New York Times claims analysis of Bitcoin transactions proves some Macron e-mails are fake. This analysis is 100% wrong.

in #macronleaks4 years ago (edited)

An article in the New York Times, "Hackers Came, but the French Were Prepared" by Adam Nossiter, David Sanger and Nicole Perlroth, states that e-mails in the Macron leaks have been proven to be fakes, citing experts who claim there were discrepancies with Bitcoin transactions that appeared in linked e-mails.

These 'experts' are dead wrong. I'm going to show you why they're wrong and tell you how to find the evidence yourself so you can verify my claims. I'm also going to provide a little glimpse into what happened when I notified the writers regarding these errors.

It began when one of my co-workers asked me if I'd seen that someone proved the Macron e-mails were fake by analyzing Bitcoin transactions.

My interest was piqued. I found the New York Times article and quickly skipped to the part about Bitcoin:

Other leaked documents appear to have been forged, or faked. One purported to detail the purchase of the stimulant mephedrone, sometimes sold as “bath salts,” by a Macron campaign staffer who allegedly had the drugs shipped to the address of France’s National Assembly. But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organization, and others discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions.

I always double check these kinds of claims. Sure enough, Ars Technica had an article that repeated this claim

Multiple documents were proven to be forgeries, including one which appeared to be an invoice for a Bitcoin payment for mephedrone ("bath salts") to be sent to the French National Assembly. The Bitcoin wallet and blockchain transaction data was easily determined to be fake.

I was already familiar with these "bath salt" e-mails because @rebelskum had written about them here on steemit and had downloaded the torrent of the e-mails a few days earlier after WikiLeaks tweeted it.

If you want to download the e-mails, the magnet URLs are archived here. Don't know what magnet URLs are? Learn here.
Here's the magnet url for the torrent I'm referring to:


The torrent includes a folder with 4108 e-mail files.

The assertion that "transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions" was a little unclear to me so I decided to check the e-mails and see if I could figure out what Mr. Van Ess was talking about.

Henk is technically correct in noting that there are no Bitcoin transaction IDs (TXIDs) in the receipt however it's unclear to me why one would expect "Bitcoin transaction numbers" in the receipt.

For the people who have never paid with bitcoin, here's the way payment appear to work(also how most other Bitcoin transactions work):

  1. You order some stuff on their website.

  2. They send you a Bitcoin address and instructions on how to pay. (I will call this address the 'payment address'.)(e-mail 3618)

  3. You send Bitcoin to the payment address from an address you control.
    Screenshot 2017-05-11 16.58.20.png

  4. They confirm that you sent the Bitcoin. (E-mail 3602)

  5. They send you a tracking number once they've mailed the drugs. (email 3402)

There are actually a few more e-mail updates as well (basically the same as e-mail 3602, notifying buyer of updates in shipping status) but this is the gist of it.

Bitcoin transaction IDs (TXIDs) refer to the specific transaction that occurred.
ie: if I send 1 Bitcoin to's payment address from my Bitcoin address, there will be a transaction with a unique TXID broadcast to the entire Bitcoin network that shows my address being debited 1 Bitcoin and being credited 1 Bitcoin. (If these words are too jargony for you, read up on how Bitcoin works here)

Back to Mr. Van Ess' statement that, "transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions": presumably the e-mail in step 4 or 5 above is the 'receipt' that Mr. Van Ess is referring to. There are no Bitcoin transaction numbers in those e-mails. (Nor, to my knowledge, any of the other e-mails in the leak) There are some "order id" numbers in the e-mail which obviously correspond to numbers in's e-commerce payment system but these have nothing to do with the Bitcoin network.

The beauty of blockchains is that anybody in the world can confirm that the amount of Bitcoin in the receipt was sent. Because the leaked e-mails contain the payment address, I was able to check the history of transactions to the payment address. Sure enough, an amount of Bitcoin equal to exactly the amount requested by was sent to the payment address at the time of the e-mails.

Below are screenshots of the e-mails containing 3 Bitcoin payment addresses (There were 4 orders, 3 paid with Bitcoin, one apparently paid with Mastercard(e-mail 782)). And links to the transactions so you can verify yourself that the transactions are in the blockchain. (I'm linking to but there are dozens of other sites that allow you to explore the Bitcoin blockchain.)

E-mail #1690 | Bitcoin Transaction

E-mail #2714 | Bitcoin Transaction

E-mail #3618 | Bitcoin Transaction

As you can see, those transactions are 100% real and very much "in the public ledger of all Bitcoin transactions."

