Untitled

GERMAN JEWLERY MAKER... OR GARLICOIN THIEF?
How a random German guy stole hundreds in cryptocurrency, and almost got away with
it.
A tale of garlic, jewelry, and vigilante justice.
By bush

The Stage

It was the perfect crime: capitalize on a budding cryptocurrency, gain the trust of
its community, then vanish with hundreds of dollars worth of... Garlicoin. An upstart
crypto, Garlicoin had been hyped up before its launch by a wave of internet memes on
Reddit. Intended as a joke and introduction to cryptocurrency mining, Garlicoin was an
overnight success. It wasn’t long before it developed a burgeoning community, and more
importantly, a veritable economy.
Cryptocurrencies have no intrinsic value; one garlicon is worth only as much as
someone will pay for it. The first trades were for sheer humor. A pizza delivered in
exchange for garlicoin was considered a landmark event. Then the odds and ends; extra
video game serial keys, Garlicoin decals, the occasional broken-down car. Suddenly,
people started buying it. Garlicoins were selling for as much as $3.50 just days after
launch. By the time it was listed on an actual exchange, a massive community had
developed on the chat platform, Discord. Users were trading garlicoins for other
cryptocurrencies, cashing out for USD, or bartering with random items. It wasn’t long,
though, until an undesirable element arrived on the scene.
Discord user “Qubit” founded the GarliXchange chat group not long after the
currency’s launch. It offered users a place to gamble their garlicoins in online dice
games, a lottery, refer friends for rewards, and most importantly, facilitate trade within
the group by offering an escrow service. Acting as a 3rd party they insure that buyers
and sellers don’t scam each other. In the world of crypto, they are a necessity. No one
wants to use a middleman they can’t trust, and Qubit knew this. He found escrows with
large amounts of verified trades and excellent rapport with the community. Up until its
demise, the GarliXchange was a reliable place to setup and execute trades.
Qubit also knew that he needed to gain the trust of these escrows, because that's
how he was going to rob them blind. With an escrow service, the middlemen send crypto
to other users as insurance in the event that they try to run off with someone’s money in
the middle of a transaction. If an escrow stole coin and disappeared, the person holding
the insurance could reimburse the victim. Escrows were expected to put up insurance as
it would prevent them from scamming users. On the GarliXchange market, Qubit himself
would hold the insurance payments.
He allowed his little empire to grow. The escrows became well-liked and trusted
by the community. They increased their insurance payments to Quibit as they processed

larger and larger transactions for the community. At one point I was referred to
GarlicRiver, an escrow that was eventually robbed by Qubit. I was trying to cash out and
was looking to sell around 45 garlicoin, or about $90 worth at the time. GarlicRiver told
me he had put 50 garlicoin into his insurance arrangement with Qubit, and the other
escrows had similar collateral in place. In total, Qubit was holding on to over 200
garlicoin that didn’t belong to him from his escrows.

The Heist

Garlicoin had only launched on January 21st. Qubit fled with the insurance
money a mere ten days later on February 1st. The first news was a shocking reddit post
from user “Jolteon” regarding Qubit scamming and then banning them from the
Garlixchange. A suspect user “fantasalad” had suggested Qubit act as the middleman in
their trade. When Jolteon sent his 100 garlicoin payment to Qubit, he was quickly
banned server. He made a reddit post detailing what happened, and within hours, the
server had been wiped from discord. Qubit had fled with hundreds of garlicoins from
both his escrows and at least one user.
By February 2nd, one of the victims had written an article chronicling the events.
“RoboShrimp” had been a recent addition to the Garlixchange escrow team, after one of
them, “Freeze,” had cashed out his insurance deposit from Qubit with no problems on
January 31st. Roboshrimp made an insurance payment to Quibit, who would vanish by
February 1st. In this article, he details how Qubit had gained the trust of the escrows and
community. No one seemed to see this coming. He had spent days putting hard work
into his exchange and forming pretend friendships with a community he had created in
order to rob.
● Jolteon scammed by Qubit acting as an escrow:
https://www.reddit.com/r/GarlicMarket/comments/7um2o3/meta_the_garlixchang
e_discord_server_is_a_hoax/
● RoboShrimp scammed by making insurance deposits to Qubit to become a new
escrow:
http://www.grlc.press/page.php?id=3

