July 6, 2019

Kleiman v Craig Wright, part 3

There has been much reporting on the recent June 28th hearing in the case of Ira Kleiman v. Craig Wright, where the latter testified in person for the first time. Several reporters attended the hearing and relayed baffling events, but those of us who have been following the case were anxious to get a direct look at exactly how things played out. With the court transcript and exhibits in hand, let's go on that journey together.


For starters, check out the two previous entries in this blog series:

Craig Wright has for years now been claiming to be Bitcoin inventor Satoshi Nakamoto, and despite those claims being widely and thoroughly discredited by numerous experts (see Jameson Lopp's excellent write-up of some of the holes in Wright's claims), Wright remains financially backed by a small group of people like Calvin Ayre and retains a small but dedicated following online for his BSV altcoin.

Wright has also recently taken to suing people for libel for saying he's not Satoshi, with predictably chilling effects. Borrowing a quip from another report author: if I had found compelling evidence that Wright is Satoshi, I would so state.

Wright's claims have for a long time involved Florida computer forensics expert Dave Kleiman as some kind of partner, where exactly who did what has been unclear or has changed over time. After Kleiman's death in 2013, Wright reached out to Kleiman's relatives and told them tales of all the things Dave and Craig had been up to together, including creating Bitcoin and mining a large number of bitcoins. Wright is alleging that all the mined bitcoins are locked up in a secretive blind trust called the "Tulip Trust", which he can't access but will be given back to him some day.

A lot of the story revolves around a Florida company seemingly formed by the two, W&K Information Defense, controlled by Kleiman and holding the assets of their work. Following Kleiman's death, Wright sued the company to gain exclusive control of its assets, apparently by going through an Australian court and having one of his own associates act as a representative of W&K and forfeiting the case on its behalf. The director of W&K was also changed to Uyen Nguyen, a woman whose name appears on paper in many of Wright's business dealings. The Kleimans say these actions were all taken without their knowledge.

It is Ira Kleiman, Dave's brother, which is now suing Craig Wright over Dave's share of everything, which if Wright's story is to be believed could be over a million mined bitcoins. This puts us in an interesting situation where it is greatly in the interest of both sides that Craig Wright really is Satoshi Nakamoto and the bitcoins are real. This bears emphasizing: no one in this case is trying to prove that Craig Wright isn't Satoshi.

There's a ton of other background to Wright and this case that can't be gone over in full without ending up with pages and pages of background, so I'll just touch upon a few of them in bullet point form:

  • Wright has since the beginning been surrounded by lots of documents that appear to support his claims but upon inspection are shown to be forgeries or contain falsehoods. Once debunked, Wright sometimes then claims someone else forged it in order to frame him (by adding the fake stuff to make him look like a fraud).

  • Wright is the subject of an Australian Tax Office investigation over various tax rebates and deductions Wright had applied for for his various companies over several years. Wright left the country when the ATO raided his home, and has since resided in the United Kingdom.

  • Money has always been involved in Wright's claims to be Satoshi Nakamoto. Wright was paid to "come out" as Satoshi, Andrew O'Hagan was paid to do a write-up, and the nChain company seems to be entirely based around Wright as a central blockchain genius figure. It's not unreasonable to say that by now Wright's entire livelihood is based on this singular claim.

  • Wright has performed at least one private key signing demonstration, famously for Gavin Andresen who at least at the time believed Wright was Satoshi. Wright has also privately offered similar demonstrations to others. No independent verification of any such signatures has ever happened, with most people believing Gavin was bamboozled by a magic trick. (The apparent inconsistency of how Wright could have signed messages with keys that were locked up in a trust outside his control is touched upon later in this post.)

While there's much more that could be said about Wright's colorful back story, let's instead jump to the meat of this post: the recent court hearing.

The June 28 hearing

The reason for the June 28 hearing wasn't just to hear Wright's testimony in general, but specifically to hear why he shouldn't be held in contempt of court for repeatedly failing to comply with court orders to produce certain materials (bitcoin addresses and trust information) during discovery. Daniel Kelman has a good write-up of how contempt of court applies in this circumstance and there are definitely legal consequences for Wright if he is found in contempt.

Update: Kelman has posted a follow-up with his impressions of the hearing.

Again note that the point of the hearing was not to determine whether Wright is Satoshi as he claims, but whether he has any valid excuse for not producing what he was ordered to.

The hearing was quite long and the full transcript over 200 pages, so I've done you the favor of going through it and commenting on some of the interesting bits point by point, and will be applying basic fact checking to them below. The hearing covered Wright's testimony, which is split up into a direct examination (Wright being questioned by his lawyers), a cross examination (Wright being questioned by Kleiman's lawyers), and finally a redirect examination (follow-up questions by Wright's lawyers). As I'm expecting others to be able to better comment on the legal aspects, here I will be focusing more on technical aspects.

Be aware that there are parts in which the court reporter was struggling to follow along, especially when various technical terms were being tossed around, so there are some spelling mistakes here and there. Transcript excerpts include a reference to the page(s) and lines they can be found in the full transcript which is linked at the bottom of the post.

Direct examination by Wright's lawyers

  • Wright is asked if he is Satoshi Nakamoto and if he created Bitcoin. He says he is and he did. The Bitcoin whitepaper is submitted as defense exhibit 1.

