Cyber Incident Victim: Bitcoin
Date:
Sep 2014
Location:
United Kingdom
Summary
An individual identifying as 'Jeffrey' compromised the email account associated with bitcoin's creator, Satoshi Nakamoto, threatening to sell undisclosed secrets—including purported emails and identity-revealing information—for 25 bitcoins. The attacker leveraged control of the email to post unauthorized messages on the P2P Foundation website and deface a bitcoin developer page on Sourceforge, claiming the victim’s IP address had leaked years earlier due to misconfigured Tor, though no evidence was provided. The breach may have resulted from either account inactivity allowing email re-registration or direct hacking, potentially exposing historical correspondence. A forum administrator confirmed receiving an excerpt of a past email to Nakamoto from the attacker, suggesting the compromise dated back months, but dismissed the incident as likely trolling.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In September 2014, an individual identifying himself as 'Jeffrey' gained control of the [email protected] email account historically associated with Bitcoin creator Satoshi Nakamoto. Jeffrey contacted WIRED, claiming possession of emails and information that could reveal Nakamoto's identity, which he offered to sell for 25 bitcoins (approximately $12,000 at the time). He asserted Nakamoto had used a primary GMX email account under his real name with aliases, adding "He's also alive" when questioned about the account takeover method. Jeffrey leveraged the compromised email to access other accounts linked to Nakamoto, including defacing a Bitcoin developer page on Sourceforge and posting a message to Nakamoto's P2P Foundation account on September 8, 2014. The P2P Foundation message warned Nakamoto that his IP address had leaked in 2010 due to improper Tor configuration while using the email, urging him to flee before being harmed.
Jeffrey provided no verifiable evidence supporting his claims about Nakamoto's identity or the alleged IP leak. Michael Marquardt, administrator of Bitcointalk.org, received an email excerpt from Jeffrey that Marquardt had originally sent to Nakamoto in March 2014, suggesting the account compromise occurred at least six months prior. GMX.com, the UK-based email provider, could not be immediately reached to confirm whether the account was hacked or re-registered due to inactivity following Nakamoto's disappearance from public communications in 2010. Marquardt dismissed the incident as likely trolling rather than a legitimate threat. The attacker's actions temporarily disrupted historical Bitcoin community resources but yielded no conclusive evidence about Nakamoto's identity or whereabouts.