In this episode, Geoff White (https://x.com/geoffwhite247) tells us what happened to Axie Infinity and Tornado cash. It’s a digital heist of epic proportions that changes everything.This story comes from part of Geoff’s book “Rinsed” which goes into the world of money laundering. Get yours here https://amzn.to/3VJs7pb.
All right, lights red, we're recording. Hey, Tortoni, you're looking great today. Still writing, I see. See, here in my studio, which is just my closet, I have a picture on the wall made by Edward Manet. And it's a picture of a fine-looking gentleman sitting at a table writing something down. I call him Tortoni, but that's not his name.
This picture has captured my imagination and curiosity for countless hours. I stare into it, and I just fall into an abyss. But the thing about this picture is that it's not the content or even who made it. It's that this picture was stolen from the Isabella Stewart Gardner Museum back in 1990, and it's never been recovered. And I don't have the original. I just have a print of it.
But the thieves didn't just steal this picture. They took a bunch of others too. And this was the biggest single heist of all time. They estimated that the art that was stolen is worth $500 million. And it still remains unsolved. I'm looking at this picture on my wall right now. There's a $10 million reward for it. Yet mine, I just got from my printer for like five cents.
It's always been weird to me how art has just so much value. I just don't see how this picture, which is not that much bigger than a regular sheet of paper, is worth more than a mansion. But that's no longer the biggest heist ever. Because in 2022, a digital heist happened, which set a new record high. These are true stories from the dark side of the internet. I'm Jack Recider.
This is Darknet Diaries. This episode is sponsored by Mint Mobile. With big wireless providers, what you see is what you get. Somewhere between the store and your first month's bill, the price you thought you were paying magically skyrockets. With Mint Mobile, you'll never have to worry about gotchas ever again. When Mint Mobile says $15 a month when you purchase a three-month plan, they mean it.
All plans come with high-speed data, unlimited talk and text, and you can use your own phone with any Mint Mobile plan and bring your phone number along with your existing contacts. To get this new customer offer with your new three-month premium wireless plan for just $15 a month, go to mintmobile.com.com. That's mintmobile.com slash darknet.
Cut your wireless bill to $15 a month at mintmobile.com slash darknet. $45 upfront payment required, equivalent to $15 a month. New customers on first three-month plan only. Speed slower above 40 gigabytes on unlimited plan. Additional taxes, fees, and restrictions apply. See Mint Mobile for details. Support for this episode comes from Delete Me. It feels like a war out there.
Companies all over trying to scrape and store all kinds of personal data about me. My phone number, address, family members, where I work, sexual orientation, club affiliations, income level, what kind of car I drive. It's just endless. And every now and then I Google myself and just get freaked out about the amount of data there is about me out there. This is why I use delete me.
I registered there and told them what to look for about me. They were able to discover what sites have data on me and took steps to get that information removed for me. That's my favorite part. It's like getting help in this war. Their scouts know exactly where to look and they'll tell me what they found about me.
And if they can't remove it themselves, they'll give me recommendations on how to get it removed or mitigate it. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries, code DD20. Digital assets are fascinating to me. I'm no economist, but they behave in ways that don't make sense to me. Like, let's take audiobooks, for example.
It takes a lot of work to make the first one, but then infinite copies can be made at zero cost after that. So I don't know. What happens when supply goes to infinity, right? It seems like price would go down to nothing. But it's not the case. Audiobooks are still $10, $20 each, despite there being an infinite amount of them, which costs nothing to make more of. That's kind of wild.
And you'd think that piracy would have destroyed the market for digital assets, too. With unlimited supply, demand should have gone way down. But no. The demand for digital goods is at an all-time high. Top-tier musicians are making more money now than they ever did before.
And that's because we all have mobile devices glued to our hands 24-7, and we're continually thirsty for more digital content to consume. It almost seems like our whole lives are digital now. Movies, shows, memes, music, books, even the people we are closest to, we have a digital relationship with them. But I'm always wondering, of all the digital stuff in our lives,
Is any of it really ours to own? Okay, so I think anything that's saved on your computer and you can use it offline, I'll say that's yours and you own that. Photos that are saved on your phone, that's yours. Music saved in MP3 form, that's yours too. You own that. But the line is often blurry between what's on our devices versus what's on the internet.
Like if you have an Android phone, it tries to get you to back up your photos to Google Drive. And it's not always clear if your photo is on your phone or on Google's servers. If it's just on Google's servers, then you don't really own it, do you? Since they have complete and full control of your photos. What about audiobooks? Let's look at those for a minute.
Most audiobooks I listen to, I can actually borrow from the library. And there are apps which let you check them out, and you can listen to it for a few weeks and then return it digitally. It's great. But often my library doesn't have the book I want, so I've got to buy it. And when I buy an audiobook, the biggest marketplace for that is Audible. So I look there.
And what drives me crazy about buying books from Audible is... Well, I don't own that book. Like, at all. If I owned it, I should be able to save it locally, give it to a friend, donate it to my library, or resell it to someone else like a used audiobook. But all that is impossible to do through Audible.
And of course, Audible could cancel your account at any time, and you would lose all of the books that you bought. So to me, the audiobooks that you buy on Audible are not really yours. You don't own them at all. So let's look at some other digital assets. How about my online accounts, like Twitter or email accounts or online gaming accounts? Do I own my Twitter username? No.
No, I don't think so. Twitter does. And they graciously let me use it. And at any moment, they could terminate it or rip it out of my hands. I don't have any actual ownership of it. I mean, just look at what happened when Twitter changed their name to X. There was a user on Twitter who had the username X, and Twitter just ripped it right out of their hands.
And there was nothing that user could do to keep it. Because Twitter owns everyone's account. Yet, it's interesting because even though you can't own a Twitter account, they are still valuable. And people are buying and selling Twitter accounts all the time. Let's look at video games now. There are digital assets in video games, right?
Like, imagine you're playing an online game, and when you level up your character, you get all kinds of armor and weapons and gold. That character is yours, right? Well, I don't think so. I mean, the game can ban you at any moment, and then what? Or what about those in-game items like gold and weapons? It feels like that stuff is yours, but it's not really.
You can't save it offline or take it with you to another game. And it's strange because even though you don't own that stuff in the game, those items still can have real-world value. I know I've bought an in-game weapon before for $100. And it's ridiculous because I bought something I don't actually own. All right, what about my website, darknetdiaries.com? Do I have ownership of that?
Well, at first glance, sure. I purchased the domain and I can do whatever I want on it. I'm the admin. I can say what I want and nobody can stop me. But no, first of all, I didn't purchase the domain. I'm renting it. All domains have to be renewed like yearly or every few years. Registrars control the domains and you pay them to get it.
But then you have to keep paying them to maintain control of it. Seems like I don't own it if I have to pay someone over and over to keep it mine. On top of that, governments can go to domain registrars and take over a domain that's being used for illegal purposes.
So yeah, I'd say I don't actually own my domain if someone else can rip it out of my hands like that, or if it'll expire after a while. But domains on the dark web are different. I'm talking about on Tor, the dark net. See, on the dark web, domains look awful. They're like a long string of random letters and numbers. You'd never be able to memorize it. And then it ends in .onion.
So how do you get a domain on the dark web? Is there a central body like ICANN where you go to register domains with? No, no, not at all. You create the domain yourself. Yeah, that's right. You generate a private public key pair and that public key is your domain name. So with this system, the person who has the private key controls that domain.
Now, to me, this is true digital ownership, and I love that. Unless someone comes and steals my key from me, nobody can ever take my .onion domain from me. It's never going to expire, and it can't be seized by the feds. This is why a lot of people are drawn to the dark web, to have something on the internet that's truly yours, and nobody can ever take it away from you.
Another thing that I think gives you true digital ownership is cryptocurrency. Not all money is like that. Your bank can refuse your service if they want. They can cancel your credit card and kick you out of the bank and freeze your money. I know PayPal has frozen my account before, trapping my money in there.
But because cryptocurrency is built on decentralized blockchains, there's no one managing it to kick anyone out or freeze an account or take over an account. Everyone and anyone is welcome.
at all times forever and the best part is you truly own your crypto wallet because to get a cryptocurrency wallet you just make it yourself by generating a random private key and then using that to derive a public key when you do this only you are the only person who's ever seen that private key and whoever has that private key controls that public address or wallet
There's no admin that can revoke your key or move your money without your permission. Your key is your key forever and ever. The blockchain is a fascinating invention, and whether you love or hate cryptocurrency, the technology behind it is very interesting. Take the Ethereum blockchain, for example.
