Satoshi’s 2014 Email Hack

Abstract: We take a look back to 8th September 2014, the day Satoshi’s GMX email account was hacked. We talk about how the hack may have been conducted and what the hacker or hackers may have seen. We also disclose some emails between the hacker and Gregory Maxwell, for the first time. On the 8th or the 9th September 2014, we were able to log into Satoshi’s GMX account ourselves, but all we saw was spam. With the benefit of hindsight, it is fortunate that not much of the content of the early Satoshi emails appears to have been leaked, and these early emails may have been deleted by Satoshi in 2011.

Overview

Part of the allure of the Bitcoin and cryptocurrency space is the never-ending stream of drama: the Bitcoin flash crash down to 1 cent in June 2011, the October 2013 Silk Road shutdown, the February 2014 MtGox failure, the March 2014 fake outing of Satoshi by Leah McGrath Goodman, the June 2016 DAO hack, the August 2016 Bitfinex hack, the November 2017 defeat of SegWit2x, the November 2022 FTX failure or more recently the defeats in court for Sam Bankman-Fried, Craig Wright and the SEC, to name but a few examples. There is another dramatic day in Bitcoin’s history that is now somewhat easy to forget: Monday 8th September 2014, the day Satoshi’s GMX email was hacked. This incident is the focus of this article.

At Least Three Compromised Accounts

It appears as if at least three of Satoshi’s accounts were compromised: Satoshi’s GMX email account, Satoshi’s account at the P2P Foundation forum and Satoshi’s Sourceforge account. The most significant hack appears to have been the emails. At around 9pm UTC on 8th September 2014, the moderator of the BitcoinTalk forum, Theymos, made the following post:

Today I received an email from satoshin@gmx.com (Satoshi’s old email address), the contents of which make me almost certain that the email account is compromised. The email was not spoofed in any way. It seems very likely that either Satoshi’s email account in particular or gmx.com in general was compromised, and the email account is now under the control of someone else. Perhaps satoshi@gmx.com expired and then someone else registered it.

Source: https://bitcointalk.org/index.php?topic=775174.0

The content of the email to Theymos apparently contained the words:

Michael, send me some coins before I hitman you

A few hours later, Bitcoin developer Peter Todd made a similar claim on Twitter:

Shortly after this, there was a post made on the https://p2pfoundation.ning.com forum, from Satoshi’s account, with the following text:

Dear Satoshi. Your dox, passwords and IP addresses are being sold on the darknet. Apparently you didn`t configure Tor properly and your IP leaked when you used your email account sometime in 2010. You are not safe. You need to get out of where you are as soon as possible before these people harm you. Thank you for inventing Bitcoin.

In a third malicious act, the Bitcoin page at the open source development website Sourceforge was also defaced. Also, somehow, during the hack, screenshots of Satoshi’s email account were made available.

Screenshot of Satoshi’s email account

Who is Satoshi?

The news of the hack led to a frenzy of activity and speculation on BitcoinTalk and IRC channels. One key question was whether the email was hacked or if the email address had been recycled due to inactivity, and someone was able to register a new account with Satoshi’s email address. If the account had been recycled, then the hacker would not have access to early Satoshi emails. Access to the emails could potentially enable the hacker to determine Satoshi’s real world identity, had Satoshi made any mistakes. Given what Peter Todd had said on Twitter, that he received an email forwarded from 2011, it appears as if this was a genuine hack and that Satoshi’s old emails may have been compromised.

Indeed, leaks were emerging of e-commerce orders sent to the email account:

Screenshot of e-commerce order

However, as we explain below, although this order may be genuine, someone may for some reason have used Satoshi’s email address on the order form without having access to the email address, and this order likely had nothing to do with Satoshi.

In addition to this, the email forwarded to Peter Todd was from July 2011, from a period when Satoshi had become inactive. It is certainly possible that Satoshi deleted all the old emails from the account when he became inactive. This would mean the hacker could not access any interesting early emails from or to Satoshi and the hack did not really expose Satoshi in any material way.

Dorian Nakamoto

Another question which quickly arose was whether, given that Satoshi’s accounts were compromised, the message a few months earlier from Satoshi was inauthentic. In March 2014 Satoshi posted on the P2P Foundation forum stating:

I am not Dorian Nakamoto

This was a response, possibly from Satoshi, to Leah McGrath Goodman’s unsubstantiated and quite frankly stupid Newsweek story claiming someone called Dorian Nakamoto was Satoshi Nakamoto. (The only evidence was the similar name).

However, it should be noted that the leaked screenshot from the email account contains a P2P Foundation password reset email from 8th September 2014. Therefore perhaps the hacker only gained access to the P2P Foundation forum on 8th September 2014 and the “I am not Dorian Nakamoto” post could therefore have been made by the real Satoshi.

Emails With Gregory Maxwell

Since the leaked screenshot contains emails with former Bitcoin developer Gregory Maxwell, in preparation for this article, we reached out to Mr Maxwell, asking if he would disclose the content of the emails. Gregory kindly obliged and gave us permission to publish. The most interesting extracts related to the hack are disclosed below. It starts with Gregory trying to get back control of the Sourceforge account from the hacker.

From: Gregory Maxwell
Date: Mon, Sep 8, 2014 at 11:35 PM
To: Satoshi Nakamoto

I get the sense that you’re only trying to have some fun and not cause any real harm. Mind transferring back control on sourceforge to us?  If you hand it back over before sourceforge does I’ll leave up the defacement for a couple hours for you. 🙂

From: Satoshi Nakamoto
Date: Mon, Sep 8, 2014 at 11:59 PM
To: Gregory Maxwell

Take me to dinner before you fuck me!

From: Satoshi Nakamoto
Date: Tue, Sep 9, 2014 at 12:24 AM
To: Gregory Maxwell 

To the other person who keeps hacking this account (if you see this in the sent folder): hi bro. The original sent emails folder is very interesting. You want to buy it Greg?

Gregory then advises the hacker not to publish more information about Satoshi. The hacker then responds as below.

From: Satoshi Nakamoto 
Date: Tue, Sep 9, 2014 at 2:09 AM
To: Gregory Maxwell

Yeah. I won’t release anything I have on him. He was a really smart guy so I’m not sure if his ‘mistakes’ are even mistakes, or just him tricking us. It’s sad to think that somewhere out in the world, the real Satoshi is worried about if he covered his tracks well enough. Maybe he opens his wallet and checks if anything has been taken. Or he gets suspicious when he hears a sound downstairs. He reads all the messages on the p2p foundation forum and wonders if Tor really did break on him, and whether the hackers or the NSA are trying to force him to make a move. He must live a paranoid life due to Bitcoin’s success. He might feel some relief if all his BTC were taken off him.

After reading the emails, the following stands out to us. Firstly the hacker claims there are potentially multiple hackers with access to the emails. There is no particular reason to believe the hacker is telling the truth, however given our experience a few hours later, which we talk about below, it is likely multiple people did indeed manage to access the account. The second thing which stands out to us is the hacker offering to sell “very interesting” emails in the sent folder, to Gregory Maxwell. Of course Mr Maxwell declines the offer. It is only speculation on our part, but reading that text, it feels to us more likely than not that this was a bluff by the hacker and that the hacker did not have access to emails sent by Satoshi. Of course we cannot know this for sure, but the hacker only says the emails are “very interesting” which is a vague comment and no preview was provided. On the other hand, with regards to emails sent to Satoshi post July 2011, actual content was provided, including in email chains with Gregory Maxwell. Although this is only our view, one can judge for oneself whether this hacker really did have access to Satoshi’s sent folder.

How Was The Hack Done?

The leading theory as to how the hacker accessed Satoshi’s GMX account was that a password reset was conducted. Apparently, the lost password reset question on Satoshi’s GMX account was the date of birth. The hacker could have guessed the date of birth. Apparently one could make a new guess every 8 hours, therefore the hacker could have been trying to access the account for a while and only obtained access by guessing the correct birthday on 8 September 2014.

Satoshi’s GMX profile date of birth could also have matched the date entered on Satoshi’s P2P Foundation profile. The P2P Foundation forum requires a date of birth for signups, and displays for every member an age calculated from that date. That age on the profile changes each year on the user’s birthday and therefore one can easily determine Satoshi’s apparent birthday from this information. Technically, you would need to check the website every day for a year until the age changes, to determine the date of birth.
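The arithmetic behind the two paragraphs above, as an added example that is not part of the original article: an offline model of how a displayed age narrows a date-of-birth recovery answer, and how long one guess every 8 hours takes to cover what remains. The profile observations and the 1940 to 1999 search window are constructed assumptions, not data from either site.

```python
from datetime import date, timedelta

GUESS_INTERVAL_HOURS = 8  # reset-question rate limit reported in the article
WINDOW = (date(1940, 1, 1), date(1999, 12, 31))  # assumed plausible birth dates

def displayed_age(birth: date, today: date) -> int:
    """Whole-year age as a profile page would show it on `today`."""
    age = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        age -= 1  # birthday not reached yet this year
    return age

def candidates(observations, window=WINDOW):
    """Birth dates in `window` consistent with every (date_seen, age_shown) pair."""
    start, end = window
    found, day = [], start
    while day <= end:
        if all(displayed_age(day, seen) == age for seen, age in observations):
            found.append(day)
        day += timedelta(days=1)
    return found

def worst_case_days(n_candidates: int) -> float:
    """Days needed to try every candidate at one guess per interval."""
    return n_candidates * GUESS_INTERVAL_HOURS / 24

# Constructed observations of a hypothetical profile (not real data).
NOTHING_SEEN = []
ONE_VISIT = [(date(2014, 1, 1), 33)]
AGE_CHANGE_SEEN = [(date(2014, 7, 14), 33), (date(2014, 7, 15), 34)]

if __name__ == "__main__":
    for label, obs in [("no profile data", NOTHING_SEEN),
                       ("one visit", ONE_VISIT),
                       ("age change observed", AGE_CHANGE_SEEN)]:
        n = len(candidates(obs))
        print(f"{label}: {n} candidates, {worst_case_days(n):.1f} days to exhaust")
```

The per-guess delay only protects the account while the answer space is large; once a public profile derives a value from the same date, the delay has almost nothing left to protect.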

Satoshi’s date of birth, according to the profile on the P2P Foundation forum, is 5th April 1975. 5th April 1933 is the date on which an executive order was made by the president of the United States to confiscate gold. Some consider this an important reference point with respect to the economic and philosophical genesis of Bitcoin, and this may be why Satoshi chose this date. However, we consider this speculative and one can find examples of important economic events that happened on a large number of dates.

Perhaps we will never know exactly how the hacker obtained access to Satoshi’s GMX account. On the BitcoinTalk forum in the days following the hack, some users believed they identified who the hacker was. Apparently it was some high school kid. Had the hacker been more sophisticated, they could have done much more damage and it seems the hacker was somewhat amateurish in regards to their conduct once they obtained control of the account.

Password Leaked

My memory of September 2014 is a little hazy, so the content in this section may be a little inaccurate, however it represents my recollections. On the Monday 8th September or Tuesday 9th September 2014 I was at work in London. My account relates to a very short period of time, perhaps around two minutes. I saw the news that Satoshi’s email account was hacked and I was keen to read as much as possible, another exciting drama day in Bitcoin. I quickly saw that not only was the account hacked, but Satoshi’s password had been leaked. I was then able to find the password, perhaps from text on a Pastebin link. Without thinking, I then went to the GMX website, entered the credentials and logged in. It worked! Somehow I had access to Satoshi’s email account.

I was immediately greeted with thousands of unread spam emails. This is different to the screenshot above which only has two unread emails and the inbox in the screenshot does not appear to contain much spam. When I logged in, almost all the emails were unread and all the emails I saw appeared to be spam. I am not sure what caused this difference. I do however remember there being around 10,000 emails, which is consistent with the above screenshot. Stupidly, I was surprised by all the spam; I was naively expecting to immediately see early interesting emails written by Satoshi from 2009. I wanted to see these early emails but could not work out how. I clicked to view the next page of emails and again it all looked like spam. I then noticed some emails for what appeared to be e-commerce related orders for consumer electronics. No way, I thought, Satoshi wouldn’t do that! That would reveal Satoshi’s address and payment details! Then it quickly dawned on me that these were very recent emails. These were probably either fake orders or perhaps real orders, where for some reason the customer used Satoshi’s email.

After a few seconds of access to the account, I started thinking about what to do. Could I get to 2009 and read some more interesting emails? Should I try and change the password to stop others accessing the account? Should I forward emails to myself, so that I can read them because access is likely to be shortly cut off? Should I try to download all the emails, perhaps via POP3 or IMAP? I was at work on my work computer, surely I could not do this until I went home and had my own computer. I then started quickly thinking about the ethics of this. Was it right for me to download the emails? These were supposed to be private. On the other hand, I got the password from the open internet, surely hundreds of people now had access. 

The above all happened in a few seconds, perhaps less than a minute. I did not have time to think through exactly what to do. Then a colleague at work approached my desk and wanted a chat, so I obliged. I locked my screen and went on a walk. I figured, no point me violating Satoshi’s privacy any further and anyway, someone else will download the emails and perhaps leak/publish them, and I could read them later. Around 30 minutes later I got back to my desk, unlocked my screen, clicked to open a spam email and I was logged out. I tried to log in again, but I had the incorrect credentials. That was that, all I had done was view some recent spam.

COPA vs CSW 2024 Trial

Almost 10 years later, while sitting in court in London, the significance of the events of September 2014 dawned on me. Craig Wright had clearly done some research into early Bitcoin and almost anything he discovered, he tried to somehow use as evidence to support his false claim to be Satoshi. For example, in court Craig complained that Satoshi no longer had login credentials for the BitcoinTalk forum. Part of Wright’s case was that even knowing this fact supported his claim to be Satoshi, because how else could he know that? Of course, Craig knew this because it was publicly available information, mentioned several times on the BitcoinTalk forum by Theymos, including in the thread about the September 2014 email hack.

Had Craig Wright managed to access Satoshi’s GMX account, as I had, he could have done tremendous damage with the information. It could have taken COPA far more time and money to refute some of Craig’s claims. The content of the proceedings in the COPA vs CSW case, including revelations and publications of some of Satoshi’s early emails with Martti Malmi, indicated to me that not many people had managed to access Satoshi’s GMX account in 2014 and perhaps nobody had archived and extracted the entire set of content. If this is the case, it is probably a good thing. 

Conclusion

Among the emails Gregory Maxwell sent to us recently was an email forwarded to him by Satoshi (someone logged into Satoshi’s account) at 12:37 AM on 9th September 2014. This email forwarded an email Mike Hearn sent to Satoshi in July 2014. Mike was complaining to Satoshi about the Bitcoin developers, expressing some of the arguments he expressed during The Blocksize War. This was certainly very interesting content for Mr Maxwell, a staunch small blocker, to read. As we explained, the email account had thousands of emails. Knowing that Mr Maxwell would find this July 2014 email particularly interesting, in the mess of ten thousand emails, would require some strong knowledge of Bitcoin and would require one to spend some time with the account. This certainly does not seem like a high school kid or a person threatening to “hitman” Theymos.

Therefore, we know multiple people had access to the account (including ourselves) and that some knowledgeable people spent some time there. Although we can never know this for sure, perhaps someone has this content stored somewhere. At least Mr Wright did not appear to have access to this, we hope anyway. And while this is speculation on our part, we can at least say it seems very plausible that Satoshi followed good operational security practices and perhaps deleted all the emails from before early 2011. If that is the case, Satoshi’s early emails now appear safe.