Original author: Javier Paz, Forbes magazine reporter

Original translation: Luffy, Foresight News

In the world of cryptocurrency, privacy is a major issue. For those who want to hide something, a tool called a cryptocurrency mixer can help asset owners conceal their identities. A mixer works by pooling deposited cryptocurrency with other funds, severing its link to the original crypto wallet so that observers cannot determine the original source of the funds. In 2022, the most "notorious" mixer, Tornado Cash, was added to the sanctions blacklist by the US Treasury Department because it was suspected of laundering billions of dollars for criminals, including a hacker group from North Korea.

U.S. law enforcement agencies stated that a North Korean hacking group named Lazarus Group has been using mixers such as Blender.io, Tornado Cash, Railgun, and Sinbad.io to launder stolen cryptocurrency. The chart below shows that mixers have been used to launder $700 million in stolen funds from blockchain applications such as the online game Axie Infinity, wallet software Atomic Wallet, and the cross-chain bridge Harmony Bridge. Harmony Bridge is a tool that allows users to transfer token assets from one blockchain to another, such as Ethereum. According to the Wall Street Journal, Lazarus has stolen over $3 billion worth of cryptocurrency in total.

The chart below lists, in chronological order, hacking incidents (red) and the alleged laundering of the proceeds through mixers (green). The green numbers do not always equal the red numbers, because the funds stolen by hackers do not always equal the funds laundered, and some funds may have been laundered more than once.

Lazarus Group cryptocurrency hacking incident, data source: FBI, U.S. Department of the Treasury, compiled by Forbes

The Harmony Bridge hacking incident is unique because Railgun, unlike the other mixers mentioned above, has not yet been sanctioned by U.S. law enforcement. The Treasury Department did not respond to requests for comment regarding Railgun. However, new information indicates that the Digital Currency Group (DCG), the fund management company behind Grayscale, which holds $25 billion in cryptocurrency, may have profited from money laundering through Railgun. Forbes conducted a two-month investigation supported by data from blockchain intelligence firm ChainArgos, which revealed that DCG received $436,906 from Railgun from June 2023 to the present. This figure accounts for 18% of the $2.4 million spent by Railgun during this period. According to cryptocurrency forensic firm Elliptic, the mixer Railgun may have participated in money laundering activities amounting to $60 million by the Lazarus Group in 2023. A spokesperson for DCG declined to comment on the matter. Forbes repeatedly sought comment from Railgun but received no response.

Harmony hacking incident

In June 2022, the FBI reported that North Korea's hacking group Lazarus Group stole $100 million worth of cryptocurrency from Harmony's blockchain cross-chain bridge, including Ethereum, USDC, WBTC, and 11 other tokens. The hackers carried out the attack using a cloud storage program password leaked by a cross-chain bridge administrator, then used the program to steal the private keys protecting customer asset transfers, resulting in a massive asset theft. Elliptic stated, 'After the stolen funds sat idle for seven months, from January 11 to 14, 2023, 41,647 ETH was sent to the Railgun relay contract through 71 accounts.' The exit strategy used by Lazarus Group through Railgun was also traced back to '184 intermediary accounts, which then deposited into 19 deposit addresses across multiple centralized cryptocurrency exchanges, primarily directed to Huobi, Binance, and OKX.'

On April 16, 2024, Railgun, based in the UK, denied the alleged mixing activities, stating, 'This is not true, this is false reporting.' Nevertheless, Railgun's usage and fees rose sharply in early 2023. Historically, the amount of mixing handled by Railgun ranged between 1 and 5 ETH daily. On January 13, 2023, the mixing volume surged to 41,000 ETH, coinciding with the suspected money laundering activities, and Railgun's mixing volume has not reached that level again since.

DCG's investment in Railgun

In January 2022, DCG invested $10 million in Railgun and received 5 million RAIL (the native token of the Railgun network). Based on recent prices, DCG's investment in RAIL is now worth $3.9 million, down over 60%. DCG staked these tokens, effectively using the tokens as collateral for the protocol, allowing it to gain voting rights on significant business decisions regarding the protocol's future and a share of the network fees paid by users. DCG's RAIL tokens are stored in five separate Ethereum wallets:

  • 0x5348b77cF55B90147CbB6a938e0058DD25cbF0CA

  • 0x3decD5DA4bC6489dfe1e73d0469c59f281ED8811

  • 0x54Aa22EaCB1da8Ee635Ab0E94C8DA77F49916b4E

  • 0x02698237DDC5Cf63660DA2cfD10934C911433724

  • 0xE82f012dd671f94094d0c33D9E8c99330D1D2B79

Additionally, DCG donated $7.1 million worth of DAI, a stablecoin pegged to the price of the U.S. dollar, to Railgun's protocol treasury for general business purposes. 'It is rare for large investors to send funds to a fully decentralized DAO treasury in support of a project, while requiring any management keys or becoming part of a multi-signature team,' said Edward Fricker, a lawyer who provided consulting for Railgun on the transaction, in a statement at the time.

According to data from ChainArgos and Elliptic, Forbes calculated that the $60 million transaction allegedly involved in money laundering by the North Korean hacking organization required at least $260,000 in fees, which could be withdrawn from Railgun's fee pool as of January 21, 2023. However, DCG did not request payment for its share of Railgun fees until June 2023. During this period, 26 other wallet addresses also requested fees from Railgun.

Did DCG deliberately wait five months to request fees in order to distance itself from the alleged illegal activities? DCG did not respond to Forbes. ChainArgos CEO Jonathan Reiter stated, 'If it only takes a few weeks to legitimately obtain fees from the proceeds of money laundering, law enforcement will certainly not be satisfied.'

But that does not matter. Railgun's code automatically binds accumulated fees to the staking address or the recipient address. Matthew Sampson, co-founder of blockchain analysis firm Gray Wolf, stated, 'There is compelling evidence that DCG benefited from the alleged money laundering incident in January 2023.' 'Railgun's smart contracts specify who should receive the rewards, and the reward tokens for that period are reserved for DCG, which can be claimed at any time.'

The chart below displays the fee rewards Railgun recently paid to DCG wallets. The fee revenue from the mixer does not all come from so-called money laundering activities.

Railgun's rewards to DCG, data source: Forbes compiled Ethereum and Arkham data

The rewards obtained from staking RAIL in the five wallets above were delegated to the address 0xFED429FB7d243380B25bC11B10561D5A27f42D8E, through which the specific addresses at which DCG received Railgun rewards can be queried. Each receiving address was paid in three types of tokens: the stablecoin DAI (49%), the governance token RAIL (30%), and wrapped ETH (WETH, 21%). One unit of a stablecoin is equivalent to one unit of a specific fiat currency, in this case the U.S. dollar. The RAIL governance token grants holders the right to vote on protocol proposals, similar to proxy voting in traditional stock companies. WETH is a 'wrapped' form of ETH, worth the same as ETH, that can be transferred across multiple blockchain protocols without being limited to its native Ethereum protocol.

DeFi compliance challenges

DCG's alleged involvement in the Railgun money laundering incident is just one example of how decentralized finance (DeFi) applications in cryptocurrency struggle to balance privacy tools with the need to keep bad actors out of their systems. The creators of these platforms often claim that they are decentralized, and therefore are not controlled by anyone and do not restrict anyone. However, such explanations are rarely accepted by law enforcement, especially in the United States.

According to guidelines on responsibilities under the Bank Secrecy Act released by U.S. authorities in October 2021, 'members of the virtual currency industry have a responsibility to ensure they do not directly or indirectly engage in transactions prohibited by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), such as trading with frozen individuals or properties or engaging in prohibited trade or investment-related transactions.' A spokesperson for the IRS criminal investigation unit specifically mentioned DeFi projects, stating to Forbes, 'These platforms require ongoing maintenance and development to keep up with technological advancements and prevent criminals, necessitating oversight by the companies behind DeFi platforms to ensure compliance with laws and regulations.'

Violations of the Bank Secrecy Act are often difficult to detect, in part due to under-resourcing in the U.S. government. 'The Financial Crimes Enforcement Network has been under-resourced for years, with at most 10 people overseeing thousands of money service businesses, including cryptocurrency exchanges, some of which transfer trillions of dollars annually,' said Amanda Wick, a former regulator at the U.S. Department of Justice and head of Incite Consulting.

'Government staffing shortages and rising crime rates,' added Victor Fang, CEO and co-founder of blockchain analysis company Anchain, who closely collaborates with the IRS criminal investigation team tracking financial crimes, 'In the U.S. alone, law enforcement has 50,000 cases waiting to be processed, so how do they use Chainalysis or other data providers to help manage these cases? It's impossible.'

Railgun appears to be developing a technological solution to improve its compliance. In May 2023, Railgun collaborated with Chainway Labs, the creator of 'proof of innocence,' to launch a new feature intended to bring it closer to regulatory requirements. The proof of innocence solution, also known as a privacy pool, allows users to choose whether to provide cryptographic proof that their tokens do not come from sanctioned wallets. The idea is that good actors provide the proof, while bad actors avoid providing it. The problem is that bad actors can easily counter such solutions by creating a large number of new, unsanctioned wallets that distance them from their illegal activities.
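
The weakness described above, as an added example that is not part of the original article and is not Railgun's or Chainway Labs' code: a simplified model comparing a screen that only checks the depositing wallet against one that walks the wallet's full funding history. The wallet labels, the transfer list and both function names are constructed for illustration; a real proof-of-innocence system relies on cryptographic proofs rather than this graph walk.

```python
from collections import deque

# Constructed sample data: placeholder labels, not real addresses.
SANCTIONED = {"wallet_sanctioned"}

# (sender, receiver) transfers. Constructed for illustration.
TRANSFERS = [
    ("wallet_sanctioned", "fresh_1"),
    ("fresh_1", "fresh_2"),
    ("fresh_2", "depositor_a"),
    ("exchange_payout", "depositor_b"),
    ("depositor_b", "depositor_b_alt"),
    ("depositor_b_alt", "depositor_b"),  # cycle: the walk must not loop forever
]


def direct_check(depositor, sanctioned):
    """Naive screen: passes if the depositing wallet itself is not listed."""
    return depositor not in sanctioned


def funding_path_to_sanctioned(depositor, transfers, sanctioned):
    """Walk incoming transfers backwards (BFS) from the depositor.

    Returns the shortest chain [sanctioned, ..., depositor], or None if no
    listed wallet appears anywhere in the funding history.
    """
    incoming = {}
    for sender, receiver in transfers:
        incoming.setdefault(receiver, []).append(sender)

    parent = {depositor: None}  # doubles as the visited set
    queue = deque([depositor])
    while queue:
        wallet = queue.popleft()
        if wallet in sanctioned:
            path = []
            while wallet is not None:  # rebuild the chain towards the depositor
                path.append(wallet)
                wallet = parent[wallet]
            return path
        for sender in incoming.get(wallet, []):
            if sender not in parent:
                parent[sender] = wallet
                queue.append(sender)
    return None
```

In the sample data, `depositor_a` passes the direct check even though its funds trace back to the listed wallet through two fresh wallets, while `depositor_b` is clean under both checks.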

ChainArgos Chief Legal Officer Patrick Tan stated, 'It is impossible to have a compliant system without permission; otherwise, you will always be one step behind when trying to blacklist or catch bad actors.'