How Matthew Leising Confronted His Suspects in the DAO Attacks

Matthew Leising, a reporter at Bloomberg who began covering crypto in 2015, is out with a new book Out of the Ether: The Amazing Story of Ethereum and the $55 Million Heist that Almost Destroyed It All. In this episode, he discusses:

• the catalyst that led to him writing his new book, which covers the early history of Ethereum and the DAO attack of 2016
• why he thought the story of the DAO hack was compelling enough to make a book, and how he went about reporting it
• the surprising things he learned about Ethereum’s early days and Vitalik
• the twists and turns during his quest to discover the identity of the DAO attacker
• why he thinks separate people were responsible for the two biggest DAO attacks
• his meeting in Tokyo with one of the prime suspects of a copycat DAO attack
• why he decided to end his story at the Ethereum hard fork and chose not to write about Ethereum Classic 
• what he feels the long-term significance of the DAO and the hard fork has been for Ethereum
• why he thinks the lessons of the DAO are not being heeded today
• what he thinks the next chapter of Ethereum will be and how it will unfold
• the differences he’s found as a journalist covering crypto as opposed to covering more traditional finance
• and how the book is about more than just the DAO

Thank you to our sponsors! 

Crypto.com: https://www.crypto.com

Gods Unchained: https://playgu.co/unchainedpod

Episode links: 

Matthew Leising: https://twitter.com/mattleising

Out of the Ether: The Amazing Story of Ethereum and the $55 Million Heist that Almost Destroyed It All: https://www.wiley.com/en-us/Out+of+the+Ether%3A+The+Amazing+Story+of+Ethereum+and+the+%2455+Million+Heist+that+Almost+Destroyed+It+All-p-9781119602934

Matt’s original Bloomberg article on the DAO attack, “The Ether Thief”: https://www.bloomberg.com/features/2017-the-ether-thief/

Excerpt in Bloomberg: https://www.bloomberg.com/news/articles/2020-09-16/a-trip-down-the-crypto-rabbit-hole-in-search-of-the-dao-hacker

Excerpt in CoinDesk: https://www.coindesk.com/55m-hack-ethereum-down

Decrypt’s interview with Matt about the book: https://decrypt.co/41952/book-sheds-new-light-on-ethereums-55-million-dao-hack

Transcript:

Laura Shin: 

Hi, everyone. Welcome to Unchained your no-hype resource for all things crypto. I’m your host, Laura Shin, a journalist with over two decades of experience. I started covering crypto five years ago, and as a senior editor at Forbes, was the first mainstream media reporter to cover cryptocurrency full-time. Subscribe to Unchained on YouTube where you can watch the videos of me and my guests. Go to youtube.com/c/unchainedpodcast and subscribe today. 

This show is sponsored by Gods Unchained, the digital card game that offers true ownership to players. It’s fun, engaging, competitive and has more NFTs than any other Ethereum game on the market. You can try the game out at https://playgu.co/unchainedpod Crypto.com Crypto.com is waiving the 3.5% credit card fee for all crypto purchases until the end of September. Download the Crypto.com app today.

Laura Shin: 

Today’s guest is Matthew Leising, reporter at Bloomberg and author of Out of the Ether, the amazing story of Ethereum and the 55-million-dollar heist that almost destroyed it all. Welcome, Matt.

Matt Leising:

Hey, Laura. Thank you very much.

Laura Shin:

Congrats on the publication of your book, Out of the Ether, which comes out the week after this podcast drops. Tell us what it’s about.

Matt Leising:

Thank you. Yeah, so it’s an early history of Ethereum starting with Vitalik and going on through his life and how he came to invent Ethereum, and the co-founders that he gathered around him, and the ups and downs of launching the network. 

It’s also a bit of a deep dive in the DAO hack in 2016 where I wrote a magazine story about it a couple years ago in 2017, and I just always in the back of my mind wanted to do a little more reporting, and I thought a book would be a great format to try to find out as much as I could about who was behind the hack and just I knew that there was a lot of great stuff that I hadn’t used in the magazine story, so that was a big part of it, and then it’s also just about how Mainstreet and Wall Street are really coming to Ethereum and how it’s starting to sort of work its way not just into finance but into things like Reddit and all sorts of other parts of the economy.

Laura Shin: 

As you mentioned, one of the main catalysts for you to write the book was that earlier article on the DAO attack, how did that article come about?

Matt Leising:

Well, so I remember that Friday in 2016 when the DAO was hacked, I was home sick on my couch, and I looked at my phone and was like, oh. I was aware of the DAO, I had paid a little bit of attention to it, and then I’m like, oh my god, everything was blowing up, and it’s like being robbed, as I was sitting there on my couch, and I thought it was fascinating, but it wasn’t the right time at Bloomberg to really be talking about the DAO or Ethereum, for that matter, it was still really early in the project, the DAO was kind of like the only thing going really at that point, and it didn’t have much to do with finance or the Wall Street sort of audience Bloomberg News writes to, so I just sort of paid attention, but then forgot about it until later that year, I think it was the end of the year, the editor of the magazine came to me and said, hey, we’re doing a heist issue, we do this every year, do you have any good heist stories, and so the DAO just popped into my mind immediately because I had watched what had happened, and I knew the fork was there, and all this crazy stuff in Ether Classic, and again, like I said, it’s not something you can really capture I think in a news story, you need a longer format, and so I thought a magazine story would be great for that, and it turned out to be like the most fun I’ve ever had, I really enjoyed getting to know everybody, the story is just absolutely bonkers, and so I was just really happy with that and the way it turned out, and so I was able to take that magazine story and use it to write a book proposal, and here we are. 

Laura Shin:

I highly recommend that readers check out that article. I remember when it came out because there were so many cool interactive elements, as well, where you could learn the technology that were sort of like in these…like in a magazine, we would call them sidebars, I actually didn’t look at the physical copy, but online, you guys literally did them almost like sidebars, like they would like pop up on the side and then you could kind of go down like little mini rabbit holes. 

Matt Leising:

Right, so like as we had mentioned, a Tweet, it would show up on the side, and you’d see like Alex’s tweet about the DAO being drained, and then what I liked too was on the left side, the actual DAO code was there, and as you scroll down the story, it sort of follows along the code because the famous line in there is line 666, it’s where the bug was, and so you know truth is stranger than fiction, so we just sort of like had a really fun time playing with that stuff. 

