July 1, 2021

Private Presentations Aren't Proof

Sometimes we're not comfortable drawing conclusions until all the dots have been sufficiently connected. Let's see if we can do that for one of the more annoying open "mysteries" surrounding Craig Wright: how did he pull off the private key signings?




This article is sort of a spiritual companion piece to MyLegacyKit's comprehensive write-up of the timeline of the Wright key signings. While independently written, they pair well together as a shot and chaser. If after reading through this post you have a thirst for more details, go check it out!


Background

In the spring of 2016, Craig Wright made a big news splash when, following a months-long trail of conspicuously placed breadcrumbs painting him as Bitcoin inventor Satoshi Nakamoto, announcements were made that Wright had privately signed something with the private keys from the earliest Bitcoin block rewards, witnessed by people like Gavin Andresen, Jon Matonis and various journalists.

It is fair to say Wright has been viewed very suspiciously by the Bitcoin community since he first became known in 2015, and even now any claimed evidence keeps being subsequently debunked as crude forgeries. These key signings, however, had no publicly available evidence to debunk, instead being vouched for by witnesses, and this afforded Wright a mix of plausibility and benefit of the doubt from a lot of people. Surely all those witnesses wouldn't willingly be complicit in a scam?

Even so, the possibility of Wright actually being Satoshi was at this point already widely considered so unlikely that Andresen suddenly endorsing Wright was seen as a sign he had been compromised — either his account or he himself — and his access to the Bitcoin Core repository was revoked as a precaution.

It did not help Wright's (or Andresen's) credibility that the advertised subsequent "extraordinary proof" for the public was a complete dud: a rambling blog post containing an existing Satoshi signature simply lifted from the blockchain. If Wright was really Satoshi and really had the keys and already had signed for people, why more deception and forgeries?

This fake public signature and the continued failure of any later evidence to withstand scrutiny not only cemented Wright in infamy; Andresen's reputation in the Bitcoin community never recovered either, in no small part due to his seeming refusal to unambiguously retract his endorsement. Even now as Wright unapologetically engages in ever-escalating attacks against the Bitcoin community, Andresen seems fairly unconcerned about what he unwittingly helped enable, even as his endorsement is still being used by Wright in his brazen attempts to harass people with bogus lawsuits.

Faced with the glaring inconsistencies of his claims, Wright evangelists have argued that Wright is actually engaging in 5D chess; that he's a genius pretending to be an incompetent fraud pretending to be a genius. Such is the nature of unfalsifiable claims; you can always spin more yarn to explain away any contradictions.

Wright additionally fancies himself a legal expert, but even the highest evidentiary standards in our criminal courts don't require absolute certainty beyond any possible doubt; only proof beyond reasonable doubt.

And so it is that practically everyone who has given Wright's tales even a cursory inspection has already concluded without hesitation that there is no way he is Satoshi Nakamoto. Even ignoring the many ways Wright does not fit the profile, the expected number of lies and forgeries surrounding the real Satoshi should be approximately zero.

The rest of this article is for those of you who despite all this have a tiny, unscratched itch due to not knowing how Wright pulled the private key signings, and perhaps feel they're the only unexplained mystery of the Wright saga (even if the only reason they haven't been debunked is because none of the evidence is available for scrutiny).

To begin with, let's discuss what people expect from such key signings. After all, if the real Satoshi ever decided to reveal themselves (assuming they're still alive) they'd certainly have compelling evidence to convince us, and wouldn't be wasting our time with coffee-stained printouts or notes from their uncle.

How to convince people you're Satoshi Nakamoto (if you're actually Satoshi Nakamoto)

Say you're the pseudonymous inventor of one of the most revolutionary innovations in computer science, you're still in the land of the living, and despite your decision for your online persona to disappear you eventually decide to reveal yourself after all. How do you prove to the world that you are really Satoshi Nakamoto?

While mathematical proofs may be perfect, in the real world proof, like beauty, is ultimately in the eye of the beholder, so the question really becomes: What kind of evidence will people find convincing and accept as proof? After all, it doesn't really matter how convincing you find your own evidence if no one else does.

The most knowledgeable subject matter experts, and thus those best suited to evaluate would-be-Satoshis, include people with a sufficient understanding of Bitcoin and knowledge of Satoshi's actions, especially people who worked with and communicated with Satoshi at the time.

Gavin Andresen certainly seemed to fit that bill; he took over the management of the Bitcoin source code repository from Satoshi, he had worked with and communicated with Satoshi, and he had a sufficient understanding of all core concepts of Bitcoin and cryptography. This is a big reason for why Andresen's endorsement of Wright was seen as significant at the time.

In advance of Andresen's participation at Wright's key signing, Andresen had actually drawn up a list of things he would expect any real Satoshi candidate to be able to do:

  1. Sign a message with Satoshi's PGP key.
  2. Sign a message with the keys from the earliest Bitcoin blocks.
  3. Provide copies of private correspondence between him and Satoshi.
  4. Have a technical conversation about Bitcoin.

Today we can make a better list of requirements by drawing on additional and lesser known knowledge of Satoshi, but Andresen's list was a decent starting point.

Unfortunately, Andresen didn't stick to his list. Of the four requirements, Wright failed two outright, as he didn't sign anything with the PGP key and could not provide any private correspondence (and as we'll see the early block signing was also incredibly suspect). Being talked into such a significant departure from your own requirements is an alarm bell.

Contrary to his initial requirements, Andresen appears to have approached the actual demonstration very uncritically; something perhaps partially explained by his belief that Wright was going to present the "real" proof publicly later, with the private demonstration being more like a sneak preview. Andresen's subsequent and continued silence has only made this more problematic, however, now that his words are being used in lieu of said promised actual evidence.

Let's go over some specific problems with what Andresen and the others claim to have witnessed.

Identifying the problems with Wright's key signings

For the time being, let's ignore whether Wright is or isn't Satoshi, and simply approach the question using only simple skepticism and adversarial thinking, specifically: how might someone fake this? This is equally important from the point of view of any real Satoshi claimant, since on the flip side, delivering convincing proof means demonstrating something that couldn't be faked.

Cryptographic signatures are something of a gold standard today thanks to their ability to bestow certain actions and claims with a degree of verifiable certainty using the power of math, but importantly, this only works when we are sufficiently rigorous!

Fortunately, the field of cryptography has spent a lot of time figuring out how to do things rigorously. Rather than give you a crash course here though, it's easier to simply point out how Wright's key signings were not rigorous, and how this opens up ways for them to have been faked. 

To get into the proper mindset to spot these, think of it like watching a stage magician and trying to figure out the trick. Assuming you don't believe the magician is doing actual magic, it's all about observing who is in control of what, and when they had an opportunity to trick you.

Given the multiple accounts of the key signings (such as the deposition of Gavin Andresen and the write-up by Andrew O'Hagan) there are multiple areas that warrant suspicion here:

  1. Wright was allowed to control the hardware
  2. Wright was allowed to control the software
  3. The network was improperly trusted
  4. Wright was allowed to alter the signed message

Additionally, Wright threw several tantrums during the proceedings which distracted and threw participants off balance.

Let's go over each of these to see how they relate to each other and why they're noteworthy:

1. Wright was allowed to control the hardware

Firstly, in his demonstrations to Matonis and journalists, after signing the messages Wright used his own computer to perform the signature verifications, with the witnesses simply observing Wright's actions or following his instructions. This is a big no-no.

In order to trust a cryptographic signature — especially one as important as this, that someone could have a large incentive to fake — you need to independently verify it on a machine you can be confident hasn't been tampered with (for example, your own computer). Otherwise, you can't be sure that the computer is actually verifying the signature, and not just telling you it did.

For example, if I get to control the verification, I can "verify" any signature with custom software that simply prints "Signature verified" to the screen, and I can similarly fake any other process (including the installation of other software) since I control the machine and what software it runs.

The demonstration for Andresen was also initially done on Wright's laptop, but Andresen then asked for a copy of the signature to verify on his own computer (a completely normal and reasonable request). Wright immediately balked at this and began making excuses, blabbering nonsense about how this could somehow compromise the keys (it can't). This is another red flag.

(It was later instead claimed that they were worried that the announcement could leak early, which is a strange excuse given that they were relying on these people as witnesses, and were perfectly fine with Andresen posting his endorsement of Wright on his blog ahead of any public proof.)

Ultimately, Andresen was never allowed to hold or inspect the signature. Instead, a compromise was reached that Wright would re-verify the signature for Andresen on a new laptop freshly purchased by one of Wright's assistants. Even if we were to trust this was indeed a new machine as claimed however (and one shouldn't), Wright was still allowed to operate it and was in control of setting it up, giving him opportunities to tamper with it.

2. Wright was allowed to control the software

Wright consistently used software of his choosing to perform the demonstrations, namely the Electrum wallet. While Electrum is a fairly standard wallet, if the signature is genuine it does not matter which wallet is used to verify it. Therefore, the witness should be able to choose the software used, if only to disallow the performer that choice.

To explain why, consider a trick relying on surreptitiously altering or replacing the wallet software used. If the performer gets to choose the wallet, he simply needs to prepare a single hacked version. If the witness gets to choose, however, the performer would need to have prepared any number of hacked versions, to anticipate each possible choice. The objective is thus to make any demonstration as hard and risky as possible to fake. Remember, if the witness asks for a wallet the performer isn't prepared for, it's game over!

Unfortunately, all the witnesses were content to let Wright dictate the software used, even though it ought to have struck them as peculiar that Wright didn't use Bitcoin Core, considering that this was a demonstration concerning the invention of that very software.

If you look at it from the perspective of faking a key signing though, then Electrum makes a lot more sense, as it's written in easily editable Python code, can be run directly from modified sources, and was less familiar to Andresen.

3. The network was improperly trusted

As the new laptop was being configured, Wright set up an instance of the Electrum wallet (either by downloading sources and/or an installer; the accounts are unclear). However, not only was Wright operating the laptop during this procedure, the files were downloaded over an untrusted network without verifying their authenticity in any way.

If a hostile adversary controls the network, they can intercept your traffic via a man-in-the-middle attack, so when you think you're visiting a trusted website you're actually being served something else controlled by the attacker.

There are ways to detect and guard against man-in-the-middle attacks; web site certificates are designed to protect against this, using trusted third parties as certificate authorities to let you verify that you are talking to who you think you are. Additionally, for file downloads, digital signatures offer a way to verify that the downloaded file is from the original publisher and hasn't been tampered with.

Fortunately for Wright though, none of the witnesses came prepared to detect any hostile network interception or verify the authenticity of what was being downloaded. Given the high profile of this demonstration, members of the public later tried to verify if the original Electrum files and signatures had been accessed on that day, but this was somewhat giving the whole thing too much credit as Andresen later made it clear that he made no attempts to verify the downloads.

In comments after the signing, Andresen revealed he never considered these things as risk vectors, casually dismissing the idea as "incredibly unlikely" — even though he was ostensibly there to verify one of the most important digital signatures ever. This is also the origin of his now infamous "it's certainly possible I was bamboozled" comment, which in context was clearly sarcastic.

Andresen appeared to reason that it's unlikely that anyone would go to any serious effort to falsely pretend to be Satoshi, but not only has he refused to reverse his position after the numerous red flags in Wright's subsequent actions and behavior, that's not even a defensible position in the first place:

If you think it's possible that someone might lie about being Satoshi — something Andresen clearly did think, since he asked for evidence — then you obviously need to also expect additional dishonesty, deceit and trickery in furtherance of that lie. After all, if someone is lying in the first place then they're likely to keep lying.

In a situation like this it's your responsibility to be cautious or even paranoid. If something is not under your control, you assume it is under hostile control and act accordingly. This absolutely includes any internet connection — not only would a man-in-the-middle attack be entirely realistic in this case, but it would be one of the most obvious ways to trick you. In a real high profile key signing, you wouldn't even bother downloading anything over the internet; you would verify the signature on your own machine offline.

I additionally find Andresen's mention of "the insecure connection" in the quote above curious, as it's speaking in a strangely definite sense. Was Andresen implying that Wright downloaded something over plain unencrypted HTTP? Ultimately it doesn't matter, since Andresen says he wasn't checking any certificates or signatures anyway, but something like that would have been a big red flag to most people.

4. Altering the signed message

Even if a trickster controls the verification, if it's just naively wired up to always say the verification succeeded it's probably not going to be very convincing — what if the witness asks you to manipulate the message and expects to see that the verification correctly fails, for example?

(Relatedly, stage trick performers are keenly aware that a trick the audience doesn't believe can fail is not very impressive, and so will often intentionally fail a few times just to make the eventual success appear more significant.)

It is in light of this that a peculiar recurring aspect of Wright's key signings stands out: Wright seemed to always alter the message being signed. Andresen chose the message "Gavin's favorite number is eleven", to which Wright added "CSW" at the end without being asked. Similarly, in the signing for BBC journalist Rory Cellan-Jones, it sounds like Wright added something to the chosen message.

To recap, the point of letting the witness choose the message to be signed is that a message known in advance or decided by someone else could also have been signed by someone else in advance, at which point the signature no longer proves the person you're talking to has that private key. To eliminate or mitigate this risk, the witness is supposed to choose a custom message that no one else had any advance knowledge of.

(Note that since no one else but the witness themselves can be sure they didn't collaborate with the performer to choose an agreed-upon message, this kind of key signing technically is only proof for the witness; everyone else will have to at least somewhat take the witness's word for it.)

From a cryptographic perspective, altering the message usually only detracts from the evidentiary value of the signature, though in this case not significantly so, as the messages were still largely controlled by the witnesses. The alteration is still conspicuous though, because it's a recurring unexpected element that has no legitimate reason to be there. This is like noticing the magician's hand reaching for his pocket.

It has already been shown that altering the Electrum wallet software to make certain signatures appear as valid is not particularly difficult, for example by swapping out the key actually used for the validation. Such changes literally only require changing a few lines in the software, and can easily be made fairly convincing.

However, the conspicuous message alteration (in conjunction with the fact that at least one demonstration was described as repeatedly signing with multiple different keys in succession) speaks to a less sophisticated trick: making the software treat any message with "CSW" added to it as having a valid signature. (This too would only require a few lines to be changed.)

Andresen noted that during his demonstration the signature verification initially failed, until Wright added the same "CSW" at the end of the message being verified. Rather than assume this was just a dumb mistake, perhaps Wright initially intentionally left it out to make the demonstration more convincing when it eventually "succeeded"? As a bonus, this would have given him more excuses to engage in distractions or fiddle around with the software in order to "figure out what's wrong".

The big drawback of such a simple scheme is that Andresen could easily have asked for other modifications to be made to the message, such as changing "eleven" to "twelve" while preserving whatever Wright added. If this is indeed the trick Wright used, such challenges would have revealed the deception.

Unfortunately neither Andresen nor any other witness saw or requested any other changes to the message to verify that it would correctly fail in other cases.

The lax conditions of the demonstrations certainly afforded Wright a large amount of maneuvering room; so what would have been a practical way to exploit that to trick people?

How to convince people you're Satoshi Nakamoto (when you're not Satoshi Nakamoto)

So far we've mostly just identified aspects of the key signings that weren't rigorous enough to eliminate the possibility of fraud, including conspicuous gaps or peculiarities. But other than drawing inferences from the fact that Wright's Satoshi claim is practically universally considered a massive fraud, is there any evidence to suggest Wright actually did fake the signings in some particular way?

Let's approach the question from the other end: what would it require for someone who doesn't have Satoshi's private keys to fake the key signing in a way that fits the witness accounts of these demonstrations? And can we see any additional corroborating evidence of that happening or being prepared?

Let's start making some observations:

Firstly, a properly, independently verified cryptographic signature of a freely chosen message would be impossible to forge (barring some hitherto unknown flaw in the cryptographic algorithm). This is the gold standard.

In these demonstrations, the message appears to have been at least mostly freely chosen. Therefore, if we're looking for a way you could fake the signature, you would absolutely need to be in control of the verification process.

Secondly, if the signature is fake, the witness obviously cannot be allowed to inspect or have a copy of it, as the deception will then immediately become apparent (as happened with the faked public signature).

In contrast, "verifying" a fake signature on the signing machine would have been trivial, as any number of deceptive methods could easily have been prepared ahead of time. However, Andresen insisted on independently verifying it, later compromising on letting Wright do it on a (supposedly) new machine which he at least should not have been able to tamper with in advance.

In order for the trick to work on a new machine, you would need to be able to surreptitiously plant the same kind of fake verification as was running on your own machine. If we as an example assume the "CSW" trick theorized earlier, what would be the easiest way to implement this?

Running a patched version of Electrum

Creating and running an altered version of Electrum is actually surprisingly easy, since as mentioned before it's implemented in easy-to-modify Python code, and can be run directly from sources; even on a clean machine all you need is Python plus a dependency or two. This means that even if you don't bother re-building and creating a new installer, you can directly run the altered source code and it will look practically the same as running the "real" version.

Notably, even though using the official installer is not only significantly easier but also arguably more convincing from a proof standpoint, on the new machine for Andresen's demonstration Wright apparently opted to download and run the wallet from sources instead. While an installer may at some point also have been downloaded, Andresen's witness account doesn't confirm which version was actually used.

Creating and accepting a fake signature

As shown earlier, the patch to simply swap out the key being used for a signature is incredibly simple. The alternative approach to simply accept any message containing "CSW" is equally trivial.


It's also not hard to make a small patch that uses other tricks to produce a real-looking signature for any chosen address and that behaves like a real signature should, such as being deterministic, failing verification on any message alteration, etc. — but let's not give anyone any ideas.

The Electrum signing UI does not have a selection box for the signing address, just a simple text box, so injecting code to generate a fake signature is very straightforward, and the address does not need to actually be part of your wallet.

Note that the signing part of the patched wallet would only need to run on the signing machine, not the verifying machine, so even if a more involved process was employed, this part would not even need to be planted on the new laptop.

Displaying Satoshi's addresses on the signing machine

As in this case the witnesses were observing the signing of the message on the signing machine, the wallet on that machine really ought to display Satoshi's addresses and transactions in its UI, since it's supposed to contain those private keys.

We don't know for sure if Wright's signing wallet actually did this; during a demonstration with a journalist, Wright pulled up address details which were simply the corresponding blockchain.info page. (The journalist observed the "public notes" left for Satoshi's addresses, which were a blockchain.info specific feature.) But since blockchain.info was the default block explorer for Electrum at the time, it seems at least plausible that Wright was navigating to these pages from addresses displayed in the Electrum wallet.

Fortunately, there are a couple of fairly easy ways to make Electrum list Satoshi's addresses and transactions as if they were your own:

  • Generate a new watch-only wallet, copy-pasting in the early block reward addresses. This is a built-in feature of Electrum, though it generates a very noticeable warning that the wallet is watch-only. That warning can however be easily removed with another trivial one-line patch.
  • Alternatively, start with a legacy/imported wallet with some dummy private keys in it, then edit the wallet JSON file in a text editor and replace the address and public key of each entry with those of the early block rewards. (Conveniently, we know the full public keys since the early block rewards used P2PK rather than P2PKH.) Electrum won't touch the private key until needed for something, so it will list the edited addresses as though you have valid private keys for them.

After you've done either of these and let your wallet sync with the blockchain, you'll be presented with a wallet that lists all addresses and transactions and looks exactly like Satoshi's real wallet would on the screen — at least until you try to spend the coins.

Planting the patched software

So it turns out that patching Electrum to do what you need is actually quite trivial; even someone with very little programming skill could do it! Now you need a way to plant that version on the signing machine — even if you try to get away with doing the whole thing on your own computer, you need to be able to replicate it in a "clean" environment too if forced to.

There are a few options here. If you're very confident in your sleight of hand, maybe you could download the real Electrum sources and then apply the simple modifications live under the witness' nose, say by smuggling the files in on the USB stick with the signature and surreptitiously copying them over on top of the Electrum sources.

This sounds incredibly risky though, so you'll probably want a safer option. What if you clone the Electrum website and host it somewhere else, altering the content to swap out the appropriate download with your own prepared file? Assuming you can surreptitiously navigate to your fake website without the witness noticing the difference, this would make for a pretty natural flow where you appear to normally download the official wallet, but it's actually your patched version.

So how to perform the key step of going to your fake website while appearing to go to the original one? Well, the most common and straightforward way is one you've probably already been targeted by, as it's incredibly popular with phishing scams: just register a domain name that looks visually similar to the real domain name, say, "ellectrum.org" (note the double L). If the user is just following a link, or if you're the one actually typing in the address, something like this can easily go unnoticed.
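A defender-side check for the lookalike-domain pattern described above, as an added example that is not from the original article: it classifies hostnames (from proxy or DNS logs, say) against a short list of domains you expect to visit. The two-label registrable-domain shortcut, the distance threshold of 2 and the sample hostnames are assumptions made for this example.

```python
# Domains the user actually intends to visit (both are named in the article).
TRUSTED = {"electrum.org", "siliconangle.com"}


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def skeleton(name):
    """Fold common visual tricks: digit swaps, 'rn' for 'm', 'vv' for 'w', doubled letters."""
    s = name.translate(str.maketrans("01", "ol")).replace("rn", "m").replace("vv", "w")
    out = []
    for ch in s:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def classify(host):
    """Return (verdict, matched_trusted_domain_or_None) for one hostname."""
    h = host.strip().lower().split(":")[0].rstrip(".")
    labels = h.split(".")
    base = ".".join(labels[-2:])  # assumption: registrable domain is the last two labels
    if base in TRUSTED:
        return ("trusted", base)
    for good in sorted(TRUSTED):
        if h.startswith(good + ".") or "." + good + "." in h:
            return ("lookalike", good)  # trusted name used as a subdomain of another domain
        if labels[-2:-1] == [good.split(".")[0]]:
            return ("lookalike", good)  # same name under a different top-level domain
        if osa_distance(base, good) <= 2 or skeleton(base) == skeleton(good):
            return ("lookalike", good)  # near-miss spelling or visual fold
    if not h.isascii() or any(label.startswith("xn--") for label in labels):
        return ("review", None)  # internationalised name: inspect by hand
    return ("unrelated", None)


# Constructed sample hostnames, as they might appear in a proxy or DNS log.
# "ellectrum.org" and "silliconangle.com" are the two spellings the article mentions.
SAMPLE = [
    "electrum.org", "Download.Electrum.org:443", "ellectrum.org", "silliconangle.com",
    "e1ectrum.org", "electrum.org.mirror.example", "electrum.example",
    "xn--constructed-label.example", "example.net",
]


def scan(hosts):
    """Classify every hostname and return the ones that are not plainly fine."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v for h, v in verdicts.items() if v[0] in ("lookalike", "review")}


if __name__ == "__main__":
    for host, (verdict, match) in scan(SAMPLE).items():
        print(f"{host:32} {verdict:10} {match or ''}")
```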

While all this is written from a hypothetical standpoint, at this point we have to take a small detour to point out that during the period leading up to the key signings, Wright was practicing doing exactly this.

  • In February 2016, two months prior to Andresen's demonstration, the domain "silliconangle.com" (note the double L) was created, hosting a cloned and altered version of the SiliconANGLE news site.
  • Initially, the alterations simply injected a few random Bitcoin related stories.
  • However, in early May, after the key signings and as the walls were closing in on Wright after the failed public proof debacle, a fake story on Wright suddenly appeared.
  • This fake news story was largely a patchwork of text copied from existing articles but with an added claim that Wright was about to be arrested for his role as Satoshi.
  • The story was also somehow picked up by the Bitcoinist, who later had to admit to being tricked. (By whom?)
  • More notably, Wright sent an email to the people involved in organizing the key signings, linking to this article as the reason he could now no longer go through with the promised public proof.

Again the unknown hackers producing exactly what Wright needs whenever he needs it!

The obvious inference is that Wright tried his hand at spoofing a news site, and then reused this project when he urgently needed an excuse to get out of the hole he dug for himself (with a fake news article telling his associates that rather than being a fraud, he had Totally Justifiable Reasons for not being able to do what he promised).

If we allow ourselves to play connect-the-dots for a moment: Why was Wright learning to spoof websites in the months leading up to the key signings? The site seemingly wasn't used for anything important until the desperate excuse later, and was never used again. Was it just his training ground for some more important spoofing he needed to pull off around that time?

Again, for more detailed information on this, check out MyLegacyKit's write-up.

Planting the patched software (improved)

So you've got your trick wallet and you made a fake download site to help plant it, but maybe you're not so confident in the redirection part. After all, if the witness spots your lookalike domain name it's instant game over! If only there existed some sort of easy way to intercept and redirect the network traffic itself, preferably available as a convenient consumer appliance...

If you hadn't connected the dots on this yet, then grab a pen and say hello to the Pineapple, a WiFi device with built-in features to make it easy to do any kind of security testing on WiFi connections. With one of these, a man-in-the-middle attack to intercept and replace traffic to one or more domains is so easy and straightforward that it was the plot of a Silicon Valley episode.

A Pineapple can be set up as its own access point you connect to normally, or it can masquerade as an existing access point, tricking nearby devices into connecting to it preferentially. As it is an inexpensive consumer device with a user friendly interface, even unskilled hackers with little technical knowledge can perform eavesdropping or phishing/spoofing attacks.

Put simply, get one of these and plop it into the room, and you can make it look like you're connecting to, say, the hotel WiFi; you're typing in the real electrum.org address, but you're in reality being redirected to your spoofed content. All this from just using built-in functionality or following simple online guides.

Why is this noteworthy? Well, in addition to a Pineapple being an eminently plausible and practical way of making this sort of trick more believable, coupled with the failure of Andresen to be observant about this attack angle even though witnesses observed ongoing connectivity issues, a more pertinent observation is that Wright had a Pineapple at home.

When Wright recently sued a large number of Bitcoin developers in a bogus lawsuit over his supposed ownership of certain Bitcoin addresses, it was premised on the somewhat far-fetched claim that "hackers" (again...) broke into Wright's home and planted a Pineapple, hacked his home network through it, and stole and deleted his private keys, which held billions of dollars worth of Bitcoin.

To be clear: Wright's claim is fictitious. Even ignoring the far-fetched nature of the claim, the addresses Wright claims were stolen from him are demonstrably not his — one of them holds bitcoins stolen from MtGox! This is merely the latest chapter in a long-running habit where Wright has claimed to own any number of high-balance Bitcoin addresses.

When we work our way backwards from that falsehood, we're left with an elephant in the room: If there was no theft then there were no thieves. If there were no thieves then no one broke into Wright's house. If no one broke into Wright's house, then no one planted a Pineapple. If no one planted a Pineapple, then it either didn't exist or it belonged to the house occupant.

Either way, Wright appears to have lied to police (and to the court) about this supposed theft, and now additionally has let slip the likelihood that he conveniently owned a network interception device, much like how his fake news article revealed that he was dabbling in website spoofing. For whatever reason, Wright seemingly can't help repurposing his previous tricks for additional uses, even when doing so amounts to drawing attention to the gimmick.

The implication should be obvious, but let's all connect the last dot together: Why did Wright own a network interception device? They certainly have plenty of legitimate uses for network and security professionals, but in Wright's case specifically there was this one time when having one of these would have been really, really useful...

TL;DR

Wright's private key signings were so unrigorous and his witnesses so unprepared to scrutinize anything that Wright could have snuck an elephant under their noses. It would have been trivial for a competent individual to fake a signing under these lax standards, and perfectly doable for someone like Wright, too. Furthermore, if you pay attention, Wright's own actions are loudly pointing to particular ways of faking it.

If this were a murder mystery novel, it would turn out that the guy on the first page with the victim's blood on his gloves did it. There was never any inexplicable mystery, just Occam's Razor, and in hindsight wondering why none of the other characters figured it out sooner.

He's never going to admit that he did it. But we know anyway.