This is the story of two brothers, Larry and Gary, who were convicted for money laundering conspiracy and theft arising from their operation of Helix, a cryptocurrency mixing service operating on the dark web. Thanks to Blockchain forensic investigation, law enforcement agencies were able to track the obfuscated transactions in crypto mixer to get them convicted. Here is how this investigation meandered the challenges of tracing Blockchain transactions to to build a solid evidence of the crime.
This post was originally published in Chainalysis.
Use Case: Blockchain Forensic Investigation
Problem Statement
Money laundering in Blockchain is a rampant activity and crypto mixers are a means to obfuscate and club multiple transactions to hide the identities of end parties.
Realization Approach
Tracing transactions in crypto mixers involve painstaking analysis of the transactions to establish relationships between identities.
Solution Space
Using a Blockchain forensic investigation tool, transactions can be traced across Blockchains to follow the trail of crypto with the help of powerful visualizations
The first brother, Larry Dean Harmon, was arrested and charged for a money laundering conspiracy arising from his operation of Helix, a cryptocurrency mixing service operating on the dark web. Shortly after Internal Revenue Service Criminal Investigations (IRS-CI) seized Larry’s Bitcoin wallets, his younger brother, Gary James Harmon, used Larry’s passwords to steal a portion of the Bitcoin back from the seized wallets. In April 2023, Gary was sentenced to four years in prison for his theft from the government.
We’re proud to share that Chainalysis tools helped in the investigation of these cases. Below, we’ll describe the Harmon brothers’ criminal activities and how blockchain analysis helped authorities recover some of the stolen funds.
Blockchain Forensic Investigation of Larry Harmon’s Money Laundering Operations
As the founder and primary operator of Helix, Larry Harmon was involved in the cryptocurrency ecosystem for several years. He was also the CEO of Coin Ninja, where Gary was employed, and founded DropBit, the company’s mobile Bitcoin wallet.
Helix was a Bitcoin mixer, and was often used to hide proceeds from drug trafficking and other activities on the dark web. Between 2014 and 2017, Helix processed more than 350,000 Bitcoin (worth approximately $300 million at the time) on behalf of users. Larry regularly promoted Helix to darknet market users and partnered with AlphaBay, Evolution, Agora Market, Nucleus, Dream Market, and other darknet markets to grow Helix’s customer base. Larry also ran Grams, a darknet search engine linked to Helix. In Chainalysis Reactor, we can see the relationship between Helix and these darknet markets:
These activities quickly attracted the attention of IRS-CI and the Federal Bureau of Investigation (FBI). In the early stages of the investigation, an undercover FBI agent transferred Bitcoin from an AlphaBay wallet to Helix and confirmed that using the mixer reduced direct traceability to AlphaBay. Then, law enforcement used Chainalysis to identify 16 Bitcoin wallets which contained nearly 5,000 Bitcoin worth of proceeds from Helix’s operation. When law enforcement searched Larry’s residences in Ohio and Belize, they recovered multiple cryptocurrency storage devices linked to these wallets, and also found an accounting spreadsheet in his Google Drive that indicated ownership of more than $56 million worth of Bitcoin and other assets.
Larry was charged in February 2020 and pled guilty in 2021 to money laundering conspiracy. He also admitted to partnering with darknet market vendors to provide Bitcoin laundering services. Shortly after, Financial Crimes Enforcement Network (FinCEN) ordered Larry to pay a $60 million civil penalty — the first of its kind for Bitcoin mixing activities. He forfeited 4,400 Bitcoin and IRS-CI took custody of his wallets.
Gary Follows Larry’s Footsteps
After Larry’s arrest in 2020, Gary was laid off from Coin Ninja and struggled financially. Sensing an opportunity to acquire funds from his brother’s 16 wallets in custody, Gary used Larry’s passwords to access several of them and transferred 712 Bitcoin (worth more than $5 million at the time) to eight new wallets. We can see those transactions below in Reactor to aid in the Blockchain forensic investigation of Gary’s activities.
Once complete, Gary deposited 68 Bitcoin as collateral for a $1.2 million loan from BlockFi, which he used to purchase a luxury condo in Cleveland, Ohio, and spent at strip clubs and on private jets. The below image shows Gary in a bathtub with cash at a nightclub, which investigators recovered on his phone. Additionally, text messages on the phone suggest he made extravagant purchases around the same time.
In July 2021, Gary was arrested and federal agents searched his Ohio residence. They found wallets which contained approximately $6,000 in Bitcoin at the time. In addition to his four-year prison sentence, Gary was ordered to surrender $20 million in virtual currencies and other property. He pled guilty to wire fraud and obstruction of justice.
Tracking Criminals on the Blockchain
Although criminals like the Harmon brothers continue to launder money using blockchain technology, law enforcement is now able to leverage tools like Chainalysis Reactor and Storyline, and employ other sophisticated Blockchain forensic investigation strategies to track and recover stolen funds.
In 2022, IRS-CI announced that it had seized $7 billion worth of digital assets in the previous year. This included a record $3.6 billion from two individuals accused of laundering funds stolen from the 2016 Bitfinex hack, and $3.36 billion recovered from a theft of Bitcoin from darknet market Silk Road. These numbers suggest a crucial difference between investigations involving fiat versus those with cryptocurrency; on the blockchain, everything is immutable and transparent, ensuring that law enforcement will always have trails to follow.
