The original hack was caused by the fact that Silk Road was running PHP on MySQL without transaction isolation. Many early crypto exchanges had similar withdrawal bugs as they were running on LAMP stacks - MySQL has been notoriously famous for having lax transaction isolation. Sometimes you could overwithdraw just by hitting refresh fast enough in a web browser.
If you deal with money use PostgreSQL + SERIALIZABLE transaction isolation level to be sure.
Also, Zhong was a 22-year-old script kiddie when he hacked Silk Road. Any smart criminal would have left the United States a long time ago if they were sitting on top of a $3B stash.
A lot of the early Bitcoin stuff was toys which became something more than toys faster than the people running it could transform the toy infrastructure at its core. In most cases, they didn't have the experience necessary to make it something better. Mt Gox was just a reused domain and was originally an exchange for Magic: The Gathering!
As someone who very briefly poked around Silk Road at the time (just created an account), and as someone who has used PHP with the LAMP stack occasionally over the years, I am completely unsurprised. Race conditions can be pretty tricky to prevent in PHP, since the state is contained within different threads that can’t trivially communicate with each other. You need to be proficient with global state mutation such as via Redis or SQL.
At the same time, this is like... data integrity 101. For future reference if you want to build a system that manipulates valuable information (such as monetary accounts), and you've never done anything like that before:
Please pick a database (relational or otherwise) with ACID transactions and replication, buy at least two different textbooks on that specific database, read both, do any exercises they suggest, and then decide whether you still want to build that system. If yes, then cool: don't hold me responsible if anything goes wrong, but you need to learn somehow.
Yes, it's possible to build systems like that on non-ACID-compliant databases, or without using the ACID functionality. It's much harder, though, and you really must understand what you're giving up in order to have a reasonable chance of success.
Probably the code had logic such as the following, which, from an amateur perspective, seems to work. After all, the first check prevents the withdrawal if the account balance is too low, so what could go wrong?
$balance = sql_query("SELECT balance FROM accounts WHERE account_id = " . $account_id);
// Race window: a second request can read the same stale balance here, before the update below lands.
if ($withdrawal_amount < $balance) {
    withdraw_funds($account_id, $withdrawal_amount);
}
The correct solution of course requires putting the checks in an ACID transaction along with the account balance updating. This requires more work upfront (SQL is harder to write than PHP) and an impatient amateur coder probably didn’t think of it. Also I’m guessing they didn’t properly index all the DB columns and this made transactions take longer which exacerbates race conditions.
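The race the comment above describes, and the fix of moving the check into the database, reproduced as an added example; this is not code from the thread or from Silk Road. It uses SQLite from Python's standard library as a stand-in for MySQL, and a barrier so that five withdrawal requests all finish their balance check before any of them writes, which is the interleaving that five withdrawals in the same second relied on. The guarded form puts the comparison inside the UPDATE's WHERE clause so the engine evaluates check and debit as one statement; in PostgreSQL the same effect comes from SELECT ... FOR UPDATE or a SERIALIZABLE transaction around the check and the debit, as suggested earlier in the thread. Table and function names are my own.

```python
"""Check-then-act withdrawal race, reproduced against SQLite (constructed demo).

Five concurrent withdrawals of 500 from an account holding 500:
  * naive:   SELECT balance, compare in application code, then UPDATE
             -> every request passes the stale check, balance ends at -2000
  * guarded: the balance check lives in the UPDATE's WHERE clause
             -> the engine re-checks atomically, only one withdrawal succeeds
"""
import os
import sqlite3
import tempfile
import threading

DEPOSIT = 500
WITHDRAWALS = 5  # five 500-unit withdrawals fired at once (constructed scenario)


def fresh_db():
    """Create a temp database with one account holding DEPOSIT (constructed data)."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES (1, ?)", (DEPOSIT,))
    conn.commit()
    conn.close()
    return path


def withdraw_naive(path, account_id, amount, barrier):
    """The PHP pattern from the thread: read, compare in app code, then write."""
    conn = sqlite3.connect(path, timeout=5)
    (balance,) = conn.execute(
        "SELECT balance FROM accounts WHERE account_id = ?", (account_id,)
    ).fetchone()
    barrier.wait()  # every request finishes its check before any write: the race window
    ok = amount <= balance
    if ok:
        conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE account_id = ?", (amount, account_id)
        )
        conn.commit()
    conn.close()
    return ok


def withdraw_guarded(path, account_id, amount, barrier):
    """Guard moved into the statement: the engine checks and debits atomically."""
    conn = sqlite3.connect(path, timeout=5)
    barrier.wait()  # same adversarial interleaving as above
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? WHERE account_id = ? AND balance >= ?",
        (amount, account_id, amount),
    )
    conn.commit()
    ok = cur.rowcount == 1  # zero rows touched means the balance was insufficient
    conn.close()
    return ok


def run_concurrent(withdraw_fn, amount=DEPOSIT, n=WITHDRAWALS):
    """Fire n withdrawals at once; return (successful withdrawals, final balance)."""
    path = fresh_db()
    barrier = threading.Barrier(n)
    results = []
    lock = threading.Lock()

    def worker():
        ok = withdraw_fn(path, 1, amount, barrier)
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = sqlite3.connect(path)
    (final,) = conn.execute("SELECT balance FROM accounts WHERE account_id = 1").fetchone()
    conn.close()
    return sum(results), final


if __name__ == "__main__":
    print("naive:  ", run_concurrent(withdraw_naive))    # (5, -2000): net gain of 2000
    print("guarded:", run_concurrent(withdraw_guarded))  # (1, 0)
```

The naive path is what the thread's PHP sketch does across separate requests: each request's SELECT runs outside any transaction, so nothing stops five of them from observing the same 500 and each subtracting 500. The guarded path does not need a lower isolation level to be fixed for it, because there is no gap between check and write for another request to slip into.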
IMO this is backwards advice. Traditional relational databases with ACID go to great lengths to create the illusion that there's a single, global state, and that's what leads to people doing things like check-and-set that seem to work. You're far better off using a non-ACID database, simply because incorrect approaches will fail more visibly and more often. Ultimately you do the same amount of work either way, but using a non-ACID database forces you to do it upfront rather than letting you silently mostly succeed with a fundamentally broken data model.
Realistically your DB of choice will probably try and tackle ACID half-heartedly because it's what devs expect, and that will lull you into the same false sense of security.
Many "eventually consistent" DBs will still have some concept that uses the word "transaction" that works like one until it doesn't (see DynamoDB and multi-region gotchas)
Your comment is not true for high quality databases like PostgreSQL. Check-and-set just works on the correct isolation level. There is no isolation; your transaction will fail and be rolled back.
If you are new to the subject there are extensive reports available from Jepsen, one of the leading names in distributed systems and ACID anomaly testing and research.
True, but it’s still not trivial, unless you’ve thought of the race condition problems in advance. My guess is that instead of keeping all the withdrawal logic in a comprehensive DB transaction with good constraint checking, the code was broken up into multiple sequential PHP statements with transactions of simpler SQL (which is likely easier from a coding perspective) and with insufficient locking. This is the easier way to code it if you haven’t thought of or heard about race condition issues.
Yes, I'm sure that's what happened. The money withdrawal scenario is the classic example for locking in any database programming classroom but not everybody went through that or remembers it.
Even if you're not 100% sure of your DB code you can take a defense-in-depth approach and have the code that does the money operations do some checking too.
Even executing queued operations with a few seconds' delay allows you to notice, say, a series of withdrawals putting an account in the negative.
Yeah, and it’s Bitcoin withdrawals, nobody expects it to be anywhere near instant. I doubt the market place set its transaction fees very high either.
But then you have to create a queue that only runs 1 transaction per second. I guess another imperfect but simpler way is to create a batch file of transactions, execute hourly, but randomize or sort the sequence in a way to make sure related transactions aren’t executed together.
And failed to even depend on bitcoin’s double-spend protections. He deposited and was able to withdraw those deposits within seconds: before any block was confirmed on the blockchain.
PHP isn't the issue here. Repeatedly posting to any page normally would result in no security issue. If the balance is checked before each withdrawal each request would be processed. A better method is a request is written to a transaction table and processed in sequence.
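The transaction-table approach from the comment above, together with the few-seconds-delay audit suggested earlier in the thread, as an added example that is not code from the thread. SQLite stands in for the real database; the table names, the CHECK constraint as a backstop, and the constructed ledger events (one 500 deposit followed by five 500 withdrawals in the same second, mirroring the pattern in the affidavit) are my own.

```python
"""Queued withdrawals drained by one worker, plus a ledger audit (constructed demo).

The web request only records intent in withdrawal_requests. A single worker
processes requests in order, debiting inside a transaction, with a
CHECK (balance >= 0) constraint as the last line of defence. Separately,
audit_ledger replays the event history and flags any account whose running
balance ever went negative, which is the pattern a delayed review would catch.
"""
import sqlite3

# Constructed ledger events: (account_id, ts, kind, amount).
EVENTS = [(1, "2012-09-19T00:00:00", "deposit", 500)]
EVENTS += [(1, "2012-09-19T00:00:04", "withdraw", 500)] * 5  # five in the same second
EVENTS += [(2, "2012-09-19T00:01:00", "deposit", 200), (2, "2012-09-19T00:02:00", "withdraw", 150)]


def open_ledger():
    """In-memory schema; the CHECK makes the engine refuse a negative balance outright."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            account_id INTEGER PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)
        );
        CREATE TABLE withdrawal_requests (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            account_id INTEGER NOT NULL,
            amount INTEGER NOT NULL,
            status TEXT NOT NULL DEFAULT 'pending'  -- pending / done / rejected
        );
    """)
    return conn


def enqueue_withdrawal(conn, account_id, amount):
    """Request path: append to the queue; never touch the balance here."""
    cur = conn.execute(
        "INSERT INTO withdrawal_requests (account_id, amount) VALUES (?, ?)", (account_id, amount)
    )
    conn.commit()
    return cur.lastrowid


def process_queue(conn):
    """Single worker: drain pending requests in id order, one transaction each."""
    outcomes = []
    pending = conn.execute(
        "SELECT id, account_id, amount FROM withdrawal_requests WHERE status = 'pending' ORDER BY id"
    ).fetchall()
    for req_id, account_id, amount in pending:
        try:
            with conn:  # debit and status change commit together or roll back together
                conn.execute(
                    "UPDATE accounts SET balance = balance - ? WHERE account_id = ?", (amount, account_id)
                )
                conn.execute("UPDATE withdrawal_requests SET status = 'done' WHERE id = ?", (req_id,))
            outcomes.append((req_id, "done"))
        except sqlite3.IntegrityError:  # CHECK (balance >= 0) fired: insufficient funds
            conn.execute("UPDATE withdrawal_requests SET status = 'rejected' WHERE id = ?", (req_id,))
            conn.commit()
            outcomes.append((req_id, "rejected"))
    return outcomes


def audit_ledger(events):
    """Replay per-account history; return {account_id: (ts, balance)} at the first dip below zero."""
    running, flagged = {}, {}
    for account_id, ts, kind, amount in sorted(events, key=lambda e: (e[0], e[1])):
        delta = amount if kind == "deposit" else -amount
        running[account_id] = running.get(account_id, 0) + delta
        if running[account_id] < 0 and account_id not in flagged:
            flagged[account_id] = (ts, running[account_id])
    return flagged


def demo_zhong_pattern():
    """Five queued withdrawals of 500 against a 500 deposit: only the first clears."""
    conn = open_ledger()
    conn.execute("INSERT INTO accounts VALUES (1, 500)")
    conn.commit()
    for _ in range(5):
        enqueue_withdrawal(conn, 1, 500)
    outcomes = process_queue(conn)
    (balance,) = conn.execute("SELECT balance FROM accounts WHERE account_id = 1").fetchone()
    conn.close()
    return outcomes, balance


if __name__ == "__main__":
    print(demo_zhong_pattern())   # ([(1, 'done'), (2, 'rejected'), ...], 0)
    print(audit_ledger(EVENTS))   # {1: ('2012-09-19T00:00:04', -500)}
```

Two properties matter here: the worker is the only writer, so there is no concurrent check-then-act to race, and even if the worker's own logic were wrong the CHECK constraint stops the balance going negative. The audit is the independent control: it does not trust the accounts table at all, only the event history.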
I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade ago.
This feels way less like “pursuing justice” and more like trying to track down everything the justice department can seize and auction off. If Bitcoin hadn’t drastically increased in value since the original event, would this have ever been tracked down?
I can't even count the number of much more consumer-impacting crypto-related frauds, crimes, and hacks from the last 3 years that would be more deserving of justice department attention, rather than focusing resources and attention on a double withdrawal bug from an illegal marketplace from a decade ago.
> I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade ago.
1. I suspect that the justice system feels that, as a matter of principle, they ought to keep the heat on darknet markets generally. That getting darknet market related arrests in the news has deterrent value, and shows they're doing their job. Obviously, arresting operators or big sellers would be even better - but any darknet market arrests are better than none at all.
2. They recovered $3.3 Billion, so the ROI on agents' time is probably pretty good. American society loves it when police departments are funded with criminals' money, through aggressive traffic ticketing and civil forfeiture! So this is really no different to fining a driver for doing 55 in a 54, except with much less police time used. From a certain perspective, this is one of the most productive uses of resources the department could possibly make.
1. I agree, it’s a bit tangential to call this a “darknet market arrest” instead, since the “darknet market” was the “victim”.
2. People largely hate when cops fine someone for doing 55 in a 54, so it’s probably not a great example, but I think it supports my point. This isn’t about solving an actual crime, but about optimizing for how much money the justice department is able to collect. I said elsewhere that this would be more reasonable as a tax investigation, but it’s not, and it’s (in my opinion) a pretty bad precedent that investigations should be prioritized by “how much cash can we seize”
> I said elsewhere that this would be more reasonable as a tax investigation
It was also a tax investigation, which is why IRS criminal investigators were involved, and there clearly were tax violations involved, they just weren’t part of the plea bargain.
> it’s (in my opinion) a pretty bad precedent that investigations should be prioritized by “how much cash can we seize”
I agree that prioritizing prosecutions that way would be, but Zhong doesn’t seem to have particularly been a prosecutorial priority. OTOH, spending investigative resources to find known forfeitable assets under an existing conviction seems a perfectly sane and responsible use of resources.
It’s probably because he accumulated billions of dollars of property that weren’t taxed, and illegally on top of that (although they were worth much less at the time).
It kind of sucks for him that he had to forfeit the Bitcoin and not just the dollar amount he stole at the time. I am sure if it was the other way around, and Bitcoin went to $0, they would take the historical dollar amount he stole instead.
I could completely see an argument for tax evasion, that is a crime where the technical victim is the government (and thus, citizenry), not where the victim is an illegal operation that no longer exists.
However, he isn’t being charged with a tax crime. He’s being charged with “wire fraud” for double withdrawing from Silk Road.
I can see you just trying to bait me into a non-productive debate, so I will say this.
I am not going to make any statement regarding whether or not financial crimes against known and convicted criminal enterprises should be deprioritized in relation to crimes against regular citizens.
In this case though, the "victim" has not existed for over 9 years and will never exist in the future, there are no ongoing victims, and there are no downstream victims to return restitution to.
I do not believe the justice department should be pursuing cases (cold or not) where the only goal is seizing (not recovering) assets for their own benefit.
Stealing an asset and keeping it is considered “income” in that tax year, I believe. You would only be correct if he stole Bitcoin when it was worth 0, but it wasn’t.
> I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade ago.
If you're not going to track down $3.36B after a decade, you really shouldn't pursue thefts of less than $1M ever.
I doubt they’ve been actively investigating him for 10y. Probably went through the transaction logs right at the beginning and flagged the addresses.
Big withdrawals suggest a seller. Big deposits and withdrawals without sales suggest a launderer. Small deposits, or sales and big withdrawals, suggest an insider.
> I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade ago
They found the kid in the process of looking for the missing forfeitable BTC from Silk Road. Which explains why the resources...
Since there continue to be "crypto-related frauds, crimes, and hacks" they need a skilled group of crypto investigators. Think of this case as practice.
You're right, it sounds like he's a real nice guy and sitting on 3.36 billion dollars for a decade sounds like time served to me. I just can't get behind the concept of "Why did they arrest me for X when there is something wrong happening over there?" It just doesn't work that way, there are plenty of things happening at the same time and you're just making some weird assumption that the IRS bitcoin task force could have been some completely different department chasing a completely different crime.
>Specifically, law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet.
It's interesting how the defendant tried to hide his bitcoin holdings in very low-tech ways.
The utility ease of holding bitcoin is apparent with this seizure. What other asset could you hide the equivalent of $1B USD in a floor safe and a popcorn tin and without having to use a 3rd party custodian?
The potential value-density of crypto is unmatched, but I'm not sure it is "easy" to store in a manner like that.
If another resident of Zhong's household had discarded the popcorn tin, he could have been out $1B. It is difficult, but not impossible (see fat-finger transactions) to do that with other asset classes.
Holding a large amount of cryptocurrency without multiple backups spread around various geographical locations is foolish. So ultimately, to store cryptocurrency securely, it's never actually easy when you get down to the nuts and bolts of it.
Steganography might've been an interesting way to deal with it: make a big QR code with credentials to a 1M wallet and hide the 1B wallet info as steganography in that picture.
> The utility ease of holding bitcoin is apparent with this seizure. What other asset could you hide the equivalent of $1B USD in a floor safe and a popcorn tin and without having to use a 3rd party custodian?
Back in the day, the answer would have been bearer bonds, but they're no longer popular instruments.
> ... Japanese nationals in their 50s ... who had attempted to enter Switzerland with a suitcase ... containing what ... appeared to be U.S. Treasury Bonds worth $134.5 billion.
Enough to buy a couple of Twitters!
> The Financial Times also reported that the two suspects "had been released" by Italian authorities.
??????????????????????
edit:
> On September 18, 2009, a similar incident was reported ... by the Italian financial military police ... involving two Philippines nationals smuggling purported U.S. Treasury bonds valued at approximately $180 billion
Why do these involve Asian nationals? I'm just not a good enough crook to determine the advantage here...
> On February 17, 2012, it was reported that Italian police had seized $6 trillion in counterfeit U.S. bonds....
If you're gonna commit a crime, you might as well swing for the fences, eh?
> The Financial Times also reported that the two suspects "had been released" by Italian authorities.
I guess they helped direct the police to the actual counterfeiters.
> An earlier billion-dollar bond case was recorded in 2002, when the United States Court of Appeals for the Seventh Circuit, located in Chicago, heard a case from two men who sought $100 billion from the Federal Reserve Bank of Chicago.
So two guys tried to bring a fake bearer bond worth $100B and tried to cash it out? That's hilarious. It also sounds like they didn't even get in trouble.
The world extends beyond the US. The Panama Papers showed that bearer bonds were alive and well all the way until the mid-2010s, and Panama itself only phased them out in 2015.
Which is why I think it's absurd to think it's a coincidence that the rise of crypto happened at the exact same time world financial task-forces snuffed out bearer bonds and offshore anonymous accounts.
Antimatter is allegedly valued at $2,700,000,000,000,000 per gram, so you could fetch a billion for 0.37 micrograms of it. Don't try storing it in a popcorn tin, though.
Presumably this would be the case with any purely-digital asset class that has the ability to be encapsulated in a physical token or offline digital storage device.
the problem with that type of utility being that maybe the defendant was the only person who could "cash in" these bitcoins... an untimely traffic accident away from another 50k bitcoins "lost" without the password to recover them...
This is baffling. It would be remarkably easy to memorize 12 words, then keep no active wallet anywhere. When you want to send coins, start up a desktop wallet, enter the 12 words, send some Bitcoin, then delete the wallet.
If this was a really old Bitcoin wallet, it could be from before the "12 words" thing. IIRC, older wallets randomly generated each key, instead of deriving them from a seed passphrase (which also meant you had to be really careful with your backups, since an old backup of the wallet wouldn't have its newer keys).
I am sure you’re right. But you could just send the funds to a new address in the new wallet. He could have done that at any point in the last 5+ years.
> JAMES ZHONG pled guilty to committing wire fraud in September 2012 ... ZHONG pled guilty on Friday, November 4, 2022, ...
> U.S. Attorney Damian Williams said: “James Zhong committed wire fraud over a decade ago...."
The statute of limitations for mail fraud and wire fraud prosecutions is five years (18 U.S.C. § 3282), except for mail and wire fraud schemes that affect a financial institution, in which case the statute is ten years (18 U.S.C. § 3293).[1]
Lawyers please explain. Also, who was the victim here, and who reported the crime?
I don't think bitcoin was even a recognized currency until 2014.. It is utter madness that someone can make a game today and you can be tried for winning on players' technical errors a decade after the IRS decides if it is a serious speculative game. It's like back in the first MMOGs where people wanted to arrest in-game thieves. Talk about killing your industry.
If you trick somebody into giving you something, and they consider that thing valuable, you're on the hook for fraud. Doesn't have to be about official coins. Of course, if you're playing a game where thieves are part of the game, you have to accept that. Or not play the game.
In 2013. He pled guilty to wire fraud in 2012. Can FinCEN/IRS retroactively determine something (like tradable skins in a game) is property and prosecute people over it?
If you can own it, it is property; if people are paying money, or exchanging goods or services with value, for it, it is valuable property. Enforcement agencies publishing a ruling or opinion as to what kind of property it is (and isn’t) isn’t what makes it property.
If you find a bug in a multiplayer FPS (let's say d-pad rocking to allow you to wall-climb or something) that gives you a competitive advantage, and you use that competitive advantage to best players and win their assets in combat, can you be arrested for fraud/theft?
If you systematically use it at large scale and make enough money to be worth prosecuting yes. People have been arrested for writing code to play 100000 FIFA games a day in order to get in game coins to sell (https://www.theregister.com/2016/11/14/ea_hackers_charged_fo...). The wire fraud statute is incredibly vague and can be used to justify almost any prosecution. Some others: using fake names on accounts used for botting Ticketmaster is wire fraud, a wire transfer made as part of a commercial bribery scheme is wire fraud even though commercial bribery is legal federally.
That's why I emphasized always. The laws and precedents saying that anything that quacks like property is taxable property are decades old so they predate Bitcoin. In 2013 the government just said "Remember these laws from decades ago? No? They apply to you."
Bitcoin has been classified as a commodity, not a currency, so I’m not sure what you’re talking about.
I’m not sure why you’re downplaying this. If I maliciously exploited a video game for serious financial gain today, there’s a good chance that will be a crime.
> I don't think bitcoin was even a recognized currency until 2014..
It is not legally a “recognized currency” now (“virtual currencies” are essentially treated as non-currency properties), and it was both property and had value before 2014.
Maybe; i was thinking of the treatment of crypto generally and the fact that BTC specifically has been adopted as legal tender and thus might be “foreign currency” rather than merely “virtual currency” to the extent that makes a difference.
I don’t think it matters to the offense here, which only relies on it being property with value, though.
> Also, who was the victim here, and who reported the crime?
The crime seems to have been discovered as part of the tracing of assets subject to seizure in the Ross Ulbricht cases, which is why the bulk of the assets were seized and filed for forfeiture as part of that case, and not the separate case against Zhong.
On the statute of limitations issue, it's worth noting that limitations may be waived in a guilty plea, and that a defendant might do so to a lesser charge rather than facing trial on more or more serious charges (such as money laundering and/or tax fraud and/or evasion charges relating to the subsequent transactions involving the Bitcoin, which occurred at least as late as 2017 and would be well within the 6-year SOL that would be applicable there).
EDIT: To be clear, I haven’t seen a link to the Zhong plea bargain or any indictment it may have replaced (much less what prosecutors might have waved at his defense as potential charges that were never filed), so the above on the Statute of Limitations is observation of what is possible in general and how that might relate to the case, not an explanation necessarily of what did happen in the case. While there are other ways the statute of limitations might have applied differently in this case than it superficially would seem to (e.g., tolling for a request for foreign evidence if some was used to trace the funds) the way described above still seems most likely to me, in the absence of more facts.
I just started law school so don't take this answer as definitive but a couple of things I thought of were:
1. For the statute of limitations, I believe that the time point to look at is when the lawsuit was filed (as opposed to when the guilty plea comes through). All that matters was that lawsuit was filed __before__ the statute of limitations ran out.
2. Additionally, there are scenarios where the law/courts will allow people to file suits after the statute of limitations runs out but that varies by jurisdiction and by the law that governs the crime committed. (For more info, you can check out equitable/statutory tolling).
It is called a John Doe defendant. The investigation was opened before 2017, which was the deadline, in secret. When they found the guy they changed the name from Doe to Zhong. Had the feds waited until 2018 or so before opening an investigation, it would have been too late. The statute of limitations expires only if no investigation is ever opened.
If this is actually a legitimate thing, it sounds like the most ridiculous abuse I've read in this thread. By this logic there is no reasonable concept of 'statute of limitations' if a "secret" investigation can always be opened (or assumed to have been opened).
The only reference I can find to what you're describing seems to apply to civil suits only, where the legitimate defendant name is substituted back in during discovery. It does not appear to be a stand-in in criminal investigations.
The biggest misconception is that the statute of limitations means all you need to do is run down the clock. Nope. As soon as there is enough evidence to open an investigation there is no expiration unless the investigation is closed, and this is all done in secrecy. Rather, the deadline is from when the crime last occurred to when the investigation is opened. For example, the investigation into the identity of the 2011 geezer bandit is still ongoing despite the most recent robbery being a decade ago. Regarding the bank robber, it's not a secret because the feds are looking for leads from the public who have been able to identify him by appearance, but in the case of the hacker it does no good to put up wanted posters.
At the spot price at this time, 51,680.32473733 Bitcoin is worth $1,066,821,439.46 (~$1.06B) USD. Some difference from the ~$3.36B on November 9th, 2021.
That was the value at the time of seizure, which is most-likely the correct time at which to value it.
It is true that the news would probably use the larger number if BTC had gone up in price since then, but I suspect that the official statement would always quote the value at the time of seizure (perhaps with a parenthetical to highlight a greater present-day value).
> That was the value at the time of seizure, which is most-likely the correct time at which to value it.
It should be marked to value at time of the crime. Value of the property is often a metric used for setting the charges/punishment and he had no idea it would appreciate the way it did. He shouldn't get penalized for it appreciating.
May differ internationally but to my knowledge it works that way over most of the US.
> Specifically, law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet
Weird that he went through all this trouble to physically hide the wallets but did not use encryption...
That is probably the fastest way to kill crypto. Seizing any coins involved in illegal activity, even if it's been through numerous other owners since (and for legal purchases). Once everyone is asking if the coins they are getting are clean they'll stop acquiring coins.
China, Russia, Egypt, and many others have already banned crypto and seize any assets regardless of legality and it hasn't killed crypto yet.
Even the USA as the largest economic market in the world couldn't kill crypto by seizing assets as there are dozens of other countries that will keep using crypto for the anti-corruption, stability, and efficiency benefits it provides. It's a lot like the internet where a country can ban or control it but ultimately it only harms their own citizens and prevents them from properly competing on the world stage.
If a criminal steals my bitcoin and spends it, everyone who accepts it and everyone who accepts it from them is taking delivery of stolen property, trivially traceable back to me. I'll want it back, because it is mine and was stolen.
No -- it means that a single instance of illegal activity can potentially be charged-back by a government through a web of otherwise-legal transactions at any time. The immutable historical retention of all transactions has at least the capacity to threaten the immutability of transactions in the real world.
> Nearly five years after ZHONG’s fraud, in August 2017, solely by virtue of ZHONG’s possession of the 50,000 Bitcoin that he unlawfully obtained from Silk Road, ZHONG received a matching amount of a related cryptocurrency — 50,000 Bitcoin Cash (“BCH Crime Proceeds”) — on top of the 50,000 Bitcoin.
And presumably, this is how he was caught. He hid his identity really well. The withdrawal of BCH eventually led to his downfall.
The feds pinned him on what appears to be a mixup by the accused between his “unclean” and “clean” wallets when dealing with a crypto broker with an IP that pointed to his house for several years.
Pretty impressive that we've advanced technologically and as a society to the point where we can now store somewhere between much and all of the GDP of Belize " (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet."
What's stored on the computer is a number that gives access to a wallet. You could also store a number that gives access to a Swiss bank account on a piece of paper in the 18th century. I wouldn't call the technology advanced.
In some (even US) jurisdictions they call it 'mutual combat' [0] and overlook it. In some places like Washington State (note: not legal advice) one may be under the impression criminal-on-criminal combat is explicitly legal. There's also a lot of historical context (think outlaws in the wild west) that suggests that those in the American West may culturally not find it surprising that the public would generally be OK with criminals doing themselves in.
It's my understanding that in Texas it may even be possible that killing thieves is legal there in some circumstances as well.
Edit: perhaps I wasn't as explicit in the part to read between the lines. The police in US are oft perceived as being more likely to 'overlook' or consider it 'mutual combat' for acts against criminals. I don't think the analysis "that has nothing to do with them being criminal" is really a fair conclusion.
That has nothing to do with them being criminals, though. You and I could engage in mutual combat, if we wanted. Muhammad Ali got paid quite a bit to do it.
Couldn't this guy say "silkroad knew I was doing this and approved". Prosecutors would have to get someone from the silkroad to testify to counter that.
> This seizure was then the largest cryptocurrency seizure in the history of the U.S. Department of Justice and today remains the Department’s second largest financial seizure ever.
If past history is any guide, the proceeds will be auctioned, making DOJ the largest government-sponsored bitcoin dealer in the world.
Interestingly, this will increase the supply of Bitcoin. Because more will be in circulation, having been cleared by the U.S. government. Who wouldn't want those squeaky clean coins!
The linked affidavit has more of the interesting details. Looks like the agent worked with the guy's ISP and a well-known crypto exchange to do some old fashioned IP tracing.
No. There isn't enough liquidity in the market to even sell that amount. They also do these things over the counter, in auctions, which wouldn't have an effect on market pricing at all.
Who says they have to spend a bunch of money? The amount of money anybody would pay for it is the amount they could get from selling it, which is limited by liquidity. Add the fun they would get from crashing the market, and that is fair market value that these Bitcoins can get at auction.
Yes, that is generally how markets work. However there is no central exchange for bitcoin, nor is there enough liquidity in any single exchange. So, the seller would need to open accounts in multiple exchanges and sell in all of them. Sure, bringing down one exchange could have consequences for price, but it wouldn't cover this large of an amount of BTC. Plus, half the exchanges with enough liquidity to even begin with, aren't even allowed to be used in the US.
Again, that's not how the US govt works with these things anyway (OTC auctions), so it is all a moot point.
When cryptocurrency assets are seized, do they transfer everything all to a separate wallet, which is then held in custody? If there are copies of the "seized" assets, they can just be moved to a new wallet and then the only thing seized was some hard drives, right?
This was detailed in previous seize operations like this.
2013:
> The FBI official pointed me towards this Bitcoin address, which received transfers of close to 144,000 in just the last 24 hours. "They finished moving them at 3am this morning," said the official.
> The metal items consisted of four one-ounce silver-colored bars, three one-ounce gold-colored bars, four 10-ounce silver-colored bars, and one gold-colored coin, all seized from Individual-1’s home on November 9, 2021.
My guess is they were precious metals, but the agent's report immediately after the seizure doesn't presume to know that; they just report what they can observe, and they may have them analyzed/valued later.
> ZHONG, 32, of Gainesville, Georgia, and Athens, Georgia, pled guilty to one count of wire fraud, which carries a maximum sentence of 20 years in prison.
> The maximum potential sentence in this case is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge. ZHONG is scheduled to be sentenced by Judge Gardephe on February 22, 2023, at 3:00 p.m.
Prosecutors in the US conspire to deprive defendants of their rights by creating a 'plea bargain' system where federal defendants almost always plead guilty in exchange for not being 'taxed' with often multiples of the bargained number of years in jail for daring to exercise their right to trial, where they will be crushed by an asymmetric system: the massiveness of the US government versus whatever meager amount they have to spend on an attorney and expert witnesses.
They would likely sell the BTC with an off-market auction. Given the amount, they might auction it off in segments.
Whoever is responsible for selling a government asset is likely responsible for getting a good price. So a BTC dump, in addition to harming the markets, would be a violation of that duty.
Indeed, it's not possible to seize "11.1160005300044" bitcoins as all bitcoin amounts (outside of the Lightning Network) are represented with a maximum of 8 decimals. Most likely, it's just a floating-point imprecision from the feds' calculations. For example, a lot of software will calculate "20.1 - 20.0 = 0.10000000000000142"
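The 8-decimal limit mentioned above is the reason money code should never pass amounts through binary floating point. The following is an added example (not code from the original comment or from any exchange): it keeps Bitcoin amounts as integer satoshis (1 BTC = 100,000,000 satoshis, the chain's smallest unit), refuses any input the chain cannot represent, including the 13-decimal figure quoted above, and shows the float drift the comment describes next to the exact result. It goes slightly beyond the comment in that the same pattern applies to any currency with a fixed minor unit (cents, pence). Function names and the sample amounts are this example's own.

```python
"""Exact BTC arithmetic with integer satoshis (added example, not from the original post)."""
from decimal import Decimal, InvalidOperation

SATOSHI_PER_BTC = 100_000_000  # 8 decimal places is the on-chain maximum


def btc_to_satoshi(text):
    """Parse a decimal string such as '20.1' into an exact satoshi count.
    Rejects negative, non-finite and over-precise inputs instead of silently rounding."""
    try:
        value = Decimal(str(text))
    except InvalidOperation:
        raise ValueError(f"not a decimal amount: {text!r}") from None
    if not value.is_finite() or value < 0:
        raise ValueError(f"invalid amount: {text!r}")
    sats = value * SATOSHI_PER_BTC
    if sats != sats.to_integral_value():  # a fractional satoshi cannot exist on-chain
        raise ValueError(f"{text!r} needs more than 8 decimal places")
    return int(sats)


def satoshi_to_btc(sats):
    """Format an integer satoshi count as a BTC string with exactly 8 decimals."""
    if sats < 0:
        raise ValueError("negative amount")
    return f"{sats // SATOSHI_PER_BTC}.{sats % SATOSHI_PER_BTC:08d}"


def subtract_exact(a, b):
    """a - b for two BTC strings, computed in satoshis (the 20.1 - 20.0 case above)."""
    return satoshi_to_btc(btc_to_satoshi(a) - btc_to_satoshi(b))


def sum_both_ways(amounts):
    """Total a list of BTC strings as floats and as satoshis.
    Returns (float_total, exact_total_as_btc_string) so the drift is visible."""
    float_total = 0.0
    sat_total = 0
    for a in amounts:
        float_total += float(a)         # binary float: rounding error accumulates
        sat_total += btc_to_satoshi(a)  # integer: exact
    return float_total, satoshi_to_btc(sat_total)


def is_valid_amount(text):
    """True if the string is an amount the chain can actually represent."""
    try:
        btc_to_satoshi(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(20.1 - 20.0, subtract_exact("20.1", "20.0"))  # float drift vs "0.10000000"
    print(sum_both_ways(["0.1"] * 1000))                # float != 100.0, exact "100.00000000"
    print(is_valid_amount("11.1160005300044"))           # False: 13 decimals
```

Validating at the boundary (reject, do not round) matters as much as the integer representation: an amount that is rounded on the way in will disagree with what the chain actually moved.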
I think you're getting ahead of yourself. It's not dead, yet.
It's very much still alive (which is probably why you're being downvoted), because it has first-mover advantage and is easier to use. I think eventually privacy-by-default coins like Monero (XMR) will gain in popularity assuming people smarten up, so if it requires people being smart, then it may never gain in popularity, who knows.
> ZHONG did not list any item or service for sale on Silk Road, nor did he buy any item or service on Silk Road
> ZHONG funded the Fraud Accounts with an initial deposit of between 200 and 2,000 Bitcoin. After the initial deposit, ZHONG then quickly executed a series of withdrawals. Through his scheme to defraud, ZHONG was able to withdraw many times more Bitcoin out of Silk Road than he had deposited in the first instance. As an example, on September 19, 2012, ZHONG deposited 500 Bitcoin into a Silk Road wallet. Less than five seconds after making the initial deposit, ZHONG executed five withdrawals of 500 Bitcoin in rapid succession — i.e., within the same second — resulting in a net gain of 2,000 Bitcoin. As another example, a different Fraud Account made a single deposit and over 50 Bitcoin withdrawals before the account ceased its activity.
So Silk Road wasn’t waiting for any transaction confirmations??? And didn’t append a nonce to each withdrawal to avoid duplicates?
No. The guy he "wanted to kill" was a moderator who didn't even steal from him. An FBI agent (hurray, my taxes) pretended to be a drug lord for over 2 yrs, convincing Ross he should kill some moderator with lies about him wanting to take over Silk Road or something, and then staged a mock assassination. All that for no tangible investigative benefit other than strengthening their 2-yr-old bro-bond.
That agent didn't even contribute to the actual arrest. Go read the Wired write-up of the whole thing. It's better than most fiction books. Pure comedy.
Also, the current Silk Road is a honeypot set up by the Feds. That's why 1) they screwed up on validating transactions (it's not their money) and 2) they went after the stolen funds.
> No. The guy he "wanted to kill" was a moderator who didn't even steal from him.
Ross Ulbricht commissioned 5 murders fully expecting each of them to be carried out.
> All that for no tangible investigative benefit other then strengthen their 2yr old bro-bond.
The murder-for-hire evidence denied him bail. But the prosecutor already had Ulbricht nailed and decided to avoid complicating the case by formally filing the murder-for-hire charges. Would your tax dollars have been better used if Mr. Ulbricht had additional life sentences and decades of prison? No, he is going to die in a prison cell either way.
Ross Ulbricht built his empire, in large part, by profiting off people's suffering. And he exhibited time and time again that he would murder people to protect it. He is nothing short of evil.
> Ross Ulbricht built his empire, in large part, by profiting off people's suffering.
He built Silk Road, which allowed people to sell drugs to one another.
If the 'people's suffering' you are referencing is the use of drugs, I hope you have this same ire for the pharmaceutical companies and physicians prescribing opioids linked to over 500k deaths in the US over the past two decades[1]. I hope you feel the same ire for the CIA who facilitated and supported the Nicaraguan Contra groups' smuggling of crack into the US to finance their coup attempt[2].
I would hope the "nothing short of evil" rhetoric isn't exclusively saved for the kid who built an onion site and then was entrapped by FBI agents into a murder-for-hire scheme of their creation.
>> Ross Ulbricht built his empire, in large part, by profiting off people's suffering.
> He built Silk Road, which allowed people to sell drugs to one another.
Actually, that's the tiniest part. [1]
> The Silk Road was an online black market where buyers and sellers of illegal or unethical items could transact anonymously. Utilizing privacy techniques such as the Tor network and cryptocurrency transactions, people were able to transact in drugs, hacked passwords, illegal data, and other contraband.
Or, you could look at how he used Silk Road, to contract killers. [2]
> MANY OF THE ideological supporters of the Silk Road have described its sprawling online black market for drugs as an experiment in victimless crime and a nonviolent alternative to the bloody turf wars of the streets. But prosecutors in the trial of Ross Ulbricht, the 30-year-old accused of running that anonymous bazaar, have pointed to one conversation they say shows the contrary: That the Silk Road's boss was willing to resort to the drug trade's most violent measures when it suited his needs.
In my opinion the Sackler family has caused a lot more suffering and they see no day in prison. And they're not the only lords who get away with murder. Yet a guy like Ulbricht gets to spend a lifetime in jail... This is a miscarriage of justice unless all monsters are locked up and all would be fair. It could be argued that Ulbricht caused no suffering but alleviated it by providing a service for people to buy their "drugs" by skipping meeting a shady dealer...
That alleged right of criminals to be persecuted in strictly descending order of severity simply does not exist. Finding some bigger wrong does not make a right.
Are there any societies, historical or current, where the extremely rich and powerful face justice in the way you would like, other than by pissing off other extremely rich and powerful people?
I did wonder whether I should include 'western' or not. I probably shouldn't have, since, I agree with your point, it's not an area that distinguishes western from non-western.
To be honest I don't know, I just expect justice to do its bidding and make the world a better place for all of us. What bothers me is that the rich get away with murder while the rest of us are held to a different standard. It also seems to me that the Sacklers caused a lot more harm while this guy is not as evil as purported to be and doesn't deserve to be locked up for life. Should justice be harsh for everyone, I'd swallow that pill, but it's not. I'm just comparing the amount of suffering caused and the received sentence. And there's no what, it's just an ordinary person's opinion, an opinion that does not change anything.
I respect where you're coming from, but here's an opinion, that if adopted, may influence where you choose to stop or continue your thought process.
I see this "comparison" form of objection quite a bit, where someone points out relative injustice without taking a stand on which way to go. Once you notice it, you start seeing it everywhere.
In terms of conversation, it almost always seems to have a muting effect, of freezing the momentum towards figuring out what should be done. Desiring consistency is honorable, but these sorts of scenarios further ask us which way we want to apply that consistency. While each individual case probably wouldn't make a difference, I think when we refuse to answer those questions as a society, it makes it more likely for these imbalances to occur. So I think it's worthwhile to try and think it through, take a stand, and voice a stand.
The Sacklers had their name stripped from museum exhibits, campuses, etc., which I'm sure hurts at the end of the day.
The US government really should have gone the extra mile and stripped the Sackler family of every penny they had, to the point that they were forced to beg for spare change on the side of the road, e.g. Mortimer & Randolph Duke style.
> The bankruptcy judge acknowledged that the Sacklers had moved money to offshore accounts to protect it from claims, and he said he wished the settlement had been higher
It might have been worth them formally filing the murder-for-hire charges just to save us from having to read his supporters repeatedly say they weren't real.
But conspiracy charge depends on overt act(s), so being convicted of conspiracy doesn't necessarily mean he was convicted on the basis that particular overt act occurred. The prosecution never had to prove all the overt acts, including murder-for-hire, were true to convict for the more generalized non-murder conspiracy. Just that some subset of overt acts were true.
Silk Road reduced deaths in a black market that was always there and would always continue to be there regardless of the presence of Silk Road. Period. Given that black markets are going to continue to exist, since anti-drug laws are dumb (just like Prohibition was; regulation of an irrepressible market is always superior to "illegalization" in a vain attempt to suppress it), it is at least less bad if there are fewer killings.
Entrapment is unethical precisely because you can use it to enforce a law regardless of the ethical justification of the law. If it was a capital offense to have sex before marriage in 2040 in the United Christian Dictatorship of America, and another Ross Ulbricht type came along and made it possible for teens to seek and meet in secret online, and a christo-fascist cop pretended to be a hot girl on said system while pretending to threaten to take the whole thing down unless a ransom was paid, and ANOTHER christo-fascist cop (or the same one pretending to be someone else) offered a "solution" to this by "getting rid of" the "problem"... Do you see where I'm going with this? Future Ross Ulbricht just wanted people to be able to find physical love before committing to wed!! Certainly not guilty enough to do life in prison, because no actual murders ever actually occurred.
> Also, the current Silk Road is a honeypot set up by the Feds. That's why 1) they screwed up on validating transactions (it's not their money) and 2) they went after the stolen funds.
The DOJ release says these transactions were from 2012
This bitcoin theft happened in September 2012, before Ross Ulbricht got arrested (in 2013), so when Silk Road was active and not a Feds' honeypot like you describe.
Entrapment is an invention of 20th century American courts. See William E. Mikell, "The Doctrine of Entrapment in the Federal Courts," U. Pa. L. Rev. 90 (1942), calling entrapment as a defense a "purely American doctrine" not considered by earlier English writers on criminal law.
Trivia aside, no. Entrapment is a specific concept narrower than "a fed lied to me."
Given the mention of "across the pond", it seems the parent commenter was talking about the English law meaning of entrapment. That is where you are enticed to commit a crime by a law agency. Technically it's still a crime and there's no legal defence based on entrapment, but courts will tend not to prosecute if "the police did more than present the defendant with an unexceptional opportunity to commit a crime".
I'm assuming you pulled that from Wikipedia, which is what Google points to for that phrase. You've radically oversimplified Wikipedia's coverage of UK entrapment, and Wikipedia oversimplifies UK law. "More than an unexceptional opportunity to commit a crime" is just one factor in a complex analysis. The "exceptional" opportunity starts the consideration of entrapment; it doesn't end it.
Yes I got that quote via Wikipedia. It, in turn, is a direct quote from a judgement from the Law Lords, which set a precedent – the main precedent on the subject if that Wikipedia article is to be believed. So it's not just a random Wikipedia editor's view on the subject.
Yes, no kidding it's a more complicated subject than that one short sentence. But my point was just that it's different from any notion of entrapment, or lack of, in the US.
The point is that it's simply not the case that the state tends not to prosecute in cases where "the police did more than present the defendant with an unexceptional opportunity to commit a crime".
FBI gets a wide berth from the courts. A couple of years ago, they seized some Tor child porn website, and then started making upgrades to it causing the userbase to increase by 30%. Then they tried to pin that user count on the person they arrested.
FBI is federal, unlike the police, so they can do whatever, at least that’s how it’s playing out. The FBI is supposed to be effective, not ethical. It’s what’s “on the tin” and has always been. A good example is their treatment of MLK.
I think we agree, probably, that what is and what should be are not the same. The tension is that voters will often reward politicians who are effective, rather than those who are ethical. When it comes to the safety of your child, most humans go for effective over ethical.
> When it comes to the safety of your child, most humans go for effective over ethical.
Wouldn't the balance of the child's needs change the ethical judgement (now considered ethical as well as effective)? I don't see how they would be mutually exclusive.
> As another example, a different Fraud Account made a single deposit and over 50 Bitcoin withdrawals before the account ceased its activity.
> So Silk Road wasn’t waiting for any transaction confirmations??? And didn’t append a nonce to each withdrawal to avoid duplicates?
See the ACID properties of databases. [1] These are often put to the wayside in order to have greater transaction speed. We can see the results.
> In computer science, ACID (atomicity, consistency, isolation, durability) is a set of properties of database transactions intended to guarantee data validity despite errors, power failures, and other mishaps.[1] In the context of databases, a sequence of database operations that satisfies the ACID properties (which can be perceived as a single logical operation on the data) is called a transaction. For example, a transfer of funds from one bank account to another, even involving multiple changes such as debiting one account and crediting another, is a single transaction.
Which of the ACID properties is broken here? A transaction is by definition atomic, internal consistency was not broken, and isolation and durability are fine.
ACID makes sense in internal transfer, like the example you gave:
> debiting one account and crediting another, is a single transaction.
Blockchain is ACID compliant; their internal database could be ACID compliant. The hard part is linking it together.
The solution here is exactly going opposite of ACID. Do a transaction in the database first, and hope the transaction goes through on Bitcoin; if not, have another job reverse the transaction. If the reverse job fails, have a support agent manually revert the transaction. A common mistake someone could make is to put the transaction in a processing state in the database, and have another job update it to success.
> Blockchain is ACID compliant, their internal database could be ACID compliant hard part is linking it together.
That's the issue, ACID is not ACID for a tiny bit but for the transaction. See the definition you quoted, "debiting one account and crediting another, is a single transaction." Blockchain is absolutely not ACID compliant. There must be a deterministic methodology not miner consensus for ACID. Miners can even change the blockchain.
However, why are you even mentioning blockchain instead of MySQL without SERIALIZABLE, which enforces atomicity?
> The solution here is exactly going opposite of ACID.
What solution are you talking about? There was no solution put in place, which was the cause of the thefts.
But since this is "blockchain", is it more like... they weren't polling for the right confirmation/status/update from the blockchain network API thingie?
> But since this is "blockchain", is it more like... they weren't polling for the right confirmation/status/update from the blockchain network API thingie?
That's the exact same mistake I referenced. The consuming website should not be in charge of the atomicity of transactions.
It doesn't matter whether the API was used incorrectly, blockchain was used, or finanglesperunk was the technology. The vagaries of the implementation don't matter. Sending money should be atomic with the request instead of whatever this was, otherwise the result might be $3.36 Billion in theft.
PS Blockchain is a database. The developer can choose to enforce SALT instead of ACID, but something wasn't done right.
I knew a guy about 10 years ago that upgraded his iPhone through the Apple website and AT&T website at the same time, received two phones, and never heard from either company about a double transaction. I love these kinds of hacks -- I guess it's one way to profit from hard-learned database lessons :)
I didn't get into the UC of my choice. So I appealed. This was in 2006, and the appeal process was not through an online application. You had to mail in a packet with your appeal letter, transcripts, etc. I sent one in by the postmark deadline (Friday), but it wasn't very good. So, come Monday morning, I overnighted a much better one. After a week or whatever, I got a message notifying me that my application status had changed, but I did not get in. Then a day or two later, I got another one, to which I _did_ get in.
Now, I don't know for sure, but I like to think two different reviewers got my packets in parallel and never knew it, and upon changing my status the second reviewer probably wouldn't have seen any evidence of the last status change having been from an appeal.
> I got a message notifying me that my application status had changed, but I did not get in. Then a day or two later, I got another one, to which I _did_ get in.
Back in the days before email was common, I applied for a postdoc position at <famous prof's lab @ MIT>.
I mailed my letter to <famous prof>, expressing interest in working in his lab.
A few days later, I asked 3 profs in my graduate program to write letters of recommendation on my behalf to be mailed to <famous prof>.
After ~10 days, I received a response letter from <famous prof>, to the effect of: "Sorry, my lab is full. Won't have any openings for several years. etc. etc. Thanks, but no thanks."
I figured "Oh well.... No big deal."
But I was too lazy to inform the profs who were writing my recommendations to stop.
About a week after my "rejection" letter, <famous prof> phones me and says, "I always send a standard rejection letter because I'm only interested in people who are _aggressive_. Thanks for sending your recommendation letters. I _definitely_ have openings in my lab."
I didn't have the heart to tell him that he only got those letters because of my laziness.
When I was a kid we had vending machines for drinks in school.
One morning I put 20p in and it immediately came back out. It wasn’t accepting the coin so I tried two in quick succession. Both were spat back out… but the machine registered one of them.
I of course would never exploit that repeatedly for a couple free drinks and some extra change too.
The soda machine in my dorm at college had separate mechanisms for “I released a soda” and “you actually got a soda” and if you knew this, you could trigger the “I released a soda” mechanism and delay the “you actually got a soda” event until after you got your money back. You just had to stick your arm up the machine and not let the released soda fall while you hit the cancel button. Then you got your money back and then a soda. Atomicity fail.
They were not around for very long but there was a soda machine that had a conveyor belt that drinks would drop down onto and then be pushed out of a flap door into the bucket. The machine could detect when a drink was actually vended but didn't seem to be able to detect when someone was holding the door shut. You'd pay for a drink and hold the door shut while the machine tried to push your drink out the door. Since the door wasn't opening, the machine would think that no drink ever dropped down onto the conveyor belt so it would mark that specific drink number as out of stock and return your money. Except your drink selection was still sitting on the belt. You'd pick a new drink and pay for it but this time not holding the door shut, two drinks would come out for the price of one. You could do this quite a few times over to either get a couple free drinks or just jam the machine. Out of all the vending machine "hacks" I learned about in middle school, this was the only thing that ever worked and only for a short time before they got quickly replaced.
The new machines use either a basket to hold the drink instead of a conveyor belt or some sort of shield to prevent you from messing with the flap door until it knows a drink has been vended.
Seems like it was working as intended, that if there was some blockage in the machine that resulted in the soda getting released but then getting stuck, you'd want a refund.
Somehow I doubt giving out unlimited free sodas is "as intended." This is why it's an atomicity fail, leading to an inconsistent transaction. It should never be blocked according to the payment mechanism and unblocked according to the delivery mechanism.
The tumble dryers in my halls of residence were meant to take 20p (oh, those were the days, it's probably a quid now), but if you put in a 1p slowly and kept turning the handle it would trick it.
Reminds me of my older brother's friend who in second grade got back in line to get his yearbook picture taken and showed up twice in the yearbook with slightly different pics.
Opposite experience here! Requested $100, got back $60 with two of them folded over on the corners. $100 debited from bank account, filed a complaint with the bank. They temporarily refunded the money, did an investigation, then said that the ATM actually settled at the correct number, and took the money back from me. Not cool.
Back before all of the banks were wired together, I had a friend with what we called a "bottomless ATM card."
He could withdraw whatever amount he wanted from the ATMs at college, but since that region's ATM network wasn't hooked up to his home bank's ATM network, it took months for everything to reconcile.
He could keep withdrawing, even if he had taken out far more cash than he had in his home bank account.
On breaks, he would go back home and pick up enough hours at his part-time job to cover the difference (it wasn't unusual for people to be paid weekly or in cash back then), make a deposit, and everything was fine. He just had to keep one step ahead of the computer batch processes.
Also, I think Chemical is Citibank now. I had a Chemical account, and a Dime account. I still think of Citi as "Chemical," though.
First time I'm hearing of an ATM dispensing $10 bills.
Back when ATMs were new, you could get any amount, including change.
The ATMs at the Chase bank next door currently dispense any bills you want, but not change. After you tell it how much you want, it asks you how you would like it and you can tap different denominations.
No, the bug was in the withdrawal code. Concurrency bug: numerous simultaneous withdrawals have a high chance of succeeding and you are able to withdraw more than your actual balance. Very common in amateur-coded websites.
Sure, but if silk road waited for X confirmations, it would have made it at least a bit more complex to pull off.
(Maybe you could have just hammered it continuously, but hopefully would have to predict when the blocks would be confirmed. They’re not exactly every 10 minutes).
It’s not exactly related to this hack, but poor blockchain practice on the part of Silk Road if it permitted withdrawals this quick after deposits.
From what they said it sounds like the issue was executing the same withdrawal request more than once, unrelated to the bitcoin confirmation window. The fraudulent withdrawals had to happen on the same second, not merely on the same hour.
If the bug is a read-modify-write sequence without a transaction, then regardless of whether you wait for more confirmations, the withdrawal action will always be racy and vulnerable to this exploit.
Not waiting for confirmations would leave you vulnerable to random chain forks and make 51% attacks cheaper.
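The DOJ description quoted earlier (a 500 BTC deposit followed by five 500 BTC withdrawals within the same second) and the read-modify-write point made just above describe the same bug, so here is one added example that reproduces it and the fix. This is illustrative code of my own, not Silk Road's code (which is not on this page), run on SQLite so it works offline: a threading.Barrier forces every request to finish its balance read before any of them writes, which is the interleaving a fast client gets by luck. The vulnerable version does SELECT, check, UPDATE as separate statements; the hardened version does the check and the debit in one conditional UPDATE under a write lock and records the request id with a UNIQUE constraint in the same transaction, which is the "nonce" a commenter asked about earlier. Schema, table names and amounts are this example's assumptions.

```python
"""Over-withdrawal race on SQLite: check-then-act vs. one conditional UPDATE.
Added example, not Silk Road's code. Schema and names are invented here."""
import os
import shutil
import sqlite3
import tempfile
import threading


def _connect(db_path):
    # isolation_level=None is autocommit: each statement is its own transaction
    # unless we issue BEGIN ourselves. timeout is how long a writer waits for the lock.
    return sqlite3.connect(db_path, isolation_level=None, timeout=5.0)


def init_db(db_path, opening_balance):
    conn = _connect(db_path)
    conn.executescript(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);"
        "CREATE TABLE withdrawals (request_id TEXT PRIMARY KEY,"
        "  account_id INTEGER NOT NULL, amount INTEGER NOT NULL);")
    conn.execute("INSERT INTO accounts (id, balance) VALUES (1, ?)", (opening_balance,))
    conn.close()


def withdraw_racy(db_path, account_id, amount, request_id, barrier):
    """Vulnerable: balance read in one statement, written in another, so every
    concurrent request passes the check against the same stale balance."""
    conn = _connect(db_path)
    try:
        (balance,) = conn.execute(
            "SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
        barrier.wait()  # stand-in for "five requests within the same second"
        if balance < amount:
            return False
        conn.execute("UPDATE accounts SET balance = ? WHERE id = ?",
                     (balance - amount, account_id))
        conn.execute("INSERT INTO withdrawals VALUES (?, ?, ?)",
                     (request_id, account_id, amount))
        return True
    finally:
        conn.close()


def withdraw_atomic(db_path, account_id, amount, request_id, barrier):
    """Hardened: check and debit are one statement under the write lock, and the
    request id is recorded in the same transaction so a replay cannot pay twice."""
    conn = _connect(db_path)
    try:
        barrier.wait()  # same starting gun, so the requests still collide
        conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading
        try:
            cur = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
                (amount, account_id, amount))
            if cur.rowcount != 1:  # insufficient funds (or no such account)
                conn.execute("ROLLBACK")
                return False
            conn.execute("INSERT INTO withdrawals VALUES (?, ?, ?)",
                         (request_id, account_id, amount))
            conn.execute("COMMIT")
            return True
        except sqlite3.IntegrityError:  # duplicate request_id: replayed request
            conn.execute("ROLLBACK")
            return False
    finally:
        conn.close()


def run_scenario(withdraw_fn, opening_balance=500, amount=500, attempts=5):
    """Deposit once, fire `attempts` concurrent withdrawals of `amount`, report the outcome."""
    tmpdir = tempfile.mkdtemp()
    db_path = os.path.join(tmpdir, "exchange.db")
    try:
        init_db(db_path, opening_balance)
        barrier = threading.Barrier(attempts, timeout=10)
        results = [False] * attempts

        def worker(i):
            results[i] = withdraw_fn(db_path, 1, amount, f"req-{i}", barrier)

        threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        conn = _connect(db_path)
        (balance,) = conn.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()
        (paid_out,) = conn.execute("SELECT COALESCE(SUM(amount), 0) FROM withdrawals").fetchone()
        conn.close()
        return {"succeeded": sum(results), "balance": balance, "paid_out": paid_out}
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def replay_is_rejected():
    """The request id is the nonce: the same request submitted twice pays out once."""
    tmpdir = tempfile.mkdtemp()
    db_path = os.path.join(tmpdir, "exchange.db")
    try:
        init_db(db_path, 1000)
        solo = threading.Barrier(1)  # a one-party barrier never blocks
        return (withdraw_atomic(db_path, 1, 100, "req-dup", solo),
                withdraw_atomic(db_path, 1, 100, "req-dup", solo))
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print("racy:  ", run_scenario(withdraw_racy))    # 5 succeed, 2500 paid on a 500 deposit
    print("atomic:", run_scenario(withdraw_atomic))  # 1 succeeds, 500 paid
    print("replay:", replay_is_rejected())           # (True, False)
```

The racy run pays out 2500 on a 500 deposit, the 2000 net gain the DOJ text describes for one account. SQLite serializes writers, so the single conditional UPDATE is sufficient there; on a server database the same statement, or SELECT ... FOR UPDATE followed by the write in one transaction, gives the same guarantee, and the UNIQUE request id protects against the separate problem of the same request being submitted or retried twice.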
> " IRS-CI Special Agents are the best in the world at following the money through cyberspace or wherever our financial investigations lead us. We will continue to work with our partners at the US Attorney’s Office to track down these criminals and bring them to justice."
They might want to look into this:
Many U.S. corporations use offshore tax havens and other accounting gimmicks to avoid paying as much as $90 billion a year in federal income taxes. A large loophole at the heart of U.S. tax law enables corporations to avoid paying taxes on foreign profits until they are brought home. Known as “deferral,” it provides a huge incentive to keep profits offshore as long as possible. Many corporations choose never to bring the profits home and never pay U.S. taxes on them.
Yes, these tax loopholes are legal, but I bet the IRS and its world-class money trackers could, if they wanted, find quite a few outfits going well beyond what's technically legal.
They could, but then the IRS would have to contend with an army of lawyers to claw their money back. In this case, going after a small-time criminal with no connections is an easy win, so it makes sense from a resource allocation perspective for them to focus on cases like this instead.
Anyone who stole and has held on to 51,000 BTC is not exactly a small-time criminal any more.
They were when the theft occurred, but this is like when you steal a cargo container full of crap, and five years later discover that both the Mona Lisa and a nuclear football are in it.
> They could, but then the IRS would have contend with an army of lawyers to claw their money back.
Always reminds me of how Scientology managed to get charitable. tl;dr: Cause so much work for the IRS (or appear to be able to do so) and they'll back down.
The tax code is like the MasterLock of laws: looks complex on the outside, keeps honest people honest but is so weak it can be exploited by anyone willing to do so.
More in PostgreSQL documentation https://www.postgresql.org/docs/current/transaction-iso.html