Image by eXploration Etoile via License: Creative Commons

Last week ended with a hard blow to the privacy of Bitcoin users: the two founders of the privacy wallet Samourai were arrested in the USA. Because the lawsuit also rearranges what Bitcoin wallets are allowed to do, other wallets are already turning their backs on the “land of the free”.

On May 25, the New York Attorney General’s Office announced the arrest of Keonne Rodriguez, 35, and William Lonergan Hill, 65. The two US citizens founded Wallet Samourai. They are now charged with operating an unlicensed “money transmitter” and orchestrating the laundering of more than $100 million.

Anyone who is interested in Bitcoin and privacy should be familiar with Samourai. The wallet, founded in 2015, is explicitly intended to improve the privacy of Bitcoin users. The developers have integrated two features for this purpose, Richochet 2017 and Whirlpool 2019. Because of these two tools in particular, they are now facing a prison sentence of up to 20 years for incitement and aiding and abetting money laundering.

However, another point of complaint could be more explosive: Hill and Rodriguez are accused of operating as “money transmitters” without a license. With this point, the indictment redefines the “money transmitter,” a company that receives and spends money on behalf of its customers, in a disturbing way—and this will have consequences that reach far beyond Samourai and other privacy wallets.

But let’s start with the more obvious facts before we get back to it.

Ricochet and whirlpool – not illegal in themselves

Samourai gives users two tools to improve their privacy: Ricochet allows additional transaction jumps to be inserted, which makes it more difficult for exchanges to provably trace the sources from which Bitcoins come.

Whirlpool, on the other hand, is a decentralized mixer. Users can put the Bitcoins in their Samourai wallet into a pool and withdraw them from it. Ideally, an external observer cannot connect deposits and expenditures, and if they can, then only with difficulty and with a high degree of uncertainty.

First of all, there shouldn’t be anything illegal about it. Developing and managing software is not illegal under current laws and regulations in either the EU or the USA. Therefore, neither hardware wallet manufacturers nor software wallet developers fall under a regulatory regime, and there is a relatively wide consensus that it should remain that way.

Without further allegations, the prosecution is likely to be quite fragile.

With a server knowingly allowed money laundering

The Samourai developers apparently did not draw the line between software and service clearly enough. Both Whirlpool and Ricochet involved a central server. At Whirlpool he managed the liquidity pool and at Ricochet he composed transaction chains.

Both servers were operated by the Samourai team, the developers received fees from both, a total of three from Whirlpool and one million dollars from Ricochet. Part of the developers’ income is stored as liquidity in Whirlpool, where they generate further income from fees.

So by running a server, Samourai became an active participant in transaction obfuscation. By also collecting fees, it did so with entrepreneurial intent.

Making matters worse for Samourai is that the founders apparently knew that their software was being used to launder criminal funds. They not only knowingly allowed this, but expressly encouraged it. They once welcomed new Russian oligarchs on Twitter after the EU and US imposed sanctions; another time, a Samurai developer explained in a private chat that they were focusing on black and gray markets; then they encourage Nazis to use their wallets, boast in promotional materials about deriving money laundering proceeds from black and gray markets, and so on.

The lawsuit accuses the two of failing to take action against him despite knowing about the abuse. One might assume that the development of software is not a criminal offense in itself, but it can be if the developer consciously accepts that it will be misused for criminal activities.

However, the main deciding factor is likely to be the operation of a centralized service and the collection of fees from money laundering. Anyone who actively provides services through which money is laundered and who also benefits from these services is engaging in money laundering.

However, both boundaries are vague, and one can only hope that the court process draws them as clearly as possible. Otherwise there is a risk of massive uncertainty.

Not a trustee, but still a money transmitter

What makes the lawsuit really explosive is a side issue: It also accuses Samourai of failing to register as a “money transmitter”. The lawsuit does not explain why Samourai is such a money transmitter.

Until now, there has been a strong belief in the crypto industry that in order to become a money transmitter, you have to exercise control over your customers’ money, i.e. act as a trustee. However, if you as a wallet do not exercise such trust because the users store the private keys themselves, you should not be a money transmitter and therefore not subject to the requirements. The legal self-image of many parts of the crypto industry is based on this rule of thumb.

The lawsuit against Samourai attacks this self-image: Samourai never had access to the users’ Bitcoins – but is still considered a money transmitter by the judiciary. As I said, why exactly is unclear, and here too one can only hope that a court case will bring about more clarity.

The close relative is already piling up

However, other Bitcoin startups have already gotten the message very well. The Wasabi Wallet, which like Samourai is committed to privacy, has announced that it will block citizens and residents of the USA. Americans can no longer access the website or download or use the wallet. All related products and services, such as API and RPC access, are also blocked. As an explanation for this, Wasabi cites “new announcements from US authorities” relatively briefly.

Wasabi has strong similarities to Samurai: it is a wallet that has an integrated mixer that runs over the actually decentralized CoinJoin process, but contains a central coordinator who earns a fee and is – I suspect – run by Wasabi itself. It’s easy to understand why Wasabi is getting cold feet about the lawsuit against Samourai.

At first glance, Phoenix has nothing in common with Samourai

Another case, however, is the Phoenix Wallet. This is a Lightning Wallet that is considered extremely user-friendly. Phoenix allows its users to receive money via Lightning without already having a Lightning Payment Channel. This is done through a kind of simulated channel from the Phoenix node.

This mechanism puts the wallet’s operator, the French startup Acinq, in a similar situation to Samourai and Wasabi: The wallet does not hold Bitcoins for its customers and never has access to their private keys – but it actively contributes to forming transactions and execute.

With this inherently non-fiduciary service, Phoenix goes a step beyond what other wallets, including hardware wallets, offer. The server doesn’t just query balances and forward transactions – it actively participates in forming transactions.

In any case, Acinq also seems to have understood the message from the USA. Shortly after the arrest of the Samurai developers announces Phoenix announced that it would remove the wallet from the app stores in the USA and recommends that all Americans completely empty the wallet.

The rules of the game as to when a wallet is regulated in the USA are apparently currently changing. The Samourai wallet was an easy first target because of its apparent willingness to facilitate money laundering. But most likely not the last.


Leave a Reply