$5 Million Stolen Funds Blocked, Privacy Mixer Railgun Turns Into DeFi Protocol "Clawback Tool"?

By: blockbeats|2025/02/14 11:30:02

Hacker's Loot, Can Actually Be Forced to Return?

On February 12, the zkLend lending protocol on Starknet was hacked, losing nearly $5 million. However, the hacker did not expect that after mixing the money into Railgun, the final step before whitewashing could be immediately blocked by Railgun's protocol policy, forcing a return.

After the incident, zkLend suspended withdrawal services to safeguard the remaining funds and posted a message to the community stating that the team is actively working with multiple partners to track the hacker's identity and fund flow, promising transparency, and eventually will release a detailed investigation analysis report. In addition, zkLend also proposed to the hacker that they could keep 10% of the funds as a white hat bounty, with the remaining 90% (3,300 ETH) being transferred back to zkLend's Ethereum address. Upon receiving the transfer, the hacker would agree to waive any and all liability related to the attack.

As of the time of writing, there has been no response from the hacker regarding this proposal. zkLend posted on social media that they have reported the incident to the Hong Kong Police, the FBI, and the Department of Homeland Security and will initiate legal proceedings.

Million Stolen Funds Blocked, Privacy Mixer Railgun Turns Into DeFi Protocol

On February 13, Ethereum co-founder Vitalik, who has always supported Railgun, posted on social media, specifically explaining how Railgun successfully avoided dealing with criminal proceeds this time.

After Vitalik's post, the market's response to this news was very sensitive, and Railgun surged. According to market data, as of the time of writing, Railgun has seen a 7.00% increase in the past 24 hours, with trading volume up 162.31%.

On-Chain Anti-Money Laundering, How Does Railgun Do It?

Speaking of Railgun, this clearly anti-money laundering policy protocol, we have to mention the leading mixer service project, Tornado Cash.

Tornado Cash and Railgun both belong to the privacy track and are the first projects to provide mixer services. Its privacy protection features have made it a tool for hackers and criminals to launder money and hide funds, attracting the attention of governments and regulatory agencies worldwide, especially the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions against it.

In August 2022, the U.S. Department of the Treasury imposed sanctions on Tornado Cash, stating that the service had facilitated money laundering of over $7 billion in the past three years and assisted the North Korean state-sponsored hacker group Lazarus Group in evading U.S. sanctions. In May 2024, one of the founders of Tornado Cash and core developer, Alexey Pertsev, was sentenced to 5 years and 4 months in prison.

Tornado Cash, due to its lack of anti-money laundering capabilities, became a convenient tool for hackers and money laundering criminals. The regulatory crackdown sounded an alarm for the entire privacy track. Learning from the lessons of Tornado Cash, Railgun, as a frontrunner in the privacy track, naturally had to learn from it and had a clear direction for improvement: anti-money laundering.

Railgun has adopted a more rigorous anti-money laundering strategy, focusing on enhancing compliance while maintaining privacy. The core of this strategy is to ensure that the platform can protect user privacy while effectively meeting regulatory requirements and preventing funds from being used for illicit activities. The following are the specific measures Railgun has taken:

The first step, Railgun did not solely focus on optimizing the code but cleverly compiled a blacklist from regulators, compliance platforms, and other sources. The blacklist covers transaction data related to illegal activities such as money laundering, fraud, and sanctions violations, providing specific targets for precise enforcement.

The second step, after any user makes a deposit, there is a 1-hour detection period during which various algorithms analyze whether the deposit may be related to the blacklist. The entire process is fully encrypted, only outputting a conclusion of "association" or "non-association," without revealing sensitive information such as user addresses, transaction history, or balances, ensuring user privacy is technically protected.

The third step, one hour later, the user can utilize zero-knowledge proofs (ZKPs) for private withdrawals. Additionally, Railgun's internal protocol policy stipulates that if a suspicious address attempts to mix coins, the funds from that suspicious address will be forcibly returned.

Finally, Railgun proactively complies. All proofs generated by user wallets can be provided to exchanges or regulatory agencies, and these third-party entities can verify proof validity through validation algorithms without accessing user fund flows, wallet activity details, or identity data. This mechanism meets external organizations' scrutiny requirements for transaction compliance while completely avoiding the risk of user privacy leaks, achieving "trustless self-attestation."

It is precisely this combination of privacy protection, compliance mechanisms, and risk control strategies that formed the final line of defense in intercepting money laundering attackers in the zkLend incident.

The founder of Slowmist also stated, "This is a very good privacy solution."

Privacy Track, Where to Go Next?

While Railgun is building a regulatory moat, regulatory policies in the United States seem to be easing.

On November 27 last year, the U.S. Fifth Circuit Court of Appeals ruled that the U.S. Treasury Department's sanction on the Tornado Cash smart contract was illegal. For the cryptocurrency community and all who care about defending freedom, this was a historic victory. The founder of Uniswap referred to it as "an immutable smart contract beating the Treasury Department in court."

Will this ruling breed more and more calls in the privacy track for "code is law" while actually fostering criminal projects?

Regardless, in the current environment of increasingly clear cryptocurrency regulations post-Trump administration, Railgun, which combines privacy and compliance, should set an example for the development of this track.