It popularized something called smart contracts, which allows people to add code into the blockchain, which means you can program money and even create apps integrated directly into cryptocurrencies. This is wild, and it's opening up a whole new future that we never imagined.
For instance, people are making entire video games with these smart contracts where the whole game lives on the blockchain, which means the in-game currency is actually real cryptocurrency. Not only that, but the apps you make on the blockchain are truly yours, where nobody can ever seize it from you or stop you from making it. It's time we step foot into this big, new, wild digital world.
I think the game Axie Infinity represents a fundamental shift in video game development. I spoke to Jeff White about this game.
Hi, I'm Jeff White. I'm an author and investigative journalist, and I cover organized crime and technology. Yeah, so Axie Infinity is not like the games that I used to play when I was a kid, where they sell you the video game and then you go away and you play it and that's it.
Axie's an online game, as of course lots of them are, and you're playing against other people online, which of course lots of games are. But the thing that made Axie different and quite radical, I think, for some people was that it Everything in the game was basically for sale. It was a whole marketplace. So the way it worked was you have these axes, which are based on the axolotl salamander.
You have a team of axes, three axes, and you basically wrestle them. You fight them against your opponent's team of axes. And if you win... you're rewarded with smooth love potion tokens, which you can use to breed your Axies together to get them to be better fighting machines. It's basically a bit like, do you remember those Tamagotchi keyring things? Yeah, I do.
Little digital pet that you can level up and stuff.
Exactly that. It's like that mixed with WWF wrestling. So that's the idea, actually. This game is hugely, hugely popular.
Okay, so I need a team of three of them. How do I get one of them? What's the process?
You buy. You have to buy the team. And you can't, as far as I'm aware, get one. You have to buy a team of three, because three is the magic number. In order to do this, and this is where it gets interesting with the sort of cryptocurrency aspect to it,
If you have, I'm assuming it's dollars for you, Jack, you can swap your dollars into ETH, the currency on the Ethereum blockchain, the cryptocurrency. It's a bit like Bitcoin. Actually, it's number two, I think, to Bitcoin, ETH, I think I might say. You can then take that Ethereum money and you can put it into, transfer it into Axie Infinity.
And then you can use that in-game currency to buy your Axies, to buy Smooth Love Potion. You can buy land in the game. So it's all, the whole game is based on cryptocurrency. Yeah. And this is an internal blockchain within the game that tracks who owns what and who's sold what to whom.
I see. And I like the ownership aspect of this. You really do digitally own one of these Axies since it's all on the blockchain. There's no way for anyone to take your Axies away from you if you own them, unless they steal your private key. To me, this is interesting because look at the software world right now. You can't buy Microsoft Word or Adobe Photoshop.
You have to pay a monthly fee in order to use it. You don't own a lot of the software or games today if you have to have an internet connection for it to work. And as the meme goes, if purchasing isn't ownership, then piracy isn't theft.
Axie Infinity was created by a company called Sky Mavis, who are headquartered in Vietnam. I think the company's registered, though, in Singapore. And this was five guys who'd been part of the sort of esports scene, so they'd been around gaming for a very long time. And the idea of sort of crypto-based video games... It wasn't sort of radically new.
I think CryptoKitties predates Axie Infinity from what I've read of it. But basically what they did was they built this game and released it. And in a way, they locked out because they obviously got the benefits of video game obsession. People became obsessed with this game and started playing it and battling their Axies together and so on.
They also got the benefit of a sort of cryptocurrency boom because this was sort of 2019, 2020, and crypto was starting to rise in value quite steeply at that point. So... people who were into video gaming got into Axie Infinity.
But what was really interesting around the discussion boards around Axie Infinity is you start to see this change where people are discussing the game and then they start to discuss crypto investments and crypto speculation. So suddenly people who are into crypto and the speculative side of it started to see this game as an opportunity, a money-making opportunity.
So you've got this incredible whirlwind of sort of obsessive gamers and also obsessive cryptocurrency speculators coming in. And this game just went up and up in value. I think at one point it was valued at $2 billion, I think I might say. It's astonishing values. And the other thing that fed into this was COVID, it was lockdown.
So during that period, the game was big in Southeast Asia, particularly big in Southeast Asia, because that's where the company was headquartered. And it absolutely took off, particularly the Philippines. I think 40% of the players apparently were in the Philippines. And during lockdown... A lot of people lost work, weren't able to go to work, were looking around for alternative sources of income.
And they started to see that actually they could potentially play this video game and make money at it. So you put all these factors together and you just get this explosive combination that just launched Axie Infinity into the stratosphere. Much to the surprise, I think it's fair to say, of the guys at Sky Mavis who made it. I don't think they were expecting it to be such a big of a hit.
Now, because the in-game currency was the Ethereum cryptocurrency, this allowed for a whole in-game marketplace. You could buy or sell things to other players with cryptocurrency, just like directly on the blockchain. Ethereum wasn't just for cryptocurrency, but there were items on it now. Axies, for instance.
And you could buy one from another person directly if you wanted, without having to go through any game to do it. How do people make money? Do you understand the complexities of this? Because if you're battling someone and you win the battle, do you take money from the other person?
No. The way it would work, as I understand it, is your axes would become more and more valuable the more fights they won. And you could actually sell them to other people in the game. So you could say, you know, I've got this team of Axies. Look, they've got a fantastic track record of killing lots of other Axies. I don't know actually whether killing was part of it, but winning the battles.
You know, would you like to buy them off me? Also, there's a trade in smooth love potions. So as you played the game, you got more smooth love potion. You could sell the smooth love potion to people. You could buy and sell plots of land on Lunacia, which is the virtual... environment in which the game is played. So almost everything was for sale.
So the money was being shared around by trading within the game.
Now you might be thinking, hold on, wait a minute. This is an awful idea to bridge real money into a video game. Well, you're not the only one to think that. The video game marketplace, Steam, has outright banned all crypto-based games from there. At first glance, you might be thinking, oh, that's because they don't want people spending real money on games like that.
It can ruin the in-game economy, and it leads to speculative behavior. And also, isn't it stupid to just buy video game assets like gold and weapons? But none of those are the reasons why Steam banned crypto-based games. A very popular game on Steam is CSGO, or I guess it's now called Counter Strike 2.
Within Steam itself, there's a whole marketplace where you can buy and sell in-game Counter Strike items from other players for real money. It's like a giant marketplace on Steam. Thousands of purchases happen every day. Yeah, you can show up, type your credit card details in, and start buying items in the game from other players with real money.
Steam has built this whole system, so clearly they are perfectly fine with people using real money to buy in-game items, or be speculative in the game, or mess up the game economy. However, when you sell an item, you don't get the money from the sale. They give you Steam credits, which can be used to buy other games on Steam,
But players were like, wait a minute, if I'm selling this to someone who's buying it with their credit card, why can't I get the money they paid for it? It seems like, yeah, we really don't want to give you money. Game credits are much better for us. So players were like, well, you know what? Nobody can stop us from just trading among ourselves. So player to player sales started happening.
But how do you send money digitally? You can't just give someone your credit card. It doesn't work that way. So players started trading using cryptocurrency. But this became unsafe. People were sending their money and not getting anything in the trade. So websites started popping up saying, hey, we'll broker the deal for you.
And they started acting like the middleman and trades for Counter-Strike. And that went on for a while. And Steam was like, all right, here, we'll make an API for the marketplace.
and this allowed secondary marketplaces to let players buy and sell in-game items with real money and not only that a lot of markets allowed you to buy and sell items with cryptocurrency so while steam has banned crypto-based games you can actually use crypto to buy things in counter-strike 2 or sell things and get crypto from it And this is all totally allowed by Steam.
Steam could put an end to all this right now if they wanted. They could make it so players just can't trade with each other anymore. But they won't because they make far too much money from this whole system. So why does Steam actually ban crypto-based games? I think it's because the regulatory landscape is unclear.
When you start accepting cryptocurrency, suddenly you get into these regulations that are very difficult to figure out. And don't tell me that Steam bans crypto-based games because it keeps out the trashy, scammy type stuff. Well, have you seen the game Banana? As I'm saying this, it is the second most popular game on Steam, and it's possibly the world's dumbest game.
You just click a banana, and after a while, you might get a banana for doing it, which can be sold on the marketplace. And it's making the creator a ton of money since people are buying bananas with real money for no reason. The banana does nothing in the game. This is 10 times dumber than any NFT game I've ever seen. And it's not even an NFT game.
The fact that Steam allows this is kind of breaking my brain, honestly. I bet there are a million teenagers today who are very fluent at understanding the market intricacies of V-Bucks or Robux, the virtual currencies for their favorite games. And the thing about Steam credits or V-Bucks or Robux is you can only buy it. You can never sell it.
