Privacy business: the impossible equation?

Is it still possible to develop business around privacy in cryptos? One might doubt it, given the number of cases in which specialist developers have come under pressure from numerous states.

On 24 April, it was the turn of the creators of Samourai Wallet, Keonne Rodriguez and William Lonergan Hill, to be arrested in the United States.

Samourai is a wallet well known to the bitcoin community. It allows a layer of anonymity to be added to transactions. The mobile application (now removed from the Apple and Google stores) relies on a "mixer" called Whirlpool. A blender mixes several transactions together to break the link between the sender and the recipient. Once the operation is complete, it becomes much more difficult to trace the transactions on the blockchain.

According to the US Department of Justice, Samourai Wallet allegedly facilitated more than $2 billion in transactions considered "illegal" and helped launder nearly $100 million linked to "criminal activities". The two developers face up to 25 years in prison.

This case is not unlike Tornado Cash, which led to the arrest of its lead developer Alexey Pertsev in the summer of 2022. Tornado Cash offers virtually the same thing as Whirlpool, but on Ethereum. The Dutch courts have requested 5 years' imprisonment for Alexey Pertsev and his trial began last week.

"The arrest of the members of Samurai Wallet confirms once again that the authorities are clearly targeting this type of tool, which is nonetheless essential for preserving a semblance of confidentiality on the blockchain," deplores Alexis Roussel, director of operations at Swiss start-up Nym, which has launched a communications network that guarantees the privacy of its users.

"We use a hammer instead of a scalpel" (Coinbase)

"Contrary to the idea regularly spread by its detractors, Bitcoin was never designed to guarantee the privacy of its users," insists Frédéric Ocana, ethical hacker and director of the cybersecurity programme at the Banque de France from 2017 to 2021. "It's mainly a tool that allows you to carry out unthinkable financial transactions outside the banking system," he explains.

According to him, cryptocurrencies are easily traceable and it is this that has spawned the creation of tools such as mixers to offer their users more privacy, starting with Bitcoin Fog from 2012, Blender in 2017 and more recently Tornado Cash or Whirlpool.

"Large companies will always have the means to develop tools to manage their privacy, which is far from obvious for individuals," notes Alexis Roussel. Hence the existence of a business aimed at them. And some crypto projects also see an interest in this. "If one of your wallets is leaked on social networks, a blender allows you to regain some discretion", confides one project owner.

The problem is that cryptocurrency blenders are also used by criminals, starting with the Lazarus hacker group (close to the North Korean government). According to the investigator ZachXBT, who is highly reputed in the ecosystem, he is said to have managed to launder the equivalent of $200 million between 2020 and 2023, using mixers in particular.

Should they be banned and their developers thrown in jail as a result? For some perfectly respectable companies such as Coinbase, "we use a hammer instead of a scalpel", she indicated in a post published on her website in September 2022.

"We have no problem with the Treasury punishing bad actors and we take a firm stance against illegal behaviour. But in this case, the Treasury has gone much further by sanctioning an entire technology instead of specific individuals. The problem is twofold: there are legitimate applications for this type of technology and, as a result of these sanctions, many innocent users now have their funds blocked and have lost access to a crucial privacy tool", abounds Coinbase.

The angles of attack used by the authorities

Most often, developers are accused of mixing cases of money laundering, but also of operating a money transfer business (Money Services Business - MSB) illegally.

This licence is issued by regulators to businesses considered to be providing services for the conversion or transmission of financial flows.

"Except that the regulatory scope of this licence is unclear," Laurent MT, a developer who worked on Samourai Wallet, tells The Big Whale. "Until Tornado Cash, the rule for not being outlawed stipulated that the entity behind the mixer should never take control of the funds", he adds.

In the case of Tornado Cash and Samourai, the authorities accuse them of having levied transaction fees and therefore of having indirectly benefited financially from money laundering operations. In addition, they also believe that as money transfer companies, Samourai Wallet and Tornado Cash should have fulfilled their duty to combat this practice.

"This angle of attack denies the principle of neutrality of these technologies", worries Laurent MT. "A developer doesn't have to fulfil the role of the police, this confusion makes me think that they are prepared to do anything to prevent the proliferation of tools that they still know little about", he insists.

Prove your bona fides to the regulator

So what can you do to avoid going to prison? "The main thing is to prove your good faith to the regulator, while taking care not to provoke them," says Frédéric Ocana.

In the case of Tornado Cash or Samourai, this will involve demonstrating that their operation is not optimal for laundering funds. In fact, to be as effective as possible, Whirlpool recommends leaving its funds inside the blender for as long as possible to ensure that they are thoroughly mixed. However, this is precisely what a criminal wants to avoid.

"When a player is looking to launder funds, they need to do it as quickly as possible in a 'go fast' manner to get the stolen sums outside the scope of any seizure," explains Frédéric Ocana. "This is one of the reasons why the schemes used by Lazarus left a huge amount of trace despite their use of mixers", he continues.

Will this convince the courts? Not so sure...

"In the end, the safest approach is certainly to draw inspiration from Bitcoin's design, i.e. to publish a totally decentralised protocol and not to collect any revenue from it", stresses Laurent MT. But without the promise of future revenue, this will limit the incentives for developers to create new software of this type...

"I'm not optimistic about the approach of states to privacy. The transparency of blockchains and the ability to exchange funds without intermediaries is shaking up certainties. This is what should motivate the authorities to punish very harshly those who have developed software that brings confidentiality to financial transactions", Alexis Roussel concedes.