The Harmon Brothers - Forfeited BTC is Re-Forfeited

Apparently the Trezor wallet isn't secure. At least between brothers.

Gary James Harmon, brother of Larry Dean Harmon of Helix Bitcoin mixer fame, was sentenced to 51 months in prison for stealing and mixing 712 bitcoin that Larry had criminally obtained, mixed, and later forfeited to the government. The 712 bitcoin, forfeited by Larry, will be re-forfeited by Gary.

Larry Dean Harmon and Helix

In December 2019 Larry Harmon was arrested for his operation of Helix, a darknet-based crypto mixer or tumbler described by the government as a "money laundering service" for crypto. Larry operated Helix from 2014 through 2017 as a service to people using darknet marketplaces to buy and sell illegal ... everything. In the four years it was operational, the Helix mixer moved (laundered) over 354,000 bitcoin – valued at over $300 million at the time of the transactions but worth about $10.6 billion today – on behalf of customers, with the largest volume coming from darknet markets.

When Larry was arrested, law enforcement executed at least four search warrants in Ohio (where Larry was physically located), California, Belize, and Sweden, and seized twenty different assets. Among those assets was a Trezor One cryptocurrency storage device containing sixteen crypto wallets that held some of Larry’s illegal proceeds generated through the operation of Helix: 4,877 BTC.

All of these assets were eventually forfeited to the government (the criminal case is United States v Larry Dean Harmon, DC District Court 19CR00395).

Larry was also hit with a $60 million civil money penalty imposed by the Treasury Department's Financial Crimes Enforcement Network (FinCEN) in October 2020. The FinCEN assessment order, and accompanying press release provided some details that weren't in the criminal case. FinCEN determined that Larry was "the founder, administrator, and primary operator of Helix and Coin Ninja, convertible virtual currency mixers or tumblers". Helix was an unregistered money services business (MSB) from 2014 to 2017 and Coin Ninja from 2017 to 2020. FinCEN also determined:

"From June 2014 through December 2017, Helix conducted over 1,225,000 transactions for its customers and was associated with virtual currency wallet addresses that sent or received over $311 million dollars.?FinCEN’s investigation has identified at least 356,000 bitcoin transactions through Helix. Mr. Harmon operated Helix as a bitcoin mixer, or tumbler, and advertised its services in the darkest spaces of the internet as a way for customers to anonymously pay for things like drugs, guns, and child pornography."

That $60 million civil assessment may be satisfied by any proceeds the DOJ may be able to recover in the criminal case.

Back to the criminal case. As of early 2020 law enforcement was unable to recover the bitcoin stored on the Trezor One device, and Larry didn't initially provide access to the device. Without that authorized access, the only way to access the bitcoin was with a recovery seed phrase of twelve to twenty-four words. And only Larry would have known that recovery seed phrase.

Enter Larry's younger brother Gary.

Gary James Harmon - Steal, Mix, Dogecoin, and Lambos

Gary Harmon bounced around at some odd jobs before landing a gig for his brother's Coin Ninja business. Apparently he wasn't much of an asset, as his compensation didn't go over $70,000 for the year or two he worked at Coin Ninja before Larry's arrest and the collapse of the business.

According to the government's allegations in his subsequent criminal case (see United States v Gary James Harmon, DC District Court 21CR00433), Gary used his brother’s credentials to recreate the bitcoin wallets stored on the Trezor device and covertly transfer more than 712 bitcoin, valued at approximately $4.9 million at the time, to his own wallets. He did so knowing that the government was seeking to recover the bitcoin stored on his brother's seized device for forfeiture, and therefore obstructing the pending criminal forfeiture proceeding. According to the government, Gary Harmon then laundered the proceeds through two online bitcoin mixer services before using the laundered bitcoins to finance large purchases and other expenditures.?

It should be noted that even when crypto wallets are "offline" and stored ("securely") on an unconnected device (such as a Trazor device), the wallets can be recreated with a recovery seed phrase. This is what Gary did.

Gary Harmon confirmed the government's allegations. According to his own Sentencing Memorandum in his criminal case, from April 19th to 21st of 2020, Gary Harmon used his brother's recovery seed phrase to access the contents of eight of the sixteen wallets. He transferred 712.6 BTC, then worth about $4.9 million, to eight new wallets. He then ran that bitcoin through two mixers (Wasabi Wallet and BitMixer). He then cashed out some of the bitcoin (according to his sentencing memo) "in the ensuing months to, among other things, purchase a car, go on a trip to Miami where he visited a nightclub and spent lavishly". He then deposited 66 bitcoin with BlockFi to secure a loan "with which he purchased a Cleveland condominium. He went to nightclubs in Ohio, drank heavily, and used drugs."

