Samourai Wallet: Breaking Down Dangerous Precedents

On Wednesday, the founders of the Bitcoin privacy wallet Samourai Wallet were arrested and charged on behalf of the US Government. The indictment could set dangerous precedents beyond Bitcoin privacy services.

“If your government is worried about their own citizens controlling their money, the most important question you have to ask is ‘what the hell is wrong with my government’”

– Andreas Antonopoulos

Last Wednesday, Samourai Wallet founders Keonne Rodriguez and William Hill were arrested and charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money service business in the Southern District Court of New York. The indictment alleges that Samourai Wallet “facilitated more than $100 Million in money laundering transactions from illegal dark web markets”.

The definition of a non-custodial wallet as a money service business and the consequent indictment of the wallet’s maintainers can set dangerous precedents for the wider Bitcoin space and may go as far as affecting the freedom of the internet, essentially endangering all individuals, organizations and technologies involved in the transfer of financial transactions without exercising control over funds.

Can a non-custodial wallet be a money service business?

FinCEN’s 2019 guidance on persons administering, exchanging, or using virtual currencies defines a money transmitter as a “person that provides money transmission services,” or “any other person engaged in the transfer of funds.” As the guidance states, “a transmitter initiates a transaction that the money transmitter actually executes.”

The guidance further states that “the term ‘money transmission services’ is defined to mean the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.”

As a non-custodial Bitcoin wallet, Samourai Wallet’s operators do not take custody of user funds and are therefore technically incapable of “accepting” deposits or “executing” the transmission of funds, contrary to what is alleged by prosecutors, who state that “Samourai engaged in the unlicensed receipt and transmission of funds, including funds deposited into a Samourai wallet by an undercover law enforcement agent located in the Southern District of New York.”

However, technically speaking, the agent deposited funds into an application running locally on his device, with no engagement from Samourai operators – a circumstance correctly noted by prosecutors throughout the indictment, stating that “the private keys for these cryptocurrency addresses are stored in each user’s individual cell phone”, that “these private keys are not shared with Samourai employees,” and that “the Samourai software on the user’s cellphone will broadcast a transaction to the blockchain.”

Yet the indictment alleges that Samourai Wallet “facilitates transactions between Samourai users” – a claim that seems blatantly incorrect given that coinjoin transactions do not facilitate transactions between users at all, but rather create a shared transaction in which every user spends their own funds to themselves.

The indictment further repeatedly alleges that Samourai creates “new addresses” used during the transactions, and that “The Samourai server is responsible” for broadcasting transactions – claims which, too, are technically incorrect, as transactions are created solely on the user’s device and Samourai only broadcasts transactions on behalf of users if users choose to broadcast their transactions via Samourai’s node. For anyone running their own node with Samourai Wallet, known as “Dojo”, transactions are broadcast by users themselves.

Numbers provided by the node provider Ronin Dojo suggest that up to 85% of Whirlpool users run their own Dojo. It is questionable whether organized criminals would rely on nodes provided by Samourai Wallet, as its operators would effectively be able to deanonymize transactions by gaining knowledge of users’ extended public keys, a design choice often criticized in Samourai Wallet’s architecture. Notably, the indictment makes no mention of “Dojo” at all.

DoJ Challenges FinCEN Guidelines

The indictment against Samourai appears to suggest that the DoJ does not believe FinCEN guidelines apply, as reflected in the language used to describe Samourai’s services, in which prosecutors note the broadcasting of transactions, the operation of a centralized server, and the subsequent collection of fees from the services offered:

“The Samourai server is responsible for broadcasting the Ricochet transactions to the BTC network […] From Whirlpool and Ricochet, RODRIGUEZ and HILL earned at least $4 million in fees”

The DoJ’s arguments appear more in line with recent recommendations issued by the Financial Action Task Force (FATF). FATF, an intergovernmental body established by the G7 in 1989 to combat money laundering and terrorist financing risks, is not a regulatory body, but the task force’s recommendations are known to form the basis of AML/CFT regulations around the world.

