Helix: Sequencing the Case Against Bitcoin Mixers
In the ever evolving arms race of privacy, cryptocurrencies have proven to be one of the most potent tools developed in the last few decades. The ability to move value, without intermediaries, without permission, and directly peer-to-peer has opened up immense opportunity. On the forefront of this arms race are those on the fringes – outcasts of society, those breaking social norms, and those doing things deemed illegal by the state.
This foremost battleground can be an invaluable litmus test for the effectiveness, proper use, and survivability of cutting-edge privacy technology, and so we have much to learn from those instances where the state fights back against those on the fringe. In one of the most important legal cases of recent years - that of the government against Larry Dean Harmon, operator of Helix, a Bitcoin mixing tool - we have an excellent opportunity to survey the scene, learn from the choices taken, and evaluate the tools and technologies involved.
A brief timeline #
Before we dive too deeply into the details of the government’s case against Larry Harmon and the Helix Bitcoin mixer, its important we get a broader picture of the case against Harmon. In this brief timeline we’ll highlight some notable events and dates involved, but rest assured we will dive into the fascinating details later on in this post.
- 2019-12-03: Harmon is indicted for “Conspiracy to Launder Monetary Instruments”, “Operating an Unlicensed Money Transmitting Business”, and “Money Transmission Without a License.”
- 2020-02-06: Harmon is arrested in Akron, Ohio. Three of Harmon’s properties are simultaneously searched via warrant in Ohio, California, and Belize.
- 2020-02-11: Initial hearing. Bail denied, Harmon is deemed a “flight risk” on behalf of his alleged cryptocurrency holdings and his ties to Belize. Harmon is detained.
- 2020-03-04: Harmon files Motion to Revoke Detention Order.
- 2020-03-13: Harmon is released from detention with terms: no internet usage and no cryptocurrency transactions.
- 2020-04-19: Someone starts sending funds from known Harmon Bitcoin wallets to new Bitcoin wallets between 2020-04-19 and 2020-04-24, detected by blockchain tracing tools: 8 Bitcoin transactions totaling ~712.6 BTC were made, allegedly from Harmon’s wallets.
- 2020-04-29: Status hearing and a restraining order to forfeit cryptocurrency and cease transactions issued.
- 2020-04-29: All Bitcoin (less the 712.6 BTC moved previously) are forfeited by Harmon to the government.
- 2020-05-20: Harmon makes a motion to release 160 BTC for funding his defense via Perkins Coie.
- 2020-07-17: Harmon is given release of funds for funding Perkins Coie.
- Harmon attempts to get counts 2 and 3 dismissed, is denied.
- 2021-08-10: Harmon pleads guilty to count 1 (“Conspiracy to Launder Monetary Instruments”) as a part of a plea deal, counts 2 and 3 are dropped in exchange for his ongoing cooperation.
- 2022-01-26: Harmon is granted the ability to use the internet as a part of his cooperation with the government, only under direct supervision.
- 2022-05-05: Harmon continues to serve the government as agreed in his plea deal.
What was Helix? #
Helix, a custodial Bitcoin mixer, was one of the early tools purported to bring better privacy to Bitcoin. Unfortunately, due to the transparent design of Bitcoin, transactions carry a clear and deterministic (provable) history with them that grows over time. This history includes who sent Bitcoin to whom, how much was transferred, when it was transferred, and any special scripts or properties that were used for the given transaction.
This transparent and traceable reality within Bitcoin has led to a gaping hole in the Bitcoin ecosystem, one that companies like Chainalysis have rushed to exploit by selling surveillance en mass, and one that entrepreneurs like Larry Harmon have sought to profit from through attempting to mitigate risk for users of their tools.
No one has ever been arrested just through bitcoin taint, but it is possible and do you want to be the first? – Helix Admin, allegedly Larry Dean Harmon
Helix was a simple custodial mixer where you provided a withdrawal address and then were given a deposit address, a user sent in funds to Helix (and fully custodied by Helix), and then different, entirely disassociated funds were sent back to the user’s withdrawal address. As this process is entirely custodial there was both the risk of theft (Helix administrators could have run off with deposited Bitcoin at any time) and trust in the operator to properly supply “untainted” Bitcoin funds on the withdrawal side. Users of Helix also trusted that Helix would not log or keep record of incoming funds and their matching outgoing transaction, something that would be a gold mine for law enforcement, governments, or hackers.
