The man who solved Bitcoin's best known hit

Unlike many victims, Mr. Nilsson decided to fight back, and he worked with a lawyer and another partner who also lost the bitcoins to track down the perpetrators. What followed was a three year journey through the womb of the internet that ended last summer on a Greek beach. There, in the shadow of a 1,000-year-old monastery, FBI agents arrested a Russian man and charged him with the recycling of bitcoins worth about $ 4 billion at recent exchange rates, one of the most great crimes to be presumed in the short history of cryptocurrencies.

Mr. Nilsson's bitcoin odyssey, by an optimist adherent to an inveterate investigator, encapsulates the uncertain maturation process of cryptocurrencies while their value and use have exploded in recent years. His account of an apparent multimillion-dollar theft and a money-laundering system at the center of the Bitcoin world shows how dangerous his vast digital area is not dangerous to investors.

His work – what he calls "blockchain archeology" – has become an industry, with a crop of private cryptocurrency investigative companies that now follow the flows of money and identify possible crimes for large banks, exchanges and the forces of order. US government agencies, including the Federal Bureau of Investigation, the Central Intelligence Agency and the Internal Revenue Service, have their own cryptocurrency investigators.

In the last nine years since Bitcoin made its debut, cryptocurrency is worth more than $ 15 billion at peak prices being stolen, largely in hack like those that precipitated the Mount. The collapse of Gox. This count does not include the thefts that have not been advertised, or the cryptocurrency used in other illegal activities, such as the purchase of stolen credit cards or the payment of hackers.

Cheating is just one of the threats now facing bitcoin, which has electrified the financial world with its promise of a decentralized anonymous payment system intended to make banks obsolete.

Anonymity is evaporating as people execute large centralized transactions that collect detailed user data and provide it to government investigators. Speculators have caused huge price fluctuations that make bitcoin as enviable as money and dangerous as an investment.

Then there is crime: with little government supervision and no way to reverse bitcoin transactions, thieves have developed creative ways not only to break into exchanges, but to use bitcoins to facilitate all sorts of other schemes. Credit card thieves sell stolen bitcoin cards; Hackers, including some from North Korea, have taken the data to get the ransom in bitcoins, the IT security researchers say. Regulators now want to subject bitcoins to many of the same rules as traditional investments.

For real believers like Mr. Nilsson, a 36-year-old Swedish man who lives and works in a cramped Tokyo skyscraper, it was an accident.

Mr. Nilsson and others in Japan's enthusiastic digital currency community have amassed themselves in bitcoins at a time of post-financial crisis-optimism. Founded by an enigmatic programmer or programmer who is following the name

Satoshi Nakamoto,

bitcoin only exists online as a string of code in a digital ledger, called blockchain, outside the traditional financial system.

The ledger is managed by thousands of computers scattered all over the world. Transactions on it are publicly visible, but the people behind them are not. The agreement ensures that a person can not use the same bitcoin to pay for a good or service more than once. While bitcoins can be seen moving between "addresses" identified by strings of letters and numbers, the names of wallet owners remain hidden.

In theory, the process is decentralized and each owner is responsible for keeping track of the password. You do not need a trusted intermediary, such as a bank or credit card company, to guarantee the validity of the exchanges; the blockchain does it.

In practice, many bitcoin transactions are facilitated by exchanges, rather than by people who use blockchain directly. Many exchanges, which are largely unregulated, work much like traditional financial institutions, linking buyers with sellers and keeping their currency in online accounts. These accounts – and the exchanges of information about users collect – may be susceptible to hacking.

Mt. Gox, based in Tokyo, was one of the first and largest of these exchanges. He provided a platform to buy and sell bitcoins and a service to keep users' password-protected digital portfolios, where bitcoins are stored. In 2012, Mr. Nilsson bought his first bitcoin from a friend. A year later he started buying the cryptocurrency from the Monte. Gox, accumulating a small cache.

