95 comments

[ 3.8 ms ] story [ 198 ms ] thread
This is an interesting piece, and it highlights one problem I’ve noticed with crypto in general recently, which is that these kinds of investigations are largely being carried out by private entities who build platforms around this type of forensics without any real ability to go after the exchanges that have permitted this laundering.

Between this and Bitfinex refusing to submit to an external auditor and other events, I have a hard time trusting the big crypto players any more than I trust the big banks. Wasn’t that whole point of these coins to begin with?

It seems like the assumption that the problems with the current financial system stem from centralization isn’t holding up, at least when it comes to the administration of these big exchanges. They’re still running into many of the same problems that big banks have, and frankly they’re not doing any better of a job.

Are there any authorities that help track down stuff like this now? If you can pay taxes on it you'd think the police would help investigate a theft.
Last I had heard the FBI and Royal Canadian Mounted Police were investigating the QuadrigaX situation so it definitely happens.

It seems law enforcement doesn’t really have the time (and maybe lacks the interest/expertise) to investigate most cryptocurrency cases until they become major news.

yes, plenty. national authorities are fully capable and familiar with crypto currency transactions and how to request coordination to subpoena foreign exchanges.

its happened plenty of times and funds have been recovered, its usually in Department of Justice press releases and an associated court filing. Other times you can just talk to people that were involved in an investigation. Not really news, stuff happens way after the event.

On one hand, the authorities are mocked for incompetency (see recently: surveillance cameras on the open internet, 26-year-old EMT shot by police raiding the wrong home) and yet we expect them to handle cases like this? This seems like a double standard. Is there a solution?
Yes.

You should assume the government will always have a lot of incompetence and abuse in the application of its power.

So give government as little power as possible.

I would rephrase that to "give government as little power as necessary."

If you give government as little power as possible, because you believe all government is maximally incompetent and abusive, you might as well just do away with it altogether and have anarchy.

Allowing a government at all implies at least some trust that government can have some positive societal effect.

There are going to be both competent and incompetent people in any sizable organization.

I don't think it's fair to use extreme examples like that EMT getting killed as a generalization of the incompetence of "authority". In that case, it's more like a couple of trigger-happy police officers severely abused their rights.

The authorities don't want it to succeed. They want a bunch of "I told you so's" to justify shutting it down
I think you've hit on the core reason cryptocurrencies aren't going to take off as currencies. They've taken the governance aspect previously enacted by the federal reserve and enforced through the banks and replaced it with a shadowy cabal of exchange owners.

Ultimately I think it's a people problem that can't be solved through technology. But cryptocurrency does happen to be quite useful for money laundering...

Decentralized exchanges exist for the more sophisticated cryptos (e.g. Ethereum).
Sure, but you will never be able to get out fiat currency from a decentralized exchange (which is what most people want).
Sure, but you can use something like LocalCryptos[1] to facilitate such a trade (which, in the case of Ethereum, has escrow that happens on the blockchain). There's still a middleman (if needed), but with a reputation system, they generally are not required.

The whole idea of cryptocurrency is that one day you won't need fiat because all txs will be happening in crypto, so not exactly a dealbreaker for the concept. In fact, it kinda proves the concept – when fiat is involved, you need middlemen. With pure crypto, you do not.

1: https://localcryptos.com/

Also for bitcoin- based protocols (Block DX)
If the main purpose is money laundering, then perhaps cryptocurrency is good enough for those players? Maybe shady cabals are easier to deal with than governments, downsides included.
(comment deleted)
You definitely don't need to trust these players most of the time. Your coins can sit in an offline wallet out of their reach for the majority of the time.

What you use them for is liquidity. Since you probably won't find a private party to buy/sell from. Realistically if you want to buy, or sell coins you have to go through one of them. And yes that kinda sucks because none of them are trustworthy., so you have some amount of risk there.

The larger problems comes from the risk they inject in the market just by existing. They will be hacked, fail KYC, or straight up scam exit with all their customers money and that will impact the value of the market as a whole.

For my risk tolerance, crypto is completely uninvestable

> You definitely don't need to trust these players most of the time. Your coins can sit in an offline wallet out of their reach for the majority of the time.

In a sweet bird-bath somewhere, no doubt.

Who says security through obscurity doesn't work?
>The larger problems comes from the risk they inject in the market just by existing. They will be hacked, fail KYC, or straight up scam exit with all their customers money and that will impact the value of the market as a whole.

Have you heard of Lehman Brothers? Enron? Madoff? The vast majority of scammers, criminals still use fiat. By your reasoning that would make fiat more risky.

>For my risk tolerance, crypto is completely uninvestable

It’s not really an investment. Many fiat currencies have collapsed before. IMO, risk of holding BTC was much greater when it was $1 compared to now, and as it keeps maturing and... existing... the risk is going to keep moderating.

It's for speculation and to get rich quick. That's how myself and a bunch of millennials used it. We had digital money beforehand, it's way easier to use than cryptos, and I get a legal safety net.
It may be useful to citizens of countries whose currency is about to collapse, or with strict currency controls.
A global currency, as administered by a global govt, would be better.

Einstein is often quoted as saying "The only way to world peace is with world government"

It would have to have ultimate say and the power to enforce, even against the US and China, with a globally elected reps & pres.

you seem to be conflating like 5 issues at the same time, elevating crypto to a fictional higher standard for areas it wasn't made to excel in.

"crypto" isn't acting differently here because this article is about centralized financial institutions.

and then there are expectations of those centralized financial institutions that are higher than non-crypto centralized financial institutions, simply because we can partially trace the destination of the funds

ironically, the only reason we can even do this is because of the hacker not following best practices, and the exchanges not following best practices. exchanges should be rotating addresses upon every deposit, and there should be no way of knowing that an address belongs to an exchange.

the hackers actually might be following some normal money laundering best practices, without taking into account how to improve them with crypto. the accounts they send the funds to may not actually be in their control. Like the funds may have changed physical owners through invoices and real services, and simply following onchain transfers won't tell you anything except "look ma, BLOCKCHAIN!". The new physical owner sent their address and that dumb person got their funds frozen because it was a custodial centralized exchange flagging origin transactions.

So the reality is that these investigations don't show anything, except try to advertise their work to get government contracts or private plaintiff's lawyers to pay them.

Not your keys, not your coins™ -- with that as the core philosophy of cryptocurrency, can you even say this was stolen, let alone laundered?

It sounds like the person with the keys transferred the coins into another wallet.

Resolved: behaves correctly. At least, as intended anyways.

That makes sense. I guess that seems to somewhat conflict with the concept of the exchange as a service, at least for how laypeople understand currency exchanges in general. It wouldn’t surprise me if most people with exchange accounts don’t understand that coins not in their own wallet aren’t actually theirs. The exchanges don’t really make that clear to their users either, at least the ones I’ve used.
It turns out people want centralization :) I'm sure users mostly understand it but they give the keys away anyway.

Core tenant of cryptocurrencies is purely anti-human

Can crypto be simultaneously anti-human [nature] and yet pro-user [intent]? Can the pain points of crypto be smoothed to make them pro-human [nature] without losing the qualities that make them pro-user [intent], supposing that they are pro-user [intent]?
What about the situation, "I paid them, but they never delivered?".

How would wage garnishment, as ordered by the courts, work? (This is the main one that needs answering because it is a simple example of the hardest anti-human problem that goes against core blockchain philosophy... reversing or forcing transactions)

To me that seems both too high a bar and making the perfect the enemy of the good. It’s asking too much of crypto specifically because the same complaint can be leveled against undeclared cash as you are leveling against crypto in your wage garnishment scenario. A hypothetical worker paid cash wages by a cash only business could in theory fail to divulge their full wages and thus fail to comply with a wage garnishment order. However, that is the status quo. To solve it is to solve it for all kinds of undeclared income, crypto included. For that reason I think that the current wage garnishment system is to blame for its own failings; it is also the moral failing or civil disobedience of the scofflaw which allows this situation as much as the existence of crypto. You may as well blame cash for the problems of crypto, and for the problems of wage garnishment evaders.