In recommendations issued in 2021, FATF expands the definition of virtual asset service providers as “decentralized exchanges or platforms” which “have a central party with some measure of involvement or control,” such as developing “user interfaces for accounts holding an administrative ‘key’” or “collecting fees.”

By the logic put forward by FATF, it appears that any individual, organization or technology interfacing with financial transactions could require a money service business license. Notably, a new AML package adopted by the European Parliament last week, aimed at updating current AML regulations in accordance with FATF recommendations, specifically exempted self-custodial services.

Similar attempts to circumvent FinCEN guidelines are currently being made in the Tornado Cash case. In an opposition issued on April 26th, prosecutors argue that the definition of money transmitting “does not require the money transmitter to have ‘control’ of the funds being transferred,” highlighting that Section 1960 of US Code, a codification of permanent federal laws, extends the definition of money transmitting to “transferring funds on behalf of the public by any and all means.”

As interpreted by the Department of Justice, AT&T would require a money service business license to allow customers access to their PayPal, an ISP would need a money service business license to allow users to access online banking services, a postman would require a money service business license to deliver cash in the mail, a grocer would need a money service business license to hand out change, and Telegram, WhatsApp, Signal and X (formerly Twitter) would require a money service business license if users utilize the platform to share PSBTs or lightning invoices – subsequently deeming all such services to require full know your customer verification.

Can the Bitcoin Network be KYCed?

The indictment has sent ripples through the Bitcoin ecosystem, leaving anyone involved in the broadcasting of Bitcoin transactions in uncertainty, including bitcoin miners and node operators. The non-custodial Lightning wallet Phoenix has since announced that it is suspending operations in the US. The privacy-first Bitcoin wallet Wasabi Wallet has banned US users from accessing its services and software.

Reading the indictment, it appears as though everything we knew about the regulatory aspects of money transmission may have been misapplied, as the indictment appears to go as far as to attempt the criminalization of self-spending. As the indictment reads, self-spends, as evident in coinjoins and Samourai’s Ricochet, “further obscure ownership of the funds.” But any Bitcoin wallet allows users to generate self-spends and essentially circumvent blockchain surveillance mechanisms and censorship, further muddying regulatory waters.

The foundations to introduce KYC to the Bitcoin network have been researched as early as 2016 with the MIT ChainAnchor project, which explored the introduction of identities and permission groups to blockchains, preventing non-registered users from having transactions mined in blocks.

With increasing miner centralization, with around 47% of hashrate’s mining rewards custodied by a single custodian, including the pools of AntPool, F2Pool, Binance Pool, Braiins, btcom, SECPOOL, and Poolin, plans to KYC the Bitcoin network may not seem too far-fetched. In 2023, F2Pool already began censoring transactions in line with the OFAC sanctions list.

Since the indictment of the Samourai founders, the FBI has issued a PSA concerning cryptocurrency money service businesses, alerting the public to avoid services which do not require know your customer information.

If the non-custodial operation of services is ruled to classify as money transmission, the doors could be open to KYCing any service operating communication protocols, from Nostr to WiFi hotspots and telecommunication providers. If spun ad absurdum, it could even be argued to require the registration of KYC for the use of highways or the purchase of briefcases.

Plans to KYC the internet have been around since as early as 2014, when the US Government attempted to introduce a “drivers license for the internet,” similar to the planned introduction of digital identities around the world.

It should be noted that the treatment of Samourai founders, who are currently serving pre-trial detention, stands in no comparison to the handling of financial crime allegations around the world. Since 2000, traditional financial institutions, such as UBS, JP Morgan, and Bank of America, have been fined over $380 Billion. The argument that traditional banks are primarily used for legal transactions can also be applied to Samourai Wallet, as the indictment reportedly only alleges that illicit funds make up 3.6% of Samourai’s total transaction volume, leaving 96.4% of legitimate usage.

The Samourai case has been assigned to Judge Richard M. Berman, who previously presided over the Jeffrey Epstein case. In 2005, Berman ruled that random police searches of riders’ bags on the New York City subway did not violate the U.S. constitution.

This is a guest post by L0la L33tz. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.