Samourai Wallet shutdown: Implications for other privacy and self-custody tools

Cointelegraph Research explores the implications of U.S. prosecutors’ case against the founders of the Samourai Wallet, which featured a mixing service allegedly used for money laundering.

The closure of cryptocurrency mixer Samourai Wallet and the arrest of its co-founders have far-reaching implications for the sector. Cointelegraph Research unpacks the in-depth details of how Samourai Wallet worked, why United States authorities shut it down, and what this could mean for privacy and self-custodial cryptocurrency tools.

The indictment of Samourai Wallet’s founders

Samourai Wallet co-founders Keonne Rodriguez and William Lonergan Hill were arrested on April 24 and charged with money laundering and operating an unlicensed money-transmitting business.

Rodriguez, the CEO of Samourai Wallet, pleaded not guilty and was subsequently released on a $1 million bond. Meanwhile, Hill, who served as the chief technology officer, is awaiting his extradition to the U.S. from Portugal, where he was apprehended.

Following the indictment, the Federal Bureau of Investigation released an announcement warning Americans against using cryptocurrency money-transmitting services that are not registered as money services businesses. To some, this suggests that U.S. regulators may attempt to make money transmitter licenses mandatory for non-custodial cryptocurrency tools in the future.

How Samourai Wallet worked

Samourai Wallet offered privacy-enhancing features that set it apart from standard wallet applications, including Ricochet, which added intermediary transactions between the sender and the recipient, and an implementation of CoinJoin called Whirlpool.

CoinJoins are transactions that pool inputs and outputs from several parties in a way that obfuscates who might own an unspent transaction output (UTXO). Most commonly, several users contribute identically sized inputs to a CoinJoin transaction and receive one of a set of identically sized outputs. This makes it difficult for blockchain analysts to trace the ownership of funds after they have passed through a CoinJoin.

Whirlpool, the CoinJoin service run by Samourai Wallet, relied on a coordinator server to facilitate the construction of these transactions. Each user’s wallet would initially submit both an input address and a blinded output address to the server.

The wallet would then reconnect to the server through a fresh Tor circuit and anonymously reveal the unblinded version of the output address. This procedure allowed the server to verify that the output address belonged to a valid participant without knowing exactly which input they contributed.

The CoinJoin transaction would then be constructed and signed by all participants. Samourai Wallet planned to increase its decentralization by switching to a decentralized coordinator.
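
The register-then-reveal step described above can be walked through in code. This is an added example, not Samourai's code; it assumes the blinding is a Chaum-style RSA blind signature (the article does not name the scheme), and the toy key, function names, input ids and addresses are all constructed for illustration.

```python
import hashlib
import math
import secrets

# Toy coordinator RSA key built from two Mersenne primes (constructed, insecure size).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the coordinator

def h(addr: str) -> int:
    """Map an output address to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(addr.encode()).digest(), "big") % N

def blind(addr: str):
    """Wallet, first connection: hide the output address behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return h(addr) * pow(r, E, N) % N, r

def sign_blinded(blinded: int) -> int:
    """Coordinator: sign the value registered next to an input, never seeing the address."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Wallet: strip r, leaving an ordinary signature on h(addr)."""
    return blind_sig * pow(r, -1, N) % N

def verify(addr: str, sig: int) -> bool:
    """Coordinator, second connection: does the revealed address carry its signature?"""
    return pow(sig, E, N) == h(addr)

def candidate_inputs(addr: str, log: dict) -> list:
    """Inputs the coordinator's own log cannot rule out as the owner of addr."""
    m_inv = pow(h(addr), -1, N)
    out = []
    for inp, blinded in log.items():
        r = pow(blinded * m_inv % N, D, N)  # a blinding factor that would explain this entry
        if h(addr) * pow(r, E, N) % N == blinded:
            out.append(inp)
    return out

def run_round(outputs: dict):
    """outputs maps a constructed input id to its owner's constructed output address."""
    log, revealed = {}, []
    for inp, addr in outputs.items():
        blinded, r = blind(addr)
        log[inp] = blinded  # all the coordinator stores per input
        revealed.append((addr, unblind(sign_blinded(blinded), r)))
    secrets.SystemRandom().shuffle(revealed)  # reveals arrive unordered and anonymous
    return log, revealed
```

Every revealed address verifies, yet `candidate_inputs` returns the full participant set for each one: a valid blinding factor exists for every logged entry, so the log alone gives the coordinator no way to pair an output with an input.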

Accused of operating an unlicensed money transmitting business

18 U.S. Code § 1960, under the title “Prohibition of unlicensed money transmitting businesses,” applies to “whoever knowingly conducts, controls, manages, supervises, directs, or owns all or part of an unlicensed money transmitting business.” While this clause does not offer a definition of what it means to be a money transmitter, it highlights that the extent of control over the money transmission is essential to be charged under the statute.

Samourai Wallet was a self-custodial wallet and could not control funds or conduct transactions on behalf of its users. However, had it chosen to do so, it would have been capable of pre-screening transaction inputs for its CoinJoin service. This would have allowed it to prevent Office of Foreign Assets Control-sanctioned addresses from engaging with its CoinJoin service — an approach that Wasabi Wallet chose.

In an opposition made in the case against fellow cryptocurrency mixer Tornado Cash by the U.S. District Court for the Southern District of New York, the definition of a money transmitter was given as “any other person engaged in the transfer of funds.” The court argued that having control over the transferred funds is not required for a business to be a money transmitter.

It also cited the Merriam-Webster online dictionary for the definition of “transfer” as “conveyance of right, title, or interest in real or personal property from one person to another.” However, this definition cannot be straightforwardly applied to a CoinJoin transaction, as no funds (with the exception of fees) change hands.

Interestingly, Samourai Wallet had a privacy tool for payments from one person to another. The feature, called Stowaway, was an implementation of PayJoin that let two wallet users collaboratively initiate a transaction that mixes the coins and masks the payment amount. However, Stowaway was offered free of charge and had a low number of users, which is likely why it was excluded from the indictment and did not arouse interest from the Department of Justice.

The profits that Samourai Wallet generated from the operation of Whirlpool may indeed hold key legal significance. In the aforementioned opposition, the court also argued that Tornado Cash “offered the same service to customers as other businesses that courts have held to be money transmitters” and that its founders “paid for and exercised control over critical components of the service [...] and [...] reaped substantial profits from the service,” suggesting that a service that extracts profit from facilitating crypto transactions is deemed a money transmitter business.

The importance of proceeds generated from the CoinJoin service is also echoed by Financial Crimes Enforcement Network guidance, which says the suppliers of software that makes transactions untraceable are deemed anonymization service providers but not money transmitters. However, if an entity uses the software to “engage as a business in the acceptance and transmission of value,” it is deemed a money transmitter. Here, business is interpreted as an “ongoing enterprise carried out for financial gain.”

Money laundering charges

Both Samourai Wallet founders are also facing charges for money laundering, which can result in prison sentences of up to 20 years. According to 18 U.S. Code § 1956(a)(1), in order to be charged with money laundering, “a defendant must conduct or attempt to conduct a financial transaction, knowing that the property involved in the financial transaction represents the proceeds of some unlawful activity.”

Samourai’s founders advertised the platform as a tool for “Dark/Grey market participants,” suggesting that they not only knew about but also encouraged the flow of illicit funds. However, they could not conduct any financial transactions in a strict sense, as they were never in control of funds. 

The indictment states that “Samourai […] operate[d] a centralized server that […] create[d] new BTC addresses used during the transactions.” However, this is factually inaccurate since the users’ wallets generated the addresses themselves, as explained in this article’s first section. The server could only verify that the address submitted for withdrawal was provided by one of the participants of the Whirlpool but could not match the sending and receiving wallets.

The accusations against Samourai Wallet indicate that the prosecution is attempting to extend legal responsibility for laundered funds to non-custodial products if the deployment of server infrastructure is involved.

In the Tornado Cash opposition, the conspiracy to commit money laundering was also said to be evidenced by “(i) t[he defendant’s] ongoing payments to host the website after becoming aware that it was being used to launder criminal proceeds [and] (ii) [the] payment for traffic between the UI and the blockchain to process transactions that they knew involved criminal proceeds.”

As such, it seems to be implied that non-custodial Bitcoin (BTC) wallet providers can be convicted of money laundering as well if they run a node and host a front end, provided that they are aware of illicit activities being conducted through their wallet.

At the same time, if a project simply consists of code hosted on a Git repository, then the distribution of privacy tools is protected by First Amendment rights in the United States. This is due to a legal precedent from 1996, namely Bernstein v. U.S. Dept. of State. In the case, Daniel J. Bernstein challenged regulations that required him to obtain a government license in order to publish and distribute his encryption software. The court ruled in favor of Bernstein, holding that computer code is a form of expressive speech protected by the First Amendment.