How to launder Bitcoins?
Updated: Sep 2, 2020
Who needs Privacy?
A citizen might want to keep her transactions hidden from, say, an authoritarian government, or a smuggler might want to keep her transactions hidden from Interpol. The right to privacy can sometimes be misused, but a few bad apples should not take away our right to privacy.
Do Bitcoins provide Privacy?
Not exactly! They are pseudonymous. Anyone can see the bitcoin address that receives and sends coins, but the address does not disclose the real-world identity of the person who controls it. The Bitcoin protocol does not ask for information like name, address, country of residence etc. However, every time one transfers funds, one leaves a digital fingerprint. By observing the behaviour of the address holder, forensic investigators can associate the address with a person. Further, while the real-world identity of the holder may be complicated to find (requiring the use of sophisticated surveillance techniques), the journey of any coin can be easily followed. By design, all past bitcoin transactions are open to inspection. Therefore, if a coin gets highlighted by either the blockchain community or law enforcers for any reason (illegal exchange, association with politically connected persons etc.), then that coin can be labelled “bad” and any addresses containing traces of those coins can be blacklisted. This would mean that people would refuse to accept payment with the tainted coins.
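The tracing and blacklisting described above can be sketched as follows. This is an added example, not code from the original article: the ledger, addresses and amounts are constructed, fees are ignored, and the proportional ("haircut") split of taint across a transaction's outputs is one common modelling assumption rather than a rule of the Bitcoin protocol.

```python
from fractions import Fraction

# Constructed sample ledger (not real transactions). Inputs reference earlier
# outputs as (txid, output_index); outputs are (address, amount in satoshis).
LEDGER = [
    {"txid": "t1", "inputs": [], "outputs": [("addr_flagged", 1_000_000)]},
    {"txid": "t2", "inputs": [], "outputs": [("addr_clean", 3_000_000)]},
    {"txid": "t3", "inputs": [("t1", 0), ("t2", 0)],
     "outputs": [("addr_merchant", 2_000_000), ("addr_change", 2_000_000)]},
    {"txid": "t4", "inputs": [("t3", 0)],
     "outputs": [("addr_exchange", 2_000_000)]},
    {"txid": "t5", "inputs": [], "outputs": [("addr_unrelated", 500_000)]},
]

def trace_taint(ledger, flagged):
    """Map each address holding any trace of flagged coins to its tainted share."""
    out_taint = {}  # (txid, index) -> (value, tainted fraction of that output)
    received = {}   # address -> [total received, tainted amount received]
    for tx in ledger:  # ledger is assumed to be in chronological order
        spent = [out_taint[ref] for ref in tx["inputs"]]
        total_in = sum(value for value, _ in spent)
        tainted_in = sum(value * frac for value, frac in spent)
        # Haircut assumption: every output inherits the inputs' taint ratio.
        tx_frac = Fraction(tainted_in) / total_in if total_in else Fraction(0)
        for index, (addr, value) in enumerate(tx["outputs"]):
            frac = Fraction(1) if addr in flagged else tx_frac
            out_taint[(tx["txid"], index)] = (value, frac)
            totals = received.setdefault(addr, [0, Fraction(0)])
            totals[0] += value
            totals[1] += value * frac
    return {a: t / v for a, (v, t) in received.items() if t > 0}

def blacklist(ledger, flagged):
    """Strict policy from the text: any trace of a flagged coin lists the address."""
    return sorted(trace_taint(ledger, flagged))

if __name__ == "__main__":
    for addr, share in trace_taint(LEDGER, {"addr_flagged"}).items():
        print(f"{addr}: {float(share):.0%} tainted")
```

In the sample, the coins leaving `addr_flagged` are merged with clean coins in `t3`, so every downstream output, including the one that later reaches `addr_exchange`, carries a quarter of the taint and lands on the blacklist.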
Any recent cases where someone wanted to hide their identity and law enforcement went after them?
Recently, in the famous Twitter hack, hackers gained control of 130 high-profile Twitter accounts (including Joe Biden, Bill Gates, Barack Obama and Elon Musk) and used 45 of those accounts to ask unsuspecting followers to send bitcoin to a particular bitcoin address controlled by the hackers. The tweets said that “They (say Bill Gates) want to give back to the community. If you send x bitcoin to his wallet address then he will send back 2x bitcoin to the sending address”.
I know what you’re thinking. Do people still fall for such scams? Roughly 12 bitcoins worth US$123,000 were sent from roughly 400 addresses. Coinbase (a crypto exchange) claims that it quickly blacklisted the address and stopped at least 1,000 transactions totalling over $280,000 from going through. So yes, people do still fall for this. Anyway, cashing out the stolen bitcoin was not going to be easy for the hackers. Investigators could immediately look at the past activity of the bitcoin address. Samourai Wallet found that the address had previously been used on BitMEX. Elliptic reported that the addresses used were part of a wallet that had received $65,000 in the previous 3 months. Law enforcement can subpoena information, including IP addresses. It is also possible to track where the coins are moving. All this meant that the hackers weren’t able to simply spend the stolen coins.
So how does one maintain anonymity and use the coins?
One solution is to use Coin Mixers. Coin Mixers are third parties that take your coins and return coins that have no link to the ones you sent. The problem with Coin Mixers is that you lose ownership of the coins when you pass them to the Mixer. You need to trust that the Mixer will not run away with your coins. Further, if the Mixer does return coins to you, you can’t be sure that the coins you have received are not tainted in some way.
CoinJoin is a superior technology for mixing as it does not require one to lose custody of funds. In CoinJoin, the inputs and outputs of several transactions are combined into one transaction, i.e., you jumble the inputs and redistribute the outputs. For example, if Alice sells to Bob, Carol sells to Dennis and Fiona sells to Gabriel, then these 3 separate transactions are combined into one transaction where Alice, Carol and Fiona receive coins from Bob, Dennis and Gabriel. This way a forensic investigator can’t know who sent coins to whom. The largest-ever CoinJoin transaction was executed in mid-2019 when Wasabi Wallet brought together 100 people to execute a CoinJoin transaction.
CoinJoin transactions are clearly controversial
Going back to the Twitter hackers mentioned above, 2.89 BTC was transferred to a Wasabi Wallet 2 days after the attack. Further funds have been split into smaller amounts and passed through mixing services (ChipMixer, Wasabi Wallet) or cashed out at exchanges, merchants and gambling services.
Governments don’t like them as it makes it difficult for them to track financial flows. In December 2019, Binance froze the account of a user called Catxolotl because of his use of CoinJoin through a Wasabi Wallet. Governments are enforcing Know Your Customer (KYC) and Anti-Money Laundering (AML) controls with which centralised exchanges must comply. In this case, Binance was trying to comply with policies of the Monetary Authority of Singapore (MAS).
zkSNACKs (the firm that makes Wasabi Wallet) has said that while it is sad that dishonest people are using their product, for every 1 person who uses the wallet for malevolent purposes, there are another 100 using it for the right reasons. Wanting privacy isn’t necessarily a sign of guilt. CoinJoin protects users from being spied upon by governments, extortionists, stalkers and competitors.
References:
Twitter Hacker Is Mixing Bitcoin Loot Using a Wasabi Wallet - https://www.coindesk.com/twitter-hacker-is-mixing-bitcoin-loot-using-a-wasabi-wallet-elliptic-says
Binance Returns Frozen BTC After User ‘Promises’ Not to Use CoinJoin - https://cointelegraph.com/news/binance-returns-frozen-btc-after-user-promises-not-to-use-coinjoin
Elliptic Identifies Likely Use Of Wasabi Wallet Service To Launder Twitter Hack Bitcoins - https://www.elliptic.co/our-thinking/elliptic-identifies-likely-use-of-wasabi-wallet-service-to-launder-twitterhack-bitcoins