Hacker News new | past | comments | ask | show | jobs | submit login
US Attorney Announces $3.36B Cryptocurrency Seizure in Connection with Silk Road (justice.gov)
320 points by jmsflknr on Nov 7, 2022 | hide | past | favorite | 276 comments



The originally hack was caused by the fact that Silk Road was running PHP on MySQL without transaction isolation. Many early crypto exchanges had similar withdrawal bugs as they were running on LAMP stacks - MySQL has been notoriosly famous for having lax transaction isolation. Sometimes you could overwithdraw just by hitting refresh fast enough in a web browser.

If you deal with money use PostgreSQL + SERIALIZABLE transaction isolation level to be sure.

More in PostgreSQL documentation https://www.postgresql.org/docs/current/transaction-iso.html

Also Zhong was 22 years old script kiddie when he hacked Silk Road. Any smart criminal would have left United States long time ago if you sit on the top of $3B stash.


A lot of the early Bitcoin stuff was toys which became something more than toys faster than the people running it could transform the toy infrastructure at it's core. In most cases, they didn't have the experience necessary to make it something better. Mt Gox was just a reused domain and was origionally an exchange for Magic the Gathering!



...how modern are we talking? SERIALIZABLE existed over a decade ago. It's mentioned here in a 2009 post.[0]

[0] https://ronaldbradford.com/blog/understanding-mysql-innodb-t...


As someone who very briefly poked around Silk Road at the time (just created an account), and as someone who has used PHP with the LAMP stack occasionally over the years, I am completely unsurprised. Race conditions can be pretty tricky to prevent in PHP, since the state is contained within different threads that can’t trivially communicate with each other. You need to be proficient with global state mutation such as via Redis or SQL.


At the same time, this is like... data integrity 101. For future reference if you want to build a system that manipulates valuable information (such as monetary accounts), and you've never done anything like that before:

Please pick a database (relational or otherwise) with ACID transactions and replication, buy at least two different textbooks on that specific database, read both, do any exercises they suggest, and then decide whether you still want to build that system. If yes, then cool: don't hold me responsible if anything goes wrong, but you need to learn somehow.

Yes, it's possible to build systems like that on non-ACID-compliant databases, or without using the ACID functionality. It's much harder, though, and you really must understand what you're giving up in order to have a reasonable chance of success.


Probably the code had logic such as the following, which from an amateur perspective, seems to work. After all, the first check prevents the withdrawal if the account balance is too low, so what could go wrong?

  $balance = sql_query(“SELECT balance FROM accounts WHERE account_id = “ . $account_id);
  if ($withdrawal_amount < $balance) {
    withdraw_funds($account_id, $withdrawal_amount);
  }
The correct solution of course requires putting the checks in an ACID transaction along with the account balance updating. This requires more work upfront (SQL is harder to write than PHP) and an impatient amateur coder probably didn’t think of it. Also I’m guessing they didn’t properly index all the DB columns and this made transactions take longer which exacerbates race conditions.


IMO this is backwards advice. Traditional relational databases with ACID go to great lengths to create the illusion that there's a single, global state, and that's what leads to people doing things like check-and-set that seem to work. You're far better off using a non-ACID database, simply because incorrect approaches will fail more visibly and more often. Ultimately you do the same amount of work either way, but using a non-ACID database forces you to do it upfront rather than letting you silently mostly succeed with a fundamentally broken data model.


This is a really optimistic take...

Realistically your DB of choice will probably try and tackle ACID half-heartedly because it's what devs expect, and that will lull you into the same false sense of security.

Many "eventually consistent" DBs will still have some concept that uses the word "transaction" that works like one until it doesn't (see DynamoDB and multi-region gotchas)


Your comment is not true for high quality databases like PostgrSQL. Check-and-set just works on the correct isolation level. There is no isolation, your transaction will fail and be rolled back.

If you are new to the subject there are extensive reports available from Jepsten, one of the leading names in distributed system and ACID anomaly testing and research.

https://jepsen.io/


> Check-and-set just works on the correct isolation level.

Which is not the default one.

> There is no isolation, your transaction will fail and be rolled back.

How so? Isn't it more likely you'll silently corrupt your data?

Even if it does fail noisily, this is a condition you're unlikely to hit in testing, so you'll probably be dealing with it in production.


Well, the database is there to manage and defend the data if only properly instructed to do so (CHECK constraints, locking, serialization.)


True, but it’s still not trivial, unless you’ve thought of the race condition problems in advance. My guess is that instead of keeping all the withdrawal logic in a comprehensive DB transaction with good constraint checking, the code was broken up into multiple sequential PHP statements with transactions of simpler SQL (which is likely easier from a coding perspective) and with insufficient locking. This is the easier way to code it if you haven’t thought of or heard about race condition issues.


Yes, I'm sure that's what happened. The money withdrawal scenario is the classic example for locking in any database programming classroom but not everybody went through that or remembers it.


Even if you're not 100% sure in your DB code you can do defense in depth approach and have the code that does the money operations do some checking too.

Even executing queued operations with few seconds delay allow you to notice say a series of withdrawals putting account in negative


Yeah, and it’s Bitcoin withdrawals, nobody expects it to be anywhere near instant. I doubt the market place set its transaction fees very high either.

But then you have to create a queue that only runs 1 transaction per second. I guess another imperfect but simpler way is to create a batch file of transactions, execute hourly, but randomize or sort the sequence in a way to make sure related transactions aren’t executed together.


Can confirm. Did a double withdrawal (of about 10$ at the time) on an exchange years ago by blocking a POST request and firing two at the same time.

I alerted the exchange operator and he let me keep the 10$.


And failed to even depend on bitcoin’s double-spend protections. He deposited and was able to withdraw those deposits within seconds: before any block was confirmed on the blockchain.


It wasnt worth anywhere near billions when he stole it. It wouldn't have been worth that much until very recently


It was around 50k - 250k USD in 2012.


Can anyone explain how a serialization anomaly as described in PG docs can result in a double withdrawal?

Seems to me that REPEATABLE READ mode should be sufficient, but I'm not sure.


Sorry, you lost me at PHP on MySQL for financial transactions. That's hilarious.


PHP isn't the issue here. Repeatly posting to any page normally would result in no security issue. If the balance is checked before each withdraw each request would be processed. Better method is a request is written to a transaction table and processed in sequence.


they would have arrested him overseas too


Yeah, look no further than the example of Kim Dotcom.


I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade again.

This feels way less like “pursing justice” and more like trying to track down everything the just I’ve department can seize and auction off. If Bitcoin hadn’t drastically increased in value since the original event, would this have ever been tracked down?

I cant even count the number of much more consumer-impacting crypto-related frauds, crimes, and hacks from the last 3 years that would be more deserving of justice department attention, rather than focusing resources and attention on a double withdrawal bug from an illegal marketplace from a decade ago.


> I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade again.

1. I suspect that the justice system feels that, as a matter of principle, they ought to keep the heat on darknet markets generally. That getting darknet market related arrests in the news has deterrent value, and shows they're doing their job. Obviously, arresting operators or big sellers would be even better - but any darknet market arrests are better than none at all.

2. They recovered $3.3 Billion, so the ROI on agents' time is probably pretty good. American society loves it when police departments are funded with criminals' money, through aggressive traffic ticketing and civil forfeiture! So this is really no different to fining a driver for doing 55 in a 54, except with much less police time used. From a certain perspective, this is one of the most productive uses of resources the department could possibly make.


1. I agree, it’s a bit tangential to call this a “darknet market arrest” instead, since the “darknet market” was the “victim”.

