The Tulip Trust is fake.

Sam Williams
5 min readSep 4, 2019

--

Here are 3 reasons why.

Craig Wright’s story involves a Trust document between himself and David Kleiman created in June, 2011. This Trust was supposedly superseded by more formal Trusts, but this article will only focus on this first Trust document. This original Tulip Trust has recently been defended by Eli Afram as not sufficiently proven to be a fake. I will show that it is undeniably a fake, and Afram is either complicit in the lie or just a willing pawn.

The original documents are available at this link. The file called “requested_attached..rar” contains the same .msg file submitted by Wright’s team as part of discovery. That file includes three attachments: the original Tulip Trust PDF (Tulip Trust.pdf), a PGP signature for that file (Tulip Trust.pdf.asc) and a PGP-encrypted .tar file (Tulip Trust.pdf.tar.asc). The PDF’s signature correctly validates the PDF file against “David A Kleiman”’s public key. While there are no obvious errors with dates and times, there are several undeniable mistakes that prove this is a forgery.

The Tulip Trust PDF was actually signed by “David A Kleiman”’s PGP key, but not actually in 2011.

Reason Number 1: the GnuPG version headers indicate the document was signed after 2013

Dr. Matthew Edman described how the GnuPG software would include the full version number during the time period when the Tulip Trust was supposedly signed. For example: “Version: GnuPG v2.0.22”

The change to emit only the major version was made in late November, 2013, and released in mid-2014.

Change to only emit major version (eg — Version: GnuPG v2)

The armor version in both .asc files contains only the major version.

GnuPG v2 would have been emitted after late 2013

While the version number itself is not signed, it is unbelievable that someone would manually edit the number to remove the minor version. This shows that the signature was not actually made until at least late 2013, and the key did not belong to David Kleiman.

Reason Number 2: three of the PGP keys referenced in the Trust document are backdated

Wright’s keys were not updated.

This argument has been around for a while. However, the rebuttal given by Craig Wright has been thoroughly debunked. In a nutshell, the evidence is that the keys referenced in the Tulip Trust have certain algorithms in a certain order that were incredibly unlikely to have been present at the time they were created. Wright’s paper argued that the keys could have been updated at a later time. However, updating a PGP key to include a different set of those algorithms would re-sign the key, and update the timestamp to match when they were updated and re-signed. This did not happen with Wright’s key, so we know they were not updated. They were just backdated to 2008.

Additionally, Wright’s key includes a signed User ID Packet:

Email with domain integyrs.com supposedly signed in January 2008.

The signature was supposedly created on January 17, 2008 using an email address of craig@integyrs.com.

However, the domain integyrs.com did not exist until April 26, 2009.

domaintools history for Integyrs.com

The business itself was not registered until May 11, 2009.

Integyrs business registration

Either Wright somehow knew that he would use that email address almost a year and a half before he bothered to register it, or the key was not actually created in 2008.

Reason Number 3: the emails and PDF files containing the Trust files were forged

As part of the discovery process, Wright turned over a number of PDFs and emails relating to the Tulip Trust. These have all been shown to be forgeries. An excellent detailed summary of the recent court proceedings can be read here. Basically, the PDFs contained metadata that included email headers which showed the message was actually sent from Wright to himself in 2014.

In addition, the PDFs also had metadata showing the PDF document itself was modified to change the text to indicate the message was sent in 2011 instead of 2014.

From wizsec.

Finally, Dr. Edman analyzed a .msg file and found it, too, had been forged.

Unix Timestamp (with milliseconds) highlighted.

It includes a Unix timestamp on the receiving SMTP server ID. The timestamp is October 24, 2012 in UTC. This indicates this .msg file was simply modified from an existing .msg file around late 2012.

However, Eli Afram’s version of the .msg file does not seem to include that timestamp.

Eli Afram’s version seems to be a truncated and modified version of the ‘original’ .msg file

His version does not include many of the header fields from the .msg file submitted by Wright. Also, the Message-ID is completely different. Finally, the timezone of the Date field indicates a UK timezone, when the ‘original’ .msg header indicated a timezone consistent with Florida, where Kleiman lived.

The question is, why is Afram talking about this new .msg file and throwing around accusations that Wright did not get a chance to submit it as evidence?

Is he lying or is he simply a willing pawn?

Many thanks to @jimmy007forsure and @wizsecurity

--

--