Laura Shin:

Before writing that article, how familiar were you with Ethereum and crypto, and what, in general, was your history covering the blockchain space?

Matt Leising: 

Yeah, so I had gotten into it in 2015, the year before, so it might be for people who don’t know is like market structure is a general term, it’s how markets work or don’t work, how they’re like being updated, manipulation, like I covered Dodd-Frank really closely because that was a real-time regulation of the swaps market, and so I had heard about bitcoin but dismissed it because I just didn’t get it, to be honest, and I didn’t believe in the ones and zeros kind of thing of like having value, but that was me in 2014 or so. 

Once in 2015, I read something about blockchain and what it could do in terms of like a backend and how it might apply to all these financial markets that I covered, so I said to my editor, I’m like, hey, I want to cover blockchain, and he’s like, great, what’s blockchain, so I was one of the first at Bloomberg to sort of start digging into it. 

We did a story pretty early on when Blythe Masters was appointed to be the CEO of Digital Asset Holdings, that made it on the cover of Markets magazine, and as I’ve heard in years since, you know, that was sort of a big deal for people on the street that blockchain was something to take seriously, but that wasn’t really Ethereum, I didn’t get into that until the next year early in 2016, I remember going out to see Joe Lubin at ConsenSys in their Bushwick Headquarters, and he made the lightbulb go off over my head, you know, after repeating the phrase – world computer – enough times. It just really kind of took it from this sort of abstract thing that I’d been writing about and made it a lot more concrete to me, and after that, you know, we still say it’s early days, and this was 2016, and it was really early days, like there was very little to point to in terms of like a real project or something you could do besides buying and selling Ether, then the DAO happened, and that was obviously a huge deal, I think it was what put Ethereum on the map, it was wildly ambitious, and it just ended up going down in flames in front of everyone, and so that’s kind of my arc to the DAO, and so since 2015, I’ve been writing about crypto in all sorts of ways but mostly the sweet spot for me is where the two meet in terms of finance and improving efficiency for corporations, and supply chains, and stuff like that. 

Laura Shin:

And you mentioned that after you had written The Ether Thief article you used some of that to write your book proposal and get this book deal, but at what point did you realize that you wanted to write a book or that this could be a book?

Matt Leising:

I think I knew once the magazine story was done. I was like this is a great tale and it’s got tension in it, and there’s all these like funny mishaps, and I thought it would just be an amazing device to string throughout a book where you could keep the reader’s attention on this heist part and then in other parts of the book say this is cool, here’s Ethereum, and here’s Vitalik, and here’s Gavin Wood, and so it was really just like when I realized that this is a wonderful storytelling device to try bait the reader along with like there’s this crazy heist going on, and I’m going to lead you through it, and I think, you know, especially I was hoping I would find somebody who was behind it, which nobody has done that, you know, they’re still out there, and so once that sort of cemented in my mind, I knew that that was a great structure, and so I put the book proposal together. 

The funny thing is I couldn’t get an agent to save my life, I tried everybody, and I got nothing, and I’d given up, and out of the blue, I think in January of 2018, an agent just got in touch with me and asked if this was still available, and he became my agent. It was a tough sell, I think, for people because it’s a technical issue.

Laura Shin:

So, he had heard through the grapevine that you were shopping that book proposal because that doesn’t normally happen? 

Matt Leising:

No, no, I had sent it to him, and he just didn’t respond, you know, I don’t think he responded for months, and all the other responses I got were like this is pretty cool, but we’re not sure we could sell this, you know, that’s really what an agent cares about, and then so I’d gone through that with dozens of agents, and so anyway, I had given up, I didn’t think I could sell it, and then this guy came out of the blue, and we were able to get the proposal in shape and sell it to Wiley. 

Laura Shin:

Yeah, like I know normally journalists don’t do this, but you could’ve come to me and I would’ve tried to help you get an agent. 

Matt Leising:

All right, I’ll remember that. 

Laura Shin: 

Yeah, literally the woman who connected me with my agent just randomly emailed me right before this podcast recording, which I hadn’t talked to her a really long time, but I’m like ever so grateful to her. Anyway, so I did see at the end of your book that you thanked your sources, and you said that there were more than 70 sources for the book, how did you go about reporting this book? 

Matt Leising:

Well, so through The Ether Thief story, I’d gotten to know a lot of the guys in the Robin Hood Group, those are the good guy hackers. I’ve known Joe Lubin for a long time, I’ve known Vitalik and interviewed him a couple times over the years, and I think luckily that story in 2017 was well received, and I think people thought that I did a good job, so I think I had a bit of trust built up among people in the community, so when I started going out and asking if I could talk to people, pretty much everyone said yes, I got a lot of access, and it was great, so I just interviewed people over and over again over 2019 and just had dozens of notebooks that were filled and a huge file of research, and like with Vitalik, I think I interviewed him for about 10 hours total over several different times, I tend to just want to get in there and interview somebody for about an hour, you know, I record it on the record because after about an hour, I just kind of lose focus, so then I go back and do it again with them, you know, like a few days later sort of follow up on things and just to continue the conversation, and that’s sort of how I’ve been doing it for a long time, it’s just the method that works for me.

Laura Shin:

So, I know that the audience will want to know if you found out who the DAO attacker is, but before we dive into that whole part of your book, why don’t we just discuss the earlier part of it, the ancestry, and then we can get to that, so what are some of the things that you learned about Ethereum that you didn’t previously know or that you think a lot of people don’t know?

Matt Leising:

Well, I knew that the original group of people that Vitalik gathered around him were problematic, I guess you could you say, a lot of different personalities. It was very random how that group came together, there was really no rhyme or reason, it was just the people who reached out to him after he sent his whitepaper around and said, hey, I want to help, and so there were people who did that for wanting to help code, there were people who wanted to maybe get in on this and get rich, there were people who did it for a lot of different reasons, and it made for a very strange group.

As you know, within six months, people were fired, and there was a reorganization, and there was a lot of infighting and just clashing of egos, I think is the way to say it, so I had sort of known that generally, but what I didn’t know is that like that first sort of bloodletting in Zug, as I call it in the book, where Charles was fired and Amir Chetrit was fired.

Laura Shin:

Charles Hoskinson. 

Matt Leising:

Yes, Charles Hoskinson. 

Laura Shin:

Yeah, who’s gone on to found Cardano.