    Transcript (6/3-12)
    Q    Are you familiar with the Bitcoin system?
    A    I am familiar with the Bitcoin system I created.  I have
    less familiarity with the thing that many people call Bitcoin,
    but I don't.
    Q    You invented the Bitcoin system; is that right?
    A    That is right.
    Q    And have you gone by the pseudonym of Satoshi Nakamoto?
    A    I use the pseudonym Satoshi Nakamoto.
    Q    You are Satoshi Nakamoto; is that correct?
    A    I would more say it's a characterization that I played.

    (BSV fans, you may want to stop reading here. This is about as good as things will ever look for Wright during this hearing.)

  • Asked to explain the purpose of the original Bitcoin, Wright reads the whitepaper title and makes several incorrect claims.

    Transcript (8/7-24)
    Q    Dr. Wright, in its original design and creation, what was
    the purpose for the Bitcoin system?
    A    It was a peer-to-peer electronic cash system.  It
    operated as a Mandela network, which is a form of ultrasmall
    small-world network.  The methodology was effectively a series
    of peer-to-peer overlay networks.  The mining network acted as
    a central core peer network, where miners that could scour to
    any size, would act commercially to validate transactions
    without knowledge of the source or what the transaction was
              On top of that, there were peer layers, such as the
    IP-to-IP transfer that was removed in 2011, after I left, that
    would enable the direct peer exchange of messages.  That was
    also noted in the section of the white paper on SPV.
              SPV was simplified payment verification, which
    involved the exchange of messages between peer entities, with
    the recipient then sending it to the network to be mined for a

    • The original bitcoin client used the #bitcoin channel on irc.freenode.net to advertise itself and find other peers, not some carefully designed network topology.
    • The original paper that described and coined the term for Mandala networks was called "Mandala Networks: Ultra-small-world and highly sparse graphs" and was published in 2014. It kind of sounds like just a lazy namedrop of a random term in order to sound overly technical, but who knows, maybe Wright secretly invented this too?
    • SPV as originally envisioned in the whitepaper is about being able to verify that a transaction has been included in the blockchain even if you only have the block headers by requesting and inspecting the merkle tree of blocks. While in some circles SPV has in more recent times come to mean any manner of light client or non-full node, Wright's description here is wrong.

  • Wright insists that there's no such thing as a "public address" in Bitcoin.

    Transcript (9/16-4/19)
    Q    The questions that I'm going to ask you today are going
    to relate directly to the Court's order and to the
    circumstances surrounding, Dr. Wright, the fact that you have
    not provided the pub -- a list of the public addresses to the
              Dr. Wright, you are familiar, are you not, with the
    term "public address" as referred to in the Bitcoin system?
    A    No, there are no public addresses in the Bitcoin system.
    Q    I'm simply asking whether you are familiar with the fact
    that people have used that nomenclature, "public address," as
    it relates to the Bitcoin system.
    A    I know people incorrectly use that term.
    Q    That's my next question.
              Is the use of a public address an accurate use with
    respect to the manner in which the Bitcoin system was
    originally intended to operate?
    A    No.  That is how BitGold and eGold were derived. Bitcoin
    was exactly the opposite.  There are no public addresses at
    all in Bitcoin.  Bitcoin was derived such that a key would
    only be used once.  And if you look at the section in the
    white paper later on, it states that as an additional
    firewall, keys should not be reused.
    Q    So what role in its original design and creation of the
    Bitcoin system did the public address, as it is known today,
    A    Public addresses don't exist.
    Q    So it would be irrelevant; is that right?
    A    Yeah.  It's like saying: "How do unicorns relate to this

    The defense is making a half-hearted argument that the term "public address" doesn't mean anything in Bitcoin (seemingly because it kind of sounds like a fixed point to which you receive something whereas in Bitcoin you're not supposed to reuse keys), and thus a court order to produce "public addresses" is meaningless.

    Technically Bitcoin addresses are simply a human-readable representation of a public key hash to which a transaction output can be locked. They're derived from the public key and are representations of possible destinations for Bitcoin transactions, and they're how standard outputs are typically presented in block explorers etc.

    Only an moron would know all this but act as if sticking a superfluous "public" in front of this fundamental concept makes it mean something unacceptably different. More importantly, everyone in the room already clearly understands what is being referred to by the term, so Wright being obtuse and nitpicking at words is not impressing the judge.

  • Wright characterizes the trust holding the bitcoins mined from 2009-2010 as being a trust holding access to companies who in turn hold the legal rights to bitcoins, and that there are legal layers wrapped around technical layers of protection. These layers become a bigger point of discussion later during cross-examination since there are lots of documents talking about a multitude of different trusts, and Wright never provides any clear overview or explanation of how it's all supposed to fit together.

  • Wright mentions that he was too broke in 2011 to be able to afford to keep paying the lawyers who drafted his trust documents. Later in the hearing though he says that in late 2010 he had money put aside from casino operations and a large amount of money overseas. (I guess he spent it all in the interim.)

  • Wright explains that he encrypted the trust assets with a multiple instances of Shamir's Secret Sharing scheme.

    Transcript (11/13-25)
    Q    What was the other protective mechanism that was used for
    purposes of protecting the assets that were held in trust?
    A    There's a combination of real world and technological
    solutions.  The technological solution is the creation of a
    number of Shamir schemes.  Each of those Shamir schemes is
    basically linked to a hierarchical system of public keys and
    private keys which are using AES.
              We have a patent filed on the hierarchical
    encryption scheme.  Rather than having every single file
    encapsulated by a single key, as is standard practice now, I
    have invented a system where every single file, even down to
    partial aspects of files and disc fragments can be encrypted
    separately with a link to a related system.

