Darknet Diaries - 147: Tornado
Episode Date: July 2, 2024In this episode, Geoff White (https://x.com/geoffwhite247) tells us what happened to Axie Infinity and Tornado cash. It’s a digital heist of epic proportions that changes everything.This st...ory comes from part of Geoff’s book “Rinsed” which goes into the world of money laundering. Get yours here https://amzn.to/3VJs7pb.
Transcript
Discussion (0)
All right, lights red, we're recording.
Hey, Tortoni, you're looking great today.
Still writing, I see.
See, here in my studio, which is just my closet,
I have a picture on the wall made by Edward Manet.
And it's a picture of a fine-looking gentleman sitting at a table writing something down.
I call him Tortoni, but that's not his name.
This picture has captured my imagination and curiosity for countless hours.
I stare into it and I just fall into an abyss.
But the thing about this picture is that it's not the content or even who made it. It's that this picture was stolen from the Isabella Stewart Gardner Museum back in 1990,
and it's never been recovered.
And I don't have the original.
I just have a print of it.
But the thieves didn't just steal this picture.
They took a bunch of others too.
And this was the biggest single heist of all time.
They estimated that the art that was stolen is worth $500 million,
and it still remains unsolved. I'm looking at this picture on my wall right now.
There's a $10 million reward for it, yet mine I just got from my printer for like five cents.
It's always been weird to me how art has just so much value.
Now I just don't see how this picture,
which is not that much bigger than a regular sheet of paper,
is worth more than a mansion.
But that's no longer the biggest heist ever.
Because in 2022, a digital heist happened, which set
a new record high.
These are true stories from the
dark side of the internet.
I'm Jack
Recider.
This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete Me.
Delete Me is a subscription service that finds and removes personal information from hundreds of data brokers' websites
and continuously works to keep it off. Data brokers hate them because Delete.me makes sure
your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring
the internet for my name and gave me reports on what they found. And then they got busy deleting
things. It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off is to go to
joindeleteme.com slash darknetdiaries
and enter code Darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training, that's BlackHillsInfosec.com.
BlackHillsInfosec.com.
Digital assets are fascinating to me.
I'm no economist, but they behave in ways that don't make sense to me. Like, let's take
audiobooks, for example. It takes a lot of work to make the first one, but then infinite copies
can be made at zero cost after that. So I don't know. What happens when supply goes to infinity?
It seems like price would go down to nothing, But it's not the case. Audiobooks
are still $10, $20 each, despite there being an infinite amount of them, which costs nothing to
make more of. That's kind of wild. And you'd think that piracy would have destroyed the market for
digital assets too. With unlimited supply, demand should have gone way down. But no, the demand for
digital goods is at an all-time
high. Top-tier musicians are making more money now than they ever did before. And that's because we
all have mobile devices glued to our hands 24-7, and we're continually thirsty for more digital
content to consume. It almost seems like our whole lives are digital now. Movies, shows, memes, music,
books, even the people we are closest to, shows, memes, music, books.
Even the people we are closest to, we have a digital relationship with them.
But I'm always wondering, of all the digital stuff in our lives, is any of it really ours to own?
Okay, so I think anything that's saved on your computer and you can use it offline,
I'll say that's yours and you own that.
Photos that are saved on your phone, that's yours.
Music saved in MP3 form, that's yours too.
You own that.
But the line is often blurry between what's on our devices
versus what's on the Internet.
Like, if you have an Android phone,
it tries to get you to back up your photos to Google Drive.
And it's not always clear if your photo is on your phone or on Google's servers. If it's just on Google's surfers,
then you don't really own it, do you? Since they have complete and full control of your photos.
What about audiobooks? Let's look at those for a minute. Most audiobooks I listen to, I can
actually borrow from the library.
And there are apps which let you check them out,
and you can listen to it for a few weeks and then return it digitally.
It's great.
But often my library doesn't have the book I want, so I've got to buy it.
And when I buy an audiobook, the biggest marketplace for that is Audible. So I look there.
