Cryptocurrencies suffer from a reputation of being a tool for criminal activity. This stems partially from the fact that one of the first real-world use cases of Bitcoin was its use for payments on the infamous dark web marketplace Silk Road, where anonymous users could buy almost any banned product, ranging from illegal drugs to weapons. The authors of ransomware also have a tendency to hide behind Bitcoin’s anonymity.
However, what most people do not realize is that the early use of Bitcoin for illegal activities only succeeded due to a lack of knowledge on the side of law enforcement. Most cryptocurrencies are, in fact, much less anonymous than commonly thought and transaction history is actually more traceable than in fiat currencies.
A number of protocols and techniques have emerged to improve the privacy of cryptocurrency transactions and obfuscate transaction history. In this article, we look at ways one might try to launder “dirty” coins. We also highlight the limits of these techniques and how blockchain analytics software, such as Parsiq, can still be used to trace laundered funds in many cases.
The Difficulty of Staying Anonymous
Blockchains are transparent public ledgers. This means that every transaction made can be read by anyone and remains on the ledger forever. Most blockchains that support cryptocurrencies can be classified into two categories: account-based, such as Ethereum, or UTXO-based (unspent transaction outputs), such as Bitcoin. In the former, balances are maintained for each account. The latter is slightly different, in that what is actually stored is a set of unspent transaction outputs. Each transaction has a number of inputs and outputs. Outputs are made out to an account number, which is derived from a public key. Unspent outputs can be unlocked with the corresponding private key and used as inputs in new transactions.
It is easy to see how, in both account-based and UTXO-based models, transaction history can be followed back to gain significant knowledge of an individual’s financial affairs. Imagine, for example, that I am paid by my company monthly in Bitcoin. If I now use this unspent transaction output as an input to buy a tennis racket from a friend, this friend can follow the transaction history back to figure out my salary. He can also investigate further and learn about my employer’s other financial interactions. In general, this system provides a lot less privacy than fiat transactions.
Of course, cryptocurrencies are pseudonymous, in that accounts are just numbers that do not provide any information on the account holder. However, this anonymity is lost as soon as cryptocurrencies are moved out of the system, for example by spending them to buy goods or converting them into fiat currencies. This leaves potential criminals with the interesting conundrum that they have the perfect tool for moving money around anonymously but cannot use that money for anything, because as soon as they do, they can be identified and traced back to some illegal activity.
Imagine you have just hacked a cryptocurrency exchange and stolen a significant amount of money from the exchange’s hot wallet. In order to try to spend this money without identifying yourself as the person responsible for the attack, you have to find a way to clean these dirty coins. Let’s now look at how you may try to achieve this.
The simplest way users try to make use of dirty coins is by moving them around manually, splitting large accounts up into smaller chunks and mixing dirty coins with other transactions. The main idea is to mix transactions of various people in such a way that the origin of each participant’s funds is no longer clear. Manual approaches might confuse the casual observer trying to do manual tracking, but tracing is still possible.
And since cryptocurrency exchanges are now very strict about their KYC procedures, selling cryptocurrencies privately, for example, off-chain through services, such as LocalBitcoins, is the only way to convert dirty coins into fiat currency. Recently, the aforementioned service has removed the cash payment option, in order to prevent such untraceable activities.
Centralized Mixer Services
A more sophisticated but by no means safer option to launder dirty cryptocurrencies can be found in specialized mixer services. These services, which are also called tumblers, are centralized services that offer to mix a user’s transactions with other users’ transactions using an algorithm, in order to obscure transaction history.
The idea is quite simple: Funds are transferred from multiple sources to an account and then split again. By chaining together a lot of transactions of different amounts to and from different addresses, it should be hard to tell which addresses the actual dirty coins have gone to. If you pay x BTC to a mixer, you would receive back x BTC (minus a fee) after a certain time, hopefully in multiple smaller payments to new addresses. The new addresses are created by the user and have to be submitted to the mixer service. Mixer services usually promise to delete all off-chain data on the transaction history set up for a user after a certain time period.
Due to the nature of the business offered by mixer services, they are often only available as unlisted “darknet” websites. This means that they are anonymously hosted on the Tor network and not listed on public search engines.
An example of a mixer service available on both the Clearnet and the Darknet is Bitcoin Laundry. The service provides a user interface which asks the user to specify up to 5 output addresses and send the funds to an input address. It is also possible to configure a delay between 1 confirmation and 24 hours before the funds are returned. A session id allows keeping track of the ongoing process, although the service claims not to keep any logs. Other services are not as user-friendly in terms of the interface but provide very similar functionality. Usually, someone interested in maximizing privacy will send coins to a darknet wallet first, before sending them to a darknet-hosted mixer, and will probably add another indirection before getting back to Clearnet services, if at all.
While it may be harder to trace coins passed through a hosted mixer service for both human analysts and blockchain analytic software, privacy is not complete. Academic studies have analyzed a number of mixer services and found them to be less sophisticated than advertised. A paper published in 2017 found that the algorithms of mixer services have a tendency to follow repeated patterns and re-use certain addresses.
CoinJoin / CoinShuffle
Mixer services require trust in a centralized service. You may actually end up sending your coins to an address, expecting to receive them at another address after mixing, but never hear anything again.
The CoinJoin technique is a trustless approach for Bitcoin that does not rely on a trusted service. This is made possible by the way UTXO-based blockchains are designed. Transactions may actually take outputs from different owners as inputs, as each unspent transaction output has to be signed with the corresponding private key. The individual inputs may be owned by different keys. Therefore, a transaction with inputs from different users can be created with any number of outputs to different accounts. This mixes the coins in a way in which it is difficult to tell which output addresses correspond to which inputs. The technique is trustless in that the transaction needs to be signed by all users involved to be valid. If a single user does not agree with the setup the transaction does not proceed.
Bitcoin UTXO Model – Source: Matthäus Wander – Creative Commons License
The above image illustrates the UTXO model. The transaction has three inputs that add up to a single output. In order to perform a laundering operation, these inputs would be from accounts owned by different people. The transaction would then have a number of smaller outputs to new addresses, each belonging to one of the same users, so that the total of each user’s outputs matches their input. This process can be repeated several times, chaining transactions. The degree of obfuscation in CoinJoin depends on the number of users involved, but so does the difficulty of setting up the operation.
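The matching of each user's output total to their input, described above, is itself something an analyst can exploit. The following added example (not from the original article or any analytics product) brute-forces output subsets whose sum equals an input and links them only when the match is unique; the addresses, amounts and the `max_fee` tolerance are constructed assumptions.

```python
from itertools import combinations

# Constructed sample (satoshis): three users join inputs into one transaction
# and each takes back two outputs whose total equals their own input.
SAMPLE_INPUTS = {"in_A": 520_000, "in_B": 300_000, "in_C": 180_000}
SAMPLE_OUTPUTS = {"out_1": 330_000, "out_2": 79_000, "out_3": 255_000,
                  "out_4": 190_000, "out_5": 45_000, "out_6": 101_000}


def matching_subsets(in_amount, outputs, max_fee=0):
    """Return every set of output addresses whose total equals in_amount,
    allowing up to max_fee satoshis to have gone to the miner fee."""
    items = list(outputs.items())
    found = []
    # Exhaustive search: exponential in the output count, fine for one transaction.
    for size in range(1, len(items) + 1):
        for combo in combinations(items, size):
            total = sum(value for _, value in combo)
            if in_amount - max_fee <= total <= in_amount:
                found.append(frozenset(addr for addr, _ in combo))
    return found


def link_inputs_to_outputs(inputs, outputs, max_fee=0):
    """Link an input to its outputs only when exactly one subset matches.
    Ambiguous or unmatched inputs map to None rather than a guess."""
    links = {}
    for addr, amount in inputs.items():
        subsets = matching_subsets(amount, outputs, max_fee)
        links[addr] = set(subsets[0]) if len(subsets) == 1 else None
    return links


if __name__ == "__main__":
    result = link_inputs_to_outputs(SAMPLE_INPUTS, SAMPLE_OUTPUTS)
    for addr, outs in result.items():
        print(addr, "->", sorted(outs) if outs else "ambiguous")
```
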
Vanilla CoinJoin still requires a party to set up the transaction or chain of transactions for the mixing process. The system is only trustless in that the party performing the setup cannot run off with the funds. CoinShuffle is a system built on top of the CoinJoin idea that defines a protocol to automate the process of creating the mixing transactions in a decentralized manner. This makes it possible to implement privacy wallets that provide user-friendly interfaces for coin shuffling between different users.
Smart Contracts and Zero-Knowledge Proofs
The CoinJoin technique works on Bitcoin, because of the UTXO model, in which transactions can have multiple inputs and outputs associated with different accounts. However, this method does not work on account-based blockchains, such as Ethereum, as balances are kept on a per-account basis and transactions are always from one account to another.
Sending money from multiple sources to a single address and re-distributing to other addresses relies on controlling the intermediary account’s private key. In a manual setup, this can only be done through a trusted third party.
Ethereum, however, does support smart contracts that can take on the role of this intermediary in a decentralized manner. This solution has a privacy problem: smart contracts are completely transparent and mixer contracts are easily identified as such. A smart contract could easily receive funds from different addresses. Anyone making a deposit could withdraw the funds after a random waiting time, in different amounts, to different addresses. However, to prevent anyone from withdrawing more than they have deposited, the contract would have to keep balances for each user. This balance would have to be decreased somehow on each withdrawal. This process would be fully transparent and withdrawals could always be linked to deposits.
This means that anyone following the trail of transactions can figure out that a mixer is involved and can monitor all deposits and withdrawals easily.
Vitalik Buterin, Ethereum’s founder, has recently suggested a high-level design for a mixer contract that avoids the transfers being visible on-chain. The complex scheme involves off-chain transactions and zero-knowledge proofs and does not seem ready for implementation yet.
Mixers of the types described above work reasonably well to obscure transaction history from the eyes of blockchain analysts performing manual tracing, with the caveats identified above.
Software-assisted blockchain analytics can do a much better job of tracing funds. Sophisticated blockchain analytics tools, such as Parsiq, can trace funds through a mixer service. In addition to following complex links, known addresses and repeated patterns can be detected accurately.
At the very least, it is possible to detect whether certain coins have passed through some form of laundering process. This allows exchanges, for instance, to blacklist certain addresses and reject business from dubious sources.
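One common way to quantify whether a deposit descends from laundered coins is the "haircut" taint model, shown here as an added example that is not from the original article and is not a description of how Parsiq works. The transaction chain, outpoint names and the 10% rejection threshold are constructed for illustration.

```python
# Constructed sample chain. Each entry: (txid, spent outpoints, output values).
# An empty "spent" list stands for funds of unknown, presumed clean origin.
SAMPLE_CHAIN = [
    ("theft",  [],                            [100]),
    ("clean1", [],                            [300]),
    ("mix",    [("theft", 0), ("clean1", 0)], [200, 200]),
    ("hop",    [("mix", 0)],                  [150, 50]),
    ("clean2", [],                            [500]),
    ("dep_a",  [("hop", 0)],                  [150]),
    ("dep_b",  [("hop", 1), ("clean2", 0)],   [550]),
]
KNOWN_DIRTY = {("theft", 0)}  # outpoint reported as stolen (constructed)


def taint_fractions(chain, dirty):
    """Haircut taint: every output of a transaction inherits the
    value-weighted share of tainted funds among that transaction's inputs."""
    value, taint = {}, {}
    for txid, spent, out_values in chain:  # chain must be in spend order
        in_total = sum(value[o] for o in spent)
        in_dirty = sum(value[o] * taint[o] for o in spent)
        share = in_dirty / in_total if in_total else 0.0
        for index, amount in enumerate(out_values):
            outpoint = (txid, index)
            value[outpoint] = amount
            taint[outpoint] = 1.0 if outpoint in dirty else share
    return taint


def screen_deposit(taint, outpoint, threshold=0.10):
    """Exchange-side decision for one deposit; the threshold is a policy choice."""
    return "reject" if taint.get(outpoint, 0.0) >= threshold else "accept"


if __name__ == "__main__":
    fractions = taint_fractions(SAMPLE_CHAIN, KNOWN_DIRTY)
    for dep in (("dep_a", 0), ("dep_b", 0)):
        print(dep, round(fractions[dep], 4), screen_deposit(fractions, dep))
```
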