The $10 Billion Bitcoin Battle (Part 3)

Part Three – The Tulip Trusts



In part one (which you can read here) I covered some of the background about Bitcoin, Satoshi Nakamoto and Craig Wright’s related claims. In part two (which is here) I explored the Kleiman complaint against Wright. Here in part three, I’ll examine another area which has made this case stand out – Wright’s so-called Tulip Trusts.

On 3 March 2020, Judge Reinhart issued an Order relating to discovery. This document (found here) contains a great breakdown of the information (at page 3) relating to Tulip Trusts 1 and 2 – information on Tulip Trust 3 has only come to light more recently. But what are the trusts and what is their relevance in the case? To answer that, we take a step back – to Bitcoin addresses and, first, public key encryption.

Public Key Encryption and Bitcoin Addresses

Before I cover public key (asymmetric) encryption and why it is important to Bitcoin, it makes sense to talk about symmetric encryption first. If you are familiar with public key encryption, feel free to skip to the last three paragraphs of this section.

Symmetric encryption is often used when providing an encrypted file over email. Say Aric is sending a file to Bernice: he encrypts the file using a password, then sends the encrypted file to Bernice. Bernice then uses the same password to decrypt the file and read the content. This is called symmetric encryption, because the SAME password is used to encrypt AND decrypt the data.

In asymmetric encryption, there are two keys. These two keys are inter-related and built in a specific way such that OPPOSITE keys are used to encrypt and decrypt the same data. Say we have key1 and key2. If Aric encrypted the file with key1, Bernice would then need to decrypt the file with key2. Similarly, if Bernice encrypted a second file with key2, then Aric would have to use key1 to decrypt it. If a file is encrypted using a key, using the same key again to decrypt it won’t work – you need to use the opposite key.

To develop this idea further, let’s say every person creates their own two keys, let’s call them the public key, and the private key. Each person publishes their public key online – anyone can access it – hence the name. The private key in contrast is closely guarded and is not, or should not, be shared with anyone. Let’s say now Aric wants to send a file to Bernice so that only she can open it. Aric can access Bernice’s public key and encrypt the file using that. This means that the only way to decrypt the file is to use Bernice’s private key. Because no one else should know Bernice’s private key, she is the only person who can decrypt the file.

A second way that this system can work is to “digitally sign” something. You can use a mathematical one way function to create what is known as a hash for the file. If the file changes, even changing a single 0 to a 1, then that hash will change.

Let’s say Aric wants to sign a document so that everyone will know that it has legitimately come from him. He takes his document and calculates the hash. He then encrypts that hash, using his private key – the result is the digital signature. Aric then puts the document, together with the digital signature, online. Now Bernice wants to check that it actually came from Aric. She can take the document and calculate the hash – if the file has not changed, she will get the same hash value as Aric did. Now Bernice takes the digital signature. Using Aric’s public key, she decrypts the file – and receives the hash that Aric encrypted. If the hashes match then Bernice knows that the document has not changed since it was signed and (assuming he has kept his private key secure) that it was signed by Aric.

So, what does this have to do with Bitcoin?

Simplifying, when Bitcoin is transferred or mined (created) it is sent to a Bitcoin address. A different address should be used for each new transaction (for reasons that we won’t go into here). This means that to explain how much Bitcoin you hold, this would include considering the Bitcoin that was sent to all of the Bitcoin addresses that you control.

Bitcoin addresses are all actually public keys. To control the bitcoin which was sent to a specific Bitcoin address, you need the corresponding private key. If you have the private key, then you control the bitcoin at that address.

Wright’s Bitcoin Addresses

The main thrust of the Kleiman complaint is that Wright has fraudulently taken ownership of bitcoin, and related intellectual property, which was rightfully owned by the Kleiman estate. The amount of Bitcoin that this amounted to was unclear – as the Kleiman case stated:

“The exact number of bitcoins belonging to Dave’s estate will be determined at trial. That said, various documents including private emails and transcripts from 2014 Australian Tax Office “ATO”) meetings with Craig, his counsel, and his accountant evidence Dave and Craig owned and controlled over 1,100,000 Bitcoins.”

