioned in sentencing concerning Ulbricht’s character: his freedom-loving anarcho-capitalist ideals and adherence to the non-aggression principle apparently being completely compatible with murdering all the roommates of someone who’d trespassed upon his bitcoins.
In fairness, some of the case against Ulbricht was not flawlessly kosher. The FBI may not have touched all legal bases when tracing the Silk Road server120 (though the defence failed to challenge the evidence, despite the judge suggesting it to them repeatedly); and two of the agents on the case, Carl Mark Force IV and Shaun Bridges, turned out to have been stealing bitcoins from Ulbricht and the Silk Road and were later jailed. (They too were substantially busted by evidence straight from the blockchain.) Despite this, the evidence was sufficiently convincing that the jury took four hours, including lunch, to find Ulbricht guilty on all seven counts. He was sentenced to life imprisonment without parole.
Ulbricht’s fans and family remain unshakably convinced of his innocence and virtuous character: he didn’t do it, you can’t prove he did it, what he did was harm reduction in the war on drugs, he was jailed just for running a website like anyone could, the murders didn’t actually happen so paying to murder people and all their roommates isn’t a crime and shouldn’t have been mentioned in the other trial, he hasn’t been convicted of procuring murder so it probably never happened and he’s really a good guy, he was entrapped into paying hundreds of thousands of dollars to murder someone and all their roommates, the government ignores the Constitution, also freedom. Darknet posters had threatened the judge, Katherine B. Forrest, and posted private personal information about her in October 2014,121 and 8chan /baphomet/ posted private information about her again between the verdict and the sentencing.122 His mother, Lyn Ulbricht, maintains FreeRoss.org:123