Addison Cameron-Huff, Cryptocurrency Lawyer

Craig Wright is an individual who claimed to be the rightful owner of billions of dollars of bitcoin, which he said he lost the keys to when he deleted his files. He wanted the crypto back, but without the keys this should be impossible. Mr. Wright came up with a rather unique strategy, that the rest of this blog explains, which should be studied by everyone who writes code for public blockchains or manages a protocol. So far as I know, Mr. Wright is the first person to seriously attempt this method. The basic idea is to ask a court to require the developers to change the code so that bitcoins would be given to him.

Most People Would Say Blockchain Assets Can't Be Seized

Public blockchains like Ethereum or Bitcoin make it impossible to seize control of assets on-chain because there is no centralized authority to ask to seize an asset, unlike a bank account or an account with a crypto dealer. The cryptography that underlies these systems is effectively unbreakable (which we know, because they're worth around two trillion dollars, which is a large prize for any hacker!). Many people have lost their private keys/backup phrases over the years, resulting in huge losses of cryptocurrency. But there is a very creative individual named Craig Wright, who recently lost a major lawsuit in the UK, who came up with a plan to use the legal system to try to take control of billions of dollars of bitcoin. His plan didn't work, but it's a fascinating case study that every developer should know about.

Mr. Wright's Approach

Craig Wright claimed he was the owner but a legal claim doesn't do you much good if there's no company to enforce against. There's no one in a position of power to take bitcoins and give them to Craig Wright (because if there was, it would mean there's a fatal flaw in how they work). Or maybe there is! Mr. Wright realized that there's one group of people who control the code for the main Bitcoin node software, which is used by almost everyone in the world. Only a few people have the permissions to submit new code to Bitcoin Core. Mr. Wright sued those people, and demanded that they make changes to the codebase so that the bitcoins he claimed were his would be awarded to him. A few developers quit the project in response because they had to personally pay these legal defence costs, and they realized that there was a type of personal exposure that was underappreciated before. No one had sued them before, despite the many wild events in the world of bitcoin over the last many years. Craig Wright was the first to test this concept.

Every blockchain protocol has just a few key people who can modify the software, for security reasons. But also there's just not that many people that volunteer their time for these things. All of the Bitcoin Core developers work without pay (although some are paid by companies they work for). Like other open source software, these are passion projects. Some of the developers who quit noted that they are not rich people because they didn't obtain bitcoin years ago, they just wrote software. They don't have deep pockets to defend themselves.

Craig Wright's targetted attack was a very smart move because it was the only way that bitcoins could be taken by him. Since he didn't have the private keys, there would be no way to access the bitcoins he claimed were his. In reality, the court recently ruled that they didn't believe most of what he said, and he won't be getting a court order that Bitcoin Core change its code, but it was a fascinating idea. If he had won, it's an open question as to what would have happened to Bitcoin Core, and if he had actually managed to get bitcoins changed over to him by a change to the code, it would surely have destroyed much of the value of bitcoin because there'd be a new vulnerability not previously recognized. That didn't happen, but it doesn't take away from the potential for others to follow in his footsteps.

What Developers Can Do

Blockchain protocols should consider whether they have money set aside to indemnify the key people who have write access to repositories, because these people might become legal targets using Craig Wright's method. Developers should consider whether they have appropriate legal representation to be able to deal with a potential attack, and ought to consider the potential costs of defending against an action like this, which could take place in any country. Craig Wright sued in the United Kingdom, but potentially anywhere is fair game for this kind of legal action.

Anonymity may also be helpful, in the same way as Satoshi Nakamoto has managed to avoid being sued (or doxxed) by anyone. This hasn't been very popular for protocols, and there are good reasons not to do it, but it might be a mitigation strategy that smaller projects could consider. There's no obligation to disclose your name as a developer of open source software (although there might be if there's an assignment/CLA for the project).

The principal defence against baseless attacks using the legal system is money, because money buys lawyers, which if you have a good case, means you'll likely eventually dispose of the baseless case. Projects run by corporations/foundations should apportion some of their budget as a legal reserve in case of a lawsuit like this (or other actions, like regulatory action.)

Everyone should keep in mind this potential attack. It didn't work this time, but it's a creative and new idea that could work. So it's now a part of the threat landscape for blockchain developers.