$5 Million Stolen Funds Rejected: Is the Mixer Railgun Becoming a "Recovery Tool" for DeFi Platforms?

Author: Ashley


On February 12, the lending protocol zkLend on Starknet was attacked by hackers, resulting in a loss of nearly $5 million. However, the hackers did not anticipate that after mixing the money with Railgun (the final step to wash it clean), they would be restricted by Railgun’s protocol policy, leading to a forced return of the funds.
Following the incident, zkLend suspended withdrawal services to protect the remaining funds and announced to the community that the team is actively tracking the hacker’s identity and the flow of funds in collaboration with multiple partners, promising transparency and a detailed investigation report in the future. Additionally, zkLend offered the hacker the option to retain 10% of the funds as a white hat bounty, with the remaining 90% (3,300 ETH) to be returned to zkLend’s Ethereum address. Upon receiving the transfer, zkLend would agree to waive any and all liabilities related to the attack.
As of the time of publication, there has been no response from the hacker regarding this proposal. zkLend posted on social media that they have submitted an incident report to the Hong Kong police, the FBI, and the Department of Homeland Security, and will initiate legal proceedings.



On February 13, Ethereum co-founder Vitalik, a consistent supporter of Railgun, took to social media to explain how Railgun successfully avoided processing illicit funds this time.



After Vitalik’s post, the market reacted sensitively to the news, and Railgun’s value surged. According to market data, as of the time of publication, Railgun saw a 7.00% increase in the past 24 hours, with trading volume rising by 162.31%.

When discussing Railgun’s apparent anti-money laundering policy, one cannot overlook the leading mixing service project, Tornado Cash.
Tornado Cash and Railgun both belong to the privacy track and were the first to provide mixing services. Tornado Cash’s privacy protection features made it a tool for hackers and criminals to launder and conceal funds, attracting the attention of governments and regulatory bodies worldwide, particularly the U.S. Treasury’s Office of Foreign Assets Control (OFAC), which imposed sanctions against it.
In August 2022, the U.S. Treasury sanctioned Tornado Cash, claiming the service laundered over $7 billion in the past three years and helped the North Korean state-sponsored hacking group Lazarus Group evade U.S. sanctions. In May 2024, Alexey Pertsev, one of the founders and core developers of Tornado Cash, was sentenced to 5 years and 4 months in prison.
Related Reading: “Guilty! What the Tornado Cash Verdict Means for DeFi Regulation?”
Due to the lack of anti-money laundering features, Tornado Cash became a handy tool for hackers and money laundering criminals. The heavy-handed actions of regulators have sounded the alarm for the entire privacy track. With Tornado Cash as a cautionary tale, Railgun, as the second leader in the privacy track, must learn from it, and the direction for improvement is clear: anti-money laundering.
Railgun has adopted stricter anti-money laundering strategies, focusing on enhancing compliance while protecting privacy. The core of this strategy is to ensure that the platform can both maintain user privacy and effectively meet regulatory requirements to prevent funds from being used for illegal activities. Below are the specific measures taken by Railgun:



The first step is that Railgun does not focus solely on optimizing code but cleverly compiles a blacklist from regulatory bodies and compliance platforms. This blacklist includes transaction data related to money laundering, fraud, and sanction violations. With this list as a reference, it can precisely target potential offenders.
The second step involves a 1-hour detection period following any user deposit, during which various algorithms analyze whether the deposit may originate from the blacklist. The entire process is fully encrypted, only outputting a conclusion of “associated” or “not associated,” without revealing sensitive information such as user addresses, transaction history, or balances, thus technically ensuring user privacy is not compromised.
The third step allows users to make private withdrawals using zero-knowledge proofs (ZKP) after the 1-hour period. Additionally, Railgun’s internal protocol policy stipulates that if any suspected blacklist addresses attempt to mix funds, the funds from that suspicious address will be forcibly returned.
Finally, Railgun actively collaborates with regulators. All proofs generated by user wallets can be provided to exchanges or regulatory bodies, allowing these third-party institutions to verify the validity of the proofs through verification algorithms without needing to access user fund flows, wallet activity details, or identity data. This mechanism satisfies external institutions’ scrutiny of transaction compliance while thoroughly avoiding the risk of user privacy leakage, achieving “self-proof without trust.”
It is this combination of privacy protection, compliance mechanisms, and risk control strategies that forms the last line of defense against the attackers’ money laundering in the zkLend incident.
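
A simplified model of the deposit lifecycle described in the steps above, added here as an illustration and not Railgun’s own code. The class, method names and sample addresses are constructed; a plain address lookup stands in for the encrypted analysis, and a recipient argument stands in for the zero-knowledge withdrawal.

```python
SCREENING_WINDOW_S = 3600  # the 1-hour detection period described above

class ScreeningPool:
    """Toy model: a plain address match stands in for the encrypted analysis,
    and a recipient argument stands in for the ZKP-based private withdrawal."""

    def __init__(self, blacklist):
        self.blacklist = set(blacklist)  # compiled from external list providers
        self.deposits = {}               # id -> (origin, amount, deposited_at)
        self.refunds = []                # forced returns as (origin, amount)
        self._next_id = 0

    def deposit(self, origin, amount, now):
        self._next_id += 1
        self.deposits[self._next_id] = (origin, amount, now)
        return self._next_id

    def verdict(self, dep_id, now):
        """Expose only the conclusion, never the address, history or balance."""
        origin, _amount, deposited_at = self.deposits[dep_id]
        if now - deposited_at < SCREENING_WINDOW_S:
            return "pending"
        # Assumption: the list is consulted when the verdict is requested.
        return "associated" if origin in self.blacklist else "not associated"

    def withdraw(self, dep_id, recipient, now):
        """Pay out a cleared deposit; force a flagged one back to its origin."""
        result = self.verdict(dep_id, now)
        if result == "pending":
            raise PermissionError("deposit is still inside the screening window")
        origin, amount, _ = self.deposits.pop(dep_id)
        if result == "associated":
            self.refunds.append((origin, amount))
            return origin  # the requested recipient is ignored
        return recipient

def demo():
    pool = ScreeningPool(blacklist={"0xlisted"})  # constructed sample data
    clean = pool.deposit("0xalice", 10, now=0)
    dirty = pool.deposit("0xexploiter", 2000, now=0)
    pool.blacklist.add("0xexploiter")  # flagged while the window is still open
    early = pool.verdict(dirty, now=600)
    paid = pool.withdraw(clean, "0xfresh1", now=3600)
    returned = pool.withdraw(dirty, "0xfresh2", now=3600)
    return early, paid, returned, pool.refunds
```

In this model an address added to the list during the window is still caught, because no withdrawal is possible until the window has closed.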



The founder of SlowMist also remarked, “This is a very good privacy solution.”

While Railgun builds a moat for compliance, U.S. regulatory policies seem to be loosening.
On November 27 last year, the U.S. Fifth Circuit Court ruled that the U.S. Treasury’s sanctions against Tornado Cash’s smart contracts were illegal. This was a historic victory for cryptocurrency users and all those concerned with defending freedom. The founder of Uniswap referred to it as “immutable smart contracts defeating the Treasury in court.”
Will this ruling lead to the emergence of more projects in the privacy track that wave the banner of “code is law,” but in reality, foster crime?
Related Reading: “A Comprehensive Analysis of the Privacy Track: Defending Privacy or Fostering Crime, the Revolution is Yet to Succeed”
Regardless, in the current environment of increasingly clear crypto regulation since the Trump administration, Railgun, which combines privacy and compliance, should serve as a model for the development of this track.

The original article is republished with permission from Lidu BlockBeats.