The Hunt

In the aftermath of the theft, the escrows had been robbed of hundreds of dollars
in garlicoin. A friend of mine, known as “TheMeriff” on discord had introduced me to two
of them after inviting them to our group: “GarlicRiver” and “Rusti.” The two had a long

history of verified work, and were in no way implicated in the theft. We began talking
around 1:30 AM EST on February 2nd.
We discussed the situation, and how they as well as many buyers and sellers
has been quickly robbed by Qubit. I was reminded of a situation where TheMeriff got
scammed. He posted a warning regarding the user in question, and someone managed
to counter-scam that individual and return some of the lost garlicoin to him and other
victims- stealing from the thief and returning what was stolen. In the world of
cryptocurrency, there are no regulations, no laws, and no authority. There is no recourse
for the theft of a digital currency. Except perhaps, for some vigilantism.
Unfortunately for Qubit, he made a fatal mistake. The criminal mastermind used
the same username as his discord account all over the internet, and led us into a web of
intersecting clues. It took less than thirty minutes to find the bastard.
The Trail of Clues:
1. Searching for “Qubit” yielded nothing, except that a qubit is a quantum computing
term. I headed to twitter, and found “Qubit_mathangled,” who appeared to be
quite interested in mathematics, patterns, algorithms- definitely within the scope
of a crypto enthusiast. I asked the escrows if he expressed interest in these
topics in their chats together. “Yes.” was the answer. I noticed some images
pertaining to astronomy. I asked about it as well. I received the same answer. As
coincidental as it was there was no identifying information; just the suggestion
that Qubit might have used the same name in other places.
2. A reddit account was located by GarlicRiver that listed comments in garlicoin
trading threads. We figured this was most likely the thief, but had no way to prove
it, and still had some doubts. He noted that he had come across the account
earlier, and asked Qubit if it was his before the theft occurred. Qubit had denied
owning the account.
3. Rusti discovered a steam profile named “qu8it” on Steam. “Benjamin from
Germany” was the only information. The escrows began to wonder if Qubit was
German, and reasoned that it was possible considering the times he was
available to chat with them. We noticed that this account was active in trading on
the Steam marketplace, with positive reviews posted to the profile page. The
reddit account had been involved in trading garlicoin for steam game keys.
4. I had been looking at the “qubit” account on imgur.com. Imgur is generally tied to
reddit accounts, so I assumed they were related. But it threw me for a loop;
instead of garlicoin memes or mathematics pictures I found beautiful, handcrafted
jewelry made with ornate wood inlays. This didn’t add up. I asked Rusti and
GarlicRiver if Qubit ever said anything about jewelry. They laughed. Never,
apparently. Some of the images mentioned “Silvea-Aurea” and discussed sales.
5. Naturally, I headed to Silvea-Aurea’s website. It was the same jewelry as seen on
imgur. I visited the about section and found:
“Silva Aurea stands for exclusive hand-made jewelry, great attention to
detail and the seamless combination of precious metal with wood. The focus lies

on turning your requests into the perfect custom jewelry. Silva Aurea jewelry is
made in germany by goldsmith Benjamin Werner.”
6. Benjamin Werner. “Benjamin from Germany.” Too many coincidences. In the top
right-corner of the site I found language options: English, or German. TheMeriff
did a WHOIS lookup, which tells you information about who owns a website. It
revealed that the Silvea-Aurea site was hosted by GoDaddy.com. Rusti located a
WHOIS service run by GoDaddy for its own servers, which listed Benjamin
Warner as the owner of the site, as well as revealing his location and personal
contact information.
We felt like we had done it. But we also wondered if we were about to ruin
some random German jeweler's life over sheer coincidence. Then again, how
likely was it that there were two users named “Qubit” both on Reddit and Discord
within the niche Garlicoin community? Not very likely, it turns out. We had missed
something. I had questioned the “qu8it” imgur account because it seemed like it
had nothing to do with garlicoin. When I revisited the reddit account in question, I
looked at the post history rather than the long list of recent comments regarding
garlicoin.
It was the smoking gun. There I found the imgur posts selling Silvea
Aurea jewelry. Right there, trading and discussing garlicoin on the very same
account, with the very same username as the thief that ripped off and then
deleted his own market exchange. This was 95% our guy, and it only became
more obvious from here on out.
Sources:
1. Qubit_mathangled or @qubit_entangled on twitter:
https://twitter.com/qubit_entangled?lang=en Mathematics, patterns, astronomy
https://archive.fo/rK6Zu (archive)
2. quBit or qu8it on Steam:
https://steamcommunity.com/id/qu8it “Benjamin from Germany”
https://archive.fo/X8NJk
3. qu8it on imgur:
https://imgur.com/user/qu8it/index/newest Silva-Aurea handmade jewelry
http://archive.fo/VHzff (archive)
4. Benjamin Werner/Silva-Aurea:
http://www.silva-aurea.com/#/ main site (German language option)
http://archive.fo/7aQmS (archive)
http://www.silvia-aurea.com/#/about/ Benjamin Werner
https://archive.fo/cMXda (archive)

5. GoDaddy WHOIS lookup of Silva-Aurea site:
Benjamin Warner - Germany, personal info
https://imgur.com/a/ZxbXq (image)
https://www.godaddy.com/whois/results.aspx?domain=silva-aurea.com
6. The Smoking Gun:
https://www.reddit.com/user/qu8it/posts/ - Silva Aurea jewelry
http://archive.fo/mGhJE (archive)
https://www.reddit.com/user/qu8it/comments/ - trading and discussing Garlicoin
http://archive.fo/eBXfm (archive)

The Confrontation

At this point, Rusti decided to poke the bear. He emailed the account listed on
the WHOIS lookup, and messaged the Steam account he had found earlier. He began
asking “qu8it” about Silva-Aurea rings. Surprisingly, he responded and attempted to
make a sale to Rusti. This confirmed that the Steam account (“Benjamin from Germany”)
did indeed belong to Benjamin Warner. Their conversation indicates that Warner has a
knowledge of crypto and even Garlicoin itself, willing to accept it for an engagement ring
when queried by Rusti. He even admits to mining it. The full transcript is posted below.
Some screenshots are provided to prove the authenticity of the chat.
Steam chat between Rusti (M) and Benjamin Werner (DB) (2/2/18)

M is Me, DB is DB
M: Hey, this is MIchael, from the email
DB: hi there
DB: so what did you have in mind?
M: I'm trying to propose to my wife
M: I need something really beautiful
DB: an engagement ring i suppose?
M: That would be correct
M: How much do you think it would be?
DB: Were there any on the website that you liked?
M: I'll go take a look again
DB: http://silva-aurea.com/images/rings/oculus_gems_1.png
DB: http://silva-aurea.com/images/rings/oculus_gems_2.png
M: I really love that one, but I was thinking a bigger gem
DB: you can also see prices after clicking on a picture on
the website
DB: do you like the wood at all or should it be one
without wood?
M: I think wood would be fine
DB: it doesn't have to include wood if you're not too keen
o on it
DB: not a problem
M: I like the way it looks
M: Do you accept any cryptocurrencies?
DB: So this one has a 2 millimeter diamond. If you make
the diamond bigger, you either
have less wood or a bigger ring head.
M: I'd rather have less wood
DB: Yeah, I'll accept crypto
M: Any specific types? I recently got into this coin
called garlicoin(Sounds stupid, I know)
If you wanna look at it, I'll pay extra
DB: Oh im mining garlicoin right now haha
DB: but I'd prefer a more established coin
M: Even if I paid extra?
M: I hate tradesatoshi, and I currently only have GRLC
DB: I guess I can exchange it myself then, sure
M: How much would it cost?
DB: so the one with the 2mm diamond is $440
M: How much would I have to pay in GRLC, I don't want you
to lose money to tradesatoshi fees
DB: at the moment, that's pretty much 440GRLC

