Forensic Experts Accuse Craig Wright of Manipulating Evidence To Support His Satoshi Claims

by @legalpdf


Too Long; Didn't Read

Craig Wright's claim to be Satoshi Nakamoto faces scrutiny as forensic experts reveal alleged tampering with the BDOPC.raw drive, questioning the authenticity of key evidence in the ongoing court case.

COPA v. Wright, Court Filing, retrieved on January 29, 2024, is part of HackerNoon’s Legal PDF Series. You can jump to any part of this filing here. This part is 3 of 42.

2. The BDO Image ‘Time Capsule’ “BDOPC.raw”

33. As already indicated, BDOPC.raw is presented by Dr Wright as a time capsule of his 2007 computer. The provenance of this drive is said to be that it was “created on 31 October 2007”. Dr Wright has confirmed (with a statement of truth) that “the files contained in the BDO Image date up to 31 October 2007 and Dr Wright has not edited or amended any documents in the BDO Image since 31 October 2007”. [Wright6 [4] E/21/3, confirming Field1 [25] E/24/9]


34. As a result of that claimed provenance of BDOPC.raw as a document in its own right, the documents taken from it are said to be “at least very strong evidence that Dr Wright is Satoshi Nakamoto”. [Wright6 [4] E/21/3, confirming Field1 [25] E/24/9]


(a) COPA’s Reasons for Alleging Forgery


35. In overview, the internal content of BDOPC.raw as a whole is not authentic to 2007 and it has been manipulated, with numerous forensic signs indicating that the manipulation took place at dates between 12 and 19 September 2023 [Madden4 [13.b-c] G/6/8]. Analysis revealed that in the days prior to 20 September 2023, substantial efforts were made to modify the contents of BDOPC.raw and to do so in a way to hide when that activity was occurring and make it appear as if it had occurred in 2007 [Lynch1 [72] I/5/19]. The content of BDOPC.raw as a whole is not authentic and has been actively edited between 17 and 19 September 2023, with the edits being consistent only with editing by a user [Madden / Lynch1 [6] Q/6/3].


36. BDOPC.raw is a product of a process beginning with a computer that was last shut down on 5 July 2007. A genuine image was captured of the content of that computer. That image, or a copy or version of it, was then subsequently edited in September 2023 to add, modify and delete files. This was done at a time when it was attached to another computer and without the operating system in use [Madden4 [71], G/6/25]. The editing process resulted in BDOPC.raw.


37. The manipulation of BDOPC.raw was done with the computer clock set to 31 October 2007, so as to backdate the most obvious resulting digital artefacts. [Madden 7 [77], G/6/27] [Lynch1 [76] I/5/20]


38. In some cases, incriminating metadata relating to 2023 was overwritten and replaced with metadata dating to 2007. In particular, the metadata within BDOPC.raw records that a folder within it, “My Files”, was modified on 17 September 2023 at 13:18:17 and later backdated to 31 October 2007. [Madden4 [81-82], G/6/27]


39. The original BDO Image was created from a computer running Windows XP. Windows XP does not record Transaction Log metadata, which was introduced in a later operating system. However, BDOPC.raw does include Transaction Log data, indicating that it was used with a later version of Windows. Those Transaction logs contain extensive records showing editing of BDOPC.raw on 17 September 2023. Further, those Transaction Logs indicate other irregularities, such as files being backdated to appear as if created after they were last modified and accessed. [Madden4 [84]-[85] G/6/28] [Lynch1 [73]-[75] I/5/19]


40. All the documents among the 97 New Reliance Documents which appear to support Dr Wright’s claim to be Satoshi Nakamoto were added to BDOPC.raw on 17-19 September 2023, and were added using a different user account from that used in relation to preexisting files:


40.1. Windows NTFS file systems record an identifier, the Security ID or “SID”, connected with the user that edits the files. Of the user documents present on BDOPC.raw, over 99% (over 165,000 files) were apparently created with the correct Security IDs for the original BDO PC from which the original image was captured in 2007. By contrast, 71 of Dr Wright’s New Reliance documents were added later, using a different user account with a different SID (the “Manipulation User”) [Madden4 [93-98] G/6/30] [Madden / Lynch1 [12] Q/6/5]. These include all the documents among the New Reliance Documents which actually support Dr Wright’s claim to be Satoshi Nakamoto.


40.2. Windows NTFS file systems record Object ID metadata (ObjIDs) when some file manipulation operations are performed. The ObjIDs present on BDOPC.raw record that BDOPC.raw was edited in a series of sessions on 17, 18, and 19 September 2023. Those sessions were interspersed with other sessions backdated to 31 October 2023. [Madden4 [101-105] G/6/31]


40.3. All of the ObjIDs from September 2023 were created with the SID of the Manipulation User.
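
The checks described in paragraphs 36, 39 and 40.1 (files post-dating the source machine's last shutdown, creation times later than modification times, and a minority owner SID), sketched as an added example that is not part of the filing or the experts' tooling. The records, SIDs and the end-of-day cutoff are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not taken from BDOPC.raw):
# (path, owner SID, created, modified). Both SIDs are made-up placeholders.
ORIGINAL_SID = "S-1-5-21-1111111111-2222222222-3333333333-1003"
OTHER_SID = "S-1-5-21-4444444444-5555555555-6666666666-1001"
RECORDS = [
    ("Docs/budget.xls", ORIGINAL_SID, "2006-03-02T10:15:00", "2007-06-28T16:40:11"),
    ("Docs/audit.doc", ORIGINAL_SID, "2007-01-15T09:00:00", "2007-07-04T11:02:45"),
    ("Docs/notes.txt", ORIGINAL_SID, "2007-05-20T14:30:00", "2007-05-21T08:12:00"),
    ("My Files/paper_draft.tex", OTHER_SID, "2007-10-31T07:19:02", "2007-10-30T22:05:10"),
    ("My Files/code.cpp", OTHER_SID, "2007-10-31T07:21:40", "2007-10-31T07:21:40"),
]
# Paragraph 36 gives the date (5 July 2007); the end-of-day time is an assumption.
LAST_SHUTDOWN = datetime(2007, 7, 5, 23, 59, 59)


def triage(records, last_shutdown):
    """Return {path: [reasons]} for files that conflict with the claimed provenance."""
    parsed = [(p, sid, datetime.fromisoformat(c), datetime.fromisoformat(m))
              for p, sid, c, m in records]
    # The SID that owns most files is treated as the source machine's account.
    dominant_sid, _ = Counter(sid for _, sid, _, _ in parsed).most_common(1)[0]
    findings = {}
    for path, sid, created, modified in parsed:
        reasons = []
        if sid != dominant_sid:
            reasons.append("owner SID differs from dominant SID")
        # An ordinary file copy can also produce this ordering, so it is a
        # lead to corroborate with other artefacts, not a conclusion.
        if created > modified:
            reasons.append("created after last modified")
        if max(created, modified) > last_shutdown:
            reasons.append("timestamp after last shutdown of source machine")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(RECORDS, LAST_SHUTDOWN).items():
        print(path, "->", "; ".join(reasons))
```
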


41. There are multiple iterations of the drive image stored on the same Samsung Drive. Mr Madden has recovered two more which were deleted in September 2023, but which he has managed to recover: InfoDef09.raw and Image.raw. These are identical in content to 99.5% of BDOPC.raw. The remaining 0.5% is made up of data pertaining to New Reliance Documents, and previous edits of New Reliance Documents. These drive images are among hundreds of GB of data deleted from the Samsung Drive in September 2023. [Madden4 [13.d-e], G/6/8]


42. Further, there is a file still extant within the Samsung Drive called InfoDef09.zip, which is encrypted and password protected. InfoDef09.zip contains a hash-identical copy of InfoDef09.raw. [Madden4 [28] onwards, G/6/12]. It must therefore have been deleted after 17 September 2023.


43. BDOPC.raw (including each file from within it) was not properly disclosed:


43.1. The file was not disclosed at the time for initial disclosure, nor extended disclosure. Further, it was not disclosed at any time in the intervening period up to 17 November 2023, during which Dr Wright provided no fewer than 12 more rounds of disclosure. Dr Wright has sought to explain away his failure to disclose the files by blaming his former representation and the e-disclosure provider Alix Partners. [Wright5 [11] onwards, E/20/5]. Dr Wright’s account is implausible and false.


43.2. When attempts were made to investigate the matter with Alix Partners, Dr Wright sought to frustrate those efforts [Macfarlanes’ letter to Alix Partners dated 5 December 2023; Shoosmiths’ letter to Alix Partners dated 16 January 2024].


43.3. It is to be inferred that the file was not disclosed at that time because it did not yet exist at that time.


44. The tampering took place across at least 8 different sessions spanning three days and was the result of user activity [Madden4 [104] G/6/33] [Madden / Lynch1 [6] Q/6/3]. It was not the result of automatic processes taking place on a single occasion as Dr Wright has suggested [Wright5 [22], E/20/7]. The software mentioned by Dr Wright in Wright8 does not work in the way he suggests [Madden3 [160-165] G/5/53]. His evidence in Wright8, Wright9 (Appendix A), Wright10 and Wright12 does not explain any of the anomalies found by the parties’ experts (and summarised above) [Madden4 [160] G/6/54] [Lynch1 [122-129] I/5/37] [Madden / Lynch Joint Report1 [9] Q/6/3].


(b) COPA’s Reasons for Inferring Dr Wright’s Knowledge / Responsibility


45. Dr Wright was the Manipulation User and/or was responsible for editing the drive on 17-19 September 2023:


45.1. Paragraph 40 above is repeated.


45.2. Dr Wright has stated that BDOPC.raw was protected by encryption, that he was the only person who interacted with the Samsung Drive in September 2023 prior to it being imaged by KLD and that his only interaction was to check that the data diode software was available. [Wright5 [22] E/20/7]


45.3. Recovered deleted files in connection with InfoDef09.raw and BDOPC.raw record information about the username of accounts used to edit documents within them. These include the username “Users\CSW” [Appendix PM46 [23] H/278/7] and the username “Craig S Wright” [Madden4 [55.b.] G/6/20].


45.4. Dr Wright has not permitted forensic inspection of the computer connected with the Manipulation User SID.


46. The effect of the tampering is to enable Dr Wright to put forward the BDOPC.raw image as if it was a time capsule of authentic material proving his claim to be Satoshi Nakamoto, contrary to fact.


47. Dr Wright has stated that this drive has been in his possession at all material times. Further, Dr Wright has stated that the relevant content on the Samsung Drive would have been invisible to anyone but him, due to the encryption used. [Wright5 [20-21] E/20/7]


48. The Madden Report (Madden1) was served on Dr Wright on 1 September 2023. BDOPC.raw was created following that date. Dr Wright then served a further ‘Chain of Custody’ document K/11 in which he stated that preferable versions of his Reliance Documents would be found in a newly-discovered drive image. In all the circumstances, it is to be inferred that the creation of BDOPC.raw was Dr Wright’s reaction to receipt of the Madden Report.


49. Paragraphs 41 and 42 above are repeated. In respect of InfoDef09.zip:


49.1. Dr Wright has stated that InfoDef09.zip dates from 2009 and that he could not access the image [Wright5 [8], E/20/4].


49.2. When asked for the password, Dr Wright stated that “he was hacked in 2020 and his password files were lost” [Shoosmiths’ letter of 11 January 2024]. That is implausible.


49.3. When asked for details of the alleged hack, Dr Wright stated that he had actually been hacked at least 10 times [Shoosmiths’ letter of 15 January 2024]. That is at least 10 times more implausible.


49.4. InfoDef09.zip contains a hash-identical copy of InfoDef09.raw. [Madden4 [28] onwards, G/6/12]. It must therefore have been deleted after 17 September 2023.


49.5. It is to be inferred that the reason Dr Wright withheld access to the password for InfoDef09.zip is that he knew the content of the file, and that it contained the incriminating evidence of BDOPC.raw being a recent creation, contrary to his story.


50. Dr Wright has provided a series of further technical explanations in respect of how BDOPC.raw was handled. These explanations do not affect the conclusions drawn by the experts and do not accord with the technical detail of the image itself in any event. Paragraph 44 above is repeated.


(c) Dr Wright’s Explanations and COPA’s Rebuttal


51. Dr Wright claimed to have discovered the BDO Drive in September 2023, with the drive image having originally been captured on 31 October 2007. He claimed to have cloned the machine and then done the capture later. He explained away the copying inconsistencies by saying that he used XCopy which, he claimed, changes file dates. He also claimed that the image was taken from a computer using a virtual machine at BDO.


52. He accepted that the metadata showed that items had been modified in September 2023, but said that this had been done by Mr Ager-Hanssen or someone associated with him and that he had let this happen because he had his guard down against insider hacking. He claimed that access to his machine had been enabled by a group policy update pushed from nChain that contained a backdoor into his system (getting around his two-factor authentication), but that he hadn’t noticed he was hacked until some point in December: see {Day5/58:9} and following.


53. He claimed that Mr Ager-Hanssen had been monitoring his computer, all of his emails, all of his communications and all of his WhatsApp messages, and that he was screenshotting everything that Dr Wright did. Dr Wright also claimed that all of his discussions with Mr Ager-Hanssen were recorded/videoed: see {Day5/89:2}.


54. COPA submitted that this explanation should be rejected as dishonest for the following reasons:


54.1. Dr Wright’s story of ‘discovering’ a hard drive that just happened to have documents that helped his case, in circumstances where he has been involved in a series of cases to which this material would have been highly relevant (including the McCormack and Granath cases where he had to identify primary reliance documents) is simply not credible. The fact that this discovery happened just after the service of the damning Madden1 report is also highly suspicious.


54.2. The BDO Drive is not a time capsule and its contents have been manipulated. The drive contains deleted files (in InfoDef09.raw) that demonstrate how Dr Wright created his forged documents which he then seeded onto the part of the BDO Drive that he disclosed. Mr Madden and Mr Lynch agreed that the BDOPC.raw image was not authentic and that it had been actively edited in the period 17-19 September 2023 {Q/6/3}.


54.3. Mr Madden found 145 files in BDOPC.raw which post-dated 6 July 2007, being the last date that the computer from which the image was taken was used. He also found that for 71 new reliance documents among these 145 files, the timestamps were consistent with them being copied to the raw image when the computer clock was set back to 31 October 2007: see Madden4 {G/6/26}.


54.4. Mr Madden also found that the transaction logs included dates as late as 17 September 2023 (Madden4 {G/6/28}) and that 44 ObjIDs were dated later than 6 July 2007, with 17 of them being timed to 19 September 2023 (Madden4 {G/6/32}).


54.5. The deleted image file (InfoDef09.raw) contains 17 of the 97 new reliance documents, but with the documents in slightly different form. This was recovered by Mr Madden, and it shows Dr Wright creating the forgeries (Madden4 {G/6/41}). The deleted files contain evidence of changes being made to documents to create potential precursors to the Bitcoin White Paper, by removing what would otherwise be anachronisms. For example, where a precursor document contained a reference to a paper published in 2016, the version disclosed by Dr Wright had that reference date removed and replaced by a question mark: see PM46 [112b] {H/278/39}. This course of editing is set out more fully in subsequently pleaded forgeries set out later in this Appendix.


54.6. The edits made to documents between InfoDef.raw (the deleted version) and BDOPC.raw were also changes specifically in support of Dr Wright’s case that he is Satoshi, such as changing the words “the original Bitcoin White Paper” on InfoDef.raw to “the proposed Timecoin system” on BDOPC.raw.


54.7. Dr Wright accepted that many of the files appeared to be modified, but claimed that this had been done by Mr Ager-Hanssen or someone associated with him. There is simply no evidence that such hacking occurred, and it is a fantastical excuse. For the avoidance of doubt, the fact that Mr Ager-Hanssen posted in October 2023 some pictures of a computer screen showing Dr Wright’s BDO Drive files does not prove that he gained access through hacking. These are files which Dr Wright presented to Mr Ager-Hanssen and others in September 2023 to encourage their continued support of him.


54.8. It is also implausible that Dr Wright did not appear to notice this alleged hack at the time, even though Mr Ager-Hanssen had published in October the pictures of a computer screen containing Dr Wright’s BDO Drive files which Dr Wright now (wrongly) claims are conclusive evidence of the supposed hack. Dr Wright never mentioned this hack by Mr Ager-Hanssen in his statements, even though he says he worked out that it had happened some time in December. His ninth statement was served on 21 December 2023, so he had the opportunity to address the issue squarely in that and later statements.


(d) Conclusion


55. I reject Dr Wright’s allegation of having been hacked. In my judgment, the evidence clearly demonstrates that the BDO Drive was seeded by Dr Wright with all the New Reliance Documents in September 2023 and that he was responsible for all the manipulations identified by Mr Madden.




About HackerNoon Legal PDF Series: We bring you the most important technical and insightful public domain court case filings.


This court case retrieved on January 29, 2024, judiciary.uk is part of the public domain. The court-created documents are works of the federal government, and under copyright law, are automatically placed in the public domain and may be shared without legal restriction.