As to how you are making the perfect the enemy of the good: your complaint fails to specifically apply to cryptocurrencies in general or to any specific crypto for the same reasons it fails to apply to cash specifically. That cryptocurrencies cannot mitigate the market failings of cash is not a failure of crypto or of cash. It is no failure at all because cryptocurrency never sought to solve that which you perceive as a fault. The problems you raise may be very real problems in society, but they are not a problem that is in-scope for crypto developers to solve or mitigate. That’s more of a problem for crypto custodians and their customers.

This is very confusing and I don't follow
How is cryptocurrency worse than cash for complying with court orders? If cash is no better or worse than cryptocurrency in regards to complying with court orders, then why single out cryptocurrency?
Nobody gets paid their salary with cash for a reason...
Small businesses, strip clubs, public houses and bars, restaurants and their staff, handymen, private cleaning and janitorial staff, groundskeepers and lawnmowers, etc in every country in the world are innumerable counter-examples to that assumption.
Many of those are fringe cases, and many more are moving (or have already moved) to digital payments. Square took food trucks, restaurants, handymen, lawnmowers, etc, on to credit card payments. Janitorial staff probably get paid through payroll the majority of the time.

Sweden even got to the point nobody was accepting physical cash in the first place.

These fringe cases exist and are people too, not “nobody.” Cash still exists too. So do cryptocurrencies. Arguments against cryptocurrency that also apply to cash are obvious and uninteresting. That was my point.
That doesn't solve the general problem of complying with legal orders.

For example, how would escrow help with wage garnishment, suing a company and winning, or generally forced transactions by court order?

Not who you are replying to, but I answered and addressed those claims in a sister comment, here:

https://news.ycombinator.com/item?id=23199291

You keep saying you answered but you have not. That is very unclear and just throwing around words.

You haven't understood the idea and instead hang on to narrow focus around cash, which had nothing to do with the argument, because most people have digital money that goes through institutions. Using fringe cases to justify the common is the wrong way around.

If your argument against cryptocurrency could also apply to cash, why don’t you also say so? My point is that cryptocurrency has aspects of digital assets and cash assets simultaneously. So if your argument equally would apply to cash, which is commonly used, then I think it’s worth pointing that out.

Also, I don’t agree that my writing is unclear. I find your dismissal unjustified by your arguments. I simply bring up a counter-example to your argument with cash. You saying it is fringe and beside the point is not an argument. To then criticize my writing is to miss the point I was making. I don’t find that you are debating in good faith when you make personal attacks on quality of writing when your own argument hasn’t been made or won.

You haven't clearly replied to the scenario I presented and have rather used this cash analogy (and idea that if I don't address cash than the question is invalid) to continually deflect from from having to answer the original question and how it applies to cryptocurrency.

Cash is a bad analogy because it is the only widely used currency, it defines what we mean by currency, and it has always been a part of modern history in some form. Cryptocurrency has fundamental differences from a digital, public, immutable ledger.

So if you'd like to get back to the original questions, I'd be happy to continue this discussion.

However if your only defense for cryptocurrency is "cash does it too so we don't have to talk about it" then we can stop here.

I’m not advocating for or defending cryptocurrency. I’m asking questions to clarify what it is you are asking. I don’t see why you think I am deflecting. Asking questions is as old as the Socratic method.

If you don’t think analogies to cash are a good answer to your questions, please restate your question. I’m not using cash as an analogy, I’m using it as a counter-example in the monetary marketplace that proves that different monetary instruments have different properties, some of which are inherent to the medium of exchange. I want to know why you think cash isn’t a good answer to your questions. I also am curious why you think cryptocurrency is a bad answer to your questions, if indeed you do.

as expected...

I asked a question about how an immutable ledger, with public consensus, deals with the reversal transactions as ordered by the rule of law. Do you have an answer for that?

I think you misunderstand, by thinking in terms of nature vs intent you are already anti-human.

Remember, Users are Humans. Unless you want to let your cat buy cat food using cryptocurrencies?