Harmon seemingly used an exchange called “HitBTC” as the main method to “clean” tainted funds, sending them into HitBTC and withdrawing different funds using 26 different accounts he created with HitBTC. These funds would appear clean to chain analysis tools and exchanges, as they would come from known exchange wallets of HitBTC and generally be untainted.
Helix operated entirely as a Tor hidden service (exclusively on the “darknet”), and was closely intertwined with a darknet search tool called “Grams”, also operated by Harmon.
What made Helix “illegal”? #
While there remain no cases brought forward against non-custodial privacy solutions for Bitcoin, custodial mixers like Helix are a different beast entirely – one that is much easier to litigate and attempt to shutdown. So what was it about Helix that made it attractive and open to litigation by the US government?
Harmon primarily advertised Helix to darknet market (DNM) users #
One of the primary points in the case brought against Harmon was that he made it very clear that his target customer was that of the common DNM user. He was an active participant in DNM subreddits, gave extensive customer support and recommendations to DNM users who contacted him, and heavily advertised Helix and Grams in DNM circles.
While there does seem to have been a large percentage of Helix’s usage that was not attributable to DNMs by the government (over 85% of Bitcoin volume through Helix was not directly linked to DNM usage!), Harmon did seem to target DNM users with his service specifically.
Harmon partnered closely with DNMs like Alphabay #
Another proverbial “nail in the coffin” was Harmon’s seeking of partnerships with admins from multiple DNMs, namely Alphabay, Outlaw, Silkroad2, Cloud Nine, and Agora. He partnered closely with Alphabay in particular, even having explicit recommendation by the platform and direct API integration at one point.
I have been talking to outlaw, silkroad2, cloud nine. They all said they want on grams and are either going to use my api [i.e., Application Program Interface] or give me some of their own. - Grams Admin, allegedly Larry Dean Harmon
This close partnership and seeking of relationships with DNMs made Helix an easy target as the case against it could leverage this close association to dismiss any legitimate usage as “negligible” even if there remained a large amount of volume unattributed to the DNMs in question.
Harmon retained sole custody of funds sent in by users #
One of the most commonly litigated aspects of cryptocurrency has been using money transmission laws to crack down on peer-to-peer exchanges and “non-compliant” custodial tools like Helix. The fact that Helix took complete custody of user’s funds after deposit and then sent them entirely disassociated funds after a delay of about two hours made it an easy target under money transmission laws.
When a tool like Helix takes full custody of funds and then sends funds to another party, it can easily be lumped into needing a money transmitters license to be “compliant”, and all of the harsh sentences available when those rules are not followed make for a formidable potential sentence.
To catch a mixer #
So how did the government end up tracking down Larry Harmon and determining he was the admin of Helix and Grams? While the initial thread that started the investigation into Harmon was never made clear in court documents, the weight of the evidence against him after the initial connection had been made was clearly laid out.
Bitcoin Conference spooks #
While it wasn’t a pivotal piece of evidence in the overall case, one of the more interesting discoveries in the trial came at the hands of undercover FBI agents engaging with Harmon at a Bitcoin conference in July 2019.
The government obtained a covert recording of the defendant talking to undercover officers at a bitcoin conference on or about July 25, 2019, in which Harmon stated that he was working on raising money to obtain “licensing” for his bitcoin payment app, Dropbit.
Harmon was attending the conference and promoting his new Bitcoin wallet and purchasing app, DropBit, when multiple undercover FBI agents assuming the role of conference attendees sparked a discussion with him about DropBit. Harmon made it clear in the conversation that he was seeking funding to pursue a money transmitters license, which later was used against him in court as proof of his understanding “proper” procedures.