    The details of these Shamir setups are covered more closely during cross-examination, but I'll note that public and private keys do not "use" AES; AES is a symmetric cipher that usually does the bulk encryption of things while using public key cryptography to merely encrypt the AES key. Granted this is perhaps what Wright is sloppily referring to, but since he's nitpicking at words I will subject him to the same level of scrutiny.

  • Wright claims his Tulip Trust was the first Distributed Autonomous Corporation.

    Transcript (12/10-20)
    Q    So the legal structure that was implemented over the
    Bitcoin is separate and apart from the technical solution that
    you have referenced just now --
    A    Yes.
    Q    -- to protect against the Bitcoin; is that correct?
    A    Yes. The technical structure was what you would call a
    probably the first distributed autonomous corporation.  It was
    effectively a technological solution, but technological
    solutions such as that aren't at present related.  They're not
    understood by law, so a standard legal structure was placed
    around as a wrapper to the technological solution.

    This claim is dubious as it would predate things like Dash or The DAO by years, yet curiously came up with the same name for the concept. Trust documents provided by Wright supposedly dated 2012 plainly use the acronym "DAC" without qualification or explanation of what it means, even though at that time the term wasn't in public use yet.

  • Wright briefly slips back into bemoaning "public addresses".

    Transcript (13/4-14/7)
    I'd like to ask you about the first question. With
    respect to whether it is simply not credible that you would
    not hold a list of the public addresses at your disposal to
    easily access, do you believe that that is, in fact, an
    incredulous position to take?
    A    That's not how Bitcoin works.  You don't hold public
    addresses, as they're known.  It's the same as an analogy of
    having a safe full of 100-dollar notes and recording every
    serial number of every note.  You don't actually do that.  The
    modern analogy would be derived addresses, such as Electrum
    and other such wallets.  You don't necessarily need to know
    what particular Bitcoin address, so to speak, you have.
              The spending is not relevant to what people call
    public addresses at all.  It plays no part.  The address is
    only there as a template and script or predicate exchange
    mechanism to be used once and discarded.
    Q    So after the conclusion of the Bitcoin that was mined at
    the end -- or in August of 2010, did you believe it important
    or even prudent to make sure you had a list, an accessible
    list, of the public addresses identifying that Bitcoin?
    A    No, because the public addresses, as you say, which are
    listed on the public ledger, are irrelevant completely to the
    nature of Bitcoin.  The nature of Bitcoin is to do with the
    private keys.  Only spending matters when you have the private
    keys.  And the private keys, the way I had them, were actually
    derivative of a algorithm that I had created and was testing.
    Those algorithms have now been patented in a better form that
    works without causing some of the problems that resulted from,
    or would have resulted if my algorithm was out in 2010.

    Bank note serial numbers are a poor analogy for public keys (or addresses). Addresses can be used to verify that funds exist and have not been moved, for example. Note that Wright is claiming that all his mining all the way back to the genesis block used a successive key generation scheme reminiscent of modern deterministic wallets (but years before such wallets existed), in which case the only crucial piece of data is the original key or seed. This is in contrast to what Satoshi actually shipped in the original Bitcoin client, in which key management was simply a list of randomly generated keys.

  • Wright says he didn't want to be associated with Satoshi because he was ashamed of all the bad things people have done with Bitcoin. He accuses early bitcoiners Sirius and Theymos of starting darknet markets Silk Road and Hydra to facilitate assassination markets and child pornography, and Amir Taaki of promoting Bitcoin as a means of funding terrorism.

