That was interesting. At first it reads like it could have been a deep investigation. Then you realize that with the right 3 datasets, it's trivial to reveal this level of attempted obfuscation.
The initial account in the chain belongs to Sterlingov. However, where is the evidence that subsequent accounts belong to him? Maybe he was selling the BTC on Bitcoin-otc or some other random place that existed back in the days, and now he is wrongly linked to the guy.
Edit: sorry, missed the evidence about using the same IP for both the mtgox and LR account. Weird using the chain of transactions and then doing that kind of rookie mistake.
> and included links to a clearnet website for BITCOIN FOG (www.bitcoinfog.com), the Tor onion site (http://foggeddriztrcar2.onion), and a Twitter feed for updates on the site (www.twitter.com/#!/@Bitcoinfog)
This is how many illegal services get decloaked. They have a clearnet domain, but ironically a darknet .onion too which is what they should just have, not a clearnet domain (if what you're doing is illegal or operates in a legal grey area). I am aware it's possible to get a clearnet domain anonymously with services like NJALLA[0], but you have to take extra special care, pay with crypto, do everything over Tor, use XMPP w/OTR etc
To me that process highlighted looks more to do with how to convert fake e-bucks back into real dollars via liberty reserve and less to do with any type of criminal structuring but I'm not an IRS agent trying to hang a case on someone.
What purpose do you see served by opening three Mt. Gox accounts under three different names and sending bitcoin from the first, to the second, to the third before sending it out to Liberty Reserve?
I read it a few times but for me to pretend I understand why this person made three separate transactions to pay an $86 hosting bill speaks more to me of a lack of consistent revenue or source of funds.
Occam’s Razor doesn’t point me to malice. It’s just as easily a kid trading gift cards $20/time until he has the funds. This looks like an idea that starts small, and frankly when it was invented it wasn’t illegal at the moment of creation.
It’s the story laid out in the court case and the changing of regulations and laws that created the crime. Inception of an idea alone doesn’t lead me to believe the intent was malice; privacy, obfuscation, the lack of funds maybe.
Obfuscation can be as simple as protecting privacy.
As an example I can say the first day I stepped foot in a cryptocurrency community was on IRC about 13 years ago. I didn’t realize Freenode showed your hostmask by default and random people had IPwhois’d my netmask, asking about where I work, pulling up the address on street view…
I’ve exclusively used rented servers, bouncers, cloaks, etc. ever since. That’s the community I realized I was dealing with.
What ISPs provide this level of detail to people other than law enforcement? (And I'm pretty sure law enforcement need to follow an actual process too) Is it a US thing? Looking up my IP tells you... A different city, where presumably my ISP owns some infrastructure or office space
I think the most damning evidence would be when the government sent the site operator a message that says "hey this money is illegal and we've obtained it illegally" and the lack of response from the site operator is really what allows them to go after the operator for anti-money laundering evasion. The lack of action or response, but let's be realistic what good legal response could you give. Anyways if you're not doing AML you are basically a terrorist says the government of America.
KYC on the other hand wasn't set in stone until recently whether it was $10,000 or $600 and the Bank Secrecy Act is a bit of a joke at this point if they really want us to KYC/AML every person we transact with in excess of $600 AND report that. Report it to who?
We're all criminals it would seem, but that email where they told him all the money was illegal will basically be the nail in the coffin.
I saw that and initially I thought it was pretty damning too until I noticed there doesn't appear to be any evidence anyone actually read the message they sent prior to the "illegal" transaction taking place.
Relevant text:
Re: United States v. Sterlingov, Case No. 21-cr-399 (RDM)
Dear Judge Moss:
As you know, we represent Ciphertrace, a wholly owned subsidiary of Mastercard International Incorporated (“Mastercard”). Defense counsel engaged Ciphertrace as an expert in the matter of U.S. vs. Sterlingov, 21-cr-399 (RDM). Ciphertrace prepared an expert report (the “Ciphertrace Report”), and a Ciphertrace employee, Ms. Jonelle Still, testified at a Daubert hearing before the Court in August 2023.
It recently came to Mastercard’s attention that, contrary to the wording of the Ciphertrace Report, some of the data relied upon may be unverifiable and unauditable. This issue was unknown to Ms. Still at the time of the Report and appears to be due to data collection practices originating prior to Mastercard’s acquisition of Ciphertrace. It also appears that at least some of the data relied upon in the Ciphertrace Report may have come from other companies, including Chainalysis. Mastercard has advised defense counsel of this matter and writes to bring it directly to the Court’s attention.
As soon as Mastercard counsel learned about the potential data issues, Mastercard launched an expedited, privileged investigation involving internal and outside counsel and an outside forensics team. This investigation is ongoing, but we have learned enough to conclude that parts of the Ciphertrace Report are unreliable.
[Case 1:21-cr-00399-RDM Document 239-1 Filed 02/04/24 Page 3 of 3; February 1, 2024; Page 2]
We regret the unavoidable impact of this issue on the Defense, the Government, and, of course, this Court – especially with the fast approaching trial date. We stand ready to answer the Court’s questions.
Respectfully,
A. Joseph Jay III
for SHEPPARD, MULLIN, RICHTER & HAMPTON LLP
There's a nice website, I've seen on HN before, that has a complete list of crypto scams and their total value. I wonder what the overall percentage of crypto transactions are for scams? 50%? more?
The only reason crypto is allowed is because it literally sucks money out of the real economy thus tamping down inflation.
> I wonder what the overall percentage of crypto transactions are for scams? 50%? more?
Less than 5% according to the companies like Chainalysis who have a vested interest in making crypto seem dangerous so they can hawk their product (analysis tools) to law enforcement.
Money is (almost)* never sucked out of the economy with crypto, real or not because with every transaction, money comes out from the seller’s side. Same goes for real estate, stocks, and commodities.
*Exceptions:
- Broken stablecoin smart contracts or stablecoin wallets with lost private keys.
How can anybody even use BitCoin without mixing? Isn't this an equivalent of giving everybody all over the world permanent read-only access to your bank account?
But isn't that only for people who just speculate in bitcoin? People who use bitcoin to pay for everyday stuff will reveal it... or have we given up pretending people use bitcoin for everyday use?
You still need to do quite a bit of tracing; only the people who actually go digging and have access to internal data records of the KYC endpoints would be able to trace it.
For the uninformed, all transactions post to a separate address, so you'd have to correlate which addresses seem to be used together in various other transactions to tie transactions back to a single "wallet". (Ackchyually that's not entirely true; there are some low level details regarding UTXOs and HD wallets, but in practice you can assume it works like that).
And I don't think anyone (who is worth listening to) is advocating BTC for trivial transactions; it has already solidly cemented its role as a "wire" service for larger transfers.
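The address correlation described in the comment above is usually called the common-input-ownership heuristic. The following is an added example, not part of the original thread, that clusters addresses spent together with a union-find structure. The transactions and address labels are constructed, and the equal-output test for CoinJoin-like transactions is a simplifying assumption.

```python
from collections import defaultdict


class DisjointSet:
    """Union-find over address strings, with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed sample data: address labels are placeholders, values in satoshis.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"],
     "outputs": [("M1", 500_000), ("A9", 70_000)]},
    {"txid": "tx2", "inputs": ["A2", "A3"],
     "outputs": [("M2", 100_000)]},
    {"txid": "tx3", "inputs": ["B1"],
     "outputs": [("A1", 200_000)]},
    # Three unrelated parties funding one transaction with equal outputs.
    {"txid": "tx4", "inputs": ["C1", "D1", "E1"],
     "outputs": [("C2", 100_000), ("D2", 100_000), ("E2", 100_000)]},
]


def looks_like_coinjoin(tx):
    """Crude assumption: >=3 inputs and >=3 outputs that all carry the same value."""
    values = [value for _, value in tx["outputs"]]
    return len(tx["inputs"]) >= 3 and len(values) >= 3 and len(set(values)) == 1


def cluster_addresses(txs, skip_coinjoin=True):
    """Group addresses that were spent as inputs of the same transaction."""
    ds = DisjointSet()
    for tx in txs:
        # Register every address so unlinked ones appear as singletons.
        for addr in tx["inputs"]:
            ds.find(addr)
        for addr, _ in tx["outputs"]:
            ds.find(addr)
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue  # co-spending here does not imply a single owner
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            ds.union(first, other)
    clusters = defaultdict(set)
    for addr in list(ds.parent):
        clusters[ds.find(addr)].add(addr)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))


def cluster_of(addr, txs, skip_coinjoin=True):
    """Return the sorted cluster containing addr, or [] if addr is unseen."""
    for cluster in cluster_addresses(txs, skip_coinjoin):
        if addr in cluster:
            return cluster
    return []


if __name__ == "__main__":
    for cluster in cluster_addresses(SAMPLE_TXS):
        print(cluster)
```

The change output `A9` stays unlinked because this heuristic only looks at inputs, which is the UTXO and HD-wallet detail the comment sets aside.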
> And I don't think anyone (who is worth listening to) is advocating BTC for trivial transactions; it has already solidly cemented its role as a "wire" service for larger transfers.
LTC apparently seems "a better BTC" for trivial transactions. Also Monero which supposedly doesn't even need mixing.
Why do people even care using BTC which needs mixing when there are Monero and ZCash?
> Isn't this an equivalent of giving everybody all over the world permanent read-only access to your bank account?
If you read early Bitcoin literature, you'll discover a number of very clear and vocal warnings against "address re-use".
The protocol was designed so that addies should not ever be used more than once or it would introduce vulnerabilities.
It's indeed kind of like giving everyone permanent read-only access to your bank account.
Except that, if Bitcoin was used as intended, there would only ever be one transaction per account and there would be a new account created for each new transaction, so who cares about the reveal.
It's too bad Satoshi didn't enforce the "one new addie for every new transaction" rule at the code level (I guess the computational burden might have been an additional problem to solve).
I've used bitcoin in the past and never saw the reason for mixing. I don't really care if people track down my purchases. Anonymity is not why I use bitcoin.
2) Money laundering (so I guess the conspiracy succeeded?)
3 & 4) Failing to register a money transfer service
So the important steps are
a) demonstrating the defendant (Sterlingov) is the person running (and I guess profiting?) from the mixer. That's not a crime, just that it's a thing that they have to do, and I guess we're able to successfully show (sounds like some dumb "opsec" mistakes).
b) show that the defendant intended money launderers to use it, and that they did (charges 1&2)
c) show that the defendant did not register the service (charges 3&4)
So I'm going to leave (b) to the end, it's more complicated and IANAL, so let's look at (a) & (c).
Charges 3&4, and C is very simple - it does not matter that it's online, it does not matter that it's crypto, and it does not matter whether or not you care about privacy or laundering. The law requires all money transfer services to be registered, and this service was demonstrably not registered, so it's a very clear cut that whoever operated the mixer was breaking the law. That the prosecutors had to prove Sterlingov was running the service further demonstrates that it was not registered, and given they apparently were able to prove he was running the service I hope we can all see that he is guilty of this crime, even if you may not like the law requiring you to register your service (if you think a law is illegal you would use the courts to prove it is illegal and invalidate the law).
To me it seems plainly obvious, that given they apparently had sufficient evidence to show that Sterlingov was running the service, that he's guilty of not registering it, even if he had actively prevented any laundering using it.
So that leaves the money laundering charges. Once you're transferring money US law has a variety of anti-laundering regulations, and the fact that some, or even most of your users are legitimate isn't a requirement. Afaict they just have to show that you could be reasonably aware you were processing illegal transfers and were not actively trying to prevent those transfers. This applies to banks as well as mixers. A bunch of forum posts by the operator specifically talk about how other "legitimate, visible businesses" would be forced to reveal info about your funds to authorities (directly comparing its secrecy to SilkRoad), posted links about needing a mixer to evade taxes, and how you needed to use a tor based mixer (e.g. theirs) to avoid law enforcement taking down the mixer. It doesn't take a giant leap to see even from what's in the government's statement of facts here that this was being advertised as a service to hide transactions that would otherwise be required to be reported. The government does not need to point to them explicitly saying "hey, use me for your laundering needs".
Note that it does not matter if you think you should not have to report those transactions, the law says that you do, and that a service that facilitates you hiding those transactions is breaking the law. It does not matter if you think some transactions should not be illegal, the law says they are illegal, and that a service that facilitates those transactions is breaking the law. This case is not "bitcoin fog made illegal sales" or "hid its income from the IRS" (though I'd be curious if they did that), it's that they facilitated others doing so in a manner that was illegal.
If you want to run a mixer, it's very clear you will be running a financial transfer entity and need to register it, or you are committing a crime. Again it does not matter if you think it should not be a crime, the law says that it is. If you don't like it, you need a court to rule it's invalid, or you need to get people who agree with you elected.
If you want to run a mixer, it's similarly clear you are not subject to completely new rules (or lack thereof) vs other financial transfer services so you have to try to prevent illegal uses of your service, not just not promoting it for that purpose, but actively preventing such transactions as much as reasonably possible, including identity verification, just as required by any other financial service.
Zero evidence? Can I skip the hour+ video and someone just explain here how the evidence didn't make it into court (I'm most curious about the Mt. Gox and Liberty Reserve accounts records)? Was it not even submitted, thrown out, what?
I don't really want to waste my time if it's just a crypto youtuber Surprise Pikachu facing that circumstantial evidence doesn't follow the same rules as the "I'm not touching you" game.
Thanks for the video though. It's over an hour, but I'll watch it.
Edit: So you're asserting that there's zero evidence by taking his own defence lawyers at their word? Saying their client is innocent is literally their jobs.
And they do acknowledge evidence (so not nothing) but they (his lawyers) are unconvinced.
This defence sounds more baseless than the Free Kevin campaign, where once all the dust settled and he could write a book about it, yeah he did do most of that shit.
None of what Bitcoin Fog did appears to be money laundering according to the definition on that page, since it requires an "intent to promote the carrying on of specified unlawful activity".
The people using Bitcoin Fog might be engaged in money laundering if they were using it for something otherwise illegal, but I don't see how you could argue the service itself was unless they somehow knew the purpose behind every transaction occurring on their platform.
The indictment claims that Bitcoin Fog engaged in money laundering because they knowingly processed transactions that:
"knowingly conduct ... financial transactions ... involving property represented to be the proceeds of specified unlawful activity, ..., knowing and intending the the transaction was disguised in whole and in part to conceal and disguise the nature, location, source, ownership, and control of property believed to be the proceeds of specified unlawful activity, and intended to promote the carrying on of the specified unlawful activity."
> I don't see how you could argue the service itself was unless they somehow knew the purpose behind every transaction occurring on their platform.
The indictment states that the US government did an undercover operation in 2019 in which Bitcoin Fog was told that a transaction was from illegal activities and Bitcoin Fog accepted it anyways. If the person sending you Bitcoin says "I did a crime to get this", it is hard to claim you didn't know it was from criminal activity.
Please note that in that case with undercover transactions, there is no evidence that the message sent by an agent was read by the administrator, because the agent didn't receive any reply. It is possible that the mixer was fully automated and performed the exchange before the administrator had a chance to read the message and stop the transaction.
This was the first thing I thought of. Why the heck would the admins read random notes sent by users? Obviously there is the potential for abuse for this kind of service, so from a liability perspective you'd be better off deliberately ignoring all messages.
Or rather, even if the admins were knowingly facilitating crime, from a liability perspective they would be better off reporting/rejecting any users that say they're committing a crime and only do business with criminals smart enough to wink wink nudge nudge.
I can only think of two scenarios where someone would tell a mixer the money is dirty:
1. They are law enforcement
2. They have already been caught by law enforcement and are being used as bait, either knowingly or not
Or, and this is the most likely in my opinion, but it is just a guess. The undercover said they had a lot of illegally sourced coins to mix, asked the Mixer admin to help them mix such a large amount and offered them an additional reward in exchange. That said, we should not jump to any conclusions until evidence is presented. The government could be fronting a strong case in the indictment and then it turns out to be much weaker when presented.
Using a bitcoin mixer is money laundering in the same sense that turning off the public feed on Venmo is money laundering.
Yes, it potentially makes it harder for the authorities to track your activity, but it's also the only way to stop any random person in the entire world from seeing your transaction. Privacy is not inherently money laundering.
I agree that privacy is not inherently money laundering deep in my bones. I spent three years of my life attempting to improve Bitcoin mixers.
The issue is that if you run a mixer and someone says "please launder my drug money" you reject that person's coins unless you like Federal prison. It is like if you run a gun store and someone comes in and asks for a gun "to rob a bank", that person is a Federal agent and if you sell them a gun an indictment is forthcoming.
People are doing life sentences for giving their friend a ride when their "friend" decided to hold up a liquor store.
So hypothetically, if they ask you with a checkbox whether your funds are legitimate, and only process transactions that say they are, would that absolve them of liability?
I can't imagine anybody reads private messages on such a service or could be expected to, with any significant volume.
When the transactions come from marketplaces specialised in selling illegal substances you need implausibly suspended disbelief to think your obfuscation service is only used for benign purposes.
Then consider that most of the transactions processed by the fog came from places like silk road.
How would Bitcoin Fog know the transactions were coming from those marketplaces? Bitcoin addresses are just strings of random numbers. Maybe if they were performing a careful inspection of the source and destination of each transaction they could have discovered something that would have obligated them to act to block those addresses, but the whole point of a privacy service is that you don't do that kind of careful analysis of your customer's private data.
The law doesn't require you to know affirmatively that the service is only used for benign purposes. Just about every public service in existence probably gets used to support illegal activity at some point or another. You just can't be knowingly assisting with a crime.
I wonder if the same people would argue like this if it was about VPNs - should they be liable and forced to keep logs? Or is this another example of HN's strong anti-crypto bias?
VPN providers aren’t financial institutions so they don’t have to worry about these laws. This will be very interesting legally as more states add things like age verification laws if those are worded to prevent VPNs from being used to circumvent them.
But you can use the same argument for if you take a bag of cash from a local drug dealer with instructions to obfuscate the source of the money and return them to him. How would you know it isn't legit money?
Not a lawyer, but as far as I know it's only criminal if you know or at least have a strong reason to believe you're participating in a money laundering scheme. That wouldn't apply to a privacy service that has legitimate uses, particularly an automated one where there's no opportunity to use common sense to reason about which customers are legit.
If you were trying to run a significant and profitable business, would you expect to know who your customers are? You need to be able to get your product in front of them right? Market to them somehow? And you must get outreach for support or partnerships now and then, even if you try to make yourself hard to identify or reach.
They may have avoided collecting identifying information on specific individual people, but it's absurd to think that they could have reached the scale they did with no knowledge of where and for what purpose their service was being used.
The startup engineer's fantasy is that you can build something useful and users will flock to it through no further involvement of your own, but that's almost never a thing -- and certainly not here.
Is there any evidence Bitcoin Fog was marketing their service specifically to criminals?
The affidavit[1] another user linked elsewhere in this thread says:
> BITCOIN FOG was publicly advertised on Internet forums and well-known web pages promoting darknet markets as a tool for anonymizing bitcoin transactions.
But it doesn't really go into detail. "well-known web pages promoting darknet markets" might just mean "Reddit".
And I think you might be underestimating the impact of word-of-mouth advertising. I don't recall Tor or Mullvad having to extensively advertise to criminals in order to get as popular as they are now.
Tor and Mullvad are definitely tools for criminals, I am aware that they are often used to access illegal information which is legitimately censored by the government. And some news media outlets openly promote using these services to bypass the legitimate censorship.
We call this due diligence, and it's an essential banking practice. Willful ignorance is not a defense, particularly when large amounts of money are involved.
The law has a variety of "know your customer" rules, but in addition has a bunch of laws that constrain your behavior if you can reasonably know that you are handling criminal proceeds.
Anyone operating a crypto mixer knows that people will endeavor to use it to illegally launder funds, and, as I understand it, if you know that, you have to implement _effective_ methods to prevent that illegal mixing. It does not matter that there are legal transfers, you have a legal duty to not carry the illegal ones, and if you are not actively trying to prevent those illegal transfers you are liable.
A more day-to-day analogy would be that it is illegal to knowingly buy, sell, or accept stolen property. If you do buy stolen property but there's no reason for you to have thought it is stolen you haven't done anything wrong (though the purchase or sale is invalid, so you've lost the money). If however police can show that you knew or could reasonably know the property was stolen, they could choose to charge you with a crime, and your defense would presumably be some variation of why it was reasonable for you to believe the property was not stolen.
The problem is specifically that everyone running a mixer knows that people attempt to launder their funds through mixers, and so therefore should have mechanisms in place to ensure that they are not accepting transfers that can reasonably be related to criminal enterprises, just as you would have to when buying/selling property in the real world. Given that most crypto is trivially auditable there are very few arguments that would support not having at minimum automated rejection of transactions involving any known wallet, and moreover constantly updating the list of known bad addresses.
Certainly if I were on a jury, and the person running the mixer could not show their reasonable actions to prevent laundering, that the system was constantly tracking, updating, and expanding the disallowed wallets precisely because that can be done almost entirely automatically, that would count against their claims to not be intentionally supporting laundering.
Again, the issue here is not running the mixer, it's not that occasional illegal transactions go through - that's unavoidable - it's the failure to take reasonable steps to stop plausibly illegal transfers. The way banks handle this is they block suspicious transactions pending receipt of the actual sender and recipient, and documentation of the origins of the funds. Which is what a mixer would need to do.
> I don't see how you could argue the service itself was
Regular banking has piles and piles of AML/KYC regulation that they need to follow in order to not become guilty of money laundering, or aiding money laundering.
Are you saying Bitcoin Fog followed all this regulation, or are you saying Bitcoin Fog can unilaterally declare itself exempt from AML/KYC laws?
Sorry if this sounds like a confrontational question. I don't mean it to be. Just intend for it to be a clear question.
There's a separate U.S. code for that which is not related to money laundering. The affidavit[1] another user linked accused the defendant of violating 18 U.S. Code § 1960[2], and D.C. Code § 26-1023[3] in addition to the money laundering law previously linked.
Those two laws make it illegal for businesses to transmit money without requesting all sorts of private information from their customers, and providing that information to the government under some circumstances.
In other words, under current U.S. law, yes, privacy is indeed a crime.
No. You can launder money using anything that works as a transferable, divisible store of value. You just have to be able to break it down into smaller pieces and exchange the "dirty" pieces for "clean" ones. The bitcoin is just the vehicle for the laundering, and the mixer is basically just a money laundering machine. (You can use it to exchange clean assets for other clean assets, but if you start with dirty ones, you're money laundering.)
I'm not a lawyer, but yeah it certainly does seem that way based on how the law is worded. I wonder if Sterlingov's lawyers tried that argument in court.
Actually he used liberty reserve, a popular centralized service at the time. Yes he also used BTC but I think that doesn't matter a lot, since he was using an LR account registered with his personal details to pay for the domain.
For anyone else curious, it's described in this affidavit, page 8: https://storage.courtlistener.com/recap/gov.uscourts.dcd.230...