$5 million stolen funds are "automatically returned", why can the mixer Railgun become an anti-Money Laundering DeFi protocol?

Vitalik gave Railgun another shoutout.

Authored by: Ashley

Hacker’s ill-gotten gains can actually be forced to be returned?

On February 12th, the zkLend lending protocol on Starknet was hacked, resulting in a loss of nearly 5 million USD. However, the hacker did not expect that after mixing the money into Railgun, the final step before whitewashing, they were immediately restricted by Railgun’s protocol policy and forced to return the funds.

After the incident, zkLend suspended withdrawal services to safeguard the remaining funds and issued a statement to the community that the team is actively tracking the hacker’s identity and fund flow with multiple partners, promising to maintain transparency and eventually release a detailed investigation report. In addition, zkLend proposed to reserve 10% of the funds as a white hat bounty for the hacker and return the remaining 90% (3,300 ETH) to zklend’s Ethereum address. Upon receiving the transfer, they will agree to waive any and all responsibilities related to the attack.

As of press time, there has been no response from hackers to this proposal. zkLend stated on social media that it has submitted incident reports to the Hong Kong Police, the FBI, and the Department of Homeland Security, and will initiate legal proceedings.

On February 13, Ethereum co-founder Vitalik, who has always been a supporter of Railgun, posted on social media, explaining how Railgun successfully avoided handling proceeds of crime this time.

Why can the mixer Railgun become an anti-money laundering DeFi protocol, where $5 million stolen funds are ‘automatically returned’?

After Vitalik’s article was published, the market reacted very sensitively to the news, and Railgun surged in response. According to market data, as of the time of writing, in the past 24 hours, Railgun has risen by 7.00%, with trading volume increasing by 162.31%.

( How does on-chain anti-money laundering, Railgun achieve it?

When it comes to the Railgun, a policy protocol clearly aimed at anti-money laundering, we have to mention the leading project of mixer service, Tornado Cash.

Tornado Cash and Railgun both belong to the privacy track and are the first projects to provide coin mixing services. Its privacy protection features have made it a tool for hackers and criminals to launder and hide funds, attracting attention from governments and regulatory agencies around the world, especially the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury imposing sanctions on it.

In August 2022, the US Department of the Treasury imposed sanctions on Tornado Cash, stating that the service had laundered over $7 billion in the past three years and helped the North Korean state-owned hacker group Lazarus Group evade US sanctions. In May 2024, one of the founders and core developers of Tornado Cash, Alexey Pertsev, was sentenced to 5 years and 4 months in prison.

Tornado Cash has become a handy tool for hackers and money launderers because it lacks anti-money laundering functionality. The heavy blow from regulatory agencies has sounded the alarm for the entire privacy track. With the lessons learned from Tornado Cash, Railgun, as a dragon in the privacy track, naturally needs to learn from it and the direction of improvement is clear: anti-money laundering.

Railgun has adopted a more stringent anti-money laundering strategy, focusing on strengthening compliance while protecting privacy. The core of this strategy is to ensure that the platform can maintain user privacy, effectively respond to regulatory requirements, and prevent funds from being used for illegal activities. The specific measures taken by Railgun are as follows:

![500 million USD stolen funds “automatically returned”, why can the mixer Railgun become an anti-money laundering DeFi protocol?])https://img.gateio.im/social/moments-c6a0e8c8658b8d2ede16aaa9b6546512###

In the first step, Railgun did not focus all its attention on optimizing the code, but cleverly compiled a blacklist from regulatory authorities, compliance platforms, and other sources. The blacklist covers transaction data related to illegal activities such as money laundering, fraud, and sanctions violations. With these case records, there are precise targets for targeted attacks.

In the second step, after any user makes a deposit, there will be a 1-hour detection period, during which various algorithms will analyze whether the deposit may come from a blacklist. The entire process is completely encrypted, only outputting the conclusion of ‘whether it is related’, without revealing sensitive information such as user addresses, transaction history, or balance, thus ensuring user privacy is not violated technically.

In the third step, users can use zero-knowledge proof (ZKP) for private withdrawal after 1 hour. In addition, Railgun’s internal protocol policy also stipulates that if there is an attempt to mix coins from a suspected blacklisted address, the funds of the suspicious address will be forcibly returned.

Finally, Railgun proactively complies. All proofs generated by user wallets can be provided to exchanges or regulatory agencies. These third-party organizations confirm the validity of the proofs through verification algorithms without the need to access user fund flows, wallet activity details, or identity data. This mechanism meets the external organizations’ need to review transaction compliance while completely avoiding the risk of user privacy leakage, achieving ‘trustless exoneration’.

It is this combination of privacy protection, compliance mechanisms, and risk control strategies that forms the last line of defense against money laundering attacks in the zkLend incident.

SlowMist founder also stated: ‘This is a very good privacy solution.’

( The privacy track, where to go in the future?

While Railgun is building a moat for compliance, there seems to be a loosening of regulatory policy in the United States.

On November 27 last year, the US Fifth Circuit Court of Appeals ruled that the US Treasury Department’s sanctions on the Tornado Cash smart contract were illegal. For cryptocurrency and all those who care about defending freedom, this is a historic victory. The founder of Uniswap called it ‘immutable smart contracts defeating the Treasury Department in court.’

Will this ruling breed more and more clamor for “Code Is Innocent” on the privacy track, but actually promote criminal projects?

Anyway, in the current environment of increasingly clear cryptocurrency regulation after Trump’s administration, Railgun, which combines privacy and compliance, should set an example for the development of this track.