Craig Wright is not Satoshi Nakamoto. He wasn’t Satoshi Nakamoto before or after Wired and Gizmodo suspected him to be last year, and he still isn’t Satoshi Nakamoto after trying to reveal himself to be on his own blog and to The BBC, The Economist, GQ, Jon Matonis and Gavin Andresen.
There is a long and fraught history in Bitcoin of claims and counterclaims about who Satoshi is, and one would think that lessons had been learned and a high standard would be set for subsequent claims regarding Satoshi Nakamoto. The proof posted today by Wright and others does not meet any standard for identifying him as Nakamoto.
Bitcoin is a currency based on cryptography. The ownership of coins can be proven cryptographically and verified by any network participant in a process that is at the very core of Bitcoin. The latest proof offered by Wright cannot be verified independently or cryptographically. On the contrary, the efforts made today by Wright are the latest in an expanding list of falsehoods and fabrications.
Below I’ll outline all of the evidence to date pointing towards Wright as Nakamoto, and then run through a list rebutting each point and offering further evidence that Wright is not Nakamoto.
If there is anything here I’ve missed – please leave a comment or email me.
- 1. The Evidence for Craig Wright being Satoshi Nakamoto
- 2. The Evidence against Craig Wright being Satoshi Nakamoto
- 3. Conclusion
1. The Evidence for Craig Wright being Satoshi Nakamoto
1. There is the evidence in the original Wired and Gizmodo reports from last year. Namely:
- Wright told a number of people that he was Satoshi, and he made reference to it in private emails.
- During a conversation with the Australian Tax Office (who are currently investigating him – more on that later) Wright said “I did my best to try and hide the fact that I’ve been running bitcoin since 2009,”
- Wright made a number of blog posts from his personal blog mentioning the upcoming release of Bitcoin. These posts turned out to be backdated.
- Wright had access to a Satoshi Nakamoto PGP key. The key turned out to be a fake and had been generated by Wright using a different email address and backdated on the PGP key server.
- There are emails in the Wright leak that are dated prior to Bitcoin’s release where he makes reference to an upcoming “p2p distributed ledger” paper he is working on.
- Wright claimed to be a holder of a large number of Bitcoin. He seeded an investment into a firm he founded, Hotwire, with $30 million worth of Bitcoin.
- In an email reply to Wired, Wright suggested he was Nakamoto when saying “I have moved on to other things”
- Based on his academic credentials and work history Wright has the ability to conceive of and build Bitcoin
- Through a company, Wright built and ran two supercomputers that ranked in the official TOP500 list – including the most powerful privately owned supercomputer.
- The documents hacked from Wright include a legal agreement between him and Dave Kleiman, now deceased, where Wright transferred to Kleiman 1.1 million Bitcoin for the purpose of establishing an offshore trust
- The 1.1 million Bitcoin figure is close to most estimates on the total Bitcoin holding of Satoshi Nakamoto
2. The proof offered by Craig Wright in a blog post he made today coming out as Satoshi Nakamoto. In the post he described how he has used 10 private keys associated with Bitcoin addresses known to be held by Satoshi Nakamoto to sign messages offered up by a number of individuals. Wright provides shell scripts (bizarrely in the format of a screen shot of the scripts) that can be used to verify the messages he has signed.
3. Jon Matonis, founder of the Bitcoin Foundation, wrote a blog post where he details how he met Craig Wright and verified that he is Satoshi. Matonis details how he met Wright at a conference in Sydney months before the Wired article and told his wife that he had a feeling he had just met Satoshi. Matonis was invited to take part in a session in London organized with a number of media organizations together with Wright where he claims to have verified Wright as Satoshi using a number of methods. First, Wright signed and verified a message using keys from block #1 and block #9. Matonis, further – from the post:
During the London proof sessions, I had the opportunity to review the relevant data along three distinct lines: cryptographic, social, and technical. Based on what I witnessed, it is my firm belief that Craig Steven Wright satisfies all three categories. For cryptographic proof in my presence, Craig signed and verified a message using the private key from block #1 newly-generated coins and from block #9 newly-generated coins (the first transaction to Hal Finney). The social evidence, including his unique personality, early emails that I received, and early drafts of the Bitcoin white paper, points to Craig as the creator. I also received satisfactory explanations to my questions about registering the bitcoin.org domain and the various time-of-day postings to the BitcoinTalk forum. Additionally, Craig’s technical working knowledge of public key cryptography, Bitcoin’s addressing system, and proof-of-work consensus in a distributed peer-to-peer environment is very strong.
4. Gavin Andresen, a Bitcoin core developer who took over the project from Nakamoto, posted that he also participated in the London sessions and was satisfied that Wright is Nakamoto:
I was flown to London to meet Dr. Wright a couple of weeks ago, after an initial email conversation convinced me that there was a very good chance he was the same person I’d communicated with in 2010 and early 2011. After spending time with him I am convinced beyond a reasonable doubt: Craig Wright is Satoshi.
Part of that time was spent on a careful cryptographic verification of messages signed with keys that only Satoshi should possess. But even before I witnessed the keys signed and then verified on a clean computer that could not have been tampered with, I was reasonably certain I was sitting next to the Father of Bitcoin.
5. There were 3 media outlets involved in the exclusive unveiling of Wright as Satoshi. The Economist concluded: “Our conclusion is that he could well be Mr Nakamoto, but that nagging questions remain.” The BBC interviewed Wright and asked him about the tax investigation in Australia amongst other things. The London Review of Books has a preview of a feature about Wright up on their website. They state:
News of Craig Wright’s ownership and use of Satoshi Nakamoto’s private keys, verified by central figures in the bitcoin community, will be reported today by the BBC and the Economist. The full, long-form account will be published here later this month.
So far the reporting from these organizations offers little direct evidence itself of Wright being Nakamoto – they have relied on the testimony of Andresen and Matonis to satisfy themselves. Wright also performed the same block #1 and block #9 message signing for The Economist.
6. Evidence published since the original news reports and blog posts today. So far this involves a comment from Gavin Andresen on a reddit thread where he adds to his prior blog post about how Wright’s claims were verified by stating:
Craig signed a message that I chose (“Gavin’s favorite number is eleven. CSW” if I recall correctly) using the private key from block number 1.
That signature was copied on to a clean usb stick I brought with me to London, and then validated on a brand-new laptop with a freshly downloaded copy of electrum.
I was not allowed to keep the message or laptop (fear it would leak before Official Announcement).
I don’t have an explanation for the funky OpenSSL procedure in his blog post.
and a followup interview he conducted with Wired where he offers more detail of the process used to verify Wright’s claim:
Andresen says he demanded that the signature be checked on a completely new, clean computer. “I didn’t trust them not to monkey with the hardware,” says Andresen.
Andresen says an administrative assistant working with Wright left to buy a computer from a nearby store, and returned with what Andresen describes as a Windows laptop in a “factory-sealed” box. They installed the Bitcoin software Electrum on that machine. For their test, Andresen chose the message “Gavin’s favorite number is eleven.” Wright added his initials, “CSW,” and signed the message on his own computer. Then he put the signed message on a USB stick belonging to Andresen and they transferred it to the new laptop, where Andresen checked the signature.
At first, the Electrum software’s verification of the signature mysteriously failed. But then Andresen noticed that they’d accidentally left off Wright’s initials from the message they were testing, and checked again: The signature was valid.
2. Evidence against Craig Wright being Satoshi Nakamoto
Wired and Gizmodo, along with a number of other news outlets, went on to debunk large parts of the evidence supporting Wright as Nakamoto, and further discovered evidence that Wright may have been manipulating and falsifying evidence in support of the claim:
- Wired found that Wright had manipulated and planted the old blog posts:
- Bitcoin developer Greg Maxwell found that the PGP key controlled by Wright and believed to be Satoshi’s was generated using PGP cipher-suites not available at the time:
Incidentally; there is now more evidence that it’s faked. The PGP key being used was clearly backdated: its metadata contains cipher-suites which were not widely used until later software.
and the Wright-Nakamoto key wasn’t on the keyserver at that date:
This key was also not on the keyservers in 2011 according to my logs; which doesn’t prove it was backdated, but there is basically no evidence that it wasn’t and significant evidence that it was. And it’s not turning up in any of the older key server dumps.
- In a press release for his company CloudCroft, which owned the two super computers, Wright claimed to be in a strategic partnership with SGI, even quoting an SGI executive:
In the coming years, we will be looking to expand our involvement in the region with the creation of a combined CuDA/Xeon Phi hybrid system that we are looking to develop in conjunction with SGI. Success in this endeavor would make Australia a global leader in HPC technology as well as in the emerging crypto-currency financial fields.
Mr McKeon of SGI has stated that they “look forward to a long, sustained relationship” and that together our companies will reach the highest ranks of the Top500 list.
SGI told Forbes that Cloudcroft has never been an SGI customer, and they have no relationship with the company or with Craig Wright.
- On his LinkedIn profile, Wright claimed to hold two PhDs from Charles Sturt University. The University told Forbes that it never granted Wright those PhDs.
- It is known that Wright told a small number of people that he was Nakamoto. This group seemed limited to a small number of executives in his company, some investors and then the Australian authorities – who were questioning him at the time about his large tax rebates. Being Nakamoto suited Wright in some circumstances, and his claims today that he didn’t seek to be known as Nakamoto don’t match with him mentioning it to the Australian Tax Office.
Craig Wright is being investigated by the Australian Tax Office and appears to be accused of tax fraud. Wright operated under a number of different companies: Hotwire, DeMorgan, CloudCroft, Panopticrypt, Coin-Ex, Denariuz and at least a couple of others. We know that on the day the Wired and Gizmodo stories were written that Wright’s home and office in Sydney were raided by agents investigating for the Australian Tax Office. It was speculated that this was because of Wright’s Bitcoin holdings, and Wright told The BBC he was “being audited”, but documents from the administrators of Wright’s companies tell a different story.
The administrators’ note from May 2014 details what Hotwire did:
The Company’s main activity was the acquisition of various e-learning and e-payment software and undertaking research and development work in respect of this software and for software owned by related entities
how it was funded:
The Directors have advised that $30 million was subscribed to by the shareholders in paid up capital and this was injected via Bitcoins
and how that funding was spent:
The Company applied its equity as follows:
– $29 million to acquire software from the Wright Family Trust (“the Trust”); and
– $1 million to fund day to day trading activities.
What Wright did was establish a company for the purpose of carrying out research and development on e-learning software it had acquired from Wright’s own trust. Wright would inject $30 million in Bitcoin to fund the company, $29 million of which would be paid to Wright’s trust to acquire the software and $1 million of which would fund operational costs – including an office in Sydney and 40 employees.
The purpose for the structure and why someone could commit fraud in this way becomes clear in the next action the company takes:
Further to incurring a range of expenses, the Company lodged its GST return for the September 2013 quarter, claiming a GST refund of $3.1 million (“the GST refund”). After various discussions and correspondence, the ATO issued a notice to the Company on 20 January 2014 notifying that it intended to withhold the refund pending further verification of transactions and the treatment of Bitcoin.
The sales tax (GST) component of the $29 million invested by Wright into the company was eligible for a refund. Thus by shuffling around some Bitcoin between entities you control yourself, it is possible to trigger a sales tax refund (in real cash).
Another Wright entity, DeMorgan, made the largest ever R&D tax concession claim in Australia – as per their own press release. The R&D tax concession is a program in Australia where companies investing in R&D are eligible for a 45% tax refund on each dollar spent. We know now that the supercomputers that were claimed to be part of this spending didn’t exist, so it is possible that the refund was an attempt to make a false claim.
While it is still early in the investigations against Wright’s companies, one can come away from reading about his firms with the conclusion that their primary business was to seek tax refunds from the government, and that most of the businesses were set up precisely for this. The administrators in the Hotwire company said as much when they described almost the entirety of the firm’s assets as two outstanding refunds from the tax office (one of which, a sales tax refund, was later declined and a penalty of $1.7 million was applied to the company).
How this relates to the Nakamoto claim from Wright is potentially also the motive behind his actions. It suited Wright to be Nakamoto when he needed to raise money from investors, or to talk his way out of a problem. Nakamoto, as most know, is sitting on hundreds of millions of dollars worth of Bitcoin – investors and regulators could view this as a security – and it was in this context that Wright mentioned his ‘running’ Bitcoin to the authorities.
On the other hand, it doesn’t suit Wright for a large number of people to know he is Nakamoto – as, unlike investors, lawyers and regulators – he would eventually bump into somebody who would challenge him on the claim and require some form of hard proof.
In terms of why the story of Wright being Nakamoto was made public I can offer a few theories. The first is that one too many people found out and one of them, potentially a disgruntled employee or investor, decided to leak as an act of revenge. The second theory is that Wright, knowing it was over for his companies and that authorities were closing in, concocted the leak himself as the first step towards a new life in London as Satoshi Nakamoto (Wright fled Australia and has not returned).
Wright’s investments in his ventures and the other related-party transactions involved the transfer of Bitcoin worth millions of dollars. I have been unable to locate a transaction on the blockchain – but there was a lot of price volatility at the time which requires a more exhaustive search of the blocks from the September quarter in 2013. But Wright should be able to point to this transaction, or any other transaction involving large sums of Bitcoin that he was involved in (we know that this $30 million transfer did not come from the known Satoshi coins).
The story of Wright as Nakamoto is intricately linked with the story of Wright as the founder of a number of startup ventures that failed and the resulting tax issues. We will never completely understand the motives here until the full scope of what happened at these companies is understood and the Australians have completed their investigation.
The experience of those who have worked for or know Craig Wright. Sydney is a global city but in many ways it is a small town – I found out after the Wired report that I knew two people who had worked for Wright. Since the stories published today I have come to hear – either directly or second-hand – from a number of other people who either worked for or knew Wright. The conclusion is near-unanimous: Wright is not Satoshi Nakamoto, and is not capable of being Satoshi Nakamoto. One friend described how Wright is so convincing that even though he knew he wasn’t capable of creating Bitcoin, he would at times even doubt himself. Another said that Wright has everybody convinced for at least a short period – but then it begins to unravel as his actions do not match his word. He came away from his experience convinced that Wright is a fraud. Yet another person who worked for Wright characterized him (via a third-party) as “the best conman I’ve ever met”
4. The problems with Wright’s blog post offering proof today. The most important, found by JoukeH on reddit, is that the signature Wright offers as proof is from a much later Bitcoin transaction and is not a signature of the Sartre text. The details are explained in this reddit post:
JoukeH discovered that the signature on Craig Wright’s blog post is not a signature of any “Sartre” message, but just the signature inside of Satoshi’s 2009 Bitcoin transaction. It absolutely doesn’t show that Wright is Satoshi, and it does very strongly imply that the purpose of the blog post was to deceive people.
So Craig Wright is once again shown to be a likely scammer. When will the media learn?
Take the signature being “verified” as proof in the blog post:
MEUCIQDBKn1Uly8m0UyzETObUSL4wYdBfd4ejvtoQfVcNCIK4AIgZmMsXNQWHvo6KDd2Tu6euEl13VTC3ihl6XUlhcU+fM4=
Convert to hex:
3045022100c12a7d54972f26d14cb311339b5122f8c187417dde1e8efb6841f55c34220ae0022066632c5cd4161efa3a2837764eee9eb84975dd54c2de2865e9752585c53e7cce
Find it in Satoshi's 2009 transaction:
https://blockchain.info/tx/828ef3b079f9c23829c56fe86e85b4a69d9e06e5b54ea597eef5fb3ffef509fe?format=hex
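The check described in the quoted post, written out as an added example (it is not code from the reddit post or from Wright's blog): it decodes the base64 signature, parses the DER-encoded ECDSA (r, s) pair, and looks for the same pair in a transaction input script. The function names and the scriptSig fragment are constructed for illustration; the real transaction bytes are at the URL above and are not reproduced here.

```python
import base64

# Values quoted in the reddit post above.
BLOG_SIG_B64 = ("MEUCIQDBKn1Uly8m0UyzETObUSL4wYdBfd4ejvtoQfVcNCIK4AIg"
                "ZmMsXNQWHvo6KDd2Tu6euEl13VTC3ihl6XUlhcU+fM4=")
POSTED_HEX = ("3045022100c12a7d54972f26d14cb311339b5122f8c187417dde1e8efb6841f55c34220ae0"
              "022066632c5cd4161efa3a2837764eee9eb84975dd54c2de2865e9752585c53e7cce")

# Constructed sample, NOT copied from the real transaction: one data push
# (0x48 = 72 bytes) holding the 71-byte DER signature plus a 0x01
# SIGHASH_ALL byte, which is the layout of a pay-to-pubkey input script.
CONSTRUCTED_SCRIPTSIG = "48" + POSTED_HEX + "01"


def parse_der_ecdsa(sig: bytes) -> tuple:
    """Strictly parse DER SEQUENCE { INTEGER r, INTEGER s } and return (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if sig[1] != len(sig) - 2:  # short-form length only; enough for secp256k1
        raise ValueError("SEQUENCE length does not match the data")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected an INTEGER")
        n = sig[pos + 1]
        body = sig[pos + 2: pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("truncated INTEGER")
        if body[0] & 0x80:
            raise ValueError("negative INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]


def der_signatures_in_script(script: bytes) -> list:
    """Return (r, s) for every direct push that is a DER signature + sighash byte."""
    found, pos = [], 0
    while pos < len(script):
        op = script[pos]
        if not 1 <= op <= 75:   # only direct pushes are handled in this example
            break
        push = script[pos + 1: pos + 1 + op]
        if len(push) != op:     # truncated script
            break
        pos += 1 + op
        try:
            found.append(parse_der_ecdsa(push[:-1]))  # drop the sighash byte
        except ValueError:
            pass                # a public key or other pushed data
    return found


def is_replayed(sig_b64: str, script_sig_hex: str) -> bool:
    """True if the offered signature already appears in the given input script."""
    offered = parse_der_ecdsa(base64.b64decode(sig_b64, validate=True))
    return offered in der_signatures_in_script(bytes.fromhex(script_sig_hex))


if __name__ == "__main__":
    raw = base64.b64decode(BLOG_SIG_B64, validate=True)
    print("hex matches post:", raw.hex() == POSTED_HEX)
    r, s = parse_der_ecdsa(raw)
    print("r =", hex(r))
    print("s =", hex(s))
    print("already in script:", is_replayed(BLOG_SIG_B64, CONSTRUCTED_SCRIPTSIG))
```

A signature that turns up in an existing transaction was made over that transaction's digest, so presenting it says nothing about who holds the key today; only a signature over a fresh, verifier-chosen message does.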
- In the shell script provided by Wright in his blog post there was a simple error that would cause the script to not run. (via a throwaway account on reddit)
- In his blog post, Wright quotes a single-line command that can be used to validate the signature:
>> base64 --decode signature > sig.asn1 & openssl dgst -verify sn-pub.pem -signature sig.asn1 sn7-message.txt
but it uses a single & rather than && to join the commands (via syadasti on reddit)
- Wright “provides” his two shell scripts as screenshots of the files open in Notepad – which is an inconceivably bad way to provide it. He spends a lot of time in his blog post explaining the most mundane details but completely fails to provide the core of what was required of him: reproducible proof that he is in control of a private key that only the real Satoshi Nakamoto would have. He seems to go out of his way to obfuscate the process, redirect attention and make it as complicated as possible.
- In a blog post titled “Is Craig Wright?”, Adam Goucher highlights some of the technical errors Wright made in his blog post:
his blog post is rather suspicious, as it contains various misconceptions that one would not expect from an expert in the field, let alone the originator of Bitcoin.
Several paragraphs into the post, he begins discussing technical details and making various errors
It is worth reading – it covers a number of points.
The time gap between Wright being named and him coming out today. Why did it take Wright almost 6 months? Proving the ownership of addresses does not require so much time – it is a standard feature in many clients and certainly isn’t beyond what the creator of Bitcoin could do in a matter of minutes. Why did it have to be co-ordinated on an exclusive basis with three media organizations and two witnesses? Wright also claims to want to “keep his head down” and not seek the attention of the media. He told the BBC that he doesn’t want money and he doesn’t want fame – yet he said this during an elaborate and stage-managed exclusive media event organized by an agency on Wright’s behalf and involving months of negotiation.
There is very little, if anything, in open source intelligence that connects Wright with Nakamoto. Researching based on nothing but what is publicly known about Nakamoto and Wright would not lead any reasonable researcher to conclude that the two are linked, or even suspected of being linked. Many others have written about this extensively – from differences in style and writing through to Wright’s casual disregard for the correct spelling of words (this also rules me out as being Nakamoto).
In the blog posts from Jon and Gavin, they don’t provide any hard proof that can be verified by outside parties or reproduced. In a case where the claimant has been shown to have previously fabricated evidence, it is inconceivable that a session would be held for the purpose of finally verifying his identity and validating his claims and without one of the outcomes of that meeting being evidence that can be verified independently by outside parties.
Further, the evidence offered so far does not meet Gavin’s own previous statements on the evidence he would require from someone claiming to be Satoshi. He was recently quoted in Wired:
Gavin Andresen, one of the few people in the world who’s corresponded by email with Satoshi Nakamoto before the bitcoin founder ghosted from the internet in 2011, has his own list of criteria for Wright to prove himself, which he first shared with the Financial Times, and it’s long. He wants messages signed with both Nakamoto’s PGP key and keys from early bitcoin blocks, private messages he sent to Andresen alone, and an emailed correspondence with Wright to get a feel for whether he’s the same person Andresen communicated with in Bitcoin’s early days. “It’d take multiple lines of evidence to convince me,” Andresen wrote in an email to WIRED.
What Wright did offer, in a process that was stage managed, was very specific. The most revealing aspect is that nobody who took part in the signature verification was allowed to take the signature with them. The reasoning offered for this was the risk that the news would leak early – but surely the risk in that was already present by inviting these parties to the session and allowing them to witness the signing process?
This should have been a huge red flag to anybody participating in this validation session. There is no reasonable conclusion to draw from the fact that Wright kept the resultant signatures to himself other than he was hiding something. Far too much of the process was in Wright’s control.
Note: this section is very speculative (edit: turns out possibly not so speculative)
It is also notable that the Electrum Bitcoin client was used to validate the messages signed by Wright. Electrum is a thin client that doesn’t retain its own complete copy of the blockchain, but rather sends queries to a server or set of servers and then processes the response. The advantage for bitcoiners, and the reason why Electrum has become popular, is that you don’t need to download an entire copy of the blockchain to use the application (currently at 55GB). The downside is that you’re shifting trust from your own local client to a server that you may not know much about.
A cursory glance at the source shows that SSL isn’t enforced in the communication between the client and the server, and if the client cannot connect to a server and protocol pair its failure mode is to keep trying the next set until it can connect.
This is worth investigating further – but it seems that, in theory, it would be possible to set up a fork of an Electrum server that responds to transaction public key, or signature validation queries with a fake key which would in turn produce an expected result. It would require a DNS hijack to point to the local fake Electrum server instance on a network controlled by Wright, and possibly blocking outbound connections to the SSL ports so that it fails and then falls back onto a cleartext connection.
Edit: A couple of people have pointed out that Electrum carries out signature verification on the client. Another pointed out that the way the story is told, the USB stick went to and from the new fresh computer that Electrum was installed on twice – which may suggest that the first time the signature was copied and the second the key. If the source address, the text and the signature were all provided then Electrum is doing nothing more than running as an alternative to OpenSSL or similar – it isn’t verifying the address/key against the blockchain, and it would depend on the participant to verify it. I don’t think we’ll have any answers here until what happened is clarified completely by those who were in the room. With the validation being done on the client, it could mean that despite being capable of much more, Electrum was used for nothing more than carrying out the signature validation process on a fresh computer.
Edit II: Andresen told Wired that Electrum was downloaded and installed on a fresh laptop. A developer for Electrum checked their logs and came back to say he couldn’t find a single download from the UK IP range for the .asc files used to verify package downloads. There are many potential explanations as to why he didn’t see or find the download, but it is definitely an interesting data point to take into consideration.
This gap in the testing procedure could have been avoided if someone had brought along a copy of the blockchain, or if the signatures were validated on a machine or network not controlled by Wright. It demonstrates why the testing and validation procedure should have been designed by an outside party, and the conditions negotiated by the participants prior to their acceptance.
For now I’m leaning towards assuming that Wright spent the months between December and today figuring out how to pull off this trick. I believe the trick was designed around a very narrow case where he creates the signatures on his laptop and then verifies them either on his laptop or using an Electrum client communicating with a server he controls. Any requests outside of these bounds would likely have been met with a response similar to the previous “you can’t do that because we’re worried about it leaking”.
Entirely plausible – and again, not proof of Wright as Satoshi.
MtGox suffered a number of breaches where user and trading data was leaked. On reddit users winlifeat and apoefjmqdsfls published Wright’s trading history on MtGox and it does not reflect the trades of the founder of Bitcoin who holds 1.1M coins:
Craig was user ‘e62d5e53-0dbc-44be-9591-725cd55ca9dd’ at the Mtgox exchange. With this identifier, it’s possible to look up his trades in the 2014 leak. I posted the raw data in this pastebin, you can import it into spreadsheet software like Excel to play with it yourself.
He started trading at 22/04/2013, this is just after the crash of the April 2013 bubble (or the ‘Cyprus bubble’). He lost interest pretty quickly, because activity stopped 27/04, only to come back 25/11 around the peak of the last bitcoin bubble. His average price is actually $120 and he bought around 50 bitcoins, but his last buy was 17 bitcoins at around $1200. He ends up with a balance of just under 15 bitcoins when mtgox shuts down, so he probably lost another few bitcoins with trading. (The trade data in the leak stops at November 2013)
The highlights are that Wright not only lost coins on MtGox, but was purchasing Bitcoin at the very peak of the MtGox bubble ($1200 USD).
A gold standard stops the havoc that governments have been setting on the global economy whilst also fixing inflation to natural means and not arbitrary measures created by politicians with rent seeking in mind.
A payment measure in the form of PayPal that offers a currency exchange mechanism and a gold based currency is a solution.
It isn’t plausible that somebody who had invented Bitcoin 4 years earlier would propose a centralized payment application similar to PayPal but backed by gold.
Wright has a history of fabricating evidence in support of his claim that he is Satoshi Nakamoto. Despite his claims of not wanting the notoriety or the attention, he is going to a lot of trouble to construct a reality of himself as Satoshi Nakamoto. In the almost 6 months since the first Wired and Gizmodo stories were published he has had ample opportunity to prove conclusively that he is Satoshi, and the protocol and requirements for doing so are well understood and not onerous. They do not require a 10 page blog post with notepad screenshots of shell scripts explaining Linux commands, file formats or OpenSSL. They also do not involve tightly controlled demonstrations in an environment completely under his control. The real creator of Bitcoin would know this.
The burden of proof for anybody claiming to be Nakamoto should be high. In the case of Wright, because of his previous fabrications, that burden is greater. His claims have to be treated with a great amount of skepticism, and his actions treated not as those of a sincere person, but rather as those of a person with a history and reputation for deception. Wright has yet to meet this burden, and until he does, Craig Wright is not Satoshi Nakamoto.
Thanks to @securedmh and @octal for suggestions and running through parts of this with me, along with a number of people on Twitter both in public and in DM’s who helped out with suggestions, ideas and pure crazy speculation, and also the large community of Bitcoiners on reddit, bitcointalk and other places who tore this story apart and provided a lot of useful pointers.