    Transcript (14/8-17/9)
    Q    Dr. Wright, could you please tell the Judge whether or
    not, if you could provide the public addresses at this point,
    you would.
    A    If I could, I would have not given the first 70
    addresses.  I would have given every other address.  The first
    70 addresses associate me as Satoshi.  I did not want to be
    associated with Satoshi.
              I left Bitcoin, or started leaving, in August 2010.
    I did not want to be associated with the public name Satoshi
    at all after that point.  The problem occurred because in
    June 2010 people would start -- who had been working on
    Bitcoin, decided, when I was pushing for a commercial
    application, to make the first commercial application as a
    heroin marker.
              Martti Malmi set up the forum.
              THE COURT:  I'm sorry, could you spell that name for
    the court reporter?
              THE WITNESS:  M-a-r-r-t-i M-a-l-m-i, I think off the
    top of my head. It's Norwegian.
              THE COURT:  Thank you, Doctor.  Sorry to interrupt
              THE WITNESS:  Sorry.
              THE COURT:  Please continue.
              THE WITNESS:  Theymos, T-h-e-y-m-o-s, who is known
    as █████████████████, who was a college student at the time,
    he was also running the Bitcoin.org domain.  He set up the
    forums for Silk Road.
              Both of them, together with Ross Ulbricht, set up
    Silk Road, Hydra and a number of other darker websites.  I
    protested this to them.  I set up Bitcoin to be honest money.
    I set up Bitcoin to fix the problems of every other digital
    cash that had been, whether it be eGold, or Liberty Reserve
    Cash, or DG Cash, or Brands Cash, every single one had fallen
    to crime, and I thought by having an evidentiary trial, I
    would create the world's first digital cash that would not be
    linked to crime.
              Between August and December of 2010, I pleaded, I
    said it was a bad idea with Martti and with ███████, and I
    finally left publicly as Satoshi in 2010 because they launched
    Silk Road.  On top of that, they launched Hydro.
              Silk Road was designed to sell heroin, MDMA,
    Fentanyl, weapons, et cetera.  Martti also started working on
    a reputation system to allow assassination markets.  They
    started actually working on a system designed to allow people
    to fund terrorism and others who were involved, such as
    Amir -- I can't spell his name, sorry -- went to Syria to
    promote the idea of Bitcoin as a funding mechanism.
              Hydra was worse than Silk Road.  The nature of Hydra
    that Theymos wanted was as a mechanism to have children
    exchange hard drugs for pornographic photographs.  They sought
    to alter Bitcoin to allow the distribution of encrypted child
    pornography that would be exchanged in schools for Fentanyl
    and other such drugs.
              The -- I stopped mining because of that reason
    completely in August 2010.  At that point, I brought in Dave,
    because he was a friend, and he knew who I was, and he was a
    forensic expert, and I wanted to wipe everything I had to do
    with Bitcoin from the public record.  I had money put aside
    from operations concerning casinos that I was involved with
    and had a large amount of money overseas, and I spent that
    buying other assets in Bitcoin to work on fixing the problems
    that I'd created.
    Q    Dr. Wright, am I correct in understanding that one of the
    reasons you disassociated yourself with anything that would be
    Satoshi was because the invention that you made was being
    abused and used for reasons that were completely contrary to
    its original purpose?  Is that what you're saying?
    A    Yes.
    After I left, I stopped being a pastor, I stopped
    going to church.  I couldn't face anyone I knew anymore.  My
    first marriage fell apart.  My life fell apart.
              I had worked for police in a combination as an
    expert witness in taking down peer-to-peer networks is how I
    understood them, and I worked on anti-child grooming and
    antipornography for a long time.  I have a number of cases
    where I've done that.

    For a guy who sues people over simply not believing he's Satoshi, these are some seriously slanderous accusations he's casually throwing around under oath here. If he truly believes these claims are true, and he knew the names of the people involved at the time, surely a by-the-book law-enforcement champion like Wright would have reported and helped take down these things rather than just walk away and let them happen, right? Let's hope he doesn't find himself at the end of one of those defamation lawsuits himself.

    According to attendees in the audience, this is the point where Wright started crying, but the court reporter opted not to note that down. Oh, and kudos to the court reporter for doing a better job at the names than Wright; it's M-a-r-t-t-i, and it's Finnish, not Norwegian.

  • Wright explains why he gave the court a list of the first 70 block reward addresses, and doesn't know how to spell Hal Finney's name.

    Transcript (17/10-18/3)
    Q    Dr. Wright, you've provided to the plaintiffs in this
    case, as you just testified, the first 70 addresses on the
    Bitcoin system; is that correct?
    A    Yes.
    Q    How is it that you were able to identify those addresses,
    and you are unable to identify the other addresses identifying
    the remaining Bitcoin mined during the relevant time period?
    A    Those addresses are public.  I know for the first day
    there was no one mining, and on the next day no one was
    mining.  The first block that was not mined was around block
    74, and then the next one was block 78.  After that, I don't
    remember.  So the first 70 addresses are definitively ones
    that I was involved with verifying.
              After that, there was another party at 74, I don't
    know who that individual was.  And then 78 I believe is Hal
              THE COURT REPORTER:  I'm sorry. Say that again?
    Seventy-eight is . . .
              THE WITNESS:  Hal, H-a-l, F-i-n-e (sic).

  • Wright says he isn't worried about not having access to the mined bitcoin, because if/when he gets it back he's going to give it to charity to send poor kids to school, to help repay the world for the harm Bitcoin has caused.

    Transcript (21/21-22/16)
    Q    Dr. Wright, sitting here today, you do not have a list of
    the public addresses that identify the Bitcoin mined during
    the relevant time period; is that correct?
    A    That is correct.
    Q    Does that concern you?
    A    No.
    Q    Why not?
    A    There are two reasons.
              I don't care if I get that Bitcoin.  And if I do,
    the reason I set up the trusts, which I discussed with my
    wife, is, one, I'm Wesleyan, which is the same as Andrew
    Carnegie, which is you earn as much as you can, and you spend
    as much as you can.  And I see the only way that I can save my
    soul is I make this worth as much as I can, and every one of
    those coins goes to an educational fund.  We already talked
    about that.  Those bit coin won't be -- they're out of my
    control.  They were put into my wife and family's control, not
    mine, where we discussed when and if we get control -- and
    it's still an "if" -- every one of them will go to funding
    educational charities for the poorest 1 billion people on

    This is in stark contrast to Wright previous threats to intentionally crash the BTC price with large sell orders. Which Wright do you believe?

  • Wright explains how his deterministic key generation scheme worked.

    Transcript (23/14-22)
    A    The Bitcoin that was mined at the time was done as a
    series of derivative keys.  The way this worked was the
    Genesis key was added to a hash chain.  The hash chain is
    basically a hash of values that an index using a HMAC,
    H-M-A-C, form of function multiplied by the curve generated G.
    There is a separate secret for the Genesis key and for the
    access chain.  The access chain acts as an index for each of
    these keys.  This allows separation of mapping where the keys
    were generated and spending.