What I mean by anti-human, I am referring to the concept that to cryptocurrencies, people don't matter, their wishes, emotions, lives don't matter, the only thing that matters to cryptocurrencies is the algorithm and the principles.

I would say that is more ahuman than anti-human, in the same way one can be an atheist rather than a theist. Cryptocurrencies don’t have any regard or deference to humanity, because they lack agency. How then could they rise to become anti-human rather than simply ahuman?
I don't think there is anything fundamental about cryptocurrency that would make them entirely immune to theft.

You can both believe that the blockchain is working as intended and that the coins were stolen.

I don't disagree although the system philosophically, at it's core, has no concept of theft, of permission, or reversal. Keys = coins.
> Keys = coins

Exactly... and if you steal the keys, you are stealing the coins.

Can you steal keys? Can you "steal" a song? Is it a copyright issue? IP issue? I'm genuinely curious what this concept maps onto.
Yes it's like stealing a credit card number or generating one.

Can someone steal your password?

Keys have value, they are not yours, you take them, you stole them.
It's a bit of a flexible concept when it comes to IP and it's not a clean mapping.

If I "steal" a song that you wrote by downloading it, you can still listen to it of course. This is what the pedants love to argue against. The law doesn't call this theft AFAIK, but there are separate laws.

However a producer has lost something - the right to control who listens to it. The right to control how it is listened to, the right to an income from your creation. Various other things that people may or may not agree with but exist in law.

So, to be lazy, non-legal people say they stole the song instead of all this.

This applies to a lot of things such as crypto keys. Knowing the key doesn't remove the key from you. But I have removed control - you can no longer prevent me from taking your tokens/value. It is much like a stranger having a key to your house without your permission. They might never use it. You probably don't want it to be an ongoing situation though.

well, when you place cryptocurrency with an exchange, you're giving them the keys, no one's stealing anything.
The law generally makes a distinction between voluntary parting, which usually maps to “here, take my $thingy and use it, bring it back when ya done” and then not having it returned as expected.

And theft, which usually maps to taking something that belongs to another person, without their consent, and keeping it with no intention of giving it back to them.

Which one of these categories do you believe your example falls in to?

How does inserting the word cryptocurrency change your perspective?

The same as when you put money in a bank, you're giving them money, no one's stealing anything.

Until they don't give it back. That's the important part.

Banks, especially big established ones that have been around for hundreds of years, are well established businesses that work hand-in-hand with the government to ensure safety of both a country's economy as well as the bank account of individuals.

Got your credit card stolen and someone makes fraudulent purchases? Go to the bank and let them know, and they can do a chargeback and perform an investigation for you.

Someone hacks your bank account and takes out all the money? Go to the bank and they will perform an investigation and follow well laid out procedures to try their best to recover the money, as well as work with the police to identify the hacker. Of course there is no guarantee they can recover your money but, they are experts are figuring stuff like this out and have many fail-safes in place to prevent a hacking attempt to happen in the first place.

But with crypto exchanges, not only are some of the basic securities measures not foolproof, more absurd stuff can happen. Several big exchanges had to file for bankruptcy due to getting their coins hacked away. And if you wants a totally nuts crypto exchange story, look up Quadriga.

I was just saying that freely giving up an item does not necessarily mean theft cannot later occur if that item is not given back. The parent suggested the keys were not stolen because they were given. I say they were stolen as soon as they were used without consent, much like a bank spending your money and not giving it back.

I'd say the last point about crypto is a feature, not a bug. A lot of proponents absolutely cheer on the fact that no individual, business, or government can come along and sweep up coins/tokens and hand them back through force if appropriate cautions are taken. This is unfortunately the other side of that. The idea of people using exchanges as a value store and not as a pass-through or escrow service has always confused me for that reason.

(comment deleted)
The law is capable of finesse in situations like: "I point a gun at your head and tell you to empty your bank account via ATM". Sooner or later, criminals are going to figure out that the weak link in crypto is the people, and all the secure wallets in the world won't save users facing physical violence.

There has to be a place for legal enforcement in this world; "blockchain is the final word" doesn't lead to a society people actually want to live in.