With a tuft of beard and the dark wardrobe of a hacker of the 90s or a fan at a Rush concert, Mr. Nilsson lived in Tokyo for about a decade. [19659004] Unknown to buyers at the moment, mt. Gox was looking for trouble. The hackers gained access to private keys in 2011 and started to steal bitcoins from their online portfolios: about 630,000 over four years.

Mt. The owner Gox Mark Karpelès, a French expatriate in Tokyo, tried to hide the thefts until the beginning of 2014. Mt. Gox interrupted the withdrawals and declared bankruptcy

The defeat, the biggest in the short history of bitcoin , left hundreds of victims. A Californian man lost about $ 40,000; a Chicago investor over $ 50,000.

Daniel Kelman,

a lawyer educated in Brooklyn who lived in Taiwan, lost 44.5 bitcoins, or about $ 400,000 today, and went to Tokyo hoping to get to the bottom of the theft.

At a bitcoin meetup in a skyscraper bar, the lawyer met

Jason Maurice,

a floppy-haired Hawaiian. Mr. Maurice, who passes by "Wiz", has handed down the name of a colleague, Mr. Nilsson, who had the programming ribs to solve Mt. Gox.

During dinner at Teddy's Bigger Burger, one of the many Hawaiian chains that Mr. Maurice often insisted, the men erased a plan to find the missing cryptocurrency and exploit their success in a business.

documentaries about Kennedy's assassins and see them 20 years later? "Mr. Kelman, the lawyer, remembers talking to his partners." They will be there in 20 years. "

Lords, Nilsson, Kelman and Maurice called their company WizSec, after Mr.'s nickname Maurice, and adopted the slogan "Bitcoin Security Specialists." The business never took off

"It quickly became just myself sitting at the front of the technician," says Nilsson, without money for new technology or an office, led the Investigations outside his 650-square-meter apartment in a skyscraper outside the center of Tokyo

With only his home PC he had built for videogaming from online parts, Nilsson did not have the computing power to look for efficient bitcoin blockchain.The researches could have consumed a whole night.

Mr Nilsson instead developed a program to index the blockchain, which allowed him to quickly search input, output and addresses of each transaction. one.

Although patterns began to emerge, they were difficult to decipher because the blockchain does not identify who is behind every transaction and there is no online address book that links blockchain addresses to real people.

A lucky break kept him alive. Parts of the mountain The Gox database was leaked, partly on the Internet and other parts of journalists. Mr. Nilsson got the data leaked private data exchanges, withdrawals, deposits and balances of users.

In May 2014 another programmer published an analysis of such leaked information. He discovered that the accounts were buying bitcoins in a way that seemed automatic and created to support the price of the mountain. Holdings of Gox.

Returning to the report, Mr. Nilsson realized that he could use the database to figure out how much bitcoin he had. Gox lost by locating each bitcoin portfolio associated with the exchange, then tracing their transactions.

The investigation was dominating his life. Still working full-time, his nights became Coke Zero sessions before three light screens, one with lines of code, another with a spreadsheet to record key information and a third to write narrative notes.

After months of work, Mr. Nilsson had nearly 2 million addresses associated with the mountain. Gox, but has no idea who used each address or for what purpose. He needed help from an insider.

At that point, the Japanese order forces were investigating the Mount. Gox. His boss, Mr. Karpelès, was lying down. Mr. Kelman had contacted a bitcoin channel on the Internet Relay Chat messaging program that he knew Mr. Karpelès was dating. "One day I took IRC and started to accuse Mark of embezzlement," says Mr. Kelman.

Eager to cancel his name, Mr. Karpelès agreed to meet Mrs. Nilsson and Kelman at another hamburger restaurant. He confirmed the account information that Mr. Nilsson has compiled and helped him develop a complete list of Mt. Gox Addresses. The two investors say that he also told them something that would not become public until much later: suspicious trading on the mountain. Gox was the work of a program that Mr. Karpelès developed to hide the thefts of unknown authors.

Mr. Karpelès declined to comment, but previously denied the misappropriation of funds from the Mount. Gox.