2. People largely hate when cops find someone for doing 55 in a 54, so it’s probably not a great example, but I think supports my point. This isn’t about solving an actual crime, but about optimizing for how much money the justice department is able to collect. I said elsewhere that this would be more reasonable as a tax investigation, but it’s not, and it’s (in my opinion) a pretty bad precedent that investigations should be prioritized by “how much cash can we seize”


> I said elsewhere that this would be more reasonable as a tax investigation

It was also a tax investigation, which is why IRS criminal investigatoes were involved, and there clearly were tax violations involved, they just weren’t part of the plea bargain.

> it’s (in my opinion) a pretty bad precedent that investigations should be prioritized by “how much cash can we seize”

I agree that prioritizing prosecutions that way would be, but Zhong doesn’t seem to have particularly been a prosecutorial priority. OTOH, spending investigative resources to find know forfeitable assets under an existing conviction seems a perfectly sane and responsible use of resources


What parallel universe do you guys live in where there's a 54mph or 54kmh?

:)


It's a reference to the famous Jay Z track, 99 problems


It’s probably because he accumulated billions of dollars of property that weren’t taxed, and illegally on top of that (although they were worth much less at the time).

It kind of sucks for him that he had to forfeit the Bitcoin and not just the dollar amount he stole at the time. I am sure if it was the other way around, and Bitcoin went to $0, they would take the historical dollar amount he stole instead.


I could completely see an argument for tax evasion, that is a crime where the technical victim is the government (and thus, citizenry), not where the victim is an illegal operation that no longer exists.

However, he isn’t being charged with a tax crime. He’s being charged with “wire fraud” for double withdrawing from Silk Road.


So committing a crime against criminals is OK?


I can see you just trying to bait me into a non-productive debate, so I will say this.

I am not going to make any statement regarding whether or not financial crimes against known and convicted criminal enterprises should be deprioritized in relation to crimes against regular citizens.

In this case though, the "victim" has not existed for over 9 years and will never exist in the future, there are no ongoing victism, and there are no downstream victims to return restitution to.

I do not believe the justice department should be pursuing cases (cold or not) where the only goal is siezing (not recovering) assets for their own benefit.


Capital gains are not taxable until they are realized through sale of the assets. I would not expect he had any tax liability yet.


Stealing an asset and keeping it is considered “income” in that tax year, I believe. You would only be correct if he stole Bitcoin when it was worth 0, but it wasn’t.


That's true, he'd owe taxes on the $500k it was worth at the time.


> I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade again.

If you're not going to track down $3.36B after a decade, you really shouldn't pursue thefts of less than $1M ever.


I agree, we should let crypto scams of all kinds proliferate and flourish.

Just kidding, haha. I agree that many more recent events have been more impactful, and hopefully they’re pursuing those too.

I mean the sheer numbers of ICOs with somewhat notable people involved purely to make a quick buck would be a good place to start


Low hanging fruit. We recovered X.y billion in BTC (valued at that time) hand waving, patting each others back. Instant promotion.


They were not just any bitcoin, they were missing silk road bitcoin. The fed had been looking for these 50k btc for awhile.


I doubt they’ve been actively investigating him for 10y. Probably went through the transaction logs right at the beginning and flagged the addresses.

Big withdraws suggests seller. Big deposits and withdraws without sales suggests launderer. Small deposits, or sales and big withdraws suggests insider.

Dude finally slipped up and got identified.


If we ever go back into a mercantilist economy based on bitcoin, the US is setting itself up to be in a solid position.


> I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade again

They found the kid in the process of looking for the missing forfeitable BTC from Silk Road. Which explains why the resources...


Since there continues to be "crypto-related frauds, crimes, and hacks" then they need skilled group of crypto investigators. Think of this case as practice.


You're right it sounds like he's a real nice guy and sitting on 3.36 billion dollars for a decade sounds like time served to me. I just can't get behind the concept of "Why did they arrest me for X when there is something wrong happening over there?" It just doesn't work that way, there are plenty of things happening ant the same time and you're just making some weird assumption that the IRS bitcoin task force could have been some completely different department chasing a completely different crime.


This is Hacker News, different morality applies here


>Specifically, law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet.

It's interesting how the defendant tried to hide his bitcoin holdings in very low-tech ways.

The utility ease of holding bitcoin is apparent with this seizure. What other asset could you hide the equivalent of $1B USD in a floor safe and a popcorn tin and without having to use a 3rd party custodian?


The potential value-density of crypto is unmatched, but I'm not sure it is "easy" to store in a manner like that.

If another resident of Zhong's household had discarded the popcorn tin, he could have been out $1B. It's is difficult, but not impossible (see fat-finger transactions) to do that with other asset classes.


Holding a large amount of cryptocurrency without multiple backups spread around various geographical locations is foolish. So ultimately to store cryptocurrency securely, its never actually easy when you get down to the nuts and bolts of it.


Who said he didn’t have any other backups elsewhere?

Impossible to prove he didn’t have his private keys backed up elsewhere.


Steganography might've been interesting way to deal with it, make big QR code with credentials to 1M wallet and hide 1B wallet info as steganography in that picture


"There's always money in the banana stand!"


Agreed, the risks here are pretty high. Even just some catastrophic disk failure.


> The utility ease of holding bitcoin is apparent with this seizure. What other asset could you hide the equivalent of $1B USD in a floor safe and a popcorn tin and without having to use a 3rd party custodian?

Back in the day, the answer would have been bearer bonds, but they're no longer popular instruments.


> bearer bonds

The financial instrument of choice for movie heist villains from the 1970s to early 2000s.


And the Italian Mafia until at least 2009!

https://en.wikipedia.org/wiki/Chiasso_financial_smuggling_ca...

> The total value of the counterfeit bonds was estimated at approximately one percent of total U.S. GDP in 2008


Good lord, that story is insane.

Some choice excerpts:

> ... Japanese nationals in their 50s ... who had attempted to enter Switzerland with a suitcase ... containing what ... appeared to be U.S. Treasury Bonds worth $134.5 billion.

Enough to buy a couple of Twitters!

> The Financial Times also reported that the two suspects "had been released" by Italian authorities.

??????????????????????

edit:

> On September 18, 2009, a similar incident was reported ... by the Italian financial military police ... involving two Philippines nationals smuggling purported U.S. Treasury bonds valued at approximately $180 billion

Why do these involve Asian nationals? I'm just not a good enough crook to determine the advantage here...

> On February 17, 2012, it was reported that Italian police had seized $6 trillion in counterfeit U.S. bonds....

If you're gonna commit a crime, you might as well swing for the fences, eh?

This is Dr. Evil type stuff!


> Why do these involve Asian nationals? I'm just not a good enough crook to determine the advantage here...

Kansas City shuffle. You find someone who wants to help run the con, but they're actually the mark.


What a fascinating story. Very mysterious...

> The Financial Times also reported that the two suspects "had been released" by Italian authorities.

I guess they helped direct the police to the actual counterfeiters.

> An earlier billion-dollar bond case was recorded in 2002, when the United States Court of Appeals for the Seventh Circuit, located in Chicago, heard a case from two men who sought $100 billion from the Federal Reserve Bank of Chicago.

So two guys tried to bring a fake bearer bond worth $100B and tried to cash it out? That's hilarious. It also sounds like they didn't even get in trouble.


They’re still relevant in that there’s always a chance someone may ask you to “do a Die Hard.”


New bearer bonds were outlawed forty years ago is why.


The world extends beyond the US. The Panama Papers showed that bearer bonds were alive and well all the way until the mid-2010s, and Panama itself only phased them out in 2015.


Which is why I think it's absurd to think it's a coincidence that the rise of crypto happened at the exact same time world financial task-forces snuffed out bearer bonds and offshore anonymous accounts.


I wonder what percentage of old companies are still owned by « bearer » shares.

At least investment/corporate bonds usually expire, so the bearer ones eventually wash out.


The money would have probably would of been safer stored as 12 words on an unhidden disused iPhone.


A 4D chess move would be 12 1-word game saves on an old GameBoy game cartridge that is hidden amongst hundreds of other GameBoy cartridges.


