A quick look at Helix by Grams

I read about Helix by Grams a week ago as the new best Bitcoin cleaner so I thought to give it a look. They call them selves as the best because it’s not just coin mixing service, but you would get clean bitcoins for your dirty ones, comparing to other coinmixing services that you would get some other dirty bitcoins for your not-so-dirty coins.

The first thing that got my attention was the neat design of the site and the service that is far modern and better than any other darknet sites I’ve even seen, it does not feel like you’re in darknet at all.

Screen Shot 2015-06-24 at 8.26.02 PM


Grams offer different services such as :

  • Helix Bitcoin cleaner with PGP 2FA and …
  • Helix Light Bitcoin cleaner without any registeration
  • Flow a redirect service for .onion sites (e.g. Helix site would be: https://gramsflow.com/helix)
  • BitBall Darknet Lotto
  • TorAds Kinda like Google Ads but for darknet
  • InfoDesk Search Dark Market vendors

For now I’ll focus on Helix and Helix Light and see how they work.

 Helix by Grams

I’m really interested to know who’s behind this site, as the design perspective, they have cool designs and google like login page and search bars.

Helix login

In order to register, you need to have PGP encryption key and you will use your public key in the registration. This would be used as a mandatory two-factor Authentication every time you want to log in to the site.

Every login page would have a encrypted login token that you need to decrypt to be able to log in to your account:

Helix 2FA

This would decrypt as:

Login Token: b2b03fb35402ff0d416a5f448a99300c3be8779acb7306cf68a55bedbf1471e0f44b833aacb4a231f84ac3699ca6f764fc7be6efcdc02b0c956e26

They have some interesting Terms and Services:

Terms of Service


Account information
Grams will encrypt all passwords on the server so if the server gets compromised our user’s data will be secure.


Grams will encrypt all message with the recipient’s pgp key and store them on the server this way. The only message that will not be store using encryption are the messages from our system.

No spamming! if a users sends out messages to our users advertising products and/or sites that user will be banned.


Reviews are here to help the community and to stop scamming on the darkweb. If a user post fake reviews or derogatory reviews they will be warned. If it continues they will be banned.

Grams Words

All listings on Grams words or any other advertising features of grams must be approved before going live. If you change the content of the page the ad links to after it is approved or try posting listing to scam sites or scam vendors you will be banned and will not receive a refund for your advertisement.

Child Porn

As a community the darknet has decided child pornagraphy will not be tolerated. Any users posting or listing anything do with child pornagraphy will be banned immediatly! No exceptions.


Grams has spent a great deal of time trying to secure our server to keep all users data secure. No bitcoins or any information that could not be gathered simply by going to the market or sites is on the server. So please dont waste our time and yours by trying to hack the server. If we even suspect you are trying sql inject, manipulate the bitcoin balance, or any other form of hacking we will ban the user.


Grams reserves the right to ban any user for any reason. A user who gets banned will not be given a refund for any bitcoins they had in their grams account. You can dispute your ban with the administrator by email.

You need at least 0.01 BTC in your account to have an activated account, this could be used later on as your credit on the site.

I won’t go too much into these details as the purpose of this blog post is to see how they work underneath and on Blockchain level.

So after logging in and going to Bitcoin page, you will have a bitcoin address for 10 hours (resettable timer) that you can use to deposit bitcoins in, and then either activate Auto-Helix to withdraw the bitcoins to an specific address or manually request it.

Bitcoin Helix


And then it might take up to 8 hours for your coins (minus fees) to get deposited into your withdrawal address.

Helix Withdraw

It took mine around 4 hours to be complete and I received an encrypted auto-delete message saying that the transactions has been done.

Your Helix transaction has been completed.
0.02439024 BTC has been sent to 126upXXXXXXXXXXXXXXXXXXXXXXXDQ
Below is a list of the transaction hashes. Copy them for you records. This message has already been deleted out of the system for security.

Transaction hashes:

Have a good day.

So let’s dig deeper and see if we can figure out what happened there.

Here is my deposit address (generated be Helix) : 1LL2F7tXua3LJ9wgFfcZchpT31eSxLDJW6

Here is my withdrawal address (blockchain.info): 126up7M1PUebBk9g9mNXvTJRFgyRr75yDQ

as you can see on my withdrawal address I received 5 distinct transactions summing up to 0.02439024 BTC.

blockchain info

Now let’s follow each transaction and see if we can find any connection between those.

In the following picture (made by numisight), those two block squares are my deposit transactions. as you can see there’s not that much pattern going on in the transactions, either on the number of inputs/outputs nor the bitcoin value of each transaction.

BitIodine clusters the deposit address with 1999 other addresses that might be useful for future investigations.



Now let’s try where the “clean” bitcoins are coming from.

It’s interesting to see one connection when I traversed up the clean coins for a few transactions.


(Blue boxes are the inputs, Green boxes are the “clean” bitcoins I received)

let’s go crazy and open up as many transaction as possible.

(Blue boxes are the inputs, Green boxes are the "clean" bitcoins I received)

(Blue boxes are the inputs, Green boxes are the “clean” bitcoins I received)

It didn’t need that much craziness to get connected. now you can see there is a really complex connection between the inputs and the outputs. However this does not prove anything in specific, if you follow two distinct normal busy bitcoin addresses, it’s likely possible that they have some input transactions in common if you go deep enough, that just means there was a common address (same or not the same owner) in the transaction chain.

This is the first post of a series of posts!

%d bloggers like this: