Anonymity Cost Tops $4 Billion For Hacker

Feds shroud ID of criminal who stole Bitcoin

View Document

Bitcoin Forfeiture

APRIL 12--Thanks to the ballooning value of Bitcoin, the U.S. government could liquidate more than $4 billion in cryptocurrency confiscated from a hacker whose identity--despite an array of felonious conduct--is mysteriously being shielded by federal prosecutors.

In November, the Department of Justice announced the forfeiture of 69,370 Bitcoin from a wallet that had been dormant for more than five years. The Bitcoin, prosecutors say, had been stolen from Silk Road, the notorious darknet drug marketplace that was shut down by federal investigators in October 2013. Silk Road’s founder, Ross Ulbricht, was subsequently convicted of an assortment of crimes and sentenced to life in prison.

Since last year’s seizure, the value of Bitcoin has quadrupled. With the cryptocurrency now trading for about $60,000, the stolen Silk Road coins could become the most lucrative forfeiture by an individual in United States history. By comparison, Purdue Pharma, as part of a plea deal to criminal fraud and conspiracy charges related to its marketing of the opioid OxyContin, agreed last year to a $2 billion criminal forfeiture (along with a $3.54 billion fine and a $2.8 billion civil settlement).

The Bitcoin address known as “1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx,” or “1HQ3” for short, was long the subject of online speculation due to the account’s inactivity and its perennial spot in the top ten of richest Bitcoin addresses. Additionally, the prospect that “1HQ3” was connected to Silk Road--and represented proceeds from the criminal operation--only increased interest about the account’s owner.

The Silk Road connection to “1HQ3” was confirmed in the forfeiture complaint filed by Department of Justice lawyers in U.S. District Court in San Francisco. While the contents of “1HQ3” have been transferred to a wallet controlled by federal officials, a judge still has to approve the government’s liquidation of the Bitcoin (the proceeds from such a sale would end up with the U.S. Treasury Department).

As part of the forfeiture process, parties that contend they have a legal interest in all or part of the asset in question can file a formal claim with the court. While several entities have done just that with regard to “1HQ3,” one claimant seeking to enjoin the liquidation claims to know the identity of the Bitcoin thief, who is identified only as “Individual X” in government filings.

In a series of heavily redacted documents submitted over the past several weeks, the claimant, a Las Vegas entrepreneur named Jay Bloom, states that the court records he has filed “contain references and information related to the identity of Individual X.” The hacker’s name is shrouded in Bloom’s filings, his lawyers explain, since “confidentiality of the individual is designated by the [Department of Justice] in this action.” Judge Richard Seeborg has approved Bloom’s filing of the documents in a redacted form.

But while not publicly outing “Individual X,” it is clear that the 53-year-old Bloom has fingered a former business associate as being connected to the “1HQ3” account. Bloom’s suspect is Raymond Ngan, a mysterious 49-year-old fraudster and serial fabulist who has claimed all manner of business and educational exploits, from graduating MIT with a computer science and engineering degree (and then from Wharton with an MBA) to handling billion-dollar investments for multiple Middle Eastern sovereign wealth funds.

After a business deal with Ngan fell through, a Bloom company sued the purported financier and eventually won a staggering $2.2 billion summary judgment from a state judge (the 2017 award is the largest ever recorded in a civil action in Nevada). After being hit with the ten-figure judgment, Ngan filed for bankruptcy, prompting Bloom’s legal team to launch a multiyear effort to identify and seize what one bankruptcy court filing termed “various valuable assets they knew Ngan owned.” However, nowhere in the bankruptcy case’s extensive public record is the claim that Ngan--or his associates--were linked to a Bitcoin stash, let alone “1HQ3.”

In a brief interview, Bloom declined to answer TSG questions about his entry into the “1HQ3” forfeiture case, which came in mid-March, four months after the initial government filing revealing the seizure. Bloom’s claim on the Bitcoin has been made in the name of three of his firms, including Battle Born Investments Company, LLC.

According to filings in the Ngan bankruptcy case, Battle Born was formed as a “special purpose entity” to specifically acquire “certain assets of the Estate and thereby further Creditors’ collection efforts with respect to” the $2.2 billion judgment. In May 2018, a bankruptcy judge approved the acquisition by Battle Born of all of Ngan’s assets, with the exception of exempt items like clothing and other personal possessions.

In an April 5 filing in the Bitcoin forfeiture case, attorneys for Bloom made an oblique reference to the outstanding judgment against Ngan (pictured above). The “1HQ3” Bitcoin is not subject to forfeiture, the lawyers argued, because Bloom’s firms hold “judicially-declared superior property interests in those assets.” In layman’s terms, Bloom (seen below) is calling first dibs on the seized Bitcoin since his judgment against Ngan remains unsatisfied (and predates the government’s forfeiture complaint).

During Ngan’s bankruptcy proceeding he was jailed twice on contempt charges for failing to turn over documents and appear for depositions. The last lawyer to represent Ngan in the case withdrew last January, citing his client’s refusal to “reasonably communicate, cooperate or otherwise fulfill the terms of representation.”