Matt Leising:

Correct. After that, it didn’t get any better. The Ethereum Foundation was just a mess sort of from the get go, and throughout the period of when I’m writing this book, you know, the infighting continued after that through 2016. There was a big part where they brought in a professional board of directors and hired an executive director, that whole process was really kind of loosey goosey, and one of my favorite stories in the book is right as Ming was hired, she was complaining on a text string about the board and how they were already being difficult, and she wanted to fire them. She thought she was texting her sister, and she was actually texting one of the board members, so they had a meeting coming up in a few days, and it was already just, you know, the knives were out, and so I think what’s fascinating is that Ethereum survived despite all of this. It’s such a good idea, and there were people around who were driving it and knew that the idea here was solid and that the coding could be done, and they just sort of put their noses down and did the work even though all this leadership and political stuff was going on the whole time, so that was fascinating when Vitalik started telling me these stories, I just was kind of like my jaw was kind of dropping. 

Laura Shin:

And you said that most people spoke to you, but I do remember there were some points in the book where you said so-and-so declined to talk to me or did not respond, so how did you deal with those parts of the story where that person was a central character but you did not have their perspective? 

Matt Leising:

So, the one that really applies there is Ming Chan. I tried for months to get her to talk to me, but she just didn’t, and you know she’s a divisive figure in the industry, and a lot of people have a range of opinions on her, and I told her that, so I really wanted to get her thoughts on it, and unfortunately, I wasn’t able to, so that had an affect where I think the book would’ve been much stronger with her voice in it, but you know, as a reporter, you can only ask people to talk to you, and people sometimes don’t for lots of good reasons, so there was that, and then the other only one was Jeff Wilcke, he didn’t respond, and I guess I should say Amir Chetrit didn’t respond to me either. 

As you probably know and your listeners might know, they’re sort of out of Ethereum and have been for a long time, so I think some people just didn’t want to revisit the past, and so I would say though that the majority of the book, I had on the record people in the room like almost like 95% of the time, so as a writer, that’s what you hope for, and I was really happy that I did get that access and that people did trust me to tell this story and to get it, hopefully, right.

Laura Shin:

And just to clarify for people, Jeff Wilcke was the lead on the Go Ethereum client for a long time, and Amir Chetrit was a co-founder who was removed from the project at the same time as Charles Hoskinson, and I think we already said Ming Chan was the executive director of the Foundation. 

So, now let’s talk about your quest to find the DAO attacker. I could see just from the way the book was written that that was a real driving force for you, so how did you go about doing that? 

Matt Leising:

Well yeah, it was, it always bugged me that people just sort of got away with that, and I know it’s a twisty and turny story, and then the money was returned and all that, but…

Laura Shin:

Wait, what do you mean the money was returned? Not from the hacker?

Matt Leising:

The stolen Ether was returned to people, you know, everybody got their money back, who had money in the DAO, and then the hacker made some money with the Ether Classic chain.

Laura Shin:

Oh, oh, right, right. 

Matt Leising:

Right, but the big haul there was the Ether that was stolen from the DAO in the first place, and it was put back by the hard fork. 

Laura Shin:

Right. 

Matt Leising:

So, you know, I don’t know, it was such a compelling story on the good guy hacker side like with ABSA, and Griff Green, and Lefteris, and Jordi Baylina, and all those guys were doing was so fascinating, I really wanted to match that up with like who is this attacker because the hack is brilliant, really it’s a beautiful piece of code, it’s actually longer than the DAO itself, like the contract to attack, it’s a two-step thing, and so as a storyteller, I just wanted to try to find that side of the story, and I knew…I heard a name or not a name, but I’d heard of people in Switzerland who were rumored to be involved, and I thought if I had a book in front of me, and a lot of times, as you know, as a reporter, Laura, people will open up to you about a book in ways that they might not if you’re going to have a story out in a day based on what they said, and that did turn out to be true because previously in 2017, I had only heard, oh, there’s these people in Switzerland, and nobody would tell me a name because it was pretty much a rumor, there wasn’t a lot of hard proof, so I started there, and I got names, and I started doing some work, and I found somebody who was very good at forensics on the blockchain and just started really digging in and asking for help and doing homework and talking to people, and what was interesting was it turned out that in 2016 the forensics that was available to a lot of people were not very sophisticated. 

In 2019, when I was doing the reporting for the book, it was a lot better, and things were integrated more, you could see a lot more, and so the one big tip I got was that there was this encrypted message sent from one of the attackers to the Robin Hood Group, and what I should say here is that there wasn’t just one DAO attack, there were several. There was the big one on Friday when 55 million dollars was stolen over the course of that day, I think everybody knows that. The second biggest one was on Tuesday, four days later, and that was the second largest, it was about 3.5 million worth of ether, and that’s actually the attack that made the Robin Hood Group push the button and like drain the DAO themselves. They had been set up to do that but were worried about is this illegal, are we going to go to jail, is everybody going to believe us that we’re going to give it back, and so they were sort of on the fence, then the second attack happens on Tuesday, and they said, okay, we got to go because otherwise everything is going to get stolen because there was still a lot of ether left in the DAO. So once they did that, the attacker on Tuesday, who I believe is a different person than the Friday attack, they sent an encrypted message to the Robin Hood Group, they also sent the same message to the Child DAO, the Friday attacker, and so somebody sent me the unencrypted form of that, and it was this really weird message about the DAO wars are a waste of time and don’t do this, don’t you want to give the money back, and if you do, I’ll give my money back, and so as a writer, you’re like, wow, an encrypted message on the blockchain, that’s awesome, and now I knew an address that was linked to that account, and I could see that that address that had sent the message had also launched the attack contract on Tuesday. So, I started sharing that with people, who were helping me on the forensics side, and that attack, there was only a few short hops from that funding of that attack back to ShapeShift, and then the real breakthrough I had was that a source had helped me by naming the person who had the Poloniex account where the withdrawals of Bitcoin were made that were sent to ShapeShift that then went over a few hops and jumps to that attack address, and so now because I had the source who was inside and you know exchanges are one of the only places that really know people’s identities, and then even then, of course, some crypto exchanges don’t, but this one was Poloniex, they knew identities, and so the source was able to link that withdrawal to the ShapeShift, and then I knew that it went to this attack address, and so now I had a chain, and I had a person, and so I got in touch with him and went to Tokyo to interview him. 

