In what some will undoubtedly characterize as just the latest example of the sordid underbelly of the world of “cryptocurrencies” peeking through, BTC Core developer Luke Dashjr last night reported the theft of millions of dollars of BTC from a private server he operated. On New Year’s Eve, four transactions moved a total of 216.9 BTC—valued at $3.6 million at the time of publication—to a single address that Dashjr says belongs to the attacker.
PSA: My PGP key is compromised, and at least many of my bitcoins stolen. I have no idea how. Help please. #Bitcoin
A visible public presence in the BTC community, Dashjr is the longest-serving developer still actively working on BTC Core—having been a contributor since 2011. In addition to his work with BTC Core, Dashjr is the lead developer of the Bitcoin Knots node software and was a co-founder of Blockstream back in 2014. That is to say, Dashjr is a seasoned and experienced member of the space—and one who by all accounts knows his stuff—which has made it all the more troubling for the general digital asset community that he was able to be hacked at such great personal cost.
But if you’ve been paying attention, it shouldn’t come as a surprise.
Just like in the physical world, those who have the most will always have the biggest targets on their back. And that goes doubly so for those who eschew the shield of anonymity and operate in the open.
A familiar MO
The theft of Dashjr’s BTC in many ways echoes that of Dr. Craig Wright, where in February 2020, his personal computer was hacked and the private keys to two addresses—the so-called 1Feex and 12ib7 addresses—holding a veritable fortune of BTC (a combined 111,000 BTC or $1.85 billion at time of publication) were audaciously stolen from his Surrey home.
Much like Dr. Wright, Dashjr has been a repeated target of hackers looking to misappropriate his own BTC fortune, with several known intrusions on computers and servers that he controlled prior to the successful theft.
In November, Dashjr reported that a server he operated had been compromised, with several remote shell backdoors detected, leading to him issuing a blanket warning to users of his Bitcoin Knots node and wallet software to take extra precautions—an action he again repeated today.
“Confirmed presence of new malware/backdoors on the system, no evidence yet that it was used for anything, but be extra careful,” said Dashjr following the November encroachment.
“Further investigation is suggesting this is not a bog standard trojan, but something created specifically for compromising my server.”
Dashjr went on to reveal that the source of that infiltration was not just a sophisticated online attack, but one that had been initiated by a criminal with physical access to the server using external media—such as a USB stick or hard drive—to boot from and compromise his private files.
Then again, on Christmas day, Dashjr reported that his server had once more been improperly accessed. Whether either of these attacks was a test run or a precursor to the New Year’s Eve coin theft is not yet clear. But what we do know is that the same attack vector was employed by the offenders, with Dashjr confirming that “the only possible explanation is they had access to my machine live.”
Dashjr’s experiences read eerily similar to that of Dr. Wright, who was first the likely victim of a physical burglary of his private residence as a precursor to the billion-dollar heist of his assets.
“Although I cannot be sure how the hacking occurred, I suspect that it was through (in combination, among other things) a wireless router which I found located in a discreet location in my home, and which does not belong to my family or me,” Dr. Wright explained.
“I believe that it must have been planted there by the hackers, either when tradesmen were in our home or by breaking in.”
And just like in the case of Dr. Wright—for all of the technical nous and connections within the industry that both men possess—in the face of theft and great loss, Dashjr did what any reasonable person could be expected to do: he turned to law enforcement.
But also like Dr. Wright, Dashjr will be all too aware that the options law enforcement has at their disposal are limited, to say the least. The legislation necessary to remedy such a breach has still not been formulated in any jurisdiction, let alone be close to becoming law. Attempts to establish common law precedent remain a work in progress and are being actively opposed by Dashjr’s fellow BTC Core developers in the U.K. court system.
They didn't care
So, for the time being, Dashjr—again, just like Dr. Wright—will be forced to play a waiting game while no doubt obsessively monitoring the movement of the stolen coins.
The termites come out of the woodwork
While it won’t come as a surprise to those that have been in the space for any reasonable amount of time, the misfortune of a high-profile figure in “cryptocurrency” circles almost always spells opportunity for the grifters of the industry, with the Dashjr theft just the latest example.
Binance CEO Changpeng “CZ” Zhao was quick to take to Twitter after news of the hack broke, offering the unsolicited services of his exchange to help track down the attacker and mitigate losses.
Sad to see even an OG #Bitcoin Core Developer lost 200+ BTC ($3.5 million). Self custody have a different set of risks.
We will try to monitor and see where we can help. 🙏 https://t.co/9eGZ7AFgC2
— CZ 🔶 Binance (@cz_binance) January 1, 2023
Sorry to see you lose so much. Informed our security team to monitor. If it comes our way, we will freeze it. If there is anything else we can help with, please let us know. We deal with these often, and have Law Enforcement (LE) relationships worldwide.
— CZ 🔶 Binance (@cz_binance) January 1, 2023
But of course, anybody with knowledge of CZ and how he conducts business is all too familiar that altruism isn’t a word within his verbiage. Instead, he used the headlines as an opportunity to shoehorn in the messaging from a “follower” and amplify it to his own audience of more than 8 million that the hack of Dashjr was yet another sign that digital asset users should not self-custody.
