Chapter 02

The Hunt For E-money

The early 1990s were a fascinating era, technologically speaking. Tim Berners-Lee introduced the World Wide Web and set the stage for the mass adoption of the Internet. The new set of standards — HTTP, HTML, and URLs — transformed the user experience through new browser interfaces. Handy tools such as Mosaic, Netscape Navigator, and others made retrieving data from the Web easy. Chaum and Berners-Lee both delivered keynotes at the first World Wide Web conference at CERN in Geneva in 1994, laying out visions for the rise of the online economy, electronic commerce, and knowledge distribution. As the Internet gradually made its way to the masses, technology companies were plotting the next big thing: e-money. Naturally, such a development raised a plethora of questions that early fin-tech pioneers were keen to answer. From where will the monetary value originate? Who will eventually back up the money? Whether it would be governments, banks, or payment processors such as Visa, what would be the business model behind it? Which regulations would apply to virtual money transactions? And, of course, how much privacy should be embedded into the payment systems? Banknotes and coins are anonymous by nature. Electronic cash, not necessarily. Chaum’s school was at one side of the spectrum, arguing for anonymous electronic money systems. The opposition was vocal as well. Some government officials, close to the IRS, were even talking about automatic fulfillment of tax returns. Traceable cash would make tax collection simple and smooth. But would this be worth sacrificing financial privacy?

It was in 1990 that the discussion on e-money became more serious, even though the hardware part of this riddle had been in development much earlier. The first smart card products were developed in the late 1970s, and the first microprocessor-based smart card combining processor and local memory was designed in 1979 by Bull CP8 — one of the three commercial manufacturers at the time. Multiple companies sought the holy grail of internet protocols. Kawika Daguio, a Washington, DC, representative for the American Bankers Association, described the situation:

We may be in a situation analogous to the 1860s - in those days, before our current Federal Reserve system, bank checks backed by different institutions weren't as widely accepted - they circulated and were usually discounted. Chartered banks also printed private-bank notes. Now, we see that some institutions are interested in printing their own versions of electronic money and following their own rules.

But the concept of electronic money was not only explored within banks and corporations, but also in digital communities. In principle, there are three main design patterns within the e-money space that emerged in the 1990s and persist until today. The first one attempts to create a bridge between national currencies and the digital currency system in a reliable and verifiable manner, with Ecash being the most notable example in the pre-Bitcoin era. In the age of modern cryptocurrencies, such currencies are known as stable coins. Tether is the largest one by market cap at the time of writing. In the second pattern, commodities such as gold or silver are utilized as the underlying asset for a digital currency. While E-gold pioneered this concept, Digix Gold Token and Pax Gold could be considered its modern alternatives. The last category creates a new kind of asset that is not connected to any underlying asset in the physical world, such as Bitcoin, and could be considered intrinsically worthless. One of the objectives of this book, though, is to prove the opposite.

Digicash

It took a few years of thorough cryptographic research until Chaum decided to act upon his vision of anonymous payments. By 1990, Chaum had moved to the Netherlands, become head of the cryptography department of the Centre of Mathematics and Information Science, and founded his company — Digicash. The product the company created was named "ecash", and it effectively became the first digital cash system. The company was on to something. The team behind Digicash consisted of excellent cryptographers and coders, many of whom would later become well-known in their own right. To name a few: Nick Szabo for the inception of smart contracts and proposing Bitgold, Zooko Wilcox for creating Zcash, Hal Finney for creating RPOW and early involvement with Bitcoin, and Eric Hughes for hosting the Cypherpunks mailing list. We will explore all of their stories later in this book. It is important to mention that by that time, Chaum was already recognized as one of the most renowned cryptographers in the world.

Digicash translated Chaum’s vision into reality, allowing for anonymous transactions. As such, the system’s mathematical brilliance would make untraceability unconditional. The only situation that would violate this principle was a double-spend attempt, which was a useful design feature that would out any cheaters in the network. Ecash was essentially a piece of data with different signatures used for each coin denomination. It utilized RSA public-key cryptography, and every user had his own key pair. The prototype allowed smart cards to hold a certain amount of verified cash value. In practice it looked something like this:

Imagine Alice wants to send e-money to her friend Bob for the lunch she owed him. She has an empty smart card that she could load with money from her bank account. Alice would just need to insert the card into a slotted machine similar to an ATM, at home or on the street. The card’s chip would generate a random key, and send it "blinded" to Alice’s bank (which was part of the Ecash system). The bank verifies her balance, signs the data, and sends it back to Alice’s card. The card would produce a complex numerical code that would serve as anonymous cash. Her card is charged and now she can send money to Bob. She slips the card into Bob’s hardware wallet, and the numerical code is copied to Bob's machine, which further attaches its own unique ID number. Such aggregated data is sent to Bob’s bank, which subsequently credits his account. Note that the bank can’t trace back the transaction’s origin to Alice. Likewise, Alice could execute such a transaction on the Net, using her computer, and send the complex number representing her Ecash anywhere, like an email. As long as the recipient’s bank was in the system, he could get the money credited to his account.

For quite some time, things went smoothly at the company, despite some employees leaving for other ventures. They told various media, anonymously, that Chaum, who retained control over the company as its CEO, was very stubborn, did not want to delegate anything to anyone, and often changed his mind and the direction of the company on a whim. According to the disgruntled ex-employees, this slowed research activities and caused infinite strife at the company.

Nevertheless, the digital payment system he invented was recognized by insiders as a technically perfect product, which Chaum had sought all along. Ecash gained traction and acquisition offers rolled in. Henderson Investment Management, ING, and even Microsoft sent in their bids. Microsoft proposed integrating Ecash into every copy of Windows 95. It is said that the offer was close to 100 million USD at the time. But Chaum insisted on a share from every single copy sold. Bill Gates could not accept such an offer.

Unfortunately, Chaum’s stubbornness turned out to be detrimental to the company’s interests as it killed negotiations with another giant, Netscape. This time, Chaum insisted that everyone sign an NDA before any negotiations were initiated, upping his paranoiac state. It was this same paranoia, however, that made Chaum an excellent cryptographer. At the same time, it also led him to bail out on deals and offers many in Silicon Valley could only dream of at that time. In 1996, the credit card company Visa offered him 40 million USD as an investment. Chaum demanded 75 million. The offer, not surprisingly, was rejected. That was the last straw for many within the company. They organized an internal coup and demanded that Chaum leave his position as the CEO. He faced an ultimatum: it was either him or them. He stepped down from active duties but remained on the board. Afterward, the company hired two new managers — Jelte van der Hoek and Wouter Habraken. Things seemed to be settled for the moment. As the new managers were more cryptographers than businessmen, however, the peace did not last long. Many employees left the company for other opportunities. From the outside, the company remained attractive, and several investors continued investing in the company. In 1997, new investors eventually joined the company and subsequently appointed a new CEO: Michael Nash, a former Visa employee. Soon after the appointment, Nash opened a new office in Palo Alto. The company’s operational costs skyrocketed and development was split up. Internal strife continued. American employees were enjoying higher salaries than their counterparts in the Netherlands. These factors once again contributed to the rising tension within the company.

Regardless of that, the company exhibited success as it managed to sign its first bank, The Mark Twain Bank. The American bank was the first to experiment with Ecash. Soon after, a few more banks followed suit, including Deutsche Bank and Credit Suisse. As conservative and robust banks, they were not in a hurry to innovate the products. Digicash had also been in a series of negotiations with CitiBank. The large American bank, known for its aggressive policy and streak of innovation, could have been the breakthrough with its roughly seventy million global clients. Unfortunately for Digicash, the bank went through difficult times, resulting in decreased stock market valuation and a later merger. These business moves then became the sole focus of the management of the company. Digicash, as an idea and a project, became secondary. This turned out to be the final nail in the coffin. The company’s burn rate was too high, estimated at more than one million per month, reserves were eaten up, and there were no revenues to compensate. The company officially went bankrupt in September 1998, just a few months before PayPal was founded.

The story of Digicash remains fascinating. It is a story of brilliant minds realizing their vision of digital privacy for everyone into a stellar product. Sadly, the brilliant minds became their own victims, and thus could not fulfill the dream of anonymous digital cash. Even though this entrepreneurial endeavor was eventually not successful, its legacy became one of the building blocks for what would come next. As the Dutch Magazine Next! would write in their extensive report on Digicash, in January 1999:

The rise and fall of DigiCash: a story of paranoia, idealism, amateurism and greed.

DigiCash was the first but not the only project in the field of digital currencies in the early 1990s. CyberCash was one of its most prominent competitors. The company’s team included high profile personas from different industries led by Bill Melton, the creator of the Verifone system, a multinational multi-million company dealing in credit card transactions. Jim Bidzos, from RSA Digital Security Inc., was also involved. The company provided online wallet software for merchants to accept credit card payments, which became both successful and lucrative. In 1996, their IPO attracted a plethora of investors. It also had a slightly different business model when compared to competitors with transaction fees. The company was reaping interest rates on the money deposited by its users, similar to Facebook’s Diem (formerly Libra) design a few decades later.

At the start of the new millennium, the situation quickly changed for the worse. Their systems suffered from a software vulnerability that caused double spending of the payments. This was exploited by a teenage Russian hacker nicknamed "Maxus", which led to further financial problems the company could not weather. By early 2001, the company filed for bankruptcy. Their assets were acquired by VeriSign and then later by PayPal, which bought its payment services.

Elsewhere, in the mid-1990s, Visa began negotiations with several banks to create a consortium that would introduce "Electronic Purses" to the UK market. It was assumed it would be a direct competitor to Mondex, a smart card electronic cash system that launched in 1993, and was eventually acquired by MasterCard. It used tamper-resistant hardware that allowed for anonymous transactions. Its disadvantage, though, was similar to cash in that once the wallet was lost, so was the money.

NetCash and NetCheque were other projects in internet payment systems, developed at the Information Sciences Institute of the University of Southern California. Not to be outdone, Microsoft also formed a digital money group in 1990 and launched its program called Microsoft Money a year later. They later tried to acquire Intuit, a financial software company, but regulators eventually put it on hold due to antitrust concerns.

Magic Money

It wasn’t only corporations tinkering around with digital coins and notes at that time. Marching towards the mid-1990s, there were several attempts to design electronic money via community bootstrapping. One such attempt was an experimental market called Hawthorne Exchange. Its participants could engage in the trading of units of reputation. The native unit was named thorne. The project became popular within micro-communities such as Extropians — believers in tech-enabled immortality — as well as the Cypherpunks, whom we will cover in the next chapter. Some of their leading figures such as Timothy May, Nick Szabo, and Hal Finney took part in the experiment. However, as community interest faded, the project died out in 1994. Soon it had a successor in a digital cash system programmed by the pseudonymous "Pr0duct Cypher". The project was named Magic Money. It was announced on the Cypherpunk mailing list in February 1994:

Magic Money is a digital cash system designed for use over electronic mail. The system is online and untraceable. Online means that each transaction involves an exchange with a server, to prevent double-spending. Untraceable means that it is impossible for anyone to trace transactions, or to match a withdrawal with a deposit, or to match two coins in any way. The system consists of two modules, the server and the client. Magic Money uses the PGP ascii-armored message format for all communication between the server and client. All traffic is encrypted, and messages from the server to the client are signed. Untraceability is provided by a Chaum-style blind signature. Note that the blind signature is patented, as is RSA. Using it for experimental purposes only shouldn't get you in trouble. Digicash is represented by discrete coins, the denominations of which are chosen by the server operator. Coins are RSA-signed, with a different e/d pair for each denomination. The server does not store any money. All coins are stored by the client module. The server accepts old coins and blind-signs new coins, and checks off the old ones on a spent list.
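The withdrawal and deposit steps described for Ecash earlier in the chapter, together with the per-denomination e/d pairs and the server-side spent list from the Magic Money announcement, can be written out as a short Python sketch. This is an added example, not Digicash's or Pr0duct Cypher's code: it uses textbook RSA blind signatures over a toy modulus built from two publicly known primes, and the names `Bank`, `withdraw_coin` and `coin_digest` are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy modulus built from two publicly known Mersenne primes (constructed for
# this example). It shows the arithmetic; it is not a usable key.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)


def coin_digest(serial: bytes) -> int:
    """Map a coin's serial number to the integer that the bank signs."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    """Online mint: signs blinded coins and keeps a list of spent serials."""

    def __init__(self, denominations, balances):
        self.public = {}     # denomination -> public exponent e
        self._private = {}   # denomination -> private exponent d
        e = 65537
        for value in denominations:
            while gcd(e, PHI) != 1:      # e must be invertible mod phi(N)
                e += 2
            self.public[value] = e
            self._private[value] = pow(e, -1, PHI)
            e += 2                       # next denomination gets its own e/d
        self.balances = dict(balances)
        self.spent = set()
        self.withdrawal_log = []         # everything the bank sees at withdrawal

    def withdraw(self, account, value, blinded):
        if self.balances.get(account, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[account] -= value
        self.withdrawal_log.append((account, value, blinded))
        # The bank signs the blinded value and never learns the serial.
        return pow(blinded, self._private[value], N)

    def deposit(self, account, value, serial, signature):
        if value not in self.public:
            return "unknown denomination"
        if pow(signature, self.public[value], N) != coin_digest(serial):
            return "bad signature"
        if serial in self.spent:
            return "double spend"
        self.spent.add(serial)
        self.balances[account] = self.balances.get(account, 0) + value
        return "ok"


def withdraw_coin(bank, account, value):
    """Client side: blind a fresh serial, have it signed, then unblind."""
    e = bank.public[value]
    serial = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2          # blinding factor
        if gcd(r, N) == 1:
            break
    blinded = coin_digest(serial) * pow(r, e, N) % N
    blind_sig = bank.withdraw(account, value, blinded)
    # (m * r^e)^d = m^d * r, so multiplying by r^-1 leaves m^d.
    signature = blind_sig * pow(r, -1, N) % N
    if pow(signature, e, N) != coin_digest(serial):
        raise ValueError("bank returned an invalid signature")
    return serial, signature


if __name__ == "__main__":
    bank = Bank([1, 5], {"alice": 10})
    coin = withdraw_coin(bank, "alice", 5)
    print(bank.deposit("bob", 5, *coin))   # first deposit is credited
    print(bank.deposit("bob", 5, *coin))   # replay is caught by the spent list
```

The only thing the bank records at withdrawal is the blinded value, which matches neither the serial's digest nor the signature it later sees at deposit; that gap is what makes the coin untraceable while the spent list still stops a second deposit.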

Hal Finney welcomed the concept as warmly as he did Bitcoin a few years later — "Wow! Hot stuff!". Magic Money’s toolkit allowed for the creation of different coins. The mailing list archives reveal there were several of them circulating within the community. GhostMarks, DigiFrancs, and NexusBucks are just some examples.

Magic Money provided the geekery with amusement that kept them busy for some time, but that also eventually faded. Tim May saw the main source of failure of the system in the almost non-existent supply of items listed for sale with the electronic fun money, as well as the complicated and confusing process of sending them. He analyzed the patterns of bootstrapping problems that "crypto" faced in a lengthy post. Precisely these same patterns would also plague the cryptocurrency era that would come two decades later.

Hal Finney asks us to think about and comment on the important issue of why digital cash, in its myriad forms, is not in wider use. Especially on this list, where the Magic Money/Tacky Tokens experiment has not (yet at least) produced widespread use.
This question also goes to the heart of several related questions:
1. Why aren't crypto protocols other than simple encryption, digital signatures (both implemented in PGP as the de facto standard in our community), and remailings (implemented in Julf's anon.penet.fi remailer and in the various Cypherpunks remailers) being *used*? Why no DC-Nets, no data havens, no digital timestamping, etc.?
2. What *incentives* are there for creative programmers to devise and/or implement new crypto protocols if essentially everything for the past year and a half (since the fall of 1992, which is when PGP 2.0 and remailers became widely available) has languished?
3. What are the "killer apps" of crypto?
4. What platforms and user environments should would-be developers target? What machines? What networks? What languages? (An ongoing interest of mine. Objects, scripts, Visual Basic (!) VBX tools, TCL, perl, many platforms, etc. A tower of Babel of confusion is upon us.)

Twenty years later and the question "What is the killer app for crypto?" is often part of any conversation involving cryptocurrencies. May went on to elaborate on contemporary struggles of digital cash including Magic Money and Hawthorne Exchange:

Here is my first-cut analysis of the digital cash situation.
I. Why is Magic Money/Tacky Tokens, in particular, not being more widely used?
- Nothing of significance on the List to buy, hence no incentive to learn how MM works. (Just because someone announces that their new article is available for 10 Tacky Tokens doesn't a demand make!)
- Semantic gap. I confess to not having the foggiest ideas of how to go about acquiring Tacky Tokens, how to send them to other people, how to redeem them (and for what), etc. Having nothing to buy (no need), and plenty of things to occupy my time, I've had no interest in looking at MM.
II. Other Experiences with Digital Cash in Some Form
- On the Extropians list a while back (I've since left that list), there was an interesting experiment involving reputations of posters and "shares" in their reputations. Brian Hawthorne introduced his "Hawthorne Exchange," HeX, with eventually a few hundred or so reputations trading. The unit of exchange was the "Thorne," with each new list member given 10,000 Thornes to trade with.
Trading was very sparse, with most people apparently never bothering to learn to trade (a la my own experiences with Magic Money). I downloaded the docs one night, tried a few trial trades, and then proceeded to make dozens of trades, trying to buy cheap and sell dear. Between my trades, the reputation attached to my posts (and to my "nom du humor," Klaus! von Future Prime) I amassed a sizable fortune in Thornes. I even offered to exchange real dollars (checks) for Thornes, the better to amass a fortune (for reasons I won't go into here). Edgar Swank offered to sell me his Thornes for $20, I think it was, and I sent him a check immediately. (No one else did.)

He concludes with a list of use-cases and markets that would be crucial for development and bootstrapping any forms of digital money in the years to come:

III. What Markets Might Make Use of Digital Cash
- phone cards, subway cards, parking garage cards...all are examples. But these are mainly to reduce the need for customers to carry coins and bills, to reduce the dangers of theft of coins and bills (and the need to collect them frequently from payment points), and to speed up processing by not having customers fumble for change, etc.
- toll roads...this is a market that Chaum's DigiCash company has been targeting for several years now. Privacy is a concern (don't want Big Brother tracking your movements), and the infrastructure may allow considerable investments in remote sensing of IDs and pseudonymous IDs, online clearing, etc. Read the Chaum stuff for details on this.
- illegal markets, for transferring wealth in fairly large amounts. Not at all clear how this will happen, and it sure won't happen with some fly-by-night hackers and/or students offering a new service.
- betting markets, the "Internet Casino in Cyberspace," etc. Nick Szabo was once championing this, and I think it could be an interesting, and very real, market. Lots of issues here.
- Digital Postage. This remains my favorite. There's a _need_ for untraceable payments (else why use a remailer?). I've written about this extensively, as have others.
IV. Is there Any Hope for Cypherpunks Software Use?
The remailers (of Hughes and Finney, with other contributions) came in the first few _weeks_ of existence of the Cypherpunks group. Julf's system already existed.
Remailers were the "low-hanging fruit" that got plucked fairly easily (not taking anything away from Eric, but he himself says he learned enough Perl in one day to write the first, crude remailer the _next_ day!).
Later protocols have not fared as well. Why this is so is of great importance.
That's a topic unto itself, and one which I hope to write about soon. Lots of important questions and interesting issues.

Perhaps the issue with some crucial parts of the Magic Money system was that it was patented, and thus illegal for wider usage. Or perhaps it was just bad timing. Just a few months after its launch, Chaum’s Digicash announced its trial period during which it was handing out cyberbucks to early adopters and participants of the network. The community’s focus and interest, unsurprisingly, shifted to the shiny new toy, and for some time corporate-led efforts for digital cash took over again.

Commodity-backed Digital Currencies

By the second half of the 1990s, the first commodity-backed digital currencies emerged. In his book, The History of Digital Currencies in the United States, Philip Carl Mullan compiled an extensive and detailed overview. While they differed in their team hierarchy, level of transparency, as well as some other features, there were some things they shared. Most of them were backed by gold or silver, and they could be bought, sold, and exchanged for other digital currencies through third-party independent agents. Moreover, transactions within their systems were usually irrevocable.

Similar to modern cryptocurrencies, in the first few years when these novel currency systems emerged, they were not identified or recognized as financial products. There were no laws defining or legislating digital currency systems, exchange agents, or commodity-backed tokens. While US banks and money service businesses were subject to Internal Revenue Service (IRS) reporting, anti-money laundering (AML), and know-your-customer (KYC) rules, digital currency operators were able to side-step these regulations. Added to that, these digital currency systems did not have to restrict themselves in terms of the territories they served nor the nationality of their customers, even those with severe government-imposed sanctions.

e-gold

In 1996, the company Gold & Silver Reserve, founded by Douglas Jackson, launched its product called e-gold. e-gold was a digital currency backed by physical gold. The system behind it was quite advanced, as it had an SSL encrypted connection, immediate settlement, and API for third parties to build on. Note here that the company launched two years before PayPal came on the scene. In 2000, the company saw its first spike in its traffic volume and the trend continued for several years. Payments within the system were anonymous, irreversible, and final. Moreover, for entities selling big-ticket items, such as airline tickets, the direct cost of receiving payment in e-gold was less than one-tenth the cost of a credit card payment. The company was also known to strictly adhere to a high level of transparency regarding their gold reserves.

The whole model appeared to work quite well, and competition soon came calling. E-Bullion, GoldMoney, OSGold, Standard Reserve, Pecunix, and INTGold are just a few of the companies that entered the market of gold-backed digital currencies. By 2005, e-gold, though, remained the most popular. During its heyday, it served accounts over $5 million, had over 3.5 metric tonnes of gold in reserve, and an annual transaction volume nearing $2 billion. In the online payments industry, it was second behind PayPal. Interestingly enough, e-gold achieved all this with quite modest funding. The company was initially bootstrapped with $1 million, and cumulatively raised only $3.5 million. The amount raised by its competitors was well over $300 million combined. One of the reasons for e-gold’s success was the ability to find a good balance between usability and security of their services. In his post from 1997, Jackson argued that the emergence of SSL-enabled browsers allowed for adequately secure and user-friendly transactions.

The way I see it, SSL has rained on the Digicash parade. SSL is the reason we at G&SR didn't shell out big bucks to Digicash (or license the RSA algorithm ourselves). It's got the same session key RSA blah-blah whatever, but folks get SSL-capable browsers for free and a secure server is dirt cheap. And fairly big bucks people are keeping it all up to date so you don't need to bother with expensive proprietary crypto.

SSL, or Secure Sockets Layer, is a standard technology used for safeguarding sensitive data sent between two systems, such as an e-shop and browser. According to Jackson, secure communication was the missing tool needed for the transmission of payment instructions and notifications. This changed in 1996 when Netscape implemented SSL 3.0, enabling a web browser to serve as client software for secure client-server communication. The solution offered a secure service that Jackson deemed fit for his purpose. He considered the Cypherpunks to be overly concerned about perfect security.

The emergence of e-gold had been the final nail in Digicash’s coffin. Then, for the decade during which e-gold was operational, though there was a continuous succession of one crypto scheme after another, nobody cared.
e-gold exposed the disutility of crypto-based monetary schemes and as long as e-gold was active, none of them could get a foothold.

Eventually, e-gold became a victim of its own success as it drew unwelcome attention and was used in various Ponzi schemes, phishing attacks, and broader scams. US authorities began to investigate the company on the grounds of it being an illegal money transmitter. This began a spiral in which e-gold lost a large part of its user base and eventually closed down. Jackson envisioned it as a private, international currency that would float across borders freely, and would provide a remedy to the illness of the modern monetary system. He wanted to make digital sound money mainstream, but instead ended up with an electronic tracking device strapped to his ankle.

"It's supposed to be jail, only it's self-administered", he told Wired magazine in 2009 during his first in-depth interview after pleading guilty to money laundering-related crimes and to operating an unlicensed money transmitting service. The seizure of e-gold by authorities resulted in numerous convictions of some of the most sought-after credit card thieves and hackers. The meteoric rise of a maverick and visionary such as Jackson came rather unexpectedly, as initially there were no indications that anyone had a problem with his entrepreneurial activities, including the Federal Reserve. He repeatedly reached out to intelligence agencies personally, but was ignored. Later, when they contacted him, he was cooperative and helped them track account owners suspected of illicit activities. Even this, however, did not prevent him from being arrested and treated like a criminal, even though eventually the judge spared Jackson jail time as it was proven that he did not intend to engage in illegal activity. Initially, Jackson faced up to twenty years in prison and a $500,000 fine. In the end, he was sentenced to 36 months of supervision including six months of house arrest, and 300 hours of community service.

His company was fined hundreds of thousands of dollars and forced to submit to the process of compliance by applying for the appropriate licenses related to money-transmitting services. Those same licenses and regulations were those he initially believed he should be exempt from — the faulty assumption made by several internet payment services during the early years of the internet, including PayPal. e-gold did not recover from the fatal shake-up and slowly dwindled down for a few more years until they closed down. In our interview, Mr. Jackson admitted that the absence of rigorous customer identity verification turned out to be a big mistake:

The biggest challenge though, what turned out to be our fatal flaw, was my failure to marshal the resources to implement rigorous customer identity verification and due diligence as prerequisites to granting system privileges.

Today, Jackson has maintained a rather critical tone when speaking about the Cypherpunk movement, which he blames for causing financial damage. He is equally critical towards Bitcoin, which he labeled as an ecological devastation, and cryptocurrencies in general which he called a "pointless wasteland".

GoldMoney & WebMoney

GoldMoney officially launched in 2001, though the company’s founder, James Turk, envisioned the concept of gold used for retail payments back in 1979. His grand vision, however, has still not become reality. The company’s updated mission from 2011 suggested GoldMoney dropped its grand plans for gold to be used in online payments, and pitched the service mainly as a tool to preserve purchasing power via ownership of precious metals. Regardless of its mission, the company has always adhered to stricter rules related to its customers’ identity than any other private currency operator. Perhaps that is also one of the reasons why it remains in operation as of 2021. In retrospect, this strategy turned out to be decisive and kept the company operational, even during the period of the financial crisis in 2008 when distrust of the financial system shifted consumer preferences towards precious metals. Even though e-gold was never shut down by the government, the absence of AML and KYC rules resulted in legal issues that caused the company to miss out on this spike in demand that accompanied the crisis.

The formation of WebMoney was a great example of the importance of good timing. The company was founded in 1998 in Russia at the time of the ruble crisis. Not only was the national currency severely devalued, but the Russian government also defaulted on domestic debt. Several large Russian banks closed down and those that remained functional were deemed untrustworthy and unsafe for deposits. People stopped using banks, and cash took over. WebMoney allowed for sending and receiving cash via postal services, convenient for millions of Russians with no access to electronic money. This situation contributed significantly to the tremendous growth the company experienced since its infancy. As of early 2020, WebMoney is a multi-billion company with roughly 200,000 transactions per day. Besides several national currencies and gold, its services also offer cryptocurrencies such as Bitcoin, Litecoin, and Bitcoin Cash.

Liberty Dollar, E-Bullion, and others

Liberty Dollar was a private currency project launched by Bernard von NotHaus in the late 1990s. Like many others in the digital currency space, he disagreed with aspects of the monetary system of the United States and decided to take action in the form of an entrepreneurial venture. The company issued currency in the form of coins, gold and silver certificates as well as an electronic currency. The US government seized company assets in 2007 and convicted the founder of conspiracy and counterfeiting. Eventually, despite the zealous requests of the prosecutors, he was sentenced to six months of home detention and three years of probation.

E-bullion was another gold-backed digital currency service, similar to e-gold, that operated between 2001 and 2008. It was founded by James M. Fayed. Perhaps most notably, one innovation the company came up with was allowing the value of its digital tokens to be withdrawn in cash through ATM debit cards. Even though the company was one of the more popular ones, its fate was similar to the rest of its competitors. It also received significant negative media attention as its founder, James Fayed, was convicted of hiring hitmen to murder his estranged wife. Though his alleged crimes made him eligible for the death penalty, California Governor Gavin Newsom’s moratorium on the practice means he will likely be on death row for the remainder of his life.

There were a few other similar companies with smaller volumes and fewer customers to note, such as IntGold or OSGold. IntGold was a similar service that served roughly 300,000 accounts by the time it was shut down. In the case of OSGold, there was supposedly no proof that the company had gold reserves whatsoever.

In 2001, George W. Bush signed the Patriot Act, which included new techniques and measures to obstruct money transfers that could be funding terrorist activities. This was also related to Hawala transfer systems that operated outside of traditional banking or even telegraph or computer networks. In developing countries, Hawala has been a popular transfer system based on honor and performance of a massive network of money brokers called hawaladars. It followed Islamic traditions, but it is not limited only to Muslims. While the network spans all over the world, it is most dense in the Middle East, North Africa and India. In this respect, Hawala transfers have operated similarly to digital currencies. As a result of the act, violations related to unlicensed money transmitting were to be prosecuted by the federal government, instead of individual states as was the case beforehand.

The year 2006 was the year in which digital currencies stopped being unnoticed by regulators and law enforcement agencies. From that point forward, starting with the e-gold case, many other companies operating their own digital currency in the United States, usually backed by gold, were prosecuted and essentially sidelined by the government for violating laws related to breach of the Money Transmitter Licensing and Money Service Business statutes. The only exceptions to this were GoldMoney and WebMoney, which decided to voluntarily implement internal rules of adhering to KYC and AML. At some point in 2009, however, when FinCEN (Financial Crimes Enforcement Network) introduced a new set of regulations, even these two large companies decided to transition out of the US market as compliance costs became enormous. This fact just underlined that for a true digital currency to prosper, decentralization would be an inevitable prerequisite.

Building The Chain Of Blocks

As described above, cryptocurrencies emerged as the next (r)evolutionary step, building on efforts in computer science spanning many decades. Indeed, the development of cryptographic primitives was essential not only in efforts to design electronic cash, but to build secure computer systems in general. By the 1990s, all crucial building blocks were created, and the contours of a "chain" started to form.

The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to timestamp the data, not the medium. We propose computationally practical procedures for digital time-stamping of such documents so that it is infeasible for users either to back-date or to forward-date his document, even with the collusion of a time-stamping service. Our procedures maintain complete privacy of the documents themselves, and require no record-keeping by the time-stamping service.

This is how Scott Stornetta and Stuart Haber introduced their paper "How to Time-Stamp a Digital Document" in 1991. The two met and worked together at Bell Communications Research, or Bellcore, and they aimed to design a solution that would allow time stamping of documents that could not be tampered with. Their aim was an improvement over what they called a naive solution utilising a "digital safety-deposit box", where a document is simply transmitted to a time-stamping service (TSS). They came up with a more sophisticated solution that would not compromise the document's privacy, would save bandwidth and storage, and would mitigate the possibility of a fault on the TSS’s side (even though the TSS was still trusted). Utilizing secure collision-free hash functions and digital signatures, they assembled a data structure simulating a chain of blocks. A year later, the two were joined by Dave Bayer and improved their concept by incorporating Merkle trees into their design in a paper called "Improving the efficiency and reliability of digital time-stamping". Little did they know what kind of buzz such a data structure would cause two decades later. Both of the papers are referenced by Satoshi Nakamoto in Bitcoin’s white paper, and both Stornetta and Haber have been called "Fathers of the blockchain". In our conversation, Stuart Haber reminisced on the beginnings of their work with Stornetta:

I was a young cryptography researcher at Bellcore, when Scott arrived I'd been there for a couple of years maybe. Scott was a new arrival at the lab, he had just finished his PhD and this was fall of '89, and he came to me with what he thought was a very important problem, and it was in fact the title of our first paper -- how to timestamp a digital document.
And by a digital document we meant, of course, any bit-string whatsoever - digital record of any kind. We weren't limiting ourselves at all to particular kinds of records. It was clear that all of the world's records were going online from the physical world.
We weren't there yet, of course, back in the '89; but it was clear that was the direction things were going quickly. Scott was especially worried about being able to verify the integrity of digital records. So we came up with a reasonable solution that is the data structure, now commonly called the blockchain.

Today, many Bitcoin aficionados would likely argue that the blockchain has become much more than just a data structure and that Proof-of-Work is an inevitable part of what we call blockchain in 2021. Other tribes in the crypto community would not necessarily agree, arguing that PoW will be replaced by something more efficient and secure. It is safe to say that when we talk about blockchain we mean more than just data linked in a particular way. As the term implies, it is the presence of a robust consensus mechanism that accommodates thousands of nodes. Indeed, Stornetta acknowledges this too:

Well, I am happy to take credit for being the co-inventor of the early blockchain, but I am a little reluctant to call myself the father of blockchain. Simply because blockchain has come to mean a lot more than it originally did. Just due to the many contributions that others have made.
What we did create, Stuart Haber and I, was an attempt to create an immutable record. And we did it by cryptographically linking blocks of records together in a chain and then widely distributing the information, so that there was no ability for a central party to corrupt the record.
Now, that sounds like what you'd call a blockchain, and we certainly invented that. The only reason I am hesitant, is that for some people, blockchain has come to mean everything that was done by Satoshi as well as Vitalik (Buterin), as well as other people.

The two managed to convince Bellcore management to spin off a commercial enterprise to offer timestamping services in the form of Surety, deployed commercially in 1995. The service utilized the technology of linked Time-Stamping Authority (TSA), and most interestingly, instead of a global distributed ledger that we know from blockchain-based technologies today, the first and longest running blockchain in the world utilized a newspaper, as Haber explains:

Now, in order to enable worldwide agreement on values of our chain, remember, this is 1995, when the internet was relatively new and there was much less interest in there than there is now in cryptographic verifiability of authentication of records. What we did, we'd once a week build another Merkle tree out of all the hash, the block hash values, and publish that hash value as a classified ad in the national edition of the Sunday New York Times.
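The linked time-stamping and weekly published Merkle root described above can be sketched as follows. This is an added example, not code from Haber, Stornetta or Surety: the certificate fields, SHA-256, the leaf/node prefixes and the handling of an odd node are assumptions made here, signatures are left out, and the sample requests are constructed.

```python
import hashlib

GENESIS = b"\x00" * 32  # link value that precedes the first certificate

def link_value(prev, seq, time, client, doc_hash):
    """A certificate's link commits to its own fields and to the previous link."""
    d = hashlib.sha256()
    for field in (prev, seq.to_bytes(8, "big"), time.to_bytes(8, "big"),
                  client.encode(), doc_hash):
        d.update(len(field).to_bytes(4, "big") + field)  # length prefix per field
    return d.digest()

def stamp(chain, doc_hash, client, time):
    """Service side: append a certificate; only the document's hash is submitted."""
    prev = chain[-1]["link"] if chain else GENESIS
    cert = {"seq": len(chain), "time": time, "client": client, "doc_hash": doc_hash,
            "prev": prev, "link": link_value(prev, len(chain), time, client, doc_hash)}
    chain.append(cert)
    return cert

def first_broken_link(chain):
    """Index of the first certificate that fails recomputation, or None if intact."""
    prev = GENESIS
    for i, c in enumerate(chain):
        expected = link_value(prev, i, c["time"], c["client"], c["doc_hash"])
        if c["seq"] != i or c["prev"] != prev or c["link"] != expected:
            return i
        prev = c["link"]
    return None

def relink(chain):
    """Rebuild every link from the stored fields, as a colluding service could."""
    out = []
    for c in chain:
        stamp(out, c["doc_hash"], c["client"], c["time"])
    return out

def leaf_hash(x):
    return hashlib.sha256(b"\x00" + x).digest()   # domain-separated from inner nodes

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_levels(leaves):
    if not leaves:
        raise ValueError("no leaves")
    levels = [[leaf_hash(x) for x in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])                   # odd node is promoted, not duplicated
        levels.append(nxt)
    return levels

def merkle_root(leaves):
    return merkle_levels(leaves)[-1][0]

def merkle_proof(leaves, index):
    """Sibling path for leaves[index] as (sibling_hash, sibling_is_left) pairs."""
    proof = []
    for level in merkle_levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_proof(leaf, proof, root):
    acc = leaf_hash(leaf)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

def demo():
    chain = []
    docs = [b"contract v1", b"lab notebook p.12", b"will", b"patent draft", b"invoice 7"]
    for i, doc in enumerate(docs):                # constructed sample requests
        stamp(chain, hashlib.sha256(doc).digest(), f"client-{i}", 800_000_000 + 3600 * i)
    links = [c["link"] for c in chain]
    published = merkle_root(links)                # the one value printed in the newspaper

    forged = [dict(c) for c in chain]
    forged[2]["time"] -= 86_400                   # back-date record 2 by one day
    relinked = relink(forged)                     # service then repairs its own chain
    return {
        "intact": first_broken_link(chain) is None,
        "inclusion_ok": verify_proof(links[4], merkle_proof(links, 4), published),
        "edit_detected_at": first_broken_link(forged),
        "relinked_self_consistent": first_broken_link(relinked) is None,
        "relinked_matches_published": merkle_root([c["link"] for c in relinked]) == published,
    }

if __name__ == "__main__":
    print(demo())
```

A chain that the service has rewritten and re-linked passes its own consistency check, which is why the root has to be published somewhere the service cannot later alter.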

Haber and Stornetta are not the only cryptographers that today enjoy the "popularity" of being cited by Satoshi. As we will discuss, Satoshi could have easily mentioned more names in the bibliography of the famous Bitcoin White paper. More likely than not, that’s due to Nakamoto not having been an academic, and not being fully aware of all the work done in the area of cryptography and distributed systems.

Jean-Jacques Quisquater is one of the few other names that do appear in Bitcoin's bibliography, and is sometimes associated with the origins of blockchain. In the early 1990s, Quisquater worked for Philips Research Lab in Brussels, where he and a team worked on producing a system where the digital signatures of notaries would be used to timestamp documents that were communicated across a distributed network. In 1996, he started work on a project called Timesec that aimed to introduce standards of secure digital timestamping for the International Organization for Standardization (ISO) and Internet Engineering Task-Force (IETF). As he commented for Cointelegraph in May 2020:

The first blockchain, by Stuart, was using NYTimes to publish hash values (surety.com). It still exists. We used blocks (the real idea of Merkle) chaining with 2 secure hash functions (in case one is broken) and a secure pseudo-random generator.

Quisquater and his colleagues wrote five papers related to the project. Eventually, one of them called "Design of a secure timestamping service with minimal trust requirements" ended up referenced in the Bitcoin white paper.

All of the blockchain "fathers" are still active in the industry as of 2021. While Stornetta is a chief scientist at a venture capital firm focused on blockchain technologies, Haber has advised several projects not only in the blockchain space but also in the area of multi-party computation. Quisquater advises a company manufacturing hardware wallets.

It is important to mention that none of the work of the aforementioned gentlemen included aspects of Proof-of-Work as we know it in Bitcoin. This piece of the great crypto puzzle had yet to appear.

Hashcash

The concept that would later turn out to be of elementary importance for the inception of Bitcoin (and referenced by Satoshi) — Hashcash — was proposed in 1997 by Adam Back, though he only released the paper in 2002. He proposed it as a "non-interactive, publicly auditable, trapdoor-free cost function with unbounded probabilistic cost". It was a cost-function designed to deter undesired emails, such as spam, as well as limit denial-of-service attacks. In simple terms, it was meant to allow the sender of an email to prove to the receiver that when sending the email he took a certain amount of CPU time to perform some work on a cryptographic puzzle, and thus signal that the email is not spam. The idea was that while such CPU work performance is negligible for users sending a regular email, a spammer sending a vast amount of such emails would exhaust a significant amount of his CPU time and resources. The sender proved his "honesty" by working on a puzzle. Hence the inception of Proof-of-Work. One of the conditions for such a system was that while the computed puzzle is moderately hard to produce, it is easy to verify for the sender (or anyone else). In the case of emails, a hashcash stamp would be added to the header of an email.

It is worth noting that a similar idea was proposed by Cynthia Dwork and Moni Naor in 1992 in their paper "Pricing via Processing or Combatting Junk Mail". Over time, Proof-of-Work construction turned out to be quite effective as a tool of mitigation and prevention for denial-of-service attacks, including the Sybil attack (essentially performed by a large number of malicious nodes), formalized in 2002 by John Douceur.
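The cost asymmetry described in this section, many hashes to mint a stamp and one to check it, can be seen in a small mint-and-verify pair. This is an added example, not code from Back's paper or the hashcash tool: the colon-separated stamp layout follows the version 1 hashcash format with SHA-1, while the 14-bit difficulty, the 28-day validity window, the status strings and the sample addresses and dates are assumptions chosen here.

```python
import base64, hashlib, itertools, os
from datetime import date, datetime

def stamp_bits(stamp: str) -> int:
    """Number of leading zero bits in SHA-1(stamp): the work the stamp proves."""
    digest = hashlib.sha1(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, day: date, rand: str = ""):
    """Sender side: grind the counter until the stamp hashes to `bits` zero bits.
    Returns (stamp, number_of_hashes_tried)."""
    if ":" in resource:
        raise ValueError("resource must not contain ':'")
    rand = rand or base64.b64encode(os.urandom(12)).decode()
    prefix = f"1:{bits}:{day:%y%m%d}:{resource}::{rand}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        if stamp_bits(stamp) >= bits:
            return stamp, counter + 1

class Verifier:
    """Recipient side: one hash per stamp, plus a spent-stamp set against reuse."""
    def __init__(self, resource, min_bits, max_age_days=28):
        self.resource, self.min_bits, self.max_age_days = resource, min_bits, max_age_days
        self.spent = set()

    def check(self, stamp: str, today: date) -> str:
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1":
            return "malformed"
        try:
            claimed = int(fields[1])
            stamp_day = datetime.strptime(fields[2], "%y%m%d").date()
        except ValueError:
            return "malformed"
        if fields[3] != self.resource:
            return "wrong-resource"      # stamp was minted for someone else
        if claimed < self.min_bits:
            return "too-cheap"           # not enough work for this recipient's policy
        if not -2 <= (today - stamp_day).days <= self.max_age_days:
            return "expired"             # bounds how long spent stamps must be remembered
        if stamp_bits(stamp) < claimed:
            return "invalid-work"        # the single hash the verifier has to compute
        if stamp in self.spent:
            return "replayed"
        self.spent.add(stamp)
        return "ok"

def demo():
    today = date(2002, 8, 1)                                  # constructed date
    inbox = Verifier("alice@example.org", min_bits=14)        # constructed addresses
    stamp, tries = mint("alice@example.org", 14, today)
    cheap, _ = mint("alice@example.org", 4, today)
    return {
        "tries": tries,
        "first": inbox.check(stamp, today),
        "replay": inbox.check(stamp, today),
        "other_recipient": Verifier("bob@example.org", 14).check(stamp, today),
        "retargeted": Verifier("bob@example.org", 14).check(
            stamp.replace("alice@", "bob@"), today),
        "stale": Verifier("alice@example.org", 14).check(stamp, date(2002, 12, 1)),
        "cheap": inbox.check(cheap, today),
        "garbage": inbox.check("not a stamp", today),
    }

if __name__ == "__main__":
    print(demo())
```

Each extra bit of difficulty doubles the sender's expected number of hashes while the recipient's cost stays at one hash and one set lookup.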

B-money

As one of its potential applications, in his Hashcash paper Back referred to an electronic cash scheme called b-money, proposed by Wei Dai in 1998. In a quite short post, Dai proposed two protocols that share some similarities, including the notion of a shared ledger as well as pseudonymous identities based on public key infrastructure:

In the first protocol, every participant maintains a (separate) database of how much money belongs to each pseudonym. These accounts collectively define the ownership of money, and how these accounts are updated is the subject of this protocol.
1. The creation of money. Anyone can create money by broadcasting the solution to a previously unsolved computational problem. The only conditions are that it must be easy to determine how much computing effort it took to solve the problem and the solution must otherwise have no value, either practical or intellectual. The number of monetary units created is equal to the cost of the computing effort in terms of a standard basket of commodities. For example if a problem takes 100 hours to solve on the computer that solves it most economically, and it takes 3 standard baskets to purchase 100 hours of computing time on that computer on the open market, then upon the broadcast of the solution to that problem everyone credits the broadcaster's account by 3 units.
2. The transfer of money. If Alice (owner of pseudonym KA) wishes to transfer X units of money to Bob (owner of pseudonym KB), she broadcasts the message "I give X units of money to KB" signed by KA. Upon the broadcast of this message, everyone debits KA's account by X units and credits KB's account by X units, unless this would create a negative balance in KA's account in which case the message is ignored.

Dai had a clever idea of turning electricity spent on computing into the function of money creation. Indeed, the same feature would later be a revolutionary breakthrough in Satoshi’s brainchild. The difference between the two is that Wei’s intention was to keep creation of monetary units directly proportional to the costs of computing. As he admitted in the appendix of the same paper, this was rather problematic as it implied that peers would need to agree on the cost of particular computations. That would be complicated by the fact that such a cost would be based on an ever-changing variable of knowledge that is asymmetric in nature across the spectrum of market/network participants. Satoshi solved this problem by hardcoding the unit emission rate whatever the costs of the production of blocks, and thus coins. The same appendix proposes, however, an alternative protocol for money creation which consists of periods divided into four phases:

1. Planning. The account keepers compute and negotiate with each other to determine an optimal increase in the money supply for the next period. Whether or not the account keepers can reach a consensus, they each broadcast their money creation quota and any macroeconomic calculations done to support the figures.
2. Bidding. Anyone who wants to create b-money broadcasts a bid in the form of <x, y> where x is the amount of b-money he wants to create, and y is an unsolved problem from a predetermined problem class. Each problem in this class should have a nominal cost (in MIPS-years say) which is publicly agreed on.
3. Computation. After seeing the bids, the ones who placed bids in the bidding phase may now solve the problems in their bids and broadcast the solutions.
4. Money creation. Each account keeper accepts the highest bids (among those who actually broadcasted solutions) in terms of nominal cost per unit of b-money created and credits the bidders' accounts accordingly.

Dai’s notion of miners declaring their willingness to mine (and thus participate in the system) at given costs of production units sketched an organic ecosystem of miners constantly joining and leaving the network, and thus inherently revealing their economic calculations. It is worth noting that as much as b-money looks like a blueprint for Bitcoin’s design, according to the email conversations available on the Internet, Satoshi was not aware of Wei’s work until shortly before publishing the white paper, when he was notified of the similarities by Adam Back.

Also, interestingly, Wei in his second protocol proposed a tweak in the system’s architecture, introducing subsets of partially trusted nodes that keep copies of the ledger. By analogy with the Delegated Proof-of-Stake used in many cryptocurrencies, this could be described as a Delegated Proof-of-Work system. Furthermore, he brought the idea of the validating nodes having to deposit money in special accounts for fines in case they misbehave. This might be considered similar to "slashing" conditions being implemented in Proof-of-Stake models in some networks after 2014, including Ethereum 2.0.

Nonetheless, Wei Dai sketched out the idea of b-money on paper, and did not pursue implementation of his ingenious idea. He has not been active in the crypto sphere since, even though some theories suggest there might be a certain overlap in his identity with that of Satoshi. Their mutual proficiency in C++ is not the only indication of that. There are also contraindications, however. In another forum, LESSWRONG, Dai conveyed his conviction that Bitcoin has "failed with regard to its monetary policy" as well as regret that he had not dissuaded Satoshi from implementing deflationary policy when Nakamoto reached out to him for comments.

Bit Gold

Similar legends have also been told about Wei’s friend — Nick Szabo. While in the media he is often portrayed as the inventor of smart contracts, it should be noted that in 1998 he also came up with the concept he called Bit Gold. From the time he worked with David Chaum, he was skeptical of the centralized nature of money systems, including Digicash. He elaborated on pitfalls related to trusted third parties in his essay "Trusted Third Parties are Security Holes". Bit Gold was Szabo’s endeavour to get rid of them. He worked on the concept over the years and released the fully fledged version of the paper in 2005. As is custom, proponents of the Austrian School of Economics are often gold aficionados, and Szabo too contemplated a monetary system based on digital currency that would imitate properties of gold, mainly scarcity, and was not dependent on any single third-party. General sympathies towards gold are shared by most notable personalities in the libertarian philosophical fold. But they did not generally support decoupling dollars from gold. From their perspective, the gold standard indeed prevented governments from responding quickly to monetary crises, but its abolition allowed governments to create them.

Thus, it would be very nice if there were a protocol whereby unforgeably costly bits could be created online with minimal dependence on trusted third parties, and then securely stored, transferred, and assayed with similar minimal trust. Bit gold.

Note the key expression Szabo used — costly bits. He envisioned the system based on the following steps:

1. A public string of bits, the "challenge string," is created (see step 5).
2. Alice on her computer generates the proof of work string from the challenge bits using a benchmark function.
3. The proof of work is securely timestamped. This should work in a distributed fashion, with several different timestamp services so that no particular timestamp service need be substantially relied on.
4. Alice adds the challenge string and the timestamped proof of work string to a distributed property title registry for bit gold. Here, too, no single server is substantially relied on to properly operate the registry.
5. The last-created string of bit gold provides the challenge bits for the next-created string.
6. To verify that Alice is the owner of a particular string of bit gold, Bob checks the unforgeable chain of title in the bit gold title registry.
7. To assay the value of a string of bit gold, Bob checks and verifies the challenge bits, the proof of work string, and the timestamp.

Szabo essentially conceived of a chain of digital signatures where any user that wants to claim new units of the costly bits needs to put some work into finding it and compute a hash that is sent to timestamping services thereafter. One’s ownership of newly acquired golden bits is recorded on a distributed ledger that Szabo named a property title registry. Subsequently, a rush for bit gold mining began again. This time, though, the cryptographic puzzle derived from the latest hash would be added to the chain of signatures. He also noted the fungibility provided in such a system:

Thus, bit gold will not be fungible based on a simple function of, for example, the length of the string. Instead, to create fungible units dealers will have to combine different-valued pieces of bitgold into larger units of approximately equal value. This is analogous to what many commodity dealers do today to make commodity markets possible. Trust is still distributed because the estimated values of such bundles can be independently verified by many other parties in a largely or entirely automated fashion.

Szabo is a prolific thinker and essayist. One of his most famous essays is "Schelling Out: The Origins of Money" and can be found on his personal blog called Unenumerated, along with all his other work. It is worth mentioning that Bitcoin’s creator himself acknowledges Szabo’s contribution in one of Satoshi’s posts on Bitcointalk forum in 2010:

Bitcoin is an implementation of Wei Dai’s b-money proposal […] on Cypherpunks […] in 1998 and Nick Szabo’s Bitgold proposal,

Karma

At the dawn of a new millennium, a phenomenon took the internet by storm — peer-to-peer file sharing. With the release of file sharing services, Napster, Gnutella, Limewire, and others hit the mainstream and started a new chapter for the Internet. Despite their rising popularity, there has always been a great asymmetry between the two main user groups of these services: givers and takers. While plenty of people enjoyed the privilege of downloading virtually anything that the Internet has ever produced, merely a handful were willing to contribute to the network and hosting of the files themselves.

In 2002, a group of three students from Cornell University attempted to design a system that would incentivize people to contribute to the ecosystem and do good. They named it Karma. Their goal was to cut down on freeloaders. In their system, a peer's activity — the amount of resources contributed and consumed — was tracked, and resulted in a single scalar value called, like the system itself, karma. Upon joining the network, everyone was assigned a default amount of karma that was further adjusted reflecting the peer’s activity, downwards when consuming data, and upwards when contributing resources. If one’s karma sank too low, below the amount of karma needed to perform a transaction, the transaction would not happen.

That way, users were incentivized to maintain proportionality between consuming and contributing. The records of everyone’s karma balance were kept by a group of nodes called "bank-sets". Each peer was assigned multiple nodes that maintained their karma balance as well as the transaction log. The system used a peer-to-peer distributed hash table (DHT) to map nodes and bank-sets. As each node within a bank-set acted independently and no Byzantine consensus protocols were implemented, the system allowed for temporary inconsistencies such as negative karma balance. The risk of Sybil attacks, the attack where adversaries create a large number of pseudonymous identities to gain disproportionally large influence in the network, was mitigated through a feature that forced every new node joining the network to solve a cryptographic puzzle. Karma never gained much traction, but one of the protocol co-creators, Emin Gün Sirer, would later contribute to both Bitcoin and Ethereum, and would found the company AVA Labs, which designed a protocol that went under the name Avalanche. In our interview, almost two decades after the attempt, Sirer looked back to evaluate why Karma did not take off:

I did not have an extended vision like Satoshi did. Karma was designed for facilitating resource sharing and peer-to-peer networks. It's incredibly well-cited academically; it's foundational material for a lot of other people who tried to build on it, but compared to let's say Bitcoin, it was too small a vision, so there's that.
The second and biggest issue is I didn't push it. I didn't push it because everybody counseled me and said, look, the entire world in 2002 is united against terrorists. Everybody is concerned about terrorist financing and you will never find any funding for this. They were right. I would not have been able to find any source for funding peer-to-peer cash at the time, so I in fact gave up on the idea. I said this is not going to go anywhere. Banks are not going to want this, and regular people are not going to fund its development, and they didn't at the time. It took the 2008 crash for people to realize that we need alternatives, and Satoshi's timing was impeccable.

RPOW

Between the time Szabo thought of Bit Gold for the first time in the late 1990s and published an elaborated description of the system in 2005, Karma was not the only new layer added to the mosaic of digital cash attempts. RPOW was another. The author was yet another terrific coder and engineer whose significant contribution to the development of Bitcoin is not questioned — Hal Finney. Finney was a member of the Cypherpunks mailing list from its early inception. He worked for the PGP Corporation along with Phil Zimmermann and was a noted cryptographic activist. In August of 2004, at a time when the heyday of Cypherpunks was long-gone, he posted a message to the mailing list with an invitation to the project he had been working on for the last months:

I’d like to invite members of this list to try out my new hashcash-based server, rpow.net. This system receives hashcash as a Proof of Work (POW) token, and in exchange creates RSA-signed tokens which I call Reusable Proof of Work (RPOW) tokens. RPOWs can then be transferred from person to person and exchanged for new RPOWs at each step. Each RPOW or POW token can only be used once but since it gives birth to a new one, it is as though the same token can be handed from person to person.
Because RPOWs are only created from equal-value POWs or RPOWs, they are as rare and valuable as the hashcash that was used to create them. But they are reusable, unlike hashcash.
The new concept in the server is the security model. The RPOW server is running on a high-security processor card, the IBM 4758 Secure Cryptographic Coprocessor, validated to FIPS-140 level 4. This card has the capability to deliver a signed attestation of the software configuration on the board, which any (sufficiently motivated) user can verify against the published source code of the system. This lets everyone see that the system has no back doors and will only create RPOW tokens when supplied with POW/RPOW tokens of equal value.

Like many of the early Cypherpunk members, he too was inspired by the work of David Chaum and the idea of Mixnet, and thanks to his efforts, a similar system was integrated into the remailers in the early 90s. Over a decade later, he had made himself familiar with the work of Adam Back as well as Nick Szabo. One disadvantage of Back’s Hashcash that he recognized was that a computer’s Proof-of-Work token could be used only once. Building on his idea, Finney designed a system — RPOW — where it could be reusable. Or that is at least how it appeared from the user’s perspective. Technically, every time such a token was transferred from one person to another, it was exchanged for a newly created RPOW token. Therefore, even though a token was used only once, the user’s experience was equal to passing it to another party. But from the system architecture perspective, we could distinguish between POW and RPOW tokens.

In this fashion, records of transactions formed a chain of RPOWs. They were, however, stored on a central server that kept track to ensure that no one cheated and no RPOW token was exchanged twice, effectively being double-spent. While the word "centralized" would naturally trigger an alert on every Cypherpunk radar, there was a mitigation in place that would make it almost impossible to tamper with the data, even by the server’s owner. This was due to a special high-security server utilizing secure cryptographic IBM 4758 processor cards. These servers had embedded systems that prevented anyone, including the owner, from changing their content.

As Finney explained the security features of the server on the project’s website, it contained several classes of memory. While some of them were cleared upon reboot, there was a dedicated region of flash memory and battery-backed up RAM (BBRAM) that preserved persistent data even after a reboot. This feature was useful as it allowed for the ability to reload a program and retain persistent data. Not for the RPOW system, however. As Finney’s goal was to eliminate any need to place trust in him as the developer, operator and owner of the program, it was crucial that no one, especially the server’s owner, had access to the persistent memory of the program, because that was where the signing keys and other sensitive data were stored.

Fortunately, the IBM 4758 processor also had defined a class of data within persistent memory that was not preserved under certain circumstances. Among these were RSA secret configuration keys generated on the machine. The configuration keys were guaranteed to be cleared upon any change made to the software configuration on the processor card. It was exploitation of this feature that significantly reduced the trust that had to be placed in a central server. Any private data that were encrypted by the secret keys before being stored in flash memory could be decrypted by the same keys upon reboot. If the owner of the processor attempted to tamper with the data, or reload the operating system or the application, the secret keys would be deleted, and thus the data retained made inaccessible.

Even though tampering with data was mitigated by the use of the secure processor, and resistance to token forgeability was achieved by the system design, a system failure could still erase the account balances, and Finney stated this right away in his initial message announcing the system:

This system is in early beta right now so I'd appreciate any feedback if anyone has a chance to try it out. Please keep in mind that if there are problems I may need to reload the server code, which will invalidate any RPOW tokens which people have previously created. So don't go too crazy hoarding up RPOWs quite yet.

Finney was, of course, foreseeing that the system architecture would have to become more robust should it be successful and become popular in the future, and designed it with this in mind. He anticipated that multiple servers would need to host the RPOW system, and elaborated on it in the "Clustering" section of the project’s website. He also mentioned the challenge of synchronizing all the servers so they could prevent double spending, and suggested a database that would be shared between the servers as a possible solution. He rejected such a solution eventually because it would "add tremendous complexity" to the RPOW system. Instead, he proposed an approach where each of the servers maintained its own copy of the database with "seen" RPOW tokens. This eliminated the necessity for a server to synchronize with other peers, and ensured that each token could not be exchanged more than once as there was just one server where it could be done. The RPOW network would be effectively divided into shards performing record-keeping independently. This would be done via matching of a "cardid" parameter that was unique to each server. Tokens had this parameter embedded in them, generated by the client software at exchange time. Therefore, both POW and RPOW tokens could only be spent at one particular server whose "cardid" parameter corresponded with the value embedded in tokens.
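The exchange rule and the per-server "seen" database described above can be modelled in a few lines. This is an added example, not Finney's RPOW code: the token layout, the status strings and the cardids "card-A" and "card-B" are constructed here, an HMAC key stands in for the RSA signing key held inside the card, and the attestation of the card's software is not modelled.

```python
import hashlib, hmac, itertools, os

def zero_bits(token: str) -> int:
    """Leading zero bits of SHA-1(token), the work a POW token proves."""
    digest = hashlib.sha1(token.encode()).digest()
    return 160 - int.from_bytes(digest, "big").bit_length()

def mint_pow(cardid: str, bits: int) -> str:
    """Client side: grind a hashcash-like POW token bound to one server's cardid."""
    rand = os.urandom(8).hex()
    for n in itertools.count():
        token = f"pow:{cardid}:{bits}:{rand}:{n:x}"
        if zero_bits(token) >= bits:
            return token

def value_of(token: str) -> int:
    return int(token.split(":")[2])

class RpowServer:
    def __init__(self, cardid: str, min_bits: int = 8):
        self.cardid, self.min_bits = cardid, min_bits
        self._key = os.urandom(32)   # stand-in for the signing key kept inside the card
        self.seen = set()            # this server's own database of spent tokens

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _issue(self, value: int) -> str:
        body = f"rpow:{self.cardid}:{value}:{os.urandom(16).hex()}"
        return f"{body}:{self._sign(body)}"

    def exchange(self, token: str):
        """Consume one POW or RPOW token; return (status, new_token_or_None)."""
        parts = token.split(":")
        if len(parts) != 5 or parts[0] not in ("pow", "rpow"):
            return "malformed", None
        try:
            value = int(parts[2])
        except ValueError:
            return "malformed", None
        if parts[1] != self.cardid:
            return "wrong-server", None          # token belongs to another shard
        if parts[0] == "pow":
            valid = value >= self.min_bits and zero_bits(token) >= value
        else:
            body = token.rsplit(":", 1)[0]
            valid = hmac.compare_digest(self._sign(body).encode(), parts[4].encode())
        if not valid:
            return "invalid", None
        if token in self.seen:
            return "already-spent", None         # double-spend attempt
        self.seen.add(token)
        return "ok", self._issue(value)          # equal value in, equal value out

def demo():
    a, b = RpowServer("card-A"), RpowServer("card-B")
    pow_token = mint_pow("card-A", 12)
    s1, rpow1 = a.exchange(pow_token)            # work becomes an RPOW token
    s2, _ = a.exchange(pow_token)                # the same POW presented again
    s3, _ = b.exchange(rpow1)                    # presented to the wrong server
    s4, rpow2 = a.exchange(rpow1)                # recipient swaps it for a fresh token
    s5, _ = a.exchange(rpow1)                    # previous holder tries to reuse it
    s6, _ = a.exchange(rpow1.replace(":12:", ":40:", 1))  # value edited by the holder
    return [s1, s2, s3, s4, s5, s6], value_of(rpow2)

if __name__ == "__main__":
    print(demo())
```

Because a token names exactly one cardid, the server that issued it is the only place it can be spent, so a local set is enough to stop a second exchange without any coordination between servers.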

While the system was not intended to function as money, but rather as a transferable representation of computational work, Finney imagined it could serve as "play money" for online games or peer-to-peer file exchange systems. Nonetheless, Finney had long contemplated money in the electronic space. Already in 1994, he wrote about the monetization of remailers and examined which payment mechanism would be the best solution for that aim, including Digicash. Over the years, he kept track of developments in the space, and as it happened, four years after the publication of RPOW, he ran into Satoshi in 2008 and became very supportive of his idea of an electronic cash system. He would eventually become one of the first people to download the software, play around with it and mine, as well as the very first person to receive a transaction on the Bitcoin network, from Satoshi himself.

Ripplepay

Even though the word "Ripple" has become highly unpopular in the Bitcoin world, I’d argue it hasn’t received a fair evaluation from Bitcoiners. Ripplepay was a company founded in 2004 by Ryan Fugger, a web and decentralised system developer from Vancouver, Canada. The company was founded to offer "a financial service that allows you to extend credit lines to your friends, family, and associates and make secure payments in traditional and online currencies". It essentially created a network of nodes transferring IOUs. The Ripple service tracked obligations between individuals and a social network while using a distributed infrastructure. It was inspired by LETS, local exchange trading systems that were flourishing in the 1990s but waned afterwards. In an email exchange with one of the early Bitcoin developers Mike Hearn, Satoshi Nakamoto himself acknowledged the system’s proposition:

Ripple is interesting in that it’s the only other system that does something with trust besides concentrating it into a central server.

The project was later passed over to Jed McCaleb, Chris Larsen, Arthur Britto and David Schwartz, who built upon the work of Fugger, now under a different branding — OpenCoin. They worked on a protocol that would allow for instant P2P transfers, attracting investors such as Andreessen Horowitz, Roger Ver, Google Ventures and the Bitcoin Opportunity Fund (later rebranded to Digital Currency Group). OpenCoin later became Ripple Labs in 2013, and then just Ripple in 2015. The branding, as well as the various product names, have long been a source of confusion. The company had rebranded from Ripplepay to Ripple Labs and then to Ripple. The international payment system it developed is called RippleNet, and it utilises XRP as a settlement asset. RippleNet also consists of a number of different products such as xCurrent, xRapid or xVia. While XRP may be used for settlement within RippleNet, it isn’t a requirement.

The XRP Ledger, an open source public ledger, and XRP as an asset, operate independently of RippleNet and even the company itself — Ripple. The XRP token came into existence in 2013 and was used for a number of giveaways and community airdrops. Over time, Ripple has attained a reputation as a "bankers coin" as it focuses on integration and partnerships with a number of banks worldwide. But it has also been criticized because it operates with a different architecture model that is much more centralized compared to other cryptocurrencies — even though the plan is to gradually decentralize it further.

In 2017, Mike Hearn compared the original Ripple to an attempt to create something similar to the Lightning Network as a decentralized netting of debts. Debts could be denominated in any currency. As he noted, when implemented, the attempt turned into an ordinary centralized web application. Though the system turned out to be very different from the original idea, he too acknowledged its innovative potential at the time:

Before Bitcoin, Ryan’s Ripple was really the only project trying to do anything innovative with money on the internet. I first found Ripple in 2006 and had significant email communications with Ryan starting around 2007. Satoshi was obviously well aware of it, which did not surprise me. It was a tiny community back then. My interest in digital money goes back a lot further than most people’s does.

Liberty Reserve

Perhaps the latest notable attempt at creating a digital currency in the pre-Bitcoin era was Liberty Reserve. The company was established in 2006 in Costa Rica by Arthur Budovsky. He fled to the country after being indicted in the United States for operating an illegal financial business with his company Gold Age, one of the first independent E-gold exchanges, which began operations in 1999. Liberty Reserve was founded as a centralized digital currency service that had over a million users at its peak. The company was put on the radar of Costa Rican authorities by 2009 when it was accused of operating an unlicensed money transmitting business. Its license application was denied in 2011 due to a lack of transparency about the company's funding. The authorities launched a criminal investigation against the company the very same year, a case that spread to 17 countries. Eventually, U.S. prosecutors filed a case against Liberty Reserve in 2013, accusing it of money laundering activities resulting in multi-billion fraud.

Of note was the company’s business model. The company allowed only for deposits in its own currency, also called Liberty Reserve. To make one, only a (possibly fake) name and email were required. On-ramps were provided by a layer of intermediaries called "exchangers" who were typically unlicensed money transmitters in countries like Vietnam, Nigeria, or Malaysia. A user could buy Liberty Reserves from them for dollars, and they would credit the user's account. The process worked in reverse as well. This scheme resulted in a situation whereby Liberty Reserve had no identifying data on its customers. Reportedly, a vast amount of the company's volume was from hacking, credit card fraud and Ponzi schemes. The currency itself was pegged to the US dollar even though there was no legally binding clause that guaranteed the exchange rate. Operating with no licenses and beyond the scope of financial regulations, the company operated in a grey area. Eventually, in 2016, Budovsky pleaded guilty to laundering more than $250 million and was sentenced to 20 years in prison.

Other Virtual Economies and Currencies

While these examples were some of the most notorious, there exists a plethora of other projects related to digital money, or credits as they were often dubbed, that appeared in the beginning of this millennium and were run by different companies. These include Flooz, which raised $35 million in venture capital, operated for around three years and closed shortly after it was revealed that the currency was being used fraudulently to launder money. Around the same time, another company named Beenz raised even more money, approximately $80 million. The premise was that their digital currency would serve as a reward mechanism for online behavior. Despite the company’s partnership with MasterCard, it was forced to cut costs in the light of the bursting of the tech bubble, and eventually shut down. Facebook's experiment with Facebook Credits could also be included in the category of virtual currencies. The project's short lifespan and restrictive design did not allow it to develop into something beyond the social network's walled garden. Added to that, there are also examples of virtual currencies that began as one idea and became another.

In the early 2000s, Tencent, a mainland China tech conglomerate now known to be one of the largest in the world, launched a messaging app called Tencent QQ with its own virtual currency — Q coin. Each Q coin was equal to 1 yuan, or approximately $0.15, and was designed to pay for online services and games within the Tencent ecosystem. Every user using the currency could also customize their avatar by purchasing various accessories, which significantly drove demand for the Q coin.

As the currency became more popular, it began being accepted by other digital services, including gaming, gambling and the adult entertainment industry, though none were affiliated with Tencent. By 2010, the system claimed to have more than 600 million active users. For a good segment of these users, Q coins had evolved into money that could be used to purchase a wide spectrum of goods.

This resulted in fierce tension between the company and China’s central bank. The banking authority imposed initial restrictions and limits on the volume of coins allowed in commercial interactions, and eventually ordered that Q coin could only be used for the purchase of virtual goods. Despite these restrictions, the commerce powered by Q coins continued to boom. Users found clever ways to circumvent the restrictions by exchanging account credentials instead of coins. The virtual currency is still used in 2021 even though the crackdown has prevented it from achieving mainstream adoption.

The case of Q coins and the emergence of a new currency in the form of accounts is far from the only example that highlights how virtual assets can diverge from the projected trajectories of their designers. The popular messenger ICQ, launched in 1996, is another project that fits that mold. In ICQ, every user had a unique identifying number. Early users were assigned five-digit numbers. As the popularity of the service grew, so did the number of people using it. Later, the company introduced six-digit, seven-digit, eight-digit, and even nine-digit IDs to its users. As the original five-digit numbers became very rare, they naturally became the subject of trading, and some were listed on eBay for hundreds of dollars. As the demand grew, people started to produce — create accounts — and hoard them even more. The value of ICQ accounts caused them to become their own unique market and economy.

It shouldn’t be surprising that similar trends arose in the gaming industry, a huge potential marketplace for digital trade. Most of the literature on cryptocurrency ignores virtual economies and currencies in games, but it is my objective to provide readers with as big a picture as possible when it comes to the space of digital currencies. As Edward Castronova, an economist focused on the research of virtual economies, stated in many of his books related to this topic, understanding virtual economies is important to economists, social scientists, business people, and policymakers. Exclusion of virtual gaming currencies from cryptocurrencies is justifiable to most as they were created with a different vision, purpose, and design. That said, many games managed to gain a tremendous amount of popularity, and thus became a breeding ground for parallel economies maintained by users. This is especially true when it comes to the world of massively multiplayer online role-playing games (MMORPGs).

This genre, as defined today, was popularized by games such as Ultima Online and EverQuest in the late 1990s. The games and their economies thrived in the days of the Internet reaching the masses. Millions of players participated in these early virtual economies, and they grew to an unprecedented scale. According to Castronova's research, EverQuest and its fictional country of Norrath achieved a Gross National Product of $135 million in the early 2000s. Calculated proportionally to the number of users, roughly one million, the value resulted in $2,266 per capita. This catapulted Norrath to a level equal to that of the 77th richest country at the time.

The successful titles that appeared later could boast even more impressive numbers. Eve Online, launched in 2003, is famous for its utilization of libertarian philosophy inspired by novelist Ayn Rand. This space-based persistent world allowed hundreds of thousands of players to engage in massive commerce interactions involving all kinds of commodities in highly sophisticated in-game marketplaces. Players could even choose to optimize their skillset in a way that allows them to exploit market inefficiencies via arbitrage on the commodity markets. More importantly, epic battles among thousands of user-generated battleships happened in a virtual world designed to maximize player-to-player interactions. Eve Online, developed by CCP Games, a company based in Iceland, uses a currency called InterStellar Kredits (ISK). Similarity with Iceland's national currency is of course purely coincidental. In 2021, more than 18 years since its launch, the game still counts tens of thousands of daily active players.

This number is similar to the active daily players of Second Life, another popular virtual world released in 2003. Second Life was based on similar principles of open and market-driven economies where users are free to create and monetize their content in P2P interactions. This was the main driving force behind the success of Second Life, which hosted millions of users in an environment resembling real life. Second Life residents use Linden Dollars as the currency of choice in countless commercial transactions conducted over the course of almost two decades.

Other massive multiplayer online games (MMOs) such as World of Warcraft and Minecraft have also been able to amass millions of players using in-game virtual currencies on a daily basis. These virtual currencies were centralized in terms of architecture, and did not contribute significantly to the evolution of the technological stack behind Bitcoin and cryptocurrencies. However, there is much to learn from these experiments when it comes to designing virtual economies and currencies. The art of designing scarce systems later evolved in the realm of cryptocurrencies as a subfield called tokenomics, and subsequently accelerated market exchanges with non-fungible tokens and crypto collectibles.

Getting back to the discussion about "real" virtual currencies, one may wonder about the differences between virtual money and economies and physical ones. Logistically, there isn’t much difference between buying a t-shirt for your avatar from a vendor in Second Life using Linden Dollars and buying a t-shirt using American dollars. Both transactions happen in similar frameworks, perhaps governed by slightly different rules. The goal of the designers of these worlds, often because of regulations, has been to keep these worlds separate. Cryptocurrencies, though, allow for a permissionless bridge between the two. Instead of thousands of walled gardens, Bitcoin, Ethereum, and other cryptocurrencies bring foundational protocols that allow for frictionless communication across the entire digital realm.

As has been alluded to, the centralized nature of previous digital currency projects turned out to be a major issue for their creators. It was far too easy for regulators to step in and restrict these services because they had a central location and server. The same problem, though, applied to file sharing systems as well. While File Transfer Protocol (FTP) emerged around the same time Usenet did, the first decentralized file sharing protocols emerged and were actively developed in the 1990s. Instances include Napster, Gnutella, eDonkey2000 and later also BitTorrent and others. Initially, even though their users interacted in a peer-to-peer manner, the network architecture relied on centralization as much of the data was stored on local servers of the companies behind the networks. Naturally, they too faced the wrath of regulators’ crackdowns. Napster is the best known example, but others had similar problems as well. As a result, it became clear to many that an absolute freedom of digital exchange would only be possible in a truly distributed network resistant to the legal pressure and censorship efforts of governments.

A lot of people automatically dismiss e-currency as a lost cause because of all the companies that failed since the 1990's. I hope it's obvious it was only the centrally controlled nature of those systems that doomed them. I think this is the first time we're trying a decentralized, non-trust-based system.

This is what Satoshi Nakamoto wrote as a reply to the comments on his new project. In heroic fashion, he released it on the website of the P2P Foundation, fulfilling the prophecy of economist Milton Friedman:

The one thing that’s missing, but that will soon be developed, is a reliable e-cash, a method whereby on the Internet you can transfer funds from A to B, without A knowing B or B knowing A.