In the following months blockchain certainly didn't disappear from the headlines. There was plenty of hype, and I plead “no contest” to the charge that I contributed to it. But at the same time I felt that there was something there. People like Blythe Masters don't jump into things lightly, I told myself. Blockchain seemed to have some staying power.
Masters is what you would call Wall Street famous. She's beautiful and brash and ruthless. She rose within JPMorgan from being an intern in its London office when she was 18 to sitting on a trading desk to running bank divisions. She helped create credit default swaps, the derivative that allowed investors to bet on a bond's price decline. Credit default swaps also ensnared Wall Street banks and their customers in a wicked web of interdependency during the financial crisis that required the Fed to step in and bail out the financial system. Everyone on “the Street” knows who Blythe Masters is.
There were also other big names taking blockchain seriously, like the Bank of England and the World Economic Forum. This helped me take it seriously too, and then near the end of 2016 the editor of Bloomberg Markets, Joel Weber, said he was planning a heist issue for the next year. Did I have any good heist stories?
Oh, man, did I.
●●●
I love complicated things. I love the process of figuring out how things work and then describing them to people in a way they can understand. I know for sure this trait allowed me to carve out the niche I have within Bloomberg News. When I started learning the details of the ether hack, I realized that I'd stumbled upon one of the most convoluted yet brilliant stories I could ever hope to untangle.
Metaphors will be our friends in this story. Imagine it this way: a bank has been built underground, with a central vault that holds $250 million. The design of this bank is such that once built, nothing about it can be changed. Not its layout or its vault or how any of its banking processes work. Its banking processes are weird, but we'll get more into that in a bit.
This bank has thousands of customers, the depositors, whose money makes up the $250 million. Now, under the rules of this bank, if someone wants to get their money out, they have to tell the bank 7 days ahead of time. During this week the depositor creates a small room underground near the vault. Once that's done, they have to wait for another 27 days. Let's say that it takes the bankers that amount of time to tunnel to the small room so they can deliver the money to be withdrawn.
If all goes according to plan, the money is delivered to the small room, a staircase appears, and after 34 days the customer can climb to the surface with his cash. But what if there is a flaw in the design of this bank? What if once the request to create the small room is made, the customer turns evil and realizes that they can dig a second tunnel from their room that leads back to the vault? Because of the flaw there are no security guards to block this second tunnel and it leads straight to the money in the central vault. Once the digging was done the evil customer could start grabbing as much cash as possible, like a game-show contestant in a chamber with $100 bills flying all around. Because the bank design can't be changed, the flaw that allows for the second tunnel is part of the bank, a glaring hole that customers can exploit.
That's basically what the DAO hacker accomplished, only using computer code instead of a shovel.
I spent months reporting on the hack for the magazine. It was the most fun I'd had in my career. I met and got to know almost all of the people quoted in this book during that period. We called the article “The Ether Thief,” a nod to the great New Yorker story “The Silver Thief,” which Joel Weber gave me to read for inspiration. And yet all through the reporting for the magazine story, no one I interviewed said they knew who had pulled off the heist. The ether thief's identity remained a mystery.
One of the more amazing attributes of blockchain systems is that all of the transactions I'm describing are publicly viewable. This has been the case since Bitcoin was first mined in early 2009, and it's the case with Ethereum. People often claim that blockchain allows users to remain anonymous, but this is wrong. It's pseudonymous, because it's possible to know the identity of the person behind an address. Once that link has been made, a person's activity is traceable for anyone with an Internet connection. But it's rare to know who is behind any given address. And so most of the time we have no idea who is doing what on the Ethereum blockchain. In the case of the DAO, one of the main attack addresses was 0x969837498944aE1dC0DCAc2D0c65634c88729b2D.
But who is that? Even though we can see on the public Ethereum blockchain that this address received 137 ether at 3:34:48 UTC on June 17, 2016, and that hundreds of similar transfers were then made over the next several hours, we have no way of knowing the person behind 0x969837498944aE1dC0DCAc2D0c65634c88729b2D.
It always gnawed at me. The ether thief was out there, and no one knew who they were. It also seemed, after not much time had passed, that no one even really cared anymore. I wanted to change that.
●●●
The first time I met the ether thief was two floors above a Foot Locker in Zürich, Switzerland.
That's probably not how my employer would want me to describe our Zürich bureau, but it's true. I felt nervous in a way I'd never felt before an interview. I wondered if the person I was about to accuse would become angry or violent. I wondered if they'd break down and tell me everything, if they'd feel that the burden of their story and what they'd done could finally be unloaded. I didn't know how I was going to ask small questions at the beginning until I was ready to show the person the evidence I had. It was a Tuesday in September, a beautiful day in Zürich, and I couldn't tell if my hand shook from the coffee I'd had or if I was scared.
The man across the table from me wore glasses and a plaid scarf. He was maybe in his late 50s and had lost some hair. Swiss by nationality, he'd spent his career in Zürich or thereabouts. This part of the world is known as Crypto Valley for its early role in many digital token startups, Ethereum central among them. The technical university in Zürich is known as ETH, the abbreviation for ether, which is just a delicious coincidence. The Eidgenössische Technische Hochschule Zürich is a hotbed of blockchain research, and Albert Einstein was both a former student and a professor of theoretical physics there. It made a certain amount of sense that someone who had brought Ethereum to its knees with the DAO attack would be based in its backyard.
We spoke about his background in banking, and how he grew bored with it and wanted out. Bitcoin had enthralled him, like everyone else in this story, because of how it had created its own independent monetary system without asking permission or giving a care about what anyone thought. Ethereum had been smart to base its operations in nearby Zug, he said, as in 2014 or thereabouts the Swiss regulators and tax authorities treated crypto projects very favorably. He told me that he mined Bitcoin back when you could do it with some high-powered hardware. If he'd kept all the Bitcoin he mined, he'd be a very rich man and wouldn't be talking to me right now.
He spoke English well, with a dose of a German accent. The conversation turned to the DAO attack and what he remembered of it. Then I asked him if he had a theory about who did it.
He paused and smiled.
“Next question,” he said.
I laughed because he'd been speaking quite freely up to that point. “I have more than a theory,” he said. “It's not that difficult to figure out.”
This was possibly the first person to ever say that to me about the hack. It was incredibly hard to figure out, in fact, as I had learned in my previous reporting for the magazine story and this book. The ether thief had covered his tracks meticulously.
Yet here I was sitting across from a person who for years had only been described to me as someone who lived in Switzerland. When researching the “Ether Thief” magazine story in 2017, the Ethereum people who suspected this man wouldn't reveal his name to me. It was rather cute, I thought at the time, and indicative of the ethics held by many in the Ethereum community: they wouldn't help spread the rumor that this man had been involved because they didn't really know if he'd done it.
In