    If we're very generous we can interpret this as sounding not entirely unlike the Armory wallet, where each key is used to generate the next in a chain, but... unlike genuine scientific speech it doesn't come across like a succinct description of a specific idea, rather it sounds more like a collection of ideas and terminology loosely stringed together to sound scientific. This is a recurring theme whenever Wright explains something.

  • Wright's attorney tries to present a tweet from Kleiman's lawyer saying Wright wasn't complying with court orders, as defense exhibit 2. Apparently Wright's mother saw the tweet and brought it up with Wright, and Wright is having a difficult time talking to her to try to explain all the "false news" she's seeing about him. However, upon objection from Kleiman's side this whole line of questioning is thrown out as irrelevant to today's hearing.

  • Wright says he has nChain staff working on reconstructing the Satoshi address list based on what he told them about how he mined and how he generated addresses, saying this should eventually yield the full list with only slight probabilistic errors. We'll see.

  • Wright is hinging a large part of his defense on hyping up the importance of the late Dave Kleiman as a trustee and caretaker of all Wright's bitcoins and seemingly Wright's go-to fixer for everything; we're told a large amount of crucial information for the trust, especially the things the court wants to hear, were known only to (or accessible only with the assistance of) Kleiman, which is why Wright can't answer questions now.

    The funds will probably still come back to Wright eventually though from beyond the grave, because Kleiman was supposed to set up some kind of Back-to-the-Future-esque scheme where documents get delivered to Wright at some predetermined point in the future (e.g. January/June/December 2020).

    "It's from Dave!"
    Perhaps all the other chronological inconsistencies relating to Wright claiming to have done things years in the past are similarly explained by Wright having a DeLorean, and we just need to think fourth-dimensionally?

Cross-examination by Kleiman's lawyers

Cross-examination was carried out by one of Kleiman's lawyers, Vel Freedman. Here I will summarize much more heavily because frankly a lot of it is just pointlessly going back and forth due to Wright being intentionally obtuse and rejecting questions and arguing back at Freedman. Check the full transcript for the unfiltered version.

I can't speak for the legal strategy employed by Kleiman's side, but in this hearing they appear to be greatly focusing on casting doubt onto Wright's documents and claims so as to paint him as someone who would lie and make stuff up to get what they want, and at the very least you can't trust the documents he produces, but they'll stop short of questioning his claims to being Satoshi Nakamoto (because their case benefits from that claim).

Another forged email?

You may recall that Craig Wright was caught submitting a forged email (purporting to be a signed email from Dave Kleiman appointing Uyen Nguyen as director of W&K Information Defense) as evidence in this trial. Wright quickly withdrew that evidence after sleuths quickly noticed that it appeared backdated and actually signed long after Kleiman's death.

Here Kleiman's lawyer focuses on another email produced by Wright in discovery, of Dave Kleiman sending him the original Tulip Trust formation agreement on June 24, 2011, and proceeds to present significant evidence that it too is a forgery.

  • Freedman presents a PDF of the email in question, which was produced during discover in both scanned and digital form. The latter includes embedded metadata from when the PDF was created.

  • Freedman first points out that while the PDF has a stated creation date of July 12, 2011, the software used to write the metadata is a version dated August 23, 2012. This isn't too out of the ordinary since this is metadata about metadata and a later modification to the PDF could have written the newer software version used, and Wright objects to Freedman trying to infer conclusions from just the metadata version. What it does however imply is that the document must have been modified somehow at some point, and indeed the PDF metadata lists a modification date of October 22, 2014, which Wright himself identifies. Wright denies modifying the PDF at that time.

  • Freedman pushes on with extracted data from the PDF containing the string "TouchUp_TextEdit" near the text for the "From:" field, further suggesting the document has been modified. Wright objects to this line of questioning, and on further questions about whether he modified the "From:" field Wright begins repeatedly countering that this is not an email, it's just a PDF, and that Freedman is trying to mislead the court. The judge even steps in to help clarify but Wright keeps insisting the question is invalid.

  • As the back-and-forth gets more and more heated and reminiscent of A Few Good Men, Wright accuses plaintiff's counsel of perjury by putting in crafted false evidence and throws the document out of his hand. The Judge's reaction is swift and to the point:

    Transcript (46/25-47/14)
    THE COURT:  Dr. Wright, you throw another document
    in my courtroom --
              THE WITNESS:  I'm sorry, Your Honor.
              THE COURT:  -- you will be in handcuffs so fast your
    head will spin.  Do you understand me?
              THE WITNESS:  Yes, Your Honor.
              THE COURT:  Okay.  Now --
              THE WITNESS:  I apologize.
              THE COURT:  -- answer his question, which is a
    simple question.
              THE WITNESS:  No.
              THE COURT:  Did you modify document plaintiffs'
    exhibit number 2?
              THE WITNESS:  No.
              THE COURT:  Next question.

    Freedman follows up by pointing out that there's another "TouchUp_TextEdit" string near the "Date:" field. Wright denies having edited or ever been involved with the PDF or that it is his document.

  • Asked if he is familiar with email transport headers, Wright says yes but again interjects that this is not an email. (He keeps doing this for the rest of this line of questions.)

