
Mixing It Up: Does DOJ's case against Helix preview what's next for Bitcoin Fog and the future of crypto mixing?


On April 27, U.S. law enforcement arrested Roman Sterlingov, a 32-year-old dual Swedish-Russian national, as he passed through Los Angeles International Airport. Sterlingov was arrested on criminal charges lodged by the United States Department of Justice (DOJ) related to his role as administrator of Bitcoin Fog, the longest-running Bitcoin mixing service on the darknet. The whirlwind saga, a Les Misérables-style Valjean and Javert cat-and-mouse game, ended abruptly with Sterlingov's arrest in L.A.

What ended last week at LAX began back in 2011, when Sterlingov allegedly founded Bitcoin Fog. He advertised Bitcoin mixing and tumbling services on Bitcoin forums such as BitcoinTalk, asserting that Bitcoin Fog "[mixes] up your bitcoins in our own pool with other users," and "can eliminate any chance of finding your payments and making it impossible to prove any connection between a deposit and a withdraw inside our service."

According to the charges in the criminal complaint, of the $336 million Bitcoin Fog laundered over a decade, at least $78 million passed through the mixing service to darknet markets like Silk Road, Agora, and AlphaBay. In 2019, undercover U.S. Internal Revenue Service Criminal Investigations (IRS-CI) agents transacted with Bitcoin Fog, in one case sending messages to Bitcoin Fog's administrator that explicitly stated that they hoped to launder proceeds from selling ecstasy. Bitcoin Fog completed that user's transactions without a response.


Whether his decision to transit through the United States was a display of terrible op-sec (for someone used to hiding on the darknet) or he simply was not aware of the sealed charges, which typically keep savvy illicit actors from traveling to the U.S. or countries that have a Mutual Legal Assistance Treaty (MLAT) with the U.S., we'll likely never know, but the consequences endure. Sterlingov was arrested on a three-charge criminal complaint: (1) money laundering conspiracy (18 United States Code 1956(h)); (2) operating an unlicensed money transmitting business (18 United States Code 1960(a)); and (3) conducting money transmission without a D.C. license (D.C. Code 26-1023(c)). He is currently awaiting trial on those charges in Washington, D.C.

If this seems like a familiar storyline, that's because it is; Sterlingov is not the first administrator of a darknet-marketed mixer to find himself in DOJ's crosshairs. In February 2020, Larry Harmon, former CEO of crypto media site Coin Ninja, was arrested for his operation of Helix, a darknet-based cryptocurrency laundering service. Harmon was charged with the three counts — the very same charges, in the exact same Court, in fact — that Sterlingov faces today. According to the Indictment in the Harmon case, Helix functioned as a bitcoin "mixer" or “tumbler” from 2014 to 2017 and allowed customers to send bitcoin to designated recipients in a manner that was designed to conceal the source or owner of the bitcoin.

In reviewing the court docket in the Harmon case, not only can we derive insights on how the Bitcoin Fog case may play out, but we can also get a sense of DOJ's focus on crypto mixers generally. Get ready to unmix.

What’s the deal with crypto mixing — is it a crime?

A mixer is a service that mixes different streams of crypto. For example, a Bitcoin owner could transfer money from her wallet to a mixer; the mixer mixes that Bitcoin with other users' crypto and then transfers the mixed currency leaving no connection between the original Bitcoin and the final destination. Mixing services are used by both legitimate actors who want to maintain the anonymity of their funds, and by criminals who use mixers to launder money and obfuscate the origin of illicit proceeds by mixing them with legal ones.

The arrests of both Harmon and Sterlingov lit up crypto twitter with one fundamental question: is it a crime to operate a crypto mixing service? In the wake of Harmon's arrest, Coindesk wrote, "Many bitcoin experts are concerned this could establish a precedent where simply creating a bitcoin mixer is seen, in itself, as a money-laundering conspiracy," and continued, "Bitcoin Core contributor Matt Corallo tweeted that if this accusation was upheld by the federal court in Washington, D.C., it would be 'the beginning of the end.'"


But operating a mixer, in and of itself, does not seem to be the focus of the Helix or Fog cases. DOJ's ire seems reserved for (1) mixer administrators who knowingly conspire with illicit actors on the darknet to launder criminal proceeds; and, (2) mixers that don't register as a Money Service Business (MSB) or meet anti-money laundering requirements.

The real problem? Ties to the darknet

Notably, DOJ's focus in both Helix and Fog is on the darknet. In Harmon, the indictment begins, "Starting in or about April 2014, Harmon owned and operated a darknet search engine called Grams. The darknet refers to a collection of hidden websites available through a network of globally distributed relay computers called the Tor network. The darknet includes a number of hidden websites that sell illegal goods like guns and drugs, and services, like hacking and money laundering." Even Harmon, according to prosecutors, acknowledged, in July 2014, that "the darknet primarily sold drugs and illegal items."

According to the indictment, Helix partnered with darknet market AlphaBay to provide bitcoin laundering services for AlphaBay customers. AlphaBay was the largest darknet market at the time it was seized by law enforcement in 2017. The indictment, which charges Harmon with conspiring with AlphaBay's administrator to launder funds, explains that, in 2016, AlphaBay recommended to its customers that they use a bitcoin mixing service to "erase any trace of their coins coming from AlphaBay," and provided an embedded link to Grams-Helix. Helix advertised to customers on the darknet, "Helix uses new addresses for each transaction so there is no way [Law Enforcement]," would be able to track. Similarly, Harmon posted online, "No one has ever been arrested just through bitcoin taint, but it is possible and do you want to be the first?" The charges allege that Helix moved over 350,000 bitcoin – valued at over $300 million at the time of the transactions – on behalf of customers, with the largest volume coming from darknet markets.


