Can a hacker's stolen money be forcibly returned?
On February 12, the lending protocol zkLend on Starknet was hacked, resulting in a loss of nearly $5 million. However, the hacker did not expect that, after moving the money into Railgun for mixing, this last step before laundering would be blocked by Railgun's protocol policy and the funds forcibly returned.
After the incident, zkLend suspended withdrawals to protect the remaining funds and told the community that the team is actively tracking the hacker's identity and the flow of funds with multiple partners, promising to remain transparent and eventually release a detailed investigation and analysis report. In addition, zkLend proposed to the hacker that he could keep 10% of the funds as a white hat bounty and transfer the remaining 90% (3,300 ETH) back to zkLend's Ethereum address. After receiving the transfer, zkLend would agree to waive any and all liability related to the attack.
As of press time, the hacker has not responded to this proposal. zkLend posted on social media that it has submitted an incident report to the Hong Kong police, the FBI and the Department of Homeland Security, and will initiate legal proceedings.
On February 13, Ethereum co-founder Vitalik, who has always supported Railgun, posted a message on social media specifically explaining how Railgun successfully avoided handling funds obtained through crime this time.
After Vitalik's post, the market reacted quickly to the news, and Railgun rose accordingly. According to market data, as of press time, Railgun rose 7.00% in the past 24 hours, and the trading volume increased by 162.31%.
How does Railgun perform anti-money laundering on chain?
When talking about Railgun, a protocol whose policy is clearly aimed at anti-money laundering, we have to mention Tornado Cash, the leading project in coin mixing services.
Tornado Cash and Railgun are both in the privacy track and are the first projects to provide coin mixing services. The privacy protection such services offer makes them a tool for hackers and criminals to launder and hide funds, and it has attracted the attention of governments and regulators around the world, especially the US Treasury Department's Office of Foreign Assets Control (OFAC).
In August 2022, the U.S. Treasury Department imposed sanctions on Tornado Cash, saying that the service had laundered more than $7 billion in the past three years and helped the North Korean state-run hacker group Lazarus Group evade U.S. penalties. In May 2024, Alexey Pertsev, one of the founders and a core developer of Tornado Cash, was sentenced to 5 years and 4 months in prison.
Tornado Cash became a handy tool for hackers and money launderers because it has no anti-money laundering function. The heavy blow from regulators sounded the alarm for the entire privacy track. With Tornado Cash as a precedent, Railgun, as the second leader in the privacy track, naturally had to learn the lesson, and the direction of improvement is very clear: anti-money laundering.
Railgun has adopted a stricter anti-money laundering strategy, focusing on strengthening compliance while protecting privacy. The core of this strategy is to ensure that the platform can both maintain the privacy of users and effectively respond to regulatory requirements to prevent funds from being used for illegal activities. The following are the specific measures taken by Railgun:
In the first step, rather than focusing all its attention on optimizing the code, Railgun compiled a blacklist from regulators, compliance platforms and similar sources. The blacklist covers transaction data related to illegal activities such as money laundering, fraud, and sanctions violations. With these records of criminal activity, the protocol has concrete targets to screen against.
In the second step, after any user makes a deposit, there is a 1-hour detection period during which various algorithms analyze whether the deposit may be linked to the blacklist. The entire process is completely encrypted, and only the conclusion of whether the deposit is associated is output. Sensitive information such as user addresses, transaction history or balances is not disclosed, which technically ensures that user privacy is not violated.
In the third step, users can withdraw privately after 1 hour using a zero-knowledge proof (ZKP). In addition, Railgun's internal protocol policy stipulates that once a suspected blacklist address attempts to mix coins, the funds of the suspicious address will be forcibly returned.
Finally, Railgun proactively complies with regulations. All proofs generated by user wallets can be provided to exchanges or regulators, and these third-party institutions confirm the validity of the proofs through verification algorithms without obtaining user fund flows, wallet activity details, or identity data. This mechanism not only meets the needs of external institutions to review transaction compliance, but also completely avoids the risk of user privacy leakage, letting users prove their own innocence without relying on trust.
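The deposit policy described in the steps above, sketched as a small Python model. This is an added illustration, not Railgun's code: the class and method names, the address strings and the plain in-memory blocklist are assumptions, and the encrypted screening and zero-knowledge proofs the article mentions are left out.

```python
from dataclasses import dataclass

STANDBY_SECONDS = 3600  # the 1-hour detection period from the article


@dataclass
class Deposit:
    origin: str              # public address that funded the deposit
    amount: int
    created_at: int          # unix seconds
    status: str = "pending"  # pending -> spendable -> withdrawn, or -> returned


class ShieldedPool:
    """Toy model; class and method names are hypothetical, not Railgun's API."""

    def __init__(self, blocklist):
        self.blocklist = set(blocklist)  # assumed: flagged origin addresses
        self.deposits = {}
        self.returned = []               # (origin, amount) sent back by policy

    def deposit(self, dep_id, origin, amount, now):
        self.deposits[dep_id] = Deposit(origin, amount, now)

    def screen(self, dep_id, now):
        """Re-check a pending deposit; the list may change during the window."""
        dep = self.deposits[dep_id]
        if dep.status != "pending":
            return dep.status
        if dep.origin in self.blocklist:
            # Flagged funds never become private: the only exit is the origin.
            dep.status = "returned"
            self.returned.append((dep.origin, dep.amount))
        elif now - dep.created_at >= STANDBY_SECONDS:
            dep.status = "spendable"
        return dep.status

    def withdraw(self, dep_id, to_address, now):
        """Private withdrawal to any address, only after a clean screening."""
        if self.screen(dep_id, now) != "spendable":
            raise PermissionError(f"{dep_id}: not spendable")
        dep = self.deposits[dep_id]
        dep.status = "withdrawn"
        return (to_address, dep.amount)
```

In this model an address that is listed while its deposit is still inside the one-hour window is caught as well, because the deposit is screened again at withdrawal time rather than only when it arrives.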
It is this combination of privacy protection, compliance mechanisms, and risk control strategies that formed the last barrier stopping the attacker from laundering money in this zkLend incident.
The founder of SlowMist also said: "This is a good privacy solution."
Where is the privacy track headed?
While Railgun is building a moat for compliance, U.S. regulatory policies seem to be loosening.
On November 27 last year, the U.S. Fifth Circuit Court ruled that the U.S. Treasury Department's sanctions on Tornado Cash smart contracts were illegal. This is a historic victory for cryptocurrencies and all those who care about defending freedom. The founder of Uniswap called it "immutable smart contracts defeating the Treasury Department in court."
Will this ruling give rise to more and more projects in the privacy sector that claim “code is not guilty” but actually encourage crime?
In any case, in the current environment where crypto regulation is becoming increasingly clear after Trump took office, Railgun, which combines privacy and compliance, should set an example for the development of this track.