It's against the terms of service to trade that for real money. And that kind of frustrates me. It's kind of like... When you go to an arcade and they make you buy tokens to play the video games there. Video games can operate just fine on quarters. There's no need to invent a whole new currency just to play them. And the currency can only be bought, never sold.
And it stinks when I come home from an arcade and there are a few extra tokens in my pocket. These things are worthless except for one place in the entire world. So Axie Infinity was built directly on the Ethereum cryptocurrency, utilizing smart contracts. but they soon hit a problem. When you play video games, you want it to be fast.
Ethereum transactions were slow, sometimes taking a few minutes to complete, and the fees on Ethereum were high, like often costing $30 in fees just to buy an Axie from another player. So to fix that, Sky Mavis, the creators of Axie Infinity, created a side chain of Ethereum called the Ronin network.
This side chain was very compatible with Ethereum, so players could move their money in and out between the Ronin network and the Ethereum network easily. And that mechanism of moving money between the two, they named that the Ronin bridge. The Ronin network was much faster and had very low fees, like less than a cent, making it much more ideal for a video game to be played on this blockchain.
But for this Ronin network to operate, there needed to be nodes and validators. Sky Mavis didn't want to be the only one controlling those nodes and validators, because if they were, they could theoretically control the whole network. I guess if you have a majority control of the validators, you could manipulate the system if you wanted.
The idea of a decentralized network is that nobody should ever have a majority of the validators so that it can't be manipulated. So they made sure to have people outside their control also running nodes and validators.
You can play on a browser. I think most people playing on a phone. It got so popular there were reports in the Philippines of people giving up their jobs just to play this game full time. Now, of course, as soon as that happens and hits the headlines, you get this rush of people who all think, oh, I'll do that. And of course, it became a pile on.
People just went for this game, particularly in Southeast Asia.
So there's this very valuable company with millions and maybe billions of dollars worth of cryptocurrency assets running through it, swapping around, moving fast, moving a lot. This will attract somebody who wants to steal that money.
Inevitably, as soon as you start to make scads of money as a video game, somebody tries to hack you. And that's exactly what happened with Axie Infinity.
A lot of scammers and thieves flocked to this game, trying to steal things from other players. Some players' crypto wallets were loaded with tens of thousands of dollars of Axie Infinity assets, and scammers were trying hard to steal stuff from players' wallets.
One common tactic is to get an Axie Infinity player to connect their crypto wallet to the scammer's website, maybe by saying something like, oh, we're giving away a free rare Axie. With some cleverly crafted message, they can trick a person into giving them access into their wallet. which then the thief can drain everything from it.
Hundreds, if not thousands, of Axie Infinity players were victim to this type of attack. And I should say that even though attacks on players and cryptocurrency-based games is very common, it's not unique to only crypto-based games.
I remember when I was playing World of Warcraft a long time ago, someone somehow got into my account and transferred all the gold and removable items from my character into whatever account they had. I got digitally robbed in World of Warcraft.
And if you hang out in the Counter-Strike forums or Roblox forums or Fortnite forums, you see people begging for help every day, saying their account got hacked or their stuff got stolen. There's a lot of money in stealing video game assets. It's crazy.
Ideally, what you want to do is you want to go to the source of all the money, the fount of all the money, which, you know, Sky Mavis has sort of serviced themselves. And so the hackers targeted one of the engineering team and...
carried out a very very elaborate or at least in my opinion very elaborate social engineering exercise on this person offered them a job now that's not an uncommon thing for you know crypto developers to get game developers get poached all the time and so they said look great job for you really big salary you know are you interested in talking to us and this employee said yes started receiving details of the job did apparently a couple of rounds of interviews for the job
which I presume was webcams off, but, you know, was interviewed by people for a job that seemed to exist. Of course, none of this was true. There was no job. This employee of Sky Mavis was being targeted by hackers who were trying to maneuver them to the point where they would effectively download malware.
So we don't know how they made contact. My first thought was Discord. A ton of scammers are on Discord trying desperately to hack into people's accounts. But in this case, I'm willing to bet the initial contact was made on LinkedIn. It's kind of easy to find developers for Axie Infinity on there to begin with. Then it's only a few clicks away before you can message one of them.
And it sounds like they messaged a developer offering them a job. So if that's the case, it's not so hard to create a fake persona on LinkedIn to look like you work for some prestigious company.
making the whole story more believable i mean who gets job offers on discord anyway you know linkedin is the place to go get job offers the other thing you can do if you target someone in this way is you can say to them hey for this job we need to know that you can use this particular piece of software can you download it for us or can you click on this link and go to this private server so you can do this exercise as part of the job application
There's lots of ways with a job application that you can sort of trick someone into doing something they wouldn't necessarily have done. Downloading stuff, clicking on links. So I find that really, I think that was a really sort of smart way of operating. One for people to watch out for. Eventually, malware gets downloaded by this employee of Sky Mavis onto their work device.
Now, full disclosure, I don't think Sky Mavis have revealed how that specifically was done. But You can think of multiple ways whereby you'd be able to convince someone as part of the job application process to download something. There's lots of ways to do that. Effectively, the malware allowed the hackers access to Sky Mavis' computer systems.
And because they targeted an engineer who had what Sky Mavis describes as very deep level access, it wasn't like they hacked somebody in the HR department and had to work their way over to the development environment. They were already in. They'd hit the mother load effectively and were already in at a very deep level inside Sky Mavis.
Yeah, I mean, if you get malware onto a developer's computer and then take control of their computer, then you can assume the role of that developer in that company. You have their access keys, their logins, their privileged access to the network.
With their deep-level access to SkyMaker's systems, the hackers start scoping out how Axie Infinity works and how this money is moving around.
But they were looking for a central wallet like cold storage or something where SkyMavis stores all the keys and has access to millions of dollars in crypto. But they couldn't find that. So the second thing was, with all this money flowing through the system, was there a way to grab it somehow?
And what they realize is what we've covered earlier is there's this internal blockchain within SkyMavis. Axie Infinity, monitoring the transactions between the players. There's the external sort of Ethereum blockchain, which is effectively bringing in money that people are, you know, Ethereum, Ether currency that people are spending into the game and then putting it out.
So there's a conduit through which this is all happening. And that conduit is a thing called the Ronin Bridge. The Ronin Bridge's job is basically, it's to reconcile what's going on in the game with what's going on in this external Ethereum blockchain. Effectively, the Ronin Bridge is nine computers around the world.
And those computers are looking at all the transactions inside and outside and reconciling the two ledgers together. So basically, the hackers realize very, very smartly, that's the pinch point. That's the conduit. That's where the money is going across. If they can control the Ronin Bridge, they can effectively control the flow of money.
And since there's millions and millions of dollars inside Axie Infinity, they can control that money. Now, the thing about this is there were nine computers as part of the bridge. It's effectively nine what they call validators.
And SkyMavis had sort of thought about the possibility of getting hacked to give them credit, and they only controlled four out of those nine, which isn't enough to give you majority control. So you can't just take over SkyMavis, get control of the bridge, and take the money out. The hackers had to find a fifth computer. So they have five out of nine, so they've got majority control.
And this is where things go wrong for Sky Mavis. Sky Mavis had outsourced the other five validator computers to external companies, so they weren't in control of them. So Sky Mavis didn't hold all the cards effectively. But one of the companies it outsourced to gave Sky Mavis a temporary access to its validator. And that temporary access was never revoked.
The hackers somehow managed to realize all of this and thought, aha, we've got four computers validating Sky Mavis. We need a fifth to get majority control. There's the fifth one. We've still got access to it via Sky Mavis. We've got five out of the nine computers. And guess what? We control the bridge. We control the money. And it's time to steal it.
Wow, I think the level of knowledge needed to pull this off is quite remarkable. This is not so simple as opening up a wallet and transferring the funds out. To take over five of the nine nodes of this side chain and to know how to operate them in a way that will allow them to steal money takes a specific skill set. Whoever did this must have had to prepare quite a bit for an attack like this.
It kind of reminds me of that one time my friend went and bought an antique for, I don't know, $1,000 or something. And on his way home, he stopped for lunch somewhere and his car got broken into and the thieves stole the loose change in his cup holder. They looked at that old antique and didn't think it was worth anything and left it.
Whoever was targeting Axie Infinity knew exactly where to look to extract the most amount of value they could from the system. They knew exactly where the value was. And I don't think many of us would know how to work these controlling nodes, even if we could take them over.
