The Digital Gold Logs

Published: January 18, 2026

The “Digital Gold Logs”: hidden messages inside a mining pool database

This post is the second in a series explaining the RICO complaint that details how Barry Silbert and his company Digital Currency Group conducted a decade-long series of schemes to turn Bitcoin into "Digital Gold" and then cover up the crimes that were committed during its creation.

As with the previous article The Jefferies Claim Sale Scheme, this article is AI-assisted. Most of it was rewritten by humans and everything was checked to be 100% accurate. While we don't normally use AI to write blog posts, our goal here is to get this information out to the public as quickly as possible.

What are the “Digital Gold Logs”?

A key act in the case involves the sabotage of PROHASHING, a mining pool, for the purpose of preventing Bitcoin from increasing its block size, so that the Enterprise's "Digital Gold" investment scheme could be sold to the American public.

The “Digital Gold Logs” are coded entries embedded into PROHASHING’s internal payout ledger—specifically inside the mining balance history of a PROHASHING user account labeled “quasar.” According to the complaint, someone with administrative or root access to PROHASHING’s database inserted tiny, precisely chosen numeric balance values that can be decoded into letters using a simple cipher (A1Z26, where A=1, B=2, …, Z=26). Once decoded, the letters form short “initialism-style” messages—strings like “CCV BCH HT BIB GF” or “PCY I SPE GCI”—that the complaint interprets as shorthand references to events, actors, and alleged objectives connected to the larger “Digital Gold” narrative.

Why would anyone hide messages in mining balances?

If you’ve ever looked at a mining pool account, the balance history typically looks boring:

  • A pool tracks “shares” submitted by miners.
  • Those shares are converted into a running balance (what the pool owes the miner).

In PROHASHING's case, there were two sets of aggregated balances: a total balance table (which increased or decreased when shares were submitted or payouts were sent) and a daily balance table (which never decreased and represented the total amount earned that day). The Digital Gold Logs were stored in the daily balances table.

A key point is that the “Digital Gold Logs” are not plain-text notes, emails, or internal comments that the hacker sent to PROHASHING. They’re steganography—hiding information inside other data that is expected to be numeric noise.

Why do that?

  1. It looks like ordinary accounting noise. A mining pool ledger is full of fractional numbers with many decimal places. That’s perfect camouflage.
  2. It’s durable. A database ledger tends to be kept indefinitely for accounting, audits, and customer support. PROHASHING stored 17TB of database rows for 12 years, and these rows contain the prices, difficulties, and mining history of thousands of coins.
  3. It can be private. The complaint alleges the encoded values were placed in the owed balance ledger (internal database).  That keeps the messages off public blockchains.

Because the messages were values worth as little as 10^-22 cents, they could not have been earned during normal mining.  A single submitted share is worth, at minimum, 0.001 cents.

The “Quasar” account: why it matters

The messages were found in a PROHASHING account named “quasar.” This account is important because its mining activity was not random.  The dates and times of mining were correlated with external events, like the Monero hard fork on March 9, 2019, MicroStrategy's bitcoin buy on August 11, 2020, and the onboarding of Cryptocurrency Management LLC, a shell company in front of other victims of the racketeering Enterprise, at Genesis around May 8, 2021.  Cryptocurrency Management LLC ("CM LLC") was a passthrough fund, and one of its lenders was PROHASHING, the target of the attacks where the Digital Gold Logs were stored.

There is one other detail:  besides the account being correlated with external events, "Quasar” is the name of a well-known remote-access malware family (“Quasar RAT”). The allegation is not that the account is malware, but that the name choice may be a “tell” or a hint of the access method, just like how the account encodes many other signals and messages.

Where the “logs” live: database ledger vs. blockchain payouts

This distinction matters.

Internal ledger (“owed balances”)

Mining pools keep an internal record of what they owe each account as shares arrive. PROHASHING used a PostgreSQL database with high-precision decimal fields (the complaint describes 24 digits to the right of the decimal).

Payout records (“what actually got paid”)

When the pool pays out, it creates an on-chain transaction. Those amounts are visible publicly on blockchains.

Why the difference matters

The coded messages appear in the internal “owed balances,” but the actual payouts do not match those coded message values, because payouts are aggregated across multiple days in many instances. That supports the idea that the author wanted the messages to be private—in the internal ledger—rather than permanently published on-chain.

The balances ledger is the notebook; the blockchain is the world. If you want a secret notebook, you write in PROHASHING's ledger.

Low value

With 24 decimal places, a hacker can use 21 of them for encoding and still only cost the pool fractions of a cent. That suggests that the person who encoded the messages was an insider who disagreed with the Enterprise's sabotage, which cost millions of dollars and (more importantly) destroyed billions in value due to the customers who left or never joined.

How the encoding works

A1Z26: the “dictionary”

A1Z26 is a basic mapping:

  • A = 1
  • B = 2
  • …
  • Z = 26

If you encode the acronym “CODI,” you’d encode:

  • C = 3
  • O = 15
  • D = 4
  • I = 9

How do you hide those numbers in a balance?

A mining balance is a decimal number. A database might store it like:

  • 0.123456789012345678901234

PROHASHING used decimal (not floating-point) fields, which makes it possible to control digits precisely.

The “Quasar Insider” described in the complaint had direct database access, not simply access through mining equipment.  Therefore, he could make any change to the database he wished, including the insertion of values so small and so precise that:

  • they would never arise from real share calculations, and
  • their last digits could be chosen to encode letters.

The “tell”: impossibly tiny values

One can prove that the messages were encoded intentionally and with direct database access because on a specific date (March 9, 2019), the ledger contains values as low as:

  • 0.000000000000000000000003

In a normal pool, a single share is worth far more than that (because even the smallest share is a measurable fraction of a cent). The only plausible way to create such an “astronomically low” owed balance is direct database insertion.

That date contains a four-part message:

  • 0.000000000000000000000003 → “C”
  • 0.0000000000000000000000015 → “O” (interpreting “…0015” as 15)
  • 0.000000000000000000000004 → “D”
  • 0.000000000000000000000009 → “I”

Put together: “CODI.”

Why “Decimal” matters (and why floating-point would be harder)

Many systems store decimals as floating-point values, which are approximations held as a mantissa and an exponent in a fixed base (usually base 2). If you try to set a floating-point number to an exact set of trailing digits, the stored value often shifts because it can’t represent that exact decimal.

But if the database stores values as high-precision decimals, you can set exact digits and preserve them—making steganography feasible.
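The check and the decoding described in the sections above, as an added example (not code from the complaint or from PROHASHING): it flags daily balances below the smallest possible share value and reads each one, in units of 10^-24, as an A1Z26 letter. The sample rows, the floor value and its unit, the row order, and the helper names are assumptions, and it covers only the one-letter-per-row case shown for “CODI.”

```python
from decimal import Decimal

SCALE = 24                       # decimal places in the ledger field, per the page
MIN_SHARE = Decimal("0.00001")   # assumed floor: 0.001 cents, if the ledger unit is dollars

def units(n):
    """Build a constructed 24-place balance string whose trailing digits are n."""
    return f"0.{n:0{SCALE}d}"

# Constructed sample rows (date, daily balance as text), in assumed insertion order.
ROWS = [
    ("2019-03-08", "0.00421187"),
    ("2019-03-09", units(3)),
    ("2019-03-09", units(15)),
    ("2019-03-09", units(4)),
    ("2019-03-09", units(9)),
    ("2019-03-10", units(731)),   # below the floor, but not a letter code
    ("2019-03-10", "0.01765"),
]

def letter_for(value):
    """A1Z26 letter for a sub-floor balance read in units of 10^-24, else '?'."""
    code = value.scaleb(SCALE)
    if code == code.to_integral_value() and 1 <= code <= 26:
        return chr(ord("A") + int(code) - 1)
    return "?"

def scan(rows, floor=MIN_SHARE):
    """Map each date to the letters decoded from balances no real share could produce."""
    found = {}
    for day, text in rows:
        value = Decimal(text)     # exact; float(text) would approximate the digits
        if 0 < value < floor:
            found[day] = found.get(day, "") + letter_for(value)
    return found

def survives_float(text):
    """True if the exact digits come back after a round trip through a binary float."""
    return Decimal(repr(float(text))) == Decimal(text)

if __name__ == "__main__":
    print(scan(ROWS))
    print(survives_float("0.123456789012345678901234"))
```

A value such as 3 × 10^-24 has one significant digit and happens to survive a float round trip; survives_float() returns False once a balance carries more significant digits than a double can hold, as the 24-digit example does.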

Why messages look like acronyms

After decoding digits to letters, the results often appear as short letter clusters. These entries often contain only the first letter of each word, meaning the author encoded initials rather than full sentences.

That design is practical:

  • Shorter messages are easier to hide.
  • Initialisms are easier to deny.
  • They can be interpreted later using context.

What the “Digital Gold Logs” contain: examples from the complaint

Below are several entries specifically described in the complaint, with likely interpretations.

The “first record” entry (September 26, 2017)

The first payout record in the Quasar account is an encoded entry:

  • “H DDE HHH DB FG Y PH DC HHE”

The complaint’s example interpretation:

  • “Header / Data Definition Entry / [Unknown] / Discard Block / Fake Gains / [Unknown] / PROHASHING / Digital Currency [Group] / Header Hash End.”

One point is especially notable: “PH” and “DC” appear adjacent, suggesting a deliberate “from day one” log connecting PROHASHING (“PH”) with “Digital Currency” (“DC”) as shorthand.

“CCV BCH HT BIB GF” (February 18, 2018)

The second entry was encoded on February 18, 2018:

  • “CCV BCH HT BIB GF”

The complaint’s interpretation:

  • “Chinese Capital Vehicle / Bitcoin Cash / Hashrate Theft / Bitcoin Investment Bank / Grayscale Fund.”

The complaint frames this as an evolution into a money-laundering structure: Chinese capital used to fund hashrate theft; Bitcoin Cash paid out; and that BCH might then be used to seed the Grayscale Bitcoin Cash Trust (which launched weeks later) or a different fund.

“HEIHE UF SS W J DT DX” (December 3, 2018)

The complaint describes an entry on December 3, 2018:

  • “HEIHE UF SS WJ DT DX”

“HEIHE” is a location in China near the Russian border, which was a mining hub due to cold climate and surplus electricity.  This record is significant because it definitively links the mining activity to China.  While no explanation was offered for the remainder of the message, after the complaint was originally posted, AI-assisted analysis indicated a possibility that the remaining values might be initials of the people involved in the mining operation in Heihe.

“CODI” (March 9, 2019)

As described above, March 9, 2019 includes four tiny ledger insertions that decode to “CODI.”

One likely interpretation:

  • “Cancellation of debt income” (a U.S. tax concept relating to debt forgiveness).

The complaint ties this date to the Monero fork that changed mining economics, and suggests the log may be pointing to intercompany debt forgiveness at that time, the purpose of which was to bail out a subsidiary which now owned millions of dollars of bricked Monero mining rigs.

“PCY I SPE GCI” (August 11, 2020)

The complaint describes an entry associated with Binancecoin on August 11, 2020:

  • “PCY I SPE GCI”

The complaint’s example interpretation:

  • “Public Company / Is / Special Purpose Entity / Genesis Capital Incorporated.”

The complaint emphasizes that the Quasar account barely mined in 2020, and this single entry lands on a specific date with no mining activity for six months on either side of the date.

It then notes that August 11, 2020 is the same day the complaint says Strategy (formerly MicroStrategy) publicly announced its first major Bitcoin treasury purchase.  Strategy is not a defendant in the case and we weren't able to determine why someone would infer that Strategy was related to PROHASHING or Genesis, or why the company would be a "special purpose entity."

“CC BIC GGD GCC AGREED GHD” (May 20, 2021)

The complaint describes an entry associated with XRP on May 20, 2021:

  • “CC BIC GGD GCC AGREED GHD”

The complaint’s example interpretation:

  • “Crypto Currency [Management] / Borrower Inter Company / Genesis Global Debt / Genesis Capital Corporation / Agreed / Genesis Holdco Debt.”

This message suggests that the deposits of Cryptocurrency Management LLC, a company that was created at the suggestion of Genesis employees, were used to service intercompany obligations rather than being lent out at a higher interest rate as the Genesis employees had told the CM LLC depositors.

“Couldn’t this be coincidence?” The probability argument

A skeptic’s first reaction is reasonable: “Big datasets create patterns.”  However, there are a number of reasons why that is unlikely.

  • The entire database isn't being analyzed for patterns; only this specific account is.

  • All of the payouts in this account aren't being analyzed; only the ones that are small in comparison to surrounding payouts are.

  • The same cipher algorithm is being used for every entry.

  • The very first balance entry decodes to meaningful data.

Additionally, an analysis was performed to determine what the odds were that the entries could have been produced as a result of random chance.  This analysis:

  • treats the ledger as a collection of many high-precision fractional strings.

  • allows for flexible “human” encoding patterns (including padding and shortcuts).

  • uses digit-frequency distributions observed in the dataset.

  • uses an “anywhere in the dataset” assumption (making coincidence more likely, not less), ignoring the actual blatant correlations described in the previous bulleted list.

Even under these conservative assumptions, the complaint claims the probability that random ledger entries would contain the full observed set of meaningful A1Z26 strings is no greater than 1 in 3.23 × 10^158.

For public readers: that number is so extreme that the practical takeaway is simply this—the “random coincidence” explanation is mathematically implausible.

Why encode messages at all? Plausible motives (without assuming the conclusion)

These entries were made by an insider within the Enterprise, and they associate activities with external events. If we accept that (a) an insider inserted them and (b) they are meaningful, there are several plausible motivations.

Communication among a small group

Steganography can function like a “dead drop.” If two people know where to look and how to decode, they can communicate without emails or chat logs.

A signature (“I was here”)

Some insiders leave “markers” to prove authorship, assert status, or keep leverage. A hidden message can later be used to claim:

  • credit,
  • authority,
  • or insider knowledge.

Psychological pressure or taunting

The Quasar account appears to be a “signaling” account. One interpretation of signaling is simple intimidation: making it clear to the victim that the attacker is present, persistent, and capable of manipulating internal systems.

A hedge against betrayal

In criminal organizations, participants fear being scapegoated. A hidden diary can function as “insurance”: if one person is blamed, the log can point elsewhere.

Why not just write an email?

Because emails are discoverable, chat systems are monitored, and logs can be wiped. A hidden message in a ledger is unexpected evidence.

How a reader can think about “meaning” without overreaching

The Digital Gold Logs have strengths and weaknesses:

  • Strength: The messages are real, definitively encoded in A1Z26, created by database access, and intentional, because they could not have been created by chance.
  • Weakness: The messages' acronyms can be interpreted multiple ways.

A disciplined way to evaluate interpretation is:

  1. Treat the decoded string as a constraint.

  2. Ask what meaning best explains:

    • the date,
    • the coin associated with the entry,
    • the broader sequence of entries,
    • and the non-randomness evidence.

Because there is some ambiguity, the readings must be evaluated as “most likely” in context.  This is how, for example, "CCV" is more likely to refer to "Chinese Capital Vehicle" than something like "Corporate Capital Vehicle."  The word "HEIHE" in a different message favors the Chinese interpretation, and the "CCV" entry was recorded during a period when China was banning cryptocurrency exchanges.

Why this matters for the broader “Digital Gold” narrative

The phrase “Digital Gold” refers to the idea that Bitcoin should be treated primarily as a long-term store of value rather than a medium of exchange.

The core story, which is told in full in the complaint and which these articles are exposing in pieces, is:

  • A “Digital Gold” narrative was promoted,
  • the media, Reddit, and forums were manipulated to influence public opinion and censor opposition,
  • and a parallel layer of sabotage, theft, and laundering against PROHASHING, one of the largest mining pools at the time, which mined Bitcoin Cash and supported a block size increase, financed or supported that outcome.

The “Digital Gold Logs” are a rare kind of evidence: a hidden, time-indexed set of internal markers written by an insider with privileged access, embedded in otherwise mundane payout-accounting data.

Someone inserted the Logs to be found someday so that this story could be revealed and those who hijacked the protocol and sabotaged PROHASHING to do it could be held to account.

Conclusion

The block withholding attacks against PROHASHING would not have been detectable but for the Digital Gold Logs, which is why the attacks were not discovered until December 7, 2025. The Digital Gold Logs cracked open the entire scheme, and the timing correlations suggest that Silbert's Enterprise was involved all along.

The Digital Gold Logs are provided in the complaint as Exhibit Q. We'll be posting a call to arms to help identify any further messages soon, but those who are technically inclined and want to get started on their own can try doing so right now.

