The Case of the Missing $46 Million

One minute, Josh Jones had a fortune. The next, it was gone. Three months later, the FBI had a suspect: a ­­reclusive Fortnite-playing hacker kid from the GTA. The untold story of a historic crypto heist

Josh Jones had short brown hair, a dimpled smile and lots of money. He was a natural-born entrepreneur, the kind of guy who knew how to seize an opportunity at precisely the right moment. In 1996, before the internet blew up, he and three of his computer science classmates at Harvey Mudd College in Los Angeles County founded a company called DreamHost that operated servers and hosted websites. He also invested in Netflix before streaming took off. But he’s perhaps best known as an early adopter of cryptocurrency. In 2012, Jones bought more than $250,000 worth of bitcoin. At the time, the value of a single coin was less than $15. Before long, it hit $1,000, and his investment was briefly worth more than $15 million. Over the next two years, he stepped away from DreamHost, sold his shares and fully leaped into the lucrative if volatile world of crypto.

Back then, bitcoin was still relatively obscure, a niche obsession of tech enthusiasts and libertarians. The community of people who knew what cryptocurrencies were—and understood how they worked—was insular, and their infrastructure was crude. Roughly 70 per cent of all trades happened on a single exchange, a Japanese platform called Mt. Gox that was originally designed as an online market for trading collectible cards from the popular game Magic: The Gathering. As a bitcoin exchange, it was plagued with problems. In early February 2014, Mt. Gox announced that it had discovered “unusual activity” and halted withdrawals. Users could deposit and trade coins, but they couldn’t get their money out.

Jones spied an opportunity. He noticed that Mt. Gox users were panic selling their trapped bitcoins for a fraction of their worth. They might, for example, offer a full Mt. Gox coin in exchange for just 15 per cent of a regular bitcoin. Sellers got peace of mind and a bit of coin while buyers who trusted that the platform would resolve its problems believed they were making easy money. These trades were being negotiated haphazardly in online forums, and Jones wagered he could make some money of his own if he built a platform to match buyers and sellers, a sort of eBay for Mt. Gox.

The following weekend, he spent 12 hours creating a brokerage service to facilitate trades. As faith in Mt. Gox dwindled, his platform, Bitcoin Builder, exploded. Jones has said that Bitcoin Builder briefly processed more trades than any other exchange in the world. Taking two per cent off the top of every trade, he made up to $500,000 a day.

Mt. Gox didn’t last much longer. On February 28, its leadership announced that it had been breached by hackers who had, over time, stolen 650,000 bitcoins, then worth roughly half a billion dollars. The US Department of Justice later accused Alexander Vinnik, the founder of a Russian bitcoin exchange, of laundering some of the stolen funds, but it never pinpointed who was responsible for the attack. The news signalled the end for the long-ailing exchange, which filed for bankruptcy and shut down.


By one estimate, crypto criminals stole roughly $4 billion worth of digital currency last year alone

 

It was the biggest bitcoin debacle the world had ever seen, and Jones would spend the better part of the next decade fighting to get 44,000 coins, both his own and his clients’, back from Mt. Gox. Still, the collapse didn’t scare him away from cryptocurrencies. Six years later, he would be involved in another historic hack—only this time, he would be the target.

From the beginning, bitcoin had lofty goals. It was invented in 2008 by a person or group of people who went by the pseudonym Satoshi Nakamoto, and it was supposed to be the currency of the internet. It would transcend borders and central banks, relying instead on a special directory of users to keep track of coins and who held them. Its champions believed that it would be resistant to inflation and more secure than traditional money. An entire crypto ecosystem emerged, with thousands of coins that ran the gamut from legitimate to loony.

For all its theoretical promise, however, crypto has always had a practical problem: Where do you keep it? Crypto owners commonly store their coins in digital wallets, applications that they can access through private keys consisting of 64 random numbers and letters (or a simplified sequence of 12 random words). Without those keys, no government, bank or company can take away their coins. Enthusiasts see this as crypto’s defining feature, but it’s also its biggest bug. If you keep your key on a piece of paper, as many bitcoin owners do, you risk losing it. The same goes for those who store their keys on flash drives or other external storage devices. A man in the United Kingdom has spent the better part of the last decade fighting for permission to search his local dump for a hard drive that holds the key to half a billion dollars worth of bitcoin—he accidentally threw it away. Some crypto owners opt not to handle their coins themselves and instead leave them in the hands of exchanges like Binance or Toronto-based Coinsquare. But, in crypto circles, that’s considered risky too. As Mt. Gox proved, exchanges can break down, they can get hacked, they can implode unexpectedly. When the co-founder of Canadian crypto exchange ­QuadrigaCX was reported dead, 115,000 users lost their coins—apparently, he was the only who could access them. Chainalysis, a crypto research company, estimates that roughly a fifth of existing bitcoins, with a value of more than $175 billion, have been lost.

A lost bitcoin is usually gone for good. Misplacing a private key isn’t like losing a debit card. There is no bank to call, no bitcoin customer-service line to contact. And crypto transactions are generally irreversible, so coins that are stolen are often impossible to claw back. That’s partly what has attracted cybercriminals to this world. Chainalysis estimates that thieves stole roughly $4 billion worth of digital currency in 2021, more than five times the 2020 total.

Many of those bandits thought their crimes would be untraceable because digital wallets are usually untethered from individual identities. But, in recent years, law enforcement has become better at tying crypto crimes to their perpetrators thanks to a deeper understanding of digital currencies and their underlying technology, blockchain. Whereas cash is typically overseen by a central bank, crypto is usually created and coordinated through a process called mining, which involves millions of purpose-built computers across the globe. Anyone can buy such a computer and become a miner. In bitcoin’s case, miners record all new transactions in a so-called block every 10 minutes or so. Together, those blocks create a ledger, or blockchain. Once blocks are on the chain, they’re final and unalterable. You can add one, but you can’t take one off.

That means, for every stolen bitcoin, there is a digital trail revealing which wallet it came from and where it went. In some instances, the funds can be linked to an account with a known owner. In others, courts can subpoena who owns what, because some countries, including Canada and the US, require exchanges to log that information. Sometimes, police can determine a criminal’s identity through investigative work. But, as Jones would discover, stolen crypto can be moved through multiple accounts multiple times, making the guilty party extremely difficult to pin down.

On the evening of February 21, 2020, Jones lost service on his cellphone. At first, he must have been confused. He couldn’t make a phone call or send a text. Then he became suspicious. What if this wasn’t a glitch but an attack? He checked his digital accounts, where he kept more than $46 million worth of bitcoin and an offshoot currency called Bitcoin Cash. He panicked. The money was being drained out of his accounts right before his eyes. All he could see were the strings of random characters indicating where the coins were being transferred. They could belong to anyone, anywhere in the world.

Jones eventually reported the theft to the local branch of the FBI. The US Secret Service also got involved, trying to figure out who had committed the crime—the largest amount of cryptocurrency that anyone had ever stolen from an individual owner. But, for all their power, expertise and resources, none of the investigators yet knew whom they were hunting: a Fortnite-obsessed 17-year-old kid from the GTA.

The boy thought to be responsible for the heist was born in 2002 and spent his childhood moving around southern Ontario. Life was not easy for Rodney, as I’ll call him. (He cannot legally be named because he was a minor when the crime occurred.) His parents were under constant financial strain and broke up when he was a baby. His mom, who had custody, moved into cheaper accommodations and borrowed money from her parents to get by. She later experienced depression and struggled with an autoimmune disease and chronic pain that limited her ability to get around and hold a job. She claims that Rodney’s father occasionally failed to pay child support. He also flouted an agreement that allowed him to see his son every other weekend. In the summer of 2013, when Rodney was 10, his father refused to return him to his mother. His parents and their families fought over the matter for days until Rodney’s mother submitted a handwritten complaint to the court. Finally, a judge ordered police to bring the boy back home.

