Fourteen

The second time I met the ether thief was in the Chiyoda City neighborhood of Tokyo. It was January 2019 and we were on the 22nd floor of the Marunouchi Building, where Bloomberg has its Tokyo bureau. The park that surrounds the Imperial Palace could be seen from one side of the office; on the other side was the city's main train station and the Tokyo Station Hotel, a beautiful brick and granite building that looks like a palace in its own right. It was a miserable day outside, with cold rain driven by strong winds and intermittent snow flurries.

I was half a world away from my meeting a few months earlier with the man I'd thought was the ether thief. The story had evolved since then: I had new reporting and had made a discovery on my own that had led me here to Tokyo. To explain that, we need to go back a bit to revisit why I'd thought, incorrectly, that the man in Zürich had attacked the DAO.

The first important piece of the puzzle was the encrypted message that was shared with me. That came from the 0x15def account. No one outside the RHG had ever seen the message; it was a great clue. The second puzzle piece came from a source with knowledge of the exchange world. I'd been told the identity of someone who had an account at the exchange Poloniex. The source said the person I met in Zürich had withdrawn Bitcoin from Poloniex and sent it to ShapeShift, where it was swapped for ether. That ether then shows up in the public Ethereum blockchain at the address 0x4fae.

I'd found a link between 0x15def and 0x4fae. On June 21, 2016, the 0x4fae address sent ether to address 0x15def, for a total of five ether. Why would the man in Zürich be sending ether to the account of a known DAO attacker? It was no smoking gun, but it was enough for me to get on a plane so I could meet him and ask the question.

The man in Zürich denied having anything to do with the DAO attack, though I thought it was a weak denial at best. Then I got updated information from my source and I knew I'd asked the wrong person if he'd been involved with the DAO hack. I was at home by this time; it was several weeks after I'd returned from Zürich. The news that I had the wrong person knocked me sideways. I'd thought all along that this story needed to start with the ether thief, nefariously hunched over a keyboard and waiting for just the right moment to begin his attack. I thought I had something, albeit a slender lead. And then it turned out I had nothing. It was impossible for me to write that day, even though the clock was ticking on getting my book in on time. So instead I started poring over the blockchain records on Etherscan.

I started with 0x15def since I knew that was a bad-guy address. It had received ether from 0x4fae, but in the blockchain records I could see that these were only two transactions among dozens of others. They came in the middle of a whole lot of other activity. But I thought I should see how 0x15def began – how it had received the initial funds that were recorded on the blockchain.

The 0x15def address had received its initial funding from address 0x35f5, which had sent it two ether on June 20, 2016, at 11:29:56 UTC. In looking at 0x35f5 I could see that it had been funded by 0x4fae on that same day at 10:56:53 UTC, only about an hour before it had sent ether to 0x15def. The accounts were all linked – the connection wasn't just a few ether transactions between 0x4fae and 0x15def. I'd found a link between the Poloniex account withdrawal and the address that'd sent the encrypted message to the RHG and that had attacked the DAO on June 21. Not only had it attacked the DAO, it was the next-largest theft after the original hack on June 17. I couldn't believe what I was seeing.

I ran to tell my wife what I'd found and took her laptop to pull up the Etherscan records to show her the linked accounts. I was elated and felt like this had been there all along for anyone to see, but not everyone had had the encrypted message and the link between the Poloniex account and address 0x4fae. Two different sources had given me pieces, and I'd put them together to make this whole.

Still, I could be wrong, I thought. It's possible that different people had sent ether to either 0x35f5 or 0x15def to fund those accounts. It didn't have to be the same person. But what if it was?

I was reassured that my theory that the accounts were linked was solid because of the initiating transactions. They provided a through line. Then there were the dates and times of their creation. I thought it unlikely that there were other people sending ether to 0x15def or 0x35f5, as they were funded only 33 minutes and 3 seconds apart.

I wondered if the feds had ever made the connection I'd uncovered. Various law enforcement agencies had looked into the DAO hack back in 2016. The New York attorney general and the Boston office of the Federal Bureau of Investigation had started asking questions, according to several of the people they'd spoken to who asked not to be named. The FBI's Jeff Williams was one of the agents tasked with looking into the case, these people said. The FBI also was given the blockchain records and analysis done by Poloniex, according to an executive at a major digital asset exchange who asked not to be named. This was in October 2016, and there was frustration on the exchange side that government agents weren't more adept in understanding the information they were given. After October the trail went cold and the FBI didn't contact Poloniex again, the executive said.

When I reported in 2017 on the DAO attack for Bloomberg Markets magazine, I spoke to a prosecutor who had tried digital asset cases for the Justice Department. There was a belief that many people were victims of the DAO attack, including Ethereum users in the US. But the jurisdiction would be a nightmare, I was told. It was also not an open-and-shut case: there would need to be lots of digging and subpoenas needed to get the information the government would need to try a case. Even then it would be very risky for a prosecutor to take the case due to its complexity, the former prosecutor told me. By the end of 2016, US law enforcement efforts to investigate the DAO attack had gone cold.

After I made the funding connection between 0x4fae and 0x15def I still had a problem. I'd once been given incorrect information about who owned the exchange account that withdrew the funds and sent them to 0x4fae. Forensics were much less advanced in 2016 than in 2019, so it isn't hard to believe that what looked like solid connections then might turn out not to be solid when analytics were applied three years later. The picture was much more distinct in 2019. And from what I was told, in 2016 the information the exchange had given both to me and the FBI about the owner of the Poloniex account had been the same. So at least the feds and I both got the same bad tip, I thought.

But in 2019, I still needed to know the real owner of the account. I spoke to a source again and was given a different name this time: Tomoaki Sato. I knew then that I had to make arrangements to go to Tokyo.