“For greater privacy, it's best to use bitcoin addresses only once” - Satoshi Nakamoto
In the previous chapter we imagined a billion lockers in a public space where one of them had your savings. Our reasoning was that the more lockers there were, the more secure your savings would be; because the number is too large for a burglar to get lucky. But how would you find your locker each time without relying on luck yourself? The simple answer is a bitcoin address. It solves this problem with a unique pointer to the locker that holds your savings. So out of an infinite possibility of lockers, you will always arrive at the right one against astronomical odds. As a bonus, you can own as many as you like because, in theory, they are inexhaustible.
A bitcoin address has two parts; a private and a public key pair. You need both to open your locker. This is the magic of public key encryption. When you create a new address, it has strong privacy and perfect security. But when you use it over and over again, it leaves a trail of your spending habits with everyone associated. Anyone can look up your address on a block explorer1 and paint a picture of your financial habits. This not only erodes your privacy but the privacy of everyone you deal with.
Another reason you shouldn’t reuse an address is that it weakens some of the cryptographic algorithms that protect your bitcoin. Some experts fear that future quantum computers might be able to steal your bitcoin if you they are weakened over time by address reuse.
You should always create a new address when you receive bitcoin. You can have as many as you like. You could use a different one to insure every grain of sand on every beach, or every lark of hair on every woman and we’d still be closer to 0% than any other number. In this case, more is better.
If we could only use one address for all our financial activities, bitcoin would be the most dangerous surveillance tool in existence. You MUST vehemently reject any transactions where you recognize the recipient or sending address. While that sounds extreme, here are some scenarios to help put things in perspective:
CASE 1: THE SINGLE WALLET SPENDER
In early 2013, you had too little of a social life so you spent a lot of time on technical talk forums. There you learned about bitcoin and made friends with likeminded misfits. You downloaded a wallet and built your savings over the years. However your traditional training compelled you to want to see all your coins in one place. As a result, you spent and saved to a single address.
REKT
That single address is public on the blockchain and all your spending has created a long history of transactions. Anyone can watch the the flow of bitcoin in and out but most importantly, they can see the balance. But who would want to check ? Well, everyone you transact with. If you paid your landlord in bitcoin, he would notice that all your transactions came from the same address and that they were now worth a lot. Your landlord, armed with this information, decides to increase rent. Your financial privacy is compromised. He tells his wife over pillow talk. Normally she never says “hi” in the elevators but now she smiles at your wife. She wants to sell her home made dumplings. Just kidding, you don’t have a wife. Anyway, your landlord’s wife indulges harmless gossip at the hair salon. Now every woman within a 2 mile radius knows that you are a rich awkward nerd. Your social acceptance starts to go up. This is not bad at first. Women wink at you and one day you come home from a date with one of your new admirers to find your apartment ransacked. The neighborhood burglars now know too.
CASE 2: THE SINGLE WALLET TRADER.
In 2018, you learned about bitcoin because everyone was getting rich except you. You didn’t care about anything else but trading. So you bought bitcoin and loaded up in a single address wallet. You trade with size because you’re a chad.
After doing research, you find one exchange that matches your risk tolerance and liquidity requirements. It is run by a vegan loving young billionaire. You send a few hundred bitcoin to trade for a dog coin. It’s been going up for weeks now, there’s no reason it wont continue. Two weeks after your first trade, you are down to double digit bitcoins in value. Everyone is still getting rich because the media says so. You load another hundred bitcoin because you trade with size. This time, you heard about a new coin that would revolutionize supply chain. By the end of the year, your entire trading portfolio is worth less than your laptop.
You didn’t get to where you were in life by quitting early. So you load up some more from the same wallet. This time, you hear about “DeFi” and life changing yields from a Korean kid. It makes more sense to you and there is a possibility of recouping all your losses in one trade. A few years later, the young vegan billionaire is on the news. He wants to give away all your wealth and the young Korean is on the run from interpol.
REKT
Every exchange operator has a team of analysts that monitor capital flow, in and out, of their platforms. They also oversee the trading books. Their job is to make sure the house always wins.