Laura Shin:

So, before we get to that, I know everybody wants to know what happened then, but I just need to ask because exchanges are pretty well known for wanting to keep their customers private information secure and not disclose that and because, obviously, employees can get in trouble for revealing that, how did you find somebody at Poloniex to reveal customer identifying information to you?

Matt Leising:

Well, you know, I was asking around, and I knew names of people who were good at this and who had been involved with it from the beginning, from the 2016 hack, and so you know sources have lots of different reasons for talking to reporters. I think this person who helped me wanted to…you know, I think they felt like this was a malicious thing that happened, and the fact that I was willing to go talk to these people, I think was something that made this source want to help me because these people who know this information are not going to do that, but it’s my job to go talk to them and ask what’s your side of the story, and once I started doing that, first, I went to Switzerland and talked to some people there, and then that was a dead end, you know, I think just my willingness to kind of like do the work to try to figure this out, I think helped them want to help me, if that makes sense. 

Laura Shin:

And one other thing I was curious about and maybe this is more of like a writer question, but why did you even reveal that like it was somebody at Polo who helped you, do you know what I mean, like why would you say, oh, this information that I got for my book came from this place?

Matt Leising:

Well, I want to be as transparent as possible, so I want to always have as many details to back up the story and to give you a sense of this is why I think this is worth reporting, so I thought that using the name of the exchange wasn’t going to give anyone away, in my opinion, and it lent more weight to what I was saying and reporting, so you know there’s always a balance when you’re using unnamed sources, you want to give as much information to the reader as possible so that it seems credible while still protecting the person’s identity who’s helping you.

Laura Shin: 

And it sounds like that source kind of had already made up his or her mind to help you, but I wondered, you know, did it take any convincing because I would imagine the threat of them losing their job would be a deterrent, so I just was curious to know if you like had an argument that you used or if this person, if it wasn’t necessary? 

Matt Leising:

Well, I think the other thing that happened was I got put on this wrong trail and went to Zurich to talk to somebody who didn’t have anything to do with the attack, and that was because I got bad information from the source, and that happens from time-to-time, and that was a strange conversation I had with the person in Switzerland, and it’s all recounted in the book, so I think it ended up being kind of lucky for me I think in a way that this person I think they felt bad because they had sent me on to the wrong person, but then they also saw that I was willing to travel to Europe and do the work to go try to figure this out, and then, on top of that, like I said before, there was more information to work with in 2019, and when I knew that address that sent the encrypted message, I sent that to the person and said, hey, can you help me trace this, and it was a lot easier to trace that back to the source than anything having to do with the Friday attacker. That’s one big reason I think they’re different. 

The Friday hack where 55 million were stolen, those tracks were covered really, really well. It’s pretty much impossible from the blockchain evidence to say where it came from. They used mixers, some that don’t even exist anymore, hops all over the place, and if you see the stuff that I have on that transaction, it’s crazy, it’s like one of those things where they’ve got the boards and the strings and things are going all over the place, and it’s like if I’m not the FBI, forget it, right?

Then on the Tuesday attack, they were a lot less careful, and I mean, I figured it out, I back traced it, and I was able to do it just looking at Etherscan, and so you know, sorry, that’s not very good, in my opinion, and so we’re talking about two different things here, so I just want your readers like…I don’t know who did the big Friday hack, I’m not sure anybody will know that unless it’s Europol or the FBI or somebody like that, this Tuesday attack was more sloppy and easier to track. 

Laura Shin:

Yeah, so we’re going to talk a little bit more about these two people that Matt potentially figured as DAO attackers, but first, a quick word from the sponsors history of make this show possible. 

This episode is sponsored by Gods Unchained, the digital card game that offers true ownership to players. Cards are minted on Ethereum, meaning users can trade, sell and program their assets however they like. A new expansion set has just released, with limited edition cards and ERC-20 chests available for sale. If you miss out? You can hunt down these down, or previously sold-out chests, on third-party sites like Uniswap. This game is the real deal: helmed by experienced TCG legend, Chris Clay of Magic the Gathering: Arena fame. It’s fun, engaging, competitive and has more NFTs than any other Ethereum game on the market. You can try out the game at  https://playgu.co/unchainedpod. For the DeFI heads out there looking for a new opportunity, why not go grab some chests?

How much in fees are you paying for your crypto purchases? Crypto.com is waiving the 3.5% credit card fee for all crypto purchases, which means you can buy crypto with a 0% fee. Apart from your crypto purchases, you can also get a great deal on food and grocery shopping. You get up to 10% back on Uber Eats, McDonald’s, Domino’s Pizza, Walmart, and many more when you pay with your MCO Visa card. On the Crypto.com app, buy gift cards and get up to 20% back from merchants like Whole Foods, Safeway, Burger King, Papa John’s and Domino’s. Download the Crypto.com app today and enjoy these offers until the end of September.

Laura Shin:

Okay, great. Back to my conversation with Matt Leising. So, one thing that I noticed back in the winter was that you had tweeted that you’d met the DAO attacker above a footlocker in Zurich, and I remember this tweet because I forwarded it to somebody and said, oh, Matt found the DAO attacker, this means I should be able to, but I went back to search for it, and you’ve since deleted it, so I’m going to give a spoiler, which is that that person that you seemed to have tweeted about, you know, you’ve mentioned here in the show that they were not the DAO attacker, so then why did you end up including that person in your book? 

Matt Leising:

I wanted to tell this part of the story chronologically, and so as I went through it and reported on it, that’s who I thought it was, and I had the best information I had at that time, so that’s why I went to Zurich and spoke to him, then it turned out that it was wrong, and so then I go through that in the story, as well, it’s like that was a real hard thing for me to hear, but it sort of made me take the…so, I was off there, but now it made me sort of like rethink what I had and what I knew to be true, and that was this attack address, and so I started digging into that to try to figure out what can I know about this from like Etherscan records, and that’s where I realized that, oh, I can trace how these accounts were made, and that led to the breakthrough of this person in Tokyo, so you know I say it at the end of the book, I have qualms about using a term like ether thief because I don’t know that these people actually did it, I do believe this person I interviewed in Japan is associated with it, but I don’t have a smoking gun, and I lay it out for the reader as straight as I can with a lot of quotes directly from our conversation, and I want to leave it up to readers to make the determination for themselves. So again, it was kind of a narrative device on my part, and at that time I was excited about that part of the book. I don’t think I knew at that moment that it was wrong, and so I think once I realized it was wrong, I went back and deleted that tweet, but it’s all just a string.

