Samourai Wallet Shutdown: Impact on Other Privacy and Self-custody Tools

Hoorab

The arrest of Samourai Wallet’s co-founders and the subsequent shutdown of the cryptocurrency mixer have severe consequences for the industry. This article from Cointelegraph Research delves into the inner workings of Samourai Wallet, why US authorities shut it down, and the implications this has for privacy and self-custodial cryptocurrency solutions.

The Indictment of Samourai Wallet’s Founders

On April 24, Keonne Rodriguez and William Lonergan Hill, co-founders of Samourai Wallet, were apprehended and charged with running an unregistered money-transmitting company and money laundering. After pleading not guilty, Samourai Wallet CEO Rodriguez was freed on $1 million bail. Hill, who was CTO, is currently in Portugal awaiting extradition to the United States.

In a statement issued after the indictment, the FBI cautioned Americans not to use unregistered money services firms that transfer cryptocurrencies. This has led some to speculate that US regulators would shortly seek money transmitter licenses for cryptocurrency tools that do not require custody.

How Samourai Wallet worked

Compared to other wallet apps, Samourai Wallet stood out for its privacy-enhancing features, such as Ricochet (which introduced intermediate transactions between the sender and the receiver) and Whirlpool (an implementation of CoinJoin).

By combining the inputs and outputs of several participants, CoinJoin makes it difficult to tell who exactly owns any given UTXO. In a typical CoinJoin transaction, many users each give an identically sized input and receive an output of the same size. Because of this, evaluating the ownership of money after it has gone through a CoinJoin becomes a challenging task for blockchain experts.

To make these transactions possible, Whirlpool—the CoinJoin service that Samourai Wallet runs—used a coordinator server. When first connecting to the server, each user’s wallet provided two addresses: one for input and one for blinded output.

Afterward, the wallet would reconnect to the server via a new Tor circuit and disclose the output address without revealing its anonymous version. With this method, the server could confirm that the participant’s output address was legitimate even if it didn’t know the particular input they used. After that, everyone involved would build and sign the CoinJoin transaction. Samourai Wallet intended to further decentralize its operations by moving to a decentralized coordinator.

Samourai Wallet Shutdown: Charged with unauthorized money transmission

Whoever “knowingly conducts, controls, manages, supervises, directs, or owns all or part of an unlicensed money transmitting business” is subject to the penalties outlined in 18 U.S. Code § 1960, titled “Prohibition of unlicensed money transmitting businesses.” Although this provision does not define “money transmitter,” it does emphasize that the level of control over the transfer is critical for prosecution under the legislation.

Samourai Wallet was a self-custodial wallet that could manage neither its users’ money nor transactions. Nonetheless, it could have pre-screened inputs for its CoinJoin service’s transactions if it had wanted to. Wasabi Wallet would have been able to block addresses sanctioned by the Office of Foreign Assets Control from using its CoinJoin service if it had done so.

The United States District Court for the Southern District of New York defined a money transmitter in its objection to Tornado Cash, a cryptocurrency mixer: “any other person engaged in the transfer of funds.” According to the court’s argument, a firm does not necessarily need physical possession of the transferred monies to be considered a money transmitter.

A definition of “transfer” as “conveyance of right, title, or interest in real or personal property from one person to another” was also provided, according to the Merriam-Webster online dictionary. Nevertheless, a CoinJoin transaction defies this notion because no money changes hands (apart from fees).

Curiously, Samourai Wallet offered a privacy feature for inter-user payments. Two wallet users could work together to start a transaction that mixed the currencies and concealed the payment amount; this feature, named Stowaway, implemented PayJoin. Nevertheless, Stowaway was not included in the indictment and failed to capture the attention of the Department of Justice due to its low user count and free nature.

The earnings made by Samourai Wallet from running Whirlpool may be legally very important. As previously stated, the court’s opposition posits that Tornado Cash “offered the same service to customers as other businesses that courts have held to be money transmitters” and that its founders “paid for and exercised control over critical components of the service […] and […] reaped substantial profits from the service,” implying that a service that facilitates crypto transactions for profit is considered a money transmitter business.

Financial Crimes Enforcement Network guidelines state that producers of software that renders transactions untraceable are considered anonymization service providers, not money carriers, reiterating the significance of CoinJoin service revenues. Except when an organization “engages as a business in the acceptance and transmission of value” through the software, it is considered a money transmitter. In this context, a company is defined as an “ongoing enterprise carried out for financial gain.”

Money laundering charges

Money laundering charges, which the Samourai Wallet founders are also facing, carry a maximum term of twenty years in jail. To be charged with money laundering, a defendant must “conduct or attempt to conduct a financial transaction, knowing that the property involved in the financial transaction represents the proceeds of some unlawful activity,” as stated in 18 U.S. Code § 1956(a)(1).

Considering that Samourai was marketed to “Dark/Grey market participants,” it might be inferred that the creators were aware of and even promoted illegal cash movement. But they could never handle money and couldn’t do any financial transactions.

“Samourai […] operate[d] a centralized server that […] create[d] new BTC addresses used during the transactions,” reads the indictment. However, as we saw in the introduction, this is false because the consumers’ wallets generated the addresses. Although the server confirmed that the withdrawal address belonged to a Whirlpool member, it could not identify the wallets that were being sent or received.

The prosecution is trying to make non-custodial products legally liable for laundered cash via the claims against Samourai Wallet, which entail deploying server infrastructure.

The Tornado Cash side alleged that the defendant’s “ongoing payments to host the website after becoming aware that it was being used to launder criminal proceeds [and] (ii) [the] payment for traffic between the UI and the blockchain to process transactions that they knew involved criminal proceeds” as proof of their conspiracy to launder money.

Therefore, it appears that even Bitcoin wallet providers who do not have physical custody of their users’ funds can be held accountable for money laundering if they operate a node and host a front end and are aware of illegal acts taking place through their wallet.

However, the First Amendment shields the dissemination of privacy technologies from governmental interference in the US if the project in question is limited to code maintained on a Git repository. The reason for this is a 1996 case, Bernstein v. U.S. Dept. of State. Defending his right to share and publish his encryption software, Daniel J. Bernstein fought against rules that would have forced him to get a license from the government. Bernstein was successful in having his case heard by the court, which upheld the First Amendment protections for computer code as an expressive form of communication.
