In this article, we explain the connection between one of the biggest bitcoin thefts of all time and the little explored world of bitcoin mixing services, explaining how the often-heard phrase “code is law” works both ways for bitcoin users.

Blockchain Forensics, Binance, & BTC Blenders

In May of this year, crypto exchange titan Binance was the victim of an extremely elaborate hacking of 7,000 bitcoins, or close to $40 million in BTC prices at the time. The hacking involved the collection of large amounts of user data by a combination of viruses and phishing techniques over an extended period of time.

The scheme was slow, methodical, and even managed to bypass the security checks and balances of one of the biggest and “safest” cryptocurrency exchanges around. Only after the withdrawal had been processed by Binance itself was it noticed, which effectively shut down the exchange for at least a 24 hour period. The price of bitcoin dropped 3% on the news, and Binance had forever lost its near-pristine reputation among the crypto trading community.

The consequences were devastating to the morale of the crypto trading community, regardless of the fact that 7,000 BTC was still only the equivalent of 2% of Binance’s total hot wallet holdings. The day after the hacking, CEO Changpeng Zhao (or “CZ Binance” as he is known of Twitter) boldly went through with plans for a live video “Ask Me Anything” (AMA) presentation, during which he floated an ill-conceived idea of conducting a hard fork on the BTC blockchain to reverse transactions related to the hacking, which he almost immediately regretted:

“Before the AMA, I had been up all night and I was really feeling the effects. So, I took a 15-minute nap just before the AMA. Upon waking up, my team told me there was an interesting proposal from a Bitcoin Core developer. I read it for a few seconds. It involved something called a “reorg”. While I know it’s technically possible for a rollback in a 51% attack scenario, it never occurred to me that it is also technically possible to change one transaction and keep all other transactions intact, while hugely incentivizing the miners. The discussion was already pretty hot on Twitter, so I mentioned it in the AMA as something that was suggested. Little did I know, it was a taboo topic. Lesson learned.”

Code is Law, for Bitcoin Anyway

Why is the idea of a blockchain rollback a “taboo topic” in bitcoin? The answer is simple: it entirely goes against the idea of the blockchain being an immutable or unchangeable ledger. The history of every bitcoin transaction is forever set in stone thanks to the blockchain. This is one of the foremost principles of bitcoin, and it should not be altered for the benefit of any individual or group of individuals – even Binance. The immutability of the blockchain is what gives it its strength over traditional money systems. It is entirely guided by coded mathematics: unalterable, tamper-proof, and resistant to fraud. When it comes to bitcoin’s philosophical underpinnings, its code is the law, and thus should not be changed on behalf of any particular party.

Of course, not every cryptocurrency follows by this ideal. After one of Ethereum’s first and biggest ICOs, the Dao, was exploited and lost 12.7 million ETH (worth $150 million at the time), the Ethereum community voted to perform a hard fork which restored the hacked ETH to its investors, ultimately leading to the split between Ethereum (ETH, hard fork version) and Ethereum Classic (ETC, original, unforked version). The Dao was the first large-scale application of Ethereum-based smart contracts, and as the Ethereum network was still quite young, allowing the hacked version to proceed might have been too damaging to its future development. However, critics argue that Ethereum is forever tainted by this maneuver, raising questions over what circumstances could bring about another such blockchain rollback hard fork, and to the benefit of whom.

Blockchain Forensics: Both Art and Science

As far as the Binance hack goes, there was to be no rollback, no reorg, and no hard fork. What Binance does have going for them, however, is the very fact that the bitcoin blockchain is still immutable, and thus their lost coins can somewhat easily be traced. Though the blockchain may just seem like a jumble of addresses, timestamps, transaction IDs and BTC amounts, if one has the proper resources and know-how, quite a bit about a bitcoin’s owner can be determined through the science of blockchain forensics. This burgeoning field of conducting detective work based on blockchain data has thus far been highly successful in identifying bitcoins belonging to tax evaders, drug dealers, money launderers, and even terrorists.