And what drives me crazy about buying books from Audible is,
well, I don't own that book.
Like, at all.
If I owned it, I should be able to save it locally, give it to a friend, donate it to my library, or resell it to someone else like a used audiobook.
But all that is impossible to do through Audible.
And of course, Audible could cancel your account at any time, and you would lose all of the books that you bought.
So to me, the audiobooks that you buy on Audible are not really yours.
You don't own them at all.
So let's look at some other digital assets.
How about my online accounts, like Twitter or email accounts or online gaming accounts?
Do I own my Twitter username?
No, I don't think so.
Twitter does.
They graciously let me use it.
And at any moment, they could terminate it or rip it out of my hands.
I don't have any actual ownership of it.
I mean, just look at what happened when Twitter changed their name to X.
There was a user on Twitter who had the username X,
and Twitter just ripped it right out of their hands.
And there was nothing that user could do to keep it, because Twitter owns everyone's account.
Yet, it's interesting because even though you can't own a Twitter account,
they are still valuable, and people are buying and selling Twitter accounts all the time.
Let's look at video games now. There are digital assets in video games, right? Like,
imagine you're playing an online game,
and when you level up your character,
you get all kinds of armor and weapons and gold.
That character is yours, right?
Well, I don't think so.
I mean, the game can ban you at any moment, and then what?
Or what about those in-game items like gold and weapons?
It feels like that stuff is yours, but it's not, really.
You can't save it
offline or take it with you to another game. And it's strange because even though you don't own
that stuff in the game, those items still can have real world value. I know I've bought an
in-game weapon before for a hundred bucks. And it's ridiculous because I bought something I
don't actually own.
All right, what about my website, darknetdiaries.com?
Do I have ownership of that?
Well, at first glance, sure.
I purchased the domain and I can do whatever I want on it.
I'm the admin.
I can say what I want and nobody can stop me.
But no, first of all, I didn't purchase the domain.
I'm renting it.
All domains have to be renewed like yearly or every few years.
Registrars control the domains, and you pay them to get it. But then you have to keep paying them to maintain control of it.
Seems like I don't own it if I have to pay someone over and over to keep it mine.
On top of that, governments can go to domain registrars and take over a domain that's
being used for illegal purposes. So yeah, I'd say I don't actually own my domain if someone else can
rip it out of my hands like that, or if it'll expire after a while. But domains on the dark web
are different. I'm talking about on Tor, the dark net. See, on the dark web, domains look awful.
They're like a long string of random letters and
numbers. You'd never be able to memorize it. And then it ends in.onion. So how do you get a domain
on the dark web? Is there a central body like ICANN where you go to register domains with? No,
no, not at all. You create the domain yourself. Yeah, that's right. You generate a private-public
key pair, and that public key is your domain name. So with this system, the person who has
the private key controls that domain. Now, to me, this is true digital ownership, and I love that.
Unless someone comes and steals my key from me,
nobody can ever take my.onion domain from me.
It's never going to expire,
and it can't be seized by the feds.
This is why a lot of people are drawn to the dark web,
to have something on the internet that's truly yours,
and nobody can ever take it away from you.
Another thing that I think gives you true digital ownership is cryptocurrency.
Not all money is like that.
Your bank can refuse your service if they want.
They can cancel your credit card and kick you out of the bank and freeze your money.
I know PayPal has frozen my account before, trapping my money in there.
But because cryptocurrency is built on decentralized blockchains, there's no one
managing it to kick anyone out or freeze an account or take over an account. Everyone and
anyone is welcome at all times, forever. And the best part is you truly own your crypto wallet.
Because to get a cryptocurrency wallet, you just make it yourself by generating a random private key and then using that to derive a public key.
When you do this, only you are the only person who's ever seen that private key.
And whoever has that private key controls that public address or wallet.
There's no admin that can revoke your key or move your money without your permission.
Your key is your key forever and ever.
