Background
For starters, check out the three previous entries in this blog series:
- Kleiman v Craig Wright: The bitcoins that never were
- Kleiman v Craig Wright, part 2
- Kleiman v Craig Wright, part 3
The case is already very intricate due to the many developments and information that's surfaced so far (see earlier posts for additional backstory), but the main points are:
- Ira Kleiman is the brother of Dave Kleiman, a computer forensics expert that, following his death in 2013, has achieved fame as someone Craig Wright claims helped him develop Bitcoin. After Dave died, Wright reached out to the Kleiman family and told them of the big role Dave supposedly played, and of large amounts of money/Bitcoin that would have been Dave's. Since none of that money materialized, (Ira) Kleiman is suing Wright over any assets that passed through the company Wright and Dave Kleiman seemingly had together, W&K Information Defense. Throughout the proceedings, a number of documents provided by Craig Wright have been shown to be manipulated forgeries.
- Note how if Craig Wright is not Satoshi Nakamoto and didn't mine any early bitcoins with Dave Kleiman, a lot of the plaintiff's case seemingly evaporates (though not entirely; Ira is for example accusing Craig of fraudulently taking control of Dave's company, which is an accusation independent of whatever assets it did or did not hold).
- Craig Wright on the other hand is denying pretty much everything, being generally uncooperative to the point that this and the previous hearing were actually about whether he should be held in contempt of court for failing to produce court-ordered documents on his holdings. Despite various contradictory claims in his story so far, Wright is still insisting that he is Satoshi, however.
- This leads to the unusual situation that while Wright's claim is widely believed to be utterly baseless and unsupported by any evidence, both sides are going along with it in this trial. Kleiman's lawyers are not trying to prove that Craig Wright isn't Satoshi, only that he is a liar, a fraud and a thief (while presumably trying to avoid the implications of such a finding on the foundation of their damage claims).
- The documents Wright has been ordered to produce are details about the Tulip Trust, the supposed "blind" trust that holds a million BTC on Wright's behalf, as well as a list of all bitcoins belonging to Wright as of 2013. Wright previously claimed not to know anything about the Tulip Trust and denied being a beneficiary of it, then claimed that the trust is divided over multiple legal entities and that the holdings are protected using a complicated multisig-like encryption scheme based on Shamir's Secret Sharing, but that he doesn't know who the trustees are or who holds the key shards, then finally did a 180 degree turn and submitted a document to the court claiming that he is both the beneficiary and holds multiple trustee positions and multiple key shards.
- The case is presided over by two judges; Judge Beth Bloom is presiding over the overall case, while Judge Bruce Reinhart is presiding over the discovery process. Neither judge seems to be particularly impressed with Wright so far; Judge Reinhart threatened to handcuff Wright at one point, while Judge Bloom recently quoted poetry about the dangers of lying when denying one of Wright's motions to dismiss the case, finding Wright not credible.
Suffice to say, even if his claim of being Satoshi Nakamoto isn't being directly scrutinized, the subject of Wright's credibility is at the heart of this trial.
The August 5 hearing
This was a continuation hearing of the contempt of court hearing on June 28, this time hearing witness testimony from one of Wright's witnesses, as well as hearing the expert witness for the Kleimans who determined Wright's submitted documents to be forgeries.
The full court transcript is available at the end of this post, but it is a whopping 250 pages long, so like last time I'll provide a summary of all the major arguments based on notes from my read-through, with additional observations and commentary mixed in. The hearing lasted a full day, split roughly equally between the two witnesses.
Steve Shadders (fact witness for the defense)
Steve Shadders is the CTO of nChain, the company surrounding Wright in his current efforts to push Bitcoin SV, his competing fork of Bitcoin. Shadders was called in to testify about his work to estimate Satoshi's mining addresses for Wright. His analysis has already been a topic of some conversation online, following early reporting from the hearing and the subsequent release of the produced address list.
Direct examination by the defense
Shadders explains that he was asked by Wright to help provide the court with an approximated list of addresses containing mined bitcoins, based on criteria set by Wright, ostensibly based on his personal knowledge of the mining method he used. He was to prioritize avoiding false negatives (i.e. incorrectly excluding Satoshi addresses) even if that meant a higher false positive rate (i.e. incorrectly including non-Satoshi addresses).
The specific criteria he was given by Wright were:
- Only blocks mined between January 3, 2009 and August 21, 2010
- Only unspent block rewards
- Only block rewards with non-reused addresses
- Only block rewards with P2PK scripts
- Only single-output coinbase transactions
- Only block nonces whose least significant byte is 58 or lower
For reference, this is what the Patoshi pattern looks like:
In short, the most dominant early miner didn't actually use the Bitcoin reference client for mining, instead using custom software which produced blocks that are statistically different from "normal" blocks. In particular, the way this miner increments its extraNonces is different, and it seems to not search the entire nonce space. (The reasons for this are unknown, though there are theories). Additionally, practically no block rewards for this miner have been spent, and several of the few transactions where it did spend coins match known Satoshi transactions, leading most people to surmise this miner was Satoshi Nakamoto himself.
The full Patoshi pattern is quite a bit more intricate than this brief summary can do justice, but I won't go into the details here. Instead let's go through Wright's stated criteria:
- The timeframe criterion is probably either a guess or meant to tie into Wright's narrative timeline. The Patoshi pattern (and by extension/conjecture, Satoshi's mining) stopped well before August 2010. Wright's date range translates roughly to blocks 0–75,500.
- The Patoshi research is arguably the main reason so many people believe in the first place that Satoshi never spent any of his coins. Satoshi did spend a few of his coins though, so this criterion incorrectly excludes those. Without this criterion you can't significantly narrow down Satoshi's addresses though, so Wright/Shadders would have had no choice but to use it anyway.
- This definition is a bit unclear, but it sounds like any address that's ever been used more than once on the blockchain (does this include spam dust?), figuring that since address reuse is bad for privacy Satoshi would never have done it. However, Satoshi did reuse addresses, for example in his famous transaction to Hal Finney.
- This criterion is not wrong, but as Shadders himself discovered it's also useless; all early block reward addresses used P2PK scripts.
- The first block to contain a multi-output coinbase transaction was block 79,764, well outside the scope of Shadders' analysis, but he still testifies that this criterion filtered out 68 addresses.
As a result, what he thought were values in the 0..255 range were actually in the -128..127 range, and his check for values of 58 or lower incorrectly matched a lot more values than just the intended 0..58 range. Shadders says that this resulted in an extra 2,700 or so false positives, but his list actually contains closer to 3,900 entries in the offending range.
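The signed-byte mistake described above, reproduced as an added example (not code from Shadders, Wright or the original post). It assumes the standard 80-byte block header layout with the little-endian nonce in the last four bytes; the headers are constructed filler with only the nonce varied.

```python
import struct

NONCE_OFFSET = 76   # nonce = last 4 bytes of the 80-byte header, little-endian
LIMIT = 58          # threshold from the criteria listed above


def header_with_nonce(nonce):
    """Constructed 80-byte header: every field except the nonce is filler."""
    return struct.pack("<I32s32sIII", 1, bytes(32), bytes(32), 0, 0, nonce)


def lsb_unsigned(header):
    # Least significant nonce byte read as 0..255 (what the criterion means).
    return header[NONCE_OFFSET]


def lsb_signed(header):
    # The same byte read as a signed 8-bit value, -128..127.
    return struct.unpack_from("b", header, NONCE_OFFSET)[0]


def passes_intended(header):
    return lsb_unsigned(header) <= LIMIT


def passes_signed_check(header):
    # Every byte from 0x80 to 0xFF is negative here, so it also passes.
    return lsb_signed(header) <= LIMIT


def matching_lsb_values(check):
    """Which of the 256 possible low bytes does a given check accept?"""
    return [v for v in range(256) if check(header_with_nonce(0xABCD00 | v))]


def false_positive_lsbs():
    """Low-byte values accepted only because of the signed interpretation."""
    intended = set(matching_lsb_values(passes_intended))
    return [v for v in matching_lsb_values(passes_signed_check) if v not in intended]


if __name__ == "__main__":
    print("intended filter accepts", len(matching_lsb_values(passes_intended)), "of 256 low bytes")
    print("signed filter accepts  ", len(matching_lsb_values(passes_signed_check)), "of 256 low bytes")
```

The signed comparison accepts every low byte from 128 to 255 in addition to the intended 0 to 58, which is why the filter let through far more blocks than the criterion describes.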
All in all, since the analysis performed by Shadders for Wright is clearly based on Lerner's Patoshi research it naturally produces a very similar address set. It doesn't add anything new or inventive, and the looser criteria and errors made in the analysis result in a higher false positive rate:
Shadders further testifies that the peculiar nonce pattern was due to Wright partitioning the mining work over ~60 different machines. This too is not a new explanation — this is the most popular (though not necessarily correct) theory to explain the nonce pattern, and one that Lerner himself lists in his article. On the contrary, this theory is possibly the origin for why Wright has long been claiming to have been mining with a network of that many machines.
It should be noted that the early Bitcoin network had a very low hashrate of only a few million hashes a second, not enough to reliably produce blocks every 10 minutes even at minimum difficulty. Considering that at the time even an old single-core CPU could have cranked out up towards 1 MH/s on its own, there were clearly only a handful of computers mining bitcoin during the first year or so — definitely not a network of 60+ machines.
According to Shadders, all of these criteria were based on Wright's personal knowledge about his "proprietary mining software" (presumably the one that Wright also claims was an implementation of a deterministic wallet, long before those were actually invented). Yet those criteria are merely what anyone would be able to come up with after five minutes of googling.
While it can be generally assumed that Shadders was testifying about Wright's instructions as told to him, he makes a number of definitive statements about how Wright's mining software and other things worked, rather than qualifying his statements with "according to what I've been told". (As a fact witness you're supposed to be stating what you yourself know or have experienced, not repeating someone else's claims.)
Shadders is a bit more careful when directly asked if his list includes all of Wright's public Bitcoin addresses, to which he qualifies his answer as depending entirely on the specific criteria he was given. Wright's lawyer tries to make it sound like Shadders answered a simple "yes" instead.
(Also, hang on a minute — didn't Wright vehemently insist during the last hearing that there's no such thing as "public addresses"?)
Cross-examination by the plaintiffs
Kleiman's lawyer begins by establishing the timeline of events that led to Shadders' analysis work and testimony, finding that the idea was conceived about 2–3 weeks prior to the previous hearing in June. (This is presumably laying the groundwork to question whether Wright was really doing all he could to comply with the court order, or whether he only pursued this option after all attempts to stall the court had failed.)
Shadders retells the story of how Wright offered to prove to him that he was Satoshi: during a casual conversation at a barbecue, Shadders joked to Wright about why he never showed any proof, and Wright shot back asking if he wanted to see some. Shadders, caught off-guard, declined, preferring not to know since "it would change something that I can't undo once it's done." Shadders insists that his current beliefs are not a matter of faith though, saying that it's Wright's unparalleled knowledge and understanding of Bitcoin that has Shadders convinced that Wright is Satoshi.
Shadders says that because he was traveling and there were some necessary consultations with Wright, the analysis took about two weeks, about 12–16 hours of which consisted of actual coding. Things took longer because he didn't have access to his normal work environment.
Having established that the results are only as good as the criteria used, Shadders is asked whether he attempted any independent validation of the criteria he received from Wright. He answers no, citing Wright's story about everything being locked up in the Tulip Trust, so he had no way to verify anything and was relying entirely on Wright's word.
Shadders follows this up by further commenting that even if Wright had given the court a list of public addresses, that too would rely solely on Wright's mere assertion that they're his — a correct observation, though perhaps not one you'd expect Wright's side to volunteer.
Shadders says he believes the bitcoins spent by Satoshi were separate coins mined on Wright's laptop using the standard Bitcoin software, not using the special Tulip Trust mining method. However, the coins Satoshi is known to have spent all fit cleanly into the Patoshi sequences, i.e. were likely mined along with all the other Satoshi coins. In other words, Satoshi's mined coins were accessible; they weren't mined directly into some locked-down trust like Wright claims.
Kleiman's lawyer asks if this analysis couldn't have been made months ago; Shadders says he couldn't have done it until Wright told him to, and that Wright is an "extraordinarily busy man and thinks about a lot of things", so he probably didn't remember the criteria until recently.
Shadders is asked why block 9 isn't on the list, and says it's because that block reward is spent (sent to Hal Finney). He is then asked about blocks 12 and 64, which aren't on the list either, even though Wright previously swore that he mined all first 70 blocks. Neither of those rewards is spent, so if Shadders' list is supposed to be a superset of Wright's coins, why aren't they in the list? Shadders speculated (incorrectly) that perhaps block 64 was what Satoshi sent to Mike Hearn.
Redirect examination and recross-examination
Shadders says you don't need private keys when mining, and that Wright's mining software wouldn't need to store public keys either since they would be deterministically generated on the fly. Again Shadders is stating a fair amount of specifics about Wright's various algorithms and setups despite repeatedly admitting that he hasn't seen any of this for himself, so he's still just repeating things he's been told by Wright as though they were facts.
Towards the end, Shadders starts talking about Wright's "profound respect for the sovereignty of the legal system and courts", and how it therefore "beggars belief" that he would waste an "enormous amount" of Shadders' time estimating this address list if Wright could simply produce one. (I think there's a simpler explanation, Steve...)
Matthew Edman (expert witness for the plaintiff)
Before Edman's testimony begins, the defense raises a legal challenge against Edman's expert testimony. When the judge entertains the challenge, the defense gets repeatedly rebuffed for asking the wrong kind of questions for the legal standard they invoked (the Daubert standard, specifically the qualifications/methodology of the expert testimony and its applicability to the case at hand).
After getting told off by the judge enough times, the only objection that gets taken under consideration is Edman's use of the word "fraudulent" to describe Wright's documents, as this could be taken as a definite statement that Wright himself committed fraud — this would be speaking to the state of mind of Wright, something which is for the court to evaluate and not the expert witness. After clarifying that Edman's use of "fraudulent" simply refers to a document being inauthentic and manipulated to appear to be something it's not, the expert testimony is cleared to go ahead.
Direct examination by the plaintiffs
Edman has a background of assisting law enforcement like the FBI in various criminal and national security investigations, including the Silk Road case. (Since Wright also claims to be a staunch supporter of law enforcement, and cried in court during the last hearing over how horrible Silk Road was, you'd think Wright would like this guy!)
Edman walks through the various exhibits of documents Wright has provided. A lot of this has been covered in numerous online threads, but the hearing makes it clearer just how overwhelming the evidence of forgery is. The defense is not really denying that the documents could be forged (even though Wright has sworn to the authenticity of some of them), but merely insists there's no evidence Wright himself forged them.
First, Edman describes the forged Tulip Trust email that purports to have been sent from Dave Kleiman to Craig Wright in 2011. The original evidence was a scan of a printout, but Wright also provided the original PDF to the plaintiffs as part of discovery. There was also another version of the PDF provided, one where the visible timestamp says 2014. (Note that the linked PDFs are from the court ledger, and have had the relevant metadata stripped out.)
The metadata extracted from the 2014 email PDF contains plenty of information:
- The XMP metadata was written by a library compiled on August 23, 2012.
- The PDF was created using Acrobat PDF Maker 11 for Microsoft Outlook.
- This software helpfully embeds a lot of the email metadata into the PDF.
- The email was received on October 17, 2014, at 12:04:57 PM in the UTC+10 time zone (eastern Australia).
- The MailFrom field indicates the email was sent by craig@panopticrypt.com (not Dave Kleiman).
- The MailTo field shows the same craig@panopticrypt.com as the recipient of the email (i.e. Wright sent the email to himself).
- The email headers, embedded in the MailTransportHeader field, contain numerous other indications that Craig Wright was the real sender:
  - There's a valid DKIM signature for panopticrypt.com, timestamped October 17, 2014.
  - The first machine in the Received chain to have processed the email as it was being sent was named "PCCSW01" (Craig Steven Wright's PC?) and listed craig@panopricrypt.com as an authenticated sender.
  - The IP of this machine, 14.1.18.30, is registered in geo-ip databases as being associated with eastern Australia.
- The email headers contain contradictory information for when the email was sent:
  - The Date header (controlled by the sender) claims the email was sent on June 24, 2011.
  - The X-Mailer header says the sending email client was Microsoft Outlook 15.0. This is Outlook 2013, released in early 2013.
- The email attachment was a Tulip Trust PDF that appears to visually match the pages seen in the original scanned printout.
Next Edman compares the above to the metadata extracted from the "2011" email PDF, and finds that:
- The two PDFs have the same DocumentID, strongly indicating that one is an edited version of the other.
- The 2011 email has an embedded modification date of October 22, 2014.
- The MailFrom field in this metadata now says dave@davekleiman.com instead of craig@panopticrypt.com.
- The email headers had been truncated, leaving only a small portion.
- The remaining portion of the email headers matches up against the beginning of the headers of the 2014 email PDF, except a timestamp that used to say "Thu, 16 Oct 2014 20:05:55 -0500" now says "Thu, 24 Jun 2011 20:04:55 -0500". However, June 24, 2011 was a Friday.
- There is no way for a computer to make this kind of mistake, so this was hand-edited. Incompetently.
- For the lulz, the plaintiffs submit a plain calendar into evidence.
- The truncated email headers still include a Return-Path of craig@panopticrypt.com.
- The Microsoft SMTP Server that processed the email came out in November 2013.
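The header inconsistencies listed above (a day name that does not match its date, a mail client newer than the claimed send date, a Date header far earlier than the transit timestamps) can be checked mechanically. This is an added example, not Edman's tooling or code from the original post: the hostnames, the second Received hop and the seven-day tolerance are constructed assumptions, while the edited timestamp string and the Outlook 15.0 value are the ones quoted on this page.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Earliest plausible date for a client string. The page says Outlook 15.0 is
# Outlook 2013, "released in early 2013"; 1 January 2013 is used as a floor.
CLIENT_FLOOR = {"Microsoft Outlook 15.0": datetime(2013, 1, 1, tzinfo=timezone.utc)}

MAX_TRANSIT = timedelta(days=7)  # assumed tolerance between Date and a Received hop

# Constructed sample: hostnames are placeholders, the second hop is invented.
SAMPLE = "\n".join([
    "Received: from pc.example.invalid by mx1.example.invalid; Thu, 24 Jun 2011 20:04:55 -0500",
    "Received: from mx1.example.invalid by mx2.example.invalid; Thu, 16 Oct 2014 20:05:56 -0500",
    "Date: Fri, 24 Jun 2011 10:04:55 +1000",
    "X-Mailer: Microsoft Outlook 15.0",
    "Subject: constructed sample",
    "",
    "body",
])


def weekday_mismatch(date_text):
    """Return (written, actual) when the day name disagrees with the date."""
    m = re.match(r"\s*([A-Za-z]{3}),", date_text)
    if not m:
        return None
    when = parsedate_to_datetime(date_text)  # the parser ignores the day name
    written, actual = m.group(1).title(), DAYS[when.weekday()]
    return (written, actual) if written != actual else None


def received_dates(msg):
    """Timestamp text of each Received header (the part after the last ';')."""
    for value in msg.get_all("Received", []):
        if ";" in value:
            yield value.rsplit(";", 1)[1].strip()


def audit(raw):
    msg = message_from_string(raw)
    findings = []
    stamps = [("Date", msg["Date"])] + [("Received", t) for t in received_dates(msg)]
    for name, text in stamps:
        bad = weekday_mismatch(text)
        if bad:
            findings.append(("weekday-mismatch", name, bad))
    sent = parsedate_to_datetime(msg["Date"])
    client = (msg["X-Mailer"] or "").strip()
    floor = CLIENT_FLOOR.get(client)
    if floor and sent < floor:
        findings.append(("client-newer-than-date", "X-Mailer", client))
    hops = [parsedate_to_datetime(t) for t in received_dates(msg)]
    if hops and max(hops) - sent > MAX_TRANSIT:
        findings.append(("date-predates-transit", "Date", (max(hops) - sent).days))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The same release-date comparison applies to any version string embedded in a document, such as the GnuPG version in a signature block, provided the release date comes from a trusted source.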
Edman says he's further looked at the document structure of the PDFs, and found the marker /TouchUp_TextEdit MP in the PDF code, a tell-tale marker of someone having made edits to the PDF such as adding/removing/editing text. This is something of a recurring trait for Wright, as it appears in many documents from him, including the recent manipulated Bitcoin whitepaper. In the case of the "2011" email, the date was manually edited in the PDF:
The defense makes an objection that metadata that's generated by user input (such as Date fields) should be considered hearsay by a third party. The judge overrules the objection, and the objection is honestly pure nonsense; Edman's testimony is not relying on user-generated metadata fields being accurate, in fact he's doing the complete opposite; pointing out that they have clearly been falsified.
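Two of the PDF findings above, the shared DocumentID and the /TouchUp_TextEdit MP marker, can be triaged with a short scanner. This is an added example, not Edman's method or code from the original post; it assumes the DocumentID in question is the XMP `xmpMM:DocumentID` property, and the two inputs are constructed PDF-like byte strings (enough for the scanner, not renderable documents) with a placeholder ID.

```python
import re
import zlib

STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
DOC_ID = re.compile(rb'xmpMM:DocumentID(?:>|\s*=\s*")([^<"]+)')
MARKER = re.compile(rb"/TouchUp_TextEdit\s+MP\b")

SAMPLE_ID = b"uuid:00000000-0000-0000-0000-000000000000"  # constructed placeholder


def stream_payloads(pdf):
    """Yield each stream body, inflated when it is zlib (FlateDecode) data."""
    for m in STREAM.finditer(pdf):
        raw = m.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # not compressed (XMP packets are usually stored as-is)


def inspect(pdf):
    doc_id, marks = None, 0
    for payload in stream_payloads(pdf):
        found = DOC_ID.search(payload)
        if found and doc_id is None:
            doc_id = found.group(1).decode("ascii", "replace")
        marks += len(MARKER.findall(payload))
    return {"document_id": doc_id, "touchup_marks": marks}


def compare(first, second):
    a, b = inspect(first), inspect(second)
    same = a["document_id"] is not None and a["document_id"] == b["document_id"]
    edited = [n for n, r in (("first", a), ("second", b)) if r["touchup_marks"]]
    return {"shared_document_id": same, "edited": edited}


def build_sample(visible_date, edited):
    """Constructed input: one compressed content stream plus one XMP stream."""
    content = b"BT /F1 12 Tf (" + visible_date + b") Tj ET"
    if edited:
        content = b"/TouchUp_TextEdit MP\n" + content
    packed = zlib.compress(content)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:Description '
           b'xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">'
           b"<xmpMM:DocumentID>" + SAMPLE_ID + b"</xmpMM:DocumentID>"
           b"</rdf:Description></x:xmpmeta>")
    return b"".join([
        b"%PDF-1.6\n",
        b"1 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"2 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp),
        xmp, b"\nendstream\nendobj\n",
    ])


if __name__ == "__main__":
    original = build_sample(b"Thu, 16 Oct 2014", edited=False)
    altered = build_sample(b"Thu, 24 Jun 2011", edited=True)
    print(compare(original, altered))
```

A raw byte search of the file would miss the marker here because the content stream is compressed, which is why the streams are inflated first; a missing marker does not show a document is unedited, since other editing tools leave no such trace.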
It turns out Wright also provided the email in question in raw form (a .msg file) ahead of the previous June 28 hearing. Edman analyzed the email headers of this file as well. While these headers were more thoroughly manipulated to look like a genuine 2011 email from Dave Kleiman, several things still reveal manipulations:
- UNIX timestamps don't match the human-readable dates (October 2012 vs. June 2011).
- This email passed through Google servers; the previous email indicated craig@panopticrypt.com was handled by servers running Microsoft software.
- According to Edman, the .msg file contained a reference to the email address craig.wright@hotwirepe.com, however that domain did not exist in June 2011.
- The headers of this email are actually from an email sent through Google servers in October 2012, and are completely different from the headers embedded in the previous PDF files.
Edman has also analyzed another email provided by Wright that contains the same document ID (indicating it was created by editing the other document). This document purports to be an email from Dave to Craig in April 2013 regarding Dave accepting a role as director of Coin-Exch. (This was three weeks before his death.) The metadata in this PDF is obviously based on and is practically identical to the earlier "2011" email, except the PDF has been edited to contain a different email body. Even the MailAttachments field is still present, even though the printed email in the PDF does not have any attachments.
This email body contains a PGP signature, which has an embedded timestamp of October 23, 2014. This is very reminiscent of the other forged email Wright was caught submitting as evidence (and subsequently withdrew). Edman is asked if he's aware that Dave Kleiman died in April 2013, which the defense objects to as irrelevant. The judge overrules, and Edman gets to explain how this signature cannot possibly be authentic. Further, the key used for this signature has been used and mentioned in other Tulip Trust documents.
Edman next talks about the metadata of a Deed of Trust previously sworn by Wright in this trial, ostensibly created in 2012 but containing font files that were created in 2015. The fonts contain a 2015 copyright notice and also contain timestamped digital signatures from May 22, 2015.
The defense objects to relevance as plaintiffs question Edman about yet another email, but the judge allows it as it pertains to Wright's intent and credibility. This email, purportedly from September 2012, also contains digital signatures, these ones timestamped February 28, 2014 and March 5, 2014 (UTC), and using a version of GnuPG (2.0.20) that was released in May 2013.
Yet another email quoting a purported email from Kleiman to Wright in 2012 containing a list of Bitcoin addresses supposedly held by the Tulip Trust. The signature in this message was timestamped March 2, 2014. "Dave" describes how at least some of these bitcoins are held as paper wallets while others are on a TrueCrypt drive (directly contradicting Wright's later story about a deterministic wallet where the addresses/keys aren't stored but generated from random seeds).
The PGP key used to sign these last couple of emails was 0415E6CBE23FCC2D "Dave Kleiman (Bitcoin so we neer have to wotty about infaltion and easing) <dave@davekleiman.com>" [sic]. (Craig Wright is known to be a poor speller, and many of the forgeries also contain poor spelling.)
The hearing never goes into this, but let's have a quick look at the bitcoin addresses this email claims are part of the trust. With the exception of a single address, all the addresses in the list also appeared in the list I debunked in my first post on this topic. Ever since one of those addresses signed a public message denouncing Wright and his ownership claim, Wright has been claiming (through his followers) that my post is based on forged documents designed to frame him, and new variations of documents suddenly appeared with a different address listed instead of the debunked one.
Wright and I seem to agree that there's someone who for years has been forging lots of documents to try to make it appear that Craig Wright owns a lot of bitcoins he actually doesn't own.
Cui bono?
Next, Edman is asked to testify about Wright's submitted screenshots of various Bitmessages supposedly sent by Dave Kleiman to Wright. These messages have been extensively debunked by multiple people on Twitter, including by the current maintainer of the Bitmessage software, especially after noticing that Kleiman's lawyers had deposed Jonathan Warren, the creator of Bitmessage, for this trial. (Warren's deposition transcript is repeatedly referred to in Edman's testimony.)
Edman points out the obvious discrepancies of these screenshots, first and foremost that several messages appear to have been sent before the Bitmessage software was even publicly released (November 19, 2012). Wright's side has repeatedly tried to suggest that a pre-release version of Bitmessage could possibly have made its way to Wright and Kleiman prior to its official release, but Edman firmly rejects this possibility. (And so have the people who debunked this online.)
Presented with a file analysis printout of a "bitmessagev0.1.0.exe" (the original Bitmessage release installer) produced by the defense, Edman notes that there's a May 25, 2012 timestamp embedded in the file. Rather than prove that Bitmessage was created earlier than thought as the defense had hoped, Edman has determined that this timestamp is actually part of PyInstaller, the installer framework used by Bitmessage, and merely indicates the compilation timestamp of that tool, not Bitmessage itself. (This was later also noticed by online sleuths.)
Next, Kleiman's lawyer tries to get Edman to testify that Shadders' testimony earlier in the morning is inconsistent with a large number of emails provided by Wright — Shadders testified that all of Wright's mined bitcoins were in 50 BTC chunks (plain block rewards), whereas the many Wright emails refer to addresses containing larger amounts of bitcoins. However, the judge agrees with the defense's objection that this is outside the scope of what Edman has been admitted as an expert witness to testify on, so this line of questioning is dropped.
Instead, Edman is asked about a supposed invoice from a company called "HIGHSECURED.com" made out to Panopticryp for a large number of bitcoins. He has found that this document too has been extensively edited with a PDF editor, altering most of the details of the invoice, including the amount.
Edman sums up his overall findings: a number of the documents he reviewed, including ones Wright has sworn to be authentic, have been manipulated and are therefore not authentic.
Cross-examination by the defense
The defense focuses on establishing that PDF metadata can easily be altered, and you can't tell from the metadata who altered it. While more or less true, many people have been convicted of fraud on much less evidence than is currently stacked against Wright here. And since this is a civil case, to get Wright off the hook on these forgery accusations it's not enough to show that it's theoretically possible for someone else to have done it, nor is it enough to show that there's a reasonable possibility that someone else did it; it has to be more likely than not that someone else did it. It isn't.
The defense criticizes Edman for basing his testimony purely on forensic data and not speaking with the purported sender or recipient. Reminder: Dave Kleiman has been dead since April 2013.
We get told that Edman doesn't have personal first-hand knowledge of the creation of any of these documents; Wright hasn't admitted to forging the documents, nor is there video footage of him forging them, therefore Edman can't know what really happened. This is a standard line of questioning to try to establish as much doubt as possible, but Edman is there as an expert witness to interpret the available evidence, not as a fact witness to share his personal knowledge of the events.
The defense argues that just because Edman showed that the email PDFs were inauthentic, the identical-looking scanned printout that Wright authenticated to the court hasn't been proven to be inauthentic. (True, though to think otherwise you would have to presume that there was a real email from Dave, then a forged version with the wrong timestamps in it, and then a second forged version made to look visually identical to the real email.)
Edman defends his conclusion that the printout is inauthentic (i.e. not what it purports to be, a printout of a real email). Even though the original metadata was lost when the document was printed, the printout Wright authenticated still contains a forged digital signature.
The defense also asks why Edman didn't evaluate all other documents (of the hundreds of thousands of documents produced in discovery) to see if they too supported his conclusion that the email Wright authenticated is inauthentic. (How many times does it need to be debunked?) Edman says he skipped hash duplicates, and then has to explain to the defense that hash duplicates are identical documents, so the findings would be identical. The defense tries to get Edman to say he didn't analyze those documents then.
There is a brief argument being made that Edman can't know for sure which forged email was actually printed out as the scan Wright authenticated. (?)
We get a rehash of previously made arguments that the digital signatures could have been made by Dave Kleiman signing his emails on a separate computer with a clock that was years out of alignment, before sending the emails using a computer with a correct clock. This is possible but not particularly plausible, plus Edman reminds us that at least one signature was made with a GnuPG version that hadn't been released yet at the time the email was allegedly sent. The defense suggests that maybe an early alpha version could have been used. (Déjà vu.)
The modern font files are suggested as possibly being caused by later OCR software scanning and attaching new fonts (without touching any other metadata like the modification date). They attempt to explain the altered invoice by suggesting that maybe this company uses PDF editing instead of a word processor.
Next we get the argument about how there might have been a secret pre-release version of Bitmessage, used by Wright and Kleiman (but apparently unknown to the rest of the internet), seemingly tying into the defense's arguments during Jonathan Warren's deposition that someone could have hacked his machine and released Bitmessage early on the dark web. The defense quite blatantly mischaracterizes testimony, trying to turn an "it's possible" into "it happened". Note however that there is decisive evidence that the claimed Bitmessages could only have happened at some point after mid-2013, long after the claimed dates.
(Edman characterizes all of these theories by the defense as technically possible but implausible.)
The defense finishes by establishing that these modifications appear to have all happened circa 2014–2015 whereas the Kleiman lawsuit was filed in 2018, indicating that at the very least Wright did not forge these documents in response to this lawsuit.