How Investigators Cracked a $3.4 Billion Crypto Heist – The Journal.

This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.

Ryan Knutson: In 2012, a guy named Jimmy Zhong wanted to buy some cocaine. So he went to a site on the dark web called the Silk Road, where you could buy all kinds of illegal stuff.

Bob McMillan: You could buy guns on it. You could buy drugs. The kind of products that would maybe not be sold in legitimate businesses were available on the Silk Road, but it was mainly used by people to buy drugs.

Ryan Knutson: That’s our colleague, Bob McMillan, who covers cyber crime. Zhong bought cocaine using Bitcoin, and later when he went to pull his Bitcoin off the Silk Road website, he discovered something weird.

Bob McMillan: The way he describes it is he double clicked on a part of the website that allowed him to get paid twice when he was trying to withdraw Bitcoin from it. So he would put some Bitcoin in and then try and take it out, and he found a way of getting paid multiple times. So it was like a flaw in the site. It doesn’t sound like it was a really major flaw in the site, but within a couple of days and just a few hours of effort, he withdrew 50,000 Bitcoins, which at the time was worth just over $600,000.

Ryan Knutson: It’s like going to an ATM and trying to withdraw 20 bucks, and instead it spits out 40.

Bob McMillan: It’s like going to an ATM run by criminals and trying to withdraw 20 bucks and it spits out a hundred.

Ryan Knutson: Zhong had successfully robbed the Silk Road, a criminal enterprise, of 50,000 Bitcoin. At the time, there were plenty of reasons to think he’d never get caught. After all, Bitcoin transactions were anonymous and no one running the Silk Road had any idea who Jimmy Zhong was.

Bob McMillan: You’re on this anonymous website connecting via a dark web network, so there’s no registering of IP addresses, and you’re using this currency called Bitcoin, which is being promoted as digital cash. So it just seemed like this sort of perfect crime in some ways back in 2012.

Ryan Knutson: Right. Who could possibly catch me?

Bob McMillan: Who could possibly catch him? Yeah.

Ryan Knutson: But nine years later, Jimmy Zhong did get caught, and how it happened says a lot about just how anonymous cryptocurrency really is.
Welcome to The Journal, our show about money, business, and power. I’m Ryan Knutson. It’s Thursday, April 20th.
Coming up on the show, how Jimmy Zhong got caught.

Ryan Knutson: Tell me a little bit more about Jimmy Zhong at the time of his death back in 2012.

Bob McMillan: So he was a 22-year-old college kid. He was really good with computers. He had undiagnosed autism, was bullied in school, had sort of gotten out of that and was in college. Sort of learned to party in college and was kind of trying to become who he would be.

Ryan Knutson: According to his lawyer in court documents, Zhong got into Bitcoin early. He was mining Bitcoin way back in 2009 when it wasn’t worth very much. But as Bitcoin rose in popularity, its value grew. Soon Zhong was sitting on hundreds of thousands of dollars worth of crypto. He used his money to buy drugs and to try and impress girls.

Bob McMillan: When Jimmy was in college, he had a suitcase full of cash that he kept in his room, and his idea was that he would show this to women to impress them with the idea that they would become his girlfriend. And very sadly, in the court documents, it said this plan never worked out.

Ryan Knutson: Zhong’s Silk Road hack only added to his haul. Zhong’s heist might have seemed the perfect crime, but the funny thing is that when Zhong stole from the Silk Road, technically everyone could see it. That’s because Bitcoin is actually very transparent. Every transaction, every transfer of Bitcoin from one wallet to another, is publicly recorded on the blockchain for anyone to see. On the other hand though, Bitcoin is anonymous because no one knows who owns the wallets.

Bob McMillan: I mean, if you think about Bitcoin, there are websites you can go to and you can see all of the Bitcoin transactions that are happening as they happen, and what they look like is just a series of numbers and letters and then some value of Bitcoin being moved to or from one series of numbers and letters to another series of numbers and letters. So to a novice, you look at these transactions and you’re like, “It’s like I’m sitting in the phone company and I can see the phone calls going. I can see the number to and from that they’re going to, but who are these people?”

Ryan Knutson: So people can see all the phone numbers and the calls going back and forth, but there’s just no phone book to figure out who anybody is.

Bob McMillan: Right.

Ryan Knutson: But in the years after Zhong’s heist that started to change. People started to figure out how to make sense of all that publicly available blockchain data. They figured out how to track the flow of money from wallet to wallet and sometimes figure out who those wallets belong to. Basically, people started to build a phone book.
A key moment happened in 2014 when a cryptocurrency exchange called Mt. Gox suddenly collapsed.

