When it comes to cryptocurrency transactions, questions about alleged money-laundering quickly get thorny.

A Wall Street Journal investigation from last September, titled “How Dirty Money Disappears Into the Black Hole of Cryptocurrency,” claimed the crypto conversion platform ShapeShift had facilitated at least $9 million worth of money laundering over several years with “a parade of suspected criminals.”

Now, at ShapeShift’s request, the blockchain analytics firm CipherBlade recreated the 2018 report and found less than $3 million in transactions involving potentially “tainted” funds.

The main distinction here is that CipherBlade focused on allegedly tainted coins instead of the total value held in each affiliated wallet or account.

“Of the ShapeShift addresses which receive ETH within three hops from the initial dirty addresses, less than half of the ETH traded through them are tainted,” the CipherBlade report says. “Using the most generous assumptions, this is still only 23.53 percent of the WSJ’s claimed $9 million.”

Add to that ether to roughly 40 bitcoin, which ShapeShift itself found to be associated with suspicious wallet’s the WSJ identified, and the total estimate falls just shy of $3 million.

When asked about the investigative process, a WSJ spokesperson told CoinDesk:

“An analysis looking at individual tainted ethereum coins, rather than tainted wallets, would be a different project than what the Journal embarked on, and one we can’t comment on because we have not reviewed it.”

All parties agree the most pessimistic reading of the data still indicates questionable transactions made up a pittance of ShapeShift’s volume since the company was founded in 2014. According to a tweet by CEO Erik Voorhees, ShapeShift processed crypto worth $30.3 million a month in 2017 alone.

Still, experts such as Pawel Kuskowski, CEO of the analytics firm Coinfirm, told CoinDesk there’s no clear answer to how much may have been laundered through the platform – because until October 2018 ShapeShift did not perform know-your-customer (KYC) identity checks.

“If you don’t know the underlying clients, how do you know?” Kuskowski told CoinDesk. “This is why you have KYC in the first place, to understand the profile.”

When asked about whether it’s better to account for the whole wallet or focus on the tainted coins themselves, Kuskowski said the truth hides in the shades of gray in between. He said a complex analysis of the risks associated with the people involved in these transactions, along with “plausibility and some other rules,” all combine to reveal whether the wallets themselves should be considered tainted or suspicious.

In Coinfirm’s own report on risks associated with crypto platforms, ShapeShift was classified as “high risk” with regards to anti-money laundering procedures and compliance because of anonymous usage until the KYC policy began last October. According to Kuskowski, it often takes months for a traditional bank to de-risk after any association with money laundering.

“It’s a good direction, that’s for sure,” Kuskowski said of ShapeShift’s added KYC procedures.

Compliance overhaul

That de-risking process actually began months before the WSJ report, according to ShapeShift Chief Legal Officer Veronica McGregor.

“Among law enforcement, ShapeShift is regarded as a very helpful and cooperative player,” she told CoinDesk. “Just because we started implementing those KYC procedures does not mean that we didn’t already have procedures in place to detect fraud and bad wallet addresses and theft, things like that.”

The company was already working with external consultants to identify and block transactions from suspicious wallets, McGregor said. Then ShapeShift underwent a compliance overhaul throughout the second half of 2018, mandating KYC identity checks for all users and working with three independent analytics firms, Chainalysis, ComplyAdvantage and IDology.

McGregor said ShapeShift continues to “tweak” its procedures, both in-house and through work with the three aforementioned services providers, in order to keep up with the evolving technology.

Richard Sanders, CSO and co-founder of CipherBlade, told CoinDesk he believes the claims in the WSJ report were “grossly exaggerated.”

“We did find around $3 million, which isn’t a great look for ShapeShift,” Sanders said. “But it is significantly smaller than what the Wall Street Journal reported.” CipherBlade says its independent analysis was not paid for by ShapeShift.

For his part, ShapeShift’s Voorhees continues request the WSJ retract the report, which was published in September 2018 during the company’s compliance overhaul. He believes the methodology used to tally questionable funds was fundamentally flawed.

“Crypto is bringing light, truth, and openness to finance,” Voorhees told CoinDesk. “And it’s a pleasant irony that the transparency of blockchains so easily vindicates us from the narrative that the Journal has imagined into existence.”