On the usefulness of tumbling

Recently, there has been some debate on the practice of tumbling, and whether it's a helpful part of one's OPSEC. I thought it might be interesting to create a discussion thread on the subject, and I'd like to summon u/Seraphim_X as they've been relatively outspoken on the subject and raised some good points. I hope that people will chime in to fill in what I've omitted and correct mistakes I may be making here.

First, what is tumbling? Tumbling is the use of a service intended to obfuscate the connection between bitcoin in a given wallet and its owner, by means of exchanging coins with some connection to a person's real identity with those that have none. Coins go from Personal Wallet A to a Tumbler Wallet, then some time later and ideally over the course of a number of hours, the coin comes from a number of different Tumbler Wallets to Personal Wallet B. There's then no connection on the blockchain from Wallet A to Wallet B.

Why do people tumble? Services like Coinbase and Circle have banned users' accounts if they suspect that purchased BTC are being sent to DNMs. You don't have to be a genius to see that the people whose job it is to keep these companies from being shut down know that if John Smith buys coins equaling $X.XX which are then sent to an intermediary wallet and then that wallet sends $X.XX to a known DNM wallet, it's likely that John is a customer of that DNM.

Furthermore, many are concerned that LE could use blockchain analysis to tie DNM purchases to a person's real identity. Little is known about the resources available to LE at various levels, but reports of Homeland Security having a Bitcoin and blockchain task force should reinforce that this is a potential OPSEC vulnerability.

It's worth keeping in mind that there are essentially two threat levels to consider: that faced by the average 'personal use' drug buyer, and that faced by someone under specific federal investigation such as Xanax King. Crucially, the blockchain is forever, meaning that LE can develop blockchain analysis ability later and revisit old transactions to learn new information. This means that privacy-minded BTC users need to anticipate not only their current need for strict OPSEC, but anticipate their future needs in this regard. For the purposes of this thread, I'm equally interested in 'Average Joe OPSEC' and high-end theoretical scenarios.

Is tumbling effective? Maybe, or maybe not. Anecdotally, it does seem to provide effective coverage for threats of the first type - a service like Circle is just interested in keeping their business from being shut down by the government for facilitating crime and needs to show a good-faith effort to comply with the law. The concern, however, is whether tumbling is sufficient to completely break the connection between a person and their BTC, and there are some potential vulnerabilities here.

First, the tumbler itself could be compromised. A tumbler could be operated by LE or another adversary, or a tumbler operated by trustworthy actors could be exploited to some degree through a vulnerability in their code, hosting, personnel, etc.

For a theoretical example, consider the pattern of an individual using a clearnet source for BTC, tumbling to a wallet like Electrum, then sending to a DNM wallet (or for a vendor, the reverse - DNM to Electrum to tumbling to a 'cashing out' wallet). With sufficient processing power, one could identify this pattern in transactions, where an arbitrary amount of BTC leaves Clearnet Wallet and then that amount minus a few percent arrives in a known DNM wallet the same day. Over a long enough time, you could be pretty sure that the wallets are owned by the same person. This can be defeated by, for instance, not using the same wallets each time or using multiple wallets on either end, by stashing a portion of coins in a third wallet while tumbling the remainder.

There is also the obvious risk when tumbling of sending coins in and nothing arriving in the destination wallet. Noobs especially are at risk of finding a legit-looking copy of a tumbling site, and being scammed out of their coins. Furthermore, a trusted service could exit scam just the same as a market could.

Adding to the reasons to be skeptical of tumbling are the alternatives, such as any method of acquiring BTC that is not tied to your clearnet identity from the beginning. This could mean doing anonymous / pseudonymous work in exchange for BTC, buying from a BTC ATM, or using a service like LBC that doesn't require a real ID. They all have their own problems: online work for BTC isn't available to everyone, and most would rather work their normal job for normal money and convert only what they intend to spend into BTC, BTC ATMs require phone verification and dealing with security cameras, and LBC involves meeting in person, making a bank deposit, or using moneygram / sending cash in the mail. Another alternative is the exchange of BTC for an alternative currency and then back to BTC, though this presents many of the same challenges as tumbling (questionable effectiveness, cost, etc.).

Another argument against tumbling is that there are no known arrests or convictions which hinged on blockchain analysis, to which I both refer to my previous point about the evolving ability of LE (past evidence can be revisited in the future, possibly when you have more to lose), and the practice of Parallel Construction, which is when LE uses illegal methods to pursue an investigation and then re-writes their records such that they can proceed with a case as though they had gained evidence through legal means. This allows small-time cops to take advantage of NSA hand-me-down technology without publicizing that technology to the world. In short: these investigations could already be taking place or may take place in the future.

So, what do you think? Could Grams Helix be operated by or compromised by LE? Should everyone bite the bullet and abandon services like Coinbase and exclusively use end-to-end BTC anonymity?
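
The amount-and-timing pattern described in the post above, sketched from the analyst's side as an added example that is not part of the original post: it pairs withdrawals with deposits that arrive within a day and are a few percent smaller, then keeps only wallet pairs that recur on several days. The wallet labels, amounts, the 3% fee band and the 24-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: (time, wallet label, amount in satoshis).
# WITHDRAWALS leave wallets the analyst can tie to an identity;
# DEPOSITS arrive at wallets the analyst has already flagged.
WITHDRAWALS = [
    (datetime(2015, 3, 1, 10, 0), "src-A", 50_000_000),
    (datetime(2015, 3, 8, 9, 30), "src-A", 32_000_000),
    (datetime(2015, 3, 15, 20, 0), "src-A", 75_000_000),
    (datetime(2015, 3, 8, 11, 0), "src-B", 32_100_000),   # one-off coincidence
    (datetime(2015, 3, 10, 12, 0), "src-C", 100_000_000),
]
DEPOSITS = [
    (datetime(2015, 3, 1, 16, 0), "flagged-1", 48_750_000),
    (datetime(2015, 3, 8, 15, 0), "flagged-1", 31_200_000),
    (datetime(2015, 3, 16, 2, 0), "flagged-1", 73_100_000),
    (datetime(2015, 3, 12, 12, 0), "flagged-2", 97_500_000),  # 48 h later
]

def candidate_links(withdrawals, deposits, max_fee_bps=300,
                    window=timedelta(hours=24)):
    """Pair each withdrawal with deposits that follow it within `window`
    and equal the withdrawn amount minus 0..max_fee_bps basis points."""
    links = []
    for w_time, src, w_amt in withdrawals:
        for d_time, dst, d_amt in deposits:
            in_window = timedelta(0) <= d_time - w_time <= window
            # Integer arithmetic avoids float rounding at the band edges.
            in_band = w_amt * (10_000 - max_fee_bps) <= d_amt * 10_000 <= w_amt * 10_000
            if in_window and in_band:
                links.append((src, dst, w_time.date()))
    return links

def repeated_pairs(links, min_days=3):
    """A single match is weak evidence; keep only wallet pairs that
    were linked on at least `min_days` distinct days."""
    days = {}
    for src, dst, day in links:
        days.setdefault((src, dst), set()).add(day)
    return {pair: len(d) for pair, d in days.items() if len(d) >= min_days}

if __name__ == "__main__":
    links = candidate_links(WITHDRAWALS, DEPOSITS)
    print(len(links), "candidate links")
    print(repeated_pairs(links))
```

The one-off match for `src-B` shows why a single same-day coincidence says little, while the pair that repeats across three days is the "long enough time" effect the post describes.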


Comments


[5 Points] LibertyDNM:

Disclaimer: I have no evidence to back up what I'm about to say; I'm merely thinking out loud as a computer programmer with an American LE education.

At the end of the day, do you want to be truly secure? Get a BTC miner and mine over TOR. You'll convert your power bill into bitcoins. Tumble from your multiple mining wallets into another wallet, and then tumble into your market of choice. Finally, wipe all your wallets and start anew.


[3 Points] Seraphim_X:

Yes, I would love to talk about this topic. I also invite /u/gramsadmin and /u/gramssupport (have a look at his history also) to contribute to this discussion. I would like to ask him to provide us with reasons why we should tumble. I would expect to see proof of all those tracked "dirty" coins. I also expect to see examples of how tumbling could have saved a marketeer who was tracked through BTC. I'm sure tumbling is a lucrative business and it would be worth the effort. Without good examples, evidence and points of reference, it's all just f.u.d.

I would also ask the community to type up "grams helix" in the search bar and have a look for themselves about what others in the past have had to say.

I would like to add that money laundering is a high priority on LE radar and setting up a completely unknown "service" is right up their alley. There is no way of knowing otherwise. A cardinal rule of DNM is to never trust an unknown third party with your actions. SilkRoad2 was a "honeypot".

They operate from reddit, people! Check the sub they mod. People are linking reddit identities with money laundering. I'd say that's a huge gaping hole in OpSec and really defeats the purpose of what they were doing in the first place.

Check out these two subs- /r/grams/ - /r/GramsHelix

Confused? You should be. Have a look at the mods of both subs and the subs they mod. Investigate this stuff if the subject of tumbling has ever mattered to you. Don't trust people on reddit.


[2 Points] None:

okay so tumble or not?

is CB -> electrum CN -> helix light -> tails electrum -> market

can we remove the tumble there and be fine?


[1 Points] None:

Never tumbled, never had a problem.


[1 Points] DriftedTaco:

Regarding this topic, u/Seraphim_X: while there is no case that someone has been arrested for not tumbling, I would like to know if there have been cases of buyers practicing poor opsec, such as not using TAILS or using a mobile device. This is honestly just general curiosity.

I know everyone is supposed to use tails and mobile is a big opsec no-no, but has it ever been used in a case?