What’s in your wallet, Barry Silbert? A Forbes investigation reveals that despite alleged safeguards, Grayscale’s owner’s fee income spiked after its crypto mixer Railgun saw a sudden surge in laundered money in 2023.
By Javier Paz, Forbes Staff
In the world of cryptocurrency, privacy is a huge issue. For those with something to hide, so-called cryptocurrency mixers exist to cloak the identity of owners by scrambling the digital currency in pools, disassociating it from the original crypto wallets, and making it nearly impossible to know the original source of funds. In 2022, perhaps the most notorious mixer, Tornado Cash, was blacklisted by the U.S. Department of Treasury for allegedly laundering billions of dollars for criminals, including the group fronting for North Korea.
U.S. law enforcement authorities say a North Korean-hacker outfit known as the Lazarus Group has been using mixers including Blender.io, Tornado Cash, Railgun and Sinbad.io, to launder stolen crypto. The chart below shows that mixers have been used to launder over $700 million in stolen funds from blockchain-based applications such as the online game Axie Infinity, Atomic Wallet, and Harmony Bridge, which is a tool that lets users move tokens from the Harmony blockchain to other major networks like Ethereum. According to reporting from the Wall Street Journal, Lazarus has stolen over $3 billion worth of crypto.
Lazarus Group Crypto Hacks
Hacks (red) and the mixers (green) used to allegedly launder proceeds. Numbers in green do not always equal red numbers because hacked funds do not always equal laundered funds, and some funds are laundered more than once.
The Harmony hack stands out from the others because U.S. law enforcement authorities have not sanctioned Railgun, unlike the other mixers mentioned above. The Treasury did not respond to a request for comment about Railgun. However, new information suggests that Digital Currency Group (DCG), owner of $25 billion crypto fund manager Grayscale, likely benefited from the laundering through Railgun. A two-month Forbes investigation supported by data from blockchain intelligence firm ChainArgos shows that DCG received $436,906 in fees from Railgun from June 2023 to the present. This figure represents 18% of the $2.4 million that Railgun paid out. According to Elliptic, mixer Railgun may have been involved in as much as $60 million worth of laundering for Lazarus Group in 2023.
A company spokesperson for DCG declined to comment on this story. Multiple requests for comment sent to Railgun went unanswered.
The Harmony Hack
In June 2022, according to the FBI, North Korea’s Lazarus Group stole $100 million worth of crypto, including ether, USDC, WBTC, and 11 other tokens, from blockchain bridge Harmony. It obtained the funds by compromising the password of one of the bridge’s administrators to a cloud storage program, which it then used to steal the private keys that safeguarded client assets in transit. The stolen funds remained dormant for seven months, stated crypto forensics firm Elliptic, when “between January 11th and 14th, 2023, 41,647 ETH was sent to the Railgun Relay Contract via 71 accounts.” The Lazarus Group’s Railgun exit strategy was also traced to “184 intermediary accounts before depositing into various exchanges using 19 deposit addresses targeting Huobi, Binance, and OKX.”
On April 16, 2024, Railgun, which is based in the United Kingdom, denied the alleged mixing on X, saying, “This is not true and it’s false reporting.” Still, there was a massive bump in Railgun’s usage and fees in early 2023. Historically, Railgun was handling mixing volumes of between 1 and 5 ether per day. The volume surged to 41,000 ETH on January 13, coinciding with the alleged laundering, a level that has never been reached again.
DCG’s Investment
In January 2022, DCG invested $10 million in Railgun and in return received 5 million RAIL (the network’s native token). Based on recent prices, DCG’s investment in RAIL is now worth $3.9 million, down more than 60%. DCG staked these tokens, which is a form of posting them as collateral in the protocol, so that it would be able to vote on important business decisions about the protocol’s future and receive a portion of network fees paid by users. The DCG RAIL tokens were posted in five separate Ethereum wallets:
0x5348b77cF55B90147CbB6a938e0058DD25cbF0CA
0x3decD5DA4bC6489dfe1e73d0469c59f281ED8811
0x54Aa22EaCB1da8Ee635Ab0E94C8DA77F49916b4E
0x02698237DDC5Cf63660DA2cfD10934C911433724
0xE82f012dd671f94094d0c33D9E8c99330D1D2B79
Additionally, DCG donated $7.1 million worth of a stablecoin called DAI, whose value is pegged to the price of the U.S. dollar, to Railgun’s treasury for general business usage. “It’s very new to have a large investor send funds to a fully decentralized DAO treasury in support of a project, without any admin key or multisig team,” attorney Edward Fricker, who advised on the deal on behalf of Railgun, said in a statement at the time.
