Sam Williams was going about his business on Oct. 28, when he received a warning he has long anticipated. “We believe we detected government-backed attackers trying to steal your password,” an email from Google said about his work Gmail account.
Williams is CEO and cofounder of Arweave, a Berlin-based startup that has a censorship-resistant data storage network. “We’re trying to create a record of history that can never be altered or deleted, and will never be forgotten,” Williams told Fortune of his three-year-old tech project.
Arweave’s network today hosts nearly 350 applications, including blogging sites, social media services, and software code repositories. The venture, while tiny, has gained traction as an antidote to state censorship of online information sources, especially as some governments clamped down amid the coronavirus pandemic.
Arweave is, in other words, exactly the kind of venture that may find itself the surveillance crosshairs of a foreign intelligence agency. “I can’t say that it’s fantastically surprising that we eventually reached the point where authoritarian governments started to target the system,” Williams said.
Arweave’s chief technology officer, Jesper Noehr, received a similar red alert from Google on the same day as Williams. “Attackers may be attempting to compromise” your account, the notification read.
After receiving the alerts, Williams began piecing together a narrative, like a detective, about a recent series of unusual events spanning several months and continents. He said he believes the clues suggest who might be behind the hacking attempts.
While it may be impossible to learn the identity of the attackers with certainty—or whether they were, indeed, directed by an overseas regime, though Google reckons that to be the case—anecdotal evidence has Williams persuaded about the whodunnit.
“We can’t be sure that it’s China, but I’m telling you it looks to me an awful lot like it is,” Williams said.
Setting the Great Firewall aflame
As a mysterious virus tore through China starting at the end of last year, an outpouring of updates, hearsay, government criticism, calls to action, and other information—ranging from false to factual—about the disease known now as COVID-19 erupted across Chinese social media.
Government censors took notice. Almost immediately, services such as YY, a livestreaming site, and WeChat, Tencent’s so-called super-app, started blocking posts containing keywords and links to certain news sources, as Canadian researchers found.
Enter Arweave. Amid the tumult, some people used bots to crawl and copy posts likely to be banned on Chinese social networks, such as Sina’s Weibo, a Twitter-like service. Projects such as “Weibo uncensored” uploaded archives to the Arweave network.
Arweave debuted its “permaweb”—an indelible, tamper-proof version of the World Wide Web—two years ago. The technology is based on distributed computing and blockchains, the computer-engineering innovation behind digital currencies like Bitcoin. The network “spreads the data across tens of thousands of places in the world and then makes it available from those locations, like the web, except censorship-resistant and permanent,” Williams said.
The end result? Censors and authoritarian states “can’t memory-hole”—here, Williams borrows a term from the dystopian novel 1984 to mean “redact history”—”what people say.”
Arweave’s fanbase remains niche. Yet, the network is growing; more than a million pieces of data were added to it last month in total, up 23x from the same period last year. The development of even a small, passionate following could pose trouble to powers that be.
During quarantine, censorship-evaders weren’t the only ones taking notice of Arweave’s tech; venture capitalists paid attention too. Firms such as Andreessen Horowitz, Union Square Ventures, and the investment arm of Coinbase, the biggest U.S. cryptocurrency exchange, bought up $8.3 million worth of Arweave’s cryptocurrency tokens in March in hopes of their market value rising in time to come, as TechCrunch reported.
Arweave’s digital tokens underpin its business. Cryptocurrency rewards go to volunteers who run the project’s software on their computers, thereby bolstering the network’s capacity for data storage. Like many Bitcoin derivatives, the value of the speculative tokens is volatile. Their total market value today exceeds $91 million. (By way of comparison, the total value of all Bitcoin surpasses $250 billion; the entirety of Ethereum, another digital coin, is worth more than $40 billion.)
Everything was going smoothly until October. Suddenly, the team started to notice connectivity issues into and out of China that slowed data download speeds.
Then the situation got more serious. Williams said he learned that on Oct. 9, Chinese authorities quietly detained a prominent Arweave “miner,” a supporter of the network who lends computing resources in exchange for cryptocurrency. (Williams declined to reveal the person’s name, citing “physical security risks.”)
The Chinese agents apparently interrogated the miner and seized machines. Eventually, they returned the equipment on the condition that the miner abandon Arweave, Williams said.
That’s when the strange messages started to arrive.
Something smells phishy
On Oct. 20, two weeks after the detainment, Williams received an email purporting to be from the chief operating officer of a cryptocurrency exchange in China.
The message cited a “listing service agreement,” the kind of deal a cryptocurrency company may strike to get its token listed on a particular marketplace. “Please check out reviewed agreement,” the prospective business partner urged. “Our legal team made one change on redline and added our company name.”
Below that prompt, the email thread contained a message appearing to originate from Jesper Noehr, Arweave’s chief technology officer. “Could you update our agreement and send to” Williams?, the note asked alongside a document attached via Google Drive.
Something about the note seemed “slightly off,” Williams told Fortune. “The phrasing just wasn’t completely professional. It didn’t necessarily read like perfect English. The sentence structure didn’t feel quite right.”
So, Williams took no action.
But a couple hours later, Williams received another odd request. An email appearing to come from Sebastian Campos Groth, Arweave’s chief operating officer, asked “How does this work for us?” next to an accompanying Google Drive document.
The original message purported to be from one of Arweave’s most prominent investors. It claimed to contain a “partnership mutual NDA form.”
Williams, already feeling suspicious about the earlier note, again didn’t bite. But he wondered about the elaborate campaign.