Early Friday, I published “Blockchain analytics firm CipherBlade steps in to launder ShapeShift’s image.”

The story was about how crypto exchange ShapeShift requested analytics firm CipherBlade to repeat a September 2018 report by the Wall Street Journal. The original report said ShapeShift had been used to facilitate $9 million in money laundering over a period of several years. The investigation took place before ShapeShift implemented KYC identity checks in October 2018.

After I published my story, CipherBlade founder and CSO Richard Sanders sent me a response late in the evening on March 24. What follows is his letter in full, which adds a little more background to the whole story. Thank you, Richard.

Hey Amy,

Thanks for taking the time to review some items I noticed in your article. I’ll quote particular items and provide some feedback on each.

The second WSJ report does not address what happened to Quadriga’s missing funds, only that, according to two independent researchers, some ether left the online accounts of the platform and moved through ShapeShift before Quadriga became insolvent. But the implication was the same—money laundering.

I haven’t looked into this myself, but FYI, I believe ShapeShift looked into this. If I recall correctly, these transactions were indicative of liquidity—if you can’t find the bit I’m referencing, let me know, and I’ll hunt it down for you. I’d equally be happy to review proof the WSJ provides behind their claim, but to be frank, don’t expect that to be provided by them.

To defend its reputation, ShapeShift “requested” CipherBlade, a hitherto unknown

This has been addressed in numerous articles, so I’m not sure how to appease the “requested” bit here. However, this request was done indeed—ShapeShift has been aware of CipherBlade for some time now (as most major exchanges/platforms are) and knows what we do. Regarding the ‘hitherto unknown,’ we’ve spent precisely $0.00 on marketing. In this current phase, we just don’t need to—we have more than enough requests coming our way, primarily via word of mouth. We’re quite well known by the current demographics that constitute the largest demand for our services (ICOs, exchanges, attorneys) – and while we may not yet be on the tip of the tongue of the average person in blockchain, we’re certainly well-known enough to get a stream of word of mouth referrals large enough that we can’t take all of the requests.

It is important to clarify what the new report actually says. It does not vindicate ShapeShift. It only says the laundering was less than what WSJ said. But money laundering is money laundering, and no matter how you slice or dice it, or who else is allowing it, it’s still money laundering.

I’ll start with saying that I have extensive respect for the way you worded this—the report indeed did not vindicate ShapeShift. ShapeShift was very, very aware that if our findings were damning, they’d still be our findings. However, I will disagree with the “but money laundering is money laundering” bit. There is significant importance behind analyzing the extent instances of laundering takes place on any platform. Analyzing how much money has gone through any system contingent with volume is a KPI that’s existed before blockchain was a thought, and continues to be a metric of review for anyone in the know on these topics. Obviously, in a perfect world, the amount would be $0 – but we live in a far from perfect world. If you’d like to break down percentiles of dirty funds going through other platforms, I’m keen to discuss more in-depth – but the short version is that, relative to other platforms, the percentile of laundered funds that went through ShapeShift is substantially lower, and yeah, this matters a lot.

The company is based in Pittsburgh.

I personally am based in Pittsburgh, and the core team is spread out mostly in Europe. This datapoint, as you linked, is from our LinkedIn, which has a location of Pittsburgh since it is much more of a tech hub and place someone may decide to meet me in person. Your other due diligence on registered office/incorporation aside, I simply find it sensible to be public-facing enough to a degree to say “hey, I’m here if anyone cares to meet.” This is more than many companies have done, and frankly, a step I think as an industry we must demand more of – so why not practice what I preach, right?

You can file “incident reports” on CipherBlade’s website. A basic report costs $100. Adding a police report brings the price to $350. The platform accepts payments in bitcoin, ether and go—the latter being an obscure coin that mainly trades on Binance. The company does accept cash, but only via bank wires. 