But when they took over these nodes, they got immediately to work, setting up an attack which would allow them to transfer as much out of the Ronin network as they could and as fast as they could, directly into the Ethereum wallets that were ready and waiting. They set up everything and using their control of the bridge, deployed a command to transfer the money.
They stole ETH currency and USDC, which at the time was valued at $625 million. $625 million. Yes. I'm trying to think, is there a single...
Is there a single cyber heist that is more than $650 million? I can't think of one.
I'll go further than that. I've been a bit circumspect in the book, but I'm being less circumspect the more I go on. I think it's the biggest theft of all time. And I'm going to add a couple of qualifiers to that because that is a big statement to make. I'm talking about one-off theft. Obviously, ransomware as well, you know, has made billions over time, multiple victims.
I'm talking about one victim, one hit. At the time the theft happened, because obviously there's, you know, the Bitfinex hack, you know, the one that Heather Morgan and Illy Lichtenstein got sentenced for. Well, that was, I mean, that ended up being $3 billion, I think. But at the time of the hack, it was $70 million.
So I'm talking about valuing a crime at the time the crime was committed, one-off crime, one-victim crime. And so I've been doing, you know, you Google and you Google and you try and find these things. And, you know, there's the Isabella Stewart Garden Museum heist is one of them. So that was, I think, 93, was it? They broke into the museum, they stole artworks.
The artworks were valued at 500 million. Now that's often listed as being one of the most, you know, expensive heists of all time. That's only 500 million. So I know I'm out on a limb here, but I do think it's a serious, if it's not the number one, it's a very serious contender for biggest theft of all time based on one hack, one victim, one crime, one victim valued at the time of the crime.
Some of my listeners might be shaking their heads right now and think, no, Jack, none of this cryptocurrency is real money. This is not the biggest heist of all time. And in fact, a lot of articles which list the biggest heists of all time don't include any cryptocurrency heists. But the thing is, these thieves immediately started exchanging it for traditional money.
So to me, if you can swap it quickly and easily for any currency you want, then yeah, to me, it's real money.
Yeah, it may start off in crypto and you may turn your nose up at that, but it ends up in hard dollars and hard dollars that can be used to fund criminal activity. and some very serious, as we're going to talk about, some very serious criminal activity.
Maybe I should have mentioned this earlier, but the reason I'm talking with Jeff about all this is because he just published a book called Rinsed, which is all about money laundering in the modern world. And I just finished reading it, and it sent me down a wild, twisted tunnel into the world of money laundering.
Now, what we're talking about in this episode is a single chapter of the book, though. The biggest heist of all time, Axie Infinity, is interesting by itself. But the thieves are now faced with a staggeringly huge challenge. How do you cash out $625 million in stolen cryptocurrency?
If you sent it all to an exchange, they might not be able to swap that much, or they might freeze your account, and you could lose it all. So while they immediately started sending some of it to an exchange, that was only a small amount, and they needed a big plan for the bulk of it. We're going to take a quick break here, but stay with us, because after the break, someone's going to prison.
Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help.
But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. The news broke pretty fast. Axie Infinity's Ronin Bridge hacked! $625 million stolen! Lots of people lost a lot of money, including Sky Mavis itself.
But of course, everyone wanted to know, who did this?
Good question. I mean, obviously, it very quickly hit the news that this had happened. And in fairness, Sky Mavis did a sort of rolling blog on what had happened and were filling people in. And of course...
Because it's cryptocurrency and because all cryptocurrency moves across a blockchain, which is almost always publicly available, and particularly when the hackers transferred the money out from Sky Mavis, it was publicly viewable. People start looking at the wallet addresses to which the money is being sent. They start looking at the methodology behind the hack.
And very quickly, the name that pops into the frame is North Korea.
North Korea. So North Korea's military has something called the Reconnaissance General Bureau. In it are believed to be where thousands of hackers are trained and tasked with completing military objectives. This isn't the first time they've been accused of stealing millions of dollars in crypto. And it's estimated that they've stolen over a billion dollars in cryptocurrency now.
I can't think of another country where their government is hacking for financial gain like this.
No, that we know of. It's certainly very rare for nation state hackers to be put on the send for money. Of course, North Korea is in this unique situation. North Korea is unique for a lot of reasons, but... The unique situation that they are under international financial sanctions have been for a very long time, have, it seems, largely run out of money or run out of legitimate sources of money.
And so the accusation is that North Korea's computer hackers are tasked with gaining currency by any means necessary. And that's, from what we know of North Korea, not unusual. Its diplomats historically have been tasked with not just being diplomats, but, you know, can you also make a bit of money on the side, please?
Hmm. But now that I said that out loud, that I don't know of another country that hacks for financial gain, I'm reminded of an episode I did with a CIA agent. It was episode 116 called Mad Dog. In it, a CIA agent told me he tricked a diplomat from another country to give him information on an upcoming trade deal between the U.S. and that country.
He saw what their bottom line was, the lowest amount that they would accept in the trade deal. And he gave this information to the U.S., who in turn used that information to save the U.S. billions of dollars in the trade deal. Is this hacking for financial gain? Social engineering for profit, maybe?
I guess economic security falls under national security, and countries will go to great lengths to keep their economic security going well.
When you steal cryptocurrency, one of the hazards of this is it's inevitably going to be on a blockchain somewhere, and that's almost inevitably going to be public. And so it's almost like you've gone into the bank and stolen a whole bunch of banknotes, but they're all... fluorescent yellow. And people can see in your pocket that you've got these banknotes.
So your key task as a cryptocurrency thief is to launder the money. And that's why I've written a book about money laundering.
Well, hang on a second now. So they have 170,000 Ethereum tokens. They need to turn that into dollars so that they can buy whatever. Why don't they just set up an exchange in North Korea that they can just send it to and be like, all right, done.
That's a very good point. One of the things that people have spoken about is the idea of North Korea sort of setting up a cryptocurrency exchange. I guess the answer to that would probably be, Firstly, there's this idea, I think, with all these thefts that are attributed to North Korea, that North Korea gets the money back to Pyongyang, and that's where its destination is.
Well, there's nothing to buy in Pyongyang. There's no point sending it there. Yes, you could set up a cryptocurrency exchange in Pyongyang, send all the cryptocurrency there, withdraw it in, I think it's still Won is the currency they use, but then you've got North Korean currency in North Korea. What are you going to buy? What was the point of that?
What you want is to ship the money to, I don't know, you want to buy widgets in Frankfurt, ball bearings in Frankfurt. You want to pay somebody off in Brazil. You want to get hold of missile technology secrets in Afghanistan. You want the money mobile. You want it flexible. So you want to be able to move it around. And also, $625 million is a huge quantity of money.
You've got to take it somewhere where there's enough liquidity that somebody will buy that cryptocurrency off you in exchange for cash. Well, fiat money, dollars, pounds, yen, whatever. And so this was the challenge that North Korea was faced with, if indeed it was they behind the hack.
that they were trying to take this money somewhere that could absorb it and turn it around and give it back to them in cold, hard currency.
Okay, so North Korea has $625 million in stolen cryptocurrency, specifically Ethereum and USDC. We should say there's allegations North Korea denies these allegations of being involved in these hacks. Okay, so it's supposedly North Korea. A lot of evidence points to them, but we don't know for certain. I think it was.
Now, the way these cryptocurrencies work is there's no way to recover that money. This is real ownership. As I was saying earlier, there's no central bank that can reverse the transfer or pull the money back out. The money is North Korea's, and there's nothing anyone can do about that ever. Except, North Korea is under strict sanctions, which means it's forbidden to do business with them.
On top of that, it's stolen money, and those wallets were flagged. So exchanges won't simply let them exchange it into cash. What they need is a chop shop. The only reason why I know about chop shops is because of playing Grand Theft Auto.
And when I was playing the game and I stole a car and the police were chasing after me, I could take that car into a chop shop and they'd scratch off the VIN, paint the car a different color and give it a new license plate. Then, when I got back on the road, I could drive right past the police without them knowing it's the same stolen car since it looks entirely different.
But with cryptocurrency, you can't hide very well by just transferring the money into a fresh wallet. There's a big, glaring transfer displayed publicly for anyone to see. Moving it into a new wallet doesn't do anything to hide your tracks. They somehow needed to clean this money so it can't be linked back to the money stolen from Axie Infinity.
By this point, the wallets into which the crypto had been transferred, the stolen money from Axie had been transferred into crypto wallets. And those wallets were flagged as being recipients of crime.
And the law enforcement had acted quite quickly and gone around to the major exchanges, the big legitimate crypto exchanges, and said, hey, if anybody tries to transfer you money from that wallet there, don't take it because it was stolen from Axie. And so they tried, I think, $60 million worth of exchanges, the hackers, at legitimate sort of above the line, above the board exchanges.