Unencrypted Time Machine backups #
Once Harmon’s network-attached storage (“NAS”) device was confiscated at his arrest and pored over for some time it became clear that the government was sitting on a treasure trove of evidence against Harmon. Harmon had used unencrypted Time Machine backups from his personal Macbooks to his personal NAS at his house, storing years of browsing history, email correspondence, source code, and Bitcoin addresses.
One recovered Time Machine backup included a series of files which constitutes the source code used to create and operate the HELIX website.
Once the government was able to parse through the data, they were able to uncover the entirety of the source code for Helix and Grams, something that made it perfectly clear that Harmon had been the admin for both. These backups also contained a wealth of email correspondence - sent in PGP but stored in clear-text in his backups - showing his back and forth with many DNM admins seeking direct integrations and partnerships, his extensive customer support and recommendations offered to DNM users, and his acting as the sole admin of Helix and Grams.
The last key piece of information found in these backups was a file called “addresses.txt” which - true to its name - contained a list of Bitcoin addresses that matched up to most of the Bitcoin addresses the government had traced back to Harmon already. This list confirmed their blockchain tracing efforts, confirmed his custody of fees directly generated by Helix, and confirmed many of his exchange accounts at the same time.
Don’t be a Glasshole #
The first key piece of evidence that led to Harmon’s indictment and arrest was one of the most worthy of a face-palm. Harmon, while at his vacation home in Belize, had taken a picture with his Google Glasses of his apartment - one that included the screen of his open laptop. His laptop had up multiple browser windows, including Tor browser, and included clearly visible tabs for the admin pages of Helix and Grams.
[On Google Drive] investigators found a photograph taken by a Google Glass device showing an open laptop computer with several browser tabs open. Among other things, the computer … was accessing administrator pages for GRAMS and TorAds (a Darknet advertising service associated with GRAMS), as well as an open page for HELIX.
This photo was automatically uploaded to Harmon’s Google Drive from his Google Glasses and made it impossible to deny his being the administrator of Helix and Grams. As a result Harmon never even tried to argue the point in court, and readily accepted that he was the administrator of both services at an early stage of the trial.
KYC exchanges + Bitcoin = damning evidence #
And, last but not least, Harmon used his own personal name and information to open accounts at HitBTC and BlockFi where he summarily sent funds directly traceable back to fees generated by Helix. Harmon then converted Bitcoin to USD and sent it to personal and business bank accounts. While the majority of his conversions to USD from Bitcoin appears to have happened over non-KYC exchanges and peer-to-peer swaps, this use of services tied directly to his ID with funds directly traceable on-chain back to Helix was another nail in the coffin of an already tight case against Harmon.
Follow the tainted Bitcoin road #
While much of the evidence against Larry Harmon came down to OPSEC failures and simple mistakes, the brunt of the evidence proving his mixer served DNM customers, that the fees he earned went to accounts under his own name, and that he possessed keys to all of the fees generated by Helix came down to a critical failing in Bitcoin and Harmon’s usage of it. Harmon, even though he operated a claimed privacy tool for Bitcoin, ended up being greatly harmed in his case by the traceability of Bitcoin.
The ability to trace Bitcoin is something that has been well-known for years, but many people refuse to believe that Bitcoin’s lack of privacy can come back to bite real users. Harmon’s case shows quite the opposite, however, and it started even before his arrest - the FBI had a list of 16 wallet addresses known to connect Harmon to Helix, had already traced around 12% of deposits into Helix back to DNM users and markets, and had traced deposits made by Harmon into centralized exchanges back to fees generated by Helix.
This tracing also exposed the core way Harmon “mixed” funds in Helix, as he mostly used HitBTC to deposit “tainted” funds and withdraw “clean” funds which were then sent to customers of his service. This activity was clearly visible due to the fees collected from each user of Helix and exposed the operating model of Helix even before the FBI had access to his source code.
In an interesting twist, Harmon’s own lawyers even attempted to leverage the lack of fungibility in Bitcoin to put the burden of proof on the government to trace transactions back to the precise DNM transaction they were involved in, as they claimed this should be trivial. This argument was brought forward to protest the government’s prevention of Harmon using his Bitcoin assets to hire a lawyer of his own choosing, as the government was claiming that 100% of the Bitcoin confiscated was directly linked to money laundering of drug trade money.
