But when Anderson mentioned this problem in January to David Fox, a professor of law at Edinburgh Law School, Fox pointed out that British law already provides a solution: An 1816 precedent known as Clayton's Case, which dealt with who should be paid back from the remaining funds of a bankrupted financial firm. The answer, according to the presiding judge, was that whoever put their money in first should take it out first. The resulting first-in-first-out—or FIFO—rule became the standard way under British law to identify whose money is whose in mixed-up assets, whether to resolve debts or reclaim stolen property.

Unmixing Coins

So Anderson and his team of researchers started to consider what that rule would look like applied to Bitcoin's blockchain. Mix up a dirty coin and nine clean ones in a laundry address or exchange, and all 10 coins that came out would be defined by the same order they went in—even if that order was just a millisecond's difference in which transaction was written to the blockchain's record first. If the first bitcoin to go into the mix were stolen, the first to come out of the mix would be considered that same coin, and thus still stolen. "It allows us to see through the great majority of the algorithms people use to try and mix and obscure the origins of bitcoin transactions," says Anderson.

And doesn't that essentially make bitcoin laundries into reverse lottery systems, where an arbitrarily chosen person ends up holding a stolen coin that might be claimed back by a theft victim? Anderson argues that the principle has worked for centuries as part of British law. And if innocent users end up having their coins claimed as stolen property, they'll quickly learn to stay away from Bitcoin laundries and shady exchanges. "One unlucky person is going to end up holding the stolen bitcoin," Anderson says. "If you’re not the person who went in with the stolen bitcoin in the first place, you’re never going to play that game."

When the researchers tried out their FIFO analysis on Bitcoin's actual blockchain, they found that in massive thefts—like the 2012 heist that took 46,653 bitcoins from the cloud provider Linode, or the 2014 theft of 896 bitcoins from bitcoin "bank" Flexcoin—they could create far tidier answers about where those stolen coins ended up than the haircut method could. Using the FIFO method, they linked the Linode haul to fractions of tainted bitcoins at around 372,000 addresses, compared with 2.7 million tainted bitcoins with the haircut method. (The latter number would mean a single theft had tainted nearly 5 perceent of the whole blockchain, the researchers point out.) For the Flexcoin attack, they traced fractions of the stolen coins to just 18,000 accounts, compared with 1.4 million using the haircut system.

Accountability at a Cost

For the Cambridge researchers' technique to be put into practice, of course, it would have to be adopted by the people who actually make the rules about what constitutes a tainted bitcoin—governments around the world, or at the very least, Bitcoin exchanges or banks trying to avoid handling dirty money. But simply by publishing the results of their FIFO blockchain, as they plan to do later this year, the researchers may influence how those power brokers determine which coins they consider tainted.

If their system is adopted, it would come at a price, argues Sarah Meiklejohn, a professor of cryptography and security at the University College of London. "It basically destroys all privacy solutions for Bitcoin," Meiklejohn says simply. After all, innocent users sometimes put their bitcoins through laundries, too, to keep their legal but sensitive transactions private. "The default level of anonymity in Bitcoin is not very high, and there are legitimate reasons for people to want to make it higher. It’s not a good thing for everyone to have no anonymity."

The legal basis for FIFO, particularly in the US, also isn't quite as simple as the Cambridge researchers describe, says University of Texas law professor Andrew Kull. In some cases, judges instead use pro rata tracing—the haircut approach in which all the mixed accounts hold a proportional amount of the tainted assets—or a technique called "Jessel's Bag," which takes money from guilty parties before innocent ones.

And how ownership tracing works in practice can depend on myriad factors like the statutes of a particular state, the decisions of a judge, and whether the asset is defined as money or as a commodity, which is hardly a simple question in the case of Bitcoin. FIFO is "just a convention. It doesn’t have any inner logic to it at all," Kull points out. "It's arbitrary, but it’s as good as anything else between two people who are innocent."

Arbitrary as it may be, FIFO does have hundreds of years of legal history behind it, the Cambridge researchers argue. And given how powerful it may be as a mechanism for sorting out mixed-up bitcoins, it could be only a matter of time until someone applies that precedent to try to claim their stolen stash.

"Some people will sue regulated Bitcoin exchanges and say, 'You’ve been receiving stolen goods and they were mine. Kindly compensate me,'" Anderson says. "When the first such case hits a sufficiently senior court for it to set a precedent, that will be of enormous importance to the entire cryptocurrency world."

Attack the Blockchain

• You sloppy bitcoin drug deals are going to haunt you for years
• What's the blockchain, anyway? Here's our complete guide
• Monero, another popular cryptocurrency, also has some privacy issues users might not have expected