And that money all got frozen because, of course, as soon as the exchanges received the money, they went, oh, this is the stolen Axie money. Yeah, we're keeping this. And so the hackers lost tens of millions of the stolen money because they tried to pump it through the legitimate system. And the legitimate system just froze it. So then they needed to find somewhere else.
Where can you go with hundreds of millions of dollars of stolen crypto? And just put it in, no questions asked. And that's what led them to Tornado Cash.
tornado cash i've used tornado cash before let me tell you why okay so i was going for a coffee a while back in my town and i noticed they accepted ethereum cryptocurrency and i was like hot diggity people have been donating ethereum to my podcast i'm gonna use it to buy some coffee So I started to get it going, but I thought, wait a minute, hold on, no way, this is a bad idea.
My donation wallet is public, so anyone can see where I spend my money. And if they see I spent it on coffee in my town, that might expose where I live. I go to extreme lengths to keep my private life and public life separate. So I need a way to move this money into a personal wallet so I can spend it without people able to see where I'm spending it. So what are my options?
I could send it to an exchange and then send it to a fresh wallet. But to use an exchange, I have to give them my personal details like my driver's license and stuff, which seems a bit much just to buy a cup of coffee. Isn't there a simpler system, one that's more privacy focused? Yeah, Tornado Cash. Tornado Cash is great. You send your money to it.
It gets thrown in a pool with a bunch of other people's money, and you get sort of a claim ticket. And at any moment, you can use your claim ticket to get your money back out into a fresh wallet. Essentially, this allows you to transfer your money into a new wallet, but it removes the tracks of where it came from. What's great about it is that it's all automatic.
I was telling you about smart contracts before, where you can add code to the Ethereum blockchain. Money is programmable now. So I can see the Tornado Cash code, verify it looks okay, and then get my wallet to interact with it directly, giving it my money and getting that claim ticket back.
And the way Tornado Cash worked is that they purposely built it so the creators themselves never took control of your money. The only person who would ever have control of your money is you. The smart contract is programmed to handle the money, but the creators built it so that they can't even control the smart contract anymore.
They literally coded all zeros in for who can control it, which means nobody can.
As this story sort of emerged, one of the people who'd used this particular mixer was Vitalik Buterin, who, of course, came up with the Ethereum protocol, I think co-developed it. And he said, look, this is exactly what I did. I wanted to donate to Ukraine. I didn't want to do it publicly. And that is the hazard of using crypto is it is public.
So I used a mixer because I want to preserve my privacy. There are good privacy-preserving reasons to use something like Tornado Cash. And that's, I suspect, the reason Tornado Cash was set up largely was for those privacy-preserving reasons.
Okay, so you might be thinking, hold on, this is just a Bitcoin tumbler, a mixer for money laundering. And there have been lots of them in the past. And weren't they all illegal anyway? Yeah, that's the thing. This one was different, very different. The ones in the past were typically custodial mixers.
meaning someone is actually in possession of your money if someone put a gun to their head they could hand over all your money these kind of mixers are illegal because the person holding the money should know whose money they're holding like if i give you something illegal to hold you could be in just as much trouble for holding it as me
And yeah, a bunch of people were running these mixers and were caught by the police and arrested for running unlicensed money transmitters. And the police were able to shut down those services. The difference here is very important. A custodial mixer is where you give your money to some person to hold for when you want it back.
While a non-custodial mixer, the money is held on the blockchain, not in anyone's possession. Kind of like if you just stashed your money in a locker somewhere, and then you gave the key to someone else and they got it out. The place that owned those lockers had no idea what you put in there, so they can't be held liable for whatever was in there. Kind of like a dead drop.
Now, I imagine the makers of Tornado Cash saw that custodial mixers had been shut down and arrested in the past. And they probably knew full well that a service like this might be abused by people. So Tornado Cash developers were like, we have to be absolutely certain that we're never in possession of anyone's money ever. We can never have custody since those kind of mixers are illegal.
So it's only with the invention of smart contracts that they were able to make a service like this. that they could be completely hands-off, a service that nobody was operating or running. It was headless. And the developers could never touch anyone's money, even if they wanted. It was coded that way. In no way, shape, or form are they ever in possession of anyone's money.
And they went to great lengths to prove that. Not only that, they wanted this thing to be extremely resilient and impossible to be taken down, as they felt that privacy tools like this were very important to people. Also, a lot of these mixers in the past were tailored for criminals. So Alphabay, for example, was a darknet marketplace where people could buy and sell illegal items.
Well, the site had its own crypto mixer specifically designed to help you hide your illegal purchases. And in the world of cybercrime, intention matters. If you are building something specifically for criminals to conduct crimes with, that's racketeering, and you could get RICO charges against you. But the developers of Tornado Cash held on strong that this was a privacy tool.
That was their point. And to make that clear, they didn't hide in the shadows of the dark net. They were open about their service and made it easily accessible. I mean, they even had a Twitter account and a normal website, which all clearly said, this is a way to have private transactions on Ethereum.
So as you can see, as a person who values my own privacy, I found this tool to be helpful and important. Decentralization is very fascinating to me too. My website, darknightdiaries.com, is hosted on a single server somewhere. But Tornado Cash was kept up by hundreds of thousands of people running Ethereum validators. And there's something amazing and beautiful about that.
We can put something on the blockchain and you know it'll permanently be there as long as Ethereum exists.
You've understood exactly, that's precisely what it is. At least that's what the claim was from inside Tornado Cash. As we'll talk about later on, others have cast a lot of doubt on that. But certainly that was the claim. Look, Tornado Cash is this headless organization. And once you use it, you're effectively using an automated machine.
It's like going up to a vending machine, sticking your money in, getting the can out. And the vending machine has been forgotten by whichever company was meant to own it. It just runs on its own.
Well, clearly, I wasn't the only one to use Tornado Cash. The people who stole the $600 million from Axie Infinity also noticed Tornado Cash and sent hundreds of millions of dollars to it.
Now, this has obviously presented a lot of problems for particularly the United States government because they can see that money's gone from the stolen, the money's gone from Axie Infinity, been stolen, sent to Tornado Cash. They believe it's North Korea behind this. But, like, who do you prosecute? There's nobody behind Tornado Cash at this time. That's what they thought.
So it's like, what do we sort of do about this? So they did the next best thing, the U.S. government. They put Tornado Cash under sanctions. And Basie said, look, this mixer, this Tornado Cash mixer is working for the North Koreans, we believe, we claim.
And therefore, anybody who interacts with this mixer and sends money to it or receives money from anybody who interacts, who's in the US, people, organizations, doesn't matter, they are breaching sanctions as well. We can't shut Tornado Cash down, but we can freeze it out by saying, you cannot interact with anybody in the US anymore.
And anybody in the US who interacts with Tornado Cash, you've committed an offense and we can come after you.
Sanctions? What? The privacy tool I use got sanctioned? Hold on, hold on. This does not feel right. Okay, I need some names. Who created Tornado Cash?
Yes, three people, it seems, created it. They are Andrei Pertsev, Roman Storm, and Roman Seminov. They worked for a company called PeperSec. And I think it's, as we'll get into, there's some legal proceedings around this that we have to be quite careful about. But I think it's fairly uncontroversial that they set up PeperSec and they created Tornado Cash.
But the key thing is they created it, they say, to preserve privacy. And having created it, they got to a certain stage and said, okay, we now burn our passwords to this. We step back. We have nothing more to do with this. It's running on its own, the Tornado Cash DAO.
Oh, it was a DAO. Of course. DAOs are fascinating. What I'm saying is an acronym, D-A-O, DAO, and it stands for Decentralized Autonomous Organization. And this is a perfect example of one. The internet has changed everything about our lives. You know that already. Every day I get online and I chat with loads of people from all around the world and I visit websites from other countries.
And it never feels like I'm traveling far away to another country to interact with them. It's just right here on the screen in my bedroom, just milliseconds away. The internet has connected us in a way where national borders just don't seem to exist anymore. So if you were to start an online business,
that exists only online, and there's like no physical product or reason to have a home base, and maybe you start it with two other people, like one person is from Europe, another is from Asia, and the third is from the US. What country do you establish your business in? Forget it. Why not just make it an online company, not part of any nation at all? Is that possible?
I mean, traditionally, you needed to make a company like an LLC or something in order to get a business bank account to do business with the world. But since this service is all cryptocurrency-based, you don't need a bank. And autonomous means the company can continue to operate without anyone controlling it. Tornado Cash was one of these DAOs. It was decentralized and autonomous.