M: Ok, how long do you think it would take to get done,
and how much is shipping?
DB: where are you located?
M: Eastern US
DB: thats $20 insured shipping
M: Ok, I can do that
DB: i'm fairly busy this month.. when did you plan to
propose?
M: I plan on doing it in June, that's her birthday
DB: oh ok, that's plenty time
DB: Within the next month then if that's fine
M: That's perfect
DB: do you know her exact ring size?
DB: that's very important
M: I have it written down somewhere, give me a few seconds
M: She has a size 10 ring finger
DB: left or right hand?
M: Right hand I believe
DB: it depends which hand you later want to wear the
wedding ring on
DB: the engagement ring should fit for the other hand
M: So you need her left hand ring finger size? One sec
DB: if you want to wear the wedding ring on the right
hand, yes
M: It is also size 10, lucky I guess lol
DB: how do you know the size?
M: I got it measured before Christmas for a holiday gift I
got her
DB: Did she have her fingers measured at a jeweler or did
you take one of her rings to have it measured?
M: I took her to a jeweler
DB: It's just important to get this very exact, because
changing ring size afterwards will be tricky
M: I understand
DB: i can do half sizes, quarter sizes, etc. as well
M: I think a 10 will be fine
DB: alright
DB: As for the wood, did you like the light wood in the
picture or would you perhaps prefer something else?
http://silva-aurea.com/#/wood
M: I think #7 would fit her
M: It looks really nice
M: matches her personality

DB: here are some more not on the website:
https://i.imgur.com/5kdXS3k.jpg
M: Actually, Hawaiian Koa looks better
M: I'll do that
DB: that picture is actually way overexposed, so it's
really a fair bit darker.
DB: 1sec
DB: the colors are more accurate here:
https://youtu.be/fHSIdMtgsZM
M: Yeah, I'll still do Hawaiian Koa
DB: also have a look at 3:30 and 2:15
DB: the 3:30 comes close to the color from the picture
DB: and 2:15 just has a nice dense pattern which will be
good since the wood surface in that ring is already so
tiny, you won't see much of the pattern from other woods
M: Yeah, I like the look of it
M: I'm ready to pay I guess
DB: its a learning process for me too
DB: just make sure that in case grlc crashes you will
still have the funds to pay the other half later
M: I will
DB: im very skeptical about grlc stability but that might
jsut be me
M: Ok, I'll send rn
DB: ok let mek now the transaction id
M: garlium is being weird
DB: its the worst
M: I know
M: It isn't sending one sec
M: This all started happening after this guy scammed me
for some GRLC yesterday, goddamn him
DB: aw
DB: gotta be careful with that stuff
M: Yeah, I deposited GRLC to him to be an escrow about a
week ago, and he deleted his discord server Garlixchange,
and took all of our deposits
M: My friend GarlicRiver and I both worked hard for him
and he just scams us
DB: its very close to fall another 10% right now
M: Wouldn't you hate a guy like that?
DB: yeah that sucks
DB: there are middlemen/escrow on /r/garlicmarket working
for free/tips

M: I know, I reported him in garlicmarket
DB: i hope you didnt loose too much
M: So, why don't you have a discord?
M: His report is the top post on there wow
DB: i do have the program installed i just dont like using
it much
DB: and im always available on steam so thats best
M: True
DB: oh, where did you find out about my work btw?
M: Reddit
DB: recnetly or longer ago?
M: Recently
DB: oh thats awesome
DB: i didnt post in a long time
M: Yeah
DB: found an old post by chance?
M: A friend told me about you
DB: oh is it someone who bought from me before?
M: Unsure, he just said your stuff is good
M: So, where is the name DB from?
DB: thats really cool
DB: tell him grettings =)
M: I will
DB: oh i did the whole 8bit/chiptune music thing at one
time and was looking for a name, thats what i found and
liked
M: Nice
M: You know any coding languages?
DB: i saw you mail address says something about youtube,
you have a channel?
M: Used to
M: My main channel now is rusti, haven't used it in a
while though
DB: i dont know much about coding at all. i jsut do a
little bit learning by doing on my website, editing html
files and such
(I ramble on here about Garlium not working, which is what
he did to us)
[3:15:23 AM] DB: garlium still not working?
[3:15:27 AM] M: yeah
[3:15:34 AM] DB: damn
[3:16:16 AM] M: Why did you send me a brand new address?