People have memorized pi out to absurdity - surely one could memorize 192 bits with enough incentive?


The first 12 words of the last paragraph of the 42nd page of your favorite book.


For comparison at $14k an ounce you would need 72,000 oz of rhodium, the most valuable PM, in order to hit a $1B.


Antimatter is allegedly valued at $2,700,000,000,000,000 per gram, so you could fetch a billion for 0.37 micrograms of it. Don't try storing it in a popcorn tin, though.


That's more of a manufacturing cost than a market price, isn't it?


I mean, the magnetic field to hold it doesn’t weigh anything either.


Sounds like it was just stored on a Trezor or Ledger hardware wallet.


Presumably this would be the case with any purely-digital asset class that has the ability to be encapsulated in a physical token or offline digital storage device.


the problem with that type of utility being that maybe the defendant was the only person who could "cash in" these bitcoins... an untimely traffic accident away from another 50k bitcoins "lost" without the password to recover them...


and no encryption apparently too


This is baffling. It would be remarkably easy to memorize 12 words, then keep no active wallet anywhere. When you want to send coins, start up a desktop wallet, enter the 12 words, send some Bitcoin, then delete the wallet.


If this was a really old Bitcoin wallet, it could be from before the "12 words" thing. IIRC, older wallets randomly generated each key, instead of deriving them from a seed passphrase (which also meant you had to be really careful with your backups, since an old backup of the wallet wouldn't have its newer keys).


I am sure you’re right. But you could just send the funds to a new address in the new wallet. He could have done that at any point in the last 5+ years.


And one day you hit your head and can't remember the words anymore.


maybe buy twelve items that represent the words and have them around the house


I saw that movie!


What is the movie?


Would he want to have all the funds in 1 wallet?

(I understand these hardware wallets let you load up as many as you want.)


He was more or less doing that already anyway. He could at least have used an even moderate amount of modern Bitcoin opsec.


> JAMES ZHONG pled guilty to committing wire fraud in September 2012 ... ZHONG pled guilty on Friday, November 4, 2022, ...

> U.S. Attorney Damian Williams said: “James Zhong committed wire fraud over a decade ago...."

The statute of limitations for mail fraud and wire fraud prosecutions is five years (18 U.S.C. § 3282), except for mail and wire fraud schemes that affect a financial institution, in which case the statute is ten years (18 U.S.C. § 3293).[1]

Lawyers please explain. Also, who was the victim here, and who reported the crime?

[1] https://www.justice.gov/archives/jm/criminal-resource-manual...


I don't think bitcoin was even a recognized currency until 2014.. It is utter madness that someone can make a game today and you can be tried for winning on players technical errors a decade after the IRS decides if it is a serious speculative game. It's like back in the first MOOGs where people wanted to arrest in game thieves. Talk about killing your industry.


If you trick somebody into giving you something, and they consider that thing valuable, you're on the hook for fraud. Doesn't have to be about official coins. Of course, if you're playing a game where thieves are part of the game, you have to accept that. Or not play the game.


In 2013 FinCEN and the IRS declared that Bitcoin was always property so you can't make some kind of "it's just a game" argument.


In 2013. He pled guilty to wire fraud in 2012. Can FinCEN/IRS retroactively determine something (like tradable skins in a game) is property and prosecute people over it?


If you can own it, it is property; if people are paying money, or exchanging goods or services with value, for it, it is valuable property. Enforcement agencies publishing a ruling or opinion as go what kind of property it is (and isn’t) isn’t what makes it property.


If you find a bug in a multiplayer FPS (let's say d-pad rocking to allow you to wall-climb or something) that gives you a competitive advantage, and you use that competitive advantage to best players and win their assets in combat, can you be arrested for fraud/theft?


If you systematically use it at large scale and make enough money to be worth prosecuting yes. People have been arrested for writing code to play 100000 FIFA games a day in order to get in game coins to sell (https://www.theregister.com/2016/11/14/ea_hackers_charged_fo...). The wire fraud statute is incredibly vague and can be used to justify almost any prosecution. Some others: using fake names on accounts used for botting Ticketmaster is wire fraud, a wire transfer made as part of a commercial bribery scheme is wire fraud even though commercial bribery is legal federally.


That's why I emphasized always. The laws and precedents saying that anything that quacks like property is taxable property are decades old so they predate Bitcoin. In 2013 the government just said "Remember these laws from decades ago? No? They apply to you."


> In 2013. He pled guilty to wire fraud in 2012.

He pled guilty on Nov 4 2022, the wire fraud occurred in 2012.


If it's not property, what is it?


Bitcoin has been classified as a commodity, not a currency, so I’m not sure what you’re talking about.

I’m not sure why you’re downplaying this. If I maliciously exploited a video game for serious financial gain today, there’s a good chance that will be a crime.


> I don't think bitcoin was even a recognized currency until 2014..

It is not legally a “recognized currency” now (“virtual currencies” are essentially treated as non-currency properties), and it was both property and had value before 2014.


Wouldn't it at the very least be a recognized foreign currency, since it's the official currency of 1(?) country


Maybe; i was thinking of the treatment of crypto generally and the fact that BTC specifically has been adopted as legal tender and thus might be “foreign currency” rather than merely “virtual currency” to the extent that makes a difference.

I don’t think it matters to the offense here, which only relies on it being property with value, though.


> Also, who was the victim here, and who reported the crime?

The crime seems to have been discovered as part of the tracing of assets subject to seizure in the Ross Ulbricht cases, which is why the bukk of the assets were seized and filed for forfeiture as part of that case, and not the separate case against Zhong.

On the statute of limitations issue, its worth noting that limitations may be waived in a guilty plea, and that a defendant might do so to a lesser charge rather than facing trial on more or more serious charges (such as money laundering and/or tax fraud and/or evasion charges relating to the subsequent transactions involving the Bitcoin, which occurred at least as late as 2017, would be well within the 6-year SOL that would be applicable there.)

EDIT: To be clear, I haven’t seen a link to the Zhong plea bargain or any indictment it may have replaced (much less what prosecutors might have waived at his defense as potential charges that were never filed), so the above on the Statute of Limitations is observation of what is possible in general and how that might relate to the case, not an explanation necessarily of what did happen in the case. While there are other ways the statute of limitations might have applied differently in this case than it superficially would seem to (e.g., tolling for a request for.foreign evidence if some was used to ttace the funds) the way described above still seems most likely to me, in the absence of more facts.


I just started law school so don't take this answer as definitive but a couple of things I thought of were: 1. For the statute of limitations, I believe that the time point to look at is when the lawsuit was filed (as opposed to when the guilty plea comes through). All that matters was that lawsuit was filed __before__ the statute of limitations ran out. 2. Additionally, there are scenarios where the law/courts will allow people to file suits after the statute of limitations runs out but that varies by jurisdiction and by the law that governs the crime committed. (For more info, you can check out equitable/statutory tolling).


It is called a john doe defendant. The investigation was was opened before 2017, which was the deadline, in secret. When they found the guy they changed the name from Doe to Zhong . Had the feds waited until 2018 or so before opening an investigation, it would have been too late. The statute of limitations expires only if no investigation is ever opened.


If this is actually a legitimate thing, it sounds like the most ridiculous abuse I've read in this thread. By this logic there is no reasonable concept of 'statute of limitations' if a "secret" investigation can always be opened (or assumed to have been opened).

The only reference I can find to what you're describing seems to apply to civil suits only, where the legitimate defendent name is substituted back in during discovery. It does not appear to be a stand-in in criminal investigations.


The biggest misconception is that the statute of limitations means all you need to do is run down the clock. nope. as soon as there is enough evidence to open an investigation there is no expiration unless the investigation is closed and this is all done in secrecy. Rather, the deadline is from when the crime last occurred to when the investigation is opened. For example, the investigation into the identify of the 2011 geezer bandit is still ongoing despite the most recent robbery being a decade ago. Regarding the bank robber, it's not a secret because the feds are looking for leads from the public who have be able to identify him by appearance, but in the case of the hacker it does no good to put up wanted posters.