When you make your first deposit, they are curious and want to inspect your wallet closer. Imagine their delight when they see that you are a high roller on steroids. Every time you deposit bitcoin, there is speculation from in-house analyst and traders. They want to see if you have any inside information on what you are buying or if you are simply exit liquidity for smarter traders. The operators wait for you to trade and then front-run you. This means they perform the trade ahead of you with their algorithmic bots so you get less than you originally calculated. They repeat the process as many times as it takes while giving you a few occasional wins to keep you motivated. You will chase that carrot until you fall into a financial hole.
CASE 3: THE SINGLE WALLET DONOR
You are anti-establishment guy or gal and decide you can support any cause you like with bitcoin. After all, nobody can stop your transactions. You hear about truck drivers on a nation wide strike in a foreign country, so you send them $100 worth of bitcoin. You hear about a war in Eastern Europe and send another $100 worth of bitcoin. It’s not about the money, it’s about sending a message. You are on the hunt for the next current thing so you can make a statement with your wallet. All this while, you’ve been using the same address. One day, you try to send some coins to an exchange but you discover you can’t. Your address has been blacklisted. Then you get a call from your local police.
REKT
Governments are slowly figuring out the advantages and disadvantages of the bitcoin blockchain. They have analysts of their own and I.T teams that keep them in the know albeit behind latest trends. Savvy governments now love bitcoin especially when people don’t use it correctly. It provides breadcrumbs to the doorsteps of would be dissidents.
When governments realize that a certain address is donating to all the things they don’t like, they communicate that address to exchanges and forbid any transactions in the future. That’s all they can do. But they have reach, which means they can limit your financial activity. Anyone who deals with you becomes tainted by association. Your financial world has become a little smaller because you supported the controversial current thing from a single wallet.
CASE 4: THE SINGLE WALLET CON ARTIST.
You get a few cons going and then your wins start to snowball. You start to post pictures to instagram like a teenage influencer. Your money needs to be safe and you heard that bitcoin is anonymous money. With zero research, you get one wallet and use it to launder all your money. Then one day, the police knock on your door and catch you with your Gucci pants down.
REKT
If you are posting pictures to instagram then you shouldn’t be stealing other people’s money in the first place. Even though that gets you on law enforcement’s radar, it’s the money trail that does you in. When you send all your stolen coins to the same bitcoin address, it’s like robbing a bank and driving straight home with a trail of dollar bills to your garage.
MR. WOODBERY
THE EMAIL CON ARTIST
In March 2019, a young Nigerian, sporting a red and blue Balenciaga jacket, danced in his new Rolls Royce Dawn as his friends congratulated him. He had just purchased two super cars including a 2019 Lamborghini Urus. He parked them side by side to take a picture as he thought about the perfect instagram post:
“Just Copped ❗2019 URUS X 2019 RR DAWN BLACK BADGE …Sky is the Limit✌🏼”
Olalekan Jacob Ponle had arrived. He went from being a nobody to becoming popular online and in his home country, Nigeria. Even though he was famous, only a few people knew his real name. Everyone knew him by his infamous Instagram handle Mr. Woodbery; a nickname that stuck in high school because he was a comedian. Young Nigerians wanted to be him. After all, how often does a regular Joe buy two luxury cars in one day?
His wealth was suspect but nobody openly dared question its legitimacy lest you got cutoff. Any inquiries were treated as an act of jealous hostility. However, there was discrete speculation, with no evidence, that he was a Yahoo boy2. And if you don’t know what that means, then you are likely to be an easy target for Nigerian scam artists. When asked what he did for a living, Woodbery would sometimes say "international marketer". On other occasions, he was an international real estate developer based out of Dubai. He wore different professional hats depending on who was asking. So where did his money come from? What did he do for a living?
Woodbery had figured a way to trick businesses into sending him money under false pretense. First, he infiltrated their corporate email through social engineering, but on rare occasions he had a hacker friend who could exploit vulnerabilities in infrastructure. Once he was in the corporate system, Woodbery and his crew observed communications for as long as it took. They watched for emails that signaled an intent of money transfer; usually in the form of a corporate invoice.
