Cracking the Code: A Forensic Approach to Identifying Satoshi Nakamoto
The identity of Satoshi Nakamoto, the pseudonymous creator of Bitcoin, remains one of the greatest mysteries of the digital age. While many attempts to unmask Satoshi have relied on linguistic analysis or social engineering, a new technical approach suggests that the answer might be hidden in plain sight—specifically, within the metadata of the original Bitcoin whitepaper.
By leveraging forensic artifacts left behind by legacy software, researchers are attempting to reverse-engineer the environment in which the whitepaper was created to extract a potentially identifying Windows username.
The Forensic Premise: OpenOffice and PDF Metadata
The core of this investigation rests on a specific quirk of the OpenOffice PDF exporter. When OpenOffice exports a document to PDF, it includes a hash in the metadata that incorporates the file path where the PDF was saved.
Historically, it was believed that cracking this hash was an intractable problem. To successfully guess the hash, one would theoretically need to know:
- The exact file destination path.
- The specific version of Windows used (e.g., XP vs. Vista), as directory structures differ.
- Whether the file was saved in a user directory.
- The exact millisecond the file was saved.
However, recent analysis suggests that the search space is significantly smaller than previously thought.
Narrowing the Search Space
To make the brute-force attack viable, researchers have applied several constraints based on evidence found in Satoshi's early releases.
1. The OS and Software Environment
There is overwhelming evidence that Satoshi used Windows XP Service Pack 2. This is supported by screenshots in early Bitcoin releases and Satoshi's own mentions of the lack of testing on Windows Vista. Furthermore, analysis of the .rar files used for early Bitcoin releases indicates they were produced by a version of WinRAR older than 3.62 (released December 2006), suggesting the environment predated the official start of the Bitcoin project.
2. The Millisecond Problem
While the timestamp includes milliseconds, the researchers discovered that Windows XP hardware typically uses a 64-tick timer via SYSTEMTIME. This reduces the number of possible millisecond values from 1,000 down to 65, providing a 15x speedup in the cracking process.
3. The Path Name Shortcut
One of the most critical breakthroughs is the realization that OpenOffice does not hash the final destination path provided by the user. Instead, it hashes the path of the temporary file created during the export process.
On Windows XP, these temporary files are stored in the %TMP% directory. Because of how Windows handles long filenames (the 8.3 filename convention), paths are truncated and simplified (e.g., C:\Documents and Settings\... becomes C:\DOCUME~1\...). This truncation drastically reduces the entropy of the username, making it much easier to iterate through potential candidates.
The Technical Execution
To execute the search, the researchers utilized a high-performance computing stack:
- Custom Kernels: A modified Hashcat MD5 kernel optimized for this specific path structure.
- LLM Assistance: ChatGPT was used to generate template instantiations for realistic username combinations in a CUDA port.
- Distributed Compute: The use of vast.ai interruptible GPU instances to process millions of potential usernames.
- WebGPU Implementation: A WASM blob was created to allow the solver to run in any browser supporting WebGPU, potentially crowdsourcing the compute power.
Counterpoints and Ethical Considerations
Despite the technical feasibility, the project has sparked debate within the community. Critics argue that the effort is fundamentally flawed or ethically questionable:
- The Privacy Paradox: Some argue that someone as privacy-conscious as Satoshi would never have used their real name as a Windows username, likely using a pseudonym or a random string to avoid exactly this kind of forensic leak.
- The Right to Anonymity: Several observers question the motivation behind the search, suggesting that Satoshi intentionally remained anonymous and that uncovering their identity could put them in danger.
"Someone aware of computer security will not use their name as Windows user."
Current Progress
To date, the search has ruled out several possibilities. The researchers have confirmed that Satoshi did not use Linux and that the Windows username is not four characters or shorter, nor is it a common name found in standard dictionaries or the 2009 Wiktionary.
While the search has not yet yielded a name, the methodology demonstrates how legacy software artifacts can be weaponized to uncover identities from decades-old files, turning a forgotten PDF export quirk into a digital manhunt.
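For anyone publishing PDFs, the leak described under "The Forensic Premise" can be checked for and removed before release. The following is an added example, not code from the researchers or from the original article. It assumes the hash in question is the file identifier stored in the PDF trailer's /ID array (the article does not name the field); the helper names find_ids and scrub_ids and the sample bytes are constructed for illustration.

```python
import os
import re

# Constructed sample: a skeletal PDF (no pages) whose trailer carries a
# 16-byte, MD5-sized file identifier. The ID value is made up.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    b"trailer\n<< /Size 2 /Root 1 0 R\n"
    b"/ID [ <00112233445566778899AABBCCDDEEFF>\n"
    b"<00112233445566778899AABBCCDDEEFF> ] >>\n"
    b"startxref\n45\n%%EOF\n"
)

# Assumption: only the hex-string form of /ID is handled, not literal strings.
ID_RE = re.compile(rb"/ID\s*\[\s*<[0-9A-Fa-f]+>\s*<[0-9A-Fa-f]+>\s*\]")
HEX_RE = re.compile(rb"<([0-9A-Fa-f]+)>")


def find_ids(pdf: bytes) -> list:
    """Return one (original_id, update_id) pair per trailer found in the file."""
    return [tuple(h.decode().upper() for h in HEX_RE.findall(m.group(0)))
            for m in ID_RE.finditer(pdf)]


def scrub_ids(pdf: bytes) -> bytes:
    """Overwrite every /ID value with random hex of identical length.

    Keeping the length constant leaves all byte offsets (xref, startxref) valid.
    Equal old values map to equal new ones, so trailers added by incremental
    updates still agree with each other.
    """
    if b"/Encrypt" in pdf:
        # The standard security handler mixes /ID into key derivation.
        raise ValueError("encrypted PDF: re-export it instead of patching /ID")
    mapping = {}

    def fresh(h):
        old = h.group(1).upper()
        if old not in mapping:
            rnd = os.urandom((len(old) + 1) // 2).hex().upper().encode()
            mapping[old] = rnd[:len(old)]
        return b"<" + mapping[old] + b">"

    return ID_RE.sub(lambda m: HEX_RE.sub(fresh, m.group(0)), pdf)


if __name__ == "__main__":
    print("before:", find_ids(SAMPLE_PDF))
    print("after: ", find_ids(scrub_ids(SAMPLE_PDF)))
```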