Bitcoin Fog Case Could Put Cryptocurrency Tracing on Trial

Roman Sterlingov, accused of laundering $336 million, is proclaiming his innocence—and challenging a key investigative tool.

Tools to trace cryptocurrencies have, over just the past several years, allowed law enforcement agencies to convict dark-web black-market administrators, recover millions in ransomware payments, seize billions in stolen bitcoins, and even disrupt networks of child abuse. Now one criminal defendant claims those same tools have also unjustly put him in jail for more than 15 months.

In the spring of 2021, Roman Sterlingov, a 33-year-old Swedish-Russian national, was arrested by Internal Revenue Service criminal investigators at the Los Angeles airport and was accused of creating and operating Bitcoin Fog, a bitcoin “mixing” service on the dark web that took in coins from its users and returned others with the intention of preventing forensic accountants from following that money’s trail. The US Justice Department accuses Sterlingov of no less than $336 million in money laundering over Bitcoin Fog’s decade online.

Now, Sterlingov’s legal team, led by the well-known hacker defense attorney Tor Ekeland, has fired back: They’re claiming in a series of legal motions filed late yesterday that Sterlingov is innocent and vowing to take his case to trial. In doing so, Sterlingov’s defense says, they plan to show not only that he never ran Bitcoin Fog but also that the blockchain analysis techniques used to pin the case on him were faulty, leading to his wrongful arrest and a lost year of his life.

"I did not create Bitcoin Fog. I was never an administrator of Bitcoin Fog,” Sterlingov told WIRED, speaking from a Northern Virginia jail. "I’ve been here for more than a year now. I’m really perplexed at the system that could put me in here, at what they can do to an innocent man. It’s a Kafkaesque nightmare."

Unlike in some more-clear-cut investigations of criminal use of cryptocurrency, prosecutors in Sterlingov’s case haven’t pointed to any smoking-gun digital evidence retrieved from Sterlingov’s possessions or devices when he was arrested during his trip to the US last year. Instead, the statement of facts released when charges against Sterlingov became public in April 2021 detailed a combination of blockchain-based cryptocurrency tracing, IP address matching, and online account information links. The IRS says that collection of evidence ties Sterlingov to Bitcoin Fog’s creation in 2011 and shows—through Bitcoin tracing in particular—that he continued to receive profits from the service as late as 2019.

“Where’s the corroborating evidence?” asks Sterlingov’s defense attorney Ekeland. He runs through the inventory of items found on Sterlingov at the time of his arrest, which he says included laptops, hard drives, backup codes for his accounts, Bitcoin debit cards, and a customized smartphone for storing cryptocurrency. “But you know what’s not found when they catch him traveling? A shred of evidence that he operated Bitcoin Fog. No witnesses, no logs, no communications. They’re pinning it on a multi-layer guessing game.”

The Department of Justice has not yet responded to WIRED’s request for comment. The IRS declined to comment on pending litigation.

Sterlingov and his lawyers yesterday filed a motion to dismiss, a motion for a bill of particulars, a motion to free seized assets, and a motion to reconsider pretrial detention, among other items. The DOJ has produced more than three terabytes of data related to the case during discovery. The defense alleges that the sheer volume of information is difficult to parse but that nothing in it seems to establish a direct connection between Sterlingov and the creation or operation of Bitcoin Fog. And they further argue that the digital forensic analysis the prosecution has shared is flawed and opaque at best.

If the prosecution doesn’t produce clear evidence as Sterlingov’s case unfolds, it may have to rely on the more indirect digital connections between Sterlingov and Bitcoin Fog that it describes in the statement of facts assembled by the IRS’s criminal investigations division, much of which was based on cryptocurrency tracing techniques. That statement shows a trail of financial transactions from 2011 allegedly linking Sterlingov to payments made to register the Bitcoinfog.com domain, which was not Bitcoin Fog’s actual dark-web site but a traditional website that advertised it.

The funds to pay for that domain traveled through several accounts and were eventually exchanged from Bitcoin for the now-defunct digital currency Liberty Reserve, according to prosecutors. But the IRS says IP addresses, blockchain data, and phone numbers linked with the various accounts all connect the payments to Sterlingov. A Russian-language document in Sterlingov’s Google Account also described a method for obfuscating payments similar to the one he’s accused of using for that domain registration.