Digital assets like bitcoin, though, are not fungible. Rather, “every bitcoin has a history that anybody can view in the block chain.”
Harmon’s lawyers used the non-fungibility of Bitcoin to argue that the government must prove that the funds he wanted to use to pay the defense of his own choosing were involved in DNMs directly, or release the funds that could not be traced back to DNMs to Harmon to hire the legal counsel of his choosing. The argument seems to have carried weight as Harmon was shortly after granted the ability to hire Perkins Coie using these funds.
The other major example of tracing Bitcoin shown in this trial was an incredible one. The FBI had blacklisted and marked for surveillance all known addresses of Larry Harmon before he was arrested, and shortly after his release from detention in March 2020 over 700 BTC ($6.2 million at the time) were moved to new wallets from known addresses controlled by Larry Harmon that were subject to forfeiture. Upon the movement of these funds the government issued a new motion to force Harmon to disclose the information necessary to access his Ledger and Trezor Bitcoin hardware wallets, and all of his Bitcoin were seized.
The FBI was also able to validate the rest of the addresses they had traced back to him and confirm that addresses thought to be only under his control had been access and funds had been moved after his release from detention. After vehement denials and an anonymous third-party tip, the movement of funds was traced back to Larry’s brother, Gary, who apparently also had the information necessary to access the funds. Gary Harmon had accessed the funds without thought to the effect it would have on the trial and was trying to find ways to obfuscate the usage of the funds when the anonymous tip led to his discovery.
The traceability of Bitcoin (even when used by those who claim to be providing privacy to Bitcoin!) was put on full display in this case and should serve as a warning to those using Bitcoin and expecting privacy - even under very mild threat models.
Chainalysis: LE’s friendly black box #
At the root of the tracing performed all throughout this case, however, is a murky “black box” often referred to as “chain analysis”, and in particular in this case performed by a blockchain surveillance company, “Chainalysis”. While Chainalysis in particular have been around for quite some time (Chainalysis was started in 2014), their methods and practices remain veiled behind legal walls, regulatory moats, and vague catch-phrases. The ways that they trace transaction in Bitcoin - and in particular tie transactions to unique individuals in the real world - remain advantageously vague, something that benefits both Chainalysis and the law enforcement and regulatory enforcement bodies that they work closely with.
A lot of that is from these bitcoin analytics tools who use heuristics and their own type of, I guess, proprietary analysis to label as much as they can of the bitcoin addresses that are out there and who they belong to. - FBI Agent Haynie
Interestingly enough in this case, their ability to trace Bitcoin proved paradoxically immensely powerful and surprisingly poor, as they were able to ascertain the vast majority of Harmon’s personal Bitcoin wallets and associated activities, but were only able to trace around 12% of funds being deposited into Helix as coming from DNMs. They also were not able to trace a single Bitcoin transaction back to any specific DNM transaction, but proceeded to claim that the majority of funds likely originated at DNMs regardless. Their methods were entirely left out of the case documents, and no specifics on how they traced any funds were provided to the court.
The traceability of cryptocurrencies like Bitcoin leaves a profitable gap in the space that surveillance companies like Chainalysis are more than happy to fill, exploit, and pitch to law enforcement, exchanges, and regulatory bodies as necessary due to the “non-compliance” of Bitcoin users and the broader ecosystem. This gap proves extremely dangerous to individual privacy, harmful to the free flow of commerce, and is a key reason that regulatory moats have started to become common in the space.
Where is Harmon now? #
The case against Larry Harmon proved a strong one in the court’s eyes, and though he attempted to get the two charges of money transmission dropped under various approaches he was unable to do so. After a year of pleading his case back and forth with the prosecution, Larry Harmon agreed to a plea deal on 2020-08-10, pleading guilty to the charge of money laundering in exchange for the two remaining charges being dropped.
Your client shall cooperate fully … answering questions, providing sworn written statements, taking government administered polygraph examinations, and participating in covert law enforcement activities.