On that basis, understanding the amount of bitcoin Wright actually held would be helpful, not least to identify the universe of Bitcoin that was potentially mined by Kleiman and Wright. In March 2019, the court agreed that the claimants were entitled a list of Wright’s Bitcoin holdings (as of 31 December 2013).

Wright Claims He Cannot Provide Bitcoin Details

In response to a deadline set for 19 April 2019 for him to file a sealed production of his Bitcoin holdings (Since 31 December 2013), Wright filed a sealed motion, about which Judge Reinhart (as here) stated :

“Dr. Wright incorrectly framed the issue as, “The Court has ordered Dr. Wright to identify all public addresses that he owned as of December 31, 2013 or, if he cannot do so, explain why identification is unduly burdensome””

In that “incorrectly stated” filing (which you can a redacted copy of here) Wright provides a limited number of public addresses (which are redacted in the publically available copy). Wright also states that:

“In 2011, Dr. Wright transferred ownership of all of his Bitcoin into a blind trust… as of December 31, 2013, all of Dr. Wright’s bitcoin had been transferred to the blind trust, and therefore are owned by the trusts, not by Dr. Wright.”

Wright was subsequently ordered to provide information on the trust.

In a declaration signed on 8 May 2019, Wright explains that he transferred all of the encrypted files controlling access to the bitcoins that he mined to a trust formed in 2011/2012 in the Seychelles, called Tulip Trust I. Wright also refers to a further trust set up in 2014, also in the Seychelles, called Tulip Trust II.

Tulip Trust I

What is particularly interesting about the Tulip Trust, is that all of the information held by it (including, apparently, the files to control all of Wright’s Bitcoin), was then encrypted using what is known as a Shamir scheme.

This is essentially an encryption where many sets of keys (or “keyslices”) are created and a minimum number of these are required to decrypt the data.

Wright claims that these keyslices were split out and entrusted to each of the trustees of Tulip Trust I, and that he did not have access because he did not have the minimum number of keyslices needed to access the data – “The key shares were then distributed to multiple individuals through the trusts” and “he alone does not have ability to access the encrypted file and data contained in it.” (from this document).

According to information summarised in one of the orders of the court Wright later testified that:

“A controlling number of the key slices were given to Mr. Kleiman, who distributed them to others through the trust. Today, Dr. Wright does not have access to a sufficient number of the key slices to decrypt the file. Therefore, he cannot produce a list of his bitcoin holdings”

The Bonded Courier

While Wright was facing questions from Judge Reinhart on 28 June 2019, journalist Carolina Bolado reported from the courtroom:

“Wright explained that he gave some keys to Dave Kleiman and directed him to give them to bonded couriers. Some of the keys won’t be made available until 2020”

Essentially Wright claimed that in January 2020, a courier might arrive to supply him with the keyslices that he needed in order to access the encrypted file held by Tulip Trust I.

Judge Bloom subsequently decided to give Wright time for his bonded courier to arrive:

“In light of the Defendant’s representations that the bonded courier is scheduled to arrive in January 2020, the Court will permit the Defendant through and including February 3, 2020, to file a notice with the Court indicating whether or not this mysterious figure has appeared from the shadows and whether the Defendant now has access to the last key slice needed to unlock the encrypted file. In the event this occurs, and further if the Defendant produces his list of Bitcoin Holdings as ordered by the Magistrate Judge, then this Court will not impose any additional sanctions”

An Interlude – The Curious Case of CO1N

Before discussing the potential appearance of the “mysterious stranger from the shadows” (the Tulip Trust bonded courier), it is worth talking about one of the companies that was listed as a trustee of the Tulip Trust.

The deed of trust for the Tulip trust can be found here.

This includes a list of the trustees of the trust (including redactions) as below;

zzz_Tulip Trustees

It may strike you as a little odd that Panopticrypt Pty Ltd and Savanah Ltd are both companies listed by name, but that the first trustee on the list is just identified by the UK company registration number.

Looking up this company in Companies House (here), we find that it is listed as CO1N Ltd and there are a number of points of interest.

If you look at the “People” tab for CO1N, you can see that David Kleiman is listed as a Director, appointed on 14 October 2012 and resigned on 26 April 2013.

