Sam Williams was going about his business on Oct. 28, when he received a warning he has long anticipated. “We believe we detected government-backed attackers trying to steal your password,” an email from Google said about his work Gmail account.
Williams is CEO and cofounder of Arweave, a Berlin-based startup that has a censorship-resistant data storage network. “We’re trying to create a record of history that can never be altered or deleted, and will never be forgotten,” Williams told Fortune of his three-year-old tech project.
Arweave’s network today hosts nearly 350 applications, including blogging sites, social media services, and software code repositories. The venture, while tiny, has gained traction as an antidote to state censorship of online information sources, especially as some governments clamped down amid the coronavirus pandemic.
Arweave is, in other words, exactly the kind of venture that may find itself the surveillance crosshairs of a foreign intelligence agency. “I can’t say that it’s fantastically surprising that we eventually reached the point where authoritarian governments started to target the system,” Williams said.
Arweave’s chief technology officer, Jesper Noehr, received a similar red alert from Google on the same day as Williams. “Attackers may be attempting to compromise” your account, the notification read.
After receiving the alerts, Williams began piecing together a narrative, like a detective, about a recent series of unusual events spanning several months and continents. He said he believes the clues suggest who might be behind the hacking attempts.
While it may be impossible to learn the identity of the attackers with certainty—or whether they were, indeed, directed by an overseas regime, though Google reckons that to be the case—anecdotal evidence has Williams persuaded about the whodunnit.
“We can’t be sure that it’s China, but I’m telling you it looks to me an awful lot like it is,” Williams said.
Setting the Great Firewall aflame
As a mysterious virus tore through China starting at the end of last year, an outpouring of updates, hearsay, government criticism, calls to action, and other information—ranging from false to factual—about the disease known now as COVID-19 erupted across Chinese social media.
Government censors took notice. Almost immediately, services such as YY, a livestreaming site, and WeChat, Tencent’s so-called super-app, started blocking posts containing keywords and links to certain news sources, as Canadian researchers found.
Enter Arweave. Amid the tumult, some people used bots to crawl and copy posts likely to be banned on Chinese social networks, such as Sina’s Weibo, a Twitter-like service. Projects such as “Weibo uncensored” uploaded archives to the Arweave network.
Arweave debuted its “permaweb”—an indelible, tamper-proof version of the World Wide Web—two years ago. The technology is based on distributed computing and blockchains, the computer-engineering innovation behind digital currencies like Bitcoin. The network “spreads the data across tens of thousands of places in the world and then makes it available from those locations, like the web, except censorship-resistant and permanent,” Williams said.
The end result? Censors and authoritarian states “can’t memory-hole”—here, Williams borrows a term from the dystopian novel 1984 to mean “redact history”—”what people say.”
Arweave’s fanbase remains niche. Yet, the network is growing; more than a million pieces of data were added to it last month in total, up 23x from the same period last year. The development of even a small, passionate following could pose trouble to powers that be.
During quarantine, censorship-evaders weren’t the only ones taking notice of Arweave’s tech; venture capitalists paid attention too. Firms such as Andreessen Horowitz, Union Square Ventures, and the investment arm of Coinbase, the biggest U.S. cryptocurrency exchange, bought up $8.3 million worth of Arweave’s cryptocurrency tokens in March in hopes of their market value rising in time to come, as TechCrunch reported.
Arweave’s digital tokens underpin its business. Cryptocurrency rewards go to volunteers who run the project’s software on their computers, thereby bolstering the network’s capacity for data storage. Like many Bitcoin derivatives, the value of the speculative tokens is volatile. Their total market value today exceeds $91 million. (By way of comparison, the total value of all Bitcoin surpasses $250 billion; the entirety of Ethereum, another digital coin, is worth more than $40 billion.)
Everything was going smoothly until October. Suddenly, the team started to notice connectivity issues into and out of China that slowed data download speeds.
Then the situation got more serious. Williams said he learned that on Oct. 9, Chinese authorities quietly detained a prominent Arweave “miner,” a supporter of the network who lends computing resources in exchange for cryptocurrency. (Williams declined to reveal the person’s name, citing “physical security risks.”)
The Chinese agents apparently interrogated the miner and seized machines. Eventually, they returned the equipment on the condition that the miner abandon Arweave, Williams said.
That’s when the strange messages started to arrive.
