Full Report
The pair had pleaded guilty in late July to participating in a conspiracy “to operate a money transmitting business in which they knowingly transmitted criminal proceeds.”
Analysis Summary
# Incident Report: Samourai Wallet Illicit Financial Transactions
## Executive Summary
This report summarizes the regulatory findings and sentencing of the co-founders of Samourai Wallet, a cryptocurrency mixing service. The founders pleaded guilty to operating an unlicensed money transmitting business that knowingly facilitated the movement of over \$237 million in criminal proceeds derived from activities including drug trafficking and fraud. The enforcement action concluded with prison sentences, substantial fines, and forfeiture of illicitly earned fees.
## Incident Details
- Discovery Date: Not explicitly stated; investigation likely ongoing prior to April 2024.
- Incident Date: Ongoing operations from 2015 (founding) until seizure/arrests (April 2024).
- Affected Organization: Samourai Wallet (Cryptocurrency Mixing Service)
- Sector: Financial Technology/Cryptocurrency Services
- Geography: Operations globally; arrests occurred in the U.S. and Portugal.
## Timeline of Events
### Initial Access
- Date/Time: Operations began in 2015, with the features at issue added later (Ricochet in 2017, Whirlpool in 2019).
- Vector: Operation of an unlicensed money transmitting business designed to obfuscate cryptocurrency transfers.
- Details: The service offered "Whirlpool" (Bitcoin mixing) and "Ricochet" (introducing unnecessary intermediate transactions/hops) to aid users in concealing transaction origins.
### Lateral Movement
- Not applicable in the traditional sense; the "movement" was the transfer of illicit funds through the mixer service itself.
### Data Exfiltration/Impact
- Impact: Facilitation of over \$237 million in transactions directly tied to criminal proceeds, including funds from drug trafficking, darknet marketplaces, cyber-intrusions, and fraud. Total volume cited was over \$2 billion in value passing through the mixers.
### Detection & Response
- Date/Time: Arrests announced in April 2024. Sentencings occurred in November 2025.
- Vector: Law enforcement investigation culminating in coordinated seizures.
- Details: U.S. DOJ coordinated the seizure of Samourai’s domain and servers with assistance from authorities in Iceland. Co-founder Keonne Rodriguez was arrested in the U.S.; co-founder William Lonergan Hill was detained in Portugal and extradited.
## Attack Methodology
*Note: Since this was an enforcement action against the operators of a service rather than a traditional cyberattack, the methodology focuses on the design and promotion of the illicit financial service.*
- Initial Access: Establishing and operating the unlicensed money transmitting business (Samourai Wallet).
- Persistence: Continuous operation of the mixing services ("Whirlpool" and "Ricochet") since their launches.
- Privilege Escalation: Not applicable.
- Defense Evasion: Coin-mixing (Whirlpool) and added transaction hops (Ricochet), both designed specifically to break the on-chain link between sender and receiver addresses.
- Credential Access: Not applicable.
- Discovery: Active promotion of the service to criminal users via dark web markets, messaging services, and public social media.
- Lateral Movement: Not applicable.
- Collection: N/A (The service collected fees, not user data in this context).
- Exfiltration: Transferring illicit cryptocurrency proceeds through the mixing process.
- Impact: Enabling money laundering for numerous criminal enterprises.
## Impact Assessment
- Financial: Operators forfeited over \$6.3 million (representing fees earned). Fines of \$250,000 were levied against each operator.
- Data Breach: Not a data breach, but facilitation of an estimated \$237 million in illicit transactions.
- Operational: The Samourai Wallet service was effectively shut down following the seizure of domains and servers.
- Reputational: Significant negative attention directed at cryptocurrency mixing services generally.
## Indicators of Compromise
*Note: Since the "compromise" was regulatory/legal, not a network intrusion, traditional IoCs are irrelevant. Focus is on the service's features.*
- Network indicators: Defanged URLs/IPs related to the seized infrastructure (not provided in the source text).
- File indicators: N/A
- Behavioral indicators: Use of "Whirlpool" and "Ricochet" features by users attempting to obfuscate illicit funds.
## Response Actions
- Containment measures: Seizure of Samourai Wallet's domain and servers through international cooperation (involving Iceland). Arrest of co-founders in the U.S. and Portugal.
- Eradication steps: The service was taken offline and its operators indicted and sentenced.
- Recovery actions: Forfeiture of \$6.3 million in illicit profits.
## Lessons Learned
- The ability of regulatory bodies to coordinate international efforts (US, Portugal, Iceland) is critical for dismantling globalized illicit financial services built on cryptocurrency.
- Promotion and marketing of mixing features directly to known criminal elements is a significant factor in proving conspiracy charges.
- Legal precedent continues to be established regarding the operation of unregulated crypto mixing services as money laundering conduits.
## Recommendations
- Continued international regulatory cooperation is necessary to target the operators of cryptocurrency mixers.
- Financial institutions handling large or complex cryptocurrency movements should conduct enhanced due diligence, particularly concerning addresses known to interact with mixing services.
- Proactive monitoring and disruption of known criminal promotional channels (dark web, specific social media) used by illicit services should be maintained.
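As an added example (not part of the original report), the behavioral indicators and the due-diligence recommendation above can be turned into simple screening heuristics over a transaction graph: flagging multi-input transactions with several equal-value outputs (the pattern Whirlpool-style CoinJoins produce; the report only says "Bitcoin mixing", so the equal-output assumption is mine) and chains of single-input, single-output hops of the kind Ricochet inserts. All transaction data below is constructed.

```python
from collections import defaultdict

# Constructed sample graph: txid -> inputs/outputs as (address, value in satoshis).
# tx_cj mimics an equal-denomination CoinJoin, tx_h1..tx_h4 a chain of
# single-in/single-out hops, tx_pay an ordinary payment with change.
TXS = {
    "tx_cj": {"in": [("a1", 1_050_000), ("a2", 1_030_000), ("a3", 1_070_000),
                     ("a4", 1_020_000), ("a5", 1_040_000)],
              "out": [(f"b{i}", 1_000_000) for i in range(1, 6)]},
    "tx_h1": {"in": [("c0", 50_000_000)], "out": [("c1", 49_990_000)]},
    "tx_h2": {"in": [("c1", 49_990_000)], "out": [("c2", 49_980_000)]},
    "tx_h3": {"in": [("c2", 49_980_000)], "out": [("c3", 49_970_000)]},
    "tx_h4": {"in": [("c3", 49_970_000)], "out": [("c4", 49_960_000)]},
    "tx_pay": {"in": [("d0", 100_000_000)],
               "out": [("merchant", 90_000_000), ("d0_change", 9_990_000)]},
}

def is_coinjoin_like(tx, min_equal=3):
    """Many inputs and >= min_equal outputs of one identical value.
    Also matches legitimate batched payouts, so treat as a signal, not proof."""
    if not tx["out"]:
        return False
    counts = defaultdict(int)
    for _, value in tx["out"]:
        counts[value] += 1
    return len(tx["in"]) >= min_equal and max(counts.values()) >= min_equal

def hop_chains(txs, min_hops=3):
    """Chains of >= min_hops single-input/single-output transactions, each
    spending the previous one's only output (hops with no economic purpose)."""
    spent_by = {addr: t for t, tx in txs.items() for addr, _ in tx["in"]}
    made_by = {addr: t for t, tx in txs.items() for addr, _ in tx["out"]}
    simple = {t for t, tx in txs.items() if len(tx["in"]) == len(tx["out"]) == 1}
    nxt = {t: spent_by.get(txs[t]["out"][0][0]) for t in simple}
    chains = []
    for head in sorted(t for t in simple if made_by.get(txs[t]["in"][0][0]) not in simple):
        chain = [head]
        while nxt.get(chain[-1]) in simple:
            chain.append(nxt[chain[-1]])
        if len(chain) >= min_hops:
            chains.append(chain)
    return chains

def screen(txs):
    """Map txid -> flag for every transaction that trips a heuristic."""
    flags = {t: "coinjoin_like" for t, tx in txs.items() if is_coinjoin_like(tx)}
    for chain in hop_chains(txs):
        flags.update({t: "ricochet_like_hop" for t in chain})
    return flags
```

Calling `screen(TXS)` returns the flagged transactions and their reason; the ordinary payment `tx_pay` trips neither heuristic.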