    Freedman then points out that the original PDF export from Outlook has actually embedded some mail headers into the PDF, and that the Return-Path header is "craig@panopticrypt.com". (This is suggesting that the original email was just sent by Wright to himself.) Wright denies that this is his email address. Well, not since 2013. Ish.

  • Freedman points out that the embedded Received header says Thursday, June 24th, 2011, indicating that's when the email server received the email. He then submits a new piece of evidence: a calendar for June 2011 showing that the 24th was a Friday. Asked to comment on this discrepancy, Wright offers the following explanation:

    Transcript (52/21-53/3)
    THE WITNESS:  It's a Friday.
    Q    It's a Friday.
              Dr. Wright, do computers often mistake the day of
    the week?
    A    When someone has modified a file on a compromised server
    that was hacked, and is known to be hacked, then all sorts of
    funny things happen.

    In the real world, there is no way for a computer to make this kind of mistake; your first suspicion should instead be that someone has edited the text date in the header string by hand but gotten the weekday wrong.

  • Freedman now brings up a third version of the email, also produced by Wright's side during discovery; this one says it was sent on Friday October 17, 2014 and actually contains a full set of email metadata (whereas in the previous version the headers were truncated). This metadata much more clearly shows the email as being sent by Wright to himself. The original sender is a computer named "PCCSW01", which Freedman comments on by noting that Wright's initials are "CSW". Wright continues to insist he did not send this email.

  • Wright's constant objections and avoiding answering basic questions during this time draws the ire of the judge again, who calls a five minute recess and suggests that the defense lawyers may want to have a chat with their client about how to answer questions.

  • Finally Freedman walks Wright through the timestamps of the 2014 email's Received header chain and comparing it to the earlier version. They're identical up to the point where the earlier version's metadata was truncated, save for the year, month and date of the final Received step. Notably, while the 2014 version was sent on a Friday, due to time zones the final step was logged on a Thursday. If someone took the 2014 email, edited the metadata to 2011, but forgot to change the day of the week, you'd end up with the mysterious incorrect weekday.

    Wright disagrees, saying it would be more complex than that. (Not sure if he's talking about the other steps involved in forging other aspects of the email?)

  • The 2014 PDF raw data shows the same indications of an edited "From:" field as the 2011 PDF (but with an intact "Date:" field), and the two PDFs have the same generated DocumentID, suggesting one was created from the other (rather than from two exports of the same email). Freedman also points out that the 2014 PDF has a modification date preceding its creation date, further suggesting date manipulations being involved in the creation of these documents. Wright himself offers the possible method of changing your system date before printing as a way to achieve this.

All the evidence presented by the plaintiff raise significant doubts as to the authenticity of this supposed email from Dave Kleiman. No legitimate document should show this many signs of manipulation, and even if Wright denies that he forged anything, all of this is hurting the credibility of any other documents Wright's side has submitted, if not Wright's own credibility.

Font troubles spell trust issues

Next up is a deed of trust document purporting to be from October 23, 2012 between "Wright International Investments Ltd" and "Tulip Trading Ltd" as parties and beneficiaries of a new trust to be known as the "Tulip Trust". The document was produced by Wright in discovery, and like many other documents associated with Wright it contains a certain degree of spelling mistakes. It's also about to be torn apart much like the email due to the inner contents of the PDF.

  • Freedman presents a deed of trust PDF from Wright's side. Wright again refuses to make anything but minimal representations about the document's authenticity, so the judge steps in and tells Wright just to answer whether he's modified any of these documents in his possession or not. He says he hasn't. He keeps saying he was merely handed all these documents by other people, though.

  • Plaintiff's forensics expert has extracted embedded font metadata from the PDF. It shows an embedded copy of the "Calibri" font, with a copyright notice dated 2015. (The document claims to have been created and signed in 2012.)

  • Asked to explain this discrepancy, Wright says that the Calibri font got an update in 2015, so if the document was re-printed at any time after that, it would have picked up the new font. This only makes sense if the "signed" document is just a Word document with pasted images of signatures (i.e. not signed digitally), and someone created a new PDF from it. Of course, such a document would also be trivial to modify after the fact, for example to backdate it...

  • The trust document is executed by a service company called "Abacus (Seychelles) Limited", and Wright tries to shift any responsibility onto them, saying that he only received the document from them and has no other knowledge about it, so if it's been forged then maybe it was them.

  • Wright claims ignorance as to whether this is the trust incorporation he has been referring to in his previous depositions, and about anything really. While Freedman keeps trying to drag information out of Wright, the Judge almost takes over questioning again just so they can all agree that the company IBC numbers on the document do match what Wright has previously stated.

  • Freedman next brings out an email thread of Wright purchasing an aged shelf company from Abacus (Seychelles) Limited. Aged shelf companies are companies registered by a reseller and left inactive until sold years later to someone who for whatever reason needs to own a company that's been around a few years. On October 17, 2014, the same day as Craig sent the forged Dave Kleiman email to himself, Wright ordered a company called "Tulip Trading Limited" with an original registration date of July 2011.

    The inference here is that if in 2014 Wright needed to retroactively establish companies for a 2011 trust, he would have been looking to buy a preexisting company with an appropriate registration date. The email thread seems to show this happening. Is this random off the shelf company the source of the "Tulip" name?

