Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- GERMAN JEWLERY MAKER... OR GARLICOIN THIEF?
- How a random German guy stole hundreds in cryptocurrency, and almost got away with
- it.
- A tale of garlic, jewelry, and vigilante justice.
- By bush
- The Stage
- It was the perfect crime: capitalize on a budding cryptocurrency, gain the trust of
- its community, then vanish with hundreds of dollars worth of... Garlicoin. An upstart
- crypto, Garlicoin had been hyped up before its launch by a wave of internet memes on
- Reddit. Intended as a joke and introduction to cryptocurrency mining, Garlicoin was an
- overnight success. It wasn’t long before it developed a burgeoning community, and more
- importantly, a veritable economy.
- Cryptocurrencies have no intrinsic value; one garlicon is worth only as much as
- someone will pay for it. The first trades were for sheer humor. A pizza delivered in
- exchange for garlicoin was considered a landmark event. Then the odds and ends; extra
- video game serial keys, Garlicoin decals, the occasional broken-down car. Suddenly,
- people started buying it. Garlicoins were selling for as much as $3.50 just days after
- launch. By the time it was listed on an actual exchange, a massive community had
- developed on the chat platform, Discord. Users were trading garlicoins for other
- cryptocurrencies, cashing out for USD, or bartering with random items. It wasn’t long,
- though, until an undesirable element arrived on the scene.
- Discord user “Qubit” founded the GarliXchange chat group not long after the
- currency’s launch. It offered users a place to gamble their garlicoins in online dice
- games, a lottery, refer friends for rewards, and most importantly, facilitate trade within
- the group by offering an escrow service. Acting as a 3rd party they insure that buyers
- and sellers don’t scam each other. In the world of crypto, they are a necessity. No one
- wants to use a middleman they can’t trust, and Qubit knew this. He found escrows with
- large amounts of verified trades and excellent rapport with the community. Up until its
- demise, the GarliXchange was a reliable place to setup and execute trades.
- Qubit also knew that he needed to gain the trust of these escrows, because that's
- how he was going to rob them blind. With an escrow service, the middlemen send crypto
- to other users as insurance in the event that they try to run off with someone’s money in
- the middle of a transaction. If an escrow stole coin and disappeared, the person holding
- the insurance could reimburse the victim. Escrows were expected to put up insurance as
- it would prevent them from scamming users. On the GarliXchange market, Qubit himself
- would hold the insurance payments.
- He allowed his little empire to grow. The escrows became well-liked and trusted
- by the community. They increased their insurance payments to Quibit as they processed
- larger and larger transactions for the community. At one point I was referred to
- GarlicRiver, an escrow that was eventually robbed by Qubit. I was trying to cash out and
- was looking to sell around 45 garlicoin, or about $90 worth at the time. GarlicRiver told
- me he had put 50 garlicoin into his insurance arrangement with Qubit, and the other
- escrows had similar collateral in place. In total, Qubit was holding on to over 200
- garlicoin that didn’t belong to him from his escrows.
- The Heist
- Garlicoin had only launched on January 21st. Qubit fled with the insurance
- money a mere ten days later on February 1st. The first news was a shocking reddit post
- from user “Jolteon” regarding Qubit scamming and then banning them from the
- Garlixchange. A suspect user “fantasalad” had suggested Qubit act as the middleman in
- their trade. When Jolteon sent his 100 garlicoin payment to Qubit, he was quickly
- banned server. He made a reddit post detailing what happened, and within hours, the
- server had been wiped from discord. Qubit had fled with hundreds of garlicoins from
- both his escrows and at least one user.
- By February 2nd, one of the victims had written an article chronicling the events.
- “RoboShrimp” had been a recent addition to the Garlixchange escrow team, after one of
- them, “Freeze,” had cashed out his insurance deposit from Qubit with no problems on
- January 31st. Roboshrimp made an insurance payment to Quibit, who would vanish by
- February 1st. In this article, he details how Qubit had gained the trust of the escrows and
- community. No one seemed to see this coming. He had spent days putting hard work
- into his exchange and forming pretend friendships with a community he had created in
- order to rob.
