On February 13, 2020, Larry Harmon, of Akron, Ohio, was charged with three counts: (1) conspiracy to commit money laundering, (2) operating an unlicensed money transmitting business and (3) conducting money transmission without a DC license.
According to the DOJ, Harmon operated “Helix,” which was also known as a “tumbler” or “mixer,” without registering as a money services business or money transmitter. These technologies allow a user to obfuscate the origin of their bitcoin.
Regulations on Bitcoin Privacy
Per the Bank Secrecy Act (BSA), exchanging virtual currency (among other things) is a FinCEN-regulated activity. According to FinCEN, “[a]n exchanger is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency.” An exchanger must register with FinCEN as a money services business (MSB). Once registered, the exchanger must implement procedures reasonably designed to prevent money laundering.
Blockchain Analysis and Financial Privacy
While the standard of reasonableness is evolving, one possible way to prevent money laundering is blockchain analysis. Blockchain analysis companies have large marketing budgets and are persuading crypto exchanges to use their services in order to “de-risk” the exchange’s own compliance reporting duties.
Similarly, though not required by law, some larger banks have made the use of blockchain forensic analysis services a condition of getting a bank account. Akin to the dragnet surveillance exposed by Edward Snowden in 2013, these services attempt (with debatable accuracy) to identify the history of a bitcoin, which (absent other intervening actions) potentially exposes all past and future transactions made by the user who broadcasted the transaction.
Blockchain forensic analysis can include the collection of large amounts of personal information about a user’s spending habits, total holdings, and whether or not the bitcoin has traveled to the dark web or been used for something illegal. Aside from privacy considerations related to the over-collection of data, the requirement that companies purchase these services can significantly raise the costs of entry into the industry, reducing competition and depriving consumers of the choices they might otherwise have when obtaining financial services.
If a blockchain analysis service determines that particular bitcoin have been involved in criminal activity, these bitcoin are referred to as “tainted.” The concept of tainted bitcoin is controversial. The ultimate objective for a blockchain analysis company, and thus the government to which they offer their services, is to know who owns the bitcoin. It’s a tall order, but if they can accomplish this, financial privacy on layer-one Bitcoin will be nonexistent.
One failsafe way to remove a bitcoin’s alleged taint is to have it seized by the government and resold at an auction. Once it’s passed through the government, regulated cryptocurrency exchanges can begin accepting it again; it is “clean.”
The other way to “clean” a bitcoin is to break the link between the bitcoin’s past and current transactions by running it through a tumbler/mixer, or CoinJoin. Tumblers and mixers are custodial: This means that when one uses a tumbler or mixer, they must give control of their coins to another party, and trust that this party will return the bitcoin to them. By contrast, there are various implementations of CoinJoin that can be conducted without sacrificing control of your coins. Not your keys, not your bitcoin.
While most agree that the government has a legitimate interest in fighting crime, some privacy advocates are concerned that industry standards are being heavily influenced by two powerful forces that may not properly weigh financial privacy concerns: (1) the global Financial Action Task Force (FATF), an intergovernmental agency that seeks to assist global governments in surveillance and tax collections; and (2) compliance companies that stand to gain immensely from lucrative government contracts.
From the privacy advocates’ perspective, the more draconian measures that interested groups (whether public or private sector) can push for, the more money the compliance companies will make. In an ideal world for a forensic blockchain analysis company, a user’s personal privacy may be considered evidence of criminal activity.
Privacy and Fungibility Go Hand in Hand
Fungibility is defined as “capable of being substituted in place of one another.” Fungibility is a critical quality of money. Consider the following example:
If Alice lends Bob a $10 bill, Alice does not need to be repaid with the very same $10 bill; any $10 bill will do. In the same sense, Alice could accept one $5 bill and five $1 bills and still be satisfied, since the total equals $10.
Conversely, as an example of non-fungibility, if Alice lends Bob her car, it is not acceptable for Bob to return a different car, even if it is the same make and model as Alice’s original car. Cars are not fungible with respect to ownership. (The gas that Bob buys to fill up the car upon its return, however, is fungible.)
As applied to Bitcoin, a looming concern is that if some bitcoin are treated differently than others, then one of bitcoin’s inherent characteristics as money will be reduced, potentially hampering bitcoin’s future as a global reserve currency.
