On February 12, the zkLend lending protocol on Starknet was hacked, resulting in a loss of roughly 3,600 ETH (about $9.5 million at the time). The attacker moved the stolen ETH into Railgun, expecting it to come out clean on the other side, but Railgun's protocol policy refused to let the deposit be spent privately: the only action the protocol permitted was sending the funds back to the address that deposited them, so the attacker ended up holding the same tainted ETH they started with.
Following the incident, zkLend suspended withdrawals to safeguard the remaining funds and told the community that the team is working with multiple partners to trace the attacker's identity and the flow of funds, promising to stay transparent and eventually publish a detailed post-mortem. zkLend also made the attacker an offer: keep 10% of the funds as a white-hat bounty and return the remaining 90% (3,300 ETH) to zkLend's Ethereum address, in exchange for which zkLend would waive any and all liability related to the attack once the transfer was received.
As of the time of writing, there has been no response from the hacker regarding this proposal. zkLend announced on social media that they have reported the incident to the Hong Kong police, the FBI, and the Department of Homeland Security and will initiate legal proceedings.
On February 13, Ethereum co-founder Vitalik Buterin, a long-time supporter of Railgun, posted on social media explaining how Railgun managed to avoid handling the proceeds of this crime.
The market reacted quickly to his post and Railgun's RAIL token rallied: as of the time of writing, market data showed it up 7.00% over the past 24 hours, with trading volume up 162.31%.
When it comes to Railgun, a privacy protocol that has deliberately built anti-money-laundering controls into its design, one cannot help but mention Tornado Cash, the best-known project in the privacy sector.
Tornado Cash and Railgun both belong to the privacy sector and are among its most prominent projects: Tornado Cash is a mixer, while Railgun is a shielded pool built on zero-knowledge proofs. The privacy they offer has made them tools for hackers and criminals to launder and hide funds, drawing the attention of governments and regulators worldwide and culminating in sanctions against Tornado Cash by the U.S. Treasury's Office of Foreign Assets Control (OFAC).
In August 2022, the U.S. Treasury Department sanctioned Tornado Cash, stating that the service had laundered more than $7 billion in virtual currency since its launch in 2019 and had helped the North Korean state-backed Lazarus Group evade U.S. sanctions. In May 2024, Tornado Cash co-founder and core developer Alexey Pertsev was sentenced by a Dutch court to 5 years and 4 months in prison.
Tornado Cash became a convenient tool for hackers and money launderers because it had no anti-money-laundering controls at all, and the regulators' heavy-handed response was a wake-up call for the entire privacy sector. Railgun, as a prominent project in that sector, drew the obvious lesson from Tornado Cash's fate and set itself a clear direction for improvement: anti-money laundering.
Railgun adopted a stricter anti-money-laundering strategy that strengthens compliance without giving up privacy. The goal is for the protocol to preserve user privacy, satisfy regulatory requirements in a verifiable way, and keep its funds from being used in illegal activity. The specific measures Railgun has taken are as follows:
The first step was not a change to the protocol's cryptography but to its data: Railgun assembles blocklists from regulators, compliance platforms and similar sources. These lists cover deposits tied to illicit activity such as money laundering, fraud and sanctions violations, giving the protocol concrete targets to screen against.
The second step is a one-hour screening window after every deposit. A deposit into the pool is a public on-chain event, so during this window it can be compared against the blocklists without touching anything private. What leaves the screening stage is a zero-knowledge proof with a single bit of content, whether or not the deposit is associated with a listed source; the proof discloses nothing else, such as the user's addresses, transaction history or balances, so privacy is preserved by the cryptography rather than by a promise.
The third step is that once the hour has passed, a user whose deposit was not flagged can spend or withdraw privately using that zero-knowledge proof. A flagged deposit, on the other hand, can never produce a valid proof, and Railgun's protocol policy leaves it exactly one exit: the funds can only be unshielded back to the address that deposited them. That is what happened to the zkLend attacker.
Lastly, Railgun makes compliance proactive. The proofs generated by a user's wallet can be handed to an exchange or a regulator, which verifies them with the standard verification algorithm without ever seeing the user's fund flows, wallet activity or identity data. This satisfies an outside organization's need to check that a transaction is compliant while avoiding any leak of user privacy, a "proof of innocence" that requires no trusted intermediary.
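To make the four steps above concrete, here is an added toy model of the policy layer they describe. It is illustrative code written for this article, not Railgun's implementation: the real protocol establishes non-association with a zero-knowledge proof, whereas this model simply has the wallet present the list roots it checked against, so only the policy logic (blocklist, one-hour window, and the "unshield to origin only" rule for flagged deposits) is shown. The list provider, addresses, amounts and the hash-based list root are all constructed for the example.

```python
"""
Toy model of a proof-of-innocence style policy layer for a shielded pool.
Added illustration, not Railgun's code: the real protocol proves non-association
in zero knowledge; here the wallet just exposes the list roots it checked, so
only the policy rules are modelled. All names and data below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

DELAY_SECONDS = 3600  # the one-hour screening window described above


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Deposit:
    depositor: str      # the shielding address, public on-chain
    amount_wei: int
    deposited_at: int   # unix seconds

    @property
    def commitment(self) -> bytes:
        # Hypothetical commitment; a real note commitment also binds a user secret.
        return sha256(self.depositor.encode(),
                      self.amount_wei.to_bytes(32, "big"),
                      self.deposited_at.to_bytes(8, "big"))


class ListProvider:
    """Screens public deposit events and publishes a root over flagged commitments."""

    def __init__(self, name: str, bad_addresses: set[str]):
        self.name = name
        self.bad_addresses = bad_addresses
        self.flagged: set[bytes] = set()

    def screen(self, deposit: Deposit) -> None:
        # Constructed rule: the only signal in this toy is the depositing address.
        if deposit.depositor in self.bad_addresses:
            self.flagged.add(deposit.commitment)

    def root(self) -> bytes:
        # Hash-commit to the sorted list so a verifier can pin one list version.
        return sha256(*sorted(self.flagged)) if self.flagged else sha256(b"empty-list")


class ShieldedPool:
    def __init__(self, providers: list[ListProvider]):
        self.providers = providers
        self.deposits: dict[bytes, Deposit] = {}

    def shield(self, deposit: Deposit) -> bytes:
        self.deposits[deposit.commitment] = deposit
        for provider in self.providers:
            provider.screen(deposit)  # screening runs on the public deposit event
        return deposit.commitment

    def proof_of_innocence(self, commitment: bytes, now: int) -> Optional[dict]:
        """Claim that the deposit is on none of the lists; only available after the delay."""
        deposit = self.deposits[commitment]
        if now - deposit.deposited_at < DELAY_SECONDS:
            return None
        if any(commitment in p.flagged for p in self.providers):
            return None
        return {"commitment": commitment,
                "roots": {p.name: p.root() for p in self.providers}}

    def spend(self, commitment: bytes, destination: str, now: int) -> str:
        """Cleared funds may go anywhere; uncleared funds may only return to the depositor."""
        deposit = self.deposits[commitment]
        if self.proof_of_innocence(commitment, now) is not None:
            return "allowed"
        if destination == deposit.depositor:
            return "returned_to_origin"
        return "rejected"


def verify_claim(claim: dict, providers: list[ListProvider]) -> bool:
    """A third party checks the claim against current list roots; it sees no balances or history."""
    return all(claim["roots"].get(p.name) == p.root() for p in providers)


def run_scenario() -> dict:
    """Constructed scenario: one flagged depositor, one clean depositor, inside and after the window."""
    provider = ListProvider("sanctions-list", bad_addresses={"0xattacker"})
    pool = ShieldedPool([provider])
    attacker = pool.shield(Deposit("0xattacker", 1_000 * 10**18, deposited_at=0))
    clean = pool.shield(Deposit("0xalice", 5 * 10**18, deposited_at=0))

    outcomes = {
        "clean_during_delay": pool.spend(clean, "0xfresh", now=600),
        "clean_after_delay": pool.spend(clean, "0xfresh", now=3700),
        "attacker_to_fresh_address": pool.spend(attacker, "0xfresh", now=3700),
        "attacker_back_to_origin": pool.spend(attacker, "0xattacker", now=3700),
    }
    claim = pool.proof_of_innocence(clean, now=3700)
    outcomes["clean_claim_verifies"] = verify_claim(claim, [provider])
    outcomes["attacker_claim"] = pool.proof_of_innocence(attacker, now=3700)
    return outcomes


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point the model makes is that the screening window and the blocklist act on the deposit event, which is public anyway, so nothing private is needed to flag a bad deposit; the privacy-preserving part is only the claim the clean user carries afterwards. A flagged deposit never obtains that claim, which is why its sole legal move is back to the address it came from.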
It is precisely this combination of privacy protection, compliance mechanism and risk control that formed the last line of defense against laundering in the zkLend incident.
The founder of SlowMist also stated: "This is a very good privacy solution."
While Railgun is fortifying compliance, regulatory policies in the United States seem to be loosening.
On November 27 last year, the U.S. Court of Appeals for the Fifth Circuit ruled that the Treasury Department's sanctions on Tornado Cash's immutable smart contracts were unlawful, holding that such contracts are not "property" that OFAC may designate. For cryptocurrency, and for everyone concerned with defending freedom, this was a historic victory. The founder of Uniswap described it as "an immutable smart contract defeating the Treasury Department in court."
Will this ruling encourage more projects in the privacy sector that proclaim "code is law" while in practice fueling criminal activity?
Nevertheless, however loud the calls for "code is law" in the privacy sector have grown since the Trump administration took office, Railgun's combination of privacy and compliance should stand as the example for the sector's development as the regulatory landscape for cryptocurrency becomes clearer.