- ● Jolteon scammed by Qubit acting as an escrow:
- https://www.reddit.com/r/GarlicMarket/comments/7um2o3/meta_the_garlixchang
- e_discord_server_is_a_hoax/
- ● RoboShrimp scammed by making insurance deposits to Qubit to become a new
- escrow:
- http://www.grlc.press/page.php?id=3
- The Hunt
- In the aftermath of the theft, the escrows had been robbed of hundreds of dollars
- in garlicoin. A friend of mine, known as “TheMeriff” on discord had introduced me to two
- of them after inviting them to our group: “GarlicRiver” and “Rusti.” The two had a long
- history of verified work, and were in no way implicated in the theft. We began talking
- around 1:30 AM EST on February 2nd.
- We discussed the situation, and how they as well as many buyers and sellers
- has been quickly robbed by Qubit. I was reminded of a situation where TheMeriff got
- scammed. He posted a warning regarding the user in question, and someone managed
- to counter-scam that individual and return some of the lost garlicoin to him and other
- victims- stealing from the thief and returning what was stolen. In the world of
- cryptocurrency, there are no regulations, no laws, and no authority. There is no recourse
- for the theft of a digital currency. Except perhaps, for some vigilantism.
- Unfortunately for Qubit, he made a fatal mistake. The criminal mastermind used
- the same username as his discord account all over the internet, and led us into a web of
- intersecting clues. It took less than thirty minutes to find the bastard.
- The Trail of Clues:
- 1. Searching for “Qubit” yielded nothing, except that a qubit is a quantum computing
- term. I headed to twitter, and found “Qubit_mathangled,” who appeared to be
- quite interested in mathematics, patterns, algorithms- definitely within the scope
- of a crypto enthusiast. I asked the escrows if he expressed interest in these
- topics in their chats together. “Yes.” was the answer. I noticed some images
- pertaining to astronomy. I asked about it as well. I received the same answer. As
- coincidental as it was there was no identifying information; just the suggestion
- that Qubit might have used the same name in other places.
- 2. A reddit account was located by GarlicRiver that listed comments in garlicoin
- trading threads. We figured this was most likely the thief, but had no way to prove
- it, and still had some doubts. He noted that he had come across the account
- earlier, and asked Qubit if it was his before the theft occurred. Qubit had denied
- owning the account.
- 3. Rusti discovered a steam profile named “qu8it” on Steam. “Benjamin from
- Germany” was the only information. The escrows began to wonder if Qubit was
- German, and reasoned that it was possible considering the times he was
- available to chat with them. We noticed that this account was active in trading on
- the Steam marketplace, with positive reviews posted to the profile page. The
- reddit account had been involved in trading garlicoin for steam game keys.
- 4. I had been looking at the “qubit” account on imgur.com. Imgur is generally tied to
- reddit accounts, so I assumed they were related. But it threw me for a loop;
- instead of garlicoin memes or mathematics pictures I found beautiful, handcrafted
- jewelry made with ornate wood inlays. This didn’t add up. I asked Rusti and
- GarlicRiver if Qubit ever said anything about jewelry. They laughed. Never,
- apparently. Some of the images mentioned “Silvea-Aurea” and discussed sales.
- 5. Naturally, I headed to Silvea-Aurea’s website. It was the same jewelry as seen on
- imgur. I visited the about section and found:
- “Silva Aurea stands for exclusive hand-made jewelry, great attention to
- detail and the seamless combination of precious metal with wood. The focus lies
- on turning your requests into the perfect custom jewelry. Silva Aurea jewelry is
- made in germany by goldsmith Benjamin Werner.”
- 6. Benjamin Werner. “Benjamin from Germany.” Too many coincidences. In the top
- right-corner of the site I found language options: English, or German. TheMeriff
- did a WHOIS lookup, which tells you information about who owns a website. It
- revealed that the Silvea-Aurea site was hosted by GoDaddy.com. Rusti located a
- WHOIS service run by GoDaddy for its own servers, which listed Benjamin
- Warner as the owner of the site, as well as revealing his location and personal
- contact information.
- We felt like we had done it. But we also wondered if we were about to ruin
- some random German jeweler's life over sheer coincidence. Then again, how
- likely was it that there were two users named “Qubit” both on Reddit and Discord
- within the niche Garlicoin community? Not very likely, it turns out. We had missed
- something. I had questioned the “qu8it” imgur account because it seemed like it
- had nothing to do with garlicoin. When I revisited the reddit account in question, I
- looked at the post history rather than the long list of recent comments regarding
- garlicoin.
