Listen up, super-villains and laboratory mice!

Outlined in this post is a masterplan for how to “take over the world!” — by compromising Zcash.1

Potential Consequences

The potential consequences of compromising Zcash’s trusted setup range from the fairly benign (someone buys themselves a private island) to the cartoonishly evil. The worst-case scenario is literally people dying. Maybe even a lot of people.

For those who understand, this is not news:


But to most people this is news, and it is wrong to advertise a cryptocurrency without informing them of the potential consequences. Don’t expect the existence of our posts to be sufficient, for our voice has limited reach.2

If it’s ever discovered that Zcash’s trusted setup was compromised, the entire blockchain would probably be thrown out (and/or lose its value) because it would mean the whole thing is full of funny-money and nobody knows who has it or how much there is.

In the event of compromise, loss of money ($) following discovery of compromise is the best-case scenario. The worst-case scenarios occur when nobody finds out.

In the rare instance this problem is mentioned, it is referred to as “secret inflation” — a notion misleading to the point of being wrong. If the U.S. Government prints $1 trillion dollars in secret (meaning: nobody knows about it), then sure, technically “monetary inflation” occurs, but it has no immediate effect on the value of the dollar, and it might never have a noticeable effect. Those dollars are just as capable of financing wars as all other dollars, and their impact on the value of the token can be masked by any growth in the value of the currency.

It’s also very important to understand that compromising the trusted setup grants one the general power to create certain types of false proofs that are accepted as true, of which counterfeit coins are but one result.

So please: don’t just call it “secret inflation”. Call it what it is: a potential “calamity” or “weapon of mass destruction”—not some euphemism but something that gets across the worst-case potential.3

Step-By-Step Instructions For World Domination

Don’t let fancy whitepapers fool you, the “at least one honest participant” thing in Zcash’s trusted setup is security theater.

This is all it takes to compromise everyone involved:

  1. Task a few professional saboteurs with infiltrating the Zcash team (governments were potentially aware early on), or conduct surveillance of the team’s communications.
  2. Learn their plans for the trusted setup.
  3. Use one or more of a variety of available methods to compromise the setup. This is by no means comprehensive:
    • Insert a vulnerability into the code or one of its dependencies (since everyone will be running the same code).
    • More sneaky: compromise one of the tools that’s used to build Zcash, that way the code looks fine but the binary has a “surprise”.
    • Modify the binaries after they’ve been generated and verified.
    • Use a hardware backdoor in the CPU (or a handful of 0-days) to root everyone’s machine and sabotages all attempts at detection.
  4. Assist in the advertising of the now-permanently-compromised magic internet money. “Trust us. It’s private. And it’s safe—we’ve got Matthew Green!”
  5. Profit!

Congrats, you are the proud new owner of a fancy new form of anonymous digital cash that people think is safe and is advertised as being decentralized. Obviously, now that you control pretty much the entire monetary supply it’s not really decentralized, but nobody has to find that out if you play your cards right. Zcash’s crypto-magic will do its best to keep your little secret.4 🙂

Zcash developers acknowledge these risks:


Auditing Isn’t Enough

I have to admit that I failed to make adequately clear in our previous post that an audit is not enough. That post was written before I realized the (now obvious) central point of failure in Zcash’s trusted setup, and that was before I watched as multiple experts looked and failed to detect the bug that caused the fallout from Ethereum’s “The DAO” DAO.

This situation, however, is far more serious than The DAO. Zcash’s code is several orders of magnitude larger and more complicated, and the consequences of failure are several orders of magnitude bigger.

In Zcash’s current state: it is impossible to know whether a successful attack occurred. Unless a saboteur turns whistleblower, we’ll know it was compromised only after damages have occurred. And the more valuable Zcash is, the more dangerous it is. There is no “Undo” button.

There are some things you simply cannot audit sufficiently for. This is one of them.

Why Nation States Are Most Likely Targeting Zcash

Zcash’s potential value and its trusted setup creates a very strong incentive for nation-states to attack it. If you’re a nation-state and one of your adversaries might get their hands on a dangerous weapon, then you have three choices:

  1. Prevent anyone from getting it.
  2. Get your hands on it first.
  3. Develop your own version of the same thing (or worse).

Make no mistake: as long as Zcash is considered valuable, whoever compromises Zcash holds the key to a very dangerous weapon.

Zcash Team On Defending Against Targeted Attacks

Before they decided to take on targeted attacks from nation-states, some of the current members of the Zcash team had this to say about attempting that very thing:

Zooko’s thoughts

“a targeted attack on a user would probably defeat any encryption tech available today.”

“It does not help if you are specifically targeted.”

Matthew Green’s thoughts

“You can’t secure against targeted attacks.”

Both agree, you shouldn’t trust it:

Show's Zooko liking Matthew's tweet: "I don't trust encryption to prevent targeted surveillance either. Doesn't mean plaintext is the answer."

Privacy Without Calamity

All of this is worth it though because there’s no alternative, right? (Right??)

There are a bunch of fantastic new privacy solutions out there and in the works, some of which can be used to fix Zcash, and some that can be implemented today on top of the existing Bitcoin blockchain:5

What there is not enough of is the common sense to use those instead.

There Are Some Things Responsible Adults Don’t Do

These include:

  • Tossing a loaded gun into a school yard.
  • Operating heavy machinery while intoxicated.
  • …[a million other items]…

It feels strange having to re-emphasize this last one:

  • Begging nation-states to take invisible control of your no-longer-decentralized magic internet money to secretly finance their dirty business… for no good reason.

When a digital weapon falls into the wrong hands, what does Matthew Green have to say?

One More Thing…

It’s interesting to see Zooko publicly acknowledging these sentiments:

Shows Zooko liking a bunch of my tweets where I'm saying pretty much the same stuff.

