Remember that time when you tried to transfer your life savings from one
bank account to another for a small fee, but swapped the fee field
with the total transfer amount field, and ended up losing all your life
savings? Of course you don't. There are safeguards to catch and prevent
these kinds of errors.
Not your parents' laundry machine.
That fee is approximately 3 million times higher than it ought to be. So the question is: what happened?
Because the amount involved is so large, there were immediate accusations of nefarious activity and money-laundering.
Let's explore the two different techniques for making cash flows private in Bitcoin, and then use some help and new data from Dr. Christian Decker to rule out one of the possibities.
Sorting Different Kinds of Laundry
Bitcoin's unique structure allows people to hide their coin flows through a very creative mechanism that I have not seen discussed elsewhere. There is no counterpart for this in the regular fiat currency world, since the scheme involves collusion with the Mint. Here's how this scheme, MML, differs from your run of the mill money laundering.
The Old Boring Way: Tumbling
The traditional way to do this in Bitcoin is to "tumble" the money. This is where I mix the cash with some other people's tainted money to make tracing it difficult. You may have seen collection bags that go around churches, where you put a bill in your closed fist and stick your hand in the bag, so no one knows how much you put in or took out. Imagine that we come up with a (cryptographic) protocol where I donate some amount to the local church's collection bag, so do others (however much they desire), and after the bag has made it through the congregation, I stick my hand in again and take out exactly as much as I put in during the first round from the same collection bag. In essence, we swap our bills so as to throw off anyone who may have recorded the serial numbers and is watching the coins. That's, roughly speaking, what happens in tumblers, though the low-level details between coinjoin, coinkite, bitlaundry and other similar services differ.
Tumbling is also not necessarily nefarious: there are good
reasons to tumble cash flows, such as financial privacy.
If you don't want your employer, your friends or the merchants
you visit to discover your spending habits by examining the
blockchain, tumbling is a useful operation.
But tumbling is not foolproof. I might end
up with some of my own bills and still carry taint,
especially if I'm the biggest game in town, trying to
tumble really large amounts compared to the small fry at my
church. Or I might end up getting tainted with
someone else's dirtier money in the process -- it's one
thing to carry PHP taint, it's another thing, on a day when
the church has a shady visitor seeking absolution, to get tainted
with the proceeds from blood diamonds.So, overall, tumbling doesn't scale and it doesn't provide strong protection.
There's a much better way to launder bitcoins.
Miner-Money-Laundering (MML)
If I really want to erase all connection to past transactions recorded on the blockchain, I can just find a miner that I trust and let him mine my transactions with hefty fees. To the rest of the world, the miner looks like he's doing valuable work, mining my transactions, securing the distributed ledger. In reality, it's a rigged game, where I give my transactions, with fat fees totaling $X, solely to a designated miner for him to mine. In return, he collects the fees and pays out $X back to me, minus his cut. My payment is going to be with newly mined coins, the Bitcoin equivalent of fresh, crisp dollar bills straight from the Mint. There will be no white powder residue on these particular bills.
Hot, neatly lined up, and a fire hazard: laundry machines and Bitcoin miners have a lot in common.
This is a brilliant way to launder money, because it leaves
no trace on the blockchain. Miners, in effect, terminate and
regenerate cash flows, the same way the US mint withdraws
old and tattered bills out of circulation and reissues brand
new ones. The only fly in the ointment is the need to trust
the miner, but hey, people with these kinds of cash flows
typically have what we in the distributed systems community
would euphemistically call "exogeneous enforcement mechanisms."
One would probably structure the cash flow across many transactions,
but of course, if someone gets impatient and wants to short-cut this
process, they'd just send a single transaction with a mega-fee.
And there is reason to suspect this might have been what happened, because
there are rumors (which we have not ascertained independently)
that this transaction was being tumbled using the traditional
tumbling technique when it suddenly evaporated into mining fees,
raising eyebrows about potential MML.Likely Not MML
Luckily, Christian Decker has been recording transactions on the Bitcoin blockchain, and we can pin down parts of the backstory using his data.
If anyone will engage in MML with ultra-large fees, and they don't
want to take any additional risk, they'll do so
by prearranging the deal with a miner they trust. They should
send their mega-fee bearing transaction to their designated
miner via a private channel, because if another miner gets their hands
on a megafee transaction, they'll mine it, collect the huge fee and keep it.
It turns out that this transaction carrying a $137K megafee was
seen on the public Bitcoin network a full two minutes before the
corresponding block was mined. This suggests that miners
had a fair shot at mining this transaction. It most likely was
not part of an MML effort. By the same argument, this likely was not
a directed gift to this specific miner, as it could have been
collected by anyone.
There's still the small possibility that the miner may have pre-mined his
block, but if that's the case, they took a risk by not announcing
the block for a full two minutes, at least as observed from the vantage
points of Dr. Decker's measurement apparatus.
Mistakes Were Made
Overall, the evidence is stacked high on the side of an unintentional error.
This particular transaction most likely was not part of
an MML scheme to launder the cash through a colluding
miner. Instead, it is much more likely that there was an
error of some kind, wherein the transaction amount and
fee fields got swapped, perhaps in a script that was programmatically
moving money around.
Now, that erroneous script may have been written to perform
money laundering the traditional way via tumbling. But at least,
subject to the provisos in the preceding
section, we can clear the miner from complicity.What Happens Now
Miners keepers.
The particular lucky miner turns out to be a Chinese MLM operation. While
there was
some initial noise that the miner may voluntarily return the erroneous
fee, these early indications came from affiliates in the MLM scheme who
were speaking without authority. To date, there is no
official word from the people in charge. It's not even quite clear
who they are.
And even if the miner wanted to return the fee, it might be difficult
for the sender to collect it. If the $137K needed to be tumbled,
how does the rightful owner of the coins come out and claim them?
The miner, if it's operating above-board, may have to book the incoming
coins and deduct the payment as a business expense to balance their
books. Depending on their jurisdiction, the recipient may have to
provide a name and address, and of course, be subject to scrutiny.
The owner could provide proof of address by signing a message with
their private key, and the miner could just return the cash to that
address out of the kindness of their hearts. Of course, the kind of
script that swaps arguments by mistake may be the kind of script that
does not write its keys out to a database, so the private keys may be
long gone.
Or, you know, the miner could just keep the mega-fee. Wouldn't be the
first time someone found a bounty and kept it.
After all, $137K is an expensive lesson on how to write good code,
but it's still cheaper than a college education in the US.
Post a Comment