Bitcoin Fog is a case that seems to be shaping up to put crypto tracing and privacy on trial. Roman Sterlingov was accused of laundering $336 million. However, he is now proclaiming his innocence and even challenging a major investigative tool. Tools used for crypto tracing have, in the past several years, enabled law enforcement agencies to convict some dark-web black-market administrators, seize billions in stolen bitcoins, recover millions in ransomware payments, and disrupt major networks of child abuse.
Now, one criminal defendant alleges that the same crypto tracing tools have unjustly put him in jail for over 15 months.
In the spring of 2021, a 33-year-old Swedish-Russian national, Roman Sterlingov, was apprehended by Internal Revenue Service (IRS) criminal investigators at the Los Angeles airport. During his arrest, he was accused of creating and operating Bitcoin Fog.
What Is Bitcoin Fog?
Bitcoin Fog is a bitcoin “mixing” service on the dark web that took in coins from its users and returned others, aiming to prevent forensic accountants from following the money’s trail. The US Justice Department accuses Sterlingov of over $336 million in money laundering over Bitcoin Fog’s decade online.
Now, Sterlingov’s legal team, led by the infamous hacker defense attorney Tor Ekeland, has fired back: in a series of legal motions filed on August 1, they allege that Sterlingov is innocent and vow to take his case to trial.
In doing that, Sterlingov’s defense says that they plan to show that he never operated Bitcoin Fog and that the blockchain analysis techniques used to pin the case on him were mainly faulty, resulting in his wrongful arrest and a lost year of his life.
While speaking from a Northern Virginia jail, Sterlingov said:
“I did not create Bitcoin Fog. I was never an administrator of Bitcoin Fog. I’ve been here for more than a year now. I’m perplexed at the system that could put me in here, at what they can do to an innocent man. It’s a Kafkaesque nightmare.”
The Case Implicated Sterlingov
Unlike in some of the more clear-cut investigations of criminal use of crypto, prosecutors in Sterlingov’s case have not pointed to any smoking-gun digital evidence retrieved from Sterlingov’s possessions or devices when he was apprehended during his trip to the United States in 2021.
Instead, the facts unveiled when charges against Sterlingov became public in April 2021 included a combination of IP address matching, blockchain-based crypto tracing, and online account information links.
The IRS states that this collection of evidence ties Sterlingov to Bitcoin Fog’s creation in 2011 and shows – via bitcoin tracing particularly – that he continued to receive profits from the service as late as 2019.
Sterlingov’s defense attorney Ekeland asked:
“Where’s the corroborating evidence?”
He runs through the entire inventory of items found on Sterlingov at the time of his arrest, which he said included hard drives, Bitcoin debit cards, laptops, backup codes for his accounts, and a customized smartphone for storing crypto funds.
“But you know what’s not found when they catch him traveling? A shred of evidence that he operated Bitcoin Fog. No witnesses, no logs, no communications. They’re pinning it on a multi-layer guessing game.”
The Department of Justice has yet to respond to requests for comment. Notably, the IRS declined to comment on pending litigation. On August 1, Sterlingov and his lawyers filed a motion to dismiss, a motion to free all seized assets, a motion for a bill of particulars, and a motion to reconsider pretrial detention, among many other items.
Authorities Produce Mountains Of Perceived Evidence
In that context, the DOJ has produced over three terabytes of data related to the case during discovery. The defense claims that the huge volume of information is quite challenging to analyze, but that nothing in it appears to establish a direct connection between Sterlingov and the creation or even operation of Bitcoin Fog.
They further insist that the digital forensic analysis that the prosecution has shared is opaque and flawed.
If the prosecution does not produce any clear evidence as Sterlingov’s case unfolds, it might need to rely on the indirect digital connections between Bitcoin Fog and Sterlingov that it highlights in the statement of facts collected by the IRS’s criminal investigations division. A lot of that evidence was based on crypto tracing techniques.
The statement highlights a trail of financial transactions from 2011 supposedly linking Sterlingov to payments made to register the Bitcoinfog.com domain, which was not Bitcoin Fog’s real dark web website but a traditional website that advertised it.
The money to pay for that domain traveled via multiple accounts and was in the end exchanged from Bitcoin for Liberty Reserve, the now-defunct digital currency, as stated by prosecutors. However, the IRS insists that blockchain data, IP addresses, and phone numbers connected with the different accounts all connect the payments to Sterlingov.