DOJ's playbook: it's all coming in

In addition, in the Harmon case, the government filed a motion to admit evidence of other crimes under Federal Rule of Evidence 404(b) — a notable indicator of what to expect from the government's case at trial. While prosecutors are not allowed to admit evidence of prior bad behavior to demonstrate the defendant's propensity to commit the charged conduct, Rule 404(b) allows exceptions to demonstrate things such as motive and intent.

The 404(b) motion in Harmon, like the indictment, focuses on Harmon's connections to the darknet. "The defendant operated Helix as a money laundering service integrated with his broader darknet site . . . Grams allowed users to search across multiple darknet markets for products listed by various vendors, particularly narcotics vendors." The government cites to numerous conversations between Harmon and darknet operators. For example, "in 2014, the defendant engaged in a conversation with a member of the administrative team of Evolution, a prominent darknet market at the time that advertised narcotics for sale on its homepage." In trying to solidify a partnership with Evolution, Harmon even name drops Bitcoin Fog touting the success of Fog's partnership with Agora, another popular darknet site.

The government also identifies services tied to Grams that offer search engine optimization (SEO): ". . . a cocaine vendor could pay to ensure that a Grams user searching for 'cocaine' would see that vendor’s listings displayed at the top of the search results. The advertising vendors dealt primarily in illegal narcotics, and the evidence related to InfoDesk, Flow, TorAds, GramsWords, and related services shows that the defendant was aware of the nature of these advertisements and the materials on the marketplaces. The government thus intends to admit evidence related to all of the Grams services, including the defendant’s own statements, conversations between the defendant and the vendors, conversations between the defendant and others involved in helping the defendant design the Grams site."


According to the 404(b) motion, the government intends to admit evidence of the full scope of illicit activity facilitated by Helix including narcotics trafficking, child exploitation, the sale of hacking tools and stolen financial information in order to rebut Harmon's assertion "that Helix was a privacy service used by law-abiding individuals mindful of security, rather than by criminals seeking to launder their funds." How can the government prove this up? According to the 404(b) motion, with electronic communications between Harmon and darknet administrators that "reveal that the defendant was aware of the nature of the activities occurring on the darknet marketplaces."

The government also intends to introduce evidence that Harmon "engaged in a sophisticated series of money laundering and fraud sub-schemes to conceal" illicit proceeds, and carried out "a multifaceted scheme" that involved fraud, forgery, and operating additional unlicensed MSBs. There were also, apparently, false tax returns. The government plans to admit all this evidence through Harmon's bank account records, witness testimony, evidence recovered from physical and electronic search warrants, and additional business records . . . [which] display the lengths the defendant went to conceal the proceeds from his operation of Grams/Helix."

The Court to crypto mixers: "Bitcoin is money and you are an MSB."

Among the 97 docket entries in the Helix case are three attempts by Harmon to dismiss the charges. The focus of all three motions to dismiss was the state and federal licensing charges.

Harmon argued that Helix was not a money service business under D.C. law because Bitcoin was not "money," under the District of Columbia's Money Transmission Act (MTA), and therefore he did not have to register. The Court disagreed, finding that the term "money" commonly means a medium of exchange, method of payment, or store of value. The Court held that, “Bitcoin is these things.”


Harmon also challenged the federal charge for failing to comply with the money transmitting business registration requirements under federal law. Harmon argued that there was a failure to state an offense because an "unlicensed money transmitting business" under 18 U.S.C. § 1960(b)(1)(B) must transmit funds from one person or location to another person or location but “the Indictment fails to allege that Helix did anything other than provide bitcoin back to the user from whom it was sent.” Again, the court disagreed. Helix’s business, according to the court, was receiving Bitcoin to send to another location or person in order to mask the original source of the Bitcoin. Under the relevant authorities, that qualified as money transmission.

What we can conclude

If this is the government's playbook for Harmon and Helix, what can we likely expect for Sterlingov and Bitcoin Fog? First, we can expect the government to ensure that the jury hears the full scope of Sterlingov's ties, if any, to illicit activity, charged or uncharged, through the use of witness testimony, bank records, seized electronics and other evidence.

Second, it means that some potentially dispositive issues are likely already decided in terms of how the court will define key terms related to crypto mixing services and cryptocurrencies. As Sterlingov and his lawyers prep motions to dismiss, they are not likely to find success re-litigating the definition of "money" pursuant to the MTA or whether or not a mixing service is an MSB under federal law.

Still mixed up?

In the cat-and-mouse game of following illicit activity across the cryptoverse, mixing, chain hopping and other obfuscation techniques have become commonplace. But for those trying to read the tea leaves, one lesson should stand out: law enforcement is most concerned with those that are intentionally conspiring to launder the proceeds of crime. If the operator of a crypto mixer is conspiring with the administrators of darknet sites that profit from criminal enterprise, they could be staring into a whirlpool of arrest and criminal prosecution. The Helix case may very well provide a playbook for what to expect in Bitcoin Fog and beyond.