Laura Shin:

Oh. 

Matt Leising:

It’s a string, it’s like my journey in trying to find the hacker, and in a book format, it’s really nice to be able to do that because this was over about a year’s worth of work, so it was an arc.

Laura Shin:

Okay. Now, I get it. Okay, so when you tweeted that, at that time, you thought that the person was the DAO attacker, and then you deleted it. Oh, now I understand. And then, you kept that part of the narrative sort of to make it like the quest part of the book? 

Matt Leising:

Right. 

Laura Shin:

Oh, okay. 

Matt Leising:

Right, and that’s why I don’t name the person in Switzerland because there’s no need to do that, but I wanted to tell that story, and he was a character in my quest, in my journey, for that part of the story. 

Laura Shin:

I see. Okay, so now let’s talk about the person that you do name, which I saw you also excerpted this part of the book for Bloomberg online, so I’m sure by the time this comes out people will be chattering about this person, but this person that you named as a possible copycat DAO attacker is a man named…why am I doing air quotes, his real name is Tomoaki Sato, and you can feel free to correct that if I pronounced that wrong, who is he?

Matt Leising:

So, he’s been involved with Ethereum in Japan for many years. He started, it was called Smart Contract Japan, he had gone to DevCon1 in London, I think, in 2015, and had met all the co-founders there, and then went back to Japan and blockchain wasn’t really a big deal there, at that point, but it started to grow, and he was like one of the people who had helped developers learn how to write smart contracts, and he did consulting for corporations as well as who were interested in Ethereum or smart contracts, and then later, he started a company called Starbase, which was a way to help startups go through the ICO process to raise funds, so initial coin offerings. He’d also made changes to the Go Ether client according to his GitHub, he helped people recover their Bitcoin passwords, so you know these are tough things, like he has some chops as far as I’m aware. And so, my source was able to say, okay, there were two withdrawals from a Poloniex account, both of Bitcoin that went to ShapeShift. One was changed into ether and one was changed into DAO tokens. Both of those withdrawals came from Polo, went to ShapeShift, and landed in the same Ethereum address. I’ll just call it 4FAE for short, so that’s the main link, and I was told that it was Tomoaki’s Poloniex account that those withdrawals were made from, so now I had a link from him at Poloniex through ShapeShift to the Ethereum blockchain, and the attack contract that was used in a Tuesday hack. 

Laura Shin:

And so, why don’t you now describe the conversation that you had with him, and actually, before you do that, I just wanted to ask one thing because you said it so fast, but I was like what, you said he helps people recover their Bitcoin passwords, do you mean that he helped them crack their private keys like if they’d lost them or what does that mean?

Matt Leising:

Yeah, I’m sorry. Yeah, private keys.

Laura Shin:

Oh my gosh. Okay. I think that’s…

Matt Leising:

Yeah. 

Laura Shin:

Yeah, extremely…

Matt Leising:

Which is very, very difficult. Yeah. 

Laura Shin:

Wow. Okay. 

Matt Leising:

Yeah.

Laura Shin:

Okay. I’m not even sure if I knew that was possible.

Matt Leising:

Yeah.

Laura Shin:

All right, so yeah, tell me what your conversation was like and how you approached it, like before you went kind of what were you thinking about how you should conduct this interview to extract a confession? 

Matt Leising:

Yeah, that would’ve been the best. What I did here is the same thing I did with the man in Zurich, I talked to a person beforehand, while I was still in the United States, I set up a phone call, said, hey, I’m writing a book about Ethereum, I’d love to talk to you about it, and so kind of like get the ball rolling and say, oh and then I’m going to be in Tokyo, you know, I’d love to meet you, so that’s how we met. He didn’t know at that point what I wanted to ask about, but I knew that I had to have an in-person meeting with him. Otherwise, you know, you start asking questions like this over the phone, and they’re going to hang up on you, so it’s just a way of getting in front of people and showing them what you have and getting their side of the story, so that’s how I did that.

So, I arrived in Tokyo, and I was nervous. I wasn’t as nervous as when I interviewed the man in Zurich because that was the first time and I didn’t know how it was going to go, so I’d kind of been through it already a little bit, and I felt like this time in Tokyo, I had better evidence and I was a little more confident.

So, we sat down and spoke for over an hour on the record. He allowed me to record it, and so I started going through it, and I said, I want to show you something about the DAO, and so I started with the encrypted message, and I showed it to him, and I said, did you send this, and he looked at it and laughed and said, no, I don’t think I sent that, and I said, okay, and I had like Etherscan records up on the computer, and I said, I want to show you what I think happened here, and I showed him this is where the encrypted message is, and here’s how I link this back to ShapeShift and went through the whole thing with him and said, you know, and I was told that this account at Poloniex belongs to you and is that true? And he said, you know, he couldn’t remember the addresses, which is fine, you know, who can remember an Ethereum wallet four years later, it’s just a string of random characters and numbers, so that didn’t surprise me. So, when we got the Poloniex part, he said, eventually, I asked him if other people had access to his account, and he said, yes, that they did, and that was because he was acting as a broker for people who weren’t able to buy and invest in crypto for themselves, so Tomoaki would do it for them, and he used Poloniex to do that, and he told me that he had given them access to that Poloniex account because it was their money. So, it’s like in the book I say, if you had a Charles Schwab account and didn’t have access to your money, you know, you wouldn’t do that, you want to have access, you want to be able to withdraw it, shut it down, do whatever you want, so that made sense to me, and so we went back and forth, and I said, well, you know, eventually I said, could somebody else have made these withdrawals and sent the money to ShapeShift, and he said, yeah, that’s possible, and I said, well, do you think that…did you know that they were doing this, and he said, maybe, and we went on, and I said, okay, well so, I just want to make really clear here, what you’re saying to me is it’s possible that somebody made these withdrawals from your Poloniex account to ShapeShift without your knowledge, and then they could’ve transferred that money over on the blockchain and launched this attack, and he said, yeah, it’s possible. And I said, well, how can somebody who doesn’t even know how to buy crypto launch DAO attack, it’s very complicated, right? It’s an obvious question, and he said, well, the person I was brokering for didn’t know how to do this, but they had a friend who did, and I said, okay, so it’s possible that this friend of the person you were doing this for could’ve done this, and he said, yeah, it’s possible, and then, at the very end, he said, you know, this attack, it’s actually not that difficult, and that was almost where we left the conversation, which, you know, probably, and this attack is very difficult, it’s a very elegant, hard thing to know how to do.

