DeFi Wallets: Poor Man's Crypto Mixers?
Lessons from looking at pig butchering scams too much - is the distinction between network communication software and a money transmitter blurring?
Disclaimer: I’m not a lawyer or compliance expert
Note: Some brand names have been changed and anonymized.
DeFi - shorthand for Decentralized Finance: an aspirational vision of modern finance run in a decentralized manner and with no (human) intermediaries, made possible by the ability to automate transactions using computer programs, or smart contracts, on public blockchains.
Cryptocurrency - the scientific synthesis of the material dialectics of financial transparency versus privacy; an evolved mode of class struggle between the economic forces of the bourgeois state and the crypto-proletariat.
At least that’s what we’re made to think with what's happening in the US regarding some famous crypto anonymizers:
Alleged founder of Bitcoin Fog convicted of money laundering (he is appealing)
Large crypto advocacy non-profits helping defend the arrested developers of the US-sanctioned Tornado Cash
Ethereum founder Vitalik Buterin sending $325,000 to and tweeting support for Railgun, labelled recently by analysts as a “prime alternative to Tornado Cash”
In any case, aside from these crypto privacy tools, there are other things that bad actors use, in effect, to complicate cryptocurrency tracing. Consider that some cryptocurrency wallets offer functions that can be, and are being, used to launder stolen cryptos. They're less sexy than 'anonymity sets' or 'zero-knowledge proofs', and they're still traceable with extra effort and special tools, but they work well enough for most purposes of scammers who target plain commoners.
Basics
As a primer, a crypto wallet is software or an app for managing (the private keys to) cryptocurrency addresses. For many crypto users, wallets mean self-custody wallets like mobile phone apps or desktop browser extensions (e.g. Trust Wallet, MetaMask). The owner has full control of his/her cryptos, as opposed to depositing at a centralized crypto exchange acting like a crypto bank.
More than just sending and receiving cryptos, crypto wallets allow users to directly interact with decentralized finance (DeFi) - decentralized exchanges, decentralized lending, etc. Ideally, this would be useful for things like automating payments, trading, lending, etc. — without intermediaries. It’s just you, your peers, and the immutable smart contract on the blockchain network.
When most users do cryptocurrency swaps, like exchanging ETH to USDT through a “decentralized” exchange (DEX), the swapped cryptocurrency is often described as never having left the crypto wallet but swapped in place by smart contracts. In many popular wallets, the built-in token swap function returns exchanged assets back to the same original sender address. So DEX swaps are conceived as “atomic” swaps because a swap either takes place or does not happen at all, and there is no intermediate state where someone’s crypto is in limbo in the ether.
Wallet Abilities
So, that kind of swapping is not so useful to hide one’s tracks on the blockchain for whatever purpose. One should still easily see on free blockchain explorers the exchanged asset immediately going back to the same wallet in a different form.
But there are wallets and DEXs that allow you to send the swapped tokens to another address. So it’s not just a swap, but also a transmission of assets to another address. Consider the originally Chinese-made TokiToki Wallet:
See also the Sundan DEX, accessible from any crypto wallet browser:
Still, tracing is not too hard if one knows to look at the notes section or the “internal transactions” of smart contracts the swapped cryptos are sent to. Usually, or hopefully, the final recipient address will be in there. Looking at the internal transaction / notes won’t be so obvious to new crypto users though, who might go on a wild goose chase tracing out of a smart contract address.
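The check described above, as an added example that is not code from any wallet, DEX or tracing tool mentioned here: given one swap transaction's ERC-20 Transfer logs and its internal transactions, list the addresses that only receive value and say whether the output went back to the sender. The log fields follow the usual transaction-receipt shape; the internal-transaction dict shape, the function names and all sample addresses are assumptions constructed for illustration.

```python
# Added example: heuristic end-recipient finder for one swap transaction.
# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 event id.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def asset_edges(logs, internal_txs):
    """Yield (asset, src, dst, amount) for each token or native-coin movement."""
    for log in logs:
        topics = log["topics"]
        # Three topics = ERC-20 Transfer; ERC-721 uses four and is skipped.
        if len(topics) == 3 and topics[0].lower() == TRANSFER_TOPIC:
            yield (log["address"].lower(), topic_to_address(topics[1]),
                   topic_to_address(topics[2]), int(log["data"], 16))
    for itx in internal_txs:  # assumed shape: {"from", "to", "value" as int}
        if itx["value"] > 0:
            yield ("native", itx["from"].lower(), itx["to"].lower(), itx["value"])

def final_recipients(tx_from, logs, internal_txs=()):
    """Addresses that only receive in this transaction are candidate end points.
    Pools and routers also send, so they drop out; fee collectors do not."""
    sender = tx_from.lower()
    edges = list(asset_edges(logs, internal_txs))
    forwarders = {src for _, src, _, _ in edges}
    sinks = {}
    for asset, _, dst, amount in edges:
        if dst == sender or dst not in forwarders:
            per_asset = sinks.setdefault(dst, {})
            per_asset[asset] = per_asset.get(asset, 0) + amount
    return {"returned_to_sender": sender in sinks,
            "diverted_to": sorted(a for a in sinks if a != sender),
            "received": sinks}

# Constructed sample data (not real addresses or transactions).
SENDER, POOL, ROUTER, OTHER = ("0x" + c * 40 for c in "abcd")
TOKEN_IN, TOKEN_OUT = "0x" + "1" * 40, "0x" + "2" * 40

def make_log(token, src, dst, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [TRANSFER_TOPIC, pad(src), pad(dst)],
            "data": hex(amount)}

IN_PLACE = [make_log(TOKEN_IN, SENDER, POOL, 1000), make_log(TOKEN_OUT, POOL, SENDER, 990)]
SWAP_AND_SEND = [make_log(TOKEN_IN, SENDER, POOL, 1000), make_log(TOKEN_OUT, POOL, OTHER, 990)]
# Native-coin payout: only visible as an internal transaction, not as a log.
NATIVE_OUT = ([make_log(TOKEN_IN, SENDER, POOL, 1000), make_log(TOKEN_OUT, POOL, ROUTER, 5)],
              [{"from": ROUTER, "to": OTHER, "value": 5}])
```

An empty `diverted_to` with `returned_to_sender` true is the ordinary in-place swap; a non-empty `diverted_to` gives the addresses to continue tracing from, instead of the pool or router contract.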
In any case, convoluted swaps are what scammers are using these wallets/DEXs for. That’s what they think they’re using them for, as I heard first-hand. Below are famous moves in pig butchering scams; this is how they use TokiToki and Sundan.
So far, the examples above are of token swaps in the same blockchain, in Ethereum.
TokiToki and Sundan DEX can also do cross-chain transfers. When swapping tokens across entirely different blockchains e.g., a cross-chain transfer from Bitcoin to Ethereum, the receiving address has to be supplied by the user or the multi-chain wallet. Because different blockchains can have entirely different computer languages, networks, and transaction histories, they can’t simply “talk” to each other with smart contracts. Assets have to go off-chain through… intermediaries.
(Are they custodial intermediaries that hold the swapped crypto in the original chain and take a cut with transaction fees?)
It becomes a stretch to say that those DEXs are decentralized and not intermediating, and still not money service businesses. Where trading fee profits really accrue is a good question. Finally, even if one can trace cryptos through DEX smart contracts, is just being transparent on where the moneys go sufficient for regulations?
Well, their developers would probably say that they have no control over their DEX. In the goal of DeFi, the whole community of DEX token holders and users owns the protocol, and no one or everyone is responsible for it. As many crypto proponents might say, DEXs are only composed of immutable smart contracts running like automatons on the blockchain. Never mind that many smart contracts can be upgraded by their developers via proxy: developers can redirect wallet user business to changed, fixed, or newer versions of their smart contract protocols, and so control DEX behavior to become more compliant with the law.[1]
Note that banks and money changers have anti-money laundering measures not because they technically cannot function without them. It is a mandated choice.[2] Some other factoids: non-custodial peer-to-peer exchanges that match buyers and sellers together have to have KYC (know-your-customer) in most regulatory regimes now. Also, pure crypto-to-crypto transactions are considered money transactions in the eyes of courts in major financial centers.
Then there are self-custody wallets like Amfufu that have swaps that are practically fronts for a centralized exchange, like this one named Xchange. When Amfufu Wallet swaps cryptos, one will see on the blockchain that it just sends cryptos straight to Xchange, so tracing stops there. It’s hard to figure out from its transaction notes, if there are any at all, and if it’s possible at all, to what address on what blockchain Xchange returns the swapped tokens.
Of course, one can subpoena Xchange to find out what the crypto was converted into and where it was sent. But in practice, if a crime is under a million dollars or two, no police will spend effort and time reaching out to Xchange, which is merely a P.O. box in an offshore island country as it is. If Xchange so wishes, it will comply only after a long and cumbersome cross-border mutual legal assistance treaty process.[3] In any case, Xchange would not know who sent and received the cryptos, because Amfufu Wallet itself doesn’t know who its users are.
So one can see how swapping “small” amounts through an unregulated offshore exchange is as good as using a crypto mixer. Even better, cryptos coming off an exchange back on-chain won’t have the taint of a crypto mixer. So, some of these crypto wallets are like automated over-the-counter brokers for these transactions.
More Wallet Abilities
Finally, there is the interesting Alibokbok Wallet that allows creation and simultaneous control of up to 100 crypto addresses.
It allows splitting up cryptos to send to up to 255 addresses, or collecting them from multiple addresses you control.
Batch and mass bulk senders have existed for a while, and they usually use smart contracts to do so. With Alibokbok though, one can simulate manual incoming or outgoing transfers to or from multiple addresses without the use of smart contracts, for a small monthly fee. One can imagine that batch transfers can make crypto tracing complicated and confusing, and I may have seen two or three instances of Alibokbok wallet being used downstream of pig butchering scams. It may not be a problem at all for people with powerful and expensive tracing software, but that is beyond the reach of mere commoners.
************
Crypto wallets are being described as mere tools to communicate a user’s economic wishes to the blockchain network. Many wallets are also literally getting into the communications business (decentralized social media, decentralized messaging). With more and more features and functions being added to crypto wallets, it seems that the line between being just a cool network communication app and a bona fide money transmitter that should be regulated is blurring.
[1] For sure, smart contracts live on blockchains forever even if their original developers permanently renounce control and ownership (that is technically possible), but in many DEXs so far, the developers still retain exclusive control, and virtually all DEXs are practically unusable without their wallet user interface, APIs, and other interventions.
[2] Haha, an oxymoron
[3] Businesses of many blockchain tech companies have global reach but liabilities limited to their home tropical island, or city state.