  • When Freedman brings up a matching invoice and bank transfer details for Wright's purchase of the aged shelf company, Wright suddenly objects that this is document is fake because the recipient bank account is in New York, and according to Wright Abacus does not do any business in the US. The documents were provided by Wright's side in discovery however, same as all the other documents. Freedman tops this off by showing an email where Abacus delivers the Certificate of Incorporation and Articles of Association for Tulip Trading Limited.

  • Asked to explain how a trust document from 2012 can mention a company that Wright didn't commission until 2014, Wright refuses to recognize the documents (despite them coming from Wright's own files), and suggests that whatever this is, it was produced by someone or something else in his organization and not him.

  • Freedman has by now drummed up a crescendo of more and more assertive point-blank accusations that Wright forged the entire trust setup to make it seem like Dave Kleiman transferred bitcoins into this trust in 2011/2012 when in fact all the events of the so-called trust formation took place in 2014, long after Kleiman's death.

  • Freedman says that additional listed trustee, CO1N Ltd, was also a preexisting company that Wright purchased in 2014 and retroactively folded into these trusts. Wright denies having purchased CO1N Ltd, but he leaves some weaseling room by talking about how he didn't directly deal with finances etc. and had other employees for that. Freedman says that CO1N Ltd is one of the aspects of Wright's dealing that the Australian Tax Office was looking at as part of their audit/investigation.

At this point the questioning drifted more towards the encryption scheme and key distribution Wright claims protects the Satoshi bitcoins along with other assets.

Gone today, here tomorrow

There is a ton of going back and forth over precisely what stands in the way of accessing the information the court has ordered (a list of addresses in the trust), with Wright constantly adding new statements to the mix to make for a moving target, so I'll attempt to summarize just what Wright seemed to be claiming towards the end of questioning and not the whole journey.

  • Wright claims that he has invented a hierarchical encryption scheme with multiple layers of keys and using Shamir's Secret Sharing scheme, meaning that a subset out of a collection of key slices are needed to unlock the file (like a mathematical multisig). Files inside the archive are either encrypted individually or in chunks or in levels or based on the files' hashes, or... (sigh). Wright's technical descriptions are generally not conducive to actual understanding, nor do I believe they're intended to be.

  • In different documents Wright has claimed different numbers of total and required slices for the trust, which he now explains as there being multiple encrypted stashes behind different variations of the setup. Whenever Freedman pointed out a document that mentioned different unlocking requirements, Wright replied that this was for a different trust or a different part of the trust.

  • Wright says that the main archive with Satoshi's coins is protected by an 8-of-15 Shamir scheme where the keys have to be in a given order. Shamir's Secret Sharing is intrinsically unordered, so this is nonsense. Wright further says that there are about 32 million possible ways to order the keys. This is actually the number of ways to pick 7 out of 15 things (not 8).

  • Wright claims Kleiman's key slices for this archive are scheduled via bonded courier to return to Wright sometime in 2020. This is movie style grand conspiracy stuff all just to explain why Wright can be Satoshi, but not be in possession of any of Satoshi's coins or anything to corroborate this claim, yet still be able to wield Satoshi's authority because he'll get it back some day! Just not today.

  • Another 12-of-15 scheme appears in purported communications from Dave Kleiman to Craig Wright in 2012, in particular a Bitmessage on November 6, 2012. The message talks about a loan to Wright and how the process will look, but during testimony Wright insists that this 12-of-15 scheme is only protecting the genesis block key and that the loan is about something unrelated. Wright claims this scheme needs keys in a particular order.

    The bigger problem with this message? Bitmessage wasn't publicly released until November 19, 2012. Wright insists that if you look on GitHub, the first version of Bitmessage originally came out in July 2012. (On November 12, 2012, the Bitmessage GitHub repo looked like this.)

  • Wright accidentally drops an f-bomb in court (according to attendees, Wright's lawyer facepalmed):

    Transcript (116/7-14)
    foundation, Dave was similar to me.  Dave's a good guy.  We
    didn't plan on spending it.  I didn't plan on spending it.
    Not for me to get a jet or a yacht, not for me to buy a big
    house, for us to do something to make up for what I saw as my
    fuck up.
    Q    So the way this document starts is: As you wanted" --
              THE WITNESS: Excuse me language, sorry.
              THE COURT: Okay.

  • Another document apparently describing a generalized trust concept based on the Tulip Trust as a prototype says the Tulip Trust is protected by a 3-of-5 scheme. When confronted with the discrepancy, Wright says he called everything the Tulip Trust.

  • Wright has a document to explain how he could have made key signing demonstrations to people like Gavin Andresen, with a trustee (conveniently the same guy Wright bought the Tulip Trading company from) granting Wright the use of the first 10 block keys. Very conveniently, these keys were already encrypted separately in a different archive with different access requirements than the rest of Satoshi's coins which remain inaccessible. It's almost as if whenever Wright needs something, it has already retroactively happened!

    In an email allegedly discussing this file, Wright says it's protected by an 8-of-15 scheme with no order requirements.

  • Wright doesn't know how many slices he has, he hasn't checked, says no one has asked him to look at the file. This is a pretty cavalier attitude for someone facing possible contempt of court charges for failing to produce records.