Bob McMillan: Mt. Gox was the most popular place to buy and sell Bitcoin, but it was kind of the early days of cryptocurrency, and it wasn’t that professionally run. And one day Mt. Gox just stopped processing transactions, and they didn’t really explain why.

Audio: Mt. Gox, the exchange is down. It went dark. It’s offline. No one can find the CEO.
Millions of dollars are at risk, and some people who invested in the digital currency now say they are worried.
But a lot like things in Bitcoin, the details of exactly what happened are not 100% clear.

Ryan Knutson: Mt. Gox users wanted answers about what had happened to their crypto. An economist named Jonathan Levin and a blockchain expert named Michael Gronager were also curious. Together, they decided to try and crack the mystery of what happened at Mt. Gox.

Bob McMillan: So Michael and Jonathan started investigating. They started mapping out Mt. Gox and trying to understand what were the Bitcoin wallets used, how did it interface with other people who were buying and selling Bitcoin, and where was the money going? That was the fundamental question.
It took them three months to sort of map out what Mt. Gox looked like, where its assets were, what its assets amounted to. And they realized that there was some money missing, a lot of money.

Ryan Knutson: Gronager and Levin noticed that a ton of Mt. Gox’s Bitcoins, 600,000 of them, weren’t where they were supposed to be. It later came out that Mt. Gox had been hacked. One person linked to that hack was eventually arrested. Bob says the technique that Gronager and Levin used to track the money was a game changer.

Bob McMillan: It was the first time that anyone had really mapped out an entire institution on the blockchain, and it showed that to a large extent parts of the Bitcoin blockchain could be de-anonymized and you could really get some useful information from this public ledger that could then point you in the direction of solving crimes.

Ryan Knutson: Levin and Gronager had taken the first step in building that Bitcoin phone book. They showed that it was possible to sift through the mountains of anonymous blockchain data and start to make sense of it. But there was one other important development that needed to happen before people like Zhong could be identified. The crypto exchanges where people stored their crypto wallets had to start asking more questions about who was setting up accounts on their sites.
What role do crypto exchanges play in the crypto tracking effort?

Bob McMillan: Well, they play an increasingly important role. In the early days, the early exchanges were not so great at responding to requests from law enforcement. They weren’t so great at enforcing really strong know your customer requirements, but it’s become clear to all of them that they’re going to need to do that or face pressure from the United States.

Ryan Knutson: Under pressure from regulators and law enforcement, many crypto exchanges started to play ball. They started collecting information about their customers like government IDs and IP addresses. And when investigators come knocking, looking for stolen crypto, they often cooperate.

Bob McMillan: When law enforcement agencies from any country identify funds that have been used in crime, they want to be able to go to the exchanges and say, “Freeze those funds. That’s stolen money. Don’t pay it out.” Then they also want the capability of seizing that money and getting it back. So if the exchanges are complying in knowing the customers, that helps them make arrests. If they’re compliant in freezing the money and sending it back to law enforcement, that helps get restitution for victims of crime.

Ryan Knutson: As a result of all this, law enforcement can now track illicit crypto as it moves through the blockchain, and sometimes they can connect those illicit funds to people’s real world identities. Bob says that changed the calculus for criminals.

Bob McMillan: The thing that I think that the criminals really miscalculated was once your anonymity is broken, once people find out who you are with one transaction, they can pretty much find out who you were for every transaction. So when your anonymity cracks, it cracks in this major, major way, and that’s just opened the flood gates to investigations.

Ryan Knutson: Coming up, how Jimmy Zhong’s anonymity finally cracked.
When Jimmy Zhong stole those Bitcoins from Silk Road in 2012, they were worth about $600,000. But as Bitcoin shot up in value, so too did the value of Zhong’s haul. By late 2020, he was sitting on more than a billion dollars worth of Bitcoin.
Zhong spent some of that money, but not very much. According to court documents and his lawyer, he had a Lamborghini, a lake house in Georgia, and he partied on boats and private jets, but most of the money he just sat on because the thing about crypto crime is that spending stolen coins is actually kind of hard.

Bob McMillan: The thing is that everybody who has Bitcoin sort of realizes that when it comes time to spend it, that’s when everything changes a little bit, right? So when you acquire the Bitcoin, you can acquire it anonymously. You can move it around anonymously, but at some point you might want to buy something in the real world and things in the real world often have a paper trail.