A month before dumping Ngan, the attorney provided the bankruptcy court with a letter from a Las Vegas doctor who claimed Ngan “presented with complaints of alcohol addiction...anxiety, depression, and suicidal ideations.” Additionally, the letter reported, lab results showed that Ngan was “suffering from a chronic viral condition.” All these maladies, Dr. Daniel Royal wrote, left Ngan unable physically or mentally to be further deposed. Royal added that he recommended Ngan be placed under 30 days of constant observation--either in-patient or out-patient--to ensure that he “becomes physically sober and mentally stable in that his suicidal ideations have abated.”

Ngan did not respond to TSG messages sent to more than a dozen email accounts he has used, and texts and calls to his cellphone have gone unanswered. The only address information Ngan’s last bankruptcy attorney had for him was a P.O. box in Lodge Grass, Montana (pop. 428), a town on the Crow Indian Reservation.


As detailed in the government’s forfeiture complaint, the person identified as “Individual X” succeeded in hacking into Silk Road and stealing “the illicit cryptocurrency,” which was then moved into “wallets that Individual X controlled.” The theft of 70,411 Bitcoin occurred in early-May 2012, about 15 months after Ulbricht launched the site.

Ulbricht, investigators say, “became aware of Individual X’s online identity and threatened Individual X for return of the cryptocurrency.” However, the thief did not return the purloined Bitcoin, “but kept it and did not spend it.” At the time of the theft, Bitcoin traded for $5.10, making the total value of the heist about $359,000.

Until the theft was disclosed in the forfeiture complaint, the hacking of Silk Road was not known. It seems likely that Ulbricht would not have wanted to disclose such a significant breach since it could have spooked security-conscious vendors and customers (on whose transactions Silk Road collected a commission). Pictured below, Ulbricht, locked up in a federal penitentiary in Arizona, did not respond to a TSG letter seeking comment about the 2012 hack and the Bitcoin forfeiture action.

The stolen cryptocurrency was channeled into two wallets, from which a total of 941 Bitcoin--worth about $5000--was transferred in the weeks following the theft. The remaining Bitcoin stayed in the two wallets until April 9, 2013, when the balances in both accounts were transferred to the “1HQ3” address. On that day, Bitcoin jumped nearly 23 percent to a record high of $230, making “1HQ3” worth nearly $16 million.

The next transfer from the “1HQ3” account would come two years later, in April 2015, when Bitcoin worth $23,700 was sent to BTC-e, an unlicensed digital currency exchange popular with money launderers. In 2017, Alexander Vinnik, the Russian national who owned BTC-e, was charged in a 21-count federal indictment with money laundering, conspiracy, and engaging in unlawful monetary transactions. Vinnik, now serving five years in France for money laundering, will likely face U.S. extradition proceedings upon completion of his current sentence.

While federal agents have not been forthcoming about what prompted their recent probe into “1HQ3,” the forfeiture complaint notes that “Individual X” “was determined to have been involved in a transaction that related to” the address. The complaint does not provide further details of the transaction in question, though the U.S. government’s seizure of records from BTC-e could have provided investigators with fresh insight into the $23,700 sent from “1HQ3” to the cryptocurrency laundromat (which the Justice Department shut down in July 2017).

After an investigation by Internal Revenue Service agents and the U.S. Attorney’s Office in San Francisco succeeded in identifying “Individual X,” the Silk Road hacker signed a two-page Consent and Agreement to Forfeiture on November 3, 2020. The document, which uses the pronouns “he” and “his” when referring to “Individual X,” notes that the hacker had agreed to forfeit all cryptocurrency in “1HQ3.”

In response to a Freedom of Information Act request, the Justice Department provided TSG with a copy of the agreement, but blacked out the names of signatories, citing FOIA exemptions covering unwarranted invasions of personal privacy. The agreement’s eight paragraphs do not include any provision stating that the names of the parties would be kept confidential.  

A TSG appeal of the document's redactions is pending with the Justice Department’s Office of Information Policy.

By its own account, the Justice Department has accused “Individual X” of computer hacking and conspiracy to commit computer hacking, both felonies. Additionally, the use of the stolen Bitcoin could expose “Individual X” to money laundering charges.

So, why have prosecutors opted to cloak this criminal’s identity?

A spokesperson for the U.S. Attorney’s Office for the Northern District of California, Abraham Simmons, said he was unable to answer a series of questions submitted by TSG regarding the forfeiture proceeding since he was limited to addressing information only in the public record. So there is no explanation for why “Individual X” was granted anonymity in the largest cryptocurrency seizure in Justice Department history. Or if the hacker has been charged in connection with the theft of proceeds from Silk Road, which the prosecutor’s office calls “the most sophisticated and extensive criminal marketplace on the Internet.” Ditto as to whether “Individual X” has entered into a non-prosecution or deferred prosecution agreement with government lawyers.

Adam Gasner, the San Francisco defense lawyer who represented “Individual X,” was similarly reluctant to entertain TSG questions about the Bitcoin forfeiture. In an interview last year with Litigation Daily, Gasner said that, “Privacy and freedom are worth more than money.” He added, “My client will continue to live a quiet, anonymous life in the comfort of his own home.” Gasner also remarked that the forfeited Bitcoin was swiped from a “drug-trafficking website that made money on the addictions of people worldwide,” and that “Individual X” was a “modern-day Robin Hood.”

Asked by TSG if he was being facetious when comparing “Individual X” to a heroic outlaw, Gasner allowed that he was being a bit hyperbolic. (5 pages)