GuShiio.com Vitalik, an Ethereum co-founder who has always been a Railgun platform, posted an article on social media specifically explaining how Railgun successfully avoided processing funds derived from crime this time.
Author: Ashley
How can hackers ‘stolen money be forcibly returned?
On February 12, the loan agreement zkLend on Starknet was hacked and lost nearly US$5 million. However, the hacker did not expect that after mixing the money into Railgun, he would immediately wash away the last step. However, it was restricted by Railgun’s agreement policy and forced to return it.
After the incident, zkLend suspended the withdrawal service to ensure the safety of remaining funds, and issued a document to the community stating that the team was actively tracking the identity of hackers and the flow of funds with multiple partners, promising to remain transparent, and eventually releasing a detailed investigation and analysis report. In addition, zkLend also offered to hackers that they could keep 10% of the funds as a white hat reward and transfer the remaining 90%(3,300 ETH) back to zklend’s Ethereum address. Upon receipt of the transfer, you will agree to waive any and all liability related to the attack.
As of press time, there has been no information that hackers have responded to this proposal. zkLend posted on social media saying that incident reports have been submitted to the Hong Kong police, the FBI and the Department of Homeland Security, and judicial proceedings will be initiated.
On February 13, Ethereum co-founder Vitalik, who has always been a Railgun platform, posted an article on social media, specifically explaining how Railgun successfully avoided processing funds derived from crime this time.
After Vitalik posted the article, the market was very sensitive to the news, and Railgun rose accordingly. According to market data, as of press time, Railgun has increased by 7.00% in the past 24 hours, and trading volume has increased by 162.31%.
How does Railgun do anti-money laundering on the chain?
Speaking of Railgun, a policy agreement that is obviously aimed at anti-money laundering, we have to mention Tornado Cash, a leading mixed-currency service project.
Tornado Cash and Railgun both belong to privacy tracks and are the first projects to provide mixed-currency services. Its privacy protection features make it a tool for hackers and criminals to launder money and hide funds. It has attracted the attention of governments and regulatory agencies, especially the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctions against it.
In August 2022, the U.S. Treasury Department imposed sanctions on Tornado Cash, saying the service had laundered more than $7 billion in money over the past three years and helped North Korea’s state-owned hacking group Lazarus Group evade U.S. penalties. In May 2024, Alexey Pertsev, one of the founders and core developers of Tornado Cash, was sentenced to 5 years and 4 months in prison.
Because Tornado Cash has no anti-money laundering function, it has become a convenient tool for hackers and money laundering crimes. The heavy attack from the regulatory authorities has sounded the alarm for the entire privacy track. Having learned from Tornado Cash, Railgun, who is a privacy track Ryuji, naturally has to learn a lesson, and the direction of improvement is clear: anti-money laundering.
Railgun has adopted a more stringent anti-money laundering strategy, focusing on strengthening compliance while protecting privacy. The core of this strategy is to ensure that the platform can not only maintain user privacy, but also effectively respond to regulatory requirements and prevent funds from being used for illegal activities. The following are the specific measures taken by Railgun:
In the first step, Railgun did not focus entirely on optimizing the code, but cleverly compiled a blacklist from regulators, compliance platforms, etc. The blacklist covers transaction data related to illegal activities such as money laundering, fraud, and sanctions violations. With these criminal records, there are targets for targeted attacks.
Second, after any user deposits, there will be a one-hour testing period, during which various algorithms will analyze whether the deposit may come from the blacklist. The entire process is completely encrypted, and only the conclusion of “whether it is related” is output. Sensitive information such as user address, transaction history or balance is not disclosed, which can technically ensure that user privacy is not violated.
Third, users can use zero-knowledge certificate (ZKP) to make private withdrawals after 1 hour. In addition, Railgun’s internal agreement policy also stipulates that once a suspected blacklist address attempts to mix currencies, funds from the suspicious address will be forcibly returned.
Finally, Railgun took the initiative to comply. All certificates generated by users ‘wallets can be provided to exchanges or regulatory agencies, which use verification algorithms to confirm the validity of the certificate without having to obtain user funds flow, wallet activity details, or identity data. This mechanism not only meets the needs of external institutions for review of transaction compliance, but also completely avoids the risk of user privacy disclosure, achieving “self-certification of innocence without trust.”
It is this combination of privacy protection, compliance mechanisms and risk control strategies that constitutes the last barrier to intercept attackers ‘money laundering in this zkLend incident.
The founder of Slow Fog also said: “This is a good privacy solution.”
Privacy track, where does the future go?
While Railgun is building a moat for compliance, U.S. regulatory policies seem to be loosening.
On November 27 last year, the U.S. Fifth Circuit Court ruled that the U.S. Treasury Department’s sanctions on Tornado Cash smart contracts were illegal. This is a historic victory for cryptocurrency and all those who care about defending freedom. Uniswap’s founders call it “immutable smart contracts beat the Treasury in court.”
Will this ruling spawn a growing number of projects on the privacy track that shout “code is innocent” but actually encourage crime?
In any case, in the current environment of increasingly clear encryption regulation after Trump took office, Railgun, which combines privacy and compliance, should set an example for the development of this track.