- It was the smoking gun. There I found the imgur posts selling Silvea
- Aurea jewelry. Right there, trading and discussing garlicoin on the very same
- account, with the very same username as the thief that ripped off and then
- deleted his own market exchange. This was 95% our guy, and it only became
- more obvious from here on out.
- Sources:
- 1. Qubit_mathangled or @qubit_entangled on twitter:
- https://twitter.com/qubit_entangled?lang=en Mathematics, patterns, astronomy
- https://archive.fo/rK6Zu (archive)
- 2. quBit or qu8it on Steam:
- https://steamcommunity.com/id/qu8it “Benjamin from Germany”
- https://archive.fo/X8NJk
- 3. qu8it on imgur:
- https://imgur.com/user/qu8it/index/newest Silva-Aurea handmade jewelry
- http://archive.fo/VHzff (archive)
- 4. Benjamin Werner/Silva-Aurea:
- http://www.silva-aurea.com/#/ main site (German language option)
- http://archive.fo/7aQmS (archive)
- http://www.silvia-aurea.com/#/about/ Benjamin Werner
- https://archive.fo/cMXda (archive)
- 5. GoDaddy WHOIS lookup of Silva-Aurea site:
- Benjamin Warner - Germany, personal info
- https://imgur.com/a/ZxbXq (image)
- https://www.godaddy.com/whois/results.aspx?domain=silva-aurea.com
- 6. The Smoking Gun:
- https://www.reddit.com/user/qu8it/posts/ - Silva Aurea jewelry
- http://archive.fo/mGhJE (archive)
- https://www.reddit.com/user/qu8it/comments/ - trading and discussing Garlicoin
- http://archive.fo/eBXfm (archive)
- The Confrontation
- At this point, Rusti decided to poke the bear. He emailed the account listed on
- the WHOIS lookup, and messaged the Steam account he had found earlier. He began
- asking “qu8it” about Silva-Aurea rings. Surprisingly, he responded and attempted to
- make a sale to Rusti. This confirmed that the Steam account (“Benjamin from Germany”)
- did indeed belong to Benjamin Warner. Their conversation indicates that Warner has a
- knowledge of crypto and even Garlicoin itself, willing to accept it for an engagement ring
- when queried by Rusti. He even admits to mining it. The full transcript is posted below.
- Some screenshots are provided to prove the authenticity of the chat.
- Steam chat between Rusti (M) and Benjamin Werner (DB) (2/2/18)
- M is Me, DB is DB
- M: Hey, this is MIchael, from the email
- DB: hi there
- DB: so what did you have in mind?
- M: I'm trying to propose to my wife
- M: I need something really beautiful
- DB: an engagement ring i suppose?
- M: That would be correct
- M: How much do you think it would be?
- DB: Were there any on the website that you liked?
- M: I'll go take a look again
- DB: http://silva-aurea.com/images/rings/oculus_gems_1.png
- DB: http://silva-aurea.com/images/rings/oculus_gems_2.png
- M: I really love that one, but I was thinking a bigger gem
- DB: you can also see prices after clicking on a picture on
- the website
- DB: do you like the wood at all or should it be one
- without wood?
- M: I think wood would be fine
- DB: it doesn't have to include wood if you're not too keen
- o on it
- DB: not a problem
- M: I like the way it looks
- M: Do you accept any cryptocurrencies?
- DB: So this one has a 2 millimeter diamond. If you make
- the diamond bigger, you either
- have less wood or a bigger ring head.
- M: I'd rather have less wood
- DB: Yeah, I'll accept crypto
- M: Any specific types? I recently got into this coin
- called garlicoin(Sounds stupid, I know)
- If you wanna look at it, I'll pay extra
- DB: Oh im mining garlicoin right now haha
- DB: but I'd prefer a more established coin
- M: Even if I paid extra?
- M: I hate tradesatoshi, and I currently only have GRLC
- DB: I guess I can exchange it myself then, sure
- M: How much would it cost?
- DB: so the one with the 2mm diamond is $440
- M: How much would I have to pay in GRLC, I don't want you
- to lose money to tradesatoshi fees
- DB: at the moment, that's pretty much 440GRLC
- M: Ok, how long do you think it would take to get done,
- and how much is shipping?
- DB: where are you located?
- M: Eastern US
- DB: thats $20 insured shipping
- M: Ok, I can do that
- DB: i'm fairly busy this month.. when did you plan to
- propose?
- M: I plan on doing it in June, that's her birthday
- DB: oh ok, that's plenty time
- DB: Within the next month then if that's fine
- M: That's perfect
- DB: do you know her exact ring size?
- DB: that's very important
- M: I have it written down somewhere, give me a few seconds
- M: She has a size 10 ring finger
- DB: left or right hand?
- M: Right hand I believe
- DB: it depends which hand you later want to wear the
- wedding ring on
- DB: the engagement ring should fit for the other hand
- M: So you need her left hand ring finger size? One sec
- DB: if you want to wear the wedding ring on the right
- hand, yes
- M: It is also size 10, lucky I guess lol
- DB: how do you know the size?
- M: I got it measured before Christmas for a holiday gift I
- got her
- DB: Did she have her fingers measured at a jeweler or did
- you take one of her rings to have it measured?
- M: I took her to a jeweler
- DB: It's just important to get this very exact, because
- changing ring size afterwards will be tricky
- M: I understand
- DB: i can do half sizes, quarter sizes, etc. as well
- M: I think a 10 will be fine
- DB: alright
- DB: As for the wood, did you like the light wood in the
- picture or would you perhaps prefer something else?
- http://silva-aurea.com/#/wood
- M: I think #7 would fit her
- M: It looks really nice
- M: matches her personality
- DB: here are some more not on the website:
- https://i.imgur.com/5kdXS3k.jpg
- M: Actually, Hawaiian Koa looks better
- M: I'll do that
- DB: that picture is actually way overexposed, so it's
- really a fair bit darker.
- DB: 1sec
- DB: the colors are more accurate here:
- https://youtu.be/fHSIdMtgsZM
- M: Yeah, I'll still do Hawaiian Koa
- DB: also have a look at 3:30 and 2:15
- DB: the 3:30 comes close to the color from the picture
- DB: and 2:15 just has a nice dense pattern which will be
- good since the wood surface in that ring is already so
- tiny, you won't see much of the pattern from other woods
- M: Yeah, I like the look of it
- M: I'm ready to pay I guess
- DB: its a learning process for me too
- DB: just make sure that in case grlc crashes you will
- still have the funds to pay the other half later
- M: I will
- DB: im very skeptical about grlc stability but that might
- jsut be me
- M: Ok, I'll send rn
- DB: ok let mek now the transaction id
- M: garlium is being weird
- DB: its the worst
- M: I know
- M: It isn't sending one sec
- M: This all started happening after this guy scammed me
- for some GRLC yesterday, goddamn him
- DB: aw
- DB: gotta be careful with that stuff
- M: Yeah, I deposited GRLC to him to be an escrow about a
- week ago, and he deleted his discord server Garlixchange,
- and took all of our deposits
- M: My friend GarlicRiver and I both worked hard for him
- and he just scams us
- DB: its very close to fall another 10% right now
- M: Wouldn't you hate a guy like that?
- DB: yeah that sucks
- DB: there are middlemen/escrow on /r/garlicmarket working
- for free/tips
- M: I know, I reported him in garlicmarket
- DB: i hope you didnt loose too much
- M: So, why don't you have a discord?
- M: His report is the top post on there wow
- DB: i do have the program installed i just dont like using
- it much
- DB: and im always available on steam so thats best
- M: True
- DB: oh, where did you find out about my work btw?
- M: Reddit
- DB: recnetly or longer ago?
- M: Recently
- DB: oh thats awesome
- DB: i didnt post in a long time
- M: Yeah
- DB: found an old post by chance?
- M: A friend told me about you
- DB: oh is it someone who bought from me before?
- M: Unsure, he just said your stuff is good
- M: So, where is the name DB from?