Based on data from ChainArgos and Elliptic, Forbes calculates that the alleged North Korean laundering of $60 million created a fee pool of at least $260,000 that was available for withdrawal from Railgun as of January 21, 2023. However, DCG waited to request its share of Railgun fees until June 2023. During that lag time, 26 other blockchain addresses claimed fees from Railgun.
Did DCG wait five months to claim its fees in an effort to distance itself from alleged illicit activity? DCG didn’t respond to Forbes. ChainArgos CEO Jonathan Reiter had this to say: “If co-mingling fees derived from laundering funds is legal simply by waiting a few weeks, law enforcement would not be impressed.”
But it would not have mattered. Railgun’s code automatically pegs accrued fees to a staked address or recipient. “There’s conclusive proof that DCG claimed rewards from the alleged money laundering incident of January 2023,” says Matthew Sampson, co-founder of blockchain analytics firm Gray Wolf. “The Railgun smart contract specifies who is due a reward and the tokens for that period were reserved for DCG, irrespective of when they were claimed.”
Railgun Rewards to DCG
The chart below shows recent fee rewards paid by Railgun to DCG wallets. Not all of the mixer’s fee income comes from alleged money laundering.
The rewards owed to the staked RAIL in the five wallets above were delegated to the address [0xFED429FB7d243380B25bC11B10561D5A27f42D8E], which links DCG to the receipt of Railgun rewards. Each recipient received its rewards in the form of three tokens: stablecoin DAI (49%), governance token RAIL (30%), and wrapped ETH (WETH, 21%). A stablecoin is equivalent to one unit of select fiat currencies, in this case the U.S. dollar. The RAIL governance token lets holders have a vote on proposals for each token held, akin to proxy voting in the stocks world. WETH is ETH that has been “wrapped.” This allows it to move across multiple blockchain protocols and not be restricted to its native Ethereum protocol.
DeFi Compliance
The involvement of DCG in this episode is an example of how decentralized finance (DeFi) applications in crypto that mirror banking functions on a blockchain struggle to balance privacy tools with a need to keep bad actors off their systems. A common refrain from the creators of these platforms is that they are decentralized, and thus beyond anyone’s control. However, that explanation rarely washes with law enforcement officials, especially in the U.S.
According to U.S. authorities’ guidance on Bank Secrecy Act responsibilities released in October 2021, “members of the virtual currency industry are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions.” Referring specifically to DeFi projects, a spokesperson for the Internal Revenue Service’s Criminal Investigation unit told Forbes that “these platforms require ongoing maintenance and development to keep pace with technology and keep criminals at bay, and that requires the company behind the DeFi platform to have oversight of what’s taking place on the platform and ensure compliance with laws and regulations.”
Violations of the Bank Secrecy Act often go undetected in part because the U.S. government is understaffed. “FinCEN has been under-resourced for years and may have 10 people at most responsible for thousands of money services businesses, including crypto exchanges, some of which are moving trillions of dollars a year,” says Amanda Wick, a former regulator at the Department of Justice and principal with Incite Consulting.
“The [government] is short on staff and crime is rising,” adds Victor Fang, CEO and co-founder of blockchain analytics firm Anchain, who works closely with the Internal Revenue Service’s Criminal Investigations Team that tracks financial crime. “There are 50,000 cases sitting on law enforcement [desks] in the U.S. alone so how exactly are they going to use Chainalysis or other vendors manually? It’s impossible.”
It appears that Railgun is working on a technology solution in order to improve its compliance. In May 2023, Railgun partnered with Chainway Labs, creator of “Proof of Innocence”, to usher in new functionality that could make it more compliant with regulations. The Proof of Innocence solution, also called Privacy Pools, lets users choose whether or not to give cryptographic proof that their tokens don’t originate from sanctioned wallets. Good guys provide that proof, bad guys stay away, or so the thinking goes. The problem is, bad guys easily create a host of new unsanctioned wallets, with layers of separation from their illicit activities, to outsmart solutions like this.
Says ChainArgos General Counsel Patrick Tan, “You can’t have a permission-less system that is compliant – you will always be behind when it comes to blacklisting or trying to catch the bad guys.”