His tactics were rudimentary yet genius. There was always one of two likely scenarios; if he infiltrated the receiving company’s account, then he would spoof an email to the payee but change the bank account with an apology for the mix up. But if he infiltrated the payee’s account, then he would spoof an internal email to the CFO with a cloned invoice carrying a new bank account. In each scenario, he borrowed the skin of the receiving company to redirect funds into a bank account he could access. He never used an account tied to his identity. He was always careful to employ lower level operatives, called mules, who worked with him for a cut. This was intended to keep his name clear if things went wrong.
Once the money was in a mule account, Woodbery laundered it into society as best he could. He had created a bitcoin wallet in 2014 and like most uninitiated, assumed it was perfectly anonymous. He was convinced that once he bought bitcoin the money could never be traced back to him. And so he conned many businesses while converting the proceeds to bitcoin.
Sometime in early February 2019, Woodbery and his crew hacked into the corporate email of a Chicago based company. They monitored communication for days, occasionally making fun of the internal company dialogues but mostly, they were looking for patterns and money flow. They shared screenshots of promising leads with each other so they wouldn’t miss a thing. This is how they learned that the company they infiltrated was a subsidiary of larger company in Chicago, and that the email belonged to the Chief Accounting Officer. Big titles are often privy to big decisions and soon enough their patience paid off. The Chief Accounting Officer was expecting a $2.3 million check from his parent company when he sent an invoice to the Vice President and Controller. Woodbery and crew intercepted this email. They knew they had little margin for error and little time, so they rehearsed a plan to make sure they would succeed.
First, Woodbery used his access to send an email to the Vice President requesting payment. He was meticulous about the content. Everything had to be just right; the same header, same footer, same style, same grammar and same routing numbers. The only thing that changed was the recipient bank account. The money had to make its way to him so he used a newly created bank account with the same name as the receiving company (It is not uncommon for different bank accounts to have the same name in the United States). When the Vice President saw the invoice, he had no reason to be suspicious. He made payments like that all the time. He approved and forwarded to the finance department who filed and processed the wire transfer. On February 14th, 2109, Woodbery sent a message to his mule account handler.
“Hey can you check if the funds arrived now.”
“It’s in!!!”
They had successfully conned a business out of $2.3 million. All it took was a hacked account, some reformatted emails, a new bank account and non-billable man-hours of monitoring communication.
As soon as the money was deposited, the mule transferred all of it to another account online and then to a Silvergate Bank account belonging to Gemini Trust, a notoriously compliant bitcoin exchange. Gemini is thorough about who they do business with. They collect detailed ID and store it for whenever law enforcement requests. Woodbery knew this. He didn’t plan on registering his name on the exchange nor did he plan on leaving his money there. Once again, he employed the services of his mule to achieve a degree of separation from Gemini. While the exchange provided liquidity, his mule kept his anonymity in tact until the bitcoin arrived his personal wallet.
“The money is in the exchange …..We are going to send you 500k at a time until you have it all.”
“Wallet is 16AtGJbaxL2kmzx4mW5ocpT2ysTW
xmacWn”
“I got the first one”
“I got the second one just waiting for remainder”
Mission accomplished. It was time to go shopping and spend this new money. Woodbery didn’t know how to be rich but he knew how to be loud. In march of the same year, he went to the dealer and paid cash for a Lamborghini Urus and a Rolls Royce Dawn. That is when he put out his first instagram post.
Just Copped❗️ 2019 URUS X 2019 RR DAWN BLACK BADGE ....Sky is the Limit ✌🏼
It was a flawless execution from start to finish but that wasn’t their first job by any means. According to the FBI, in the beginning of 2019, Woodbery and crew defrauded a company in Iowa using a similar M.O. They compromised the corporate email through a phishing attack. After spying for a while, they learned it was a supplier company waiting for payments for a shipment. And in the same way, they emailed the relevant party on the paying end, then opened a matching bank account with the recipients name while they waited for payment. This con was for $188,000. They converted it to bitcoin and sent to the same wallet: 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn.
Woodbery and his crew had momentum after the first few jobs. They scored almost every month like working class hustling for a salary. Sometime in May 2019, they broke into the corporate email of what turned out to be their most audacious attempt. It was the month of Woodbery’s birthday and he was feeling lucky so he fired out an instagram post.