At the spot price at this time, 51,680.32473733 Bitcoin is worth $1,066,821,439.46 (~$1.06B) USD. Some difference from the ~$3.36B on November 9th, 2021.


And in September 2012, the time of the heist, they were worth about $500k.


Most news and law enforcement will always inflate the numbers like that.


That was the value at the time of seizure, which is most-likely the correct time at which to value it.

It is true that the news would probably use the larger number if BTC had gone up in price since then, but I suspect that the official statement would always quote the value at the time of seizure (perhaps with a parenthetical to highlight a greater present-day value).


> That was the value at the time of seizure, which is most-likely the correct time at which to value it.

It should be marked to value at time of the crime. Value of the property is often a metric used for setting the charges/punishment and he had no idea it would appreciate the way it did. He shouldn't get penalized for it appreciating.

May differ internationally but to my knowledge it works that way over most of the US.


> It should be marked to value at time of the crime. Value of the property is often a metric used for setting the charges/punishment

In the context of charges/punishment, when thr charges apply to specific direct proceeds, that would seem correct.

In the context of reporting a seizure, the value at the time of the seizure is relevant.

Those are two different things, even though they might relate to the same property at different points in time.


Good point. I suppose it’s a measure of disruption.


> Specifically, law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet

Weird that he went through all this trouble to physically hide the wallets but did not use encryption...


Seems like it was stored on a hardware wallet like a ledger or trezor.

He most likely voluntarily gave them the passwords and access as he turned himself in as well as turned over additional bitcoin.


Almost like the details released don't match up with reality.


The article does not say he didn't.


My thoughts exactly.


With a public blockchain, it seems at least technically possible to seize any funds that were used in a transaction later shown to be illegal.

If you thought KYC constraints were invasive today...


That is probably the fastest way to kill crypto. Seizing any coins involved in illegal activity, even if it's been through numerous other owners since (and for legal purchases). Once everyone is asking if the coins they are getting are clean they'll stop acquiring coins.


China, Russia, Egypt, and many others have already banned crypto and seize any assets regardless of legality and it hasn't killed crypto yet.

Even the USA as the largest economic market in the world couldn't kill crypto by seizing assets as there are dozens of other countries that will keep using crypto for the anti-corruption, stability, and efficiency benefits it provides. It's a lot like the internet where a country can ban or control it but ultimately it only harms their own citizens and prevents them from properly competing on the world stage.


Government cleans crime proceeds when they auction it off. Same for planes and cars.


Yes, but that is after they seize it.

If a criminal steals my bitcoin and spends it, everyone who accepts it and everyone who accepts it from them is taking delivery of stolen property, trivially traceable back to me. I'll want it back, because it is mine and was stolen.

https://en.wikipedia.org/wiki/Possession_of_stolen_goods

As a practical matter, if crypto continues to gain adoption, law must emerge to keep the ecosystem from getting jammed up.


Which government, and are there international agreements about this?


USA federal government sold seized bitcoin years ago. https://www.reuters.com/article/us-usa-bitcoin/venture-capit...

And local and State government. https://www.nyc.gov/site/nypd/services/vehicles-property/pol...

USA is sovereign and does not respect international agreements.


Ireland sold seized Monero (XMR) and Bitcoin (BTC) in an online auction in 2019. I think they even opened it up to foreigners.


I'd assume whichever government seized the goods.


Isn't that just admitting that the primary use case of crypto is illegal activity?


No -- it means that a single instance of illegal activity can potentially be charged-back by a government through a web of otherwise-legal transactions at any time. The immutable historical retention of all transactions has at least the capacity to threaten the immutability of transactions in the real world.


> Nearly five years after ZHONG’s fraud, in August 2017, solely by virtue of ZHONG’s possession of the 50,000 Bitcoin that he unlawfully obtained from Silk Road, ZHONG received a matching amount of a related cryptocurrency — 50,000 Bitcoin Cash (“BCH Crime Proceeds”) — on top of the 50,000 Bitcoin.

And presumably, this is how he was caught. He hid his identity really well. The withdrawal of BCH eventually led to his downfall.


It didn’t, not officially anyway.

The feds pinned him on what appears to a mixup by the accused between his “unclean” and “clean” wallet wallets when dealing with a crypto broker with an IP that pointed to his house for several years.

Starts around 22 here: https://www.justice.gov/usao-sdny/press-release/file/1549821...


What are you basing this on? It could have been any other possibility


Pretty impressive that we've advanced technologically and as a society to the point where we can now store somewhere between much and all of the GDP of Belize " (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet."



What's stored on the computer is a number that gives access to a wallet. You could also store a number that gives access to a Swiss bank account on a piece of paper in the 18th century. I wouldn't call the technology advanced.


This guy had 3 billion dollars in stolen crypto and didn't flee the country? Insane.


Not only that, he didn't even use much of it for the past 10 years. Atleast he didn't have to work after college though : https://www.linkedin.com/in/jimmy-zhong-01678025


>Large early bitcoin investor with extensive knowledge of its inner workings.

An interesting way to put it.


No, he had $500k in stolen crypto. This was 2012.


The question is will the USA government refund what was stolen to the victim "Silk Road"? (https://www.investopedia.com/terms/s/silk-road.asp) Is there a protocol for this kind of event?


TIL that you can get in trouble for stealing from other criminals


Why would that be surprising? You can't murder them, either.


In some (even US) jurisdictions they call it 'mutual combat' [0] and overlook it. In some places like Washington State (not: not legal advice) one may be under the impression criminal-on-criminal combat is explicitly legal. There's also a lot of historical context (think outlaws in wild west) that suggests that those in the American West may culturally not find it surprisingly that the public would generally be OK with criminals doing themselves in.

It's my understanding that in Texas it may even be possible that killing thieves is legal there in some circumstances as well.

Edit: perhaps I wasn't as explicit in the part to read between the lines. The police in US are oft perceived as being more likely to 'overlook' or consider it 'mutual combat' for acts against criminals. I don't think the analysis "that has nothing to do with them being criminal" is really a fair conclusion.

[0] https://torontosun.com/news/world/no-charges-in-deadly-chica...


That has nothing to do with them being criminals, though. You and I could engage in mutual combat, if we wanted. Muhammad Ali got paid quite a bit to do it.


Couldn't this guy say "silkroad knew I was doing this and approved". Prosecutors would have to get someone from the silkroad to testify to counter that.


That’s probably what flagged them in the first place: Lots of withdrawals without any deposits or sales, so appeared to be a site operator.


Using/owning proceeds of a crime is a crime.


But don't the prosecutors have to prove you knew they were proceeds of crime?


With this context that's the easy part. His behavior - in numerous ways - revealed he knew what he was doing and knew what Silk Road was.


Did Silk Road offer anything legitimate? I assume fake followers for social networks isn’t illegal in the US.


This logic didn't work for Armin Meiwes, it probably wouldn't work for this guy either.


In a honest state, with great powers, come great regulations about what you are supposed to do with such powers. Occasionally some responsibility too.


You also should report that income to the IRS.


Interestingly, in this case Silk Road is the Victim, not the accused.


If that is truly the case, could the 'Silk Road' drop the charges?


> This seizure was then the largest cryptocurrency seizure in the history of the U.S. Department of Justice and today remains the Department’s second largest financial seizure ever.

If past history is any guide, the proceeds will be auctioned, making DOJ the largest government-sponsored bitcoin dealer in the world.


Interestingly, this will increase the supply of Bitcoin. Because more will be in circulation, having been cleared by the U.S. government. Who wouldn't want those squeaky clean coins!