Sterlingov says he “can’t remember” if he created Bitcoinfog.com and points out that he worked at the time as a web designer for a Swedish marketing company, Capo Marknadskommunikation. “That was 11 years ago,” Sterlingov says. “It’s really hard for me to say anything specific.”

Even if the government can prove that Sterlingov created a website to promote Bitcoinfog.com in 2011, however—and Ekeland argues even that is based on faulty IP address connections that came from Sterlingov’s use of a VPN—Ekeland points out that’s very different from running the Bitcoin Fog dark-web service for the subsequent decade it remained online and laundered criminal proceeds.

To show Sterlingov’s deeper connection to Bitcoin Fog beyond a domain registration, the IRS says it used blockchain analysis to trace Bitcoin payments Sterlingov allegedly made as “test transactions” to the service in 2011 before it was publicly launched. Investigators also say that Sterlingov continued to receive revenue from Bitcoin Fog until 2019, also based on their observations of cryptocurrency payments recorded on the Bitcoin blockchain.

Ekeland counters that the defense hasn’t received any details of that blockchain analysis and points out that it was left out of the most recent superseding indictment against Sterlingov, which was filed last week. That means, he argues, that the government has based the core of its case on an unproven, relatively new form of forensics—one that he says led them to the wrong suspect. “Has it been peer-reviewed? No,” Ekeland says of blockchain analysis. “Is it generally accepted in the scientific community? No. Does it have a known error rate? No. It’s unverifiable. They can say total nonsense, and everyone has to take it on faith.”

Ekeland says that discovery documents in the case show that the prosecution’s cryptocurrency tracing was performed with tools sold by Chainalysis, a New York–based blockchain analysis startup, along with consulting help from Excygent, a government contractor specializing in cybercriminal and cryptocurrency investigations, which Chainalysis acquired in 2021.

Ekeland argues that Chainalysis, valued at $8.6 billion in a recent investment round and frequently used in high-profile cybercriminal law enforcement investigations, had a conflict of interest in the case, given its financial dependence on US government contracts and a flow of former government investigators who have gone to work for Chainalysis. “This is a story of people profiteering and advancing their careers, throwing people in jail to promote their blockchain analysis tool that is junk science and doesn’t withstand any scrutiny,” says Ekeland. He adds that, based on the evidence provided in Sterlingov’s case, he believes “Chainalysis is the Theranos of blockchain analysis.”

Chainalysis declined to comment about the motions filed yesterday, their broader implications, or Ekeland’s characterization of its work.

Sterlingov, for his part, says his cryptocurrency holdings—all of which were frozen at the time of his arrest—came not from Bitcoin Fog but from early investment in cryptocurrency. He concedes that he did send and receive payments to Bitcoin Fog as a user of the service seeking privacy, but says he didn’t use his bitcoins for anything illegal. “I think some of my transfers must have gotten mixed up with everything,” he says.

Along with their motions, the defense filed two expert declarations with the court, one from cybersecurity researcher Chris Vickery and the other from intelligence analyst Eric Garland. The documents are meant to support Sterlingov and his lawyer’s accusations about the prosecution’s digital forensic analysis and Chainalysis and Excygent’s alleged conflicts of interest in investigating Sterlingov’s potential ties to Bitcoin Fog.

Sterlingov, who moved with his family from Voronezh, Russia, to Gothenburg, Sweden, when he was 14, also argues that as a Swedish citizen he should be tried in Sweden rather than the United States. He had flown to the US, he says, only to go to flight school to train as a commercial pilot. His defense has argued in Monday’s motions that the District of Columbia prosecutors charging Sterlingov have no venue to pursue the case, given that he has no connection to Washington, DC.

"I don’t understand how I’m in an American jail. I’ve never done business with America,” says Sterlingov. “I’m worried. I don’t know what’s going to happen. I’m thousands of miles from my home. If I were some kind of crypto criminal kingpin, which I’m not, Sweden could deal with me."

Furthermore, Sterlingov’s lawyers argue in their motion to dismiss that the statute of limitations has run out on the charges against him, since the alleged conduct at issue, including registering the Bitcoinfog.com domain and conducting particular Bitcoin transactions, occurred in 2011. The motion argues that three of the counts brought against Sterlingov have a five-year statute of limitations and that one has a six-year statute.

Given that blockchain analysis and cryptocurrency payment tracing techniques have matured over the past decade and have become central to many cybercriminal investigations in the US and worldwide, it is inevitable that their methodology and validity will be called into question and interrogated. Sterlingov’s case is taking the first step to establish that battleground.