Having convinced myself the article was wrong, I decided to notify the journalists who wrote the NYT article via e-mail:

NYT E-mail #1:

Dear Adam, Nicole and David,
I read your story in the New York times titled, 'Hackers came, but the French were prepared'. As a citizen journalist and bitcoin enthusiast, I noticed a major error.
Specifically, this bit:"But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organization, and others discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions."
Henk's analysis is simply wrong. The bitcoin transactions are in the public ledger (blockchain). I really don't understand how he could have made this mistake but here is the proof:
[Here I included screenshots of the e-mails and transaction links just like above, I'm not reposting it to save space]
As you can see, those transactions are very much real and a part of the blockchain. I think you really ought to correct your article as Henk's analysis is provably wrong.
Thank you,

Nicole Perlroth sent me a reply pretty quickly:
Perlroth Reply #1:

Thanks Chris. We'll look into this. Can you tell me who you are and how you came to this analysis?"

This irked me because I'd just provided her with all the proof that anybody who understands Bitcoin would have needed to prove their article was wrong, or at least needed more than "a look". Who I am shouldn't have anything to do with it... but I played ball, told her what prestigious institution I work at and explained why I was initially interested in the analysis.

Anyways, after that e-mail I get another reply that really confused me:

Perlroth Reply #2:

Thanks Chris.
While you are correct that the block chain 1BrRnkcr1MXJQQLhJRLuEcj6VGaXgfKRyF exists and is referred to in the leaked document, the block number is not in the same leaked message.
In one analysis of the leaked messages, the Bitcoin block chain were too high, and could not be found. Another reading of the Bitcoin number, formatted a different way, shows a Bitcoin number that does exist but shows no corresponding transactions. Mr. Van Ess clarified as much in his interview, but unfortunately his quote was condensed Mto only elaborate on the first explanation.
But in other words, the transactions may exist but not the block. i.e. We can prove that they used a dollar bill. We can prove that people pay with dollars. But we can't prove that this specific bill was used for this specific transaction.
That said, if you do find block numbers and transactions in the same message, Henk Van Ess said he would love to compare his files with yours, since he did his utmost to get the oldest version of the Macron leaks and is not aware of any document where the block and transaction ID are mentioned together.
His email is [redacted].

Mr. Van Ess also tweeted what looks like a screenshot of the above e-mail. Apparently this tweet proves he's not "an idiot".

If you're familiar with Bitcoin, you'll realize that a lot of that message didn't make sense. It uses some Bitcoin jargon but out of context in a weird way.

First, "the block number is not in the same leaked message" and the rest of the "block number" stuff really had me scratching my head.

There are no block numbers in the e-mails. And the bitcoin addresses are absolutely in valid blocks. Otherwise they wouldn't be searchable on the blockchain and I wouldn't have been able to link to the confirmed transactions above.

At this point, I'm wondering if I'm the one who's high on bath salts. I mean, it's 3 prominent journalists and 1 expert against me, they seem very confident and I can hardly understand what they're writing. So I check Henk Van Ess's twitter to make sure I didn't miss something.

Here's the part that ties it all together. This tweet:
Screenshot 2017-05-11 17.49.17.png
It took me a long time to figure out what was going on here.

This is a screenshot from some sort of wallet (for non-Bitcoin people, wallets are files that store the secret password that proves you control a Bitcoin address or another cryptocurrency address). This screenshot is not a standard Bitcoin wallet, that much is for sure.

I googled around and figured out that delegate_pay_rate is a variable in BitShares. BitShares is an alternative cryptocurrency (also called altcoins). BitShares and Bitcoin definitely aren't the same thing and I don't think any Bitcoiner would ever mix the two up. (also, BitShares is at block number ~16,500,000 right now, so I'm fairly certain block 2,811,358 is valid. source)

Ok. So Mr. Van Ess is tweeting about BitShares and trying to say that a Bitcoin transaction is invalid or something? I still didn't know where this mysterious screenshot came from. (And he didn't want to tell me.)

The answer is it came from a different part of the Macron leaks. Specifically from Pierre Person's files. Again, the magnet URLs that WikiLeaks tweeted are archived here.

The magnet with this file is:


The file in Mr. Van Ess' screenshot has the filepath: [email protected]\5.Divers\Cryptomonnaies\BTS Wall\BitShares Wallet Backup.json
Screenshot 2017-05-11 20.52.01.png

This file has almost nothing to do with Bitcoin. Nothing to do with the drug e-mails. And at first glance doesn't appear to be fake. (It could be, I haven't checked thoroughly. If it is fake, it's not for the reasons Mr. Van Ess gave.)

Ok. So there you have it, New York Times quotes someone who is blatantly wrong. In multiple ways. He references things in e-mails that aren't there. Doesn't understand that the transactions are real and in the blockchain. Mixes up BitShares and Bitcoin. The list goes on...

NYT is claiming that specific Macron e-mails are fake without showing any evidence, citing a guy who's evidence is completely wrong.

And when someone sends them clear evidence that they're wrong, they barely even acknowledge it, and clearly didn't understand it, then give a completely incoherent explanation to defend their statements.

I believe this shows that the NYT writers do not sufficiently understand Bitcoin. If they are unable to evaluate claims as ridiculous as the ones made by Mr. Van Ess, I believe they should refrain from writing about Bitcoin-related topics.

