The Captured Chain: The Cypherpunk Response to Bitcoin's Worst Case

June 29, 2026

The standing defense of Bitcoin can be overwhelmed. This builds the worst-case antagonist out of parts that already exist, a coalition that captures the developers, the coins, the miners, and the law at once, and then walks the escalation ladder cypherpunks would actually climb to answer it: forking the codebase, splitting the chain, and letting the economic majority assign the name.

The worst case begins with a custodian, not a hacker

Roughly four-fifths of the Bitcoin held inside United States spot exchange-traded products sits with a single custodian, in a single jurisdiction. One company holds the keys to the largest concentrated pool of Bitcoin ever assembled, on behalf of funds that together own something on the order of a million coins, and a single public treasury company holds close to another three percent of the entire supply on top of that. None of those coins runs a validating node. None of them rejects a block. They sit as balances on ledgers that someone else controls, and they grow every quarter, because the people who own the claims have decided that the yield and the convenience are worth more than the keys.

This is the raw material of the worst case, and it is worth taking the worst case seriously rather than waving it away with the standing defenses. Those defenses, the separation of powers, the reproducible builds, the diffuse funding, the nodes that refuse to upgrade, are real and they have won before. They can also be overwhelmed. An attacker with enough money and enough patience does not have to beat all of them at once. He has to erode them faster than the people defending them notice. To plan a defense against that, you first have to build the attacker out of parts that already exist, and then ask what is left when the early lines have fallen.

Build the adversary out of parts that already exist

The antagonist is not a villain in a chair. It is a coalition, and every piece of it is sitting in plain view today. Start with money that does not run out, a sovereign treasury or a central bank or the largest asset managers acting in concert, because the entity that wants to capture Bitcoin is the entity whose monopoly Bitcoin threatens. Give it the four levers it would actually pull.

The first lever is the developers. Not bribery in a parking garage, but the slow social capture Jeff Booth described, befriending the maintainers, funding the work, sympathizing with how hard the job is under constant attack, and over years nudging the default implementation toward changes that sound like maintenance and quietly relax a property that mattered. The second lever is the coins, already half-pulled. A controlling share of liquid supply migrates into custodians and funds, and because around eighty percent of the exchange-traded coins sit with one custodian, the attacker does not even need to seize them. It needs to lean on the company that already holds them. The third lever is the miners. Two pools have crossed half the network's hash power together more than once in recent years, and they sit in the two rival jurisdictions a state-level attacker would lean on first. The fourth lever is the law: a modern Executive Order 6102 that does not confiscate keys it cannot reach, but mandates identity at the custody layer, freezes coins that will not comply, and declares the dissenting software's chain the illegal one.

The goal is not to kill Bitcoin. The attacker knows there is no throat to choke. The goal is to capture it, to leave the ticker and the price and the brand intact while hollowing out the properties underneath, until the thing called Bitcoin is a surveilled, permissioned, inflation-compatible settlement rail that happens to keep the old name. That is the worst case. It is not death. It is a forgery wearing the corpse's clothes.

The capture ships as a compatibility upgrade

The attack does not arrive as a fifty-one percent assault, because a hash majority is useless for this. It arrives as a patch. A reasonable-sounding change lands in the dominant client, justified by efficiency or institutional compatibility or regulatory clarity, and the default-update population runs it because they always run the default. The 2025 fight over a relay parameter most people had never heard of was a small, live rehearsal of exactly this dynamic, and the covert ASICBoost episode of 2017 was another, the moment the network learned that miner hardware economics could quietly drive a governance fight from underneath. Greg Maxwell's disclosure that April, that a major manufacturer's chips contained an undocumented optimization worth a claimed twenty to thirty percent of energy cost, and that the optimization was incompatible with the upgrade the miners were stalling, showed that the motive to shape Bitcoin's rules can hide inside the silicon. The lesson is that the attacker rarely announces himself. He ships.

The first counter is the cheapest and the most underrated. Do not run the patch. Run a different implementation, or run the old one, and keep validating. This is what the node population did in 2025 when a derivative client that kept the strict defaults went from a fraction of a percent of reachable nodes at the start of 2024 to past a fifth of them at the peak. No permission was required. The vote that matters in Bitcoin is not cast on a forum. It is cast by choosing which software enforces your copy of the rules, and a change that the economically relevant nodes decline to run is not a change to Bitcoin. It is a proposal that failed.

The repository is not the protocol

Suppose the early line fails. Suppose a malicious change is merged, signed, and shipped, and the maintainers who would have blocked it have been replaced or worn down. This is the scenario the attacker is paying for, and it is also the scenario the architecture was built to survive, because the repository was never the protocol.

Every clone of the source code is a complete copy of its history and its signed tags. Compromising the hosting account destroys nothing; any clone reconstitutes the whole project. The recovery is mechanical. Take the last commit whose cryptographic signatures verify cleanly (signed merge commits have been checkable by any developer since 2015), host it on new infrastructure, have independent builders reproduce the binaries, and re-establish a signing key set. Reproducible builds make the captured binary detectable, because an honest reproduction from the clean source produces a different hash than the tampered release, and there is no auto-update mechanism through which anyone can push code a node operator did not choose to run. Jameson Lopp's account of who controls Bitcoin Core lands on the only defensible conclusion: no one does, and the GitHub repository is a focal point of convenience rather than a point of command. Forking the code is trivial. The hard part, as Lopp puts it, is shifting the focal point, convincing the people who matter that their time and their machines belong on the clean fork. That is a social problem, not a technical one, which is why the attacker fights on the social layer and why the defense has to win there too.
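The hash comparison that makes a captured binary detectable can be sketched as follows. This is an added example, not code from the original post or from any Bitcoin project; the file name, builder names and artifact bytes are constructed, and each builder's checksum file is assumed to have had its signature verified beforehand.

```python
import hashlib
from collections import Counter


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, name = parts
            sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def check_release(artifact: bytes, name: str, attestations: dict, quorum: int) -> str:
    """Compare a downloaded artifact with digests from independent builders.

    attestations maps builder name -> checksum text (one vote per builder).
    Returns "match", "tampered" (builders agree with each other but not with
    the download) or "no-quorum" (too few builders agree on any one digest).
    """
    votes = Counter()
    for text in attestations.values():
        digest = parse_sums(text).get(name)
        if digest:
            votes[digest] += 1
    if not votes:
        return "no-quorum"
    digest, count = votes.most_common(1)[0]
    if count < quorum:
        return "no-quorum"
    return "match" if hashlib.sha256(artifact).hexdigest() == digest else "tampered"


# Constructed sample data: three builders reproduced the same clean source.
NAME = "node-x86_64.tar.gz"  # hypothetical artifact name
CLEAN = b"constructed bytes standing in for the binary built from the clean tag"
SHIPPED = CLEAN + b" plus a change nobody reviewed"
LINE = f"{hashlib.sha256(CLEAN).hexdigest()}  {NAME}\n"
ATTESTATIONS = {"builder-a": LINE, "builder-b": LINE, "builder-c": LINE}

if __name__ == "__main__":
    print(check_release(CLEAN, NAME, ATTESTATIONS, quorum=2))
    print(check_release(SHIPPED, NAME, ATTESTATIONS, quorum=2))
```

A "no-quorum" result means the build is not reproducing and proves nothing about tampering either way.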

The precedent that this is survivable is not theoretical. When the Bitcoin Foundation collapsed financially in 2014 and 2015 amid the Mt. Gox failure, the funding home of the lead developers simply moved to MIT's Digital Currency Initiative without anyone forking the protocol. When the longest-serving lead maintainer relinquished his commit access and his release-signing key in 2023, he named no successor, on purpose, so that authority would diffuse rather than transfer. A system that planned for the departure of its most trusted person has already priced in his capture.

The economic majority assigns the name

When a fork becomes contentious enough that two chains exist, one question decides everything: which one is Bitcoin? The answer is not chosen by developers and not chosen by miners. It is chosen by the economic majority, the exchanges, custodians, wallets, and the holders they represent, who must all converge on a single answer because the entire point of money is that everyone agrees what it is. The historical record on this is unambiguous and worth holding onto, because it is the empirical core of the entire defense.

In July 2016, Ethereum split after the DAO hack. The chain backed by the foundation, the developers, and the exchanges kept the name and the ticker; the unaltered original chain became Ethereum Classic, listed by Poloniex within days at a minority price it never escaped. The social layer, not the code, decided which chain was the real one, and the minority chain survived as a permanent reminder rather than a winner. In August 2017, Bitcoin Cash forked away over block size, and despite the New York Agreement marshaling north of eighty percent of hash power behind the rival roadmap, every major exchange kept the Bitcoin ticker on the original chain, and the Bitcoin Cash to Bitcoin ratio decayed structurally from its early peak to roughly three-thousandths of a coin today. In November 2018, Bitcoin Cash split again into a hash war, two camps pointing mining power at each other and threatening to reorganize the loser into oblivion. The side with the early hash-power edge lost anyway, because exchanges had pre-announced which chain would keep the ticker and listed the other separately, and months later a coordinated delisting across Binance, Kraken, and others finished the minority coin off. Hash power did not pick the winner. The market did.

Two technical choices make this survivable rather than chaotic, and a defending fork must ship both. Replay protection, done forcibly the way Bitcoin Cash did it with a new signature-hashing scheme, ensures a transaction signed on one chain cannot be replayed on the other, which lets holders deliberately sort their coins onto the chain they endorse instead of having momentum decide for them. Wipeout protection ensures the majority chain cannot later reorganize and erase the minority chain, which is what lets a deliberate split become permanent. Ethereum in 2016 shipped neither at first, and exchanges were drained by replayed withdrawals as a result. The defense learned that lesson on someone else's chain.
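A simplified model of replay protection, added here and not taken from the original post or from Bitcoin Cash: the signed digest commits to a per-chain tag, so a signature made for one chain fails on the other, while two chains with no tag accept the same bytes. HMAC-SHA256 stands in for ECDSA, and the tags, key and transaction bytes are constructed.

```python
import hashlib
import hmac


def sighash(tx: bytes, chain_tag: bytes) -> bytes:
    """Digest covered by the signature: a length-prefixed chain tag, then the tx.

    An empty tag models a chain that ships no replay protection.
    """
    preimage = bytes([len(chain_tag)]) + chain_tag + tx
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()


def sign(key: bytes, tx: bytes, chain_tag: bytes) -> bytes:
    # Stand-in for ECDSA: a keyed MAC over the digest. Real signatures verify
    # with a public key; the point here is only what the digest commits to.
    return hmac.new(key, sighash(tx, chain_tag), hashlib.sha256).digest()


def accepts(chain_tag: bytes, key: bytes, tx: bytes, sig: bytes) -> bool:
    """A chain accepts the tx only if the signature covers its own digest."""
    return hmac.compare_digest(sig, sign(key, tx, chain_tag))


def replay_outcome(tag_a: bytes, tag_b: bytes) -> tuple:
    """Sign one withdrawal for chain A, then submit the same bytes to A and B."""
    key = b"constructed-demo-key"
    tx = b"constructed tx: pay 1 coin from exchange to customer"
    sig = sign(key, tx, tag_a)
    return accepts(tag_a, key, tx, sig), accepts(tag_b, key, tx, sig)


if __name__ == "__main__":
    # No protection on either side: the withdrawal is valid on both chains.
    print(replay_outcome(b"", b""))
    # The fork changes its digest: the original-chain signature fails there.
    print(replay_outcome(b"", b"fork"))
    # And a signature made for the fork fails on the original chain.
    print(replay_outcome(b"fork", b""))
```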

A hash majority orders blocks, it does not write the rules

The miners are the loudest lever and the weakest one, because of a distinction the attacker cannot escape. Hash power decides the order of valid blocks. It does not decide what counts as valid. A coalition holding the entire network's hash power can censor transactions, reorder them, orphan competing blocks, and double-spend its own coins by reorganizing recent history. It cannot mint a single coin beyond the schedule, cannot lift the twenty-one-million cap, cannot forge a signature it lacks the key for, and cannot make a node accept an invalid block no matter how much work sits behind it. Every real-world fifty-one percent attack, against Bitcoin Gold, against Ethereum Classic, has been a double-spend of the attacker's own coins, never a change to the rulebook, because non-mining full nodes enforce the invariants and discard anything that violates them. Satoshi's own argument was that a majority attacker profits more by playing honestly than by destroying the value of the wealth and the hardware he just spent billions to acquire.
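The distinction can be made concrete with a simplified node model (an added example, not code from the original post or from Bitcoin Core): validity is checked first, and cumulative work is compared only among chains that pass. The `Block` fields and the sample chains are constructed; the issuance rule is the 50-coin subsidy that halves every 210,000 blocks.

```python
from dataclasses import dataclass

COIN = 100_000_000            # satoshis per coin
HALVING_INTERVAL = 210_000    # blocks between subsidy halvings


def block_subsidy(height: int) -> int:
    """Largest amount of new satoshis a block at this height may create."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else (50 * COIN) >> halvings


def total_supply() -> int:
    """Sum of the subsidy over all heights; stays below 21 million coins."""
    return sum(HALVING_INTERVAL * ((50 * COIN) >> h) for h in range(64))


@dataclass(frozen=True)
class Block:              # constructed model, not the wire format
    height: int
    minted: int           # new satoshis claimed by the block (fees ignored)
    work: int             # proof-of-work contributed by this block


def chain_is_valid(chain) -> bool:
    """Check the issuance rule on every block; work is never consulted here."""
    return all(b.minted <= block_subsidy(b.height) for b in chain)


def best_chain(candidates):
    """Most cumulative work wins, but only among chains that validate."""
    valid = [c for c in candidates if chain_is_valid(c)]
    return max(valid, key=lambda c: sum(b.work for b in c), default=None)


# Constructed chains: three heights each, differing in work and issuance.
HONEST = [Block(h, 50 * COIN, work=1) for h in range(3)]
REORG = [Block(h, 50 * COIN, work=100) for h in range(3)]      # valid, heavier
INFLATING = HONEST[:2] + [Block(2, 51 * COIN, work=10_000)]    # heavier, invalid

if __name__ == "__main__":
    print(best_chain([HONEST, REORG]) is REORG)        # a majority can reorder
    print(best_chain([HONEST, INFLATING]) is HONEST)   # but cannot inflate
    print(total_supply() / COIN)
```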

If a hostile majority does persist in attacking, there is a final lever, and it should be described plainly because that description is also its critique. The community can change the proof-of-work algorithm, bricking every existing mining machine at once and erasing the attacker's hash advantage overnight. There is no formal proposal for this and never has been; it lives as a deterrent invoked mainly by Luke Dashjr, who put it plainly in 2023: you cannot fire a single miner, but if a majority are attacking, you can fire them all at once by changing the algorithm and making their hardware useless. The trouble is that the cure is close to the disease. It bricks the honest miners too, resets the network's security to nearly zero while new hardware is built, and all but guarantees its own contentious split. It is the option whose entire value lies in never having to be used, the threat that keeps the mercenaries rational. It belongs in the arsenal precisely because it is too terrible to reach for casually.

There are exactly two cases where the defense itself must touch the rulebook, and both are dangerous for the same reason. The proof-of-work swap is one. The eventual migration to post-quantum signatures, which would force coordinated change on a quarter of the supply sitting in exposed or reused keys, is the other. The power to make a necessary change is the same power an attacker wants, which is why both fights are maximally contentious and why neither can be settled by decree. They can only be settled the way everything in Bitcoin is settled, by the economic majority adopting software it has independently chosen to trust.

The defense reduces to one person who verifies and refuses

Strip away the forks and the hash wars and the contingencies, and the entire architecture rests on a unit so small it is easy to miss. One person, running one node, verifying their own rules and rejecting everything that violates them. Nick Szabo's framing is that Bitcoin spends enormous resources to buy something more valuable than efficiency: social scalability, the ability to coordinate across a vast number of mutually distrusting strangers by minimizing how much anyone has to trust anyone else. The mechanism of that trust minimization is local verification. Each node checks every rule for itself and trusts no other node's verdict, and the sum of all those independent refusals is the rulebook, enforced by no one in particular and therefore capturable by no one in particular.

Hasu and Su Zhu called the result Bitcoin's social contract, and its terms are the properties the attacker is trying to hollow out: only the owner of a coin can spend it, there will only ever be twenty-one million, anyone can transact without permission, and every user can verify the rules. The software only automates that contract. The contract itself lives on the social layer, which is also where its value lives, because a number in a ledger is worth nothing except as a shared agreement among people who will defend it. This is the part that cannot be outsourced. The coins in custody have delegated their refusal to someone else. The coins held by people who run their own nodes have not. When the worst case arrives, the size and the conviction of that second group is the whole ballgame, and it has to be built before the crisis, by people who would rather have the yield, because it cannot be assembled in the week the patch ships.

The worst case is a spinoff, not a funeral

Here is the outcome the defense has to reckon with. In the genuine worst case, the attacker may win the things that are easiest to capture. He may keep the ticker, the price quoted on the screens, the brand, the institutional plumbing, and the great migrated pile of custodied coins. The captured chain becomes what it was always meant to become, a compliant settlement layer indistinguishable in spirit from the system it was supposed to replace, surveilled and permissioned and quietly inflatable through the claims layered on top of it. That is a real defeat on every axis the legacy world measures.

It is not the end of Bitcoin, because Bitcoin was never the ticker. The clean fork continues, carrying the properties intact, priced at first by a minority that the screens will call irrelevant and the captured chain will call illegal. The difference between this minority chain and Ethereum Classic is the only difference that matters: the cypherpunk chain is the one holding the actual proposition, the fixed supply and the censorship resistance and the keys that no order can reach, and those properties are the entire reason the asset was ever worth anything. A surveilled chain with Bitcoin's name is just a slower dollar. A fixed-supply, permissionless chain with a smaller market is the thing itself. Markets re-price truth slowly and then all at once, and the holdouts who validated their own coins through the capture will be holding the version with something left to re-price.

The plan, in the end, is not heroic and not centralized. It is a fork of the code that anyone can make, a split of the chain that the economic majority adjudicates, a deterrent against the miners that works by never firing, and underneath all of it a population of people who hold their own keys and run their own nodes and will not accept a block that breaks the rules, no matter who signs it. Booth is right that the attack will be patient, social, and richly funded, and right that most people will hand over their agency for a story and a yield. The answer was never that the attack would fail. The answer is that there will always be a chain for the people who refused, and that refusing, in the end, is the only act the system was ever built to protect.