5 million dollars of stolen funds rejected, the mixer Railgun unexpectedly becomes a "debt collection tool" for DeFi protocols?
Author: Ashley, BlockBeats
Can the hacker's loot really be forcibly returned?
On February 12, the lending protocol zkLend on Starknet was hacked, resulting in a loss of nearly $5 million. However, the hacker did not expect that after mixing the money into Railgun, the final step to launder the funds would be restricted by Railgun's protocol policies, forcing a return.
After the incident, zkLend suspended withdrawal services to ensure the safety of the remaining funds and issued a statement to the community indicating that the team was actively tracking the hacker's identity and the flow of funds in collaboration with multiple partners, promising transparency and a detailed investigation report in the end. Additionally, zkLend offered the hacker the option to keep 10% of the funds as a white hat bounty, while returning the remaining 90% (3,300 ETH) to zkLend's Ethereum address. Upon receiving the transfer, they would agree to waive any and all liabilities related to the attack.
As of the time of publication, there has been no response from the hacker regarding this proposal. zkLend stated on social media that they have submitted an incident report to the Hong Kong police, the FBI, and the Department of Homeland Security, and will initiate legal proceedings.
On February 13, Ethereum co-founder Vitalik, who has consistently supported Railgun, posted on social media to specifically explain how Railgun successfully avoided processing funds from criminal activities this time.
After Vitalik's post, the market reacted sensitively to the news, and Railgun saw a corresponding increase. According to market data, as of the time of publication, Railgun's price increased by 7.00% in the past 24 hours, with trading volume rising by 162.31%.
On-chain anti-money laundering: How does Railgun achieve this?
When talking about Railgun's policies clearly aimed at anti-money laundering, one cannot help but mention the leading project in mixing services, Tornado Cash.
Tornado Cash and Railgun both belong to the privacy track, and Tornado Cash was the first project to offer mixing services. Its privacy protection features made it a tool for hackers and criminals to launder and hide funds, attracting the attention of governments and regulatory agencies worldwide, particularly the U.S. Treasury's Office of Foreign Assets Control (OFAC), which imposed sanctions on it.
In August 2022, the U.S. Treasury sanctioned Tornado Cash, stating that the service had laundered over $7 billion in the past three years and had helped the North Korean state-sponsored hacking group Lazarus Group evade U.S. sanctions. In May 2024, one of the founders and core developers of Tornado Cash, Alexey Pertsev, was sentenced to 5 years and 4 months in prison.
Tornado Cash, lacking anti-money laundering capabilities, became a handy tool for hackers and money laundering criminals. The regulatory crackdown served as a wake-up call for the entire privacy track. With Tornado Cash as a cautionary tale, Railgun, as the second player in the privacy track, naturally learned from the lessons, with a clear direction for improvement: anti-money laundering.
Railgun has adopted a stricter anti-money laundering strategy, focusing on enhancing compliance while protecting privacy. The core of this strategy is to ensure that the platform can maintain user privacy while effectively responding to regulatory requirements and preventing funds from being used for illegal activities. Here are the specific measures taken by Railgun:
First, Railgun did not solely focus on optimizing code but cleverly compiled a blacklist from regulatory bodies and compliance platforms. This blacklist includes transaction data related to illegal activities such as money laundering, fraud, and sanctions violations. With these records, they can accurately target offenders.
Second, after any user deposits, there is a 1-hour detection period during which various algorithms analyze whether the deposit may originate from a blacklisted address. The entire process is fully encrypted, only outputting a conclusion of "associated or not," without disclosing sensitive information such as user addresses, transaction history, or balances, ensuring that user privacy is technically protected.
Third, after 1 hour, users can use zero-knowledge proofs (ZKP) for private withdrawals. Additionally, Railgun's internal protocol policies stipulate that if there is an attempt to mix funds from a suspected blacklist address, the funds from that suspicious address will be forcibly returned.
Finally, Railgun actively complies. All proofs generated by user wallets can be provided to exchanges or regulatory agencies, which can verify the validity of the proofs through verification algorithms without needing to access user fund flows, wallet activity details, or identity data. This mechanism meets the external institutions' review requirements for transaction compliance while completely avoiding the risk of user privacy leakage, achieving "self-proof of innocence without trust."
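The four measures above describe one lifecycle: deposit, a 1-hour screening window, a verdict that reveals only "associated or not," and then either a private withdrawal or a forced return, with a proof that outside parties can check. The following Python model walks a clean deposit and a blacklisted deposit through exactly that lifecycle. It is an added illustration written for this article, not Railgun's code; the class and function names, the placeholder addresses, the timestamps and the blacklist contents are all constructed, and an HMAC tag over (commitment, verdict) stands in for the zero-knowledge proof so that the verifier side can be shown without a ZK library.

```python
"""Simplified model of a screened privacy pool: deposits are held for a
screening window, checked against a blacklist, and then either released via
a withdrawal to a fresh address or force-returned to the depositor.
Added illustration, not Railgun's implementation; all names are assumptions."""
import hashlib
import hmac
import secrets

SCREENING_WINDOW_SECONDS = 3600  # the 1-hour detection period described in the text

# Constructed sample blacklist, standing in for addresses imported from
# regulatory and compliance feeds.  These are placeholders, not real addresses.
SAMPLE_BLACKLIST = {"0xHACKER_PLACEHOLDER"}


def _commitment(secret, sender, amount):
    """Hash commitment binding a note secret to the depositor and amount."""
    return hashlib.sha256(secret + sender.encode() + amount.to_bytes(32, "big")).hexdigest()


class ScreenedPool:
    def __init__(self, blacklist, attestation_key):
        self.blacklist = set(blacklist)
        self.attestation_key = attestation_key  # shared with verifiers (assumption)
        self.records = {}  # commitment -> deposit record, private to the pool

    def deposit(self, sender, amount, now):
        """Records a deposit; returns the commitment and the note secret
        the depositor must keep in order to spend it later."""
        secret = secrets.token_bytes(32)
        commitment = _commitment(secret, sender, amount)
        self.records[commitment] = {
            "sender": sender, "amount": amount, "deposited_at": now,
            "verdict": None,  # set by screen(); only ever "clean" or "flagged"
        }
        return commitment, secret

    def screen(self, commitment):
        """Screening step: the only value that leaves is the verdict."""
        rec = self.records[commitment]
        rec["verdict"] = "flagged" if rec["sender"] in self.blacklist else "clean"
        return rec["verdict"]

    def withdraw(self, commitment, secret, recipient, now):
        """After the window, clean notes go to the recipient; flagged notes
        are sent back to the original sender regardless of the recipient asked for."""
        rec = self.records.get(commitment)
        if rec is None:
            raise KeyError("unknown commitment")
        if not hmac.compare_digest(_commitment(secret, rec["sender"], rec["amount"]), commitment):
            raise PermissionError("note secret does not open this commitment")
        if now - rec["deposited_at"] < SCREENING_WINDOW_SECONDS:
            raise RuntimeError("screening window has not elapsed")
        if rec["verdict"] is None:
            raise RuntimeError("deposit has not been screened")
        del self.records[commitment]
        if rec["verdict"] == "flagged":
            return {"action": "returned", "to": rec["sender"], "amount": rec["amount"]}
        return {"action": "withdrawn", "to": recipient, "amount": rec["amount"]}

    def attest_clean(self, commitment):
        """Compliance attestation: an HMAC tag over (commitment, "clean") stands in
        for the ZK proof.  It carries no sender, history or balance."""
        rec = self.records[commitment]
        if rec["verdict"] != "clean":
            raise ValueError("no attestation for unscreened or flagged deposits")
        tag = hmac.new(self.attestation_key, f"{commitment}:clean".encode(), "sha256").hexdigest()
        return {"commitment": commitment, "verdict": "clean", "tag": tag}


def verify_attestation(attestation, attestation_key):
    """What an exchange or auditor runs: checks the tag and learns only the verdict."""
    msg = f"{attestation['commitment']}:{attestation['verdict']}".encode()
    expected = hmac.new(attestation_key, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, attestation["tag"]) and attestation["verdict"] == "clean"


def run_scenario():
    """Walks one clean and one blacklisted deposit through the pool."""
    key = b"constructed-demo-key"  # constructed; a real deployment would use signatures
    pool = ScreenedPool(SAMPLE_BLACKLIST, key)
    t0 = 1_700_000_000  # constructed timestamp
    c_clean, s_clean = pool.deposit("0xALICE_PLACEHOLDER", 10, t0)
    c_bad, s_bad = pool.deposit("0xHACKER_PLACEHOLDER", 3300, t0)
    verdicts = (pool.screen(c_clean), pool.screen(c_bad))
    attestation_ok = verify_attestation(pool.attest_clean(c_clean), key)
    clean_out = pool.withdraw(c_clean, s_clean, "0xFRESH_PLACEHOLDER", t0 + SCREENING_WINDOW_SECONDS)
    bad_out = pool.withdraw(c_bad, s_bad, "0xFRESH_PLACEHOLDER", t0 + SCREENING_WINDOW_SECONDS)
    return verdicts, attestation_ok, clean_out, bad_out


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is the asymmetry at withdrawal time: the depositor supplies the note secret and a recipient of their choosing, but the pool's policy, not the withdrawer, decides where a flagged note goes. The verifier side sees only a commitment and a verdict, which is the "self-proof of innocence without trust" property described above, with the caveat that a real deployment would use a publicly verifiable proof or signature rather than a shared HMAC key.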
It is this combination of privacy protection, compliance mechanisms, and risk control strategies that forms the last line of defense against the attackers' money laundering in the zkLend incident.
The founder of SlowMist also stated: "This is a very good privacy solution."
Privacy track: Where to go from here?
While Railgun builds a moat for compliance, U.S. regulatory policies seem to be loosening.
On November 27 last year, the U.S. Fifth Circuit Court ruled that the U.S. Treasury's sanctions against Tornado Cash's smart contracts were illegal. This was a historic victory for cryptocurrency and all those concerned with defending freedom. The founder of Uniswap called it "immutable smart contracts defeating the Treasury in court."
Will this ruling give rise to more projects in the privacy track that wave the flag of "code is law," but in reality, foster crime?
Regardless, in the current environment, where cryptocurrency regulation has become increasingly clear under the Trump administration, Railgun, which combines privacy and compliance, should set an example for the development of this track.