Today, with the publication of my book, The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze, I announced that my sources and I believe we have identified the person who hacked the DAO, the most popular application on Ethereum in early 2016.
The theft, which gave the hacker possession of 5% of all ETH, was then worth $78 million--or $52 million, if you took the price of ETH after its value crashed. Today, the 3.64 million ETH they took, at a rough price of $3,000 per ETH, would be worth $11 billion.
The reason a single decentralized app on Ethereum could have such an impact on the ETH price was because, at the time, when Ethereum was less than a year old and there was little activity on the network, it practically felt like The DAO was Ethereum.
That's why the attack caused Ethereum to consider a so-called "hard fork," or non-backwards-compatible change to the network, that, in this case, would enable the people who had put their money into the DAO to get it back.
However, since not everyone agreed that Ethereum should undergo such a drastic change for a hack that didn't endanger Ethereum itself but harmed the users of an app on Ethereum, hard forking ran the risk of creating a second, competing version of Ethereum.
Indeed, that's what happened: This contentious hard fork resulted in the creation of Ethereum Classic, where the DAO and the ill-gotten goods--which are worth more than $100 million--remain.
As detailed in my book, the hacker couldn't do much with this money. Everyone knew the funds were associated with the DAO attack, and people were watching the money move. Although the attacker was able, at the time, to convert some of the ETC into about 282 bitcoins (then worth $232,000), the ETC was basically useless. After the last cash-outs to bitcoin in December 2016, the hacker never touched the money again.
For years, it seemed that's where the mystery ended. When I tried to follow the leads again, the first thread I began pulling on was an investigation by an employee at one of the crypto exchanges who had seen what they deemed a suspicious trade--one that looked as though the person making it had foreknowledge, the night before the attack, that something might happen to the price of ETH.
I followed the leads fully for my book, interviewing everyone in that orbit, but didn't have anything conclusive. Then, as I was in the final stages of copy edits on the book, one of my sources, Alex Van de Sande, a Brazilian user experience designer who had previously worked at the Ethereum Foundation and who was involved in trying to rescue the non-hacked money in the DAO, reached out to me saying the Brazilian Federal Cybernetics Crime Division had made him the subject of an investigation into the DAO, including whether he might be the hacker.
To help exonerate himself for the interview, he decided to commission, and share with me, a report on the DAO attacker's transactions from the blockchain analytics company Coinfirm, which gave him a discount in exchange for credit in my book. (The Brazilian police, concluding that no crime had been committed, and that if one had, they didn't have jurisdiction, ended up closing their investigation before even interviewing Van de Sande.)
Using the report, Van de Sande and I studied the hacker's movements with their illicit funds. The timing of their cash-outs didn't match the times that the suspects I had pursued seemed to be online, based on their social media posts. (Ditto for another suspect, based in Russia, whom Van de Sande and I identified.)
In fact, the times at which the attacker was typically turning their ETC into BTC were during what looked like Asian morning-to-nighttime hours. But I had obtained a customer service email that the attacker had submitted, back in June, to ShapeShift as they were preparing for the DAO attack. Despite the brevity of the note, it was clear they were a fluent English speaker.
I sent the Coinfirm report to another company that had helped me parse data for my book: the blockchain analytics firm Chainalysis. They saw that the attacker had used a privacy service called a Wasabi wallet, which mixes many transactions together to obscure the flow of funds.
Unbeknownst to me, in what is being disclosed for the first time with this news, Chainalysis had the ability to de-mix those transactions. And from there, we were able to follow the trail until we came upon an identifiable alias and more, which lined up with the other clues I had--a daily schedule that comported with Asian waking hours, fluency in English and an intense interest in the DAO, along with a high degree of knowledge about its code. There was even enough evidence to make a hypothesis about the motive.
In the end, my years-long effort unspooled in a few weeks. I feel confident about the evidence, which my sources also felt was extremely strong. Once we had everything, they marveled: "The evidence is never this good."
(Photo illustration by Jakub Porzycki/NurPhoto via Getty Images)