Something smells phishy
On Oct. 20, two weeks after the detainment, Williams received an email purporting to be from the chief operating officer of a cryptocurrency exchange in China.
The message cited a “listing service agreement,” the kind of deal a cryptocurrency company may strike to get its token listed on a particular marketplace. “Please check out reviewed agreement,” the prospective business partner urged. “Our legal team made one change on redline and added our company name.”
Below that prompt, the email thread contained a message appearing to originate from Jesper Noehr, Arweave’s chief technology officer. “Could you update our agreement and send to” Williams?, the note asked alongside a document attached via Google Drive.
Something about the note seemed “slightly off,” Williams told Fortune. “The phrasing just wasn’t completely professional. It didn’t necessarily read like perfect English. The sentence structure didn’t feel quite right.”
So, Williams took no action.
But a couple hours later, Williams received another odd request. An email appearing to come from Sebastian Campos Groth, Arweave’s chief operating officer, asked “How does this work for us?” next to an accompanying Google Drive document.
The original message purported to be from one of Arweave’s most prominent investors. It claimed to contain a “partnership mutual NDA form.”
Williams, already feeling suspicious about the earlier note, again didn’t bite. But he wondered about the elaborate campaign.
The lures were highly tailored and targeted, designed to impersonate executives within and outside Arweave. The hackers used SendGrid, an email marketing tool owned by Twilio, to make the emails appear as though they were originating from people’s real email accounts.
A spokesperson for SendGrid told Fortune the company is “aware that bad actors” misuse its platform for phishing, and that it is “invest[ing] heavily in technology and people focused on combating online abuse.” After Fortune shared details of the phishing emails with SendGrid, the team said it “identified the traffic as malicious and immediately shut down the account” of the sender.
“We had theories at that time that this might be a more significant state actor potentially,” Williams said. “But we didn’t have anything that really tipped us over the edge at that point.”
Eight days later, Williams and Noehr received the government-backed hacking notifications from Google.
Falling down the memory hole
It’s unclear whether the alerts received by Arweave’s executives are related to the phishing attacks they detected on Oct. 20, or whether they’re the result of some other, unrelated scheme.
But the timing is highly suggestive. A spokesperson for Google declined to comment on individual cases related to its government-backed hacking alerts. However, guidance from Gmail’s official “help” forum notes that if a person receives such a warning, then Google believes attackers made attempts at account or computer compromise “within approximately the last month.”
Google sends more than 10,000 such alerts every quarter, the company said in another blog post.
An initial analysis of the phishing emails revealed a connection to a computer server in Pakistan, Williams said, while acknowledging, “that doesn’t really tell us anything.” Hackers typically launch attacks from compromised machines across various jurisdictions to obscure their tracks.
In Williams’s mind, all of the recent activity involving China seems more than just a coincidence. From the development of the Weibo uncensored project to the detainment of a miner, signs appear to point to Beijing as the culprit.
The attribution is, of course, based on purely circumstantial evidence. There’s no proof.
Oren Falkowitz, cofounder of Area 1 Security, a cybersecurity firm that specializes in anti-phishing tech, noted that being targeted by nation-state attackers can generate paranoia. Victims and investigators alike should never jump to conclusions, he said.
“Individual cyberattacks are never ‘snowflakes,’ they’re always part of larger campaigns,” said Falkowitz, a former U.S. National Security Agency hacker. “You’re one of 10,000 things that they care about, you just ended up on the list.”
The Chinese embassy in Washington, D.C., categorically denied any involvement in targeting Arweave. “The Chinese government’s position on cybersecurity is consistent and clear,” a spokesperson at the embassy told Fortune in an email. “We firmly oppose and combat cyber attacks of any kind. China is a staunch defender of cybersecurity.”
China isn’t the only country with a plausible reason to subvert Arweave’s network. The startup’s indelible databases contain records of articles that could upset the Kremlin. Iranian and North Korean hackers are, generally, known cryptocurrency looters who may be seeking to rob Arweave’s coffers. And there is no shortage of cryptocurrency scammers angling for financial gain by similar means.
Whoever is to blame, Williams isn’t surprised about becoming a target. “Frankly, we’ve always been expecting something like this to happen along the way,” he said.
Now Williams wishes to get the word out so people affiliated with the project can be on the lookout for future attacks and protect themselves. “The network is a threat to anyone that wants to censor history—and that’s basically it,” he said.