Everyone interested in Bitcoin, cryptocurrency and Satoshi Nakamoto must watch this video by Giovanni Santostasi (https://twitter.com/Giovann35084111) about The Bitcoin Power Law Theory:
Abstract. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
Satoshi Nakamoto published the bitcoin white paper 31/Oct 2008 [1], created the bitcoin genesis block 03/Jan 2009, and released the bitcoin code 08/Jan 2009. So begins a journey that leads to a $70bn bitcoin (BTC) market today.
Bitcoin is the first scarce digital object the world has ever seen. It is scarce like silver & gold, and can be sent over the internet, radio, satellite etc.
"As a thought experiment, imagine there was a base metal as scarce as gold but with the following properties: boring grey in colour, not a good conductor of electricity, not particularly strong [..], not useful for any practical or ornamental purpose .. and one special, magical property: can be transported over a communications channel" — Nakamoto [2]
Surely this digital scarcity has value. But how much? In this article I quantify scarcity using stock-to-flow, and use stock-to-flow to model bitcoin’s value.
Scarcity and Stock-to-Flow
Dictionaries usually define scarcity as 'a situation in which something is not easy to find or get', and 'a lack of something'.
Nick Szabo has a more useful definition of scarcity: 'unforgeable costliness'.
"What do antiques, time, and gold have in common? They are costly, due either to their original cost or the improbability of their history, and it is difficult to spoof this costliness. [..] There are some problems involved with implementing unforgeable costliness on a computer. If such problems can be overcome, we can achieve bit gold." — Szabo [3]
"Precious metals and collectibles have an unforgeable scarcity due to the costliness of their creation. This once provided money the value of which was largely independent of any trusted third party. [..][but] you can’t pay online with metal. Thus, it would be very nice if there were a protocol whereby unforgeably costly bits could be created online with minimal dependence on trusted third parties, and then securely stored, transferred, and assayed with similar minimal trust. Bit gold." — Szabo [4]
Bitcoin has unforgeable costliness, because it costs a lot of electricity to produce new bitcoins. Producing bitcoins cannot be easily faked. Note that this is different for fiat money and also for altcoins that have no supply cap, have no proof-of-work (PoW), have low hashrate, or have a small group of people or companies that can easily influence supply etc.
Saifedean Ammous talks about scarcity in terms of stock-to-flow (SF) ratio. He explains why gold and bitcoin are different from consumable commodities like copper, zinc, nickel, brass, oil, because they have high SF.
"For any consumable commodity [..] doubling of output will dwarf any existing stockpiles, bringing the price crashing down and hurting the holders. For gold, a price spike that causes a doubling of annual production will be insignificant, increasing stockpiles by 3% rather than 1.5%."
"It is this consistently low rate of supply of gold that is the fundamental reason it has maintained its monetary role throughout human history."
"The high stock-to-flow ratio of gold makes it the commodity with the lowest price elasticity of supply."
"The existing stockpiles of Bitcoin in 2017 were around 25 times larger than the new coins produced in 2017. This is still less than half of the ratio for gold, but around the year 2022, Bitcoin's stock-to-flow ratio will overtake that of gold" — Ammous [5]
So, scarcity can be quantified by SF.
SF = stock / flow
Stock is the size of the existing stockpiles or reserves. Flow is the yearly production. Instead of SF, people also use supply growth rate (flow/stock). Note that SF = 1 / supply growth rate.
Let’s look at some SF numbers.
Gold has the highest SF, 62: it takes 62 years of production to get the current gold stock. Silver is second with SF 22. This high SF makes them monetary goods.
Palladium, platinum and all other commodities have SF barely higher than 1. Existing stock is usually equal to or lower than yearly production, making production a very important factor. It is almost impossible for commodities to get a higher SF, because as soon as somebody hoards them, price rises, production rises, and price falls again. It is very hard to escape this trap.
Bitcoin currently has a stock of 17.5m coins and supply of 0.7m/yr = SF 25. This places bitcoin in the monetary goods category like silver and gold. Bitcoin's market value at current prices is $70bn.
Supply of bitcoin is fixed. New bitcoins are created in every new block. Blocks are created every 10 minutes (on average), when a miner finds the hash that satisfies the PoW required for a valid block. The first transaction in each block, called the coinbase, contains the block reward for the miner that found the block. The block reward consists of the fees that people pay for transactions in that block and the newly created coins (called subsidy). The subsidy started at 50 bitcoins, and is halved every 210,000 blocks (about 4 years). That's why 'halvings' are very important for bitcoin's money supply and SF. Halvings also cause the supply growth rate (in bitcoin context usually called 'monetary inflation') to be stepped and not smooth.
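The subsidy schedule described above, as an added Python example that is not code from the article: it halves the subsidy with integer arithmetic, sums the resulting stock, and shows SF stepping up at a halving. The function names are illustrative, and the 52,560 blocks per year figure assumes exactly one block every 10 minutes, which the article notes is not what the chain actually produced.

```python
"""Block subsidy, cumulative stock and stock-to-flow from block height alone."""

COIN = 100_000_000               # satoshis per bitcoin
INITIAL_SUBSIDY = 50 * COIN      # the subsidy started at 50 bitcoins
HALVING_INTERVAL = 210_000       # blocks between halvings
BLOCKS_PER_YEAR = 6 * 24 * 365   # assumption: one block every 10 minutes exactly


def subsidy_sats(height: int) -> int:
    """Newly created satoshis in the block at `height` (fees excluded)."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:           # nothing is left to halve by then
        return 0
    return INITIAL_SUBSIDY >> halvings   # integer halving, rounds down


def stock_sats(height: int) -> int:
    """Satoshis created by all blocks below `height`."""
    total, epoch, remaining = 0, 0, height
    while remaining > 0:
        reward = subsidy_sats(epoch * HALVING_INTERVAL)
        if reward == 0:          # subsidy has rounded down to zero
            break
        blocks = min(remaining, HALVING_INTERVAL)
        total += blocks * reward
        remaining -= blocks
        epoch += 1
    return total


def stock_to_flow(height: int, disregard_btc: float = 0.0) -> float:
    """SF = stock / yearly flow, using the subsidy in force at `height`.

    `disregard_btc` removes coins from the stock, the way the article
    disregards the first million coins as lost.
    """
    flow = subsidy_sats(height) * BLOCKS_PER_YEAR
    if flow == 0:
        return float("inf")
    stock = stock_sats(height) - int(disregard_btc * COIN)
    return stock / flow


def supply_cap_sats() -> int:
    """Total satoshis ever created once the subsidy reaches zero."""
    return stock_sats(64 * HALVING_INTERVAL)


if __name__ == "__main__":
    # Last block before and first block after each of the first three halvings.
    for h in (209_999, 210_000, 419_999, 420_000, 629_999, 630_000):
        print(h, subsidy_sats(h) / COIN, round(stock_to_flow(h), 2))
    print("supply cap (BTC):", supply_cap_sats() / COIN)
```

Because the halving rounds down to whole satoshis, the cap lands slightly under 21 million coins.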
Stock-to-Flow and Value
The hypothesis in this study is that scarcity, as measured by SF, directly drives value. A look at the table above confirms that market values tend to be higher when SF is higher. Next step is to collect data and make a statistical model.
Data
I calculated bitcoin's monthly SF and value from Dec 2009 to Mar 2018 (111 data points in total). Number of blocks per month can be directly queried from the bitcoin blockchain with Python/RPC/bitcoind. Actual number of blocks differs quite a bit from the theoretical number, because blocks are not produced exactly every 10 minutes (e.g. in the first year 2009 there were significantly fewer blocks). With the number of blocks per month and known block subsidy, you can calculate flow and stock. I corrected for lost coins by arbitrarily disregarding the first million coins (7 months) in the SF calculation. More accurate adjusting for lost coins will be a subject for future research.
Bitcoin price data is available from different sources but starts at Jul 2010. I added the first known bitcoin prices ($1 for 1309 BTC Oct 2009, first quote of $0.003 on BitcoinMarket Mar 2010, 2 pizzas worth $41 for 10,000 BTC May 2010) and interpolated. Data archeology will be a subject for future research.
We already have the data points for gold (SF 62, market value $8.5trn) and silver (SF 22, market value $308bn), which I use as a benchmark.
Model
A first scatter plot of SF vs market value shows that it is better to use logarithmic values or axis for market value, because it spans 8 orders of magnitude (from $10,000 to $100bn). Using logarithmic values or axis for SF as well reveals a nice linear relationship between ln(SF) and ln(market value). Note that I use natural logarithm (ln with base e) and not common logarithm (log with base 10), which would yield similar results.
Fitting a linear regression to the data confirms what can be seen with the naked eye: a statistically significant relationship between SF and market value (95% R², significance of F 2.3E-17, p-value of slope 2.3E-17). The likelihood that the relationship between SF and market value is caused by chance is close to zero. Of course other factors also impact price (regulation, hacks and other news), which is why R² is not 100% (and not all dots are on the straight black line). However, the dominant driving factor seems to be scarcity / SF.
What is very interesting is that gold and silver, which are totally different markets, are in line with the bitcoin model values for SF. This gives extra confidence in the model. Note that at the peak of the bull market in Dec 2017 bitcoin SF was 22 and bitcoin market value was $230bn, very close to silver.
Because halvings have such a big impact on SF, I put months until the next halving as a color overlay in the chart. Dark blue is the halving month, and red is just after the halving. Next halving is May 2020. Current SF of 25 will double to 50+, very close to gold (SF 62).
The predicted market value for bitcoin after May 2020 halving is $1trn, which translates into a bitcoin price of $55,000. That is quite spectacular. I guess time will tell and we will probably know one or two years after the halving, in 2020 or 2021. A great out of sample test of this hypothesis and model.
People ask me where all the money needed for $1trn bitcoin market value would come from? My answer: silver, gold, countries with negative interest rate (Europe, Japan, US soon), countries with predatory governments (Venezuela, China, Iran, Turkey etc), billionaires and millionaires hedging against quantitative easing (QE), and institutional investors discovering the best performing asset of the last 10 yrs.
We can also model bitcoin price directly with SF. The formula of course has different parameters, but the result is the same, 95% R² and a predicted bitcoin price of $55,000 after May 2020 halving. I plotted bitcoin model price based on SF (black) and actual bitcoin price over time, with the number of blocks as color overlay.
Notice the goodness of fit, especially the almost immediate price adjustment after Nov 2012 halving. Adjustment after Jun 2016 halving was much slower, possibly due to Ethereum competition and the DAO hack. Also, you see fewer blocks per month (blue) in the first year 2009 and during downward difficulty adjustments at the end of 2011, mid 2015 and the end of 2018. Introduction of GPU miners in 2010-2011 and ASIC miners in 2013 resulted in more blocks per month (red).
Power Laws and Fractals
Also very interesting is that there is an indication of a power law relationship.
The linear regression function: ln(market value) = 3.3 * ln(SF) + 14.6
.. can be written as a power law function: market value = exp(14.6) * SF ^ 3.3
Power laws are scarce; you don’t find them very often. The possibility of a power law with 95% R² over 8 orders of magnitude adds confidence that the main driver of bitcoin value is correctly captured with SF.
A power law is a relationship in which a relative change in one quantity gives rise to a proportional relative change in the other quantity, independent of the initial size of those quantities [6]. See appendix for some famous power law examples.
Power laws are interesting because they reveal an underlying regularity in the properties of seemingly random complex systems. Complex systems usually have properties where changes between phenomena at different scales are independent of the scales we are looking at. The picture we take at one scale is therefore similar in some way to the picture we take at another scale. This self-similar property underlies power law relationships. We see this in Bitcoin too: 2011, 2014 and 2018 crashes look very similar (all have -80% dips) but on totally different scales (resp. $10, $1000, $10,000); if you don't use log scales, you will not see it. Scale invariance and self-similarity have a link with fractals. In fact, parameter a in the power law function above is the 'fractal dimension'. For more information on fractals see the famous study of length of coastlines [7]. Power laws and fractals in bitcoin will be a subject for future research.
Conclusion
Bitcoin is the first scarce digital object the world has ever seen. It is scarce like silver & gold, and can be sent over the internet, radio, satellite etc.
Surely this digital scarcity has value. But how much? In this article I quantify scarcity using stock-to-flow, and use stock-to-flow to model bitcoin’s value.
A statistically significant relationship between stock-to-flow and market value exists. The likelihood that the relationship between stock-to-flow and market value is caused by chance is close to zero.
Adding confidence in the model:
Gold and silver, which are totally different markets, are in line with the bitcoin model values for SF.
There is an indication of a power law relationship.
The model predicts a bitcoin market value of $1trn after next halving in May 2020, which translates into a bitcoin price of $55,000.
1. Introduction
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party. What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.
2. Transactions
We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.
The problem of course is the payee can't verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank. We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.
3. Timestamp Server
The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.
4. Proof-of-Work
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash. For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it. The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added. To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases.
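The nonce search and chaining described in this section, as an added Python example that is not code from the paper: it mines a short chain, verifies each block with a single hash, and shows that editing one block leaves every later block to be re-mined. The block layout, the 12-bit difficulty and all names are assumptions chosen for a fast demo; Bitcoin's real header format and target encoding are not reproduced.

```python
"""Toy proof-of-work chain: mine, verify with one hash, price a rewrite."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PREV = bytes(32)   # constructed: all-zero "previous hash" for block 0
TOY_BITS = 12              # assumption: tiny difficulty so the demo runs fast
SAMPLE_PAYLOADS = [b"tx batch 0", b"tx batch 1", b"tx batch 2", b"tx batch 3"]


@dataclass
class Block:
    prev_hash: bytes       # hash of the previous block (the chain link)
    payload: bytes         # stands in for the block's transactions
    nonce: int = 0

    def digest(self) -> bytes:
        header = (self.prev_hash
                  + hashlib.sha256(self.payload).digest()
                  + self.nonce.to_bytes(8, "little"))
        return hashlib.sha256(header).digest()


def leading_zero_bits(h: bytes) -> int:
    return len(h) * 8 - int.from_bytes(h, "big").bit_length()


def has_work(block: Block, bits: int) -> bool:
    """Verification costs one hash, however long the search took."""
    return leading_zero_bits(block.digest()) >= bits


def mine(block: Block, bits: int) -> int:
    """Increment the nonce until the hash has `bits` zero bits; return tries."""
    block.nonce, tries = 0, 1
    while not has_work(block, bits):
        block.nonce += 1
        tries += 1
    return tries


def build_chain(payloads: List[bytes], bits: int) -> List[Block]:
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        block = Block(prev, payload)
        mine(block, bits)
        chain.append(block)
        prev = block.digest()
    return chain


def first_invalid(chain: List[Block], bits: int) -> Optional[int]:
    """Index of the first block with a broken link or missing work, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.prev_hash != prev or not has_work(block, bits):
            return i
        prev = block.digest()
    return None


def redo_work_from(chain: List[Block], index: int, payload: bytes, bits: int) -> int:
    """Change block `index` and re-mine it and every later block.

    Returns the number of hashes spent, i.e. the cost of the edit.
    """
    chain[index].payload = payload
    hashes, prev = 0, chain[index].prev_hash
    for block in chain[index:]:
        block.prev_hash = prev
        hashes += mine(block, bits)
        prev = block.digest()
    return hashes


if __name__ == "__main__":
    chain = build_chain(SAMPLE_PAYLOADS, TOY_BITS)
    print("valid chain:", first_invalid(chain, TOY_BITS) is None)
    chain[1].payload = b"edited batch 1"
    print("after edit, first invalid block:", first_invalid(chain, TOY_BITS))
    cost = redo_work_from(chain, 1, b"edited batch 1", TOY_BITS)
    print("hashes to repair blocks 1..3:", cost)
```

Each extra zero bit doubles the expected number of tries in `mine`, while `has_work` stays a single hash.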
5. Network
The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.
New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.
6. Incentive
By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended. The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free. The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
7. Reclaiming Disk Space
Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored. A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.
8. Simplified Payment Verification
It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in. He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it. As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.
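The Merkle tree of section 7 and the Merkle-branch check a simplified-verification client performs, as an added Python example that is not code from the paper: it builds the root, extracts the branch for one transaction, and verifies it against the root alone. The double SHA-256 and the rule of pairing an odd last node with itself follow Bitcoin's convention; the transaction bytes and function names are constructed for illustration.

```python
"""Merkle root, Merkle branch extraction and branch verification."""
import hashlib
from typing import List

# Constructed sample "transactions"; a real client would hash serialized txs.
SAMPLE_TXS = [b"tx-alpha", b"tx-bravo", b"tx-charlie", b"tx-delta", b"tx-echo"]


def dsha(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for tree nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first, root last."""
    if not leaves:
        raise ValueError("a block needs at least one transaction")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                 # odd count: pair the last node with itself
            cur = cur + [cur[-1]]
        levels.append([dsha(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(leaves: List[bytes]) -> bytes:
    return merkle_levels(leaves)[-1][0]


def merkle_branch(leaves: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes from leaf `index` up to (not including) the root."""
    if not 0 <= index < len(leaves):
        raise IndexError("no such leaf")
    branch = []
    for level in merkle_levels(leaves)[:-1]:
        sibling = index ^ 1
        branch.append(level[sibling] if sibling < len(level) else level[index])
        index //= 2
    return branch


def verify_branch(leaf: bytes, index: int, branch: List[bytes], root: bytes) -> bool:
    """What a header-only client runs: fold the branch and compare to the root.

    A True result shows the transaction is committed to by that block's root.
    It says nothing about whether the transaction itself is valid; that is
    the trust the section above places in the nodes that built the chain.
    """
    h = leaf
    for sibling in branch:
        h = dsha(sibling + h) if index & 1 else dsha(h + sibling)
        index >>= 1
    return h == root


if __name__ == "__main__":
    leaves = [dsha(tx) for tx in SAMPLE_TXS]
    root = merkle_root(leaves)
    branch = merkle_branch(leaves, 4)
    print("branch length:", len(branch))            # 3 hashes for 5 leaves
    print("included:", verify_branch(leaves[4], 4, branch, root))
    print("forged:", verify_branch(dsha(b"tx-forged"), 4, branch, root))
```

The branch grows with the logarithm of the transaction count, which is why a client holding only block headers can afford the check.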
9. Combining and Splitting Value
Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be .
10. Privacy
The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were. As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
11. Calculations
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent. The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1. The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:
p = probability an honest node finds the next block
q = probability the attacker finds the next block
q_z = probability the attacker will ever catch up from z blocks behind
Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind. We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late. The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction. The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:
12. Conclusion
We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.
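The waiting-time question posed in this section, worked as an added Python example that is not code from this page: it evaluates the gambler's-ruin catch-up probability and the Poisson-weighted chance that a sender with hash share q overtakes z confirmations, then finds the smallest z that keeps that chance under a chosen risk. The formulas q_z = (q/p)^z and expected value z*q/p do not survive in the text above and are supplied here as the standard results for this model; the function names and the 0.1% default risk are assumptions.

```python
"""How many confirmations until a double-spend becomes improbable."""
import math


def catch_up_probability(q: float, z: int) -> float:
    """q_z: chance an attacker with share q ever erases a z-block deficit."""
    p = 1.0 - q
    return 1.0 if q >= p else (q / p) ** z


def poisson_pmf(k: int, lam: float) -> float:
    """P(K = k) for a Poisson variable, computed in log space for stability."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def attacker_success(q: float, z: int) -> float:
    """Probability the sender's secret chain overtakes z confirmations.

    The attacker's progress while the honest chain adds z blocks is taken
    as Poisson with mean z*q/p; from k blocks of progress he still has to
    make up z - k blocks, which succeeds with probability q_(z-k).
    """
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority attacker always catches up
    lam = z * q / p
    stays_behind = sum(
        poisson_pmf(k, lam) * (1.0 - catch_up_probability(q, z - k))
        for k in range(z + 1)
    )
    return 1.0 - stays_behind


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 2000) -> int:
    """Smallest z with attacker_success(q, z) < max_risk."""
    if not 0.0 <= q < 0.5:
        raise ValueError("no finite depth is safe once q reaches 0.5")
    for z in range(limit + 1):
        if attacker_success(q, z) < max_risk:
            return z
    raise ValueError("risk target not reached within limit")


if __name__ == "__main__":
    for q in (0.10, 0.30):
        row = ", ".join(f"z={z}: {attacker_success(q, z):.7f}" for z in (0, 1, 5, 10))
        print(f"q={q:.2f}  {row}")
    for q in (0.10, 0.20, 0.30, 0.40):
        print(f"q={q:.2f} needs z={confirmations_needed(q)} for < 0.1% risk")
```

The required depth rises steeply as q approaches one half, so a fixed confirmation count only protects against an attacker share assumed in advance.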
References
[1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
[4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, "Hashcash - a denial of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, "An introduction to probability theory and its applications," 1957.
Want to really understand how bitcoin works? Here’s a gentle primer
Ars goes deep on the breakthrough online payment network.
Timothy B. Lee - 12/15/2017, 12:35 PM
The soaring price of bitcoin—the virtual currency is now worth more than $250 billion—has gotten a lot of attention in recent weeks. But the real significance of bitcoin isn't just its rising value. It's the technological breakthrough that allowed the network to exist in the first place.
Bitcoin's still anonymous inventor, who went by the pseudonym Satoshi Nakamoto, figured out a completely new way for a decentralized network to reach a consensus about a shared transaction ledger. This innovation made possible the kind of fully decentralized electronic payment systems that cypherpunks had dreamed about for decades.
There are many theories. Is it one person? Is it a group of people?
Here are the top names that people believe could be Satoshi Nakamoto:
Hal Finney: Many people believe that Hal Finney, the first person to receive a bitcoin transaction, was actually Satoshi Nakamoto. If so, the mystery of the founder’s identity may never be solved, as Finney passed away in 2014 from ALS.
A Russian or Chinese agent: The Obama administration was concerned that Satoshi was an agent of Russia or China, and that Bitcoin might be weaponized against us in the future. Knowing the source would help the administration understand their motives.
The CIA/NSA: A group named CIA Project claims that bitcoin is a creation of the CIA or NSA. While the group provided “evidence,” such as stating that the name Satoshi Nakamoto roughly translates to “Central Intelligence” in Japanese, their perspective is considered to be no more than a conspiracy theory.
Nick Szabo: A reclusive American deeply involved in the bitcoin project, Szabo released a blog post expressing interest in the technology before Bitcoin’s release, but later reposted it to alter the publishing date. After the blog post about bit gold was determined to be from before Bitcoin’s release, researchers at Aston University compared his writing style to Satoshi Nakamoto’s. According to Jack Grieve, a lecturer who led the project effort, the similarities were “uncanny.”
A Group of Companies: Some bitcoin users have suggested (jokingly) that Satoshi Nakamoto could actually be a group of four Asian technology companies: Samsung, Toshiba, Nakamichi, and Motorola. The name can be created by taking the “sa” from Samsung, “toshi” from Toshiba, “naka” from Nakamichi, and “moto” from Motorola.
Mt. Gox and the Surprising Redemption of Bitcoin’s Biggest Villain
He led the world's largest Bitcoin exchange before a mysterious heist made it go bust. As clues emerge and Bitcoin's price surges, Mark Karpelès is on the hunt for answers.
By Jen Wieczner, April 19, 2018
The moment that would change the history of Mt. Gox came without so much as a beep. Mark Karpelès, the CEO of what until recently had been the world’s biggest Bitcoin exchange, was finally alone, save for his tabby cat, in his palatial penthouse with a panoramic view of Tokyo. It was the evening of March 7, 2014, and Karpelès had barely slept in the week since Mt. Gox had sought bankruptcy protection, announcing that 850,000 of its Bitcoins, worth some $473 million at the time—and representing 7% of all Bitcoins then in existence—had somehow disappeared. With protesters and camera crews swarming in front of Mt. Gox’s office and the price of Bitcoin in free fall, the usually unflappable Frenchman had been confined to a self-imposed house arrest, subsisting on the buttery pastries he liked to bake and reading the hate mail that flooded in from all corners of the Internet—most of it accusing him of stealing the money himself. Today the Mt. Gox hack remains the worst disaster in Bitcoin’s short history.
It wasn’t until his lawyers had gone home for the day that Karpelès could retreat to his computer, and that’s when he noticed the shocking number on his screen. Following his company’s collapse, he’d spent days methodically double-checking Mt. Gox’s old digital wallets, where the secret alphanumeric keys for accessing Bitcoins are stored. One after another—a dozen so far—the wallets had come up empty. But this time, when the blockchain-scanning program finished running after six hours, it had silently served up an unexpected result: He’d found 200,000 Bitcoins, stashed away in an archived file in the cloud—apparently forgotten and untouched for three years.
Mark Karpelès in Tokyo’s Shinjuku district. The former Mt. Gox CEO, who once felt safe leaving his laptop on a park bench, refused to set down his bag for fear of theft. Photographed by Eric Rechsteiner for Fortune.
In a series of conversations with Fortune, Karpelès shared for the first time the full details of what he says really happened in the final days of Mt. Gox—including his account of how he stumbled on the 200,000 Bitcoins.
The surprise discovery would turn out to be, to this day, the only hope Mt. Gox customers have of getting their money back. It’s been proved that the other 650,000 missing Bitcoins were stolen—we now know, by various hackers. But Karpelès continues to be one of the most infamous figures in cryptocurrency. And his legal fate is uncertain, even as new evidence has emerged that largely exonerates him.
Ironically, today Karpelès doesn’t view the retrieval of the 200,000 Bitcoins as a lucky break. They’ve become such a subject of contention, in fact, that he wonders whether it might have been better if they’d remained lost. “At the time, I felt finding these was a good thing for everyone,” recalls Karpelès, now 32, his French accent still strong after nearly nine years in Japan. “But now this is also the main reason why we are stuck fighting.”
To many, the belated revelation seemed too good to be true—making the unemotional programmer-turned-mogul look even guiltier. Was he just coughing up his go-bag in an attempt to wiggle out of trouble? Soon, they had even more reason to suspect him: Leaked trading records suggested that what could only be an internal Mt. Gox account—widely known today as the “Willy bot”—was artificially inflating its account balance and using the money to buy Bitcoins. When Mt. Gox ran low on Bitcoins, Willy helped make up the shortfall. Sometimes its trades went the other way, selling borrowed Bitcoins to generate cash. Critics speculate that it was a fraudulent, if failed, exercise to keep Mt. Gox afloat.
That suspicious activity by the Willy bot led to Karpelès’s arrest in August 2015 on charges of manipulating electronic data; he admitted in court last summer to running what he called the “obligation exchange” but disputes doing anything illegal. After spending almost a year in jail, Karpelès is currently on trial in Tokyo, facing criminal allegations such as embezzlement and breach of trust, all unrelated to the missing Bitcoins.
But it was an unforeseen twist that today is causing Karpelès the greatest angst. Between the time Mt. Gox shut down and when it entered liquidation in April 2014, the price of Bitcoin had plummeted more than 20% to $483. It would be over two and a half years before Bitcoin would regain its previous high—long enough that many Mt. Gox victims didn’t even bother filing a claim for what they considered an insignificant sum. Then early last year, Bitcoin finally broke its old record. By late May, it was trading at nearly $2,200, making Mt. Gox’s remaining Bitcoins—202,185 to be exact—worth more than everything it owed in claims. When the Bitcoin price peaked at $20,000 in December, the value of Mt. Gox’s assets (by then including Bitcoin derivatives such as Bitcoin Cash) ballooned to $4.4 billion—nearly 10 times the amount Mt. Gox said it lost in the first place. “The fact that you have a bankruptcy where the only asset that it owns goes up by 5,000%, that’s pretty unprecedented,” says Daniel Kelman, a lawyer and Mt. Gox creditor who spent a year in Tokyo working on the case.
After months studying Japan’s bankruptcy code while in solitary confinement, Karpelès knew there was a wrinkle: Under the law, most of that excess would return to shareholders of Mt. Gox, of which he held 88%. At current prices, the windfall would make him a billionaire. It would also mean an interminable nightmare of lawsuits and threats that Karpelès—who is also in personal bankruptcy—is desperate to avoid. He says he’d happily give the money back if it came to him, but the estimated 60% tax triggered in the process would be catastrophic.
“I never expected to get anything out of this,” Karpelès tells me when we meet in Tokyo in March. “It would bring more trouble than anything.”
We’re on the second floor of a Japanese café, in a stuffy meeting room that Karpelès says is not much bigger than his jail cell. Deprived of a computer behind bars, he passed time by measuring the room using the length of his notebook. (After his release, Karpelès sent friends a chart of the 70 pounds he’d lost while detained.) It’s the first day in Tokyo that finally feels like spring, cherry blossoms in bloom, but he has holed up here in the café because it’s roughly equidistant from the offices of his various lawyers, as well as the bankruptcy trustee, whom he meets with regularly out of a sense of “duty” to his former customers. He’s been so busy, he says, he didn’t have time to shave that morning.
Karpelès took control of Mt. Gox—the name is an acronym for Magic: The Gathering Online eXchange, after the trading card game that inspired the original site—in 2011 from founder Jed McCaleb. Employees don’t remember Karpelès ever seeming fazed about anything: He took meetings from a vibrating massage chair and churned out combs using a 3D printer he’d bought for the office. His hallmark reply to questions: “Should be fine.”
But he’s lately developed a sense of gallows humor uncharacteristic of his Mt. Gox days. Even if he wanted to buy Bitcoin today, he doubts he could find an exchange that would take his money, he laughs, and notes that it’s been a few months since he’s received any death threats—“a new record.” He turns serious, though, when he recounts the sleepless nights in February 2014 when he says he first discovered that all of Mt. Gox’s Bitcoins were missing. “I think this really is the worst experience for anyone to have in life,” he says. Still, he’s not sure he could have done the job better. “If I knew at the time what I know today, I would have done things differently, of course,” he says with a practiced tone. “But based on the information I had at the time, and the situation at the time, I still think that I’ve done the best I could do with what I had.”
The question of what Karpelès knew, and when, though, remains more of a mystery than even who stole the coins. Bitcoin’s public ledger, or blockchain, allows anyone to trace the path of transactions, showing the wallets where Mt. Gox’s Bitcoins went. But the same blockchain analysis, multiple experts have confirmed, has also revealed an unsettling fact: By mid-2013, Mt. Gox had already lost all its Bitcoins—eight months before it admitted so publicly.
The timing of this insolvency, analysis shows, coincided with the Willy bot kicking into high gear—perhaps providing a hint as to Karpelès’s true motivations. “I feel that this is a reaction to this revelation that okay, all the money is gone,” says Michael Gronager, CEO of Chainalysis, which was hired by the Mt. Gox bankruptcy trustee to investigate the Bitcoins’ disappearance. Yet it’s also why he doesn’t believe Karpelès was planning to run away with the 200,000 Bitcoins. “I think that had he found them before he went bankrupt, he would never have gone bankrupt,” says Gronager. Rather, he says, Karpelès would have used the hoard to cover his losses.
When Mt. Gox froze Bitcoin withdrawals in 2014, a customer named Kolin Burges hopped a flight from London to Tokyo. For more than two weeks, until Mt. Gox declared bankruptcy, he kept vigil outside the exchange’s headquarters, holding a sign reading, “MTGOX WHERE IS OUR MONEY?” Other protesters soon joined him, demonstrating the frustration of Mt. Gox customers worldwide.
Kim Nilsson was just as vexed, but standing in the snow wasn’t his style. A modest Swedish software engineer with a goatee and a quiet voice, Nilsson, who also owned Bitcoins at Mt. Gox, had never before worked on blockchain technology. But he had a reputation for getting to the bottom of the toughest software bugs; in his off-time, he’d been known to beat all the levels of Super Mario Bros. 2 in an afternoon sitting. And that’s how he approached Mt. Gox: “It was basically just the world’s biggest puzzle at the time—like whoever solves this, imagine the recognition.”
Kim Nilsson, the software engineer who cracked the Mt. Gox case, standing on the street near Shinjuku Station in Tokyo. Photographed by Eric Rechsteiner for Fortune.
He teamed up with some other Mt. Gox customers to launch WizSec, a blockchain security firm dedicated to cracking the case. But while the company quickly dissolved, Nilsson stayed on the case in secret, teaching himself blockchain analysis and painstakingly tracing the money stolen from Mt. Gox. Although Nilsson started off investigating Karpelès’s role in the theft, he soon realized the CEO was just as eager as he was to know what happened. At a time when Karpelès needed friends most, the WizSec team scored an invite to his apartment by offering to bring the Frenchman the ingredients he needed to bake his famous apple quiche. Soon, Karpelès was feeding Nilsson internal Mt. Gox data that could help solve the case. “I wish I had stolen the money, because then I could just give it back,” Karpelès told them at the time.
Over the next four years, Nilsson estimates he spent a year-and-a-half’s worth of full-time hours pursuing the Mt. Gox hackers. He’s never been paid for his work; his 12.7 Bitcoin claim at Mt. Gox makes him one of its smallest creditors. To J. Maurice, who helped found WizSec but left the company early on and was not involved in the investigation, Nilsson’s effort epitomizes the virtues of Bitcoin—a decentralized system free of government control, which relies instead on individual users to sustain it. “Kim is humble, he doesn’t brag, he doesn’t even want to get rich. He’s just working hard on something for years as his passion project,” Maurice says. “That’s what Bitcoin is.”
By early 2016, Nilsson had a suspect. As he tracked the stolen funds, he saw that, of the 650,000 Bitcoins reported stolen from Mt. Gox, 630,000 had gone straight into wallets controlled by the same person. That person also had an account at Mt. Gox, associated with the username WME. Then Nilsson stumbled across an old post in an online Bitcoin forum in which someone with the handle WME had thrown a tantrum, complaining that another cryptocurrency exchange had frozen his funds. “Give [me] my CLEAN MONEY!” read the post. In the process, WME dropped clues that he owned some of the Bitcoin wallets in question. But the big break came when the same user posted a letter from his lawyer, his first and last name visible for the whole world to see. Nilsson, as he routinely did with his findings, dashed off an email to Gary Alford, a special agent with the IRS in New York who has helped catch cybercriminals.
Then one scorching day last July, police stormed a beach in Greece to arrest a Russian citizen vacationing with his family. U.S. federal prosecutors charged Alexander Vinnik, a 38-year-old IT specialist, with laundering 530,000 of the stolen Mt. Gox Bitcoins through his WME wallets and other accounts. They also accused him of helping to run the exchange BTC-e, whose primary purpose was allegedly to launder money. It is plausible, investigators say, that BTC-e was founded specifically to launder funds stolen from Mt. Gox. Blockchain analysis shows that the hack that devastated Mt. Gox began in autumn 2011, around the time BTC-e started up. Keys to Mt. Gox’s “hot wallet”—its online Bitcoin repository—were stolen and copied, compromising the exchange’s deposit addresses. So for the next two years, in nine out of 10 instances, coins were being stolen as soon as they came in, says Chainalysis’ Gronager, who is also a creditor: “It meant that you had a hole in the bottom of the well, and someone was just draining money.”
Karpelès claims he never noticed because the hackers stole small amounts at a time, and the balances generally seemed to move upward. “Bitcoin didn’t exactly decrease,” he says. “It’s just that they didn’t increase as much as they should.”
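The failure described above, where holdings kept rising while deposits were being drained, is what a spend-by-spend reconciliation catches and a balance-trend check misses. The sketch below is an added example, not part of the original article and not code from Mt. Gox or Chainalysis. The addresses, transaction ids and amounts are constructed, and the internal record of authorized withdrawals is an assumed data source.

```python
from dataclasses import dataclass

SATS = 100_000_000  # satoshis per bitcoin


@dataclass(frozen=True)
class ChainEvent:
    day: int      # observation day (constructed)
    txid: str     # placeholder transaction id (constructed)
    address: str  # exchange-controlled address the event touches
    delta: int    # satoshis: positive = received, negative = spent


# Constructed sample: on-chain activity seen on two exchange-controlled addresses.
CHAIN_EVENTS = [
    ChainEvent(1, "tx-dep-01", "hot-A", 50 * SATS),
    ChainEvent(1, "tx-out-01", "hot-A", -5 * SATS),   # customer withdrawal
    ChainEvent(2, "tx-dep-02", "hot-B", 40 * SATS),
    ChainEvent(2, "tx-unk-01", "hot-B", -12 * SATS),  # no internal record
    ChainEvent(3, "tx-dep-03", "hot-A", 60 * SATS),
    ChainEvent(3, "tx-out-02", "hot-A", -10 * SATS),  # customer withdrawal
    ChainEvent(3, "tx-unk-02", "hot-A", -20 * SATS),  # no internal record
]

# Constructed sample (assumed data source): withdrawals the exchange's own
# systems created, keyed by txid, with the amount they were meant to send.
AUTHORIZED_WITHDRAWALS = {"tx-out-01": 5 * SATS, "tx-out-02": 10 * SATS}


def is_explained(ev, authorized):
    """Deposits are always expected; a spend needs a matching internal record."""
    return ev.delta >= 0 or authorized.get(ev.txid) == -ev.delta


def unexplained_spends(events, authorized):
    """Spends from our addresses with no matching authorized withdrawal."""
    return [ev for ev in events if not is_explained(ev, authorized)]


def daily_reconciliation(events, authorized):
    """Per day: (day, on_chain_balance, expected_balance, shortfall), in satoshis.

    expected_balance counts only deposits and authorized withdrawals, so
    shortfall is what has left the addresses without the exchange's consent.
    """
    rows = []
    on_chain = expected = 0
    for day in sorted({ev.day for ev in events}):
        for ev in (e for e in events if e.day == day):
            on_chain += ev.delta
            if is_explained(ev, authorized):
                expected += ev.delta
        rows.append((day, on_chain, expected, expected - on_chain))
    return rows


def balance_only_rising(rows):
    """The naive health check: is the on-chain balance higher every day?"""
    balances = [row[1] for row in rows]
    return all(later > earlier for earlier, later in zip(balances, balances[1:]))


if __name__ == "__main__":
    rows = daily_reconciliation(CHAIN_EVENTS, AUTHORIZED_WITHDRAWALS)
    for day, on_chain, expected, shortfall in rows:
        print(f"day {day}: on-chain {on_chain / SATS:.0f} BTC, "
              f"expected {expected / SATS:.0f} BTC, shortfall {shortfall / SATS:.0f} BTC")
    print("balance rising every day:", balance_only_rising(rows))
    for ev in unexplained_spends(CHAIN_EVENTS, AUTHORIZED_WITHDRAWALS):
        print("ALERT unexplained spend:", ev.txid, ev.address, -ev.delta / SATS, "BTC")
```

On the constructed data the balance rises every day, so the naive check passes, while the shortfall grows with each unexplained spend.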
Nilsson, who believes he has convincingly linked Vinnik to at least 100,000 more Mt. Gox Bitcoins than the feds allege, still doesn’t know whether he helped the government’s investigation or simply confirmed its conclusions. With Vinnik fighting extradition from Greece and five outstanding defendants whose names remain redacted in the U.S. indictment, the IRS won’t comment on the “active and ongoing” investigation. But Kathryn Haun, a former federal prosecutor who signed off on the indictment, says Vinnik’s use of Bitcoin helps clearly connect him to the crime: “At first blush what seemed unsolvable turned out to be traceable through the use of digital currency.”
For Karpelès, Vinnik’s arrest reinforced a long-held theory: that Russian Bitcoin exchange administrators were behind a series of denial-of-service and other cyberattacks that hit Mt. Gox in 2011. Says Karpelès, “What he did, Mt. Gox is a victim of this, which means that all creditors are victims of this, and I am too a victim of this.”
Vinnik, who has denied the charges, has not been charged with stealing from Mt. Gox. But the magnitude and duration of his involvement points to some familiarity with the thieves whose profits he was allegedly laundering: “I assume at least he knows where to send the check,” says Nilsson.
Still, there’s an ironic punch line to the case: Because the stolen Bitcoins were sold right away, allegedly by Vinnik and long before Mt. Gox disclosed the hack, victims lost much more, in dollar value, than the hackers ever made—which, according to Chainalysis, was only about $20 million.
And as soon as the Bitcoins were converted to cash, the blockchain trail was broken. That means that even if authorities seize Bitcoins from the suspects, there won’t be anything to prove they’re from Mt. Gox. Sean Hays, a creditor in Arizona who says his 338 Bitcoin claim would be “life-changing,” adds, “I’ll be glad to have part of it back, but I think there will always be the hunt for where’s the rest?”
But for Burges, the key question that inspired his protest has finally been answered. “We know where the coins went, and we won’t get them back,” he says. “As far as I’m concerned, it’s solved.”
For almost four years, Josh Jones assumed he’d eventually receive his rightful portion of his nearly 44,000 Bitcoins locked inside Mt. Gox. By mid-2017, Bitcoin’s price was soaring, and Mt. Gox had enough to pay out the $430 million it owed in claims several times over. Then last September, Mt. Gox trustee Nobuaki Kobayashi, a top restructuring lawyer also representing Takata in the airbag-maker’s bankruptcy, broke the news: Under Japanese bankruptcy law, the value of creditors’ claims were capped at what they were worth back in 2014: $483 per Bitcoin. “That’s just crazy,” says Jones, who held most of the coins on behalf of his clients at Bitcoin Builder, the service he built to facilitate arbitrage trading at Mt. Gox in its final weeks. “That can’t be how it’s going to work out.”
But while there was little Jones could do back home in Santa Monica, another major creditor took it upon himself to ensure the Bitcoins would be fully divvied up among Mt. Gox victims. Richard Folsom, an American who worked for Bain & Co. in Tokyo before founding one of the first private equity shops in Japan, hired the biggest Japanese law firm and came up with a plan: What if Mt. Gox wasn’t technically bankrupt anymore? Their petition for “civil rehabilitation” of Mt. Gox, filed in November, is now pending before the Tokyo District Court; an outside examiner recommended in its favor in February. Shin Fukuoka, the partner at Nishimura & Asahi leading the effort, is confident it will be approved, as early as the end of April. “We think that the court has sufficient understanding about the problems in the case of proceeding with bankruptcy,” Fukuoka says.
Those problems, of course, include the fact that the majority of Mt. Gox’s assets would otherwise accrue to Mark Karpelès. “Such an outcome would be a travesty,” says Jesse Powell, CEO of Kraken, the San Francisco–based Bitcoin exchange appointed to help investigate and distribute Mt. Gox claims (and himself a substantial creditor).
If Fukuoka’s plan works, it would be the first time in Japan that a business “abolished” in bankruptcy was rehabilitated, he says: “These are very unique circumstances.” In a traditional civil rehabilitation, once the court gives the green light, it typically takes six months for the plan to be finalized—meaning optimistically, creditors could begin to get paid, preferably in Bitcoins, as soon as late this year. Fukuoka says he’s also considering mandating further investigation into the stolen Bitcoins as part of the rehab plan, in hopes more will be recovered. (A $75 million lawsuit from CoinLab that has held up the bankruptcy process could be sidestepped by setting aside a legal reserve fund in the meantime, he adds.) It would be an extraordinary outcome for creditors like Thomas Braziel, managing partner of New York–based hedge fund B.E. Capital Management, who has bought up $1 million worth of claims at 80¢ on the dollar, believing he will turn a profit no matter what. “Of course, if the rehabilitation happens, it’s a bonanza, and you make eight, nine, 10 times your money,” Braziel says.
That would be a relief to Mt. Gox’s disgraced CEO, who says he’s had enough of the cryptocurrency business to last a lifetime: “The only thing I’m touching related to cryptocurrency is how to solve this bankruptcy. Nothing more,” says Karpelès. Besides, he has lost faith in the initial promise of digital money: “Bitcoin right now is, I believe, doomed.”
Since his release from jail two summers ago, Karpelès has been moving apartments every few months out of concerns for his own safety. During three months of all-day interrogations while detained, he refused to confess to the accusations Japanese authorities threw at him—including, at one point, that he was Satoshi Nakamoto, Bitcoin’s mysterious founder. Still, despite what he feels is a weak case against him, he thinks the odds are he’ll be found guilty, at least during this first trial; Japan, which has a more than 99% conviction rate, is also one of a few countries that allows prosecutors to appeal an acquittal twice. In a year or two, he could be sent back behind bars. “After I came out, I felt like in a kind of dream, like I didn’t feel things were real,” he says, over a slice of cake with cream and cherries. “Even today I’m not sure yet.”
Karpelès, though, is not on trial for what even his sympathizers fault him for the most: lying about Mt. Gox’s insolvency. “When Mt. Gox didn’t have any of the coins, he was getting new deposits from other customers to pay off other people—kind of like a Bernie Madoff,” says Kelman, the lawyer.
For now, Karpelès, who’s never been to the United States (and isn’t allowed to leave Japan while on trial), is leveraging his mastery of Japanese and the country’s formal business customs. The arrest of Vinnik has made it easier to find work, he says, by lifting some blame from Karpelès. Even so, the taint of Mt. Gox follows him. “He is unhirable,” says Mike Kayamori, the CEO of Japanese cryptocurrency exchange Quoine.
Yet earlier this year, Mark Karpelès landed a big new job: chief technology officer at London Trust Media, a Denver-based corporation that runs the largest virtual private network (VPN) service in the world. It has recently been expanding into cryptocurrency-related ventures. “I am more than willing to give a second chance to Mark in this fight’s critical hour,” says Andrew Lee, cofounder and chairman of London Trust Media, who also briefly ran Mt. Gox’s U.S. operations.
Even if Mt. Gox’s rehabilitation succeeds, the company is unlikely to take another voyage. Still, that hasn’t stopped Karpelès from dreaming up schemes to get back the missing 650,000 Bitcoins. Even if the original coins can’t be retrieved, perhaps Mt. Gox could be revived long enough to generate revenue to finally make creditors whole; Karpelès also says he’s found one exchange that seems interested in pledging some of its own profits to victims.
But others, such as Kraken’s Powell, say the hole is simply too deep to fill. Besides, even if Mt. Gox did reopen, who would want to trade there? Adds Burges, the Mt. Gox protester, “It’s like having another ship called the Titanic.” For him, closure means letting the rest of the Bitcoins go down with the ship.
Satoshi Nakamoto's original paper is still recommended reading for anyone studying how Bitcoin works.
Bitcoin: A Peer-to-Peer Electronic Cash System. The paper that first introduced Bitcoin.
Download the PDF: https://bitcoin.org/bitcoin.pdf