miohtama
swalsh
A lot of the early Bitcoin stuff was toys which became something more than toys faster than the people running it could transform the toy infrastructure at its core. In most cases, they didn't have the experience necessary to make it something better. Mt Gox was just a reused domain and was originally an exchange for Magic the Gathering!
deweller
Note that modern MySQL has SERIALIZABLE transaction isolation as well:
https://dev.mysql.com/doc/refman/8.0/en/innodb-transaction-i... https://mariadb.com/kb/en/mariadb-transactions-and-isolation...
herpderperator
...how modern are we talking? SERIALIZABLE existed over a decade ago. It's mentioned here in a 2009 post.[0]
[0] https://ronaldbradford.com/blog/understanding-mysql-innodb-t...
xyzzy4747
As someone who very briefly poked around Silk Road at the time (just created an account), and as someone who has used PHP with the LAMP stack occasionally over the years, I am completely unsurprised. Race conditions can be pretty tricky to prevent in PHP, since the state is contained within different threads that can’t trivially communicate with each other. You need to be proficient with global state mutation such as via Redis or SQL.
amalcon
At the same time, this is like... data integrity 101. For future reference if you want to build a system that manipulates valuable information (such as monetary accounts), and you've never done anything like that before:
Please pick a database (relational or otherwise) with ACID transactions and replication, buy at least two different textbooks on that specific database, read both, do any exercises they suggest, and then decide whether you still want to build that system. If yes, then cool: don't hold me responsible if anything goes wrong, but you need to learn somehow.
Yes, it's possible to build systems like that on non-ACID-compliant databases, or without using the ACID functionality. It's much harder, though, and you really must understand what you're giving up in order to have a reasonable chance of success.
xyzzy4747
Probably the code had logic such as the following, which from an amateur perspective, seems to work. After all, the first check prevents the withdrawal if the account balance is too low, so what could go wrong?
// Read the balance first, then decide. Two requests that both read before
// either one writes will both pass this check (check-then-act race).
$balance = sql_query("SELECT balance FROM accounts WHERE account_id = " . $account_id);
if ($withdrawal_amount < $balance) {
    withdraw_funds($account_id, $withdrawal_amount);
}
The correct solution of course requires putting the checks in an ACID transaction along with the account balance updating. This requires more work upfront (SQL is harder to write than PHP) and an impatient amateur coder probably didn’t think of it. Also I’m guessing they didn’t properly index all the DB columns and this made transactions take longer which exacerbates race conditions.
lmm
IMO this is backwards advice. Traditional relational databases with ACID go to great lengths to create the illusion that there's a single, global state, and that's what leads to people doing things like check-and-set that seem to work. You're far better off using a non-ACID database, simply because incorrect approaches will fail more visibly and more often. Ultimately you do the same amount of work either way, but using a non-ACID database forces you to do it upfront rather than letting you silently mostly succeed with a fundamentally broken data model.
pmontra
Well, the database is there to manage and defend the data if only properly instructed to do so (CHECK constraints, locking, serialization.)
xyzzy4747
True, but it’s still not trivial, unless you’ve thought of the race condition problems in advance. My guess is that instead of keeping all the withdrawal logic in a comprehensive DB transaction with good constraint checking, the code was broken up into multiple sequential PHP statements with transactions of simpler SQL (which is likely easier from a coding perspective) and with insufficient locking. This is the easier way to code it if you haven’t thought of or heard about race condition issues.
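The race described in the two comments above (both requests read the balance before either writes), next to the single conditional UPDATE inside a transaction that closes it. This is an added example, not code from the thread or from Silk Road; it uses Python with an in-memory SQLite database instead of PHP/MySQL, and a constructed account of 100 units receiving two simultaneous 80-unit withdrawal requests.

```python
import sqlite3

# Constructed sample: one account holding 100 units and two withdrawal
# requests for 80 that arrive together (the "block the POST and fire two
# at once" scenario from the thread).
ACCOUNT_ID = 1
START_BALANCE = 100
AMOUNT = 80


def make_db():
    """Fresh in-memory SQLite database with a single constructed account."""
    # isolation_level=None: sqlite3 issues no implicit BEGIN, so the
    # transaction boundaries below are exactly the ones written here.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, "
        "balance INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO accounts VALUES (?, ?)", (ACCOUNT_ID, START_BALANCE))
    return conn


def current_balance(conn, account_id):
    row = conn.execute(
        "SELECT balance FROM accounts WHERE account_id = ?", (account_id,)
    ).fetchone()
    return row[0]


def racy_double_withdraw(conn, account_id, amount):
    """The check-then-act pattern, interleaved the way two concurrent PHP
    requests can be: both SELECTs run before either UPDATE, so both act on
    a stale balance.  Returns (withdrawals that went through, final balance)."""
    seen_by_a = current_balance(conn, account_id)  # request A reads 100
    seen_by_b = current_balance(conn, account_id)  # request B also reads 100
    done = 0
    for seen in (seen_by_a, seen_by_b):
        if amount < seen:  # the application-level check from the thread
            conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE account_id = ?",
                (amount, account_id),
            )
            done += 1
    return done, current_balance(conn, account_id)


def safe_withdraw(conn, account_id, amount):
    """Check and debit in one statement inside a transaction.  The WHERE
    clause is the balance check; the row changes only if the condition still
    holds when the row is written, so a second request cannot overdraw.
    Returns True if the withdrawal happened, False if it was refused."""
    # BEGIN IMMEDIATE takes the write lock up front: a concurrent writer on
    # its own connection waits here instead of reading a soon-to-be-stale row.
    conn.execute("BEGIN IMMEDIATE")
    try:
        cur = conn.execute(
            "UPDATE accounts SET balance = balance - ? "
            "WHERE account_id = ? AND balance >= ?",
            (amount, account_id, amount),
        )
        ok = cur.rowcount == 1
        conn.execute("COMMIT" if ok else "ROLLBACK")
        return ok
    except Exception:
        conn.execute("ROLLBACK")
        raise


def demo():
    """Run both versions against the same constructed starting state."""
    racy = racy_double_withdraw(make_db(), ACCOUNT_ID, AMOUNT)  # (2, -60)
    conn = make_db()
    safe = [safe_withdraw(conn, ACCOUNT_ID, AMOUNT) for _ in range(2)]  # [True, False]
    return racy, safe, current_balance(conn, ACCOUNT_ID)  # ..., 20


if __name__ == "__main__":
    print(demo())
```

A `CHECK (balance >= 0)` constraint on the table (the database-side defence pmontra mentions) would additionally turn the racy version's second UPDATE into an error instead of a negative balance.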
spiorf
Can confirm. Did a double withdrawal (of about 10$ at the time) on an exchange years ago by blocking a POST request and firing two at the same time.
I alerted the exchange operator and he let me keep the 10$.
Scoundreller
And failed to even depend on bitcoin’s double-spend protections. He deposited and was able to withdraw those deposits within seconds: before any block was confirmed on the blockchain.
Beaver117
It wasn't worth anywhere near billions when he stole it. It wouldn't have been worth that much until very recently.
miohtama
It was around 50k - 250k USD in 2012.
srcreigh
Can anyone explain how a serialization anomaly as described in PG docs can result in a double withdrawal?
Seems to me that REPEATABLE READ mode should be sufficient, but I'm not sure.
swellguy
Sorry, you lost me at PHP on MySQL for financial transactions. That's hilarious.
ipaddr
PHP isn't the issue here. Repeatedly posting to any page normally would result in no security issue. If the balance is checked before each withdrawal, each request would be processed. A better method is for a request to be written to a transaction table and processed in sequence.
nrmitchi
I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade ago.
This feels way less like “pursuing justice” and more like trying to track down everything the justice department can seize and auction off. If Bitcoin hadn’t drastically increased in value since the original event, would this have ever been tracked down?
I can't even count the number of much more consumer-impacting crypto-related frauds, crimes, and hacks from the last 3 years that would be more deserving of justice department attention, rather than focusing resources and attention on a double withdrawal bug from an illegal marketplace from a decade ago.
michaelt
> I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade ago.
1. I suspect that the justice system feels that, as a matter of principle, they ought to keep the heat on darknet markets generally. That getting darknet market related arrests in the news has deterrent value, and shows they're doing their job. Obviously, arresting operators or big sellers would be even better - but any darknet market arrests are better than none at all.
2. They recovered $3.3 Billion, so the ROI on agents' time is probably pretty good. American society loves it when police departments are funded with criminals' money, through aggressive traffic ticketing and civil forfeiture! So this is really no different to fining a driver for doing 55 in a 54, except with much less police time used. From a certain perspective, this is one of the most productive uses of resources the department could possibly make.
nrmitchi
1. I agree, it’s a bit tangential to call this a “darknet market arrest” instead, since the “darknet market” was the “victim”.
2. People largely hate when cops fine someone for doing 55 in a 54, so it’s probably not a great example, but I think it supports my point. This isn’t about solving an actual crime, but about optimizing for how much money the justice department is able to collect. I said elsewhere that this would be more reasonable as a tax investigation, but it’s not, and it’s (in my opinion) a pretty bad precedent that investigations should be prioritized by “how much cash can we seize”.
dragonwriter
> I said elsewhere that this would be more reasonable as a tax investigation
It was also a tax investigation, which is why IRS criminal investigators were involved, and there clearly were tax violations involved; they just weren’t part of the plea bargain.
> it’s (in my opinion) a pretty bad precedent that investigations should be prioritized by “how much cash can we seize”
I agree that prioritizing prosecutions that way would be, but Zhong doesn’t seem to have particularly been a prosecutorial priority. OTOH, spending investigative resources to find known forfeitable assets under an existing conviction seems a perfectly sane and responsible use of resources.
lancesells
What parallel universe do you guys live in where there's a 54mph or 54kmh?
:)
xyzzy4747
It’s probably because he accumulated billions of dollars of property that weren’t taxed, and illegally on top of that (although they were worth much less at the time).
It kind of sucks for him that he had to forfeit the Bitcoin and not just the dollar amount he stole at the time. I am sure if it was the other way around, and Bitcoin went to $0, they would take the historical dollar amount he stole instead.
nrmitchi
I could completely see an argument for tax evasion, that is a crime where the technical victim is the government (and thus, citizenry), not where the victim is an illegal operation that no longer exists.
However, he isn’t being charged with a tax crime. He’s being charged with “wire fraud” for double withdrawing from Silk Road.
jamespo
So committing a crime against criminals is OK?
jeremyjh
Capital gains are not taxable until they are realized through sale of the assets. I would not expect he had any tax liability yet.
xyzzy4747
Stealing an asset and keeping it is considered “income” in that tax year, I believe. You would only be correct if he stole Bitcoin when it was worth 0, but it wasn’t.
pessimizer
> I may get slammed for this, but I don’t understand the resources that apparently went into tracking down some kid who stole from an illegal marketplace a decade ago.
If you're not going to track down $3.36B after a decade, you really shouldn't pursue thefts of less than $1M ever.
adam_arthur
I agree, we should let crypto scams of all kinds proliferate and flourish.
Just kidding, haha. I agree that many more recent events have been more impactful, and hopefully they’re pursuing those too.
I mean the sheer numbers of ICOs with somewhat notable people involved purely to make a quick buck would be a good place to start
garyfirestorm
Low hanging fruit. We recovered X.y billion in BTC (valued at that time) hand waving, patting each others back. Instant promotion.
paulpauper
They were not just any bitcoin, they were missing silk road bitcoin. The fed had been looking for these 50k btc for awhile.
Scoundreller
I doubt they’ve been actively investigating him for 10y. Probably went through the transaction logs right at the beginning and flagged the addresses.
Big withdrawals suggest a seller. Big deposits and withdrawals without sales suggest a launderer. Small deposits, or sales and big withdrawals, suggest an insider.
Dude finally slipped up and got identified.
swalsh
If we ever go back into a mercantilist economy based on bitcoin, the US is setting itself up to be in a solid position.
PaulWaldman
>Specifically, law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet.
It's interesting how the defendant tried to hide his bitcoin holdings in very low-tech ways.
The utility ease of holding bitcoin is apparent with this seizure. What other asset could you hide the equivalent of $1B USD in a floor safe and a popcorn tin and without having to use a 3rd party custodian?
ISL
The potential value-density of crypto is unmatched, but I'm not sure it is "easy" to store in a manner like that.
If another resident of Zhong's household had discarded the popcorn tin, he could have been out $1B. It is difficult, but not impossible (see fat-finger transactions), to do that with other asset classes.
zmaurelius
Holding a large amount of cryptocurrency without multiple backups spread around various geographical locations is foolish. So ultimately, to store cryptocurrency securely, it's never actually easy when you get down to the nuts and bolts of it.
Scoundreller
Who said he didn’t have any other backups elsewhere?
Impossible to prove he didn’t have his private keys backed up elsewhere.
ilyt
Steganography might've been an interesting way to deal with it: make a big QR code with credentials to a 1M wallet and hide the 1B wallet info as steganography in that picture.
int_19h
"There's always money in the banana stand!"
duxup
Agreed, the risks here are pretty high. Even just some catastrophic disk failure.
closewith
> The utility ease of holding bitcoin is apparent with this seizure. What other asset could you hide the equivalent of $1B USD in a floor safe and a popcorn tin and without having to use a 3rd party custodian?
Back in the day, the answer would have been bearer bonds, but they're no longer popular instruments.
busyant
> bearer bonds
The financial instrument of choice for movie heist villains from the 1970s to early 2000s.
closewith
And the Italian Mafia until at least 2009!
https://en.wikipedia.org/wiki/Chiasso_financial_smuggling_ca...
> The total value of the counterfeit bonds was estimated at approximately one percent of total U.S. GDP in 2008
krustyburger
They’re still relevant in that there’s always a chance someone may ask you to “do a Die Hard.”
mminer237
New bearer bonds were outlawed forty years ago, which is why.
closewith
The world extends beyond the US. The Panama Papers showed that bearer bonds were alive and well all the way until the mid-2010s, and Panama itself only phased them out in 2015.
Scoundreller
I wonder what percentage of old companies are still owned by « bearer » shares.
At least investment/corporate bonds usually expire, so the bearer ones eventually wash out.
bottlepalm
The money would probably have been safer stored as 12 words on an unhidden, disused iPhone.
drewfis
A 4D chess move would be 12 1-word game saves on an old GameBoy game cartridge that is hidden amongst hundreds of other GameBoy cartridges.
thakoppno
People have memorized pi out to absurdity - surely one could memorize 192 bits with enough incentive?
antifa
The first 12 words of the last paragraph of the 42nd page of your favorite book.
kipchak
For comparison, at $14k an ounce you would need 72,000 oz of rhodium, the most valuable PM, to hit $1B.
kibwen
Antimatter is allegedly valued at $2,700,000,000,000,000 per gram, so you could fetch a billion for 0.37 micrograms of it. Don't try storing it in a popcorn tin, though.
thfuran
That's more of a manufacturing cost than a market price, isn't it?
Scoundreller
I mean, the magnetic field to hold it doesn’t weigh anything either.
m4jor
Sounds like it was just stored on a Trezor or Ledger hardware wallet.
danaris
Presumably this would be the case with any purely-digital asset class that has the ability to be encapsulated in a physical token or offline digital storage device.
ConcernedCoder
The problem with that type of utility being that maybe the defendant was the only person who could "cash in" these bitcoins... an untimely traffic accident away from another 50k bitcoins "lost" without the password to recover them...
Maursault
> JAMES ZHONG pled guilty to committing wire fraud in September 2012 ... ZHONG pled guilty on Friday, November 4, 2022, ...
> U.S. Attorney Damian Williams said: “James Zhong committed wire fraud over a decade ago...."
The statute of limitations for mail fraud and wire fraud prosecutions is five years (18 U.S.C. § 3282), except for mail and wire fraud schemes that affect a financial institution, in which case the statute is ten years (18 U.S.C. § 3293).[1]
Lawyers please explain. Also, who was the victim here, and who reported the crime?
[1] https://www.justice.gov/archives/jm/criminal-resource-manual...
yakak
I don't think bitcoin was even a recognized currency until 2014.. It is utter madness that someone can make a game today and you can be tried for winning on players technical errors a decade after the IRS decides if it is a serious speculative game. It's like back in the first MOOGs where people wanted to arrest in game thieves. Talk about killing your industry.
lolc
If you trick somebody into giving you something, and they consider that thing valuable, you're on the hook for fraud. Doesn't have to be about official coins. Of course, if you're playing a game where thieves are part of the game, you have to accept that. Or not play the game.
wmf
In 2013 FinCEN and the IRS declared that Bitcoin was always property so you can't make some kind of "it's just a game" argument.
chelical
In 2013. He pled guilty to wire fraud in 2012. Can FinCEN/IRS retroactively determine something (like tradable skins in a game) is property and prosecute people over it?
qeternity
Bitcoin has been classified as a commodity, not a currency, so I’m not sure what you’re talking about.
I’m not sure why you’re downplaying this. If I maliciously exploited a video game for serious financial gain today, there’s a good chance that will be a crime.
dragonwriter
> I don't think bitcoin was even a recognized currency until 2014..
It is not legally a “recognized currency” now (“virtual currencies” are essentially treated as non-currency properties), and it was both property and had value before 2014.
pcthrowaway
Wouldn't it at the very least be a recognized foreign currency, since it's the official currency of 1(?) country
dragonwriter
> Also, who was the victim here, and who reported the crime?
The crime seems to have been discovered as part of the tracing of assets subject to seizure in the Ross Ulbricht cases, which is why the bulk of the assets were seized and filed for forfeiture as part of that case, and not the separate case against Zhong.
On the statute of limitations issue, it's worth noting that limitations may be waived in a guilty plea, and that a defendant might do so to a lesser charge rather than facing trial on more or more serious charges (such as money laundering and/or tax fraud and/or evasion charges relating to the subsequent transactions involving the Bitcoin, which occurred at least as late as 2017 and would be well within the 6-year SOL that would be applicable there.)
EDIT: To be clear, I haven’t seen a link to the Zhong plea bargain or any indictment it may have replaced (much less what prosecutors might have waved at his defense as potential charges that were never filed), so the above on the Statute of Limitations is observation of what is possible in general and how that might relate to the case, not an explanation necessarily of what did happen in the case. While there are other ways the statute of limitations might have applied differently in this case than it superficially would seem to (e.g., tolling for a request for foreign evidence if some was used to trace the funds), the way described above still seems most likely to me, in the absence of more facts.
ajonnav
I just started law school so don't take this answer as definitive but a couple of things I thought of were: 1. For the statute of limitations, I believe that the time point to look at is when the lawsuit was filed (as opposed to when the guilty plea comes through). All that matters was that lawsuit was filed __before__ the statute of limitations ran out. 2. Additionally, there are scenarios where the law/courts will allow people to file suits after the statute of limitations runs out but that varies by jurisdiction and by the law that governs the crime committed. (For more info, you can check out equitable/statutory tolling).
paulpauper
It is called a John Doe defendant. The investigation was opened before 2017, which was the deadline, in secret. When they found the guy they changed the name from Doe to Zhong. Had the feds waited until 2018 or so before opening an investigation, it would have been too late. The statute of limitations expires only if no investigation is ever opened.
nrmitchi
If this is actually a legitimate thing, it sounds like the most ridiculous abuse I've read in this thread. By this logic there is no reasonable concept of 'statute of limitations' if a "secret" investigation can always be opened (or assumed to have been opened).
The only reference I can find to what you're describing seems to apply to civil suits only, where the legitimate defendant name is substituted back in during discovery. It does not appear to be a stand-in in criminal investigations.
paulpauper
The biggest misconception is that the statute of limitations means all you need to do is run down the clock. Nope. As soon as there is enough evidence to open an investigation there is no expiration unless the investigation is closed, and this is all done in secrecy. Rather, the deadline is from when the crime last occurred to when the investigation is opened. For example, the investigation into the identity of the 2011 Geezer Bandit is still ongoing despite the most recent robbery being a decade ago. Regarding the bank robber, it's not a secret because the feds are looking for leads from the public who might be able to identify him by appearance, but in the case of the hacker it does no good to put up wanted posters.
closewith
At the spot price at this time, 51,680.32473733 Bitcoin is worth $1,066,821,439.46 (~$1.06B) USD. Some difference from the ~$3.36B on November 9th, 2021.
greyface-
And in September 2012, the time of the heist, they were worth about $500k.
ta988
Most news and law enforcement will always inflate the numbers like that.
ISL
That was the value at the time of seizure, which is most-likely the correct time at which to value it.
It is true that the news would probably use the larger number if BTC had gone up in price since then, but I suspect that the official statement would always quote the value at the time of seizure (perhaps with a parenthetical to highlight a greater present-day value).
conductr
> That was the value at the time of seizure, which is most-likely the correct time at which to value it.
It should be marked to value at time of the crime. Value of the property is often a metric used for setting the charges/punishment and he had no idea it would appreciate the way it did. He shouldn't get penalized for it appreciating.
May differ internationally but to my knowledge it works that way over most of the US.
olalonde
> Specifically, law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet
Weird that he went through all this trouble to physically hide the wallets but did not use encryption...
m4jor
Seems like it was stored on a hardware wallet like a ledger or trezor.
He most likely voluntarily gave them the passwords and access as he turned himself in as well as turned over additional bitcoin.
sidewndr46
Almost like the details released don't match up with reality.
kube-system
The article does not say he didn't.
ur-whale
My thoughts exactly.
ISL
With a public blockchain, it seems at least technically possible to seize any funds that were used in a transaction later shown to be illegal.
If you thought KYC constraints were invasive today...
jonwachob91
That is probably the fastest way to kill crypto. Seizing any coins involved in illegal activity, even if it's been through numerous other owners since (and for legal purchases). Once everyone is asking if the coins they are getting are clean they'll stop acquiring coins.
Sargos
China, Russia, Egypt, and many others have already banned crypto and seize any assets regardless of legality and it hasn't killed crypto yet.
Even the USA as the largest economic market in the world couldn't kill crypto by seizing assets as there are dozens of other countries that will keep using crypto for the anti-corruption, stability, and efficiency benefits it provides. It's a lot like the internet where a country can ban or control it but ultimately it only harms their own citizens and prevents them from properly competing on the world stage.
landemva
Government cleans crime proceeds when they auction it off. Same for planes and cars.
ISL
Yes, but that is after they seize it.
If a criminal steals my bitcoin and spends it, everyone who accepts it and everyone who accepts it from them is taking delivery of stolen property, trivially traceable back to me. I'll want it back, because it is mine and was stolen.
https://en.wikipedia.org/wiki/Possession_of_stolen_goods
As a practical matter, if crypto continues to gain adoption, law must emerge to keep the ecosystem from getting jammed up.
counttheforks
Which government, and are there international agreements about this?
three_seagrass
Isn't that just admitting that the primary use case of crypto is illegal activity?
ISL
No -- it means that a single instance of illegal activity can potentially be charged-back by a government through a web of otherwise-legal transactions at any time. The immutable historical retention of all transactions has at least the capacity to threaten the immutability of transactions in the real world.
gzer0
> Nearly five years after ZHONG’s fraud, in August 2017, solely by virtue of ZHONG’s possession of the 50,000 Bitcoin that he unlawfully obtained from Silk Road, ZHONG received a matching amount of a related cryptocurrency — 50,000 Bitcoin Cash (“BCH Crime Proceeds”) — on top of the 50,000 Bitcoin.
And presumably, this is how he was caught. He hid his identity really well. The withdrawal of BCH eventually led to his downfall.
Scoundreller
It didn’t, not officially anyway.
The feds pinned him on what appears to be a mix-up by the accused between his “unclean” and “clean” wallets when dealing with a crypto broker with an IP that pointed to his house for several years.
Starts around 22 here: https://www.justice.gov/usao-sdny/press-release/file/1549821...
paulpauper
What are you basing this on? It could have been any other possibility
ISL
Pretty impressive that we've advanced technologically and as a society to the point where we can now store somewhere between much and all of the GDP of Belize " (a) in an underground floor safe; and (b) on a single-board computer that was submerged under blankets in a popcorn tin stored in a bathroom closet."
lern_too_spel
What's stored on the computer is a number that gives access to a wallet. You could also store a number that gives access to a Swiss bank account on a piece of paper in the 18th century. I wouldn't call the technology advanced.
evilos
This guy had 3 billion dollars in stolen crypto and didn't flee the country? Insane.
frontman1988
Not only that, he didn't even use much of it for the past 10 years. At least he didn't have to work after college though: https://www.linkedin.com/in/jimmy-zhong-01678025
m4jor
>Large early bitcoin investor with extensive knowledge of its inner workings.
An interesting way to put it.
dagaci
The question is will the USA government refund what was stolen to the victim "Silk Road"? (https://www.investopedia.com/terms/s/silk-road.asp) Is there a protocol for this kind of event?
jwithington
TIL that you can get in trouble for stealing from other criminals
ceejayoz
Why would that be surprising? You can't murder them, either.
notch656a
In some (even US) jurisdictions they call it 'mutual combat' [0] and overlook it. In some places like Washington State (note: not legal advice) one may be under the impression criminal-on-criminal combat is explicitly legal. There's also a lot of historical context (think outlaws in the wild west) that suggests that those in the American West may culturally not find it surprising that the public would generally be OK with criminals doing themselves in.
It's my understanding that in Texas it may even be possible that killing thieves is legal there in some circumstances as well.
Edit: perhaps I wasn't as explicit in the part to read between the lines. The police in US are oft perceived as being more likely to 'overlook' or consider it 'mutual combat' for acts against criminals. I don't think the analysis "that has nothing to do with them being criminal" is really a fair conclusion.
[0] https://torontosun.com/news/world/no-charges-in-deadly-chica...
ceejayoz
That has nothing to do with them being criminals, though. You and I could engage in mutual combat, if we wanted. Muhammad Ali got paid quite a bit to do it.
adrr
Couldn't this guy say "silkroad knew I was doing this and approved". Prosecutors would have to get someone from the silkroad to testify to counter that.
Scoundreller
That’s probably what flagged them in the first place: Lots of withdrawals without any deposits or sales, so appeared to be a site operator.
heavenlyblue
Using/owning proceeds of a crime is a crime.
londons_explore
But don't the prosecutors have to prove you knew they were proceeds of crime?
rideontime
This logic didn't work for Armin Meiwes, it probably wouldn't work for this guy either.
toyg
In an honest state, with great powers come great regulations about what you are supposed to do with such powers. Occasionally some responsibility too.
duxup
You also should report that income to the IRS.
The original hack was caused by the fact that Silk Road was running PHP on MySQL without transaction isolation. Many early crypto exchanges had similar withdrawal bugs as they were running on LAMP stacks - MySQL has been notoriously famous for having lax transaction isolation. Sometimes you could overwithdraw just by hitting refresh fast enough in a web browser.
If you deal with money use PostgreSQL + SERIALIZABLE transaction isolation level to be sure.
More in PostgreSQL documentation https://www.postgresql.org/docs/current/transaction-iso.html
Also Zhong was a 22-year-old script kiddie when he hacked Silk Road. Any smart criminal would have left the United States a long time ago when sitting on top of a $3B stash.