Mr. Nilsson has gone through the remaining thousands of portfolios and has established that while the Mt. Gox should have had about 900,000 bitcoins, instead it had less than 200,000. And he saw the coins disappeared in 2011. "Knowledgeable or not," he wrote in a blog post in 2015, "Mt. Gox was technically insolvent since at least 2012."

After those coins left for other exchanges, some they seemed to be sold for cash. Mr. Nilsson did not understand who was stealing or selling them, but he felt he was on the path.

In the hope of getting rid of further information, in April 2015 he published the results on the WizSec blog. He outlined what he knew, and his belief that someone other than Mr. Karpelès stole the bitcoins. "So," concluded the post, "Who was it then?"

Shortly thereafter, he received an unexpected message.

Gary Alford,

an agent with the United States Internal Revenue Service, he was known in cryptographic circles as the investigator who identified the owner of Silk Road, an online market where you could buy drugs and bitcoin weapons. It was one of the biggest prosecutions related to bitcoin, and Mr. Alford followed bitcoin connected to the Silk Road investigation in some of the same places where Mr. Nilsson was looking for his lost currency.

It was a moment of unease. Mr. Nilsson took part in the bitcoin in part to escape from the regulators. "There's a stigma on the IRS, of course, in the kind of circles I'm moving to," he says. "The tax department is not the most appreciated entity."

But the lords Kelman and Nilsson thought that the US government – with its vast scope and superior finance and technology – would be able to help.

Instead, "it was like a one-way street," says Kelman. "We gave them everything." Mr. Alford offered nothing but the certainty that "you guys are on the right track," says Kelman.

Mr. Nilsson doubled. He traced the flows of coins that left the Mount. Gox in other exchanges, including a BTC-E call. Then he found something unexpected: Portfolios where the mountain. Gox bitcoins ended up containing bitcoins stolen from other well-known – and apparently unrelated – thefts from other exchanges.

Mr. Nilsson made the cross reference of some of those transactions with information from one of the Mt. Gox data leaks. He saw that some coins stolen from the Mount. Gox had been deposited in other Mt. Gox Accounts – and one of those had received a cash deposit with an attached note that simply said "WME". Mr. Nilsson knew that anyone in possession of the WME account had been in possession of the stolen Mount. Gox Coins He just needed to figure out who that person was.

At that point, Mr. Nilsson passed from the blockchain analysis to old-fashioned trawling.

Other excavations revealed a WME that claimed to have traded currency exchanges in Moscow.

"Hi, I've been trading for over 10 years, now I started working with bitcoins, I can trade them for anything," WME wrote in 2011 on the Bitcointalk.org bulletin board.

"I prefer large sums", added WME.

Deeper drilling, Mr. Nilsson discovered that the WME wallets were connected to the BTC-E crypto exchange.

Some bitcoins from the Mount. Gox ended up in the BTC-E accounts and never seemed to leave, instead of being traded they remained in wallets connected to the BTC-E administrator. Could BTC-E be in on theft?

The next step was to identify WME.

It seemed difficult. A criminal who uses different portfolios for each transaction and is careful to never leave information that links a pseudonym with a true identity may be difficult to capture.

Apparently WME was not careful. Through what Mr. Nilsson calls "careless management of identity", there was a trail of clues

First there were posts that linked WME to specific accounts. Then Mr. Nilsson found a post on the 2012 message board in which an outraged "WME" supported another "commercial platform" that has been cheated and escaped with my money. "

"This is a scam report against CryptoXchange, which stole $ 100,000 USD from me and refuses to return it," says the post.

To reinforce his case, WME published messages between him and CryptoXchange, along with a letter from his lawyer to the company. At the end of a message, CryptoXchange told WME where he deposited his money: an account owned by a "VINNIK ALEXANDER."

Mr. Nilsson was shocked. "I did not even believe it was a real name," he says. "I thought it was an alias or something." Why would someone in the crypt publish his real name and online banking information? "

Mr. Nilsson passed the name, with a typo, to the IRS agent, Mr. Alford.That was then the summer of 2016. Mr. Nilsson had worked for two years on the case

What he did not know at the time was that the BTC-E was a target for government investigators of an ocean away. "Inside a federal Kennedy court on one The shabby lock of the San Francisco thread, agents and prosecutors were using the US Department of Justice's subjugation power, technical know-how and budget to get to the same spot as Mr. Nilsson.