  • At this point the judge takes over questioning again and extracts a series of specific answers from Wright:

    Transcript (125/4-127/15)
    THE COURT:  Can I interrupt for a second? Let me
    try it this way.
    Q    Dr. Wright, there's an outermost encrypted file, correct?
    A    Yes.
    Q    Okay. How many slices do you need for that file?
    A    Eight of 15.
    Q    Who has them?
    A    I don't know.
    Q    What efforts have you made to find them?
    A    I've tried looking through documents, et cetera.  The way
    it was set up was I gave slices to Dave, and he was directed
    to give them to bonded couriers that would send slices based
    on different events.  One of those events was June 20, 2020,
    was one to be returned, or one set to be returned.
              I don't know whether Dave set those up correctly.
    They used a DX service, which is bonded courier in this
    country, I guess, where you pay someone so that if an event
    happens, they will send the mail, a registered post for
              I can't ask Dave whether he did that correctly.  To
    be able to tell the Australian tax office that I had zero
    control, I needed to hand over enough slices to Dave that I
    didn't have control.
    Q    Understood, but let me go back.  For this outermost
    encrypt file, you say you need eight of 15.  Do those have to
    be in a particular order or can they be in any order?
    A    Those ones have to be in order.
    Q    Okay.  Where is that order kept?
    A    With the --
    Q    Where is the necessary information to know that order
    A    With the actual slice.  They have a number indexing them
    for each one.
    Q    Okay.
    A    So it would be zero one number, zero two number.
    Q    Okay.  And how many of those slices were -- did you keep?
    A    Um, I have and can get a total of seven.
    Q    Who else besides you and Dave do you know of who has
    A    I know Uyen potentially had some slices.
    Q    Okay. Who else?
    A    I don't know.  I was basically instructing Dave to make
    sure I didn't know who he gave them to.
    Q    Okay.  And so you haven't had contact with Uyen since
    2016, correct?
    A    That's correct.
    Q    So since 2016, you'd have known that you have no way to
    access these files, correct?
    A    I believe --
    Q    Until at least 2020, you have no ability to get to these
    files, is that what your testimony is?
    A    Yes, Your Honor.
    Q    Okay.  And so you knew that fact on February 19th of this
    year, correct?
    A    Yes.
    Q    You knew that on March 14th of this year, correct?
    A    Yes.
    Q    And you new that on April 8th of this year?
    A    Yes.
              THE COURT:  Okay.  That's all I have.

    While it may look like the judge is merely helping the plaintiff extract the answers they sought, some of these questions are unsolicited and have more to do with establishing that Wright should have immediately informed the court at previous discovery hearings that it is impossible to access the bitcoin addresses in question if that's indeed the case, not belatedly bring this up months later.

  • When questioned about other trust documents talking about how assets would be returned to Wright 15 months following Kleiman's death (a curiously specific clause to put into a business arrangement), and why this didn't then happen a year or two later, Wright insists that this is yet another trust construct for "the Liberty Reserve Bitcoin". But Liberty Reserve didn't deal in Bitcoin...?

It's at this point that I begin tuning out and the rest of the transcript turns into soothing screen flicker. There's more to dig into but I'm exhausted for the moment. The redirect examination is for now left as an exercise to the reader (see link below), but it's primarily emphasizing that assuming the trust exists as described by Wright, he would indeed be unable to comply with the court order to produce the list of bitcoin addresses. This brings us back to what everyone already knew, that everything effectively hinges on the credibility of Wright and his various documents.

To be continued...

Look, Wright has been throwing around word salad and misdirection for years. Hopefully reading this has just been an amusing further confirmation of your suspicions. If you're not already getting a pretty good idea of the guy from everything he's been up to so far and is still willing to give him the benefit of the doubt and believe him, then congratulations! You're the kind of guy scammers hope to run into.

Wright has for many years been constantly surrounded by forged documents supporting whatever he's claiming at the time, usually backdated and often written in someone else's name. If one document becomes irreparably discredited publicly, he denounces it as a forgery that must have been planted by someone. If that's the case then these mysterious forgers must be Wright's guardian angels since the documents always seem to appear whenever Wright needs them, and saying what Wright needs them to say. It's only later, after they're publicly discredited as forgeries, that they appear damaging to Wright, by being forgeries.

These forgeries are also usually also pretty sloppy. Digital alterations aren't very deep, just the basics and enough to pass a cursory glance. They aren't meant to stand up to expert scrutiny, they're meant to convince laypeople who are satisfied to uncritically take things presented to them at face value, where a document just needs to exist to appear believable.

So is Wright himself the forger and a massive serial fraudster? That's certainly what the plaintiffs are implying and presenting some pretty suggestive evidence for, and this kind of circumstance does appear to have been following Wright around for years. Wright has historically been caught wrong or lying on a large number of occasions, as outlined by various investigators, to the point where he has little to no credibility on any topic as far as most bitcoiners are concerned. Even the judge is openly signaling that Wright's credibility is a crucial question in the case and something he'll have to eventually rule on.

Meanwhile experts have long pointed out that Wright's technical "explanations" are just technobabble, word salad not meant to help a less technical audience understand, but to keep it from understanding or questioning. Are you going to stand up and accuse him of being a liar about something you don't even understand yourself? Safer to just sit down and take in on faith, he sure seems to know what he's talking about, speaking so confidently like that. This is a basic scammer's trick; the "con" in con artist stands for confidence, after all.

Keeping an open mind is nice and all, but that requires active critical thinking and that you do your own research properly so you don't get taken advantage of. If someone has been caught lying 999 times, you're not obligated to keep an open mind for number one thousand.

▶  Full court transcript (HT @MagicalTux)