So by now, a few other articles analyze bits about our Report function (and why it exists,) but allow me to go more in-depth with you directly: often times (and this ties into why people would pay for a Report) law enforcement doesn’t have the training on how to handle these types of incidents. Local/state police in the US often don’t even know where to direct victims (typically, would be an IC3 report) and victims (and sometimes law enforcement) often don’t know what should be in a report of one of these incidents. While I wish I had all of the time in the world to help everyone for free, I don’t – and the fees we charge for help on these reports, to be quite candid, is obviously not of a level that is highly attractive to us as a business. This may be explained better on a call, as it’s a lot to type in a brief paragraph – but the short version is that most incidents aren’t reported at all, and the few that are reported often don’t have what LE needs in them. The reports we generate give LE everything in what I like to call “a nice pretty box with a bow on it,” increasing the likelihood of action on these reports.

“Matthew [Greene] paints a picture of a company doing James Bond-level work.”

I have to chuckle a bit here, because I hear this joke on at least a weekly basis. Yeah, we do some pretty… interesting stuff, and indeed, some of it does involve tradecraft (I have and do cover both the cyber and physical realms in these cases,) but that’s pretty rare.

Sanders is the public face because his background, experience, training, and connections “hedge the risk he is exposed to,” Matthew [Greene] said. He added that Sanders likes “to joke that we should state on our website that all death threats should kindly be addressed to him directly.”

I mean, again, in fairness—I know you’re quoting Matthew here with the hedge the risk portion, but it’s simply the reality. There are indeed death threats we receive—and many in the industry get these (though, obviously, based upon angering criminals and friends of criminals, we get more,) so you’d likely have some context. The majority of these threats hold little to no merit of concern even for the average person – those making the threats are highly unlikely to act on them. However, we have done numerous reports that have identified sophisticated criminal organizations and even nationstate actors as responsible for a particular incident (actually, no less, one of these was identified via someone that filed via Report—and we identified a key logger ran by a particular organization that was benefiting a particular nationstate.)

If you do want a hilarious quote for an article, do feel free to ask me what another journalist once did – if I’m scared about this.

Where am I going with all this? Nowhere, other than, when a company issues a report that downplays money laundering on a crypto exchange, you may be interested in finding out just how that company actually knows about the subject—of money laundering, that is. The answer may surprise.

So I disagree extensively with your wording here, and here is why—all of the items regarding the company registration/incorporation have already been covered. Our knowledge of laundering primarily stems from my knowledge of laundering, drawn across an extensive case history. Without delving into cases, let’s simply say this – I can respect and appreciate the due diligence attempted on a company, and it would be fair to analyze connections in the way you did. However, to imply a company that has someone like me public-facing being knowledgeable of money laundering by premise of past history therein is a pretty insane accusation if you contemplate my background, holding of a security clearance, the fact I’m extremely public-facing (and, certainly, US Gov’t keeps tabs on what I’m doing and who I associate with)—it’s simply not a strong connection to make. I can go far more in depth about my knowledge of money laundering, whether in crypto, fiat (suitcase of cash stories?) or both—tell me what you need to know.

Lastly, I need to chuckle with you on this one…

His bio reads a bit like an Internet tough guy.

My military service making me have a label of “tough guy” (let alone internet tough guy, which, typically, is someone faking the funk and hasn’t served) isn’t warranted. In reality, I’m a huge softy. I’m continually baffled why I’m hearing multiple claims basically alluding to “badass” “tough guy” or other variations. I volunteered to do a job, and I did that job. It was my choice to do it. I expect no (nor do I want) any labels ranging from “brave” to “tough guy”—either side is just not applicable. There is courage in numerous lines of work, just like there is courage in being a journalist hunting for truth in the best interests of the public. We all have our roles. I served my role as a soldier, and I now serve my role as someone cleaning up this industry. I’m a bit baffled as to why CipherBlade, and especially in particular myself, are receiving labels that essentially amount to “scary”—the only people that need to be scared of me are people that have commit crime.

Put simply—I think that equipping you with some perspective from my end may prove beneficial to you. Make whatever revisions you see fit having had read this, and feel free to ask me any questions you have. I certainly assess you as the type receptive to getting the record straight.

Side note, props for your work on Quadriga. I was just in Toronto to do a solvency and security audit on an exchange… you know, the types of steps folks like you and I are pushing to make fair expectations. It’s a damn shame it had to come to that, but the overall vibe of transparency is reflected in both situations here.

Cheers,

Rich

(Sanders also wrote a lengthy response to David Gerard’s CipherBlade report.)