Remember that time when you tried to transfer your life savings from one bank account to another for a small fee, but swapped the fee field with the total transfer amount field, and ended up losing all your life savings? Of course you don't. There are safeguards to catch and prevent these kinds of errors.
But this is a common occurrence in Bitcoin-land. Just two days ago, someone sent a transaction for 0.001 BTC (about 5 cents), with a 291 BTC (approximately $137,000) in fees. A lucky miner quietly collected a jackpot.
That fee is approximately 3 million times higher than it ought to be. So the question is: what happened?
Because the amount involved is so large, there were immediate accusations of nefarious activity and money-laundering.
Let's explore the two different techniques for making cash flows private in Bitcoin, and then use some help and new data from Dr. Christian Decker to rule out one of the possibities.
Bitcoin's unique structure allows people to hide their coin flows through a very creative mechanism that I have not seen discussed elsewhere. There is no counterpart for this in the regular fiat currency world, since the scheme involves collusion with the Mint. Here's how this scheme, MML, differs from your run of the mill money laundering.
Suppose I have some tainted coins. Suppose they came from someone or some activity I do not want to reveal publicly to the world, say, moonlighting as a PHP programmer. I need to transfer them from my left hand, where they sit tainted, to my right hand, through some mechanism that'll hide the fact that they came from my left hand.
The traditional way to do this in Bitcoin is to "tumble"  the money. This is where I mix the cash with some other people's tainted money to make tracing it difficult. You may have seen collection bags that go around churches, where you put a bill in your closed fist and stick your hand in the bag, so no one knows how much you put in or took out. Imagine that we come up with a (cryptographic) protocol where I donate some amount to the local church's collection bag, so do others (however much they desire), and after the bag has made it through the congregation, I stick my hand in again and take out exactly as much as I put in during the first round from the same collection bag. In essence, we swap our bills so as to throw off anyone who may have recorded the serial numbers and is watching the coins. That's, roughly speaking, what happens in tumblers, though the low-level details between coinjoin, bitlaundry and other similar services differ.
Tumbling makes it very difficult to trace the individual banknotes back to me. It's similar to the way crooks will often move money through multiple shell organizations, divvy it up and restructure it to make financial tracing difficult. You may, perhaps, have heard of Panama Papers, where some of the companies involved exist solely to make it difficult to audit the cash flows.
Tumbling is also not necessarily nefarious: there are good reasons to tumble cash flows, such as financial privacy. If you don't want your employer, your friends or the merchants you visit to discover your spending habits by examining the blockchain, tumbling is a useful operation.
But tumbling is not foolproof. I might end up with some of my own bills and still carry taint, especially if I'm the biggest game in town, trying to tumble really large amounts compared to the small fry at my church. Or I might end up getting tainted with someone else's dirtier money in the process -- it's one thing to carry PHP taint, it's another thing, on a day when the church has a shady visitor seeking absolution, to get tainted with the proceeds from blood diamonds.
So, overall, tumbling doesn't scale and it doesn't provide strong protection.
There's a much better way to launder bitcoins.
If I really want to erase all connection to past transactions recorded on the blockchain, I can just find a miner that I trust and let him mine my transactions with hefty fees. To the rest of the world, the miner looks like he's doing valuable work, mining my transactions, securing the distributed ledger. In reality, it's a rigged game, where I give my transactions, with fat fees totaling $X, solely to a designated miner for him to mine. In return, he collects the fees and pays out $X back to me, minus his cut. My payment is going to be with newly mined coins, the Bitcoin equivalent of fresh, crisp dollar bills straight from the Mint. There will be no white powder residue on these particular bills.
This is a brilliant way to launder money, because it leaves no trace on the blockchain. Miners, in effect, terminate and regenerate cash flows, the same way the US mint withdraws old and tattered bills out of circulation and reissues brand new ones. The only fly in the ointment is the need to trust the miner, but hey, people with these kinds of cash flows typically have what we in the distributed systems community would euphemistically call "exogeneous enforcement mechanisms."
One would probably structure the cash flow across many transactions, but of course, if someone gets impatient and wants to short-cut this process, they'd just send a single transaction with a mega-fee.
And there is reason to suspect this might have been what happened, because there are rumors (which we have not ascertained independently) that this transaction was being tumbled using the traditional tumbling technique when it suddenly evaporated into mining fees, raising eyebrows about potential MML.
Luckily, Christian Decker has been recording transactions on the Bitcoin blockchain, and we can pin down parts of the backstory using his data.
If anyone will engage in MML with ultra-large fees, and they don't want to take any additional risk, they'll do so by prearranging the deal with a miner they trust. They should send their mega-fee bearing transaction to their designated miner via a private channel, because if another miner gets their hands on a megafee transaction, they'll mine it, collect the huge fee and keep it.
It turns out that this transaction carrying a $137K megafee was seen on the public Bitcoin network a full two minutes before the corresponding block was mined. This suggests that miners had a fair shot at mining this transaction. It most likely was not part of an MML effort. By the same argument, this likely was not a directed gift to this specific miner, as it could have been collected by anyone.
There's still the small possibility that the miner may have pre-mined his block, but if that's the case, they took a risk by not announcing the block for a full two minutes, at least as observed from the vantage points of Dr. Decker's measurement apparatus.
Overall, the evidence is stacked high on the side of an unintentional error. This particular transaction most likely was not part of an MML scheme to launder the cash through a colluding miner. Instead, it is much more likely that there was an error of some kind, wherein the transaction amount and fee fields got swapped, perhaps in a script that was programmatically moving money around.
Now, that erroneous script may have been written to perform money laundering the traditional way via tumbling. But at least, subject to the provisos in the preceding section, we can clear the miner from complicity.
The particular lucky miner turns out to be a Chinese MLM operation. While there was some initial noise that the miner may voluntarily return the erroneous fee, these early indications came from affiliates in the MLM scheme who were speaking without authority. To date, there is no official word from the people in charge. It's not even quite clear who they are.
And even if the miner wanted to return the fee, it might be difficult for the sender to collect it. If the $137K needed to be tumbled, how does the rightful owner of the coins come out and claim them? The miner, if it's operating above-board, may have to book the incoming coins and deduct the payment as a business expense to balance their books. Depending on their jurisdiction, the recipient may have to provide a name and address, and of course, be subject to scrutiny. The owner could provide proof of address by signing a message with their private key, and the miner could just return the cash to that address out of the kindness of their hearts. Of course, the kind of script that swaps arguments by mistake may be the kind of script that does not write its keys out to a database, so the private keys may be long gone.
Or, you know, the miner could just keep the mega-fee. Wouldn't be the first time someone found a bounty and kept it.
After all, $137K is an expensive lesson on how to write good code, but it's still cheaper than a college education in the US.
|||Some people call these mixers, but the word "mix" is easy to confuse with Chaumian MIXes, so it's better to call them tumblers.|
|||Cash-Boycotts: How to Use Bitcoins for Social Change explores other creative uses of the traceability of bitcoins.|