The blockchain is a fascinating
invention. And whether you love or hate cryptocurrency, the technology behind it is
very interesting. Take the Ethereum blockchain, for example. It popularized something called
smart contracts, which allows people to add code into the blockchain, which means you can program money and even create apps integrated directly
into cryptocurrencies. And this is wild, and it's opening up a whole new future that we never
imagined. For instance, people are making entire video games with these smart contracts where the
whole game lives on the blockchain, which means the in-game currency is actually real cryptocurrency. Not only that,
but the apps you make on the blockchain are truly yours, where nobody can ever seize it from you
or stop you from making it. It's time we step foot into this big, new, wild digital world.
I think the game Axie Infinity represents a fundamental shift in video game development.
I spoke to Jeff White about this game.
Hi, I'm Jeff White. I'm an author and investigative journalist,
and I cover organized crime and technology.
Yeah, so Axie Infinity is not like the games that I used to play when I was a kid,
where they sell you the video game and then you go away and you play it and that's it.
Axie's an online game, as of course lots of them are, and you're playing against other people
online, which of course lots of games are. But the thing that made Axie different and quite radical,
I think, for some people was that everything in the game was basically for sale. It was a whole
marketplace. So the way it worked was you have these Axies, which are based on the Axolotl
Salamander. You have a team of axes three axes
and you you basically wrestle them you fight them against your opponent's team of axes and if you
win you're rewarded with um smooth love potion tokens which you can use to breed your axes
together to to get them to be better fighting machines it's basically a bit like do you remember
those tamagotchi keyring things?
Yeah, I do.
Little digital pet that you can level up and stuff.
Exactly that.
It's like that mixed with WWF wrestling.
So that's the idea, actually.
This game is hugely, hugely popular.
Okay, so I need a team of three of them.
How do I get one of them?
What's the process?
You buy. You have to buy the team. You can't, as far as I get, one. You have to buy a team of three of them. How do I get one of them? What's the process? You buy.
You have to buy the team.
And you can't, as far as I'm aware, get one.
You have to buy a team of three, because three is a magic number.
In order to do this, and this is where it gets interesting
with the sort of cryptocurrency aspect to it.
If you have, I'm assuming it's dollars for you, Jack,
you can swap your dollars into ETH,
the currency on the Ethereum blockchain, the cryptocurrency.
It's a bit like Bitcoin.
Actually, it's number two, I think, to Bitcoin, ETH, I think I might say.
You can then take that Ethereum money and you can put it into, transfer it into Axie Infinity,
and then you can use that in-game currency to buy your Axies, to buy Smooth Love Potion,
you can buy land in the game.
So it's all, the whole game is based on cryptocurrency.
And there's a sort of internal blockchain within the game that tracks who owns, and there's an internal blockchain within the game
that tracks who owns what and who's sold what to whom.
I see. And I like the ownership aspect of this.
You really do digitally own one of these Axies
since it's all on the blockchain.
There's no way for anyone to take your Axies away from you
if you own them, unless they steal your private key.
To me, this is interesting,
because look at the software world right now.
You can't buy Microsoft Word or Adobe Photoshop.
You have to pay a monthly fee in order to use it.
You don't own a lot of the software or games today
if you have to have an internet connection for it to work.
And as the meme goes,
if purchasing isn't ownership, then piracy isn't theft.
Axie Infinity was created by a company called Sky Mavis,
who are headquartered in Vietnam.
I think the company's registered, though, in Singapore.
And this was five guys who'd been part of the sort of eSports scene,
so they'd been around gaming for a very long time.
And the idea of sort of crypto-based video games
wasn't sort of radically new.
I think CryptoKitties predates Axie Infinity from what
I've read of it. But basically what they did was they built this game and released it. And in a
way they locked out because they obviously got the benefits of video game obsession. People became
obsessed with this game and started playing it and battling their Axies together and so on.