“Everyone has different perspective about what is right and what is wrong. Just believe in yourself, and let God be your guide ✨🔵”
The operation started out like all the others, by infiltrating corporate email, but they learned that this company paid out quarterly dividends to shareholders. A new kind of bounty than they were used to. The board of directors had already approved the amount of $19,292,690.30 which was to be distributed through a third party. Woodbery spoofed an email, pretending to be that third party while requesting the full sum to be paid into his account. The sheer audacity!
“Please approve the attached Dividend payment (including postage) of $19,292,690.30 set for June 20th. I have reviewed the funding letter from 22 [Redacted Company] for accuracy and validated the share count included in the payment amount.”
To think that a semi educated crook could employ this level of language is both funny and scary. It almost worked. The company tried to make payment but the receiving account was flagged for fraud. They were saved by an unholy algorithm likely from Palantir. Woodbery was undeterred so he regrouped and tried again with a different bank account. The company was saved a second time by that unholy fraud detection algorithm.
If you are wondering how any of the previous companies could lose millions and do nothing about it, it is because they were too embarrassed to pursue any recourse in public. While they may have gotten results, the aftermath would have been damaging to their respective reputations. It was bad for business. How do you explain to investors and shareholders that you accidentally paid millions to the wrong account? For this reason, most of them often took the losses in silence.
By this time, the FBI had taken an interest in the series of email frauds. As the jobs got bigger so did the crew. A bigger crew meant a bigger attack surface with more weak links to exploit. The FBI found one weak link and infiltrated Woodbery’s network. That’s how they turned the tables and started spying on Woodbery in July 2019. The details are not clear, but the FBI picked up one of his account mules. Some people speculate that it was either for an unrelated charge or that the culprit was apprehended while trying to cash out their share. Woodbery was disappointed with the $19 million deal gone wrong and he felt something was not right. He fired another instagram post:
“A smile on my face doesn’t mean my life is perfect, it means I appreciate what I have and what God blessed me with.”
Unknown to Woodbery, the FBI repossessed his mule’s phone and started communicating with him. Woodbery went about business as usual, requesting new bank accounts and trying to fill them up with other people’s money. And in the process helping the FBI build a case against him.
On Woodbery’s instructions, the undercover agent opened a few new bank accounts. Nothing changed about the methods. It was as close to perfection as anything within his control. Every time, they ran their play it ended with the same lines.
“What is your wallet address?”
“Same one I being using”
This time around, no money was paid into any of his accounts despite doing everything right. It was as if a guardian angel was looking out for those companies. On June 10, 2020, Dubai police stormed the Palazzo Versace where they apprehended Mr. Woodbery along with a handful of associates.
REKT
Many intangibles led to the inevitable arrest of Woodbery on June 10th of 2020 in the Palazzo Versace, Dubai. He was careful within the limitations of his knowledge, but he didn’t know a lot about cybersecurity or bitcoin. He played with technological fire for the better part of his adult crime life and it burned him in the end.
Special Agent Ali Sadiq of the FBI, who lead the covert operation, was the Head of Cybersecurity in Chicago. When he got on the trail, he knew that, given enough time, Woodbery would provide all the rope needed to hang himself. Woodbery communicated through un-secure applications that were not end to end encrypted. This meant the FBI could get warrants that forced the operators to show them his messages. And so they did.
The FBI got a warrant for Dingtone; an app Woodbery used to make phone calls over a wifi connection with new phone numbers. The records showed that a South African number paid for the service through the Apple Appstore. Now that they knew what kind of device he used, the FBI started piecing together Woodbery’s International network.
The next warrant to drop was for Apple. In the records, they learned that the device was registered to Jacob Olalekan Ponle, a.k.a Woodbery, with the gmail account hustleandbustle@gmail.com. They found pictures of his passport, U.A.E visa and resident ID card in his iCloud account. There was no doubt as to who this individual was anymore but just to be sure, Special Agent Ali cross-referenced it with the U.S visa database. There was a match. They had their man but they didn’t stop there. They got into his WhatsApp and snapchat accounts where they uncovered some of his associates. Everything was in plain text with occasional code words and phrases that were easy to decipher by cross-referencing with Nigerian urban street language .