[3:16:18 AM] DB: so did you got all that grlc through
mining?
[3:16:53 AM] DB: its just the address it displays in the
'receiving address' field in garlium right now
[3:17:00 AM] M: oh
[3:17:05 AM] M: i did
[3:17:22 AM] DB: it might make a new one everytime you
start the program, im not sure
[3:17:36 AM] M: I think it just switches the receiving
address
[3:17:49 AM] M: I'm gonna leave it sending overnight, I'll
pm you tomorrow
[3:18:45 AM] DB: i can only go by the exchange rate of the
time i receive the payment
[3:18:58 AM] DB: and i need to be online, else i cant
exchange it immediately
[3:19:02 AM] DB: so please dont do that
[3:19:14 AM] M: ok
[3:19:17 AM] DB: thats risky
[3:19:34 AM] M: ill pm you tomorrow, ive got work
[3:19:51 AM] DB: ok
[3:20:01 AM] DB: oh
[3:20:15 AM] DB: what you can do is to send all your coins
to yourself
[3:20:42 AM] DB: that will put them all in one place
rather than being scattered all over the place likey they
are from mining
[3:21:29 AM] DB: view - show coins
[3:21:51 AM] DB: tools - preferences - use dinamic fees
and edit fees manually
[3:22:23 AM] DB: then click on the coins tab, select all,
rightclick - spend,
[3:22:37 AM] DB: pay to your own address and amount 'max'
[3:23:33 AM] DB: that helped for me when the pools still
payed out in 0.01g amounts. its like garlium has to
'consolidate' all the coins into one place, its weird
At this point there are far too many coincidences. What are the odds that a
German jewelry maker who accepts, mines, and trades garlicoin would have the same
account name as an entirely different individual within the same community who formed
the GarliXchange and robbed its users? Absurdly low. As you can see Rusti even
revealed himself and mentioned being robbed. Werner plays dumb, and has poor

answers as to why he provided a new wallet address for payment. It appears that he is
hoping the lack of a clear accusation means he is still safe from being identified.
Note the mention of “consolidating” coins into on place. This process can be seen
by investigating the wallets linked to the reddit account. This account used many wallet
address to combine payments and send them back to the same wallet.

Further Revelations

We had connected all of the accounts together apart from the Discord profile.
Each of these mentioned Silva-Aurea as well garlicoin and other crypto. The Silva Aurea
twitter account even followed several cryptocurrency profiles. At the very least, the
Benjamin Werner was more invested in crypto than he wanted to let on.
We tried cross-referencing the wallet address the Discord user had used to steal
the escrow insurance with the wallet addresses used by the reddit user when he was
buying games. Qubit was careful here. The wallet involved in the theft had been sitting
on the stolen coin since the crime was committed on February 1st. The reddit account
was using separate addresses for each new transaction, so we couldn’t establish a link.
If these two were the same individual, they were using many wallets and addresses in
order to prevent leaving a paper trail.
● Qubit (Discord) (addresses provided by escrows who had their insurance stolen)
Escrow wallet:
GWmRQQ4W4xB1BQqMnGQeMRnnbA4n3p9E1B
Alternates:
GNPShV6uwKB34DpaFHwKMJ88pne3m2v4Ae
Known mining wallet:
GPGSBC8HFt6Lqt4NNgHjBQjG2HJNx4Ldxk
● Qu8it (reddit) transaction IDs and wallets:
https://archive.fo/DtIWo
Wallet:
1. 1.5 sent twice on accident; requested return to
GaMSUqUiQBkXyCdDxw7T34Pv69es8T1cSU
1.5 sent from GR5DX26ucCbSAJL9UNTZV7tHgKnQi4e1Lv
(one-time use; transferred to himself)
1.5 sent from GY74dsvU6wBahDxRpdnSwvb1PAdpyW3p6M
(one-time use; transferred to himself)
2. 2 sent from GfRaUVomWr8rCrdPLz7bEp9bXnA6LWkaJn
(one-time use; transferred to himself)