It existed only online and was capable of operating all by itself. This is another new thing in the world that didn't exist 10 years ago. These DAOs exist online only. It's a business that isn't seated in any specific country. Why should it be? If people are getting paid from a DAO, then those people can just report their income on their taxes and say they're contractors for that organization.
So the U.S. federal authorities were mad that hundreds of millions of dollars were stolen and then sent through Tornado Cash. They wanted to seize the funds and shut down the service. But like I said, Tornado Cash was built in a way that it was impossible to turn off, and they never had control of the funds ever. So the only tool the U.S. authorities had to try to stop it was to sanction it.
which I don't even think you can sanction an app, a piece of code. I mean, it's still there on GitHub for anyone to see right now. So if it's illegal, why is it on GitHub? And code is just words and symbols. So in essence here, they've sanctioned a bunch of words that in a certain combination has meaning. So can you even sanction a page with words on it?
Isn't there like a free speech violation in here somewhere? But not only did they sanction the code, they decided to arrest the people who started it. But what was their intention for starting Tornado Cash? Because as I said earlier, in the world of cybercrime, intention matters. It really does.
And, well, there's two sides to this. You can go on the back of what they said and what their defenders say, which is this was a privacy-preserving tool. The intention was never to enable money laundering. However, the counter-argument from the authorities, which they're making very strongly and in court, is it doesn't matter.
If you're going to run a money-transmitting business that's dealing with, as Tornado Cash was, hundreds of millions of dollars, you are obliged to think about money laundering. You can't just naively set the thing up and hope no criminals are going to use it. That's not how it works, buddy, you know. You have to obey money laundering laws. So we've got arguments on both sides.
We've got arguments the intention was never there. We've got the argument on the other side saying it doesn't matter. You're on the hook for this if you set up these businesses. As you can tell, I'm being diplomatic about this. A, because there's legal procedures about it. B, also because I hear both sides. I do genuinely hear both sides. And that's the thing. It's a fascinating debate.
That's why it's a fascinating story.
Mmm, the police are saying intention doesn't matter here. The act of creating open source code and putting it on the blockchain to help make your financial transactions private was illegal because someone misused their tool. And I want to point out here that the U.S. government isn't clear on whether cryptocurrency is even money or not.
The Commodity Futures Trading Commission, the CFTC, classifies it as a commodity. The SEC classifies it as a security. The IRS classifies it as property. And FinCEN, the Financial Crimes Enforcement Network, classifies it as money, which is what requires people to follow the anti-money laundering laws. The government has made all this so confusing. I hate being in this position.
I don't want to take the side of criminals who stole this money. But because I want to live in a world where financial privacy exists... I feel like sanctioning privacy tools hurts me. Yes, but the cost of that.
If you do 100% privacy, you have to protect people you don't like as well. It's a fascinating debate. This is why it goes round and round in my head in the same way it sounds like it's going in yours as well.
Because the money-transmitting rules they were supposed to follow was KYC, which stands for Know Your Customer. For them to operate this legally, they would have had to ask everyone who uses the service for their real name, identity, upload your driver's license, tell them your address. And when you do all that, now it's not so private anymore.
Well, now creators have to maintain a database and a whole backend full of people's personal information. I don't want my personal information in a database somewhere just so I can privately buy a cup of coffee. The best privacy tools are the ones who know nothing about who I am. When the financial system becomes a surveillance system, we start having big problems. Look at China, for example.
They have this social credit system where if you do things the government doesn't like, they can restrict what you buy. They can also see everything you buy and make judgments about your character based on it, restricting other areas of your life or even targeting you as a problem citizen. A government that is watching your every purchase is not encouraging of a free society.
I mean, let's look at some legitimate use cases for why you'd want to use Tornado Cash to hide your transactions. You heard me say that I like to have this buffer between my public life and my private life. The internet is a big, old, dangerous place. And if you don't believe me, listen to the previous 146 episodes of this podcast.
It's important that we secure our stuff and take our privacy seriously. Also, imagine going to buy something from someone, and as soon as you give them the money, they can look to see how much money is in your bank account and all your previous purchases. This is how Ethereum works by default, so we need a way to shield our purchases from the rest of our transaction history.
You heard how Vitalik, the creator of Ethereum, wanted to donate to Ukraine but wanted to do so privately without anyone knowing. There's another reason. He's a public figure. He wants to keep his political activities to himself.
There are nonprofits that I know of who go to great lengths to keep their donors private because donors don't want the public to know what causes they're giving towards and don't want any extra solicitation from people asking them for more money. But I keep thinking about stories of people living in oppressive regimes, China, Russia, Iran.
If you live there and speak up against the government, you could easily go to jail. And these governments want strict control over their citizens, so monitoring financial transactions is crucial to keeping a strong grip on them. So dissenters and activists in these countries absolutely need a way to send and receive money in a private way.
To support their cause and educate people in the atrocities of their own government. Their life depends on private financial transactions. Churches and charities don't care if you deliver them a big bag of cash as an anonymous donor. And that's none of anyone's business if I want to donate anonymously. I want the same thing for digital transactions.
I think taking down privacy tools like Tornado Cash hurts regular people.
Which was exactly the basis on which the crypto campaigners sued the United States Treasury and Janet Yellen individually after the sanctioning of Tornado Cash. This decision to sanction Tornado Cash went down very, very badly with large swathes of the crypto community, has to be said, for exactly the reasons you've outlined.
One of the key arguments and a fascinating argument is, to what extent are you responsible for the downstream effects of code that you create and make available? The people who saw this decision by the US Treasury to sanction Tornado Cash said, well, you can't sanction code. You can sanction the person who misuses the code. You don't
if somebody gets stabbed, you don't prosecute the person who made the knife, you prosecute the person who did the stabbing. And so that was the argument on which the US Treasury, one of the arguments on which the US Treasury was being sued. The other line of argument was that code, as you said, is freedom of speech, and freedom of speech is constitutionally protected.
Those cases, by the way, that the attempts to sue the Treasury over its decision on Tornado Cash got rejected, have not done well, but are being appealed as far as I'm aware at the moment. So they lost in the first at least one round, maybe two rounds, but they're continuing that campaign because they argue exactly the same as you're saying, which is This is code. You don't prosecute code.
Because if you do, you dampen freedom of speech. You stop people inventing code. There's a chilling effect. That's the risk here. And that argument is still playing out in the courts.
I want to just take a step back here and note that this story wasn't possible like 10 years ago. This is such a novel new world we're in. Money used to only be physical, but with credit cards, it's turned virtual. And with everything being online today, we need digital money. Money used to be controlled by governments, but now with cryptocurrency, it's controlled by the people.
And it's like we're in the middle of a major revolution here. Money is power, and the governments are losing their power as cryptocurrency becomes more widespread, so of course they'd want to put up a fight against it. And now with smart contracts and DAOs, businesses can be fully autonomous and always online?
How crazy is that, that a company can exist and make money and act as an online service and it doesn't need to be maintained or controlled by anyone? This is an entirely new kind of problem for the U.S. government to deal with, and they don't really have a good way to combat against it other than sanctioning the code. If you aren't familiar with how sanctions work, it means the U.S.
Department of the Treasury's Office of Foreign Assets Control, which is OFAC, has declared that you are forbidden to interact with Tornado Cash. If you do, you might get arrested. But it also means your money may become frozen if you send it to an exchange. I mean, typically, when I buy things or go online, I don't ever think about whether or not I'm violating sanctions.
Like, for instance, if North Korea is sanctioned, I don't expect North Korean-made goods to be in my supermarket where I could buy them and break sanction codes or something. I assume the shop owner knows not to buy sanctioned items to try to sell them to me. So it's completely off my radar. But here's a situation which I think is the first time ever that an online application is sanctioned
This is unprecedented. And so now, I don't know how to navigate this world. Am I supposed to check the sanctions list every time I go online, visit a website, buy something, use an online service? This breaks my brain.
You are clearly not the only person who feels this, because in the wake of the U.S. government sanctioning Tornado Cash... Somebody clearly felt even more, felt very concerned by this and very put out by it and thought the whole thing was ridiculous, this idea of sanctioning. And so they set up a stunt, which is another bizarre wrinkle to this story and an intriguing one.
So the thing about Tornado Cash is, even though the US government sanctioned it, it's still up and running. You can still use its code on the internet. The website went down, but that doesn't matter because the protocol, you can still send money to the protocol effectively and it will do what it's programmed to do and effectively mix the money and anonymize the money.
So the thing about that is, if I know, Jack, your Ethereum wallet address, I can use Tornado Cash to send you money and there's nothing you can do about it. It just gets sent to you automatically. So someone somewhere, we still know who did this, and I'm waiting for the day actually, Jack, when they turn up on your podcast.