At this point, I guess I would say I think it was a copycat, so the attack contract was out there, anybody who knew what they were doing could grab it, cut and paste it, and launch it again, but you know I think it’s interesting that he said that this attack is not that difficult, so then I left Tokyo and came back to the US, and I wasn’t really sure what I had, it sort of felt…it felt odd to me that he never denied being involved, he didn’t deny it was his Poloniex account, I was kind of linking him to a pretty major hack, and he never pushed back, he never got angry, and then so when I came back to the states, I emailed and I said, hey, just to back up your story, can you show me like login records that like maybe this other person would have a different IP address and your Polo account should show that, and can you show me your withdrawal history at that time of that Sunday and Monday right up before the attack, to sort of, you know, I want to believe you, but just show me…can you back it up with some other evidence, and he checked, and he had closed his Polo account in 2018, so he couldn’t send anything like that to me. ShapeShift, at the time, didn’t keep records on anybody’s identity, only the transaction records, so that was a dead end. I emailed him many times and said this is what I’m planning to report and to say, I want to make sure you’re aware of it, and now is your chance to say I misspoke, no that’s not what happened. I gave him several opportunities to do that, as I always do when I’m doing this kind of thing, and he didn’t respond to any of those, so as I said, I laid it out as straight as I could in the book, and I really want to leave it up to readers to make up their own mind. I’m happy with it that I’m pushing the ball forward here as much as I can, and you know it was a fun and exciting thing to do, and I hope people think it makes the book more interesting. 

Laura Shin:

Yeah, one thing I realized is maybe important for people who are newer to the space and less familiar with some of these exchanges is that that sequence of events going from Polo to ShapeShift, and then after that doing the attack, the ShapeShift stop is a way of doing an exchange of tokens, crypto-to-crypto exchange without having that being attached to your identity because, as you mentioned, ShapeShift didn’t take identifying information, and that was a behavior that the original DAO attacker had also used where they had taken I think it was Bitcoin from an exchange, converted it to ether via ShapeShift, and then after that commenced the attack, so yeah…

Matt Leising:

Yeah, lots of mixers were used, and yeah, definitely a very common thing. 

Laura Shin:

And one other thing I wanted to say about his comment about how it wasn’t that difficult is that because it was a copycat attack, you’re right that like one way to interpret his comment is that it was known. I mean, in fact, the vulnerability was known even before the attack, it’s just that the way that this one was conducted used like combining basically the vulnerability across two different contracts to exploit it, so that was maybe the tricky part, but regardless, it was something that had been discussed before, and then, by that point, it was known how it was being done, so I mean, did you think that that was what he was saying, like it wasn’t that hard because everybody knew how to create such an attack?

Matt Leising:

No, I took it as he was saying like that…I took it at face value that this wasn’t that big a deal, and that’s how I read it, and that’s what I still l think to this day, and I think another point is there were a lot of vulnerabilities that had been identified in the DAO, but the actual exact spot where you needed to attack it had not been made public by anybody until the Friday hack exploited it. Emin Gün Sirer and Phil Daian at Cornell, they had found it, but they didn’t tell anybody about it, and then it was too late. 

This didn’t get in the book, but I thought, you know, this is really interesting me, when I was like triple checking this, I had some people help me, and we looked at the attack contract on Friday, and that attack, it’s clean, it’s like really well done, and then we looked at the Tuesday attack, and it’s like all over the place. It’s got all these line breaks and it’s like sloppy, and that’s another reason why I think this was a copycat, and so I just thought that that’s really cool that even the code looks different, you know, it’s like the person who showed…like when I first, when we were doing this, they’re like, oh god, look, this code is terrible, you know, aesthetically, like it really bothered this person that the lines are going over, and it’s just like it looked like if a writer didn’t know how to use a tab function and the page was just all over the place, so that was just fascinating to me. And it’s also just another point that’s so fascinating is all of this is still out there, it’s all in the public record, and you know the things that you can find in the blockchain space like it never forgets anything, so I find that one of the more amazing parts of this new field. 

Laura Shin:

And did you look into any of Tomoaki’s business associates to see if there were any people who seemed plausible as the person who he could’ve been dealing with, who had access to the account, who could’ve perpetrated the attack?

Matt Leising:

No, I did a little bit of research, but you know it wasn’t very fruitful, and the way I understood it from him, this wasn’t necessarily a business contact, it was just somebody he was doing this for. 

One point, I think, in one of the quotes he said to me was that this person who he was brokering for couldn’t do it in their local area, and so afterwards, I thought about that and reading between the lines, maybe they were in a part of Asia where crypto was being suppressed or total wild speculation. North Korea is a tough place to do crypto, right, so if…I’m just making that up, but I think parts of China, you know, there are…

Laura Shin:

Yeah, it’s more likely. 

Matt Leising:

Yeah, there are places where you can’t really get online to do that, so I feel like it maybe wasn’t necessarily that this person didn’t know how to do it, it’s that they were excluded because of where they lived from doing it, and if that’s the case, then it could be somebody who’s very good at this but is hindered because of that issue. 

Laura Shin:

Yeah, and that’s how I read that part of your book that it had to do with some kind of jurisdictional issue. 

Matt Leising:

Yeah. 

Laura Shin:

So, one other thing is at the end of your book as Ethereum Classic emerges, you write “some of the ETC, Ethereum Classic supporters were bad people, but I never planned to write about this part of the story anyway. From the outside, I wanted to stop after the hard fork.” Why was that your intended stopping point? 

Matt Leising:

Because that is a whole new era, in my opinion, in Ethereum. The ICO craze had already started, and it obviously got going really in 2017, and so I knew that I was going to be picking up the story from Vitalik in 2013, and I went even back further in his life and wrote about his upbringing and his high school, so I knew I was going to have a lot of years to cover, and I wanted to cover them in detail, and so I felt like that was a natural stopping point because I feel like that’s the next point where somebody could write a whole new book on that chapter that started with the Ethereum Classic and then went on to the ICO craze and Bitcoin hitting $20,000 and Ether going to $1200, and then here we are, you know, with three years later like the DeFi stuff, you can draw a direct line from that to now, and I also like getting into the Ethereum Classic and stuff, it’s complicated, you know, I like complicated things, but it gets really complicated, and then you don’t have an Etherscan for Ether Classic, you know, you don’t have the tools that are there, like the Ethereum community has created all these amazing tools to keep track of things and to investigate, and so I just knew it would be even harder to do any work on that chain, and so for those reasons, I felt like that’s where I wanted to stop. 