3. 1.5 sent from GMoGL5eQ3KaENZCr2WZRnoKS5KTuBptyWq
(looks to be a mining wallet)
Hashes:
1. D36e1c707e60e3b21c39046d5806ad47680381c8cf6422b29acf803f7bc2d
477
5b8eda6785267ab3d69fa49b145f374380ae36c58700f17ed8ec5e2e619ab
ba3
2. f155135b5bd6f427431edd2ff07685ea435d95f618b2bb1de3193fda15d6eb
4e
3. C96e716b2033b5ba607fec3b2930357da8152cefc06afd2a690802957f199a
13
Many addresses tied to the reddit account were used only once to facilitate
payment for goods while also returning excess coin to other owned wallets within the
same transaction. For instance, looking at a 1.5 GRLC payment to a user for a video
game serial key, the account might pay 8.7 GRLC overall, sending 1.5 GRLC to the
seller and 7.2 GRLC back to himself through another owned wallet address.
Further digging revealed that this account is linked to a web of personal wallet
addresses that exist only to recieve X and send X to another wallet and so on. Each new
wallet has seemingly only one deposit and withdrawal, indicating they are simply being
used to launder garlicoin and obfuscate wallet ownership. Going deeper results in finding
a web of familiar wallet addresses moving small sums of GRLC back and forth from one
wallet to the next. Eventually, you might find a transaction where these coins are finally
consolidated (as detailed by Werner himself in his Steam chat with Rusti in the previous
section) with other laundering wallets and finally sent to mining wallets (evidenced by
hundreds of small payouts) with strange lump deposits and withdrawals of hundreds of
garlicoins. It is possible that Werner paid into the mining wallets of others, but in my
digging I wound up in the same wallets no matter where I branched off my search from
his reddit transactions.
No matter how far I went through the one-time use wallets, I’d always end up in a
loop with the same wallet addresses. He was paying himself over and over. I encourage
you to investigate the above reddit wallets and hashes and see how they send coin back
and forth to each other. When these addresses would finally consolidate, they’d take me
to the same mining addresses with hundreds of garlicoins being listed as received and
paid out.
I still didn’t have a link between the discord account’s wallets and the reddit
accounts wallets. But I could see clearly that the person I could identify as Benjamin
Werner, German jeweler, was going to great lengths to hide his trading behavior with
garlicoin. Publicly, he was only buying Steam games via reddit for 1.5 to 2 GRLC. It
appeared to me that he was using these transactions to help clean GRLC from other
wallets.

----------------------------------------------------------------------------------------------------------------------

Archive of web pages:
Twitter https://archive.fo/rK6Zu
Steam https://archive.fo/X8NJk
Reddit Account http://archive.fo/mGhJE
Reddit Comments http://archive.fo/eBXfm
Imgur http://archive.fo/VHzff
Silvia-Aurea http://archive.fo/7aQmS
Youtube account http://archive.fo/oT5yF
Youtube video http://archive.fo/AnmGi
Whois http://archive.fo/GDkKs
GoDaddy WHOIS http://archive.fo/YDxxv

http://globalnewsconnect.com/he-left-his-old-life-behind-to-create-something-absolutely-
beautiful/

https://twitter.com/Silva_Aurea_Art/following
https://silva-aurea.deviantart.com/ birthday
https://www.youtube.com/user/SettleDownPLS (from reddit)