Somebody took $50,000 and started randomly sending it in tiny bits, tiny, tiny amounts to anybody who was famous who had an Ethereum wallet, including Jimmy Fallon, the comedian Jimmy Fallon, Shaquille O'Neal, basketball star Shaquille O'Neal. they started receiving. And of course, it shows up on the blockchain.
You can't hide it because you see Shaquille O'Neal's address and you can see it's received money from Tornado Cash. That's all logged. And so technically, technically, I guess you could argue Jimmy Fallon and Shaquille O'Neal have breached sanctions or sanctions dodging. And I guess you've could say they should be prosecuted for that.
But the whole point of this exercise was to show how ridiculous it was that anybody, even famous people who've done clearly nothing wrong, can then, as a result of this sanctioning of Tornado Cash, get implicated in sanctions busting. The idea was just to illuminate how ridiculous this was. And so I don't know what Jimmy Fallon and Shaquille O'Neal have done about that, but it's tricky.
It was a fascinating sort of stunt that emerged as part of this.
So North Korea sent about $450 million worth of crypto to Tornado Cash to try to mix it.
There's cryptocurrency tracing companies who claim they left it in for about four weeks and then extricated it. What we don't know, of course, is who it went to thereafter. So you can, with mixers, I mean, particularly when you're mixing a huge amount like $450 million, There are companies that track crypto.
One of the things they do with mixes is they look at the amount going in, the amount going out. Now, you can't link, you know, this cryptocurrency payment is linked to that one going out. But you can see the volume and you can see the amounts going in, the amounts going out. And so I think that's what they've done is they've looked and gone, look, 450 million goes in.
We can look at the outflows and sure enough, four weeks later, you know, 450 million comes out to put it in very simple terms. And so that money is now somewhere in cryptocurrency wallets. The other interesting thing is, well, then who do you take that to, to cash out? You've got to say to somebody, right, you know, here's, here's $450 million, which came from Tornado Cash, don't know where else.
Could you transfer that and change it into pounds or dollars or yuan or whatever to There are people out there who'll do that, no questions asked, that they'll take a big cut. But doing that to $450 million, you've got to have some brokers that have got some serious, serious liquidity on their hands to be able to change that.
So the theory, I think, from some people is that there's a bit of a glut now of stolen money that the North Koreans are accused of stealing, that they're trying to cash out, but they can't cash out quickly enough. There's nobody can, you know, who can buy it off them for the $450 million or whatever they need. So that's where that's ended up, all that money.
I guess a chop shop wouldn't even work here because it's more like you stole a giant bus and no matter what color you change it, you're going to look like a giant bus coming out the other side.
Yeah, exactly. So ideally you want a chop shop that can convert your big yellow bus into a bunch of tiny little smart cars or whatever. Just going back as well, this idea that Tornado Cash was sort of leaderless is now being thoroughly challenged in the courts.
The first thing that happened was a guy called Andrei Pertsev was arrested in Holland and accused by the Dutch government of running Tornado Cash. Roman Semenov is also indicted by the US government. He's believed to be in the Russian Federation, so hasn't faced trial. I've tried to contact Roman Semenov, hadn't heard back from him.
Subsequently, after the sanctioning of Tornado Cash, the US government charged Roman Storm, who's in the US and is, I think, currently being tried and is in prison. Again, fascinating trial. The same arguments are coming up in his trial as we've talked about, you know, people saying, look, he did not run this. He was trying to preserve privacy. That's why he set it up.
Now, going against the idea that these guys didn't run, inverted commas, Tornado Cash, is a slightly inconvenient fact, which is that, according to the US government, they owned a lot of the voting tokens and crypto tokens inside Tornado Cash. So the way this works is... you know, Tornado Cash is leaderless. It's done by vote. Any changes to Tornado Cash get done by vote using tokens.
I think part of the US government's argument is, well, hang on, a lot of those tokens were in the hands of these three individuals. So they may say they didn't have control, but actually we think they did. Also, they say that they were still making money out of Tornado Cash. And so all this leads to trying to knock down this argument the defendants have, which is that, oh, we didn't run it.
The U.S. government is saying, no, you did run it, and here's the evidence why.
So the guys who started Tornado Cash, two have been arrested, and in May of this year, the first verdict came in. Alexey Pertsev was tried in the Netherlands, and the judge found him guilty and sentenced him to five years and four months in prison. The cops took his Porsche and 1.9 million euros in cryptocurrency.
The press statement from the Netherlands government says, quote, tornado cash is not a legitimate tool that has unintentionally been abused by criminals, end quote. Not a legitimate tool. In fact, the judge said specifically he could not find any legitimate use for this tool, as if privacy itself is a crime.
What's fascinating about this, it sort of starts with a hack on a video game to do with salamanders, and it ends up in this kind of epic battle royale over freedom of speech and privacy. And yeah, I find it really, really fascinating. It's almost like the kaleidoscopic story. You look into it, it's got everything in it.
Yeah, we've gone all over the road here, haven't we? How are you going to edit this one down? I do not envy you that task. Another way to look at this is that the feds are saying that the developers of the tool are responsible for how users use it. And that's a bit crazy, if you ask me. It's like saying a lighter company is responsible anytime someone uses their lighter to commit arson.
Or a drone maker is responsible anytime someone uses their drone illegally, like spying on people, flying in the wrong airspace, or dropping a bomb on someone. Or it's like saying a VPN provider gets arrested, shut down, sanctioned because some of their users went online and did something illegal. Or my goodness, is an encrypted messaging app responsible for people doing criminal activities on it?
I mean, we know criminals use iPhones. Apple knows criminals use their phones. In all these cases, the tech itself is neutral and it's up to the user to use it responsibly. Governments have never faced anything like this before and they simply have no precedent to act on here and in my opinion are just drawing really fuzzy lines arbitrarily.
They can't even come to a consensus on whether cryptocurrency is money or not.
The worst example you could possibly think of, maybe with the exception of child sexual abuse, one of the worst examples you could think of would be a country using this kind of technology to get nukes. I was like, oh, yes, we've got that. So it's almost like your privacy-defending hat, your privacy-defending head is being put to the most extreme test. It's like, you want privacy? Right.
What about North Korean nukes? It's almost like that's immediately what's happened. You know when you're arguing with somebody and they just go to the most extreme example of comparing you to Hitler or whatever? It's like that's happened. Now it's North Korea. What are you going to say now? It's, yeah, fascinating. Genuinely fascinating.
Okay. I don't buy that argument. Why? Because all this happened and they didn't catch the real criminals here. In fact, I think even if they implemented KYC, North Korea would just have used like some fake ID and it wouldn't have helped catch them or slow them down at all. North Koreans are still on the loose with their fresh and clean $400 million. And they're the real criminals here.
Go after them. It's crazy that this story starts with someone stealing hundreds of millions of dollars and the people who end up in prison are the privacy advocates. And as I'm researching all this, I had to refresh exactly what does money laundering mean?
The act of money laundering is to hide the cash you have that was involved in some illegal activity, stolen money or drug money or something like that. Me trying to hide my transactions isn't a crime. It's only a crime if I'm trying to hide criminal activity.
And by the way, Tornado Cash, despite being sanctioned, is still up and running because that's how it was designed, fully autonomous and decentralized. In fact, there's YouTube videos out there that explain how to still use Tornado Cash despite it being sanctioned, basically showing you how to get around sanctions. I mean, videos like that surely should be illegal, right?
And it just makes me wonder if these sanctions have any teeth at all. If you ever hear of anyone who gets arrested for violating the tornado cash sanction, please tell me. I would love to know. Because what's the point of all this if the government isn't going to enforce the sanction at all? Because it almost feels like the government is powerless here.
It has no ability to stop or control cryptocurrency or from people using apps like this. This is what permissionless money is like. And I don't see any evidence that the government is even trying to enforce sanctions. The sanctioned code is still there on GitHub. YouTube happily hosts videos on how to avoid sanctions and still use tornado cash. What is happening here?
Just a month ago, the SEC approved the Ethereum ETF. This means you can buy this stock on the regular stock exchange and they'll buy ETH for you. It's a way to invest in Ethereum without actually holding Ethereum. So there's this wallet out there which holds all the ETH from this ETF. Well, guess what?
As soon as the internet figured out which wallet is holding the money for the ETF, someone sent a whole ETH token worth over $3,000 through Tornado Cash and then to the ETF wallet, which in my opinion means the wallet is now violating sanctions and can no longer buy or sell on an exchange. They did it to protest these sanctions, to show that there's absolutely no way to enforce this.
