The stolen $5 million was "automatically returned". Why can the coin mixer Railgun act as an anti-money-laundering DeFi protocol?

Reprinted from panewslab

02/14/2025·3M

Author: Ashley

Can the hacker's stolen money be forced to be returned?

On February 12, the lending protocol zkLend on Starknet was hacked, losing nearly $5 million. But the hacker did not expect that, after moving the money into Railgun, the last step before laundering it would be blocked by Railgun's protocol policy and the funds forcibly returned.

After the incident, zkLend suspended withdrawals to secure the remaining funds and told its community that the team is working with multiple partners to trace the hacker's identity and the flow of funds, that it will remain transparent, and that it will eventually release a detailed investigation and analysis report. zkLend also proposed that the hacker keep 10% of the funds as a white hat bounty and return the remaining 90% (3,300 ETH) to zkLend's Ethereum address; upon receipt of the transfer, zkLend would release the hacker from any and all liability related to the attack.

As of press time, the hacker has not responded to the proposal. zkLend posted on social media that it has submitted an incident report to the Hong Kong police, the FBI and the Department of Homeland Security, and will initiate legal proceedings.

On February 13, Ethereum co-founder Vitalik, who has long publicly backed Railgun, posted on social media specifically to explain how Railgun avoids handling the proceeds of crime.

After Vitalik's post, the market reacted quickly and Railgun rose. According to market data, as of press time, Railgun has increased by 7.00% in the past 24 hours, and trading volume has increased by 162.31%.

How does Railgun do it on the chain?

Speaking of Railgun's protocol policy, which is plainly aimed at anti-money laundering, we have to mention Tornado Cash, the leading project among coin-mixing services.

Tornado Cash and Railgun both belong to the privacy sector and were the earliest projects to offer coin mixing. The privacy protection that mixing provides has made it a tool for hackers and criminals to launder money and hide funds, and it has attracted the attention of governments and regulators, especially the U.S. Treasury's Office of Foreign Assets Control (OFAC).

In August 2022, the U.S. Treasury Department imposed sanctions on Tornado Cash, saying the service had laundered more than $7 billion in the past three years and had helped North Korea's state-backed hacking group Lazarus Group evade U.S. sanctions. In May 2024, Alexey Pertsev, one of the founders of Tornado Cash and a core developer, was sentenced to 5 years and 4 months in prison.

Because Tornado Cash has no anti-money-laundering function, it became a handy tool for hackers and money launderers. The heavy blow from regulators sounded the alarm for the entire privacy sector. Railgun, as part of that sector, naturally had to learn from Tornado Cash's experience, and the direction of improvement was clear: anti-money laundering.

Railgun has adopted a more stringent anti-money laundering strategy, focusing on strengthening compliance while protecting privacy. The core of this strategy is to ensure that the platform can not only maintain user privacy, but also effectively respond to regulatory requirements and prevent funds from being used for illegal activities. Here are the specific measures taken by Railgun:

In the first step, Railgun did not put all of its effort into optimizing code; it compiled a blacklist from regulators, compliance platforms and other sources. The blacklist covers transaction data related to illegal activities such as money laundering, fraud and sanctions violations. With these records, there are concrete targets to screen against.

In the second step, every deposit is followed by a 1-hour inspection period, during which various algorithms analyze whether the deposit may come from the blacklist. The entire process is encrypted and outputs only the conclusion of "whether it is related"; sensitive information such as the user's address, transaction history or balance is not disclosed, so user privacy is protected at the technical level.

In the third step, after the 1 hour has passed, users can withdraw privately using a zero-knowledge proof (ZKP). In addition, Railgun's protocol policy stipulates that when a suspected blacklisted address attempts to mix coins, the funds from that address are forcibly returned.

Finally, Railgun actively supports compliance. All proofs generated by user wallets can be provided to exchanges or regulators, and these third parties confirm the validity of a proof with a verification algorithm without obtaining the user's fund flows, wallet activity details or identity data. This mechanism meets external institutions' need to review transaction compliance while avoiding leaks of user privacy, achieving "trustless self-proof of innocence."
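A simplified model of the deposit flow in the steps above, added here as an illustration; it is not Railgun's code and leaves out the zero-knowledge proof. The class and method names, the placeholder addresses, and the choices to consult the blacklist at withdrawal time and to return flagged funds to the depositing address are assumptions.

```python
from dataclasses import dataclass

INSPECTION_SECONDS = 3600  # the 1-hour inspection period described above


@dataclass
class Deposit:
    origin: str         # depositing address
    amount: int
    deposited_at: int   # unix seconds
    settled: bool = False


class ShieldPolicy:
    """Toy policy model (hypothetical names); no cryptography involved."""

    def __init__(self, blacklist):
        self.blacklist = set(blacklist)
        self.deposits = {}

    def deposit(self, origin, amount, now):
        dep_id = len(self.deposits) + 1
        self.deposits[dep_id] = Deposit(origin, amount, now)
        return dep_id

    def withdraw(self, dep_id, destination, now):
        """Return (address_paid, outcome); raise if the request is refused."""
        dep = self.deposits[dep_id]
        if dep.settled:
            raise PermissionError("deposit already withdrawn or returned")
        # Assumption: the blacklist is read at withdrawal time, so entries
        # added during the inspection window still take effect.
        if dep.origin in self.blacklist:
            # Flagged funds never reach a fresh address: return to origin only.
            dep.settled = True
            return dep.origin, "forced-return"
        if now - dep.deposited_at < INSPECTION_SECONDS:
            raise PermissionError("inspection period not over")
        dep.settled = True
        return destination, "private-withdrawal"


if __name__ == "__main__":
    policy = ShieldPolicy(blacklist={"0xFLAGGED"})   # constructed address
    dep = policy.deposit("0xFLAGGED", 5, now=0)
    print(policy.withdraw(dep, "0xFRESH", now=7200))
```

The case to notice is an address that is blacklisted only after it has deposited: because the check runs at withdrawal time, the requested destination is ignored and the funds go back to the origin.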

It is this combination of privacy protection, compliance mechanisms and risk control strategies that formed the last barrier intercepting the attacker in the zkLend incident.

"This is a great privacy solution," said the founder of SlowMist.

Where will the privacy sector go in the future?

While Railgun builds a compliance moat, U.S. regulatory policy seems to be loosening.

On November 27, the U.S. Fifth Circuit ruled that the U.S. Treasury Department's sanctions on Tornado Cash smart contracts were illegal. This is a historic victory for cryptocurrencies and for all those who care about defending freedom. Uniswap founders called it "immutable smart contracts beat the Treasury in court."

Will this ruling breed more and more privacy-sector projects that shout "code is innocent" but in practice encourage crime?

In any case, in the current environment, where cryptocurrency regulation has become increasingly clear since Trump took office, Railgun, which combines privacy and compliance, should set an example for the development of this sector.