He’s a great guy and part of me wonders if those notifications are an indication of a cry for help, but whatever the case, one thing is clear: we cannot be the only ones talking about this.6 So please speak up, demand better, and ask the Zcash team to follow their own advice.

Thanks to John Light, Andrea Devers, and Simon Grondin for reviewing this post. You can follow the author and the turtles.

Donating = Loving!
Writing these posts takes time and money!
Please support our work by donating.

  1. Success not guaranteed, especially in the case of laboratory mice. 
  2. In part because journalists have been disappointing failures when it comes to covering Zcash’s trusted setup, in part because the Zcash team has done their best to avoid the topic or use jargon to obscure and downplay the risk and consequences of what they’re doing, and in part because our blog post and tweets on the topic have likely been censored and throttled on social networks. 
  3. It’s incredible how the media manages to sensationalize the inappropriate, and then downplay the sensational. 
  4. Worth noting that this situation also places your life in danger. 
  5. These likely have tradeoffs of their own. We haven’t reviewed any in enough depth to give our full endorsement, but we include them to invite further review, encourage outside-the-box thinking, and to illustrate the many options for addressing blockchain privacy. 
  6. Kudos to those who start threads like this, but it is not enough. We need more people, and especially the cryptocurrency/news media, to step up and point out that these serious problems must be fully addressed before Zcash launches. Don’t complain about how “the world is messed up” if you could do something about this but choose to sit on your butt instead. Failure to act says we’re incapable of regulating ourselves and are therefore in need of “adult supervision”

15 thoughts on “How To Compromise Zcash And Take Over The World

  1. Reply


    Zcoin ( ) and ZCash are the only two cryptocurrencies that use zero-knowledge proofs to guarantee complete financial anonymity. ZCoin and ZCash seem to supplement each other quite nicely, and a good way to describe it would be sibling cryptocurrencies.

    They are related in the sense that the academic community often see ZCoin as the stabler, more secure, and more proven cryptocurrency – whereas ZCash is seen as the more experimental coin using more dangerous and risky cryptography. For example, ZCoin uses the Zerocoin paper, which has been cited about 200 times by academic scholars, according to Google Search. And ZCash is cited about only half as many times. So ZCoin has about twice as much support from cryptography scholars as ZCash, because it’s based on much more stable and proven cryptography. On the other hand, ZCash has a lot fewer cryptography citations because it is based on something called ZK-Snarks, which only a few people in the world have researched.

    Because ZCash is based on more risky cryptography, ZCash has this critical problem that ZCoin doesn’t face. ZCash attempts to conceal the amount of money sent in a transaction. By doing this, if ZCash has a major bug or double-spending problem, it would be unnoticed and someone could drain tens or hundreds of millions of dollars away from the ZCash market cap without anybody noticing a double spend.

    Any project that involves new cryptography, including projects like ZCash, faces vulnerabilities. As we’ve seen with the Ethereum DAO project, about two hundred million dollars was drained away. Luckily, that money was recovered through a bailout because it was noticed and viewable on the public blockchain. But if ZCash faced a bug, it could potentially see hundreds of millions of dollars drained from its market cap and ZCash would be worth a lot less for speculators. In terms of practical differences, the only main differences are that zerocash is a version of the zerocoin protocol that conceals the amount in the transaction.

    It uses different cryptographic schemes, but the end result is that the other information is all completely hidden through zero-knowledge proofs. Which guarantee 0 information about transaction recipient and sender.

    However, that hiding of quantity sent in a transaction has the vulnerability of speculators potentially losing a lot of money through double-spends / other bugs that go unnoticed because of the hidden quantity. So I think ZCoin ( ) could be a good supplement investment / hedge to ZCash.

    1. Reply

      Greg Slepak Post author

      Hi robert,

      While I’ve heard of Zerocoin, this is the first time I’m hearing about “ZCoin”.

      The project mysteriously appeared on GitHub only a few days prior to this post, the reddit is a ghost town that appears to have been created today, and yet Zcoin is apparently launching in a few days on September 28th.

      I would strongly advise people to stay clear of ZCoin based on that alone. This is not how you launch a blockchain.

      1. Reply


        Hi Greg,

        The reddit appears to have been launched recently, but they have a very active community on Slack.

        Also, they’ve received funding from Roger Ver.

        1. Reply

          Greg Slepak Post author

          Evaluating, reviewing, and testing a cryptocurrency requires a lot of lead time. Normally there is a testnet, opportunities for community review and feedback, etc.

          1. robert

            From what I understand, they’ve been running a testnet for over a year now.

          2. Greg Slepak Post author

            > From what I understand, they’ve been running a testnet for over a year now.

            Who is “they”? The code has been up for only a few days. How is it possible for people to run a testnet without the code?

  2. Pingback: Battle for Online Privacy | BitMEX Blog

  3. Pingback: 网络私隐之战 | BitMEX Blog

  4. Reply


    They rebranded from another project called Moneta apparently

    1. Reply


      has the Moneta testnet been running for over a year now as Robert claimed?

  5. Pingback: Zcoin and Zcash: Similarities and Differences - ZCoin Blog

  6. Pingback: Turtle Status Letter #2 — Group Income + DPKI + More! » okTurtles Blog

  7. Pingback: Tezos Token Sale: A smart contract platform with formal verification and a self-amending protocol – Pertubuhan Crypto Republik – THE FUTURE IS NOW

  8. Pingback: Tezos Token Sale: A smart contract platform with formal verification and a self-amending protocol – IcoWeb

  9. Pingback: 9 reasonable cryptocurrencies to invest in – Paul Miller … – Cryptocurrencies News

Leave a Reply

Your email address will not be published. Required fields are marked *