This plea deal included complete and utter cooperation with the US government (including undercover activities for law enforcement), turning over all evidence that may be related to any other crimes by Harmon or anyone else he associated with, complete forfeiture of all assets and accounts, and agreement to testify at any grand jury the government wishes Harmon to testify at. Harmon’s agreement and subsequent cooperation with law enforcement is a fascinating turn of events in the case, and he continues to cooperate with the government as of 2022-05-05.
Helix, a Bitcoin mixer built to improve privacy, is now a database available to US investigators and their allies. Its creator? He’s their data analyst.
What lessons can we learn from the case against Larry Harmon and Helix? #
While certainly not condoning criminal activities, we can learn invaluable operations security (OPSEC) lessons from cases like these to better learn how to protect ourselves against malicious actors.
Avoid custodial mixing and privacy solutions for Bitcoin #
One of the first lessons we can learn is to avoid using a service like Helix in the first place. Services like Helix are an irresistable target for law enforcement and hackers, give complete visibility into transactions by their administrators, and open up users to theft of funds, hacked data connecting their transactions back to them, and much more. Its role as a custodial mixer is one that mostly benefited from the lack of other non-custodial Bitcoin privacy tools in existence at the time, but that is no longer the case.
Thankfully we have strong non-custodial tools to help bring better privacy to Bitcoin today like Samourai Wallet and Sparrow Wallet which allow you to use a technique called “CoinJoin” to detach Bitcoin outputs from their previous history and provide strong forward-looking privacy. To learn more about Bitcoin privacy broadly, take a look at the Bitcoin Privacy Guide.
If using Bitcoin exclusively is not a requirement, there is an excellent alternative that is seeing a rapid increase in usage thanks to its default privacy, ease of use, and excellent and time-tested privacy guarantees – Monero. Monero provides extremely strong on-chain privacy to every user, no matter what wallet you choose to use, and does so without any extra hoops to jump through under most threat models. To learn more about Monero, go to https://www.getmonero.org/.
Use strong encryption on any and all files at-rest #
While it has long been a recommendation, it cannot be said often enough that storing data in an unencrypted manner is reckless in 2022. With the wealth of tools out there that have simplified encrypting partitions, backups, and files at-rest there is no real excuse for having unencrypted backups stored anywhere, even in your home! Using tools like LUKS on your computers, Restic to backup your servers and files, and Cryptomator to handle encryption on popular cloud service can greatly simplify the process of encrypting your data.
Use ephemeral operating systems like Tails #
Another key way you can reduce your data footprint and online trail is using an ephemeral and Tor-only operating system like Tails. Tails allows you to run an operating system entirely from a flash drive, runs all network connections over the Tor network, and is entirely ephemeral - meaning all files, changes, and data are completely lost when the flash drive is removed or the computer is shut down.
Using an operating system like tails provides strong network privacy guarantees while ensuring you don’t accidentally leave a paper trail by storing old files, notes, or browsing history via an unknown backup process or forgotten folder. It’s an extremely powerful tool and well worth getting used to using.
Be extremely wary of unknown people at cryptocurrency conferences #
With cryptocurrencies like Bitcoin going more mainstream and conferences getting larger, OPSEC at events like these becomes ever more important. Not only is there inevitable undercover law enforcement presence, the risk of targeted attacks, theft, “$5 wrench” attacks, and many others are common at conferences where most attendees will have clear connections to cryptocurrency investment and usage.
Conclusion #
What began as the first clear case against a Bitcoin privacy tool in Helix turned out to be a fascinating and enlightening look at the methods employed for surveillance by law enforcement, the behavior of chain analysis companies in the gap provided them by Bitcoin’s traceability and non-fungibility, and a classic case of simple OPSEC failures leading to arrests and prosecutions.
The case against Larry Harmon provides us a helpful look into ways we can improve our own operational security, ways that large actors are leveraging the general lack of privacy today, and common mistakes to avoid.
Join our email newsletter for weekly updates, or subscribe for realtime privacy alerts.