Blockchain analysis of the billions of dollars in bitcoin stolen during the 2016 hack of cryptocurrency exchange Bitfinex shows an interesting evolution in the slow and careful laundering of those funds.
Cryptocurrency exchanges may once have been a quick cashing-out option, but criminals like the Bitfinex hackers mostly gravitate towards large darknet marketplaces these days, according to research provided exclusively by blockchain analytics firm Elliptic.
Meanwhile, privacy wallets like Wasabi Wallet or JoinMarket appear to have become the preferred option over once-popular bitcoin mixing services. (At least 13% of all proceeds of crime in bitcoin were sent through privacy wallets in 2020, according to early data from Elliptic.)
Not everyone will remember the Bitfinex hack of August 2016, when almost 120,000 bitcoin (worth $72 million at that time, but now around $7 billion) was stolen from the exchange.
Only about 4% of the stolen bitcoin has been laundered or exchanged to date, and the vast majority has not moved at all, according to Elliptic. However, an uptick in bitcoin's price may have tempted the thieves into shifting about $100 million worth in November 2020; in April 2021, another $774 million worth of coins were moved.
You don't have to be a crypto libertarian to be concerned about privacy on the internet, which seems paradoxically pulled between rules like the General Data Protection Regulation (GDPR) on the one hand and know-your-customer (KYC) requirements on the other.
Wasabi Wallet, open-source software that weaves together a collection of Bitcoin transactions as an obfuscation tactic, is largely administered and overseen by a private company called zkSNACKs, based in Gibraltar and within that jurisdiction's crypto regulatory regime.
This raises an interesting philosophical question, at least from the point of view of blockchain analytics firms like Elliptic, which has been busy tracking bitcoin swiped from Bitfinex.
"Given that Wasabi Wallet is now facilitating a huge proportion of all illicit transactions in crypto, is what zkSNACKs is doing, as a company, legal?" said Elliptic co-founder Tom Robinson in an interview. "They are effectively doing the same thing as a mixer operator would. So aren't they going to be in the sights of regulators?"
There are a couple of important points to note here.
Firstly, the current regulatory regime applies to cryptocurrencies in custodial settings, that is to say where a company like an exchange (virtual asset service provider, or VASP, in regulator speak) takes custody and holds a user's coins. Applications that are non-custodial, which includes Wasabi Wallet, do not fall within the regulator's purview. (Although it's also worth noting that regulatory guidance is steadily creeping towards non-custodial wallets.)
A second point is that the "zk" in zkSNACKs stands for "zero knowledge," a branch of technology that shields any information about the user of the zkSNACKs platform from prying eyes, including from the company itself.
"Police departments from all over the world have knocked on our door, investigating certain transactions," zkSNACKs CEO and co-founder Bálint Harmat said in an interview, adding:
"They have figured out through blockchain analytics companies that some of the transactions were made through Wasabi Wallet, and they ask whether we can share any kind of personal identification information with them, or IP addresses or whatever."
Harmat said that, to the firm's best knowledge, it simply cannot share anything because of the way the software is built.
"Even if we gave someone access to all of our servers, they wouldn't be able to gather any kind of data because we don't have data. This is the way we build the software," he said.
Being based in Gibraltar, zkSNACKs is regulated by the Gibraltar Financial Services Commission (GFSC), under the jurisdiction's Distributed Ledger Technology Framework. Gibraltar, which became a hub for e-gaming back in the early 2000s, is proud of its talent for keeping up with innovation, including crypto.
Albert Isola MP, Gibraltar's Minister for Digital and Financial Services, said firms regulated in the jurisdiction should report suspicious activity to the Financial Intelligence Unit (which uses another well-known blockchain analytics firm called Coinfirm).
Asked if the jurisdiction's Financial Intelligence Unit has received any suspicious transaction reports (STRs) relating to Wasabi Wallet and zkSNACKs, Isola said he was not aware how many such reports related to any particular firm.
"I know that we have a significant number of STRs reported by the online gaming community, and also by the blockchain community. So I know that they are reporting, which is what I want to see," Isola said, adding:
"I think we're in a much better position than we were with cash, if I could use that as an example. Because at least you've got trails and tracks, you can follow. And you can see the movement of these virtual assets."
Elliptic's Robinson said it's the very fact that Wasabi is non-custodial that makes it more attractive than previous bitcoin mixers. Wasabi's centralized forebears ran the risk of things like exit scams, not to mention the possibility that such services could be law enforcement in disguise.
Robinson likened the zkSNACKs scenario to decentralized exchange (DEX) dYdX, which runs a centralized order book but remains non-custodial, with settlement happening on-chain.
"Like Wasabi, dYdX never has control of funds, but because they control the order matching they can block orders if they want," said Robinson. "Therefore, does that mean that they should be checking whether their customers are sanctioned entities, for example, and blocking transactions?"
The fact that zero-knowledge proofs stand in the middle of a protocol like Wasabi Wallet does not change the fact that a firm like zkSNACKs should be aware that bitcoin inputs are coming from something like the Bitfinex hack and take responsibility, Robinson argued.
"They might not know who their users are or where the funds are going, but they are helping criminals to hide their tracks," said Robinson.
A counterargument is that blockchain analytics is not an exact science to begin with.
Firms that have designed and built platforms to protect the privacy of their users and be censorship-resistant are not about to start blocking those users based on heuristics, pointed out Wasabi Wallet contributor Max Hillebrand.
"This sort of analysis is not conclusive and these types of censorship of transactions do not work," Hillebrand said in an interview. "It doesn't make sense philosophically and it's impossible to implement technically. Therefore we don't do it."