Apparently Gary drank heavily on the day he moved the bitcoin from his brother's wallets. In the government's sentencing memo, the government wrote:

"According to text messages subsequently recovered from the defendant’s phone, he messaged an associate on or about April 22, 2020 - in the midst of these transfers - with the message, 'Drunk and moved way to much.' The associate expressed concern about the defendant driving while intoxicated. The defendant responded that he would not do so, adding, 'I’m the only one with the passphrass.'"

Gary moved and spent bitcoin like a typical bitcoin bro. According to the government's sentencing memo:

"On January 30, 2021, the defendant opened an account at the virtual currency exchange Bittrex using a ProtonMail email address ... Over a 4-day period in early February, the defendant deposited approximately 26.55 bitcoin - worth nearly $1 million at the time - into the account; shortly thereafter, he converted the majority of funds to Dogecoin, an alternative cryptocurrency. On March 25, 2021, the defendant deposited approximately 67.62 bitcoin - worth approximately $3.5 million at the time - into an account at the cryptocurrency finance company BlockFi. The defendant used the bulk of those funds as “loan collateral” for a $1.2 million cash loan, which he used to purchase a luxury condominium. The defendant purchased a luxury Swiss “Bitcoin” watch. The defendant also used the funds to commission custom work on a Lamborghini, though the car was not completed prior to the defendant’s arrest ...".

Larry Dean Harmon - His Cooperation Leads to his Brother's Arrest

Larry was charged in December 2019. One of the charges was criminal forfeiture of the proceeds of the criminal activity - $311 million. In late April 2020 the government discovered that eight of the sixteen wallets had been "emptied". They thought Larry had accessed the wallets, and brought an emergency motion. Fearing that he would be detained in prison, Larry cooperated, and on April 29, 2020 Larry provided the government with access to his various crypto wallets, including the sixteen on the Trezor device. When they accessed the device, they found 4,169 bitcoin in what they described as wallets 9 through 16, but wallets 1 through 8, which had been emptied, had held 712.6 bitcoin.

So the government went looking for the stolen forfeited bitcoin. Beginning in August 2020, federal agents monitoring the public blockchain began observing small transfers of bitcoin traceable back to the eight wallets and into Wasabi Wallet and ChipMixer. In total, between August 2020 and March 2021, about 519 bitcoin was traced.

Federal agents then looked at the US dollar activity of Larry's brother Gary. They found that his fiat spending habits reflected the movement and amounts of the stolen bitcoin. By June 2021 they had found the thief - Larry's brother Gary.

Gary James Harmon - Done and Dusted

Gary was indicted on June 28, 2021. He was arrested on July 28, 2021 and ordered detained until trial. He eventually pled guilty on January 6, 2023 and agreed to the forfeiture of cryptocurrencies - 647.41 Bitcoin (BTC), 2.14 Ethereum (ETH), and 17,404,400.64 Dogecoin (DOGE) - the condo in Cleveland, an Audi S5, about $285,000 from bank accounts, and the balance in his BlockFi account (no word on any balances in the Bittrex account).

The total value of all of this property is about $20 million.

Ironically, at the time the 712 bitcoin were stolen, the value was $4.9 million in US dollars. The re-forfeited bitcoin almost tripled in value. In effect, he stole $5 million worth of forfeited funds and is forfeiting $20 million worth of re-forfeited funds. It's crypto, go figure.

Larry Dean Harmon - What's Next?

On August 18, 2021 Larry Dean Harmon entered into what is known as a "cooperation guilty plea", where he pled guilty to a few of the charges but his sentencing would be deferred, and sentenced reduced, by providing whatever cooperation was agreed to. In this case, it was hunting down as many of the 354,000 bitcoin, darknet buyers and sellers, and Helix users as possible.

As of April 2023 his sentencing remains deferred as his cooperation "remains active and ongoing" (according to the latest court filing).

If his brother got 51 months in prison for stealing 712 of the 354,468 bitcoin that was originally ordered forfeited, what will Larry Dean end up getting? His cooperation better be stellar.