PYMNTS Crypto Crime Series: When Privacy Counts, Crypto Users Turn to Mixing Services

Welcome to PYMNTS’ new series on crypto crime. In it, we’ll be taking a look at the crimes that have not only been committed in the cryptocurrency industry but have defined it — especially Bitcoin — in many people’s minds.

We’ll give you a look at the realities and the myths, the methods and tools and the ways authorities and private securities are starting to break through the mythical anonymity that many criminals — and honest people — believe shields their transactions.

Along the way, we’ll tell you some great stories to illustrate. Some will be funny, some will be whimsical, some will be sad and a few will be horrifying. A whole lot of them will be hard to believe. But they’ll all be true — or at least what Watergate journalist Bob Woodward called “the best obtainable version of the truth.”

See also: PYMNTS Crypto Crime Series: The $612 Million Heist That Wasn’t

See also: PYMNTS Crypto Crime Series: In India Hacking Case, Bitcoin Trail Leads to Hamas

When hackers robbed the exchange Crypto.com on Jan. 17, they made off with almost $33.8 million in ether, bitcoin, and U.S. currency.

Then they went to Tornado.cash, which calls itself a “fully decentralized protocol for private transactions on Ethereum.”

What everyone else calls it is a mixing service or tumbler.

And depending on your outlook, mixing services, also known as anonymizers, are a vital way to preserve privacy or a tool used for little more than evading taxes and laundering money.

Most work in roughly the same way: Take all the crypto all clients send in, swirl it around, and send it out to users separately. That way, the blockchain loses the connection from one transaction to the next, effectively anonymizing the digital asset.

That’s what happened to at least half of the first $15 million of Crypto.com’s funds, according to crypto security firm Peckshield, which tweeted out the transaction data — the half going to Tornado.cash at any rate.

Why Bother?

In Crypto.com’s hack, the first goal was to lock down the site, halting withdrawals to stop further losses. The second was to figure out what happened and make upgrades to prevent it from happening again. The third was to communicate with customers.

After that, and in some cases right after step one, is to try and stop the funds from being spent. Seizing and returning them would be preferable — the FBI managed that with $2.3 million of the $5 million paid to reopen the Colonial Pipeline after the ransomware attack last May — but if that isn’t possible many exchanges can freeze the funds. It may be cold comfort, but at least the thieves don’t prosper.

The way cryptocurrencies work is that each one has two codes: A public one that is on most blockchains, including Bitcoin and Ethereum, viewable by anyone, so every transaction is traceable from one to the next — essentially following each link on the chain. But there are no names attached, only wallet addresses where the cryptocurrency was sent.

Without private key codes created anew after each transaction, there’s no way to transfer a cryptocurrency. It is, in the lingo, burned. By the same token, a lost password means a lost crypto coin, even if it’s still in your digital wallet.

This is why cryptocurrency is rightly called pseudonymous, not anonymous. Keep in mind, while tracking a bitcoin along the blockchain won’t help, at some point, that BTC has to be changed into USD and “off-ramped” to make it spendable. That’s what investigators are looking for — even if it’s a connection to a connection to a connection to an old wallet to which you once sent crypto to your bank account.

Mix it Up

There are a number of refinements in the bid to remain anonymous. One of the simplest is to wait before removing your cryptocurrency, as an immediate deposit and withdrawal is fairly easy to spot even if you can’t be certain it is the same cryptocurrency.

Another is to break up the amounts withdrawn. If a blockchain intelligence service — and increasingly, law enforcement specialists from agencies including the FBI, DEA, DHS and especially the IRS Criminal Investigations division — spot 23 bitcoin sent to a mixer and 23 bitcoin withdrawn, it doesn’t take a genius to figure out that it’s probably the same transaction they are tracing.

There’s a much bigger refinement than that — privacy coins such as Monero and Zcash being the most prominent — that claim to offer the same sort of privacy.

Privacy coins have had mixed success. In 2020, researchers claimed that most Zcash transactions were tracible because the coin’s privacy feature — essentially on-chain mixing — could be turned on or off. And almost nobody was turning them on, leaving the pool of shared funds used for mixing too small. Later that year, Zcash announced a new tool, which allowed users to burn coins and redeem new ones — severing the transaction links even more effectively.

On the other hand, the IRS handed out $1.25 million in contracts to crypto researchers in late 2020 to try and break Monero’s secrecy. Among its techniques: single-use “stealth addresses,” grouping genuine transactions with decoys, and hiding the amount of transactions. Its coins are private by default unless that is turned off, unlike Zcash.

Last November, an article in Slate called Monero the “Bitcoin competitor beloved by the Alt-Right and criminals.”

Still, it’s worth noting that plenty of people prefer to have their transactions remain private for perfectly valid reasons — all the same ones that are used when complaining about Amazon or Facebook harvesting your private data.

If you’re wondering how big a market this can be, consider this: Monero has a market capitalization of $2.6 billion, making it the No. 44 cryptocurrency. In the 24 hours proceeding this writing, the transaction volume was $208 million.

Transaction or Transmission?

If you’re asking yourself, how does a mixing service not qualify as a money transmitter and required, among other things, to collect know-your-customer (KYC) data for anti-money-laundering (AML) and countering the financing of terrorism (CFT) regulatory compliance? There’s a simple answer: It does.

As Larry Harmon of Akron, Ohio, found out the hard way on Feb. 3, 2020, when he was arrested and charged in Washington, D.C., federal court with “money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a D.C. license.”

Specifically, the Department of Justice (DoJ) said he operated the Helix and Coin Ninjamixing service directly targeting the AlphaBay darknet market and specifically advertised the services as being able to prevent law enforcement tracking of transactions.

On Oct. 19, the Financial Crimes Enforcement Network (FinCEN) announced that Harmon had been fined $60 million for operating an unlicensed money services business (MSB) under the Bank Secrecy Act (BSA) — the first bitcoin mixer penalized by the agency for violating AML laws.

This included working with drug dealers, arms traffickers and child pornographers, FinCEN said.

In another example, on Apr. 28, 2021, the DoJ announced that the operator of the Bitcoin Fog mixing service had been arrested at Los Angeles International Airport for allegedly laundering $335 million in bitcoins for darknet operations including illegal narcotics, computer fraud and abuse activities, and identity theft. Operating since 2011, it alleged Roman Sterlingov had gained “notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement.”

So, if you’re going to operate a bitcoin mixing service, maybe don’t change planes at LAX.