One Russian-language document found in Sterlingov’s Google Account also described a strategy of obscuring payments similar to the one that he is accused of utilizing for that domain registration. Sterlingov said that he “can’t remember” if he created Bitcoinfog.com and said that he worked at the time as a web designer for Capo Marknadskommunikation, a Swedish marketing firm. Sterlingov said:
“That was 11 years ago. It’s really hard for me to say anything specific.”
Even if the government can prove that Sterlingov created a site to promote Bitcoinfog.com in 2011 – and Ekeland insists even that is based on faulty IP address connections that arose from Sterlingov’s use of a VPN – Ekeland stresses that this is quite different from operating the Bitcoin Fog dark-web service for the subsequent decade it remained online and laundered a lot of criminal profits.
How Is Sterlingov Connected To Bitcoin Fog?
To prove Sterlingov’s deeper connection to Bitcoin Fog past a domain registration, the IRS mentioned that it used blockchain analysis to track Bitcoin payments that Sterlingov supposedly made as “test transactions” to the service back in 2011 before it was launched publicly.
Analysts and investigators believe that Sterlingov continued generating revenue from Bitcoin Fog up to 2019, according to observations of crypto payments recorded on the Bitcoin blockchain.
Ekeland counters that the defense has yet to receive any details of the blockchain analysis and points out that it was left out of a majority of the recent superseding indictment against Sterlingov, filed in the last week of July.
He insists that the government has focused the center of its case on some untested new type of forensics, one that he believes led them to arrest the wrong suspect. Ekeland commented on blockchain analysis:
“Has it been peer-reviewed? No. Is it generally accepted in the scientific community? No. Does it have a known error rate? No. It’s unverifiable. They can say total nonsense, and everyone has to take it on faith.”
Ekeland states that discovery documents in the case indicate that the prosecution’s crypto tracing was done using tools sold by a New York-based blockchain analysis startup, Chainalysis. The prosecution also received consulting help from Excygent, a government contractor that specializes in crypto and cybercriminal investigations. Interestingly, Chainalysis acquired Excygent in 2021.
Ekeland believes that Chainalysis, valued at around $8.6 billion, had a conflict of interest in this case, considering its financial dependence on US government contracts and a flow of previous government investigators who shifted to work for Chainalysis. Ekeland stated:
“This is a story of people profiteering and advancing their careers, throwing people in jail to promote their blockchain analysis tool that is junk science and doesn’t withstand any scrutiny.”
Based on all the evidence offered in Sterlingov’s case, Ekeland thinks “Chainalysis is the Theranos of blockchain analysis.”
Chainalysis declined to comment on the motions filed recently.
Sterlingov Pleads Not Guilty
For his part, Sterlingov said his crypto holdings, which were frozen at the time of his arrest, did not come from Bitcoin Fog but from early investment in crypto. He agrees that he sent and received payments from Bitcoin Fog as a user of the service looking for privacy, but he never used his bitcoins for anything illegal. He insisted:
“I think some of my transfers must have gotten mixed up with everything.”
Coupled with their motions, the defense filed two expert declarations with the court, one from intelligence analyst Eric Garland and the other from cybersecurity researcher Chris Vickery.
These documents are meant to support the allegations made by Sterlingov and his lawyers about the prosecution’s digital forensic analysis and about Excygent’s and Chainalysis’ supposed conflicts of interest in investigating Sterlingov’s possible links to Bitcoin Fog.
Sterlingov, who relocated with his family from Voronezh, Russia, to Gothenburg, Sweden, at the age of 14, also says that as a Swedish citizen he has a right to be tried in Sweden instead of the United States.
He had gone to the US to train as a commercial pilot. In their August 1 motions, his defense argued that the District of Columbia prosecutors charging him have no venue to pursue the case, since he has no connection to Washington DC.
“I don’t understand how I’m in an American jail. I’ve never done business with America. I’m worried. I don’t know what’s going to happen. I’m thousands of miles from my home. If I were some kind of crypto criminal kingpin, which I’m not, Sweden could deal with me.”
Moreover, Sterlingov’s lawyers insist in their motion to dismiss that the statute of limitations has already run out on the charges against him, because the alleged conduct at issue, including the registration of the Bitcoinfog.com domain and the execution of specific Bitcoin transactions, happened in 2011.
The motion insists that three of the counts brought against Sterlingov have a 5-year statute of limitations and this one has a 6-year statute. Since blockchain analysis and crypto tracing methods have matured in the past ten years, and have become integral in most cybercriminal investigations in the world, it is quite inevitable that their strategy and validity will be interrogated.
Sterlingov’s case is taking the first step to set up that battleground.