Crypto privacy software refuses money stolen in $9.5m hack
A hacker tried to quietly move almost $10 million in stolen crypto. This privacy service didn’t let him.
Software that conceals the flow of crypto is a standard part of the hacker’s toolkit, allowing thieves to sell stolen assets unnoticed.
That software just thwarted a hacker.
Privacy protocol Railgun reverted a Thursday transaction in which a hacker attempted to move almost $10 million in stolen crypto, according to blockchain records.
It’s perhaps the first real-world victory for technology built to satisfy two diametrically opposed parties: the regulators and law enforcement agencies alarmed by cybercriminals’ growing use of crypto, and the privacy-obsessed cypherpunks who created the first cryptocurrencies and were their earliest users.
That technology was first detailed in a 2023 paper authored by Ethereum co-founder Vitalik Buterin and several other researchers.
Privacy-enhancing software has been controversial in crypto. Proponents have long argued that blockchains need privacy if they’re going to become the backbone of a new financial system — nobody will transact entirely “onchain” if doing so has the potential to reveal their entire financial history.
But privacy protocols have proven popular with cybercriminals, including hackers with ties to North Korea and its nuclear weapons programme. The US has sanctioned crypto “mixer” Tornado Cash and charged one of its developers with money laundering and sanctions evasion, a case that has the potential to dramatically chill development of privacy-preserving software, according to industry groups.
ZkLend, a lending-and-borrowing protocol on the Starkware blockchain, suffered a $9.5 million hack Thursday, according to crypto security experts. The hacker transferred the crypto to the Ethereum blockchain, and then attempted to transfer it again using Railgun, a protocol that allows users to break the chain of traceability between blockchain transactions.
That would have allowed the hacker to continue moving the stolen crypto across the blockchain, or to transfer it unnoticed to an exchange, where it could be exchanged for cash.
Instead, Railgun functionally refused the hacker’s request.
That’s because it uses a version of the technology detailed in Buterin’s 2023 paper.
That technology lets honest users create a cryptographic proof showing their money — the origin of which is otherwise kept secret — didn’t come from wallets associated with stolen funds or other illicit activity.
“And if they are [ill-gotten], the only action the bad actor can perform is to send back to their originating address,” Alan Scott, co-founder of the Railgun project, told DL News.
Pseudonymous crypto security expert Officer’s Notes called it a solution that struck a “perfect balance.”
“It will avoid unnecessary attention and regulatory pressure while respecting the basic principles of privacy,” he told DL News.
“After all, it wasn’t Railgun itself that sent the money to the hacker. It was the hacker who could not use the service and had to withdraw his money back.”
Aleks Gilbert is DL News’ New York-based DeFi reporter. You can reach him at aleks@dlnews.com.