On August 7th, blockchain analytics firm Clain published a blog entry detailing the movement of over 4,800 of the 7,000 BTC stolen from Binance. They traced 4,836 of the BTC to a bitcoin mixing service known as Chipmixer, and were able to determine that, as of the publishing of their findings, 814 BTC output from Chipmixer were likely to be confirmed as funds belonging to the hacker. Though none of these funds have been confirmed to have moved onto an exchange as yet, it is likely that at some point in the future at least some of them will. If this exchange should happen to conduct Know Your Customer (KYC) protocol on its user accounts, then it is only a matter of time before the identity of the hacker – or at least a party tied to the hacker – can be known.

Of course, the process isn’t exactly this simple, and the hacker(s) responsible for relieving a high security operation like Binance of 7,000 BTC probably aren’t naïve enough to use their real identities on exchanges. There is also the issue of legality in that exchanges wouldn’t just reveal information about their customers without some sort of warrant or court order compelling them to do so. What can be done in lieu of this, however, is that exchanges who are the recipients of the hacked funds can freeze bitcoin demonstrated to be deposited by the hacker through the result of blockchain analytics.

What is a Bitcoin Mixing Service?

As was previously mentioned, the majority of the BTC hacked from Binance was sent to Chipmixer, which is a “bitcoin mixing service.” A bitcoin mixer – sometimes known as a bitcoin tumbler – is a service that is used to help disguise the origins of bitcoins, either through mixing them with bitcoins from other sources or swapping them for different bitcoins entirely. In the case of Chipmixer, the bitcoins sent to the mixer are exchanged for bitcoins from entirely different sources, usually a combination of those deposited by previous clientele. This makes it difficult to immediately attribute the owner of coins sent to Chipmixer, as the new owner likely has no relationship with the old.

The practice of bitcoin mixing can be used to add an extra layer of privacy on top of a bitcoin user’s holdings if they are worried about exposing the origins of their funds to others. A reasonable example of this would be sending an amount of BTC won at a bitcoin casino to a bitcoin mixer before sending it to an exchange that may theoretically ban your account if they determine that your deposits came from a casino (Coinbase, for example, has been known to engage in this practice). Many countries deem bitcoin casino gambling to be perfectly legal, yet some exchanges have chosen not to service customers who partake in them.

This poses a problem to those who want to both gamble with their BTC and trade it on an exchange like Coinbase, which can be solved by sending one’s BTC through a bitcoin mixing service like Chipmixer. Of course, the customer won’t know for sure whose bitcoins they are getting from Chipmixer, but it won’t be their own. Another good reason is to simply retain some amount of privacy for fear of being hacked or targeted by thieves who can perform their own blockchain analytics to trace a user’s wallet to an exchange with a publicly known address.

The problem with bitcoin mixers, however, is that most of the volume that is being sent through their services is illicitly obtained, whether it is through hackings, sales of illegal goods through darknet markets, or other nefarious means. This would make a service like ChipMixer absolutely essential. On May 22nd, just a couple of weeks after the Binance hack, another bitcoin mixer known as Bestmixer was taken down by authorities in the EU after having been monitored for quite some time. The Dutch Fiscal Information and Investigation Service, working alongside other European agencies, had been investigating Bestmixer for almost a year, coming to the conclusion that the majority of the $200 million in 3 different cryptocurrencies had been obtained from criminal activity before finally seizing its servers. A week later, another major mixing service, Bitcoin Blender, shut down on its own accord, probably wary of suffering a similar fate as Bestmixer.

Regardless of what percentage of its volume was comprised of illegally-obtained bitcoin before, it can be safely assumed that any outputs from Chipmixer for the foreseeable future are going to contain BTC from the Binance hack, as according to Clain,

“Chipmixer was bombarded with inflow of the hacker’s funds in the magnitude it never operated before. Because of this huge volume, it is correct to assume that any outflow coming from Chipmixer these days is likely related to the same owner.”

Because of the information-sensitive nature of their industry, Clain is not ready to give away trade secrets on exactly how it determined the BTC was sent to ChipMixer and where it went afterward, though their blog entry on the subject does provide some clues. Whether they are working with Clain or a similar firm that has yet to publicly disclose their findings, it is likely that a multi-billion dollar business like Binance is going to be keeping a keen eye on where their bitcoin is headed for months – or even years – to come.