
Bitcoin Fog Case Could Put Cryptocurrency Tracing On Trial-Part 1

IPR Daily

2022-08-03 17:41:53

TOOLS TO TRACE cryptocurrencies have, over just the past several years, allowed law enforcement agencies to convict dark-web black-market administrators, recover millions in ransomware payments, seize billions in stolen bitcoins, and even disrupt networks of child abuse. Now one criminal defendant claims those same tools have also unjustly put him in jail for more than 15 months.


In the spring of 2021, Roman Sterlingov, a 33-year-old Swedish-Russian national, was arrested by Internal Revenue Service criminal investigators at the Los Angeles airport and was accused of creating and operating Bitcoin Fog, a bitcoin "mixing" service on the dark web that took in coins from its users and returned others with the intention of preventing forensic accountants from following that money's trail. The US Justice Department accuses Sterlingov of no less than $336 million in money laundering over Bitcoin Fog's decade online.


Now, Sterlingov's legal team, led by the well-known hacker defense attorney Tor Ekeland, has fired back: They're claiming in a series of legal motions filed late yesterday that Sterlingov is innocent and vowing to take his case to trial. In doing so, Sterlingov's defense says, they plan to show not only that he never ran Bitcoin Fog but also that the blockchain analysis techniques used to pin the case on him were faulty, leading to his wrongful arrest and a lost year of his life.


"I did not create Bitcoin Fog. I was never an administrator of Bitcoin Fog," Sterlingov told WIRED, speaking from a Northern Virginia jail. "I've been here for more than a year now. I'm really perplexed at the system that could put me in here, at what they can do to an innocent man. It's a Kafkaesque nightmare."


Unlike in some more-clear-cut investigations of criminal use of cryptocurrency, prosecutors in Sterlingov's case haven't pointed to any smoking-gun digital evidence retrieved from Sterlingov's possessions or devices when he was arrested during his trip to the US last year. Instead, the statement of facts released when charges against Sterlingov became public in April 2021 detailed a combination of blockchain-based cryptocurrency tracing, IP address matching, and online account information links. The IRS says that collection of evidence ties Sterlingov to Bitcoin Fog's creation in 2011 and shows—through Bitcoin tracing in particular—that he continued to receive profits from the service as late as 2019.


"Where's the corroborating evidence?" asks Sterlingov's defense attorney Ekeland. He runs through the inventory of items found on Sterlingov at the time of his arrest, which he says included laptops, hard drives, backup codes for his accounts, Bitcoin debit cards, and a customized smartphone for storing cryptocurrency. "But you know what's not found when they catch him traveling? A shred of evidence that he operated Bitcoin Fog. No witnesses, no logs, no communications. They're pinning it on a multi-layer guessing game."


The Department of Justice has not yet responded to WIRED's request for comment. The IRS declined to comment on pending litigation.


Sterlingov and his lawyers yesterday filed a motion to dismiss, a motion for a bill of particulars, a motion to free seized assets, and a motion to reconsider pretrial detention, among other items. The DOJ has produced more than three terabytes of data related to the case during discovery. The defense alleges that the sheer volume of information is difficult to parse but that nothing in it seems to establish a direct connection between Sterlingov and the creation or operation of Bitcoin Fog. And they further argue that the digital forensic analysis the prosecution has shared is flawed and opaque at best.


If the prosecution doesn't produce clear evidence as Sterlingov's case unfolds, it may have to rely on the more indirect digital connections between Sterlingov and Bitcoin Fog that it describes in the statement of facts assembled by the IRS's criminal investigations division, much of which was based on cryptocurrency tracing techniques. That statement shows a trail of financial transactions from 2011 allegedly linking Sterlingov to payments made to register the Bitcoinfog.com domain, which was not Bitcoin Fog's actual dark-web site but a traditional website that advertised it.


The funds to pay for that domain traveled through several accounts and were eventually exchanged from Bitcoin for the now-defunct digital currency Liberty Reserve, according to prosecutors. But the IRS says IP addresses, blockchain data, and phone numbers linked with the various accounts all connect the payments to Sterlingov. A Russian-language document in Sterlingov's Google Account also described a method for obfuscating payments similar to the one he's accused of using for that domain registration.


Sterlingov says he "can't remember" if he created Bitcoinfog.com and points out that he worked at the time as a web designer for a Swedish marketing company, Capo Marknadskommunikation. "That was 11 years ago," Sterlingov says. "It's really hard for me to say anything specific."


Even if the government can prove that Sterlingov created a website to promote Bitcoinfog.com in 2011, however—and Ekeland argues even that is based on faulty IP address connections that came from Sterlingov's use of a VPN—Ekeland points out that's very different from running the Bitcoin Fog dark-web service for the subsequent decade it remained online and laundered criminal proceeds.


To show Sterlingov's deeper connection to Bitcoin Fog beyond a domain registration, the IRS says it used blockchain analysis to trace Bitcoin payments Sterlingov allegedly made as "test transactions" to the service in 2011 before it was publicly launched. Investigators also say that Sterlingov continued to receive revenue from Bitcoin Fog until 2019, also based on their observations of cryptocurrency payments recorded on the Bitcoin blockchain.


Ekeland counters that the defense hasn't received any details of that blockchain analysis and points out that it was left out of the most recent superseding indictment against Sterlingov, which was filed last week. That means, he argues, that the government has based the core of its case on an unproven, relatively new form of forensics—one that he says led them to the wrong suspect. "Has it been peer-reviewed? No," Ekeland says of blockchain analysis. "Is it generally accepted in the scientific community? No. Does it have a known error rate? No. It's unverifiable. They can say total nonsense, and everyone has to take it on faith."


Ekeland says that discovery documents in the case show that the prosecution's cryptocurrency tracing was performed with tools sold by Chainalysis, a New York–based blockchain analysis startup, along with consulting help from Excygent, a government contractor specializing in cybercriminal and cryptocurrency investigations, which Chainalysis acquired in 2021.


Ekeland argues that Chainalysis, valued at $8.6 billion in a recent investment round and frequently used in high-profile cybercriminal law enforcement investigations, had a conflict of interest in the case, given its financial dependence on US government contracts and a flow of former government investigators who have gone to work for Chainalysis. "This is a story of people profiteering and advancing their careers, throwing people in jail to promote their blockchain analysis tool that is junk science and doesn't withstand any scrutiny," says Ekeland. He adds that, based on the evidence provided in Sterlingov's case, he believes "Chainalysis is the Theranos of blockchain analysis."



Source: wired.com

Editor: IPR Daily-Selly