Now the fun part: Do I think the bath salt e-mails are real or fake?

I think they're probably fake because I don't think anybody could possibly be stupid enough to order bath salts to the French National Assembly using their Gmail address and Mastercard.

That's my analysis/opinion. Not a fact. I haven't seen any irrefutable evidence one way or the other.

If they are fake, it's a very elaborate fabrication with a LOT of attention paid to detail. Hell, even the tracking numbers for the 'drug packages' in the e-mails appear to be valid.

It is, however, totally plausible that the Bitcoin transactions and tracking numbers are all of the hoax. (As well as metadata other oddities people are identifying in the Macron leaks.) For example, somebody could have sent packages to the same zip code in France in order to have verifiable tracking numbers in the e-mails.

Anyways, evaluate the facts for yourself. Make up your own mind. And don't just believe things because they're written in the New York Times.

If you want to read the "bath salt" e-mails, here's the e-mail numbers for the ones I found (with help from a few friendly redditors).

685 | 748 | 779 | 780 | 782 | 783 | 1528 | 1529 | 1607 | 1608 | 1658 | 1689 | 1690 | 2427 | 2428 | 2517 | 2518 | 2572 | 2573 | 2713 | 2714 | 3401 | 3402 | 3479 | 3526 | 3599 | 3600 | 3601 | 3602 | 3615 | 3616 | 3617 | 3618

If you have any questions or comments, please post them in the comments or e-mail them to wh1sks at keemail dot me.
If you want to collaborate on a project, please e-mail me.
If you liked this post, please donate to the Courage Foundation.
If you hated this post and want to frame me, please mail real drugs not that bath salt crap.

P.S. NYT should probably issue a correction.

At about 11AM EST on May 12 I sent the NYT writers and Mr. van Ess e-mails outlining the major problems I found with their analysis as well as a link to this post. As of 7:18 PM EST they have not replied.

Update: Mr. van Ess sent me an obvious non-reply via e-mail:

Tnx, meanwhile in Europe,

I lol'd when I saw this tweet. It directly conflicts with Nicole Perlroth's recent article. The first sentence of which is, "Hackers are discovering that it is far more profitable to hold your data hostage than it is to steal it."
Nicole. Please stop writing about Bitcoin and hacking.

Someone just pointed out that Foreign Policy cited a security researcher who said the Bitcoin transactions appeared genuine on May 5th. Beating me to the punch by about 6 days.

Update: Before publishing this post I exchanged several text messages with Sean Gallagher, who's story also wrongly claims that, "The Bitcoin wallet and blockchain transaction data was easily determined to be fake."

He seemed receptive, acknowledged that van Ess and the NYT writers "don't understand the difference" between Bitcoin and BitShares, and said he would verify my assertions so I took the time to send him instructions to find everything he needed in an e-mail.

Gmail screenshot:
Screenshot 2017-05-18 08.25.05.png

I was confident that Sean would eventually verify what I sent him and correct his story. After all:

Ars Technica innovates by listening to its core readership. Readers have come to demand devotedness to accuracy and integrity, flanked by a willingness to leave each day's meaningless, click-bait fodder by the wayside. source

It has been a week since I sent that e-mail to Sean. He hasn't replied and hasn't corrected his story.

I'll give Sean the benefit of the doubt and say the delay is because he's been busy. However, this is a matter of historical record and Sean has a duty to his readers to follow up on this.


Absolutely awesome! Glad to see you here on Steemit as well, and a follow to you!

Yep! Thanks, it was your posts that attracted me here!

Gotta say steemit left a great first impression. The UI is fantastic and it was easier to write/format a long post here than it would've be on reddit.

great work. i think you are correct and that the NYT has absolutely not idea how bitcoin/blockchain tech works.

henkvaness ʜᴇɴᴋ ᴠᴀɴ ᴇss tweeted @ 10 May 2017 - 22:11 UTC

My quote in @nytimes was edited… Some may think I’m an idiot :) I’m not. Here’s why:

henkvaness ʜᴇɴᴋ ᴠᴀɴ ᴇss tweeted @ 07 May 2017 - 17:46 UTC

#macronleaks claims drugsdeal in bitcoins. Proof is nonsense: block #2811358 doesn’t exist / latest block is #465304

Disclaimer: I am just a bot trying to be helpful.

Now please prove wrong he statement that the transaction are forget that are visible in a block from 2062. Or somewhere around that time. ;)

Who the heck cares if he bought that stuff anyway?

I did prove that statement wrong if you read the post carefully. The block he is referring to is a BitShares block, not a Bitcoin block.

And I don't particularly care whether or not he bought it. I care about accurate reporting in the media...

Congratulations @wh1sks! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received

Click on any badge to view your own Board of Honnor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

If you want to support the SteemitBoard project, your upvote for this notification is welcome!

Good stuff. Did Ars ever get back to you?