The unsaid part of that message is that they should instead trust centralized exchanges like Binance to custody their assets for them to insulate against the risk of bad actors. That sure worked out well for the customer base of the last high-profile exchange CEO advocating a similar stance on social media (ahem Sam Bankman-Fried).
No, the solution to eliminating bad actors from the digital asset space and protecting the property rights of its users is most certainly not imparting more trust in grifters who have demonstrated time and time again that they are unworthy of it.
The solution is for the industry to finally grow up and get serious about inviting, not resisting, regulation.
Regulation is the remedy
The reality is that the theft of Dashjr’s BTC is yet another chapter in an ever-growing collection of tales illustrating the clear need for legislation and regulation in the blockchain and digital asset realm—not just to rid the space of bad actors and scam artists, of which there are plenty—but to introduce the protection and surety for end users of the technology that stands as both an obvious precursor and current barrier to true mass adoption.
The distinct lack of regulation becomes an increasingly pressing issue with each headline-grabbing theft, pushing the prospect of the truly transformational potential of blockchain further and further away. As it stands, individuals who fall victim to the malicious actors which populate the space, have no established recourse to enforce their property rights nor mechanism to return what rightfully belongs to them—an unfortunate lesson that Dashjr is learning in real-time.
Property rights have been an essential element to a fair, just, and secure society in the physical world for centuries. So why is this not the case in the digital space? By setting clear regulations and guidelines for digital assets—including a framework for recovering misappropriated property and providing restitution—we have the ability not only to dissuade criminals, but to engender real confidence in blockchain technology and the digital space as a whole.
But with lawmakers the world around shying away from tackling the issue head-on (and in the process giving tacit approval to the contemporary situation), the first real strides in this area—particularly with regards to the issues of recovery and remedy—have been taken by the father of Bitcoin himself, Dr. Craig Wright.
In 2021, Dr. Wright initiated action on behalf of Tulip Trading Limited against a cabal of BTC Core developers, in an effort to obligate them to rightfully restore the BTC that was stolen from him in the elaborate hack and home invasion the year prior. In the process, this would establish a common law precedent concerning property rights and their application to digital assets.
Refusing to negotiate with Dr. Wright in good faith, the BTC Core developers instead decided that a courtroom was the proper venue to adjudicate these issues—despite the inherent contradiction that represents to many of their self-described anarchistic principles.
One of the key tenets of the BTC Core developer’s arguments against returning Dr. Wright’s BTC that was stolen was that they lacked the ability to make changes to the node software and even if they could, that nodes on the network would refuse to adopt the new software resulting in a fork of the chain—a position that Dr. Wright has strongly opposed, as set out in the decision of the Chancery Court:
“Dr. Wright maintains that it is not technically difficult for a patch to the computer code that operates the relevant Network to be developed which would have the effect of transferring the digital assets to which access has been lost to a new address. That new address would have a (new) private key, which the rightful owner could then use to regain access to their digital assets, and a public key.”
That case is presently under consideration by the U.K. Court of Appeal, as the BTC Core Developers try to slither out of giving Dr. Wright his day in court on a jurisdictional technicality. A decision is expected in the coming weeks and months, which may provide leave for the next real evolution in common law around property rights in the digital asset space.
It’s time for tools not talk
But while well-paid lawyers continue to battle over the semantics of the case, the Bitcoin Association for BSV has put in place the infrastructure that will demonstrate exactly what Dr. Wright said could be done to remedy stolen coins and disprove what BTC developers insisted was impossible.
In October, BA introduced the Blacklist Manager and Notary Toolset to the Bitcoin SV node software, the first tools in an eventual suite of software designed and engineered to enforce property rights for digital assets. With a valid court order or legal equivalent that has been notarized into machine-readable format and broadcast across the network, BSV nodes will be able to receive and action legal freezing requests—and in time—return digital assets to their rightful owners, a paradigm shift in the narrative that has been perpetuated since rogue developers removed the alert key functionality from Bitcoin.
“Bitcoin Association and the broader BSV ecosystem do not believe that “code is law”. All the laws in the classical sense still apply to blockchain technology and therefore BSV. If someone has a valid right to digital assets but doesn’t have the technical means to access them, there should be a way to recover access to those assets,” explained Marcin Zarakowski, Managing Director at Bitcoin Association for BSV.
“If we want to have a massive adoption of blockchain technology by the corporate world, large firms, banks, and governments, there needs to be a way to recover lost or stolen assets.”
The digital asset space is eagerly awaiting the first test case for the use of the full digital asset recovery process on the BSV network, with expectations that it will serve as an example—to the courts and to the wider digital asset space alike—both as to what is possible and how these situations can and should be remedied. Whether that will occur soon enough to provide some respite to Dashjr remains to be seen. But in the interim, Dr. Wright has extended an olive branch of the benefit of his experience in this nascent arena to the embattled developer, should he be willing to accept it.
If he wants help.
— Dr Craig S Wright (@Dr_CSWright) January 1, 2023
For the sake of the entire digital asset sector, I for one am hoping that he does, as it gets everyone a major step closer to an honest and equitable environment in which blockchain technology can thrive.
Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups—from BitMEX to Binance, Bitcoin.com, Blockstream, ShapeShift, Coinbase, Ripple,
Ethereum, FTX and Tether—who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.