Laura Shin:

And you did also say that you felt that was a whole other story to tell and a whole other book, and you said, you’re not going to include that story, but I was curious, do you want a hint as to what happened there with Ether Classic coming on the scene?

Matt Leising:

You mean why I said there were bad people involved? 

Laura Shin:

Yeah, yeah, I’m now paraphrasing the rest of that quotation, but you were talking about the early months of Ether Classic and you were saying that’s like almost a whole other book.

Matt Leising:

Yeah. Well, so many different people who I knew on the dev side are still like seriously traumatized by that period. I think there were…like one person I know, I think was battling with suicidal thoughts and people were coming after the…so the Robin Hood, you know, had helped take care of the DAO issue, that group changed into the White Hat Group that went forward and some of the members were different, and the White Hat Group was sort of involved with when Ether Classic came on the scene because, now suddenly, they had all this Ether Classic on their hands, and they didn’t know what to do with it, and I think there were threats being made, I think that there might’ve been some major criminal elements involved throughout the world. You know when I talk to some of the guys about this, they get really upset, so it just struck me that, you know, these guys have been doing this for free for months, and they were exhausted, and then they had this whole new problem on their hands, and people were like coming after them, coming after their families, legally threatening them and doing other things, you know, that you probably just…nobody would want to go through, and so that’s what’s sort of informing me on that point.

Laura Shin: 

And what would you say overall the significance of the DAO and the hard fork has been for Ethereum?

Matt Leising:

I think a big lesson was that there should’ve been a cap on a DAO. It shouldn’t have been allowed to pull in 150 million and then go to 250 million when Ether went up in price, I think that was a mistake. I think there should’ve been a sort of an emergency break or some sort of way of stopping what was going on when a problem came out. They certainly knew that there were a lot of bugs, many different people had gone through and found different problems with it, but nobody was willing to say, well, we should not do this, we should take a break. There were calls for that, but what I mean is that the community wasn’t willing to go along with it. I think that comes down to everybody had money in the DAO, you know, like everybody, it was the only thing really going at that point for Ethereum, and so think that those are the lessons. Unfortunately, I don’t think they’re being heated very well. You could see in a DeFi moment we’re in right now projects like Yam are collecting over 100 million dollars in mere hours, and that had no audit, and so it’s a crazy space, you know, people are going to do what they want to do, and the reason why is because that’s what Vitalik wanted, you know, his original idea was I want to give people a platform for creating whatever they want to create using this system of distributed global computers, and so when that’s the goal and the reason for it, you’re going to get everybody on the spectrum from doing really well audited and security-wise projects to people just throwing stuff, you know, cutting and pasting basically, forking Uniswap, to all these things, so that’s just…people in this space have to make peace with that because I think that’s just what it is.

Laura Shin:

You also talk a little bit in your book about corporate adoption of Ethereum, and here now, you’ve been talking about how DeFi is also taking off on Ethereum, in general, where do you expect Ethereum’s next chapter to go, and what are you looking for as this plays out?

Matt Leising:

I think if we’re following the 2017 script, there’s going to be a big boom and bust here with DeFi projects. We’ve already seen a few. People are going to get hurt, people are going to lose a lot of money, but what’s going to come out of that is a whole new sort of Lego piece to this environment that is now going to work, and even though, like there were bad actors and people got greedy, I think the lending and the collateralization part of this ecosystem is going to be battle tested and be ready to go forward kind of like the fundraising piece was battle tested and shown to work in the ICO boom even though the vast majority of those projects were scams, but it showed that now, for the first time, people can raise money directly from their users, that’s an amazing advance in how people can raise capital.

Here, we’re seeing really interesting developments with lending and earning interest and incentives to lend people your crypto. Of course, nobody should think that 1,000% API is ever sustainable, but maybe for two hours it is, so good luck getting in and out of that, but what I find fascinating is I think that these people are building, and it’s kind of a cliche, but people kept building through the long bear market after the ICO craze, and here we are, and we have a whole new chapter in ETH, so it seems like that’s how really important pieces of this ecosystem are getting created. 

Laura Shin:

For your coverage going forward, do you expect to stay focused on Ethereum in particular or will you branch out because, obviously, Ethereum has these scaling issues, although I mean it is transitioning to 2.0, so it’s unclear how dominant it will remain, but do you expect that you’ll stay focused on this one blockchain or cover all of crypto generally?

Matt Leising:

Well, I think I’ll stay focused on Ethereum, but also if there’s an ETH killer, as people always say, that will get my attention, as well. I think it’s fair to say that so far there isn’t really a competitor. That doesn’t mean there won’t be, and of course, seeing how ETH 2.0 plays out will be really interesting, and whether that does solve some of the scaling issues, and I think, you know, I’ll also be covering the things like Metamask going mobile and now having a browser so people can start interacting with Web 3.0 stuff is fascinating, and I think has the potential to really start driving some crazy disruption in innovation. Like that’s another piece of the puzzle here and something I wrote about for Bloomberg a couple weeks ago was another promise of Ethereum was that…we didn’t get into this, but I think it’s really important, it’s to help people get their privacy back online and to have control over their data, and to be in charge of what they do and who sees what. That’s been completely lost in Web 2.0, and it’s pretty much by design because there wasn’t a payment method embedded in the web, so data now became the currency, and your data about where you’re clicking and shopping and all that became really valuable and is why the web experience is so terrible, and so I’m hopeful that a lot of really good ETH devs are working on this stuff all the time to make that new sort of web where users have much more choice and privacy becomes a reality.

Laura Shin:

And you gave a few hints about this in your book, and so I just wanted to ask, you know, crypto journalist-to-crypto journalist, but in general, how would you say covering crypto is different from covering other industries?