- DB: thats really cool
- DB: tell him grettings =)
- M: I will
- DB: oh i did the whole 8bit/chiptune music thing at one
- time and was looking for a name, thats what i found and
- liked
- M: Nice
- M: You know any coding languages?
- DB: i saw you mail address says something about youtube,
- you have a channel?
- M: Used to
- M: My main channel now is rusti, haven't used it in a
- while though
- DB: i dont know much about coding at all. i jsut do a
- little bit learning by doing on my website, editing html
- files and such
- (I ramble on here about Garlium not working, which is what
- he did to us)
- [3:15:23 AM] DB: garlium still not working?
- [3:15:27 AM] M: yeah
- [3:15:34 AM] DB: damn
- [3:16:16 AM] M: Why did you send me a brand new address?
- [3:16:18 AM] DB: so did you got all that grlc through
- mining?
- [3:16:53 AM] DB: its just the address it displays in the
- 'receiving address' field in garlium right now
- [3:17:00 AM] M: oh
- [3:17:05 AM] M: i did
- [3:17:22 AM] DB: it might make a new one everytime you
- start the program, im not sure
- [3:17:36 AM] M: I think it just switches the receiving
- address
- [3:17:49 AM] M: I'm gonna leave it sending overnight, I'll
- pm you tomorrow
- [3:18:45 AM] DB: i can only go by the exchange rate of the
- time i receive the payment
- [3:18:58 AM] DB: and i need to be online, else i cant
- exchange it immediately
- [3:19:02 AM] DB: so please dont do that
- [3:19:14 AM] M: ok
- [3:19:17 AM] DB: thats risky
- [3:19:34 AM] M: ill pm you tomorrow, ive got work
- [3:19:51 AM] DB: ok
- [3:20:01 AM] DB: oh
- [3:20:15 AM] DB: what you can do is to send all your coins
- to yourself
- [3:20:42 AM] DB: that will put them all in one place
- rather than being scattered all over the place likey they
- are from mining
- [3:21:29 AM] DB: view - show coins
- [3:21:51 AM] DB: tools - preferences - use dinamic fees
- and edit fees manually
- [3:22:23 AM] DB: then click on the coins tab, select all,
- rightclick - spend,
- [3:22:37 AM] DB: pay to your own address and amount 'max'
- [3:23:33 AM] DB: that helped for me when the pools still
- payed out in 0.01g amounts. its like garlium has to
- 'consolidate' all the coins into one place, its weird
- At this point there are far too many coincidences. What are the odds that a
- German jewelry maker who accepts, mines, and trades garlicoin would have the same
- account name as an entirely different individual within the same community who formed
- the GarliXchange and robbed its users? Absurdly low. As you can see Rusti even
- revealed himself and mentioned being robbed. Werner plays dumb, and has poor
- answers as to why he provided a new wallet address for payment. It appears that he is
- hoping the lack of a clear accusation means he is still safe from being identified.
- Note the mention of “consolidating” coins into on place. This process can be seen
- by investigating the wallets linked to the reddit account. This account used many wallet
- address to combine payments and send them back to the same wallet.
- Further Revelations
- We had connected all of the accounts together apart from the Discord profile.
- Each of these mentioned Silva-Aurea as well garlicoin and other crypto. The Silva Aurea
- twitter account even followed several cryptocurrency profiles. At the very least, the
- Benjamin Werner was more invested in crypto than he wanted to let on.
- We tried cross-referencing the wallet address the Discord user had used to steal
- the escrow insurance with the wallet addresses used by the reddit user when he was
- buying games. Qubit was careful here. The wallet involved in the theft had been sitting
- on the stolen coin since the crime was committed on February 1st. The reddit account
- was using separate addresses for each new transaction, so we couldn’t establish a link.
- If these two were the same individual, they were using many wallets and addresses in
- order to prevent leaving a paper trail.