(comment deleted)
That’s certainly an argument that can be made, but not one that’ll fly if you want more adoption.
Isn't this just the main trade-off between centralized banks and decentralized crypto?

Like, if a bank is able to reset my password, how safe is it really ?

The bank is regulated externally, they do not have arbitrary control over how they treat you.

In fact, if you get hacked the bank will make you whole at their expense, which is quite a bit different from what happens in crypto.

it is like saying in the 90s: we don't need open protocols like pop3/imap, because AOL is centralized anyway

(fast forward today: yes, most people still use centralized gmail/outlook.com, but I still have a) the choice to host my mails and b) lower cost to build a service that compete with the big ones, as I don't need to part of the big-players to plug-in to the open "email-system")

In "crypto" centralized" companies are not required for most stuff inside crypto (mostly necessary to bridge the new with the old fiat system)

Although that 'open email system' isn't as open in practice, since most of the big providers aren't going to accept your email if you set up your own sender.
For example which ones? For past few years I'm using Mail-in-a-Box hosted on soyoustart and can't remember any problems when sending mail to big providers. I only had to check that IP is not in spam lists initially and asked to remove it from one of them.
running email for 15+ years here, going with ditto.

many ppl get el-cheapo vps on a low-tier network, setup some new domain on a dirty IP without proper DNS records (PTR, MX, yadda), and then parrot this

emails not the easiest thing, but it's not impossible either

Isn't this anathema to the whole blockchain-currency credo? It's all about no authority. Its all on you to keep your bitcoin secure. For better or worse.
In order for something to function as money, it must be fungible - every unit must be interchangeable. Bitcoin and many other cryptocurrencies lack a critical ecash property known as untraceability. This has attracted private analysis companies offering solutions for legacy identity-bound concerns even despite them being directly contrary to existing cryptocurrency conventions and desires.

Ten years ago the refrain was "Bitcoin is anonymous". These days exchanges and even cash-based ATMs want your identifying info. Ten years from now, every flow of value will be bound to a real world identity. If we're lucky, the coins that do have untraceability will survive.

This is exactly why they will fail. Most of us don't want anonymous money and even more shady financial institutions. Ok with it being tied to the real identity. I fully expect govt fiat on a blockchain before any wild west money ever talked off.
Anonymity in ethereum is rapidly accelerating. Currently the best option is an on-chain mixer [1] for set amounts, but fully anonymous transaction systems are going to launch relatively soon [2]. In two years, ether is virtually certain to be the most anonymous cryptocurrency and dai (dollar stablecoin) to be the most anonymous digital dollar in existence. Anonymous digital dollar has the potential to cause quite a stir.

Coins that aim to be fully anonymous (like monero) are, counterintuitively, much worse, because they lack plausible deniability. Optional (but large enough!) anonymity on a smart-contract platform allows it: you can manufacture fake profits on a dex using anonymous funds, and then claim you never anonymized your funds - you made a speculative profit (from a much smaller fully transparent seed fund). Many, many possibilities exist in this area.

[1] https://tornado.cash/

[2] https://www.aztecprotocol.com/

IMO, if Bitcoin had had untraceability, it would be in the exact same regulatory situation it is in today. That would be serious plausible deniability.

The mechanisms you're describing also happen to already be crimes. As soon as a system has any legible structure, regulators want to mount up. They don't care about perfect enforcement or even aiming for perfection, but rather just exerting control over most uses. I do hope untracability can be sustainably implemented at scale by the techniques you're describing, but we'll see. There are many more people thinking that tracing cryptocurrency transactions is a desirable thing.

Without complex smart contracts plausible deniability is much harder, because you have to use a centralized entity (like an exchange) to manufacture profits somehow, and that's much easier to regulate away. Not to mention more risky - exchanges like to lock coins pending kyc. Note that no purely cryptographic method exists that prevents you from provably deanonymizing your transaction.

I'm nearly certain the legal situation is eventually going to deteriorate to a point where if you can't prove the origin of your crypto funds, you can't sell them for external property (ie. not fully decentralized tokens) at all.

>Wasn’t that whole point of these coins to begin with?