Rodney was eventually diagnosed with ADHD. Apart from a handful of childhood acquaintances, he had few friends—at least in real life. He spent much of his time online, often immersed in video games. In the digital realm, he wasn’t bound by the circumstances of reality: his parents weren’t fighting, his mom wasn’t ill, he didn’t feel alone. On Facebook, he met another young gamer, whom I’ll call James, through a community of people who modified PlayStation 3 consoles. They bonded over their favourite games, including Fortnite. Rodney occasionally bought rare “skins,” graphics that changed the appearance of his characters, and resold them for as much as $900.

At some point, he graduated from selling skins to the world of cybercrime. His online friends introduced him to SIM swapping, which involves fraudulently transferring a victim’s cellphone number to a SIM card that the perpetrator controls. “Simmers,” as they call themselves, typically employ one of a few techniques. They might call a telco posing as their target, claim they lost their phone and ask that their number be assigned to a new SIM card. They might bribe a telco staffer. Or they might break into the system and make the swap themselves.

To steal a phone number is to steal an identity. Once a hacker gains control of a victim’s number, they can change passwords—to bank accounts, social media profiles, photo-sharing apps and more—by requesting one-time reset codes, which are often sent via text message. They can then impersonate their victims online, access their private information, take their money and swipe rare usernames. Some OG names—for example, the handle @6 on Twitter—can sell for thousands of dollars, if the hackers don’t opt to keep them for themselves as trophies. Sometimes, simmers attack just to prove they can—“for the lulz,” as they say.

As Rodney delved deeper into the simmer-sphere, he got to know a collection of notorious figures from the hacking world, almost all of them males in their teens and 20s. His friend Nima Fazeli, a Floridian better known as Rolex, was charged in 2020 for his alleged role in hijacking more than 100 high-profile Twitter accounts, including those belonging to Joe Biden, Bill Gates and Elon Musk. The perpetrators tweeted out links to a bitcoin account, promising to double any money that people sent in; the scam reportedly netted them more than $100,000 before they were caught. (Fazeli denies the charges.) Police say that another of Rodney’s contacts, Joseph O’Connor, a baby-faced recluse who went by PlugWalkJoe, participated in the same scheme and also hacked the accounts of TikToker Addison Rae Easterling and actor Bella Thorne, threatening to release nude photos of the latter if she didn’t give him and his friends a shoutout on social media. (Thorne released the photos herself to thwart them.) Rodney also got to know an Iowan named Colton Jurisic (a.k.a. Forza) and UK resident Corey De Rose, two members of a hacking collective called the Community who were charged for reportedly stealing tens of millions of dollars through SIM swaps.

Eventually, Rodney connected with the Chuckling Squad, a simmer ring that would break into the accounts of A-listers like Mariah Carey, Adam Sandler and Twitter founder Jack Dorsey. Rodney’s chat logs show that, on August 24, 2019, the squad enlisted him to help them hack their next “targ,” as they called their victims: Adam Dahlberg, an American YouTuber and video game streamer better known as Sky Does Minecraft. The Squad would handle his telco while Rodney’s job was to get a blank SIM card, put it in a phone and, once they’d gained control of Dahlberg’s number, share the codes that appeared on his screen so they could reset his passwords.

All went according to plan at first. But, shortly after the members of the Chuckling Squad gained control of Dahlberg’s number, they ran into a problem. Dahlberg used two-factor authentication, an added security measure. To break in, they’d need access to a special app on Dahlberg’s device, like Google Authenticator. As the hackers fumbled to break into his accounts, Dahlberg probably noticed something was amiss and called his service provider to regain control of his number. Within minutes, the squad lost access. The heist was a bust.

Rodney was bitter and frustrated. In the squad’s group chat, he wrote, “yall really wasted my time.” He’d watched his acquaintances earn riches and prestige by pulling off flashy hacks. He no doubt dreamed of the same thing—a big score that would make him somebody in his online world.

In crypto circles, people often paraphrase Fight Club: the first rule of having lots of crypto is that you don’t talk about having lots of crypto. Josh Jones, who has described himself as having a huge ego, ignored that advice. He openly discussed Bitcoin Builder’s success in the Wall Street Journal, and he’s been publicly labelled a “bitcoin billionaire” on multiple occasions. That was evidently enough to attract the attention of a hacker in search of a mark.

Police claim that, roughly six months after the failed ­Dahlberg hack, Rodney launched a SIM swap on Jones, gaining access to his phone number and initiating a series of transactions that would transfer $46 million worth of crypto out of his accounts. Jones, who quickly pieced together what was happening, thought there was a chance, however slim, that he could intercept the transfer. When crypto moves from one account to another, it usually needs six “confirmations” to be considered finalized—that is, five more blocks need to be added to the block containing the transaction. When Jones caught wind of the cyberattack, at least one of the transfers wasn’t yet final. He believed there was still time before his money was whisked away.

Jones began posting a series of frantic messages in the niche crypto corners of Reddit, appealing to the community of people who operated crypto-mining machines to stop the transactions. He shared the address of his digital wallet, along with proof that he owned it, and hoped that someone would find the offending transfer and intervene. “Help help help,” he wrote. “Big reward obviously.”

Within minutes, however, the transactions went through. Jones’s desperate Reddit posts, intended to solicit assistance, instead elicited ridicule. Commenters pointed out that Jones could have stored the keys to his crypto offline, where they would have been safe. Instead, he’d evidently chosen to store them in a way that was accessible via the internet and vulnerable to hackers. “Imagine doing this despite many similar stories of people getting fucked,” one Redditor wrote. Jones had struck gold capitalizing on the fact that people had stored their crypto in risky, hack-prone locations like Mt. Gox. Now, he’d lost millions making a similar mistake.

Soon after the heist, Rodney moved out of his mom’s place and into the basement unit of a red-brick semi in Mississauga with his gamer friend James. James took the bedroom by the front entrance; Rodney moved into the room at the back. Over the next several weeks, his life became a cliché of teenage boyhood: smoking weed, playing video games and ordering UberEats. It was, in its own way, a peaceful existence.

Something, however, was amiss in Rodney’s world. He had pissed off someone, and in the weeks following the hack, Rodney was exposed to the cruel whims of the internet. In early 2020, someone, perhaps a rival hacker, “doxxed” him, publicly posting his personal information online. Later, he was “swatted”—a tactic in which someone reports a fake crime at a specific address so that police raid the location. The point is to intimidate or inconvenience the target. Last year, two teens swatted a 60-year-old grandfather after he refused to relinquish his coveted Twitter handle, @Tennessee; he had a heart attack and died when the cops descended on his home. In Rodney’s case, the unknown caller accused him of beating his girlfriend. At 2 o’clock one morning in late April, two police officers arrived at Rodney’s apartment. When James let them in, they found no girlfriend, just two guys in their man cave. The officers spent 53 minutes talking to Rodney and James, drew a map of the apartment, and then left without making any arrests or laying any charges. If Rodney was indeed the one who stole Jones’s crypto, he must have breathed a sigh of relief. The police seemed to know nothing about it.


Police say Rodney used some of the stolen funds to buy the PlayStation username “God.” That gave them the lead they were waiting for

 

To keep such a colossal heist under wraps, a hacker needs to be disciplined. Surely, investigators would be tracking the funds flowing out of Jones’s accounts for clues that might reveal the perpetrator’s identity. Cybercriminals often put stolen coins through money-laundering tools called “mixers,” which pool ill-gotten funds with other people’s cryptocurrency over and over to obscure their owners and origins. But there comes a point in every crypto theft when the culprit has to decide whether to start spending the spoils. After all, why steal $46 million if you’re never going to use it?