Coin Mixing / Tumbling
Since the Bitcoin blockchain is publicly verifiable through the use of a block explorer, some users have taken to coin mixing or tumbling, where a user sends their bitcoin to a service that accepts them and then sends the designated amount, minus fees, to the destination requested by the sender. This makes the origin nearly impossible for the recipient to decipher. There could well be nefarious reasons for individuals to want privacy in their transactions, but there are also legitimate reasons for using Bitcoin privately; for example, you might not want the people you transact with to be able to see how much money you have, or to be able to view all of your transactions and associations, past and future.
CoinJoin, first introduced by Greg Maxwell in 2013, is a privacy-protection technique that does not require surrender of custody to another party. CoinJoin is a process of combining multiple Bitcoin payments from multiple spenders into a single transaction to make it more difficult for outside parties to determine which spender paid who. The distinction for CoinJoin is that CoinJoin is software, and FinCEN regulations exempt “the delivery, communication, or network access services used by a money transmitter to support money transmission services.” See 31 CFR § 1010.100(ff)(5)(ii).
Section 4.5.1 of the May 2019 FinCEN guidance states that “providers of anonymizing services” — such as custodial mixers — are money transmitters under FinCEN regulations. Anyone who provides anonymizing services by “accepting value from a customer and transmitting the same or another type of value to the recipient, in a way designed to mask the identity of the transmittor, is a money transmitter under FinCEN regulations.”
Helix operated as a custodial mixer, where users’ coins were allegedly sent to Harmon’s control and swapped, then different coins were sent back to the user or to a predetermined destination. This falls within the definition of money transmission.
FinCEN Guidance vs. the Law
We’ve likely all seen the 2019 FinCEN guidance, with its two-page disclaimer that it’s just guidance. Well, the actual laws that Harmon was charged with are as follows: (1) federal money laundering, (2) federal money transmission and (3) District of Columbia money transmission. He was not charged with anything to do with AMLD5 (inspired by FATF), the Office of Foreign Assets Control (OFAC) or international money laundering, but we will touch on those briefly as well, because he could have also been charged with any of them too.
Federal Money Laundering Law
Federal money laundering is sending and receiving financial transactions “involving the proceeds of specified unlawful activity … with the intent to promote” the unlawful activity. See Title 18 USC § 1956(a). The allegations say the bitcoin went through AlphaBay and was used to buy illegal drugs. The bitcoin-to-drug purchase happened on AlphaBay, then the drug dealer sent those bitcoin to Helix. Harmon knew these bitcoin were the proceeds of illegal activity because he himself wrote about AlphaBay being used for drugs. Then he mixed the bitcoin and sent it to himself again, at DropBit (another layering transaction), and from there, a regular user could unknowingly get the tainted bitcoin, and risk future issues with traditional on- and off-ramps for the reasons outlined above.
Money Transmission (Federal)
The other federal charge complication is that most money laundering cases also involve unregistered money services business activity, meaning, the company didn’t register with FinCEN before setting up their dark web drug website. Consequently, this means they did not collect user data, report suspicious activity or pay taxes. It seems plausible that this charge could stick. However, at first, this case looked interesting because it would be a case of first impression involving mixers. The mixer didn’t actually play a part, though, because the transfers of bitcoin from AlphaBay to Helix, and then from Helix to the DropBit wallet, are both “transmissions” whether or not the coins were mixed on Helix at all.
Money Transmission (DC)
The DC charge against Harmon was unexpected. The DC money transmitter law has never been modified to include bitcoin and never been tested against bitcoin. The jurisdiction here comes because the undercover agent performed the transaction on trial from DC. As a result of this case, DC may have to refine their money transmission law. It would be nice if they would look to Montana, a state with no money transmission regulation, or Wyoming, which has adopted crypto-friendly money transmission rules.
FATF & AMLD5
While Harmon was not charged with anything related to the FATF guidance, nor could he be, since it is strictly guidance, the AMLD5 has adopted much of this guidance into practice. The AML/CTF EU Directive 2018/843 (AMLD5) was published in the “Official Journal of the European Union” and took effect on January 10, 2020. It covers providers that exchange services between fiat and cryptocurrencies, as well as custodial wallets.
The FATF’s 59-page guidance, which is featured prominently on Google with a CipherTrace sponsored advertisement, encourages all member countries to adopt the American rules. However, as a point of concern among privacy advocates, this guidance also introduces concepts of “enhanced due diligence” in reference to privacy-centric cryptocurrencies or software. Notably absent from the guidance are explicit privacy considerations for how to balance privacy with legitimate law enforcement objectives.