The linked affidavit has more of the interesting details. Looks like the agent worked with the guy's ISP and a well-known crypto exchange to do some old fashioned IP tracing.


The guy didn't even use VPN? That's pretty amusing for a billionare thief.


Had a static ip address for a few years, lol


Claimed to have lots of VPNs too.

Lotta crypto brokers look down on VPNs for obvious reasons.

But they seemed to have gotten their wallets mixed up and that gave away their identity on of one of the early 10k Bitcoin wallets.


The US could crash BTC by trying to sell all of this now.


No. There isn't enough liquidity in the market to even sell that amount. They also do these things over the counter, in auctions, which wouldn't have an effect on market pricing at all.


“ There isn't enough liquidity in the market to even sell that amount. “

That’s exactly my point ;)

If they overwhelm liquidity, the price can collapse because they can always underbid those trying to sell.


Except, that isn't what happens, so it makes your statement incorrect.

The US could also overwhelm [insert any free market] by simply executing eminent domain and/or printing enough money.


OK, fine. The person who buys these Bitcoins at auction could cause BTC to crash on all the exchanges.


Why would someone spend a bunch of money to buy bitcoin and then crash the price?

Is that like the ultimate tax loss write-off? ;-)


Who says they have to spend a bunch of money? The amount of money anybody would pay for it is the amount they could get from selling it, which is limited by liquidity. Add the fun they would get from crashing the market, and that is fair market value that these Bitcoins can get at auction.


They could buy futures at a lower price before crashing the markets.


The lack of liquidity is what would push the price down, since demand is higher at lower prices.


Yes, that is generally how markets work. However there is no central exchange for bitcoin, nor is there enough liquidity in any single exchange. So, the seller would need to open accounts in multiple exchanges and sell in all of them. Sure, bringing down one exchange could have consequences for price, but it wouldn't cover this large of an amount of BTC. Plus, half the exchanges with enough liquidity to even begin with, aren't even allowed to be used in the US.

Again, that's not how the US govt works with these things anyway (OTC auctions), so it is all a moot point.


There absolutely are HFTs running off arbitrage on the major exchanges, so you wouldn't need to hit many, just a couple major ones.

We are talking about theoretically crashing the market, not an auction, and illiquidity won't protect it.


Ok, so someone buys the bitcoin at auction for pennies on the dollar, turns around and undercuts every other seller out there.


It is an auction, it won't be pennies on the dollar.

The last person who got that good of a deal was Tim Draper in 2014, which was a brilliant play and even then, I doubt he's sold it all.

https://www.cnbc.com/2021/12/19/what-the-us-government-does-...


When cryptocurrency assets are seized, do they transfer everything all to a separate wallet, which is then held in custody? If there are copies of the "seized" assets, they can just be moved to a new wallet and then the only thing seized was some hard drives, right?


Yes, they move them immediately.

This was detailed in previous seize operations like this.

2013:

> The FBI official pointed me towards this Bitcoin address, which received transfers of close to 144,000 in just the last 24 hours. "They finished moving them at 3am this morning," said the official.

https://www.forbes.com/sites/andygreenberg/2013/10/25/fbi-sa...


That’s what they should do.

The quadrigacx (Canadian crypto exchange) bankruptcy trustee didn’t move the little they found into a wallet they controlled.

Lucky for them, it seems like nobody else had/acted on having the private keys.


I'm curious, what kind of endgame was he planning, if any?

How do you launder and benefit from even any of the coins, if you know you're a wanted man and everyone is watching to see where the coin pops up?


Aside from ultimately getting caught, this Zhong guy seems pretty smart.


>various metals also seized from ZHONG’s home.

Anyone know what this refers to? Gold seized? or maybe metal plates with cold wallet keys taken from the safe?


From the affidavit (https://www.justice.gov/usao-sdny/press-release/file/1549821...):

> The metal items consisted of four one-ounce silver-colored bars, three one-ounce gold-colored bars, four 10-ounce silver-colored bars, and one gold-colored coin, all seized from Individual-1’s home on November 9, 2021.


> silver-colored

So they weren't actual silver... So they were probably just novelty display pieces?

And even if they were real metals, the total dollar value of that lot isn't very high.


My guess is they were precious metals, but the agent's report immediately after the seizure doesn't presume to know that; they just report what they can observe, and they may have them analyzed/valued later.


Or they didn’t bother sending it away for analysis, since it’s such a tiny aspect of the case financially.


This guy is fucked, how long will he be in jail?


> ZHONG, 32, of Gainesville, Georgia, and Athens, Georgia, pled guilty to one count of wire fraud, which carries a maximum sentence of 20 years in prison.

> The maximum potential sentence in this case is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge. ZHONG is scheduled to be sentenced by Judge Gardephe on February 22, 2023, at 3:00 p.m.

To be determined!


Why is there no jury of peers? I do not understand legal system in America.


Prosecutors in US conspire to deprive defendants of their rights by creating a 'plea bargain' system where federal defendants almost always plead guilty in exchange for not being 'taxed' with often multiples of the bargained number of years in jail for daring to exercise their right to trial, where they will be crushed by an asymmetric system of the massiveness of the US government verse whatever meager amount they have to spend on an attorney and expert witnesses.


There’s no jury if you plead guilty. He didn’t have to be convicted because he admitted to the crime as part of a plea bargain.


Genuine question: what happens to the BTC? If they liquidate - couldn't that cause the price to go to near zero?


They would likely sell the BTC with an off-market auction. Given the amount, they might auction if off in segments.

Whoever is responsible for selling a government asset is likely responsible for getting a good price. So a BTC dump, in addition to harming the markets, would be a violation of that duty.

https://www.fool.com/investing/2022/01/14/the-us-government-...


11.1160005300044 is a very odd looking number, I wonder if it is encoded as something.

11, 116, 53, 44


Indeed, it's not possible to seize "11.1160005300044" bitcoins as all bitcoin amounts (outside of the lightning network) are represented with a maximum of 8 decimals. Most likely, it's just a floating-point imprecision from the fed's calculations. For example a lot of software will calculate "20.1 - 20.0 = 0.10000000000000142"


how did they link it to his home address. did he try to cash them out using real ID?



Crypto without privacy (by default) is dead.


I think you're getting ahead of yourself. It's not dead, yet.

It's very much still alive (which is probably why you're being downvoted), because it has first-mover advantage and is easier to use. I think eventually privacy-by-default coins like Monero (XMR) will gain in popularity assuming people smarten up, so if it requires people being smart, then it may never gain in popularity, who knows.


> ZHONG did not list any item or service for sale on Silk Road, nor did he buy any item or service on Silk Road

> ZHONG funded the Fraud Accounts with an initial deposit of between 200 and 2,000 Bitcoin. After the initial deposit, ZHONG then quickly executed a series of withdrawals. Through his scheme to defraud, ZHONG was able to withdraw many times more Bitcoin out of Silk Road than he had deposited in the first instance. As an example, on September 19, 2012, ZHONG deposited 500 Bitcoin into a Silk Road wallet. Less than five seconds after making the initial deposit, ZHONG executed five withdrawals of 500 Bitcoin in rapid succession — i.e., within the same second — resulting in a net gain of 2,000 Bitcoin. As another example, a different Fraud Account made a single deposit and over 50 Bitcoin withdrawals before the account ceased its activity.

So Silk Road wasn’t waiting for any transaction confirmations??? And didn’t append a nonce to each withdrawal to avoid duplicates?

Is this the guy that Ross wanted to kill?


> Is this the guy that Ross wanted to kill?

No. The guy he "wanted to kill" was a moderator who didn't even steal from him. A FBI agent (huray, my taxes) pretended to be a drug lord for over 2yrs convincing Ross he should kill some moderator with lies about he wanting to take over silkroad or something, and then staged a mock assassination. All that for no tangible investigative benefit other then strengthen their 2yr old bro-bond.

