For me the whole affair started with a message from my friend and fellow Monero developer Leo: "Can you believe it? Somebody promises a large bounty for the best proposal how to bring down Monero." The link he had included pointed to a website in the Darknet, so I needed to switch to the Tor browser to access it. After reading the announcement it became clear to me why hiding behind strong anonymity was probably a good idea: You could easily see this as preparation of a criminal offense.
"Monero, beware! I am Mo-Nero, and I will burn you down!
I hereby announce a bounty of 1 BTC for the best idea how to inflict any kind of substantial damage on the Monero cryptocurrency. Find a way to let its price on the exchanges tumble. Tell me how to scare away as many open-source developers as possible from working on it so further progress will halt. Come up with a mean trick to close down their subreddit so the community looses the most popular place for discussing their beloved coin. Or how about a credible rumor about a bug in the code running their blockchain to shatter confidence in the currency?
Send your proposal to mo-nero@protonmail.com. Don't forget to include a Bitcoin address in case you win.
But consider: This is not a joke. This is no "what if" scenario contest for some harmless creeps. I WILL EXECUTE THE WINNING PROPOSAL. Therefore only ideas have a chance to win that I can actually pull through with reasonable cost, effort and probability of success.
To prove that I am serious and not just some lunatic writing nonsense as a pass time I will start soon the largest denial-of-service attack against the network of Monero nodes that ever took place.
All in all, better sell your XMR before handing me your best idea how to burn down that coin. You have been warned."
People joked on Reddit about this and tried to outdo each other with nonsensical ideas they wanted to propose, until the announced attack against the network really took place and made Monero almost unusable for several hours. That was also the day my brain started to work in earnest and after a while came up with an idea how to strike back.
"Hey Leo! I want to win that Mo-Nero bounty, and I need your help there."
"What? You want to submit an attack idea? Are you crazy? Programmed too much C++? Debugged through too many nights? Pizza overdose?"
I laughed. "No, nothing like that. I think I found a way how to win the bounty first and then turn the tables on Mo-Nero."
"Interesting" Leo wrote back. "Tell me more."
My approach went like this: Fabricate fake but convincing evidence about something that would, if really true, undermine confidence in Monero a great deal, submit that, hopefully pocket the 1 BTC bounty, and after Mo-Nero made the evidence public demonstrate it to be fake and clearly without any merit, to embarrass them and damage their credibility.
Leo was skeptical at first: "Well, sounds dangerous and is not guaranteed to work. But anyway, what is that terrible, terrible secret about Monero that we will reveal?"
"The NSA created Monero."
Fact is that to this day nobody knows where the technology behind Monero really came from. Somebody with a pseudonym of Nicolas van Saberhagen had published a so-called "whitepaper" towards the end of 2012 describing the cryptography that makes Monero so powerful, more or less out of the blue. That design had allowed to build cryptocurrencies that were much more private than the pioneer Bitcoin, with Monero becoming the most popular among them over time. Van Saberhagen never revealed their true identity.
The background story I had invented: The NSA and other US agencies like the CIA wanted an additional way to transfer funds to agents and certain "friends of the USA" around the world and saw cryptocurrencies as a possible tool for doing so. Bitcoin was considered first but then rejected as not private and secure enough, so the NSA created its own cryptocurrency with much better privacy to make the flow of funds virtually undetectable.
In a way this invented story was similar to the fact that the US government helped fund the development of the Tor network with substantial sums of money: A network for completely anonymous communication and with watertight security was a very valuable tool for the US secret services, regardless of who else would use it beside them.
Leo liked my idea: "Hah, I almost start to believe that NSA origin :) But what's your idea for the fake evidence? How will that look exactly?"
"I was thinking about constructing some fake e-mail exchanges: First some NSA big shot and an NSA cryptography guru mail each other to discuss the desired properties of the cryptocurrency to design, and later the crypto guy mails with the head of the internal dev team that implements the whole thing."
"Alright, sounds good. I think we could construct the necessary e-mail conversations step-by-step quite easily by posing as the persons involved and write each other corresponding mails in turn. I will be Saberhagen, of course."
I laughed reading this. "Of course, Leo van Saberhagen. You know more about the actual cryptography than me anyway, so that fits. By the way, for maximum damage of these revelations to Monero it will become clear that the NSA director insisted on a backdoor or at least a kill switch for the network that was never detected and is still in there."
And so we went to work.
After a few days we almost got carried away and invented more and more explanations with an NSA spin for things that had happened in Monero's true and well-documented early days:
Monero had not been the first implementation of the van Saberhagen technology; that honor went to a cryptocurrency called "Bytecoin". Well, did you know? First Bytecoin really was on track for release as the NSA coin, but then some developers from their team became greedy, went rogue, published the currency early and created so many coins under their own control to enrich themselves that Bytecoin became forever tainted and too problematic to use for the NSA.
Enter act 2: A dev called "thankfulfortoday" derived a fresh cryptocurrency from Bytecoin and called it "BitMonero". You probably guess it by now: Also from the NSA of course! A little later they started to act like a true asshole on purpose until a team of 7 open-source devs that had nothing to do with any secret service took the currency out of their hands and renamed it to simply "Monero". That team overlooks development to this day, to the delight of the NSA in a very good way and towards even greater privacy.
Later we deleted all those story ornaments again that only diluted the core message.
Leo reminded me that a final puzzle piece was still missing however: "How will we later demonstrate to the world that the whole story is fake from start to finish?"
"I saved our collection of e-mails once each day as it was growing piece by piece. If we publish that archive it should become pretty clear that we wrote everything."
"Not bad. But I think I have something better. Look at this:"
He had appended one of our invented van Saberhagen mails to his message. Its text carried a cryptographic signature now. Such a signature can prove who wrote a piece of text, allows to check that the text was not modified in any way since it was signed (otherwise the signature would become invalid), and also contains a timestamp. It's not clear from the encrypted signature alone who signed however - before you can check with somebody's public key whether a signature is valid or not you need to know which key to use.
I was intrigued. "Who has signed here?"
"I could get one of the most prominent and famous people of the Monero universe on board. He will sign all the Saberhagen mails for us before we submit them. The signature will later prove beyond reasonable doubt that the mails are new and fake. The whole thing is much to his taste, he accepted to help almost without hesitation."
"Splendid idea, but who?"
"Fluffypony."
Soon after this a rumor started to circulate why Mo-Nero hated Monero and its community: There had been a period of a few months when a fleet of around 5000 special-purpose machines dominated the "mining" of new coins, so-called ASICs, until those suddenly became completely worthless because the Monero developers put a new mining algorithm into service.
It seemed Mo-Nero had financed those ASICs and had not been able to break even until they became very, very expensive paperweights by the algorithm change. It was unclear however why they had waited so long until seeking revenge.
We finally submitted everything to Mo-Nero and started to wait.
Nothing happened. No attack, no news from Mo-Nero, nothing for weeks.
Until that day when Leo and I both received a short private message on Reddit:
"Dear rbrunner7, dear monerocat,
I have read with quite some amusement all your fabricated e-mails I am supposed to have written 10 years ago. Mo-Nero told me he would probably have used them if we didn't intervene and convince him to never start any attack against Monero again. The reason should be obvious. I thus count on your silence as well.
Nicolas van Saberhagen"
The message carried a signature. Guess whether it was valid or not.