Matt Leising:

It’s very different from Wall Street. I think it’s much more idealistic in a lot of ways, much naiver in some ways, and I think those go together in a lot of cases. I think people in crypto tend to be much nicer and usually have a more interesting background than some of the people I’ve known on Wall Street, over the years. There are definitely some great people on Wall Street, who I know and have known, but they’re in the minority, and I would say in crypto, it’s the flip side of that, there are a lot of great people, and then there are some terrible people, but I’d say 80 to 90% of the people I’ve gotten to know in crypto are great people, and they’re very helpful, especially to a reporter who, you know, I need to ask a lot of dumb questions to try to figure stuff out, you know, it’s nice, and they’re open, and you don’t have to jump through the hoops. Try to go get a quote out of JP Morgan, you know, it’s going to take you a week of PR emails and stuff, and so that’s very refreshing to me. The pace of it is also just off the charts. I mean, it puts Wall Street to shame. They have like an annual year about every three weeks.

Laura Shin:

I would agree with that. 

Matt Leising:

Yeah. 

Laura Shin:

So, I saw you tweeted we’re also doing a blockchain linked special edition of the book that will prove the rarity of 1,000 copies with an amazing new startup, can you tell us about that? 

Matt Leising:

Yeah, yeah, this is really cool. So, LUKSO is the blockchain. It’s started by Marjory Hernandez and Fabian Vogelsteller. Fabian was one of the core devs on Ethereum, and they’ve created a new blockchain, and it’s basically based on Ethereum and smart contract, and what they are doing is one of their first appeals is to the fashion industry where you want to be able to prove that your Gucci handbag is real and not a fake, right, so you can register it on the blockchain, and if you want to sell it or you just want to show somebody that, no, I didn’t buy this on Hudson Street, it’s actually a 20 thousand dollar handbag, that’s the provenance, you know, of it, and sometimes, they even…they’re using chips to do that, but the blockchain is great for that because it has an immutable record, and so what we thought with the book is, you know, I played around with like an NFT kind of idea, but that doesn’t seem to really work with a book, but we’re going to be making a special edition, it’s going to have a new cover, and then there’s going to be a QR code on the back, and that’s going to be the public key, and then inside the book for people who order this, there will be a notecard with your private key so that you can now register your book on the LUKSO blockchain, and you know it will probably have a number, and then it’s yours, and it’s kind of cool or you can go and sell it if you want, and so we just…I was really…there’s so many great things in this industry to get involved with and to kind of prove that this is interesting with a book, so we messed around with a lot of ideas, and this is where we landed, and so I’m hoping to have that in a couple of months, so I’m really excited about that. 

Laura Shin:

And will you sign that or is the special edition part of it the key on the back? 

Matt Leising:

Yeah, so you’re going to sign it with the private key that’s in the book itself, and we’re still working this out, so I apologize if I screw it up, but the QR code is going to have to be the same for every 1,000, that will take you to the LUKSO blockchain, and then you’ll have a private key that I’m going to make and put into the book for you to then link up and say, okay, now, I’m signing this transaction proving that this is my special edition number 55 or whatever. 

Laura Shin:

Oh, I see, and then if they want to trade it, then they have to physically mail the copy like an eBay-type thing? 

Matt Leising:

Yeah, I guess so. Yeah, and we’re hoping to get some of the co-founders to sign a few of these and auction them off for charity, you know, and do stuff like that just to have fun with it, so I’m hoping that’s going to be ready in a couple months, like I said.

Laura Shin:

Cool. I’m filing this away for my book, I’m like, hmm, I should think of something fun.

Matt Leising:

Oh yeah, I’ll be your guinea pig. 

Laura Shin:

Okay. Great. Thank you for signing on. And is there anything I didn’t ask you about the book that you wanted to say before we go? 

Matt Leising:

Well, you know, I don’t want to leave the impression that it’s just about the DAO, I think there’s way more than that in the book, and one thing that I liked that I didn’t necessarily set out to do but that I think came across well is I think I got a really nice picture of Vitalik and his life and where he came from, and you know I think, obviously, people know a lot about him, but I think there’s a lot that they don’t know, and so there’s that aspect to it that I was really happy with, and you know like the DAO, if you buy this thinking it’s just about the DAO, you’re going to be disappointed. It’s in there, but it’s definitely not the majority of the book. 

Laura Shin: 

And when you say his backstory, how would you say he changes over the course of the book? 

Matt Leising:

Well, I think, what I liked is that I thought I was able to…or it seemed to me that I was able to show him from a lot of different sides. I was able to show him when he was vulnerable, when he was cocky, when he was being whimsical. You know, he shared emails with me that he was writing home, as he was going on his journeys through Europe in 2013 when he was coming up with the idea for Ethereum. He wrote this amazing thing when he was 7 called The Encyclopedia of Bunnies. I’ve got several entries in there, and they’re just hilarious, and I think funnily enough like that really opened him up to me as a person that you know he’s brilliant, but then you see this whimsical funny side to him in that, you know, a 7-year-old is writing this 20-page document all about bunnies and all these different entries on like how many men and women bunnies are there, and you know there’s these jokes, and I don’t want to give them away, but you know I just found that really great, and you know, as a writer, you want to try to get people and make them into rounded real people, and I think over the course of the book, I was happy with how that came out. 

Laura Shin:

Yeah. I have to make one comment here because one thing about reading your book for me was like, oh, oh, since Matt revealed all these things, now people will think I got them from his book even though I have them for my book. 

Matt Leising:

Yeah.

Laura Shin:

But it’s okay. It’s okay, people. It’s all right. 

Matt Leising:

Sorry about that. 

Laura Shin: 

All right, well, where can people learn more about you and Out of the Ether? 

Matt Leising:

I’m on Twitter, it’s just @mattleising. I’m on Bloomberg, you know, you can find me on the web, and Out of the Ether, you can preorder it now, it’s going to be out I think next week or the week after, and so Google is your friend. 

Laura Shin:

Great. Well, thank you so much for coming on Unchained. 

Matt Leising:

Thank you, Laura, for having me, it was really nice talking to you. 

Laura Shin:

Thanks so much for joining us today. To learn more about Matt and Out of the Ether, check out the show notes for this episode. Don’t forget you can now watch video recordings of the shows on the Unchained YouTube channel, go to youtube.com/c/unchainedpodcast and subscribe today. Unchained is produced by me, Laura Shin, with help from Anthony Yoon, Daniel Nuss, and the team at CLK Transcription. Thanks for listening.