That agent didn't even contribute to the actual arrest. Go read wired write up of the whole thing. It's better than most fiction books. Pure comedy.

Also, the current silk road is a honeypot set up by the Feds. That's why 1) they screwed up on validating transactions (it's not their money) and 2) they want after the stolen funds.


> No. The guy he "wanted to kill" was a moderator who didn't even steal from him.

Ross Ulbricht commissioned 5 murders fully expecting each of them to be carried out.

> All that for no tangible investigative benefit other then strengthen their 2yr old bro-bond.

The murder-for-hire evidence denied him bail. But the prosecutor already had Ulbricht nailed and decided to avoid complicating the case by formally filing the murder-for-hire charges. Would your tax dollars have been better used if Mr. Ulbricht had additional life sentences and decades of prison? No, he is going to die in a prison cell either way.

Ross Ulbricht built his empire, in large part, by profiting off people's suffering. And he exhibited time and time again that he would murder people to protect it. He is nothing short of evil.


> Ross Ulbricht built his empire, in large part, by profiting off people's suffering.

He built Silk Road, which allowed people to sell drugs to one another.

If the 'people's suffering' you are referencing is the use of drugs, I hope you have this same ire for the pharmaceutical companies and physicians prescribing opioids linked to over 500k deaths in the US over the past two decades[1]. I hope you feel the same ire for the CIA who facilitated and supported the Nicaraguan Contra groups' smuggling of crack into the US to finance their coup attempt[2].

I would hope the "nothing short of evil" rhetoric isn't exclusively saved for the kid who built an onion site and then was entrapped by FBI agents into a murder-for-hire scheme of their creation.

[1]https://www.npr.org/2022/11/02/1133523740/cvs-health-agrees-... [2]https://nsarchive2.gwu.edu/NSAEBB/NSAEBB113/north06.pdf


>> Ross Ulbricht built his empire, in large part, by profiting off people's suffering.

> He built Silk Road, which allowed people to sell drugs to one another.

Actually, that's the tiniest part. [1]

  The Silk Road was an online black market where buyers and sellers of illegal or
  unethical items could transact anonymously. Utilizing privacy techniques such
  as the Tor network and cryptocurrency transactions, people were able to
  transact in drugs, hacked passwords, illegal data, and other contraband.
Or, you could look at how he used Silk Road, to contract killers. [2]

  MANY OF THE ideological supporters of the Silk Road have described its
  sprawling online black market for drugs as an experiment in victimless crime
  and a nonviolent alternative to the bloody turf wars of the streets. But
  prosecutors in the trial of Ross Ulbricht, the 30-year-old accused of running
  that anonymous bazaar, have pointed to one conversation they say shows the
  contrary: That the Silk Road's boss was willing to resort to the drug trade's
  most violent measures when it suited his needs.
[1] https://www.investopedia.com/terms/s/silk-road.asp

[2] https://www.wired.com/2015/02/read-transcript-silk-roads-bos...


Literally fake news. Don't believe everything you read, especially if the source is a prosecutor.


In my opinion the Sackler family has cause a lot more suffering and they see no day in prison. And they're not the only lords who get away with murder. Yet a guy like Ulbricht gets to spend a lifetime in jail... This is a miscarriage of justice unless all monsters are locked up and all would be fair. It could be argued that Ulbricht caused no suffering but alleviated it by providing a service for people to buy their "drugs" by skipping meeting a shady dealer...


That alleged right of criminals to be persecuted in strictly descending order of severity simply does not exist. Finding some bigger wrong does not make a right.


> That alleged right of criminals to be persecuted in strictly descending order of severity simply does not exist.

Exactly. Justice does not exist at that level of wealth, and this is a core problem in western society.

Well pointed out.


> this is a core problem in western society

Are there any societies, historical or current, where the extremely rich and powerful face justice in the way you would like, other than by pissing off other extremely rich and powerful people?


I did wonder whether I should include 'western' or not. I probably shouldn't have, since, I agree with your point, it's not a area that distinguishes western from non-western.


In China they say you can get away with anything as long as nobody dies.

For example, in the 2008 Chinese milk scandal, two people were sentenced to death and three received life sentences.


> In my opinion the Sackler family has cause a lot more suffering and they see no day in prison.

So what? Which is it, are you in favor of a lighter sentence for Ulbricht, or a heavier sentence for the Sackler family?


To be honest I don't know, I just expect justice to do it's bidding and make the world a better place for all of us. What bothers me is that the rich get away with murder while the rest of us are held at a different standard. It also seems to me that the Sacklers' caused a lot more harm while this guy is not as evil as purported to be and doesn't disserve to be locked up for life. Should the justice be harsh for everyone I'd swallow that pill but it's not. I'm just comparing the amount of suffering caused and the received sentence. And there's no what, it's just an ordinary person's opinion, an opinion that does not change anything.


I respect where you're coming from, but here's an opinion, that if adopted, may influence where you choose to stop or continue your thought process.

I see this "comparison" form of objection quite a bit, where someone points out relative injustice without taking a stand on which way to go. Once you notice it, you start seeing it everywhere.

In terms of conversation, it almost always seems to have a muting effect, of freezing the momentum towards figuring out what should be done. Desiring consistency is honorable, but these sorts of scenarios further ask us which way we want to apply that consistency. While each individual case probably wouldn't make a difference, I think when we refuse to answer those questions as a society, it makes it more likely for these imbalances to occur. So I think it's worthwhile to try and think it through, take a stand, and voice a stand.


The Sackler's had their name stripped from museum exhibits, campuses, etc, which I'm sure hurts at the end of the day.

The US government really should have went the extra mile and stripped the Sackler family of every penny they had.. to the point that they were forced to beg for spare change on the side of the road e.g. Mortimer & Randolph Duke style.

> The bankruptcy judge acknowledged that the Sacklers had moved money to offshore accounts to protect it from claims, and he said he wished the settlement had been higher

https://www.nytimes.com/2021/09/01/health/purdue-sacklers-op...


The arbitrary nature of what's become of "justice" is only magnified as the wealth gap increases.


It might have been worth them formally filing the murder-for-hire charges just to save us from having to read his supporters repeatedly say they weren't real.


Don't worry, even though he wasn't convicted of them, his sentencing included the alleged activity and punished him for it anyway!


A reminder that the murder-for-hire schemes were a predicate of the conspiracy charge in his indictment; he was in part charged for them.


But conspiracy charge depends on overt act(s), so being convicted of conspiracy doesn't necessarily mean he was convicted on the basis that particular overt act occurred. The prosecution never had to prove all the overt acts, including murder-for-hire, were true to convict for the more generalized non-murder conspiracy. Just that some subset of overt acts were true.


> prove

There are different levels of proof. For example, civil court only requires a preponderance of evidence.


> built his empire, in large part, by profiting off people's suffering.

LOL. Wow. You clearly have no sense for nuance whatsoever.

https://www.wired.com/2014/06/silk-road-study/

https://www.theatlantic.com/technology/archive/2013/10/did-s...

Silk Road reduced deaths in a black market that was always there and would always continue to be there regardless of the presence of Silk Road. Period. Given that black markets are going to continue to exist, since anti-drug laws are dumb (just like Prohibition was; regulation of an irrepressible market is always superior to "illegalization" in a vain attempt to suppress it), it is at least less bad if there are fewer killings.

Entrapment is unethical precisely because you can use it to enforce a law regardless of the ethical justification of the law. If it was a capital offense to have sex before marriage in 2040 in the United Christian Dictatorship of America, and another Ross Ulbricht type came along and made it possible for teens to seek and meet in secret online, and a christo-fascist cop pretended to be a hot girl on said system while pretending to threaten to take the whole thing down unless a ransom was paid, and ANOTHER christo-fascist cop (or the same one pretending to be someone else) offered a "solution" to this by "getting rid of" the "problem"... Do you see where I'm going with this? Future Ross Ulbricht just wanted people to be able to find physical love before committing to wed!! Certainly not guilty enough to do life in prison, because no actual murders ever actually occurred.