Police claim that, in the months following the hack, Rodney bought the PlayStation Network username “God”—a very OG handle—which is said to have cost him $50,000. He didn’t know that law enforcement was still following the money. They had also received numerous tips about the heist. Mixers may have obscured the money trail, but they’re not a sure-fire method of evasion. According to police reports, the purchase finally gave investigators the lead they had been waiting for. The PlayStation Network account was linked to one of Rodney’s previous addresses.

At dawn on May 14, 2020, a tactical team from the Hamilton Police Service banged on Rodney’s door, stating that they had a search warrant. There was no time for Rodney or James to answer—police rammed the door in, sending shattered glass across the apartment floor. Then came a stun grenade, loud and blinding. They ordered James to lie face down with his hands behind his back. Then they sent in dogs and apprehended Rodney. The officers confiscated their electronics and took the young men away.

By the time police left the scene, the apartment was in shambles. The front door was caved in, and the outer screen door was shredded. A broken doorknob lay on the floor, not far from a black mark left by the stun grenade. Altogether, the landlord estimated that the unit would need $10,000 in repairs. Hamilton police, who declined to be interviewed, refused to pay for the damage, stating that they cover costs only if a suspect is not present when they execute a search warrant. It’s unclear why they employed such a heavy-handed approach against a minor being investigated for nonviolent offences. Perhaps, after the earlier complaint of domestic abuse, they didn’t want to take any chances.

Rodney is just one of many accused hackers and crypto criminals who have been arrested in recent years. Between 2019 and 2021, his online acquaintances—Rolex, Forza, PlugWalkJoe and others—were all separately charged or convicted. In a civil suit that echoed Rodney’s case, a 15-year-old hacker from New York was accused of stealing $30 million worth of digital currency from another crypto tycoon. Many of these perpetrators probably thought they were uncatchable: anonymity was one of cryptocurrency’s great promises. Their arrests shattered that myth.


Police have recovered only $7 million, a fraction of the stolen bitcoin. If Rodney has access to it, he’s sitting on a fortune that he can’t spend

 

Rodney faces two charges: theft over $5,000 and possession of property obtained by crime. His case has meandered through the courts for two years with no conclusion, and he is currently out on bail. If convicted, he faces up to 10 years in prison unless a judge decides to go easy on him because of his age.

Regardless of whether Rodney is convicted, it will be difficult for Jones to retrieve his money. Police chose not to announce Rodney’s arrest for a year, reasoning that disclosing details of the hack would hinder their investigation into the stolen funds. In November 2021, they said that they had so far recovered only $7 million, a fraction of the $46 million that was stolen. I asked Blockchain Intelligence Group, a Vancouver-based firm that traces crypto transactions, if it could find out where the rest of Jones’s fortune is located. It confirmed that the funds went through at least two mixers and hundreds of transactions, but it could offer no further information with any certainty.

Police are most likely trying to recover the missing funds, monitoring suspicious accounts in case they are used again. If Rodney has access to them, he’s sitting on a fortune that he can’t readily spend, and he isn’t the only one. In Germany, authorities are watching the accounts of an imprisoned hacker who refused to hand over his crypto keys. Like Rodney, he may never be able to safely cash out. If Rodney is convicted, he may one day have his youth record sealed, but he will always be a marked man.

Jones, who did not respond to multiple interview requests for this story, seems to have moved on. He bought an airline as well as the animated film rights to Groo the Wanderer, a fantasy comic book series he’d loved since he was a kid. He also purchased a $34-million mansion in Santa Monica from the CEO of Playboy after Justin Bieber passed on the place; it’s Jones’s fifth property, along with a plum oceanfront home and a Cape Cod–style house, both also in Santa Monica. Apart from his original Reddit posts, which he has since deleted, he has never spoken publicly about the hack. He seems to be lying low, finally abiding by the first rule of having lots of crypto.


This story appears in the July 2022 issue of Toronto Life magazine. To subscribe for just $24.99 a year, click here. To purchase single issues, click here.