This links with Wright’s narrative, who claimed in his declaration that:

“The trustees for Tulip Trust 1 are:

  1. The company in the UK registered by #[REDACTED], which is CO1N Ltd. This company was dissolved on July 4, 2017”

And then:

“The contacts at CO1N were Dave Kleiman and Ms Nguyen”.

But things are not necessarily as they seem.

A Ready Made Shelf Company

If you look at the documents for CO1N, when it was incorporated on 11 October 2012 there was a single Director – Mr Bryan Thornton, and an external secretarial company was named as company secretary. The company itself was called “Design by Human Ltd”.

On 15 October 2013, the company name was changed to “Moving Forward in Business Limited”.

Everything in the listings suggests that this is actually a “ready made shelf company” for someone to buy and use. Indeed, according to documents in the case (see this document  at Para 92) the Australian Tax Authority has confirmed that CO1N “was a Shelf Company which was purchased from CFS on 3rd January 2014”.

All Change

Then on 7 January 2014 in the company listings, we see several changes:

  • Company name changed to CO1N Ltd
  • Bryan Thornton terminated as a director
  • Termination of CFS Secretaries Limited as a director
  • Appointment of Dr Craig Steven Wright as a director
  • Appointment of Dr Craig Steven Wright as a secretary

This would be consistent with the company being a “ready made shelf company” which was then purchased for use as CO1N in January 2014.

Panopticrypt and the 2013 Accounts

On 22 February 2014, Panopticrypt Pty Ltd was made a Director of CO1N. Although the filing was made on 22 February 2014, the date of appointment is listed as 1 January 2013. So the appointment has been backdated by over a year, and would appear to be backdated beyond the ownership of the company by Wright.

On the same day as Panopticrypt being added as a director (22 February 2014), abbreviated, unaudited accounts were filed, signed by Panopticrypt in its capacity as Director.

These accounts are also interesting, because they are for the year to the end of June 2013 – a period when the company appears to have still been a shelf company (prior to its reported purchase in January 2014). The accounts include called up share capital, of which there is nearly £40m in preference shares, included as current assets on the balance sheet. The preference share capital appears on the annual return received for filing on 22 February 2014, but they do not appear on the annual return dated 3 January 2014 – which would typically be expected if the amount was included on the accounts for the year ending in June 2013.

Dave Kleiman as a Director

As above, Wright claimed that Dave Kleiman was one of two contacts at CO1N. However, the company never had that name while Dave Kleiman was alive.

A look at the appointment documentation for Dave Kleiman shows that the document appointing him as a Director was filed on 13 April 2014. Nearly a year after his death. The document backdates, by 18 months, his appointment as a Director to 14 October 2012 and to a period when the company appears to have been ‘on the shelf’ prior to its purchase.

Dave Kleiman was then terminated as a Director the following day (15 February 2014), but the termination was backdated to 26 April 2013 – the day that he died.

This information was commented on by the Australian Tax Authorities, who stated (in this document):

“…information obtained from Her Majesty’s Revenue and Customs (HMRC) confirms that your Director, Craig Wright, only obtained control of DBH [Design by Human – the name of the company prior to its purchase when it was renamed CO1N Ltd] in January 2014 (after the ATO issued its private ruling) and had no prior involvement with the company. It also suggests he backdated the Directorship of Uyen Nguyen and Dave Kleiman. He would therefore have been aware that the company could not have entered into the Deed of Loan on 23 October 2012 and as a result, that the purported rights could not have been transferred as consideration.”

Put together, this suggests that a company which was (according to the Australian Tax Authorities) a shelf company until early 2014, could not be named as a trustee for the Tulip Trust in a document in 2012.

The Bonded Courier Delivers?

On 14 January 2020, Wright filed a notice of compliance to the court, stating that:

“Dr. Wright notifies the Court that a third party has provided the necessary information and key slice to unlock the encrypted file, and Dr. Wright has produced a list of his bitcoin holdings, as ordered by the Magistrate Judge, to plaintiffs today.”