> Also, the current silk road is a honeypot set up by the Feds. That's why 1) they screwed up on validating transactions (it's not their money) and 2) they want after the stolen funds.

The DOJ release says these transactions were from 2012


this bitcoin theft happened in September 2012, before Ross Ulbricht got arrested (in 2013) so when Silk Road was active and not a Feds' honeypot like you describe.


Part I of an account of the wild story can be found here; it’s really quite interesting, at the least!

https://web.archive.org/web/20220112152207/https://www.wired...


Has the concept of "Entrapment" not made its way across the pond yet? This seem highly unethical on the part of the FBI.


Entrapment is an invention of 20th century American courts. See William E. Mikell, "The Doctrine of Entrapment in the Federal Courts," U. Pa. L. Rev. 90 (1942), calling entrapment as a defense a "purely American doctrine" not considered by earlier English writers on criminal law.

Trivia aside, no. Entrapment is a specific concept narrower than "a fed lied to me."


Given the mention of "across the pond", it seems the parent commenter was talking about the English law meaning of entrapment. That is where you are enticed to commit a crime by a law agency. Technically it's still a crime and there's no legal defence based on entrapment, but courts will tend not to prosecute if "the police did more than present the defendant with an unexceptional opportunity to commit a crime".


I'm assuming you pulled that from Wikipedia, which is what Google points to for that phrase. You've radically oversimplified Wikipedia's coverage of UK entrapment, and Wikipedia oversimplifies UK law. "More than an unexceptional opportunity to commit a crime" is just one factor in a complex analysis. The "exceptional" opportunity starts the consideration of entrapment; it doesn't end it.


Yes I got that quote via Wikipedia. It, in turn, is a direct quote from a judgement from the Law Lords, which set a precedent – the main precedent on the subject if that Wikipedia article is to be believed. So it's not just a random Wikipedia editor's view on the subject.

Yes, no kidding it's a more complicated subject than that one short sentence. But my point was just that it's different from any notion of entrapment, or lack of, in the US.


The point is that it's simply not the case that the state tends not to prosecute in cases where "the police did more than present the defendant with an unexceptional opportunity to commit a crime".


FBI gets a wide berth from the courts. A couple of years ago, they seized some TOR child porn website, and then started making upgrades to it causing the userbase to increase by 30%. Then they tried to pin that user count on the person they arrested.


FBI is federal, unlike the police, so they can do whatever, at least that’s how it’s playing out. The FBI is supposed to be effective, not ethical. It’s what’s “on the tin” and has always been. A good example is their treatment of MLK.


The FBI is supposed to be ethical, that's what's on the USA tin containing the FBI tin.

You can provide a billion examples of how the US hasn't lived up to that notion, but 'liberty and justice for all' is, "what's on the tin."


I think we agree, probably that what is and what should be are not the same. The tension is that voters will often reward politicians that are effective, rather than those whom are ethical. When it comes to the safety of your child, most humans go for effective over ethical.


> When it comes to the safety of your child, most humans go for effective over ethical.

Wouldn't the balance of the child's needs change the ethical judgement (now considered ethical as well as effective)? I don't see how they would be mutually exclusive.


We disagree insofar as your statement, "The FBI is supposed to be effective, not ethical." They are supposed to be ethical, and then effective.


> As another example, a different Fraud Account made a single deposit and over 50 Bitcoin withdrawals before the account ceased its activity.

> So Silk Road wasn’t waiting for any transaction confirmations??? And didn’t append a nonce to each withdrawal to avoid duplicates?

See the ACID properties of databases. [1] These are often put to the wayside in order to have greater transaction speed. We can see the results.

  In computer science, ACID (atomicity, consistency, isolation, durability) is a
  set of properties of database transactions intended to guarantee data validity
  despite errors, power failures, and other mishaps.[1] In the context of
  databases, a sequence of database operations that satisfies the ACID properties
  (which can be perceived as a single logical operation on the data) is called a
  transaction. For example, a transfer of funds from one bank account to another,
  even involving multiple changes such as debiting one account and crediting
  another, is a single transaction.
[1] https://en.wikipedia.org/wiki/ACID


Which of the ACID property is broken here? Transaction is by definition atomic, internal consistency was not broken, and isolation and durability are fine.

ACID makes sense in internal transfer, like the example you gave:

> debiting one account and crediting another, is a single transaction.

Blockchain is ACID compliant, their internal database could be ACID compliant hard part is linking it together.

The solution here is exactly going opposite of ACID. Do a transaction in database first, and hope the transaction goes through Bitcoin, if not have another job reverse the transaction. If the reverse job fails, have a support agent manually revert the transaction. A common mistake someone could do is to put transaction in processing state in the database, and have another job update it to success.


> Blockchain is ACID compliant, their internal database could be ACID compliant hard part is linking it together.

That's the issue, ACID is not ACID for a tiny bit but for the transaction. See the definition you quoted, "debiting one account and crediting another, is a single transaction." Blockchain is absolutely not ACID compliant. There must be a deterministic methodology not miner consensus for ACID. Miners can even change the blockchain.

However, why are you even mentioning blockchain instead of MYSQL without SERIALIZABLE, which enforces atomicity?

> The solution here is exactly going opposite of ACID.

What solution are you talking about? There was no solution put in place, which was the cause of the thefts.


> See the ACID properties of databases. [1]

But since this is "blockchain", is it more like... they weren't polling for the right confirmation/status/update from the blockchain network API thingie?


> But since this is "blockchain", is it more like... they weren't polling for the right confirmation/status/update from the blockchain network API thingie?

That's the exact same mistake I referenced. The consuming website should not be in charge of the atomicity of transactions.

It doesn't matter whether the API was used incorrectly, blockchain was used, or finanglesperunk was the technology. The vagaries of the implementation don't matter. Sending money should be atomic with the request instead of whatever this was, otherwise the result might be $3.36 Billion in theft.

PS Blockchain is a database. The developer can choose to enforce SALT instead of ACID, but something wasn't done right.


No, it's not blockchain. It's a SQL usage error.


I knew a guy about 10 years ago that upgraded his iphone through the apple website and AT&T website at the same time, received two phones, and never heard from either company about a double transaction. I love these kinds of hacks -- I guess it's one way to profit from hard-learned database lessons :)


I didn't get into the UC of my choice. So I appealed. This was in 2006, and the appeal process was not through an online application. You had to mail in a packet with your appeal letter, transcripts, etc. I sent one in by the postmark deadline (Friday), but it wasn't very good. So, come Monday morning, I overnighted a much better one. After a week or whatever, I got a message notifying me that my application status had changed, but I did not get in. Then a day or two later, I got another one, to which I _did_ get in.

Now, I don't know for sure, but I like to think two different reviewers got my packets in parallel and never knew it, and upon changing my status the second reviewer probably wouldn't have seen any evidence of the last status change having been from an appeal.


> I got a message notifying me that my application status had changed, but I did not get in. Then a day or two later, I got another one, to which I _did_ get in.

Back in the days before email was common, I applied for a postdoc position at <famous prof's lab @ MIT>.

I mailed my letter to <famous prof>, expressing interest in working in his lab.

A few days later, I asked 3 profs in my graduate program to write letters of recommendation on my behalf to be mailed to <famous prof>.

After ~10 days, I received a response letter from <famous prof>, to the effect of: "Sorry, my lab is full. Won't have any openings for several years. etc. etc. Thanks, but no thanks."

I figured "Oh well.... No big deal."

But I was too lazy to inform the profs who were writing my recommendations to stop.

About a week after my "rejection" letter, <famous prof> phones me and says, "I always send a standard rejection letter because I'm only interested in people who are _aggressive_. Thanks for sending your recommendation letters. I _definitely_ have openings in my lab."