- ● Qubit (Discord) (addresses provided by escrows who had their insurance stolen)
- Escrow wallet:
- GWmRQQ4W4xB1BQqMnGQeMRnnbA4n3p9E1B
- Alternates:
- GNPShV6uwKB34DpaFHwKMJ88pne3m2v4Ae
- Known mining wallet:
- GPGSBC8HFt6Lqt4NNgHjBQjG2HJNx4Ldxk
- ● Qu8it (reddit) transaction IDs and wallets:
- https://archive.fo/DtIWo
- Wallet:
- 1. 1.5 sent twice on accident; requested return to
- GaMSUqUiQBkXyCdDxw7T34Pv69es8T1cSU
- 1.5 sent from GR5DX26ucCbSAJL9UNTZV7tHgKnQi4e1Lv
- (one-time use; transferred to himself)
- 1.5 sent from GY74dsvU6wBahDxRpdnSwvb1PAdpyW3p6M
- (one-time use; transferred to himself)
- 2. 2 sent from GfRaUVomWr8rCrdPLz7bEp9bXnA6LWkaJn
- (one-time use; transferred to himself)
- 3. 1.5 sent from GMoGL5eQ3KaENZCr2WZRnoKS5KTuBptyWq
- (looks to be a mining wallet)
- Hashes:
- 1. D36e1c707e60e3b21c39046d5806ad47680381c8cf6422b29acf803f7bc2d
- 477
- 5b8eda6785267ab3d69fa49b145f374380ae36c58700f17ed8ec5e2e619ab
- ba3
- 2. f155135b5bd6f427431edd2ff07685ea435d95f618b2bb1de3193fda15d6eb
- 4e
- 3. C96e716b2033b5ba607fec3b2930357da8152cefc06afd2a690802957f199a
- 13
- Many addresses tied to the reddit account were used only once to facilitate
- payment for goods while also returning excess coin to other owned wallets within the
- same transaction. For instance, looking at a 1.5 GRLC payment to a user for a video
- game serial key, the account might pay 8.7 GRLC overall, sending 1.5 GRLC to the
- seller and 7.2 GRLC back to himself through another owned wallet address.
- Further digging revealed that this account is linked to a web of personal wallet
- addresses that exist only to recieve X and send X to another wallet and so on. Each new
- wallet has seemingly only one deposit and withdrawal, indicating they are simply being
- used to launder garlicoin and obfuscate wallet ownership. Going deeper results in finding
- a web of familiar wallet addresses moving small sums of GRLC back and forth from one
- wallet to the next. Eventually, you might find a transaction where these coins are finally
- consolidated (as detailed by Werner himself in his Steam chat with Rusti in the previous
- section) with other laundering wallets and finally sent to mining wallets (evidenced by
- hundreds of small payouts) with strange lump deposits and withdrawals of hundreds of
- garlicoins. It is possible that Werner paid into the mining wallets of others, but in my
- digging I wound up in the same wallets no matter where I branched off my search from
- his reddit transactions.
- No matter how far I went through the one-time use wallets, I’d always end up in a
- loop with the same wallet addresses. He was paying himself over and over. I encourage
- you to investigate the above reddit wallets and hashes and see how they send coin back
- and forth to each other. When these addresses would finally consolidate, they’d take me
- to the same mining addresses with hundreds of garlicoins being listed as received and
- paid out.
- I still didn’t have a link between the discord account’s wallets and the reddit
- accounts wallets. But I could see clearly that the person I could identify as Benjamin
- Werner, German jeweler, was going to great lengths to hide his trading behavior with
- garlicoin. Publicly, he was only buying Steam games via reddit for 1.5 to 2 GRLC. It
- appeared to me that he was using these transactions to help clean GRLC from other
- wallets.
- ----------------------------------------------------------------------------------------------------------------------
- Archive of web pages:
- Twitter https://archive.fo/rK6Zu
- Steam https://archive.fo/X8NJk
- Reddit Account http://archive.fo/mGhJE
- Reddit Comments http://archive.fo/eBXfm
- Imgur http://archive.fo/VHzff
- Silvia-Aurea http://archive.fo/7aQmS
- Youtube account http://archive.fo/oT5yF
- Youtube video http://archive.fo/AnmGi
- Whois http://archive.fo/GDkKs
- GoDaddy WHOIS http://archive.fo/YDxxv
- http://globalnewsconnect.com/he-left-his-old-life-behind-to-create-something-absolutely-
- beautiful/
- https://twitter.com/Silva_Aurea_Art/following
- https://silva-aurea.deviantart.com/ birthday
- https://www.youtube.com/user/SettleDownPLS (from reddit)
Add Comment
Please, Sign In to add comment