The whole point was to have an open system where you dont place trust in or ask permission of someone to use. That still holds up in this scenario.

And governments can’t just print more of it at their whim.
falls under trustless
Government printing money is not a bad thing.

Printing money can be a bad thing if used improperly.

But generally having the government be able to print money in an emergency has many benefits.

This is why people should use P2P exchanges like Bisq or localbitcoins. The moment you transfer your coins to an exchange is the moment you lose control.
This isn't a cryptocurrency problem so much as a cyber crime enforcement problem. There is currently very little enforcement against cyber criminals originating in certain countries. Governments probably like it this way, so it won't change.
Exactly, now you see. The exchanges are also the enemy. Bisq is a start at trying to make something like Local Bitcoins WITHOUT a central authority. Coins that aren't centralized in a single location can't be stolen in the first place. Hence "Not your keys not your coins". People should take control of your coins, but that's difficult in practice. In this regard, the Bitcoin doesn't actually need new users--it just needs the users in the ecosystem that understand this. However, every halving there is a bull cycle that leads to the same ways that people lose money (exchange insolvency, loss of money on shitcoin speculation, exchange hacks). But, exchanges, who do all of the advertising in the space, don't want you to even think about that. At best, they think they actually have control and drink their own kool-aide.
Never heard of Bisq. Can you tell me more about what it is and how it works, and any connection to it you may have that you are comfortable or obliged to share?
> Bisq is a start at trying to make something like Local Bitcoins WITHOUT a central authority.

It wouldn't be an HN cryptocurrency post without slipping in a reference to your own shitcoin. lol.

Exchanges exist primarily to convert between cryptos and fiat. If cryptocurrency succeeds, then why would anyone need to convert to fiat?
It will stop when Binance et. al. are sued to hand back the stolen property.
Too bad this theft did not affect the founders of Ethereum like the DAO exploit did. Otherwise, they would have found a way to reverse this and get people their money back from the hacker, even if it meant changing the protocol and upgrading existing binaries.
A point one of the founders of Ethereum has made:

If you do not like a particular cryptocurrency, you can always use your own. Ethereum is an open source platform whose value, like paper money, is only the price that people are willing to pay for it.

The fact that losses can only be reversed if you’re sufficiently well connected to the developers is a major problem.
The losses were reversed because the system was exploited, not because someone had a close connection with one of the devs. Had they not forked the network right then and there they would only be facing more of the same in the future, reducing the reliability of ETH down to 0. No forks have been made since the incident, and I would hazard to say none of the devs are planning on forking anytime soon either.

I think one of the problems in this space is that people treat their addresses like bank accounts when they should be treating them like cardboard boxes. Sure, you can put your money in it, but you only keep your money so long as nobody finds your box. Therefore, you should make as many cardboard boxes as possible and spread your wealth such that breaking into any individual cardboard box is worthless, and breaking into all of them would take so much time it effectively becomes impossible.

In terms of securing keys, that's also a difficulty, but that's the price you pay for this sort of experience. Any entity that could reverse your losses could also make transactions on your behalf - ruining the point of decentralizing in the first place.

If I lose money because of a buggy contract, will the developers trigger a hard fork for me, or is it just the DAO who gets that consideration?
If you lost half a billion dollars like the DAO did, you would probably get that consideration, too.
That’s my point, if I lose a more paltry sum like my life savings, nobody will lift a finger to bail me out. It’s only if my losses are massive will the developers trigger a hard fork on my behalf.

“Code is law” only turns out to apply to those with small balances and poor connections.

Are these "stolen" events part of the laundering process? That is, are fake thefts used to obscure where the money goes?
I met a woman last year who I'm pretty sure was cashing out for a hack of a New Zealand exchange..

she didn't say it explicitly but she was getting 10% to cash out on Huobi for a group of IT students in Guangzhou China. One of the guys was an american and I think it was his job to find people to cash out. They were doing about 150k USD a week, and she was pretty sure there were others doing the same thing.

he told her they found a way to get free ETH.

I sent a message to the exchange that got hacked Cryptopia or something but they never got back to me