Ryan Knutson: Zhong tried to be careful.

Bob McMillan: He took some steps to cover his tracks. He used these things called mixers. It’s like you’re walking through the snow and you take a branch and you cover, you kind of obfuscate your footprints, but ultimately he slipped up. And what he did was he mixed money that he had stolen with money that was not stolen, that he had put in a Bitcoin exchange.

Ryan Knutson: This was a big mistake because unbeknownst to Zhong, federal investigators were tracking his stolen Bitcoin. The Feds first got wind of Zhong’s heist in 2019, according to court documents and someone familiar with the investigation. At the time, they were looking into yet another Silk Road hack when they noticed that 50,000 of Silk Road’s bitcoins were missing. Then in 2020, a cyber investigator working for the IRS saw some of those 50,000 stolen Bitcoins land in a wallet at a Bitcoin exchange.

Bob McMillan: And when you see the Bitcoin exchange pop up, you’re like, “Aha, I’ll betcha they have some information about this person,” right? Because Bitcoin exchanges are supposed to collect the know your customer information.

Ryan Knutson: Sure enough, the exchange did have some information. It had Zhong’s IP address.

Bob McMillan: And when the investigators asked the internet service provider about this IP address, the internet service provider said, “This is Jimmy Zhong’s IP address.” So then they had a name.

Ryan Knutson: So investigators connect Zhong to these stolen funds, and then what happens next?

Bob McMillan: Well, then they search his place. They got to prove that he actually has the Bitcoin, that it’s really him. And so they search his house.

Ryan Knutson: On a November morning in 2021, IRS agents showed up at Zhong’s lake house in Georgia.

Bob McMillan: So they come in. They search his residence and they find a couple of things hidden. They find in a floor safe in the basement, a bunch of cash, and they also find in the bathroom, they find this Cheetos flavored popcorn tin that has a blanket inside it and underneath the blanket, there’s a computer motherboard.

Ryan Knutson: On that motherboard were the secret passcodes to some of Zhong’s Bitcoin wallets. Investigators found more passcodes in the basement safe. And how much money did they recover?

Bob McMillan: $3.4 billion at the time.

Ryan Knutson: That’s a lot of money. That’s a lot of money.

Bob McMillan: That’s a lot of money to be keeping like in a popcorn tin in your bathroom.

Ryan Knutson: Those Bitcoins must be real small.
Zhong pled guilty to wire fraud. Last week he was sentenced to a year and a day in prison.
Okay, so now that law enforcement has this playbook for tracking crypto and trying to get people’s identity in the real world, how is law enforcement using this tool?

Bob McMillan: Oh, they have … It turns out that they have cracked a ton of cases over the last few years in part using some of these techniques. They’ve been using it against all kinds of criminals, money launderers, child pornographers. They used it in the takedown of AlphaBay, which was sort of a successor to the Silk Road. It’s been boom time for the federal government. The IRS has seized more than $10 billion in the last two years as a result of cases that were cracked using these techniques.

Ryan Knutson: Is it just the federal government that is using these techniques to go after criminals?

Bob McMillan: No, and this is actually one of the things that I found the most interesting about this story, is that local law enforcement is really interested in all of this stuff.
There are investigators like Erin West, this prosecutor in Santa Clara who has just evangelized this technique of tracing the money after somebody gets defrauded, going to the place that the money winds up at, usually a Bitcoin exchange and saying, “Hey, this is stolen money. We’re a US law enforcement investigation agency. We want you to freeze the money, and then we want you to send it back to us so we can give it back to the victims.” She recovered $2 million last year doing this.

Ryan Knutson: Wow.

Bob McMillan: And in a way, it’s the first chance that a lot of local law enforcement investigators have ever had at actually doing something significant about cyber crime.

Ryan Knutson: What is this going to mean for criminals?

Bob McMillan: I mean, there was a time, I think, when cryptocurrency was much easier for them to acquire and spend, and it’s becoming harder. Like they’re having a harder time going to just any exchange to convert their stolen Bitcoin into local currency. Bottom line, it’s becoming more expensive to do cyber crime because of these techniques.

Ryan Knutson: That’s all for today, Thursday, April 20th. The Journal is a co-production of Gimlet and the Wall Street Journal. If you like our show, follow us on Spotify or wherever you get your podcasts around every weekday afternoon. Thanks for listening. See you tomorrow.