Cyber Incident Victim: Satoshi Nakamoto Institute
Date: Sep 2014
Location: United Kingdom
Summary
An individual identifying as 'Jeffrey' compromised an email account associated with bitcoin's creator, threatening to sell purported secrets—including emails and identity-revealing information—for 25 bitcoins. The attacker leveraged the account to post unauthorized messages on the P2P Foundation website, warning of potential harm due to an alleged IP leak, and defaced a bitcoin developer page on Sourceforge. While claiming possession of correspondence dating to 2011, Jeffrey provided no substantiating evidence. The compromise method remained unclear, with possibilities ranging from account hijacking to re-registration after prolonged inactivity. A forum administrator confirmed receiving an excerpt of his own past email to the compromised account but dismissed the incident as likely trolling.
Description
In September 2014, an individual identifying himself as 'Jeffrey' claimed unauthorized access to the [email protected] email account historically associated with Bitcoin creator Satoshi Nakamoto. Jeffrey contacted WIRED, asserting control over the account and possession of emails dating to 2011 that could reveal Nakamoto’s identity. He demanded 25 bitcoins (approximately $12,000 at the time) via a Pastebin post, threatening to release the information unless paid. Jeffrey attributed his access to Nakamoto’s alleged operational security failures, stating the creator used a primary GMX account under his real name with email aliases, adding, "He's also alive." The attacker leveraged the compromised email to post messages on Nakamoto’s P2P Foundation forum account on September 8, warning Nakamoto that his IP address had leaked in 2010 due to improper Tor configuration and urging him to flee before "these people harm you." Jeffrey also defaced an archived Bitcoin developer page on Sourceforge using another linked account. No verifiable evidence substantiated Jeffrey’s claims about possessing sensitive data or IP leaks, and he declined to elaborate on his intrusion methods when questioned by reporters.

The incident raised concerns about the integrity of Nakamoto’s dormant digital footprint. Jeffrey provided Michael Marquardt, administrator of Bitcointalk.org, with a March 2014 email excerpt sent to Nakamoto, suggesting the account had been compromised for at least six months. Marquardt dismissed the threat as a troll attempt "for the laughs," noting the lack of proof regarding the attacker’s access to historically significant correspondence. GMX.com, the U.K.-based email provider, did not respond to inquiries about whether the account was hijacked or simply re-registered after years of inactivity. The defacements and threats highlighted persistent interest in unmasking Bitcoin’s creator but yielded no conclusive breach of Nakamoto’s anonymity. No public evidence emerged of payments to Jeffrey or subsequent data leaks tied to the incident.