The document that Wright provided to the Kleiman team was apparently a list of over 16,000 Bitcoin addresses, but no information on the courier or the information that they provided was given.

The news that Wright had filed his compliance resulted in a huge increase in the value of Bitcoin SV (A Bitcoin variant led by Wright) which doubled in value on the day – from approximately $194 to a high of nearly $450. See for example this NewsBTC article.

Even though Wright claims to have been provided with the keys to unlock the encrypted file, it appeared to not be all good news. In an interview with Decrypt on 17 January 2020 Wright’s lawyer, Andres Rivero, revealed “The file that he’s received did not include private keys”.

This means that although he claimed that the keyslices which the bonded courier was to deliver would give him access to the private keys, they have not. He now apparently has no access or control over the fortune in Bitcoin that the addresses apparently hold.

The Signed “Fraud” Message

In further bad news for Wright, the list of Bitcoin addresses was made available to the public, apparently inadvertently.

As a result, 145 of the addresses were used to sign a message using their associated private keys. That messages read:

“Craig Steven Wright is a liar and a fraud. He doesn’t have the keys used to sign this message. The Lightning Network is a significant achievement. However, we need to continue work on improving on-chain capacity. Unfortunately, the solution is not to just change a constant in the code or to allow powerful participants to force out others. We are all Satoshi.”

By using the private keys to sign the documents, the authors must have access to these keys and control the Bitcoin addresses. So either Wright has shared the private keys, or he does not own the public addresses that he has disclosed to the Kleiman team.

For further information see this article from Coindesk.

There was also an instance in which a transfer of bitcoin was reportedly made from one of the addresses which was supposedly included by Wright in his list. This could also cause difficulties for  Wright who claimed not to have access to the private keys, so could not have made the transfer. Additionally, if the address was included on the list that Wright claims ownership to, no one else should be able to transfer the Bitcoin at those addresses.

You can read more about this incident here and also here.

Tulip III

On 6 January 2020, Wright provided a third Tulip Trust document to the Kleiman team. According to a filing made by Kleiman’s lawyers “Plaintiffs received this document for the first time on January 6, 2020, amongst a production of 428 other documents, without any explanation as to its late disclosure, or even an email pointing out this document had been produced.”

I am not aware if the document itself has been provided to court, or if it is publically available, however, information is provided in a sanctions motion put forward by the Kleiman team (see page 13 of this document).

The sanctions motion identifies that Tulip Trust III was ostensibly a replacement for all of the previous Tulip Trust documents. The motion raises the question as to why this was not disclosed, or even referred to, especially given that now, if the document is to be believed, the previous trust documents that Wright has produced are actually obsolete, and this document should have been produced instead.

An apparent explanation for this is in that the trust contained an express condition that the document be “kept from Wright until December 2019”. However, as with many of the documents that Wright has provided or sought to rely upon, there are reportedly issues with the document metadata indicating it is not authentic, and also includes a company as an asset which did not appear to exist at the time the trust was executed.


The Tulip Trust documents that Wright have relied upon have a number of issues which potentially expose them as fakes.

In order to produce a list of his Bitcoin holdings, Wright apparently had to wait several years until a bonded courier delivered the encryption keys to access the information. When those keys were supposedly delivered, the list of addresses that Wright produced appear to not actually be in his control, with others signing a message using the related private keys, alleging that Wright is fraud. Further Wright has admitted that the courier did not provide the private keys, and so he cannot perform any action with the Bitcoin related to those public addresses.

Tulip Trust I includes as a trustee a company that was, at the time the trust was made, a shelf company. Records were later backdated by 18 months to make it appear that Dave Kleiman had been a director of that company.

Tulip Trust III apparently replaced all previous trusts, but the information for Tulip Trust III was not disclosed until 6 January 2020 and was never referred to previously. There are also questions over the authenticity of this trust.

With the case now not due in court until October due to the Coronavirus pandemic, it will be interesting to see what other facts and documents come out of the shadows before then. One thing is for certain – even if this case settles before it reaches the court, anything that Craig Wright produces or says is likely to face considerable scrutiny in the cryptocurrency community for the foreseeable future.


One thought on “The $10 Billion Bitcoin Battle (Part 3)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.