Samourai Wallet shutdown: implications for other privacy & self-custody tools
The closure of cryptocurrency mixer Samourai Wallet and the arrest of its co-founders have far-reaching implications for the sector. Cointelegraph Research unpacks in-depth details of how Samourai Wallet worked, why United States authorities shut it down and what this could mean for privacy and self-custodial cryptocurrency tools.
The Indictment of the Samourai Wallet Founders
Samourai Wallet co-founders Keonne Rodriguez and William Lonergan Hill were arrested on April 24, 2024, and charged with money laundering and operating an unlicensed money-transmitting business.
Rodriguez, the CEO of Samourai, pleaded not guilty and was subsequently released on a $1 million bond. Meanwhile, Hill, who served as the CTO, is awaiting his extradition to the U.S. from Portugal, where he was apprehended.
Following the indictment of the Samourai founders, the FBI released an announcement warning Americans against using cryptocurrency money-transmitting services that are not registered as Money Services Businesses (MSB). To some, this suggests that U.S. regulators may attempt to make money transmitter licenses mandatory for non-custodial cryptocurrency tools in the future.
How Samourai Wallet Worked
Samourai offered privacy-enhancing features that set it apart from standard wallet applications. These features included Ricochet, which added intermediary transactions between the sender and the recipient, and an implementation of Coinjoin called Whirlpool.
Coinjoins are transactions that pool inputs and outputs from several parties in a way that obfuscates who might own a UTXO. Most commonly, several users contribute identically sized inputs to a Coinjoin transaction and receive one of a set of identically sized outputs. This makes it difficult for blockchain analysts to trace the ownership of funds after they have passed through a Coinjoin.
Whirlpool, the Coinjoin service run by Samourai, relied on a coordinator server to facilitate the construction of these transactions. Each user’s wallet would initially submit both an input address and a blinded output address to the server.
The wallet would then reconnect to the server through a fresh Tor circuit and anonymously reveal the unblinded version of the output address. This procedure allowed the server to verify that the output address belonged to a valid participant without knowing exactly which input they contributed.
The Coinjoin transaction would then be constructed and signed by all participants. Samourai planned to increase its decentralization by switching to a decentralized Coordinator.
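The register-then-reveal exchange described above, sketched as an added example (not Samourai's code). It assumes a textbook RSA blind signature as the blinding scheme, which the article does not specify, and uses a constructed toy key and placeholder address labels.

```python
import hashlib, secrets
from math import gcd

# Constructed toy RSA key for the coordinator: two Mersenne primes, so the
# modulus is trivially factorable. Illustration only, never a real key size.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # coordinator's private exponent

def digest(addr: str) -> int:
    """Hash an output address into the RSA group."""
    return int.from_bytes(hashlib.sha256(addr.encode()).digest(), "big") % N

def blind(addr: str):
    """Wallet side: hide the output address behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(addr) * pow(r, E, N) % N, r

def sign_blinded(blinded: int) -> int:
    """Coordinator side: sign a value without learning what it commits to."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Wallet side: strip r, leaving an ordinary signature on the address."""
    return blind_sig * pow(r, -1, N) % N

def verify(addr: str, sig: int) -> bool:
    """Coordinator side: accept only outputs it signed during registration."""
    return pow(sig, E, N) == digest(addr)

def run_round(wallets):
    """wallets: list of (input_label, output_address). Returns the coordinator's view."""
    seen_at_registration, reveals = [], []
    for inp, out in wallets:                    # connection 1: input + blinded output
        blinded, r = blind(out)
        blind_sig = sign_blinded(blinded)
        seen_at_registration.append((inp, blinded, blind_sig))
        reveals.append((out, unblind(blind_sig, r)))
    secrets.SystemRandom().shuffle(reveals)     # connection 2: fresh circuit, no input attached
    accepted = [out for out, sig in reveals if verify(out, sig)]
    return seen_at_registration, reveals, accepted

# Constructed sample round with placeholder labels, not real addresses.
ROUND = [("input-A", "out-addr-1"), ("input-B", "out-addr-2"), ("input-C", "out-addr-3")]
```

The registration log pairs each input only with blinded values, while the reveal phase carries only an address and its unblinded signature, so the coordinator can check membership but has no shared value to join the two logs on.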
Accused of Operating an Unlicensed Money Transmitting Business
18 U.S. Code § 1960 under the title “Prohibition of unlicensed money transmitting businesses” applies to “[w]hoever knowingly conducts, controls, manages, supervises, directs, or owns all or part of an unlicensed money transmitting business”. While this clause does not offer a definition of what it means to be a money transmitter, it highlights that the extent of control over the money transmission is essential to be charged under the statute. Samourai was a self-custodial wallet and could not control funds or conduct any transaction on behalf of its users. However, it would have been capable of pre-screening transaction inputs for its Coinjoin service had it chosen to do so. This would have allowed them to prevent OFAC-sanctioned addresses from engaging with their Coinjoin service – an approach that was chosen by Wasabi Wallet.
In an opposition made in the case against another cryptocurrency mixer, Tornado Cash, by the court of New York, the definition of a money transmitter was given as “any other person engaged in the transfer of funds.” The Court argued that having control over the transferred funds is not required for a business to be a money transmitter. It also cited the Merriam-Webster online dictionary for the definition of “transfer” as “conveyance of right, title, or interest in real or personal property from one person to another.” However, this definition cannot be straightforwardly applied to a Coinjoin transaction, as no funds (with the exception of fees) change hands.
Interestingly, Samourai had a privacy tool for payments from one person to another. The feature called Stowaway was an implementation of PayJoin that let two wallet users collaboratively initiate a transaction that mixes the coins and masks the payment amount. However, Stowaway was offered free of charge and had a low number of users, which is likely why it was excluded from the indictment and did not arouse interest from the DOJ.
The profits that Samourai generated from the operation of Whirlpool may indeed hold key legal significance. In the aforementioned Opposition, the Court also argued that Tornado Cash “offered the same service to customers as other businesses that courts have held to be money transmitters” and its founders “paid for and exercised control over critical components of the service [...] and [...] reaped substantial profits from the service,” suggesting that a service that extracts profit from facilitating crypto transactions is deemed a money transmitter business.
The importance of proceeds generated from the Coinjoin service is also echoed by FinCEN guidance. In this guidance, the suppliers of software that makes transactions untraceable are deemed anonymization service providers but not money transmitters. However, if an entity uses the software to “engage as a business in the acceptance and transmission of value,” it is deemed a money transmitter. Here, business is interpreted as an “ongoing enterprise carried out for financial gain.”
Charges of Money Laundering
Both Samourai founders are also facing charges for money laundering, which can result in prison sentences of up to twenty years. According to 18 U.S. Code § 1956(a)(1), in order to be charged with money laundering, “a defendant must conduct or attempt to conduct a financial transaction, knowing that the property involved in the financial transaction represents the proceeds of some unlawful activity.” Samourai’s founders advertised the platform as a tool for “Dark/Grey market participants,” suggesting that they not only knew about but also encouraged the flow of illicit funds. They could not, however, conduct any financial transactions in a strict sense as they were never in control of funds.
The indictment states that “Samourai […] operate[d] a centralized server that […] create[d] new BTC addresses used during the transactions.” However, this is factually inaccurate since the users’ wallets generated the addresses themselves, as explained in the article’s first section. The server could only verify that the address submitted for withdrawal was provided by one of the participants of the Whirlpool but could not match the sending and receiving wallets.
The accusations against Samourai Wallet indicate that the prosecution attempts to extend legal responsibility for laundered funds to non-custodial products if the deployment of server infrastructure is involved. In the Tornado Cash opposition, the conspiracy to commit money laundering was also said to be evidenced by “(i) t[he defendant’s] ongoing payments to host the website after becoming aware that it was being used to launder criminal proceeds [and] (ii) [the] payment for traffic between the UI and the blockchain to process transactions that they knew involved criminal proceeds.” As such, it seems to be implied that non-custodial Bitcoin wallet providers can be convicted of money laundering as well if they run a node and host a front end, provided that they are aware of illicit activities being conducted through their wallet.
At the same time, if a project simply consists of code hosted on a Git repository, then the distribution of privacy tools is protected by First Amendment rights in the U.S. This is due to a legal precedent from 1996, namely Bernstein v. U.S. Dept. of State. In this, Daniel J. Bernstein challenged regulations that required him to obtain a government license in order to publish and distribute his encryption software. The court ruled in favor of Bernstein, holding that computer code is a form of expressive speech protected by the First Amendment.