And I guess this means Tornado Cash won. There's no way to stop it or to stop people from using it. And so today, there's still millions of dollars flowing through Tornado Cash.
It's gone down. Don't get me wrong, the amount it's processing has gone down. And therefore, it makes a less efficient mixer. You want your mixer to have lots of liquidity, lots of volume going through. The less it's used, the less efficient of a mixer it's going to be. However, it is now a criminal mixer. And so, you know, it's a sanctioned mixer, according to the US government.
And so anybody who uses it is going to be a crook. What that means, of course, is... if you use Tornado Cash, you're going to really struggle to send the money onwards. Because whoever sees money coming at them from Tornado Cash is going to go, no way I'm going to accept that.
Unless it's somebody who doesn't care about dealing with sanctioned entities, in which case, you know, you're in a sort of slightly murky world.
It is a very murky world. Because let's say, hey, I'm selling something online and someone's like, I'll buy it. And they send me the cryptocurrency that's been mixed through Tornado Cash. Am I supposed to say, oh, wait a minute, before you send me the money, let me analyze your wallet to make sure it doesn't have any sanctioned crypto in it? This is bonkers.
This is like running the serial number on every dollar bill you ever get to see if it's ever been used by someone who's been sanctioned in the past. That would be a nightmare to have to do. Yet that's what I feel like we have to do from now on. Yeah, so suddenly I'm wondering why the U.S. is even involved, right? So it's
Axie Infinity is based in Philippines, so I could see the Philippine police being upset. Vietnam. Oh, Vietnam. Okay, so I could see the Vietnamese being like, all right, we've got to sanction this because we don't have any other way, right? And then you've got the creators of Tornado Cash. They're not U.S.-based, are they?
Yeah. Yes, Roman Storm is based in the U.S., but actually at the point where they sanctioned it, I don't think that had been confirmed. And look, with sanctioning, sanctioning is a really interesting power in that basically any time money transfers across the U.S., the U.S. can exert control in terms of sanctions. So it's extremely difficult to avoid if the U.S.
government wants to go after you on sanctions. You know, it's extremely difficult to avoid that. The U.S. government's argument is that there would be U.S. users using this service... money transactions would have gone across the U.S. territory. Also, as far as I'm aware, the sanctions dodging accusations that the U.S. puts at the foot of North Korea gives the U.S.
government huge scope to go after it around the world. Wherever North Korea tries to dodge sanctions, it seems the U.S. government can go with its sanctions legislation. It seems odd, but in a way, it doesn't surprise me at one jot that the U.S. has managed to try and do this.
Right. I don't know if there's the word trad cry, but traditional crime is based with people in countries, and those countries can deal with that or whatever. And here we have a new kind of crime, which is there is no boundary. There is no country. There is no head of some company. There is no person controlling the code. I don't even know if it is a crime. We haven't even established that.
There's laws that are established to avoid money laundering that may have been... What's going on? It's another person in another country that did it, right?
But this is why sanctions are such a useful weapon and why the U.S. is resorting to them more and more. We've had Bitcoin fog. There was a prosecution in that case recently, another crypto mixer. This is why the U.S. government is using them. We can't nick these people. We can't lock them up and put them in handcuffs most of the time. We can use financial, frankly, financial warfare
This is what we do now. Financial warfare? We can't police the code. We can't police the people. But it's all about money. So we are just going to use that sanctions power, which is a really big, broad power to use. As soon as I started seeing this and I started realizing what was going on, I said, oh, that makes perfect sense. You know, you've got so few weapons to bring to the battle.
But you've got this weapon and it's really good and you can use it wherever.
It makes perfect sense. And you know, as I was researching this episode, I saw more stories like this. Another privacy service just like this called Samurai Wallet was also shut down by the U.S. federal authorities and the people who started it were arrested.
This was a coin join on the Bitcoin network, which isn't the same as the smart contract system, but it is autonomous system and it's non-custodial. And it was also open source. And here you have people who have contributed to an open source project who are getting arrested because the feds are accusing them of running an illegal money transmitting service.
And as my eyes become tuned into this, I'm seeing more and more stories like this. The Phoenix Wallet decided to remove themselves from the App Store, not saying a reason why. Ibex Pay is shutting themselves down, not saying why either. MetaMask received an enforcement action letter from the SEC, and they're countersuing the SEC over that. Something big is going on here.
Privacy advocates have fought the government in the past before and won. The story of Phil Zimmerman comes to mind. Phil created a fantastic encryption program called PGP, which allowed you to send an email to someone encrypted, so only you and the receiver could see what was in it. Yeah, well, the U.S. government hated this kind of encryption that gave us privacy. Encryption?
That's only for the military. How dare civilians try to use it? So they classified PGP as ammunition, and they called it a regulated arm, as if it was a weapon, which allowed them to say, look, Phil, unless you get an arms export control license, you can't go distributing encryption code online. Because, you know, what happens if criminals use it? They could hide their communications.
Nobody wants that, right? The FBI began investigating Phil. Well, the privacy community was outraged that the government was restricting us from encrypting our own messages. And they started being vocal about how important privacy was. Someone suggested to Phil that he should publish the PGP code in a book. And Phil's like, what? Why? It's a program. It's code. Just download it online.
Jeez, if I were to put it in a book, it would take 800 pages to print it. But the thing was, books weren't considered regulated munition. Books were protected under free speech law. So if he were to publish the source code in a book, that would give him protections that what he's written is just words and not in fact a regulated arm. So he published it in a book and it was 800 pages of code.
Well, enough people voiced their support for encryption and privacy that the government finally gave in and let Phil off the hook and even took encryption off the regulated arms list. It was a big victory for our privacy. And thank goodness, because encryption is inherent in everything we do online now.
Even what you're hearing right now, this podcast was delivered to you encrypted so that anyone who intercepted the packets along the way wouldn't know what you're listening to. It would have been illegal for me to use encryption on this podcast in the 90s without an export license. I did a whole episode on this, actually. That's episode 12, called Crypto Wars.
What Phil showed us is that code can be printed in a book, and if it's printable like that, it's protected under free speech. And so once again, it's unprecedented that the government would put a sanction on code, which has always been free speech. Until now. Until now.
No, the crypto space is so complex that if I sent it to your wallet and you sent it to my mom's wallet and she sent it to my wallet and then I sent it to the exchange, is the exchange going to know that still came from Tornado Cash?
Very good question. And that comes down to how much liability the exchange has. So in the situation you described there, that's what, four hops? Yes. I think, given that cryptocurrency tracing is fairly well developed, I think the authorities would say, well, hang on, you should still have known it came from that.
But if you're talking about 100 hops or 1,000 hops, maybe that's enough hops that the authorities say, well, yes, you had no way of knowing this back in the day.
Okay. Transfer it to Polygon and then back to ETH and now you've got a new wallet and it's, I don't know if that's traceable. There's just a lot of ways to get around that even still.
Now you're thinking like a money launderer, Jack. That's what I hoped we'd get in this conversation. You finally, that's what the book's about.
Yes, the book. Jeff has released a book called Rinsed, which goes into the modern ways criminals are laundering money. It's full of things that make you think about the new future that we're facing. I deviated quite a bit from it here, but what Jeff told us today was a single chapter from the book. So you can imagine how much more you learn from getting this book and diving in.
So go read Rinsed today and let me know what you think of it. And I'll leave you with this very important warning from the FBI, which was issued April 25th, 2024. This is PSA I-042524. The FBI warns Americans to avoid cryptocurrency money transmitting services that do not collect your name, ID, address, and other personal information.
To me, this is akin to the FBI advising against driving on roads without license plate readers or walking on sidewalks without facial recognition cameras. It's like being told not to wear sunglasses on a sunny day or to avoid using curtains in your house. By cautioning us against privacy tools, they aren't just infringing on our rights.
They're asking us to live in a glass house, exposed and vulnerable. This isn't just a warning. It's a push towards a future where privacy is a relic of the past. Is that the world we want to live in? A big thank you goes to Jeff White for sharing this story with us. You can find a link to his book, Rinsed, in the show notes. Go check it out.
This episode was created by me, the firewall fidgeter, Jack Recider. Our editor is the router rigger, Tristan Ledger. Mixing done by Proximity Sound. Intro music by the mysterious Breakmaster Cylinder. I was moving my stuff the other day, and I had to carry my computer down some stairs, but I dropped it. And it tumbled down the stairs, smashing itself to bits all the way down.
At the bottom of the stairs was just a big mess of broken parts. The only thing that was salvageable was a stick of RAM. So at least I have the memory of it. This is Darknet Diaries.