The AMLD5 directive suggests that it is essential to extend its scope “so as to include providers engaged in exchange services between virtual currencies and fiat currencies as well as custodian wallet providers.” It also suggests that the EU monitor for “suspicious activity” by hiring “entities” to monitor the use of virtual currencies. “Such monitoring,” the directive states, “would provide a balanced and proportional approach, safeguarding technical advances and the high degree of transparency attained in the field of alternative finance and social entrepreneurship.”
Money Transmission Catchall (OFAC)
Harmon was not charged with any OFAC violations, but he could have been. Had he processed a transaction for an individual, country or bitcoin wallet address that is on the sanctions list, he would’ve been in violation. But by not collecting the KYC data on his customers at Helix, Harmon likely has no idea whether or not he serviced any sanctions list member. The OFAC, like FinCEN, is a component of the Department of the Treasury. It administers and enforces economic and trade sanctions.
Are Individual Bitcoiners Responsible for Knowing Where Our Bitcoin Has Been?
No, individuals are “users” according to the 2013 FinCEN guidance. A user is a person that “obtains virtual currency to purchase goods or services” (or in Bitcoin’s case, for speculation, as a savings vehicle, hedge or store of value). Users are not regulated by FinCEN. However, individuals are required to pay taxes on capital gains, and the information collected by FinCEN, and most government agencies, is under a memorandum of understanding that it can be shared with the IRS.
The exception to this, which to our knowledge has not yet been tested in court, could be the laws regarding receiving stolen property. Generally, for someone to be guilty of receiving stolen property, they must know, or should have known, that the property they receive is stolen. For the overwhelming majority of users, this kind of knowledge is, for practical purposes, impossible.
The exchanges, however, have all of the responsibility and liability to use reasonable steps to comply with their FinCEN obligations. Their banking partners are also likely to have higher compliance requirements of the exchange than are required by FinCEN, which can include using blockchain analysis tools. It’s also possible that, at the bank’s or compliance officer’s discretion, the exchange may be advised not to accept coins that have come from a mixer or tumbler.
The balance between law enforcement efforts and privacy is challenging. Nobody wants to see terrorism or violent crime, but individual rights are jeopardized when we continue, as a society, to freely and willingly give up a lot of our financial privacy.
Maintaining bitcoin’s fungibility is arguably a necessity for bitcoin to achieve one of its core value propositions: freedom. Bitcoin is the currency of the internet, and the internet is, or should be, free and global. Not all countries have the benefit of a strong and stable financial system or a trustworthy government. When privacy is eroded, so is freedom of speech and association. We lose our privacy every day as we agree to use custodial Bitcoin solutions. Privacy and data security are not suspicious; they are responsible actions that individuals should be encouraged to take to help protect our identities against hackers from America and abroad.
As described above, exchanges must take “reasonable” steps to prevent money laundering. Whether that means accepting or blocking mixed coins is a decision that each exchange will make on their own. There is no codified standard. There is no “law” against CoinJoin. There is no definitive answer as to how far back they should check — or whether they should check at all.
Given the legitimate privacy concerns illustrated above, we encourage exchanges not to treat the use of CoinJoin in a bitcoin’s transaction history, without any external evidence of wrongdoing, as evidence of suspicious or criminal activity. We view CoinJoin as being no different than other standard privacy practices in Bitcoin, such as not reusing bitcoin addresses. (“For greater privacy, it’s best to use bitcoin addresses only once.” Satoshi Nakomoto, November 25, 2009.) Bitcoin users should not be required to leak personal information in the same way they are encouraged not to accidentally disclose their social security number. Maintaining Bitcoin privacy helps prevent individuals from being victimized by hackers, terrorists, scammers and system hijackers, and authoritarian governments.
It’s hard to price when achieving Bitcoin privacy moves from an inconvenience to a legal, financial or even safety-related necessity. Keeping the Bitcoin network private can be thought of as an act of unity by Bitcoiners in America to help keep the network useful for Bitcoiners in Venezuela and Hong Kong — indeed, around the world. United we stand, divided we fall.
Thank you to the many sources who helped pull this knowledge together. Rafael and I have spent years learning the intricacies of money transmission and money laundering laws, and we have each helped many Bitcoin companies navigate these regulations. While everything written in this article reflects our own opinions unless quoted directly, we appreciate the contributions to this topic provided by the following groups/individuals: the Samourai Wallet and Wasabi Wallet communities, Stephan Livera, 6102bitcoin, ErgoBTC, Peter Van Valkenburgh, Matt Odell and numerous other community contributors.