Now the FBI knew who he was, they followed the money to uncover more detail about the frauds. Their investigation revealed some recurring patterns. The most glaring was an infamous bitcoin address that kept turning up: 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn. It was at the center of everything. All the money flowed in and out through that singular wallet address, like a Central Bank account. Special Agent Ali and his team analyzed the address on the blockchain. While their analysis may look like rocket science to the uninitiated, the tools are available to anyone with a modern web browser. You could simply copy and paste any bitcoin address into a blockchain explorer and see its history. Even the infamous address.
The analysis told the story of the wallet in its entirety but for the sake of brevity, we confine ourselves to the bare essentials. For example, the infamous address was generated through Bitpay and the earliest transaction occurred on the 1st of November 2014. This meant that it could not have been created at a later date. It also raised the question of whether or not Woodbery started email fraud before then.
After receiving a warrant, Bitpay opened up customer registration to the FBI. The wallet containing the infamous address was registered to the Gmail account hustleandbustle@gmail. It matched the registration email tied to Woodbery’s iCloud account. Now things were adding up. But what kind of criminal uses one email tied to his real name for the purpose of committing related crimes? One who doesn’t know much about cybersecurity.
As they followed outgoing transactions, the FBI traced payments to Localbitcoins3 and Huobi4 amongst others. The evidence was clear that Woodbery used these less compliant exchanges to buy cash. He did it in small enough tranches that it wouldn’t draw administrative scrutiny. That’s how he financed the purchase of his super cars and other acquired tastes . There were a few questionable purchases traced to a Russian run market place for stolen credit cards. All the money in the world couldn’t hide this leopard’s spots. Perhaps being a criminal is exciting even after making all that money.
The FBI had him dead to rights. He was not on U.S jurisdiction, but that never stopped them before. On June 10, 2020, Woodbery was apprehended in the hush of the night. He was charged with multiple fraud counts after a raid by the Dubai crime unit. He was in good company that night. Less intelligent but good company nonetheless.
LESSON
Would you commit a crime knowing that every thing you did was being recorded and displayed in public for everyone with a browser to inspect? In the future, every detective in the world will be looking to make a name for themselves by bringing your actions to light. Bitcoin is a global and permission-less network. Sherlock Holmes or your local sheriff have the same access to it. There are no special privileges. To make matters worse, you decide to facilitate the investigation by using a single address. Perhaps the criminal life is not for you. You are better off living an uninteresting life.
Bitcoin’s unique privacy features were not designed to protect criminals. They were designed to protect a law abiding majority who choose to use it correctly. If everyone uses a new address for every new transaction, then we become like a colony of penguins flocking to the water simultaneously. It becomes expensive for predatory governments or hackers to single out one individual. We swarm the network with a torrent of new addresses and bask in the safety of pseudonymous numbers. If you won’t do it for yourself, do it for the people you transact with.
We hope our fictional examples and the real life story of Mr. Woodbery make it painfully obvious why you should never reuse bitcoin addresses. Next, we explain why you should not use your phone number for 2FA. Get ready to learn about SIM swapping in “CHAPTER 5”. Don’t forget to comment and tell your friends. Lord Thoth appreciates you.
A block explorer is a blockchain search engine that allows you to search for a particular piece of information on the blockchain.
An internet fraudster who uses social media and email to perpetrate dishonest business online. While it could be anyone from any country, the term has been popularized to label Nigerian scam artists. In the early 90’s, they operated out of internet cafes and predominantly used yahoo chat messenger, hence the name.
LocalBitcoins is a peer-to-peer bitcoin exchange platform based in Helsinki, Finland, founded in June 2012. Its service facilitates over-the-counter trading of local currency for bitcoins.
Huobi is a Seychelles-based cryptocurrency exchange. Founded in China 2013, but now has offices in Hong Kong, South Korea, Japan and the United States.
Good Book. An eye opener. Many lessons learnt. I would highly recommend this book to everyone