BTC- E is cyber security researchers around the world say, cybersecurity researchers say their banking relationships in Europe allow customers to buy bitcoins or convert them into euros and rubles A private sector blockchain researcher estimates that BTC – And it appeared from 60% to 70% of all cases of criminal cryptocurrency until 2016.

"Nobody knew who the BTC-E was. Nobody knew who the owners were. We thought it could be in Bulgaria, or maybe in Cyprus, "he says

Tigran Gambaryan,

an IRS investigator who is now the main agent of the Vinnik investigation.

What the agents knew was that BTC-E was one of the biggest bitcoin exchanges of the era and that "did not ask questions" about the identities of its users, says Mr. Gambaryan. Mr. Alford declined to comment

federal investigators, as determined by the courts, also identified a "WME" check account with stolen Monte. Gox coins, and connected to BTC-E.

The agents tracked blockchain transactions and bank records mentioned in the alternative. They established that between 2013 and 2015, an account linked to BTC-E and a Russian citizen was involved in transfers of money to the banks of Cyprus and Latvia, the jurisdictions that money launders use as an access point to the main banks of the continent.

At the end of 2016, prosecutors had enough to accuse Mr. Vinnik.

Because Russia will generally not expel suspected cybercriminals, US agents have sought a way to arrest it elsewhere. They filed a federal indictment sealed in January 2017 accusing Mr. Vinnik and unnamed nominees of recycling about $ 4 billion via BTC-E. When Mr. Vinnik took a holiday in Greece, the FBI and the local police were ready.

On July 25, undercover agents in casual clothes surrounded Mr. Vinnik on a beach and arrested him. They have seized two laptops, two tablets, five mobile phones and a router – possible tests to understand the BTC-E, according to a Greek law enforcement official, citing the court's depositions.

Mr. Vinnik's future is not clear. The United States is trying to extradite it, but Russia has objected, saying it wants it back to Moscow to face a 9,500-euro fraud case.

At court hearings in the Greek court, Mr. Vinnik's Russian lawyer denied the allegations, said his client is not an employee of BTC-E and said he is fighting US dominance of the financial system global. The lawyer appealed to the Orthodox Christian tradition shared by the Greeks and the Russians, saying they could not send "a brother of the same religion" to the United States. Mr. Vinnik spent the deportation hearings reading the Bible.

On July 30, a group of Greek judges agreed to extradite Mr. Vinnik to Russia, although several Greek courts have also decided that he should go to the United States or France. If Vinnik's asylum offer in Greece fails, it will be up to the Minister of Justice to decide where to send him.

The arrest was among the largest in the world of digital money. But as they descended on Mr. Vinnik, the agents knew that arresting the Russian was unlikely to stop the BTC-E. It is not clear whether Mr. Vinnik was the head of BTC-E or even a particularly important person in the operation, say the people involved in the investigation. In fact, they and Mr. Nilsson say it's possible that his mind remains somewhere in the former Soviet block, rich in bitcoin and still operational.

Within a few days of Mr. Vinnik's arrest, BTC-E came back online with a new name. Its last operators – whose identities have not been determined – have maintained the BTC-E customer list and many elements of its technology, but they say the site is managed differently. At the beginning of this month, those operators announced that they were closing the exchange. It was not possible to reach them for a comment

The federal prosecutors see Mr. Vinnik as the first of many objectives of BTC-E, they say that people are familiar with the probe.

Mr. Nilsson was happy with the arrest, but remains frustrated. He hears that he has found his boyfriend, but his money is stuck in Mt. Gox bankruptcy proceedings. Mr. Nilsson expected Bitcoin to allow him to avoid governments, financial institutions and fraudsters. Instead he and his handful of bitcoins are involved in all three. "It's a sad and sordid story," he says.

-Nektaria Stamouli in Athens contributed to this article.

Write to Justin Scheck at [email protected] and Bradley Hope at [email protected]