I didn't have the heart to tell him that he only got those letters because of my laziness.


Couldnt it be the case that one packet was reviewed and they updated your status, then they just chucked the duplicate?


Yes I suppose. I just vaguely remember two different notifications about it


When I was a kid we had vending machines for drinks in school.

One morning I put 20p in and it immediately came back out. It wasn’t accepting the coin so I tried two in quick succession. Both were spat back out… but the machine registered one of them.

I of course would never exploit that repeatedly for a couple free drinks and some extra change too.


The soda machine in my dorm at college had separate mechanisms for “I released a soda” and “you actually got a soda” and if you knew this, you could trigger the “I released a soda” mechanism and delay the “you actually got a soda” event until after you got your money back. You just had to stick your arm up the machine and not let the released soda fall while you hit the cancel button. Then you got your money back and then a soda. Atomicity fail.


They were not around for very long but there was a soda machine that had a conveyor belt that drinks would drop down onto and then be pushed out of a flap door into the bucket. The machine could detect when a drink was actually vended but didn't seem to be able to detect when someone was holding the door shut. You'd pay for a drink and hold the door shut while the machine tried to push your drink out the door. Since the door wasn't opening, the machine would think that no drink ever dropped down onto the conveyor belt so it would mark that specific drink number as out of stock and return your money. Except your drink selection was still sitting on the belt. You'd pick a new drink and pay for it but this time not holding the door shut, two drinks would come out for the price of one. You could do this quite a few times over to either get a couple free drinks or just jam the machine. Out of all the vending machine "hacks" I learned about in middle school, this was the only thing that ever worked and only for a short time before they got quickly replaced.

The new machines use either a basket to hold the drink instead of a conveyor belt or some sort of shield to prevent you from messing with the flap door until it knows a drink has been vended.


Seems like it was working as intended, that if there was some blockage in the machine that resulted in the soda getting released but then getting stuck, you'd want a refund.


Somehow I doubt giving out unlimited free sodas is "as intended." This is why it's an atomicity fail, leading to an inconsistent transaction. It should never be blocked according to the payment mechanism and unblocked according to the delivery mechanism.


No it's literally just a good faith effort to err on the side of customer satisfaction being exploited to steal a soda.


The tumble dryers in my halls of residence were meant to take 20p (oh, those were the days, it's probably a quid now), but if you put in a 1p slowly and kept turning the handle it would trick it.


Reminds of my older brothers friend who in second grade got back in line to get his yearbook picture taken and showed up twice in the yearbook with slightly different pics.


I have to fess up, too.

Back in the early 1990s, I withdrew $10 from an ATM.

But the machine gave me two $10s (they were stuck to each other).

I then went back for a second transaction (secretly hoping there were multiple "stuck $10s" waiting to be released).

The machine only dispensed a single $10 the second time, so I stopped.

Let it be known that I owe Chemical Bank (or whoever bought them) $10 + interest.


Opposite experience here! Requested $100, got back $60 with two of them folded over on the corners. $100 debited from bank account, filed a complaint with the bank. The temporary refunded the money, did an investigation, then said that the ATM actually settled at the correct number, and took the money back from me. Not cool


Back before all of the banks were wired together, I had a friend with what we called a "bottomless ATM card."

He could withdraw whatever amount he wanted from the ATMs at college, but since that region's ATM network wasn't hooked up to his home bank's ATM network, it took months for everything to reconcile.

He could keep withdrawing, even if he had taken out far more cash than he had in his home bank account.

On breaks, he would go back home and pick up enough hours at his part-time job to cover the difference (it wasn't unusual for people to be paid weekly or in cash back then), make a deposit, and everything was fine. He just had to keep one step ahead of the computer batch processes.

Also, I think Chemical is Citibank now. I had a Chemical account, and a Dime account. I still think of Citi as "Chemical," though.


First time Im hearing of an ATM dispensing $10 bills. Granted, first time I started using ATMs was in the early 2000s...


I think they even dispensed $5s at the time, but my memory is a bit hazy about that.

At the time, my girlfriend (now wife) used to tell me I wasted so much $$ on ATM fees by only withdrawing $10 at a shot.

I told her I was not good at budgeting my money and I had a tendency to spend whatever was in my pocket, irrespective of the amount.

So, $10 was my way of putting brakes on my spending. Fees were just part of the cost of my budgeting method.

She married me anyway.


First time Im hearing of an ATM dispensing $10 bills.

Back when ATMs were new, you could get any amount, including change.

The ATMs at the Chase bank next door currently dispense any bills you want, but not change. After you tell it how much you want, it asks you how you would like it and you can tap different denominations.

Last month I took out $17, just to see it work.


"the code is the contract"

"oh wait we fucked something up? shit no, give me my money back"


Isn't that the silly thing they say about etherium, not Bitcoin?


No, the bug was in the withdrawal code. Concurrency bug, numerous simultaneous withdrawals have a high change of succeeding and you are able to withdraw more than your actual balance. Very common in amateur coded websites.


> Very common in amateur coded websites.

Also common in professionally coded websites.


« Do not click PAY more than once »


Sure, but if silk road waited for X confirmations, it would have made it at least a bit more complex to pull off.

(Maybe you could have just hammered it continuously, but hopefully would have to predict when the blocks would be confirmed. They’re not exactly every 10 minutes).

It’s not exactly related to this hack, but poor blockchain practice on the part of silk road if it permitted withdraws this quick after deposits.


From what they said it sounds like the issue was executing the same withdrawal request more than once, unrelated to the bitcoin confirmation window. The fraudulent withdrawals had to happen on the same second, not merely on the same hour.


That’s correct. I read the indictment and the first one was done within 5 seconds of deposit, while the next successful one was after 24 minutes.


If the bug is a read-modify-write sequence without a transaction, then regardless of whether you wait for more confirmations, the withdrawal action will always be racy and vulnerable to this exploit.

Not waiting for confirmations would leave you vulnerable to random chain forks and make 51% attacks cheaper.


In 2012 bitcoin was worth ~ $7.00. So 2,000 bitcoin is only $14,000 but the feds too $3 billion back. Does not seem fair.


> " IRS-CI Special Agents are the best in the world at following the money through cyberspace or wherever our financial investigations lead us. We will continue to work with our partners at the US Attorney’s Office to track down these criminals and bring them to justice."

They might want to look into this:

Many U.S. corporations use offshore tax havens and other accounting gimmicks to avoid paying as much as $90 billion a year in federal income taxes. A large loophole at the heart of U.S. tax law enables corporations to avoid paying taxes on foreign profits until they are brought home. Known as “deferral,” it provides a huge incentive to keep profits offshore as long as possible. Many corporations choose never to bring the profits home and never pay U.S. taxes on them.

https://americansfortaxfairness.org/tax-fairness-briefing-bo...

Yes, these tax loopholes are legal, but I bet the IRS and its world-class money trackers could, if they wanted, find quite a few outfits going well beyond what's technically legal.


They could, but then the IRS would have contend with an army of lawyers to claw their money back. In this case, going after a small time criminal with no connections is an easy win, so it makes sense from a resource allocation perspective for them focus on cases like this instead.


Anyone who stole and has held on to 51,000 BTC is not exactly a small-time criminal any more.

They were when the theft occurred, but this is like when you steal a cargo container full of crap, and five years later discover that both the Mona Lisa and a nuclear football is in it.


> They could, but then the IRS would have contend with an army of lawyers to claw their money back.

Always reminds me on how Scientology managed to get charitable. tl;dr: Cause so much work for the IRS (or appear to be able to do so) and they'll back down.

The tax code is like the MasterLock of laws: looks complex on the outside, keeps honest people honest but is so weak it can be exploited by anyone willing to do so.


They said they were the best in the world, not that they were any good.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: