Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether

Ethereum, the second biggest crypto network, is worth $360 billion. Its creator, Vitalik Buterin, has more than 3 million Twitter followers, has made videos with Ashton Kutcher and Mila Kunis, and has met with Vladimir Putin. All the most popular trends in crypto over the last several years launched on Ethereum: initial coin offerings (ICOs), decentralized finance (DeFi), non-fungible tokens (NFTs), and decentralized autonomous organizations (DAOs). And it has spawned a whole class of blockchain imitators, often called “Ethereum killers.”

Ethereum is also the subject of a great mystery: who committed the largest theft of ether (Ethereum’s native token) ever, by hacking The DAO? The decentralized venture capital fund had raised $139 million in ether (ETH) by the time its crowd sale ended in 2016, making it the most successful crowdfunding effort to that date. Weeks later, a hacker siphoned 31% of the ETH in The DAO—3.64 million total or about 5% of all ETH then outstanding—out of the main DAO and into what became known as the DarkDAO.

Who hacked The DAO? My exclusive investigation, built on the reporting for my new book, The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze, appears to point to Toby Hoenisch, a 36-year-old programmer who grew up in Austria and was living in Singapore at the time of the hack. Until now, he has been best known for his role as a cofounder and CEO of TenX, which raised $80 million in a 2017 initial coin offering to build a crypto debit card—an effort that failed.

The market cap of those tokens, which spiked at $535 million, now sits at just $11 million.

After being sent a document detailing the evidence pointing to him as the hacker, Hoenisch wrote in an email, “Your statement and conclusion is factually inaccurate.” In that email, Hoenisch offered to provide details refuting our findings—but never answered my repeated follow-up messages to him asking for those details.

To put the enormity of this hack in perspective, with ETH now trading around $3,000, 3.64 million ETH would be worth $11 billion. The DAO theft famously and controversially prompted Ethereum to do a hard fork—where the Ethereum network split into two as a way to restore the stolen funds—which ultimately left the DarkDAO holding not ETH, but far less valuable Ethereum Classic (ETC). The proponents of the fork had hoped ETC would die out, but it now trades around $30. That means the descendant wallets of the DarkDAO now hold more than $100 million in ETC—a high dollar monument to the biggest whodunnit in crypto.

Last year, as I was working on my book, my sources and I, utilizing (among other things), a powerful and previously secret forensics tool from crypto tracing firm Chainalysis, came to believe we had figured out who did it. Indeed, the story of The DAO and the six-year quest to identify the hacker, shows a lot about just how far the crypto world and the technology for tracking transactions have both come since the first crypto craze. Today, blockchain technology has gone mainstream. But as new applications arise, one of the first uses of crypto—as an anonymity shield—is in retreat, thanks to both regulatory pressure and the fact that transactions on public blockchains are traceable.

Since Hoenisch won’t talk to me, I can only speculate about his possible motives; back in 2016 he identified technical vulnerabilities in the DAO early and may have decided to strike after concluding his warnings weren’t being taken seriously enough by the creators of the DAO. (One of his TenX cofounders, Julian Hosp, an Austrian medical doctor who now works in blockchain full time, says of Hoenisch: “He is a person that is super opinionated. Always believed he was right. Always.”) Looked at from that perspective, this is also a tale of the big brains and big egos that drive the crypto world–and of a hacker who may have justified his actions by telling himself he simply did what the faulty code baked into The DAO allowed him to do.

In early 2016, the Ethereum network was not even a year old, and there was only one app on it that people were interested in: The DAO, a decentralized venture fund built with a smart contract that gave its token holders the right to vote on proposals submitted for funding. It had been created by a company named Slock.it, which, instead of seeking traditional venture capital, had decided to create this DAO and then open it up for crowdfunding—with the expectation that its own project would be one of those funded by The DAO. Slock.it’s team thought The DAO might attract $5 million.

Yet when the crowd sale opened on April 30th, it took in $9 million in just the first two days, with participants exchanging one ether for 100 DAO tokens. As the money poured in, some on the team felt queasy, but it was too late to cap the sale. By the time the funding closed a month later, 15,000 to 20,000 individuals had contributed, The DAO held what was then 15% of all ether and the price of the cryptocurrency was steadily rising. At the same time, a variety of security and structural concerns were being raised about The DAO, including one that would, ironically, later prove to be crucial to limiting the hacker’s immediate access to the spoils.

That problem: withdrawing funds was too hard. Someone wanting to retrieve their money had to first create a “child DAO” or “split DAO,” which required not only a high degree of technical knowledge, but also waiting periods after each step and the agreement of anyone else who moved funds into that child DAO.

On the morning of June 17th, ETH reached a new all-time high of $21.52, making the crypto in The DAO worth $249.6 million. When American Griff Green woke up that morning in Mittweida, Germany (he was staying in the family home of two brothers who were Slock.it cofounders), he had a message on his phone from a DAO Slack community member who said something weird was happening— it looked like funds were being drained.

Green, Slock.it’s first employee and community organizer, checked: there was indeed a stream of 258-ETH (then $5,600) transactions leaving The DAO.  By the time the attack stopped a few hours later, 31% of the ETH in The DAO had been siphoned out into the DarkDAO. As awareness of the attack spread, ether had its highest trading day ever, with its price plummeting 33% from $21 to $14.


Split Fortunes

The 2016 DAO crowdfunding sale drove the price of ether (ETH) to a then record high—until the June 17th attack on The DAO sent it plummeting. After the hard fork on July 20th, the old blockchain began trading as ether classic (ETC).


Soon, the Ethereum community pinpointed the vulnerability that enabled this theft: the DAO smart contract had been written so that any time someone withdrew money, the smart contract would send the money first, before updating that person’s balance. The attacker had used a malicious smart contract that withdrew money (258 ETH at a time), then interfered with the updating of the contract, allowing them to withdraw the same ether again and again. It was as if the attacker had $101 in their bank account, withdrew $100 at a bank, then kept the bank teller from updating the balance to $1, and again requested and received another $100.
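The send-before-update flaw described above, as an added Python model that is not The DAO's code and not from the original article. The `Vault`, `Account` and `ReenteringAccount` classes and the deposit figures are assumptions made for illustration; only the 258-unit withdrawal size comes from the text. It compares the flawed ordering with two standard fixes: updating the balance before sending, and a reentrancy lock.

```python
"""Toy model (constructed) of a withdraw() that pays before updating balances."""


class Account:
    """An ordinary holder: does nothing special when it is paid."""

    def __init__(self, name):
        self.name = name
        self.received = 0

    def on_receive(self, vault):
        pass


class ReenteringAccount(Account):
    """Models a contract whose payment hook calls withdraw() again."""

    def __init__(self, name, reentries):
        super().__init__(name)
        self.reentries_left = reentries

    def on_receive(self, vault):
        if self.reentries_left > 0:
            self.reentries_left -= 1
            vault.withdraw(self)  # re-enter before the outer call has finished


class Vault:
    """Hypothetical pooled-funds contract with three withdraw() variants."""

    MODES = ("send_first", "update_first", "send_first_locked")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.balances = {}   # what the vault believes it owes each account
        self.pool = 0        # what the vault actually holds
        self.locked = False  # reentrancy lock, used only in the locked mode

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.pool += amount

    def withdraw(self, account):
        """Pay out the account's full balance; return the amount paid."""
        if self.mode == "send_first_locked":
            if self.locked:          # a withdraw is already in progress
                return 0
            self.locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or amount > self.pool:
                return 0
            if self.mode == "update_first":
                # Fixed ordering: record the effect, then make the external call.
                self.balances[account] = 0
                self._pay(account, amount)
            else:
                # Flawed ordering: external call first, bookkeeping afterwards.
                self._pay(account, amount)
                self.balances[account] = 0
            return amount
        finally:
            if self.mode == "send_first_locked":
                self.locked = False

    def _pay(self, account, amount):
        self.pool -= amount
        account.received += amount
        account.on_receive(self)     # control passes to the recipient's code


def simulate(mode, reentries=4):
    """Nine honest holders and one re-entering holder each deposit 258 units."""
    vault = Vault(mode)
    for i in range(9):
        vault.deposit(Account(f"holder{i}"), 258)
    reenterer = ReenteringAccount("reenterer", reentries)
    vault.deposit(reenterer, 258)
    vault.withdraw(reenterer)
    owed = sum(vault.balances.values())
    return {
        "paid_out": reenterer.received,
        "pool": vault.pool,
        "owed": owed,
        # Invariant a monitor or test suite can assert after every call.
        "solvent": vault.pool >= owed,
    }


if __name__ == "__main__":
    for mode in Vault.MODES:
        print(mode, simulate(mode))
```

The `solvent` invariant (funds held are at least the sum of recorded balances) is the property that breaks under the flawed ordering, which makes it a useful assertion in contract tests and monitoring.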

Even worse, once the vulnerability became public, the remaining 7.3 million ETH in The DAO was at risk of a copycat attack. A team of white hat hackers (that is, hackers acting ethically) formed and used the attacker’s method to divert the remaining funds into a new child DAO. But the attacker still had about 5% of all outstanding ETH, and even the rescued ether was vulnerable, given the flaws in The DAO. Plus, the clock was ticking down to a July 21st deadline—the first date when the original hacker might be able to get at the funds they had diverted into the DarkDAO.

If the community wanted to keep the attacker from cashing out, they would need to put tokens in the hacker’s DarkDAO and then in any future “split DAOs” (or child DAOs) the unknown hacker created. (Under the rules of the DAO smart contract, the attacker couldn’t withdraw funds if anyone else in their split DAO objected.) Bottom line: if the white hats ever missed their window to object, the attacker would be able to abscond with the funds—meaning this informal group would have to be constantly vigilant.

Eventually, after much bickering (on Reddit, on a Slack channel, over email and on Skype calls) and Ethereum founder Buterin publicly weighing in, and after it seemed that a majority of the Ethereum community supported the measure, Ethereum did a “hard fork.” On July 20th the Ethereum blockchain was split into two. All the ETH that had been in the DAO was moved to a “withdraw” contract which gave the original contributors the right to send in their DAO tokens and get back ETH on the new blockchain. The old blockchain, which still attracted some supporters and speculators, carried on as Ethereum Classic.

• • •

On Ethereum Classic, The DAO and the attacker’s loot (in the form of 3.64 million ETC) remained. That summer, the attacker moved their ETC a few hops away to a new wallet, which remained dormant until late October, when they began trying to use an exchange called ShapeShift to cash the money out to bitcoin. Because ShapeShift didn’t at that time take personally identifying information, the attacker’s identity was not known even though all their blockchain movements were visible.

Over the next two months, the hacker managed to obtain 282 bitcoins (then worth $232,000, now more than $11 million). And then, perhaps because ShapeShift frequently blocked their attempted trades, they gave up cashing out, leaving behind 3.4 million Ether Classic (ETC), then worth $3.2 million and now more than $100 million.

That might have been the end of the story: an unknown hacker sitting on a fortune he couldn’t cash out. Except last July, one of my sources involved in the DAO rescue, a Brazilian named Alex Van de Sande (aka Avsa), reached out, saying the Brazilian police had opened an investigation into the attack on The DAO, and into whether he might be a victim or even the hacker himself. Van de Sande decided to commission a forensics report from blockchain analytics company Coinfirm to help exonerate himself (though the police then closed the investigation, he said). In case any similar situations arose in the future, he went forward with the report examining those cash-out attempts in 2016.

Among the early suspects in the hack had been a Swiss businessman and his associates, and in tracing the funds, Van de Sande and I also found another suspect: a Russia-based Ethereum Classic developer. But all these people were in Europe/Russia and the cash-outs mapped onto an Asian-morning-through-evening schedule—from 9 A.M. to midnight Tokyo time—when the Europeans were likely sleeping. (The timing of their social media posts suggested they kept fairly normal hours.) But based on a customer support email the hacker had submitted to ShapeShift in the leadup to the attack, I believed they spoke fluent English.

Jumping off from the Coinfirm analysis, blockchain analytics company Chainalysis saw the presumed attacker had sent 50 BTC to a Wasabi Wallet, a private desktop Bitcoin wallet that aims to anonymize transactions by mixing several together in a so-called CoinJoin. Using a capability that is being disclosed here for the first time, Chainalysis de-mixed the Wasabi transactions and tracked their output to four exchanges. In a final, crucial step, an employee at one of the exchanges confirmed to one of my sources that the funds were swapped for privacy coin Grin and withdrawn to a Grin node called grin.toby.ai. (Due to exchange privacy policies, normally this sort of customer information would not be disclosed.)

The IP address for that node also hosted Bitcoin Lightning nodes: ln.toby.ai, lnd.ln.toby.ai, etc., and was consistent for over a year; it was not a VPN.

It was hosted on Amazon Singapore. Lightning explorer 1ML showed a node at that IP called TenX.

For anyone who was into crypto in June 2017, this name may ring a bell. That month, as the ICO craze was reaching its initial peak, there was an $80 million ICO named TenX. The CEO and cofounder used the handle @tobyai on AngelList, Betalist, GitHub, Keybase, LinkedIn, Medium, Pinterest, Reddit, StackOverflow, and Twitter. His name was Toby Hoenisch.

Where was he based? In Singapore.

Although he was German-born and raised in Austria, Hoenisch is fluent in English.

The cash-out transactions occurred mainly from 8 A.M. until 11 P.M. Singapore time.

And the email address used on that account at the exchange was [name of exchange]@toby.ai.

In May 2016, as it was finishing up its historic fundraise, Hoenisch was intensely interested in The DAO. On May 12, he emailed Hosp a tip (“Profitable crypto trade coming up”) to short ETH once the DAO crowdfunding period ended. On May 17th and 18th, in the DAO Slack channel, he engaged in a long conversation in which he made, depending on how you count, 52 comments, minimum, about vulnerabilities in The DAO, getting into various aspects of the code and nitpicking over exactly what was possible given the way the code was structured.

One issue spurred him to email Slock.it’s chief technology officer, Christoph Jentzsch, its lead technical engineer, Lefteris Karapetsas, and community manager Griff Green. In his email, he said he was writing a proposal for funding from The DAO for a crypto card product called DAO.PAY, and added, “For our due diligence, we went through the DAO code and found a few things that are worrisome.” He outlined three possible attack vectors and later emailed with a fourth. Jentzsch, a German who had been working on a PhD in physics before dropping out to focus on Ethereum, responded point by point, conceding some of Hoenisch’s assertions but saying others were “false” or “don’t work.” The back and forth ended with Hoenisch writing: “I’ll keep you in the loop if we find anything else.”

But instead of further email exchanges, on May 28th, Hoenisch wrote four posts on Medium, beginning with, “TheDAO—risk free voting.” The second, “TheDAO—blackmailing withdrawals,” foreshadowed the main issue with The DAO and why Ethereum ultimately chose to hard fork: if it did not, the only other options were to let the attacker cash out his ill-gotten gains or for some group of DAO token holders to follow him forever into new split DAOs he created as he attempted to cash out. “TLDR: If you end up in a DAO contract without majority voting power, then an attacker can block all withdrawals indefinitely,” he wrote. The third showed how an attacker could do this cheaply.




His last, most telling post for the day, “TheDAO—a $150m lesson in decentralized governance,” said DAO.PAY decided against making a proposal after uncovering “major security flaws” and that “Slockit down-played the severity of the attack vectors.” He wrote, “TheDAO is live … and we are still waiting for Slockit to put out a warning that THERE IS NO SAFE WAY TO WITHDRAW!”

On June 3, his last Medium post, “Announcing BlockOps: Blockchain Hack Challenges” said, “BlockOps is your playground to break encryption, steal bitcoin, break smart contracts and simply test your security knowledge.” Although he promised to “post new challenges in the field of bitcoin, ethereum and web security every 2 weeks,” I could find no record that he did so.

Two weeks later came the DAO attack. The morning after the attack, at 7:18 A.M. Singapore time, Hoenisch trolled Ethereum creator Vitalik Buterin by retweeting something Buterin had said before The DAO was attacked, but after it was known that the vulnerability used in the attack was evident in the DAO’s code. In the two-week old tweet, Buterin had said that he’d been buying DAO tokens since the security news. Over the following weeks, Hoenisch tweeted anti-hard fork posts like one titled, “Too Big to Fail is Failure Guaranteed.”

Curiously, on July 5, a couple weeks after the attack, Hoenisch and Karapetsas exchanged Reddit DMs titled “DarkDAO counter attack” — though the substance of the messages is unclear because Hoenisch has deleted all his Reddit posts. (Hosp recalls that Hoenisch told him he had deleted his Reddit account after an altercation with an “idiot” on Reddit over The DAO.) Hoenisch wrote, “Sorry for not contacting first. I got carried away from finding it and telling the community that there is a way to fight back. In any case, I don’t see any way the attacker can use this.”

After Karapetsas told Hoenisch of the white hats’ plans to protect what was left in The DAO, Hoenisch replied, “I took down the post.” Karapetsas responded, “I will keep you up to date with what we do from now on.” Hoenisch’s last message in that exchange: “I’m sorry if I messed up the plan.”

On July 24th, the day after the Ethereum Classic chain revived and began trading on Poloniex, Hoenisch tweeted, “ethereum drama escalating: from #daowars to #chainwars. Ethereum classic now traded on poloniex as $ETC and miners planning attacks.” On July 26th, he retweeted Barry Silbert, the founder and CEO of the powerful and well-respected Digital Currency Group, who had tweeted, “Bought my first non-bitcoin digital currency…Ethereum Classic (ETC).”




Upon hearing the name Toby Hoenisch, without knowing evidence indicated he was the DAO attacker, Karapetsas, a usually good-humored Greek software developer who was one of the DAO creators and had engaged with him by email and on Reddit, said: “He was obnoxious…. he was quite insistent on having found a lot of problems.”

After hearing that the DarkDAO ETC had been cashed out to a Grin node with Hoenisch’s alias, Karapetsas observed that if Hoenisch had instead remedied the situation while the DarkDAO funds were frozen, the Ethereum community would have given him “huge kudos” for finding the weakness and then returning the ETH. Similarly, Griff Green, whose current projects lean towards helping non-profit and public causes grow in the digital world, believes the hacker missed the chance to “be a hero.” Says Green: “He really screwed the pooch…Reputation is way more valuable than money.”

Ironically, in a 2016 blog post, Hoenisch wrote, “I’m a white hat hacker by heart.’’ Twenty days later came the DAO attack.

As I noted earlier, after being sent a document laying out the evidence that he was the hacker and asking for comment for my book, Hoenisch wrote that my conclusion is “factually inaccurate.” He said in that email he could give me more details—and then did not respond to four requests for those details, nor to additional fact checking queries for this article. In addition, after receiving the first document detailing the facts I’d gathered, he deleted almost all his Twitter history (though I’ve saved the relevant tweets).

In May 2015, Hoenisch and the cofounders of his crypto debit card venture—first known as OneBit—had some success at a Mastercard Masters of Code hackathon in Singapore. They started making the card available that year on an invitation-only basis, because, as Hoenisch explained on Reddit, “We don’t want to launch a half-assed Bitcoin wallet that gets us in trouble for violating KYC (know your customer) laws. And yes, legal is the main reason we can’t just ship it.” A Bitcoin Magazine article at the time said Hoenisch had a background in AI, IT security and cryptography.

In early 2017, just months after the presumed DAO attacker stopped trying to cash out their ETC, Hoenisch’s team—by then operating as TenX—announced it had received $1 million in seed funding from (among others) Fenbushi Capital, where Ethereum founder Buterin was a general partner. Then came the $80 million ICO. In early 2018, things started to go south for TenX when its card issuer, Wavecrest, was booted from the Visa network, meaning that TenX’s users could no longer use their debit cards.

On Oct. 1, 2020, TenX announced it was sunsetting its services because its new card issuer, Wirecard SG, had been directed by the Monetary Authority of Singapore to cease operations. On April 9, 2021, TenX posted a blog called “TenX, Meet Mimo.” It outlined a new business that would offer a euro-pegged stablecoin, which kept its value pegged to a fiat currency such as US dollars or euros or Japanese Yen. The market cap of TenX tokens, which spiked at $535 million, now sits at just $11 million. TenX has rebranded itself as Mimo Capital and is offering holders of TenX tokens mostly worthless MIMO tokens instead at a rate of 0.37 MIMO for each TenX.

Hosp, who was the public face of the company while there, was booted by Hoenisch and another cofounder in January 2019. This occurred a couple months after some crypto publications reported on Hosp’s past affiliation with an Austrian multi-level marketing scheme. However, before hearing that evidence indicated Hoenisch was the DAO attacker, Hosp said his feeling had been that Hoenisch had perhaps pushed him out over jealousy that Hosp had sold bitcoin at the top of the bubble in late 2017, netting himself $20 million. Meanwhile, Hoenisch had kept all his crypto as the bubble – and his personal net worth – deflated.

“He came from a very poor family, he had no experience in investing, and he was in crypto in 2010 but he had literally no money, nothing, when we were in Las Vegas together [in the summer of 2016] he had nothing, and I was doing really well with my investments… he would always push for getting more salary, for having something nicer.” Hosp also mentioned Hoenisch had to send money home to his mother, who had raised him, as well as his sister and brother, as a single parent.




Upon hearing that Hoenisch was the likely DAO attacker, Hosp said he was “getting goose bumps” and began recalling details from his interactions with his former partner that now seemed to take on new significance. For example, when asked if Hoenisch was into Grin (the privacy coin to which the hacker had cashed out), Hosp said, “Yes! Yes, he was. He was fascinated by that…I lost money because of those stupid coins! I invested in them because of him, because he was so fascinated by them.”

He said that Hoenisch was also obsessed with building a Bitcoin/Monero “atomic swap” – or a way to use smart contracts to swap between Bitcoin and the privacy coin Monero. At the time, Hosp was confused by that, because he felt there was no market for such a product. Later, Hosp pulled up chats from August 2016, in which Hoenisch seemed excited about the price of ETC, the coin held by the hacker after the ethereum fork.

When trying to recall the incident that he believed prompted Hoenisch to close his Reddit, Hosp began searching on his computer and muttered to himself, “He always used tobyai.” He confirmed that one of Toby’s regular email addresses ended in @toby.ai.

Recalled a still astounded Hosp: “For some weird reason, he was quite well aware of what was happening…He understood more of the DAO hack when I asked him what had happened…than I had found on the internet or anywhere.”


A former senior editor of Forbes, I’m a crypto journalist, host of the Unchained podcasts, and author of The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze. https://bit.ly/cryptopians

Source: Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether


Recent News

Chelsea Manning Is Back, And Hacking Again, Only This Time For A Bitcoin-Based Privacy Startup

Five years ago, from her prison cell, trans whistleblower Chelsea Manning sketched out a new way to protect online privacy. Now, she is helping an MIT-affiliated cryptographer bring the next generation of privacy software online.

Chelsea Manning’s long blonde hair catches in a cool summer breeze as she turns the corner into Brooklyn’s Starr Bar, a dimly lit counter-cultural haunt in the heart of the hipster enclave of Bushwick. The 33-year-old best known for leaking hundreds of thousands of top-secret government documents to Julian Assange in 2010, then coming out as a transgender woman, walks past a poster depicting sea turtles, humans and geese merging to form the outline of a dove. Beside the image are the words, “Your Nations Cannot Contain Us.”

Dressed in a black suit and wearing a silver Omega watch, she makes her way to a small wooden table illuminated by a shaft of sunlight. She orders a Coke. Contrary to what one might expect, this whistleblower turned trans icon looks uncomfortable in the hip surroundings. A fan reverently approaches her and welcomes her back. “This is my life,” she says after he leaves, expressing gratitude for the well wishes and lamenting the loss of her privacy. “I’m not just famous—I’m in the history books.”

While serving the longest sentence ever doled out to a whistleblower after she used the privacy-protecting Tor Network to anonymously leak 700,000 government documents, she used her time in incarceration to devise a better way to cover the tracks of other online users.

Knowing that the nonprofit Tor Project she used to send files to Wikileaks had become increasingly vulnerable to the prying eyes of intelligence agencies and law enforcement, she sketched out a new way to hide internet traffic using blockchain, the technology behind bitcoin, to build a similar network, without troublesome government funding. The entire plan was hatched in a military prison, on paper.

Fixing the known weaknesses of these networks is about more than just protecting future whistleblowers and criminals. Private networks are also vital for big businesses who want to protect trade secrets. The privacy network industry, including the virtual private networks (VPNs) familiar to many corporate users, generated $29 billion in revenue in 2019 and is expected to triple to $75 billion by 2027.

Manning thinks that not-for-profit efforts like Tor, which relies on U.S. government funding and a worldwide network of volunteers to run its anonymous servers, aren’t robust enough. “Nonprofits are unsustainable,” says Manning casually, sipping from her Coke. “They require constant upholding by large capital funds, by large governments.”

By January 2017, she was 7 years into a 35-year sentence at Fort Leavenworth, home to the likes of former Army Major Nidal Hasan, who killed 14 fellow soldiers in 2009. As President Barack Obama prepared to leave office, he granted Manning an unconditional commutation of her sentence. Newly tasting freedom, she was contacted by Harry Halpin, the 41-year-old mathematician who worked for World Wide Web inventor Tim Berners-Lee at MIT from 2013 to 2016 helping standardize the use of cryptography across Web browsers.

Halpin asked Manning to look for security weaknesses in his new privacy project, which eventually became Nym, a Neuchâtel, Switzerland-based crypto startup. Halpin founded Nym in 2018 to send data anonymously around the Internet using the same blockchain technology underlying Bitcoin. To date, Nym has raised some $8.5 million from a group of crypto investors including Binance, Polychain Capital and NGC Ventures. The firm now employs ten people and is using its latest round of capital to double its team size.

Halpin was impressed by Manning’s technical knowledge. More than just a famous leaker who happened to have access to secret documents, Manning struck Halpin as someone with a deep technological understanding of how governments and big business seek to spy on private messages.

“We’ve very rarely had access to people who really were inside the machine, who can explain what they believe the actual capabilities of these kinds of adversaries are, what kinds of attacks are more likely,” says Halpin. “She’ll help us fix holes in our design.”

Born in Oklahoma on December 17, 1987, Manning had her first exposure to what’s called network traffic analysis in high school. She and her Welsh mother, Susan, had moved to Haverfordwest, Wales, in 2001, when Manning was 13. In a computer class there, in 2003, she first learned to circumvent blocks put in place by the school to prevent students downloading certain files—and got caught pirating music by Linkin Park, Jay-Z and others.

The headmaster had been watching remotely. “It was the first moment where it dawned on me, ‘Oh, this is a thing. You can do this.’”

By 2008 Manning’s interest in network traffic analysis first brought her to The Onion Router (Tor), a volunteer network of computers that sits on top of the internet and helps hide a user’s identity. The nonprofit organization leveraged something called “onion routing,” which hides messages beneath layers of encryption.

Each message is only decipherable by a different member of the network, which routes the message to the next router, ensuring that only the sender and receiver can decipher it all. Ironically, the network colloquially known as the “Dark Web,” used by Manning to send classified documents to WikiLeaks, was developed by the U.S. government to protect spies and other government agents operating online.

At around the same time Manning discovered Tor, she joined the U.S. Army. As a young intelligence analyst her job was to sort through classified databases in search of tactical patterns. After becoming disillusioned with what she learned about the fighting in Iraq and Afghanistan, she plugged into her computer, put in her headphones, and loaded a CD with music from another of her favorite musicians, Lady Gaga.

Instead of listening to the album, though, she erased it and downloaded what would eventually be known as the largest single leak in U.S. history, ranging from sensitive diplomatic cables to video showing U.S. soldiers killing civilians, including two Reuters journalists.

In prison she studied carpentry, but she never stopped exploring her earlier vocation. “I’m a certified carpenter,” she says. “But when I wasn’t doing that, I would read a lot of cryptography papers.” In 2016, she was visited in prison by Yan Zhu, a physicist from MIT who would later go on to become chief security officer of Brave, a privacy-protecting internet browser that pays users in cryptocurrency in exchange for agreeing to see ads.

She and Zhu were concerned with vulnerabilities they saw in Tor, including its dependence on the goodwill of governments and academic institutions. In 2020, 53% of its $5 million funding came from the U.S. government and 27% came from other Western governments, tax-subsidized nonprofits, foundations and companies. Worse, in their opinion, the technology being developed to break privacy was being funded at a higher rate than the technology to protect it.

“As the Dark Web, or Tor and VPN and all these other services became more prolific, the tools to do traffic analysis had dramatically improved,” says Manning. “And there’s sort of been a cold war that’s been going on between the Tor project developers, and a number of state actors and large internet service providers.” In 2014, the FBI learned how to decipher Tor data. By 2020 a single user reportedly controlled enough Tor nodes to steal bitcoin transactions initiated over the network.

Using two lined pieces of composition paper from the prison commissary, Manning drew a schematic for Zhu of what she called Tor Plus. Instead of just encrypting the data she proposed to inject the information equivalent of noise into network communications. In the margins of the document she even postulated that blockchain, the technology popularized by bitcoin, could play a role.

Then, this February Halpin woke her up late one night with an encrypted text message asking her to take a look at a paper describing Nym. Developed completely separately from Manning’s jailhouse sketch, the paper detailed an almost identical system disguising real messages with white noise. A hybrid of the decentralized Tor that relies on donor support and a corporate-owned VPN that requires trusting a company, this network promised the best of both worlds.

Organized as a for-profit enterprise, Nym would pay people and organizations running the network in cryptocurrency. “The next day I cleared my schedule,” she says. By July she’d signed a contract with Nym to run a security audit that could eventually include a closer look at the code, the math and the defensive scenarios against government attacks.

Unlike Tor, which uses the onion router to obscure data sent on a shared network, Nym uses what’s called a mix network, or mixnet, that not only shuffles the data, but also alternates the methods by which the data is shuffled, making it nearly impossible to reassemble.

“Imagine you have a deck of cards,” says Manning. “What’s really unique here is that what’s being done is that you are taking essentially a deck of cards, and you are taking a bunch of other decks of cards, and you are shuffling those decks of cards as well.”

And, as it turns out, not every government is comfortable using a privacy network largely funded by the U.S. government. Despite Halpin’s commitment to build a network that doesn’t require government funding to operate, in July Nym accepted a €200,000 grant from the European Commission to help get it off the ground.


“Knowing that Wikileaks had become increasingly vulnerable to prying eyes from intelligence agencies and law enforcement, she sketched out a new way to hide internet traffic using blockchain, the technology behind bitcoin.”


“The problem is that there was never a financial model that made any sense to build this technology,” says Halpin. “There was no interest from users, venture capital and big companies. And now you’re seeing what we consider a once-in-a-lifetime alignment of the stars, where there’s interest in privacy from venture capital. There’s an interest in privacy for users. There’s interest in privacy from companies. And most of the interest from the venture capital side and the company side and the user side has been driven by cryptocurrency. And this was not the case even five years ago.”

Even Tor itself is exploring how to use blockchain to create the next generation of its software. After receiving 26% of its total donations in cryptocurrency last year, the Tor Project received a $670,000 grant from advocates of the Zcash cryptocurrency and sold a non-fungible token (NFT) representing the first .onion address for $2 million in May 2021.

Now, Tor cofounder Nick Mathewson says the Seattle-based nonprofit is exploring some of the same techniques developed by cryptocurrency companies to create Tor credentials that let users develop a reputation without revealing their identity, something he calls an “anonymous blacklistable credential.”

“If you’ve got a website, and somebody does something you don’t like, you can ban them,” says Mathewson. “You can ban the person who did that activity without ever finding out what other activities they did or figuring out whom you banned.”

Though Mathewson is interested in the possibility of using blockchain to upgrade Tor itself, he warns that making for-profit privacy infrastructure could lead to more money being spent on marketing than product development. “Our mission is to encourage the use of privacy technology,” says Mathewson. “I don’t really care whether that privacy tool is the one I made or not.”

Ironically, the same cryptocurrency culture that Halpin says brought so much attention from investors deterred Manning from getting involved earlier. Though she counts herself among the earliest bitcoin adopters, claiming to have mined cryptocurrency shortly after Satoshi Nakamoto activated it in 2009, she sold her bitcoin last year for decidedly nonmonetary reasons.

“I am not a fan of the culture around blockchain and cryptocurrency,” she says. “There’s a lot of large personalities that are very out there, like your Elon Musks and whatnot,” she says. “And it’s very, like, ‘Oh, we’re going to get rich off of blockchain.’ It’s very nouveau riche. Like a new-yuppies-bro-culture that’s surrounded it. It has gotten a little bit better in some corners. But I think that culture is what I’m talking about. It’s like Gordon Gekko, but blockchain.”

Michael del Castillo

Source: Chelsea Manning Is Back, And Hacking Again, Only This Time For A Bitcoin-Based Privacy Startup

Crypto Exchange And XRP Refuge Bitsane Vanishes, Scamming As Many As 246,000 Users

Ireland-based cryptocurrency exchange Bitsane disappeared without a trace last week, likely taking hundreds of thousands of users’ assets with it.

Account holders told Forbes that attempts to withdraw bitcoin, XRP and other cryptocurrencies began failing in May, with Bitsane’s support team writing in emails that withdrawals were “temporarily disabled due to technical reasons.” By June 17, Bitsane’s website was offline and its Twitter and Facebook accounts were deleted. Emails to multiple Bitsane accounts are now returned as undeliverable.

Victims of the scam are comparing notes in a group chat with more than 100 members on the messaging app Telegram and in a similar Facebook group. Most users in the groups claim to have lost up to $5,000, but Forbes spoke with one person in the U.S. who says he had $150,000 worth of XRP and bitcoin stored in Bitsane.

Bitsane’s disappearance is the latest cautionary tale for a cryptocurrency industry trying to shed its reputation as an unsafe asset class. Several exchanges like GateHub and Binance have been breached by hackers this year, but an exchange completely ceasing to exist with no notice or explanation is far more unusual.

Bitsane had 246,000 registered users according to its website as of May 30, the last time its homepage was saved on the Internet Archive’s Wayback Machine. Its daily trading volume was $7 million on March 31, according to CoinMarketCap.

“I was trying to transfer XRP out to bitcoin or cash or anything, and it kept saying ‘temporarily disabled.’ I knew right away there was some kind of problem,” says the user who claims to have lost $150,000 and asked to remain anonymous. “I went back in to try to look at those tickets to see if they were still pending, and you could no longer access Bitsane.”

At the height of the cryptocurrency craze in late 2017 and early 2018, Bitsane attracted casual investors because it allowed them to buy and sell Ripple’s XRP, which at the time was not listed on Coinbase, the most popular U.S. cryptocurrency exchange. CNBC published a story on January 2, 2018 with the headline “How to buy XRP, one of the hottest bitcoin competitors.” It explained how to buy bitcoin or ethereum on Coinbase, transfer it to Bitsane and then exchange it for XRP.

Three of the five Bitsane users Forbes spoke to found out about the exchange through the CNBC article. Ripple also listed Bitsane as an available exchange for XRP on its website until recently. A Ripple spokesperson did not respond to a request for comment.

Bitsane went live in November 2016 according to a press release, registering in Dublin as Bitsane LP under CEO Aidas Rupsys, and its chief technology officer was Dmitry Prudnikov. Prudnikov’s LinkedIn account has been deleted, and neither he nor Rupsys could be reached for comment.

A separate company, Bitsane Limited, was incorporated in England in August 2017 by Maksim Zmitrovich. He wanted to own the intellectual property rights to part of Bitsane’s code and use it for a trading platform his company, Azbit, was building. Zmitrovich says Bitsane’s developers insisted that their exchange’s name be on the new legal entity he was forming. But Azbit never ended up using any of the code since the partnership did not materialize, and Bitsane Limited did not provide any services to Bitsane LP.

On May 16, Bitsane Limited filed for dissolution because Zmitrovich wasn’t doing anything with it and the company’s registration was up for renewal. Some of the Bitsane exchange’s victims have found the public filing and suspected Zmitrovich as part of the scam, but he insists accusations against him are unfounded.

He says he hasn’t spoken to Prudnikov—who was in charge of negotiations with Azbit—in at least five months, and Prudnikov has not returned his calls since account holders searching for answers began contacting him. Azbit wrote a blog post about the Bitsane scam on June 13, explaining Bitsane Limited’s lack of involvement.

“I’m sick and tired of these accusations,” Zmitrovich says. “This company didn’t even have a bank account.”

The location of the money and whereabouts of any of Bitsane LP’s employees remain a mystery to the scam victims, who are unsure about what action to take next. Multiple account holders in the U.S. say they have filed complaints with the FBI, but all of them are concerned that their cash is gone for good.

I’m a reporter on Forbes’ wealth team covering billionaires and their fortunes. I was previously an assistant editor reporting on money and markets for Forbes, and I covered stocks as an intern at Bloomberg. I graduated from Duke University in 2019, where I majored in math and was the sports editor for our student newspaper, The Chronicle. Send news tips to htucker@forbes.com.

Source: Crypto Exchange And XRP Refuge Bitsane Vanishes, Scamming As Many As 246,000 Users

Critics:

Cryptocurrency and crime describes attempts to obtain digital currencies by illegal means, for instance through phishing, scamming, a supply chain attack or hacking, or the measures to prevent unauthorized cryptocurrency transactions, and storage technologies. In extreme cases even a computer which is not connected to any network can be hacked.

In 2018, around US$1.7 billion in cryptocurrency was lost due to scams, theft and fraud. In the first quarter of 2019, the amount of such losses was US$1.2 billion.

Exchanges

Notable cryptocurrency exchange hacks resulting in the theft of cryptocurrencies include:

  • Bitstamp: In 2015, cryptocurrencies worth $5 million were stolen.
  • Mt. Gox: Between 2011 and 2014, $350 million worth of bitcoin was stolen.
  • Bitfinex: In 2016, $72 million was stolen by exploiting the exchange wallet; users were refunded.
  • NiceHash: In 2017, more than $60 million worth of cryptocurrency was stolen.
  • Coincheck: NEM tokens worth $400 million were stolen in 2018.
  • Zaif: $60 million in Bitcoin, Bitcoin Cash and Monacoin was stolen in September 2018.
  • Binance: In 2019, cryptocurrencies worth $40 million were stolen.

Josh Garza, who founded the cryptocurrency startups GAW Miners and ZenMiner in 2014, acknowledged in a plea agreement that the companies were part of a pyramid scheme, and pleaded guilty to wire fraud in 2015. The U.S. Securities and Exchange Commission separately brought a civil enforcement action against Garza, who was eventually ordered to pay a judgment of $9.1 million plus $700,000 in interest. The SEC’s complaint stated that Garza, through his companies, had fraudulently sold “investment contracts representing shares in the profits they claimed would be generated” from mining.

Following its shutdown, a class action lawsuit for $771,000 was filed in 2018 against the cryptocurrency platform known as BitConnect, including the YouTube channels that promoted the platform. Prior fraud warnings regarding BitConnect and cease-and-desist orders by the Texas State Securities Board cited the promise of massive monthly returns.

OneCoin was a massive world-wide multi-level marketing Ponzi scheme promoted as (but not involving) a cryptocurrency, causing losses of $4 billion worldwide. Several people behind the scheme were arrested in 2018 and 2019.

BlockFi Mistakenly Deposits Outsized Bitcoin Payments

BlockFi, the crypto lending and trading business, mistakenly deposited large amounts of crypto to user accounts. The payments were associated with a promotion they were running, in which users would receive bonuses in USD stablecoins.

The promotion was intended to be “paid out in one lump sum in GUSD” according to their website. Instead, some accounts were paid the amount denominated in Bitcoin, with some receiving over 700 BTC (worth >$28,000,000 at current prices).

A screenshot from one affected user who withdrew the funds shows threat of possible legal action should they not be returned, and a pay-out of $500 should they return them by a set time.

BlockFi clearly has its hands full dealing with the mistakenly deposited bonus payments, and users have reported experiencing additional issues with the company’s services. The BlockFi subreddit is full of posts from individuals receiving the mistaken funds, having difficulty withdrawing, and being unable to trade. One user claims to have been falsely accused of withdrawing mistaken funds after withdrawing USDC which he or she had deposited a month earlier.

A statement by BlockFi noted that “fewer than 100 clients were incorrectly credited,” and “BlockFi has contacted these clients and is working with them to rectify the issue.”

There are risks with using centralized services like lending platforms and exchanges. These are especially well known by early Bitcoiners, who have witnessed a great number of hacks, exit scams, and insolvencies wipe out customer funds held by large custodians.

BlockFi claims that “client funds are not impacted and are safeguarded.” After raising a recent $350 million funding round, the company likely has large pools of capital to pull from should they be unable to recoup any of the mis-credited funds from users who withdrew to personal wallets.

I am the Director of Research and Development at Inca Digital, a data and intelligence provider in the digital asset space. I use Inca’s proprietary data system, NTerminal, to aggregate and analyze structured and unstructured data.

Before Inca, I helped start up a pharmacogenetics laboratory and worked in neurodegenerative research. My scientific background influences the way that I think about complex systems such as blockchain networks, and the models used to understand them.

Source: BlockFi Mistakenly Deposits Outsized Bitcoin Payments

Reversing the excess bitcoin rewards

One user who reached out to CoinDesk said they received a large sum of BTC in their account which they thought was a reward for referring their friends – so they sent it to their cold storage wallet. BlockFi’s previous promotion was, indeed, a friend referral promotion which offered (albeit small) BTC rewards.

The user said that after looking at the transaction in more detail, they realized it was an error, so they requested a cancellation of the withdrawal. The cancellation request was confirmed via email and their account shows the BTC transaction was reversed, with a note specifying they had reversed the bonus transaction. Nevertheless, the user said the bitcoin reward ended up in their cold storage wallet. They shared these documents with CoinDesk, and the blockchain shows that the funds were indeed transferred to their wallet address.

The next day, they received a phone call and an email (which CoinDesk has reviewed) from BlockFi threatening legal action if they didn’t return the funds, but also offering $1,000 worth of the stablecoin GUSD for any trouble this may have caused.

Other users on Reddit posted images of BlockFi’s “generous” giveaway, with one deposit amounting to over 700 BTC. That transaction, according to the user, was reversed. Another said their friend received 5 BTC and was, in fact, able to move it off the platform.

Yet another user said they received both BTC and GUSD, only to have the BTC reversed. The GUSD remained, but a couple of days later when they tried to withdraw some USDC, a different stablecoin they had deposited a month earlier, BlockFi sent an email accusing them of withdrawing funds that weren’t theirs.

Turkey Crypto Exchange CEO Flees Country As Probe Is Launched

Turkish Crypto Exchange Exit Scam: CEO Flees Country, 62 People Detained, Users Cannot Access $2 Billion of Funds

One of Turkey’s largest cryptocurrency exchanges said it lacked the financial strength to continue operations, leaving hundreds of thousands of investors fearing their savings have evaporated as authorities sought to locate the company’s 27-year-old founder, who fled the country.

Confusion reigned about how many users of the Thodex exchange were affected and how much money was at stake. In a statement from an unknown location, Thodex Chief Executive Officer Faruk Fatih Ozer promised to repay investors and to return to Turkey to face justice after he did. The government moved to block the company’s accounts and police raided its head office in Istanbul.

Losses could be as high as $2 billion, according to Haberturk newspaper, and a lawyer for the victims said the money invested by about 390,000 active users had become “irretrievable.” Both figures have been disputed by Ozer. About 30,000 users have been impacted, he said in a statement on the company’s website on Thursday.

While authorities and customers tried to work out the details of what happened, a senior official in President Recep Tayyip Erdogan’s office called for rapid regulation of the crypto market. Globally, the surge in the prices of digital tokens has been accompanied by convictions and regulatory measures after various scams tied to trading platforms.

The Turkish government should take action “as soon as possible,” Cemil Ertem, a senior economic adviser to Erdogan, told Bloomberg. “Pyramid schemes are being established. Turkey will undoubtedly carry out a regulation that’s in line with its economy but also by following global developments.”

Police searched the company’s Istanbul offices and seized materials on Thursday. Arrest warrants have been issued for 78 suspects and police have so far detained 62 people in eight cities, including Istanbul, in connection to the case.

Cryptocurrencies have recently gained popularity among some Turkish citizens looking to protect their savings from soaring inflation and a sinking lira. Turkey’s central bank recently banned the use of cryptocurrencies as a means of payment. President Recep Tayyip Erdogan has called for swift regulation of cryptocurrencies, warning of the rising number of pyramid schemes in the crypto markets.

Alternative Investments

Thodex was part of the cryptocurrency boom that has drawn in legions of Turks seeking to protect their savings from rampant inflation and an unstable currency. Inflation hit 16.2% in March, more than three times the central bank’s target of 5%. The Turkish lira has weakened 10% against the dollar this year, its ninth consecutive year of losses.

Source: Turkey: Crypto exchange CEO flees country as probe is launched | Business and Economy News | Al Jazeera
