Stealing bitcoins is easy, but laundering is difficult
Stealing cryptocurrency and subsequently laundering it require different skills. “The skills required for initial exploitation and the skills required for subsequent laundering are very different,” Elliptic blockchain analyst Arda Akartuna told Fortune.
The blockchain ecosystem isn’t built to manage big sums of money anonymously. The options for laundering stolen cryptocurrencies are extremely restricted, especially when large sums are involved. In the case of the recent attack on the blockchain game Axie Infinity, for example, Akartuna claims that the hacker “would have practical and logistical issues if he tries to take the entire stolen amount of $600 million all at once.”
“Hacking is the easiest part,” Jonah Michaels, communications lead at Web3 bug bounty platform Immunefi, told Fortune. “The hardest part is planning enough in advance to make sure that cashing out the funds is successful. Moreover, the larger the hack, the more unlikely it is that hackers will be able to make off with all the funds.”
Under the pretext of combating crime, law enforcement is tightening its control over cryptocurrency. Authorities require exchanges and exchange services to perform KYC verification and AML checks on deposits. Then, using blockchain analytics, they deanonymize the owners of suspicious wallets. Although blockchain analysis aids in the detection of criminals, honest bitcoin users dislike having their wallets monitored. Crypto enthusiasts use bitcoin mixers to maintain their anonymity.
On the market, there are dozens of bitcoin mixers. They use various mixing methods, funding sources, and working conditions.
Cleaning bitcoins manually
The task of bitcoin mixers is to give the user clean coins that meet two conditions:
Broken chain. Analyzing the transaction chain of the clean coins will not lead a blockchain analyst to the user’s previous addresses, so the owner of the wallet cannot be identified;
No dirt. The transaction chain of the clean coins does not include risky addresses: scam projects, mixers, hackers, darknet marketplaces. The exchange will not block the user’s account during AML scoring.
Laundering cryptocurrency can be done manually or with the help of automated services. ZCash, Dash, and Monero are the anonymous coins used in the manual solution. Their blockchains do not record the sender and recipient addresses or the value of the transfer.
Manual laundering works as follows:
The user exchanges bitcoins for ZCash, Dash or Monero.
The user then creates a new bitcoin address.
The user exchanges the anonymous coins for bitcoins again and receives them at the new address.
As a result, the user receives bitcoins that are not associated with his old wallet. Such coins meet the first condition of purity – breaking the chain. But at the same time, the user pays commissions for transactions and services of exchange platforms several times, and also risks receiving dirty assets.
Automatic laundering of bitcoins using mixer services
Bitcoin mixers automatically shred users’ coins, mix them with the coins of other clients, and deliver them to different clients in a random order. This approach complicates blockchain analysis and makes determining the true owner of bitcoins harder.
Automatic coin laundering mixers use three basic technologies:
Classical. The mixer mixes users’ coins;
Peer-to-peer. Users mix bitcoins themselves using the CoinJoin protocol;
Exchange. The mixer accepts the user’s coins and sends him bitcoins from the wallets of exchange users.
The laundering technology affects the size of commissions, the speed of work, the quality of cleaning and the risk of the user getting dirty coins. Bitcoin laundering services can use several technologies.
The first mixers arose after blockchain explorer blockchain.com introduced a public taint analytics service in 2011. It provided users with a complete summary of transactions at a selected address. Law enforcement authorities began using taint analytics to identify bitcoin holders, and crypto enthusiasts then came up with the concept of bitcoin mixers.
The initial mixers collected client transactions in a single wallet, mixed the bitcoins, and distributed the funds to random users. This approach destroyed the link between addresses and provided users with basic anonymity.
In 2012, blockchain researchers invented a technology for analyzing similar transaction volumes. This technology established a connection between the addresses of mixer users, based on the assumption that an incoming and an outgoing transaction with the same volume were sent by the same person.
Mixer developers fought against the analysis of similar volumes: they assigned a random cleaning fee, delayed the return of coins, and sent bitcoins in several transactions.
However, it was discovered that active users of mixers occasionally received their own bitcoins back. Services introduced mixing codes to combat this. When cleaning, the mixer assigned a unique identifier to incoming bitcoins and issued the user coins with a “foreign” code. Classic mixers are still in use. Their creators keep track of the development of cryptanalysis tools and take precautions. While such mixers are effective in breaking chains, their customers risk receiving dirty bitcoins from criminals.
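The similar-volume analysis described above, written from the analyst's side as an added example (not code from the article or from any analytics product). The fee tolerance, the time window, the function name and the sample transfers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    address: str     # constructed label, not a real bitcoin address
    amount_sat: int  # value in satoshis
    time: int        # seconds since an arbitrary epoch

def link_by_volume(deposits, withdrawals, max_fee_ratio=0.03, window=6 * 3600):
    """Pair mixer deposits with withdrawals of similar volume.

    A withdrawal is a candidate for a deposit when it follows the deposit
    within `window` seconds and equals the deposit minus a fee of at most
    `max_fee_ratio`. A deposit with exactly one candidate is reported as a
    link; several candidates are reported as ambiguous, because the
    heuristic cannot decide between them.
    """
    links, ambiguous = {}, {}
    for dep in deposits:
        low = dep.amount_sat * (1 - max_fee_ratio)
        candidates = [
            w for w in withdrawals
            if 0 < w.time - dep.time <= window
            and low <= w.amount_sat <= dep.amount_sat
        ]
        if len(candidates) == 1:
            links[dep.address] = candidates[0].address
        elif candidates:
            ambiguous[dep.address] = sorted(w.address for w in candidates)
    return links, ambiguous

# Constructed sample data: transfers into and out of one mixer wallet.
DEPOSITS = [
    Transfer("in_A", 150_000_000, 1_000),
    Transfer("in_B", 40_000_000, 2_000),
    Transfer("in_C", 75_000_000, 3_000),
]
WITHDRAWALS = [
    Transfer("out_1", 148_500_000, 4_600),  # only candidate for in_A (1% fee)
    Transfer("out_2", 39_600_000, 5_000),   # candidate for in_B
    Transfer("out_3", 39_200_000, 9_000),   # second candidate for in_B
    Transfer("out_4", 74_250_000, 90_000),  # fits in_C by volume, but too late
]

if __name__ == "__main__":
    print(link_by_volume(DEPOSITS, WITHDRAWALS))
```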
In 2013, developer Greg Maxwell published the CoinJoin peer-to-peer mixing concept:
Participants simultaneously send the same amount of bitcoins to a shared wallet.
The Bitcoin protocol automatically combines their transfers into one transaction.
CoinJoin mixes coins and returns equal amounts to participants in a single transaction.
Combining bitcoins in a CoinJoin generates two large transactions on the blockchain. This method protects the transaction’s participants from taint analysis because proving the relationship between addresses is challenging for analysts.
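How an analyst or an exchange's screening might flag the equal-amount pattern described above, as an added example (not code from Maxwell's proposal or from any CoinJoin implementation). The transaction layout, the threshold and all addresses are constructed assumptions.

```python
from collections import Counter

def coinjoin_profile(tx, min_participants=3):
    """Describe the equal-value output set of a CoinJoin-like transaction.

    Heuristic (an assumption of this example): at least `min_participants`
    outputs share one value, and at least as many distinct input addresses
    funded the transaction. Returns None when the pattern is absent.
    """
    if not tx["outputs"]:
        return None
    counts = Counter(o["value_sat"] for o in tx["outputs"])
    # Most frequent output value; ties go to the larger value.
    denomination, n_equal = max(counts.items(), key=lambda kv: (kv[1], kv[0]))
    funders = {i["address"] for i in tx["inputs"]}
    if n_equal < min_participants or len(funders) < n_equal:
        return None
    outs = tx["outputs"]
    return {
        "denomination_sat": denomination,
        # Any funder could own any of these outputs: the link is broken here.
        "mixed_outputs": sorted(o["address"] for o in outs if o["value_sat"] == denomination),
        "change_outputs": sorted(o["address"] for o in outs if o["value_sat"] != denomination),
        "candidate_funders": sorted(funders),
    }

# Constructed sample transactions (labels are not real addresses).
JOIN_TX = {
    "inputs": [
        {"address": "alice_in", "value_sat": 12_000_000},
        {"address": "bob_in", "value_sat": 10_500_000},
        {"address": "carol_in", "value_sat": 10_010_000},
    ],
    "outputs": [
        {"address": "out_x", "value_sat": 10_000_000},
        {"address": "out_y", "value_sat": 10_000_000},
        {"address": "out_z", "value_sat": 10_000_000},
        {"address": "alice_change", "value_sat": 1_990_000},
        {"address": "bob_change", "value_sat": 490_000},
    ],
}
PAYMENT_TX = {
    "inputs": [{"address": "dave_in", "value_sat": 5_000_000}],
    "outputs": [
        {"address": "shop", "value_sat": 3_000_000},
        {"address": "dave_change", "value_sat": 1_990_000},
    ],
}

if __name__ == "__main__":
    print(coinjoin_profile(JOIN_TX), coinjoin_profile(PAYMENT_TX))
```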
However, there are certain drawbacks to CoinJoin:
participants must manually send coins at approximately the same time, otherwise the protocol will not process transactions;
the amount of the transaction must match for all participants;
users risk getting dirty coins from one of the participants.
Following the publication of Maxwell’s paper, blockchain developers constructed a number of peer-to-peer mixers based on CoinJoin. Until blockchain monitoring service Neutrino revealed a transaction snapshot of the JoinMarket peer-to-peer mixer in 2016, they were considered trustworthy by the community. The snapshot indicated the amounts of transactions, the exchangers used, and the geographic location of the participants in the transaction. Nevertheless, peer-to-peer mixers continue to be popular.
Cryptocurrency exchanges excel at removing dirt from coins. If a trading platform accepts bitcoins into your wallet, then after withdrawal they acquire legal status in taint-analytics services. But anonymity cannot be ensured in this way: exchanges identify clients under KYC and collect data.
Centralized exchange mixers use exchanges as a source of clean coins. The user transfers bitcoins to the mixer and receives money from exchange users’ wallets. Exchange users earn a portion of the service commission in return for supplying liquidity.
The user does not risk losing his money or receiving “dirty” bitcoins when using exchange mixers. However, the commissions charged by these services are larger than those charged by other types of mixers.
The mixer at the top of the list
One of the most popular mixers is Tornado Cash. Typically, Tornado Cash is hackers’ first stop after a theft, Akartuna said. For example, the hacker who hacked Axie Infinity transferred the stolen millions of dollars in cryptocurrency through Tornado Cash.
“Without mixing, it’s too easy to follow the trail, and no matter how much time passes, all of that information is still publicly viewable on-chain,” Michaels said. “Even years later, people can set alerts to ping them of any movement of those funds.”
Most modern mixers can break the chain of transactions and provide the user with anonymous bitcoins. At the same time, classical and peer-to-peer cleaning services cannot guarantee the purity of coins. Their clients often receive dirty assets and, when making a deposit on the exchange, risk having their account blocked.
According to Akartuna, hackers may find withdrawing stolen coins so difficult that they decide to return the money. Some people return the money because they are afraid of being arrested. In the case of the Poly Network DeFi protocol, the hacker who stole $611 million eventually returned the funds, claiming that the hack was only for fun, that he was not interested in money in general, and that he had no intention of keeping it from the start.