
Police bust alleged operator of Bitcoin mixing service Helix

The guy who allegedly wanted to be the Dark Net’s “go-to” money launderer by acting as a “Bitcoin mixer” – soliciting cryptocurrency from crooks, slicing and dicing the coins, and then remixing them in an ultimately futile attempt to obscure their source – has been busted.

The US Department of Justice (DOJ) announced on Thursday that Larry Harmon, 36, of Akron, Ohio, has been indicted on three counts of allegedly running a Bitcoin mixer service called Helix from 2014 to 2017.

These services are also called Bitcoin tumblers, which is how Harmon allegedly referred to Helix in his sales pitch to the underworld. This is how the indictment summarizes Harmon’s alleged first post about his service in June 2014 – a pitch to convince criminals to pay him to hide their transactions from law enforcement:

Before launching Helix, HARMON posted online that Helix was designed to be a ‘bitcoin tumbler’ that ‘cleans’ bitcoins by providing customers with new bitcoins ‘which have never been to the darknet before.’

Harmon allegedly went on to promise that there was no way that law enforcement could tell which addresses are Helix addresses, given that the service uses new addresses for each transaction. His alleged “I’ll-scare-you-crooks-into-paying” followup advertising spiel:

No one has ever been arrested just through bitcoin taint, but it is possible and do you want to be the first? …Most markets use ‘Hot Wallets’, they put all their fees in these wallets. [Law enforcement] just needs to check the taints on these wallets to find all the addresses a market uses.

In short, “taints” are the trail left by bitcoins as they travel from wallet to wallet. Here’s a discussion about traceability from Stack Exchange.

Harmon’s Helix bitcoin mixer allegedly moved at least 354,468 bitcoin on behalf of customers: a sum that was valued at over $300 million at the time of the transactions and which is now worth about USD $3.6 billion. Most of those customers came in from Dark Net markets. Helix had partnered with AlphaBay – one of the largest Dark Net markets before law enforcement seized it in July 2017 – to provide bitcoin laundering for AlphaBay’s customers.

Harmon’s also been linked to “Grams,” a Dark Net search engine. Other Dark Net marketplaces that funneled funds to Helix included Agora, Market, Nucleus, and Dream Market, according to the indictment.

One of those bitcoin transfers led to Harmon’s bust. In November 2016, an FBI agent working undercover transferred 0.16 bitcoin from an AlphaBay bitcoin wallet to Helix. The tumbler mixed it up and exchanged it for an equivalent amount of “clean” coins, minus a fee of 2.5%. Those new coins weren’t directly traceable to AlphaBay, but that hasn’t stopped law enforcement in the past.

In January 2018, for example, researchers figured out how to unmask dark web markets’ buyers and sellers by forensically connecting them to Bitcoin transactions.

They didn’t unmask many, and, granted, those they did manage to identify made mistakes that were more common in the early, less careful days of dealing in cryptocurrency: they didn’t hide transactions using Bitcoin laundering services, for example, while some were none too scrupulous about using fake online identities that couldn’t be traced to personally identifiable information (PII).

Helix isn’t the first mixing service to go down in non-anonymous flames. A string of mixing services have eventually figured out that Bitcoin transactions aren’t fully anonymous. That’s why, in July 2017, the biggest mixer of the day – BitMixer – abruptly shut down.

Although BitMixer’s operator denied the connection at the time, its closure came fast on the heels of the shutdowns of the AlphaBay and Hansa dark markets. The reason why BitMixer closed up shop: it may have taken its operators a few years of operating, but they finally realized that Bitcoin doesn’t have additional protections for PII by design, not by omission.

BitMixer’s epiphany and shutdown came a week after Google and blockchain analysis firm Chainalysis – which markets a tool called “Reactor” to track and analyze the movement of Bitcoin – announced that they had managed to track ransomware payments, paid in Bitcoin, from end to end.

Some of those ransomware payments had been moved through Bitcoin mixers. That doesn’t mean that all bitcoin mixer payments are done for illicit purposes, mind you. In fact, Chainalysis said in August 2019 that most mix transactions are done for additional privacy.

In spite of that, 2017 was not a good time for mixers – many of which, like Helix, made their sales pitches directly to the “solidly illicit” crowd. In fact, BitMixer shut down three days after the DOJ shut down BTC-e: a fraudulent Russian cryptocurrency exchange that was handling 95% of all ransomware payments at the time and which itself relied on mixing services.

They can find you

Criminals seem to think that the Dark Net and cryptocurrency have a lot more opaque nooks and crannies than they do, the FBI suggests. Here’s a statement from Special Agent in Charge Timothy M. Dunham of the Criminal Division of the FBI Washington Field Office:

The perceived anonymity of cryptocurrency and the Darknet may appeal to criminals as a refuge to hide their illicit activity. However, as [Harmon’s arrest] demonstrates, the FBI and our law enforcement partners are committed to bringing the illegal practices of money launderers and other financial criminals to light and to justice, regardless of whether they are using new technological means to carry out their schemes.