They also got the benefit of a sort of cryptocurrency boom, because it was a sort of 2019, 2020. And crypto was starting to rise in value quite steeply at
that point. So people who were into video gaming got into Axie Infinity. But what was really
interesting around the discussion boards around Axie Infinity is you start to see this change
where people are discussing the game, and then they start to discuss crypto investments and
crypto speculation. So suddenly people who are into crypto and the speculative side of it started
to see this game as an opportunity, a money-making opportunity. So you've got this incredible
whirlwind of obsessive gamers and also obsessive cryptocurrency speculators coming in. And this
game just went up and up in value. I think at one point it was valued at $2 billion,
I think I might say.
It's astonishing values.
And the other thing that fed into this was COVID,
it was lockdown.
So during that period,
the game was big in Southeast Asia,
particularly big in Southeast Asia,
because that's where the company was headquartered.
And it absolutely took off,
particularly the Philippines.
I think 40% of the players apparently were in the Philippines.
And during lockdown, a lot of people lost work,
weren't able to go to work,
were looking around for alternative sources of income,
and they started to see that actually
they could potentially play this video game
and make money at it.
So you put all these factors together
and you just get this explosive combination
that just launched Axie Infinity into the stratosphere.
Much to the surprise, I think it's fair to say,
of the guys at Sky Mavis who made it.
I don't think they were expecting it to be such big of a hit.
Now, because the in-game currency was the Ethereum cryptocurrency,
this allowed for a whole in-game marketplace.
You could buy or sell things to other players with cryptocurrency,
just like directly on the blockchain.
Ethereum wasn't just for cryptocurrency, but there like directly on the blockchain. Ethereum wasn't
just for cryptocurrency, but there were items on it now. Axies, for instance. And you could buy one
from another person directly if you wanted, without having to go through any game to do it.
How do people make money? Do you understand the complexities of this? Because if you're
battling someone and you win the battle, do you take money from the other person? No, the way it would work, as I understand it, is your Axies would become
more and more valuable the more fights they won. And you could actually sell them to other people
in the game. So you could say, you know, I've got this team of Axies. Look, they've got a fantastic
track record of killing lots of other Axies. I don't know actually, but the killing was part of
it, but winning the battles. You know, would you like to buy them off me? Also, there's a trade in smooth love potions.
So as you played the game, you got more smooth love potion.
You could sell the smooth love potion to people.
You could buy and sell plots of land on Lunacia,
which is the virtual environment in which the game is played.
So almost everything was for sale.
So the money was being shared around by trading within the game.
Now you might be thinking,
hold on, wait a minute.
This is an awful idea
to bridge real money into a video game.
Well, you're not the only one to think that.
The video game marketplace Steam
has outright banned all crypto-based games from there.
At first glance, you might be thinking,
oh, that's because they don't want people
spending real money on games like that. It can ruin the in-game economy, and it leads to speculative
behavior. And also, isn't it stupid to just buy video game assets like gold and weapons?
But none of those are the reasons why Steam banned crypto-based games.
A very popular game on Steam is CSGO, or I guess it's now called Counter-Strike 2.
Within Steam itself, there's a whole marketplace where you can buy and sell in-game Counter-Strike items from other players for real money.
It's like a giant marketplace on Steam.
Thousands of purchases happen every day.
Yeah, you can show up, type your credit card details in,
and start buying items in the game from other players with real money. Steam has built this
whole system, so clearly they are perfectly fine with people using real money to buy in-game items
or be speculative in the game or mess up the game economy. However, when you sell an item,
you don't get the money from the sale.
They give you Steam credits, which can be used to buy other games on Steam.
But players were like, wait a minute, if I'm selling this to someone who's buying it with their credit card,
why can't I get the money they paid for it?
And Steam's like, we really don't want to give you money.
Game credits are much better for us.
So players were like, well, you know what?
Nobody can stop us from just trading among ourselves.
So player-to-player sales started happening.
But how do you send money digitally?
You can't just give someone your credit card.
It doesn't work that way.
So players started trading using cryptocurrency.
But this became unsafe.
People were sending their money
and not getting anything in the trade.
So websites started popping up saying,
hey, we'll broker the deal for you.
And they started acting like the middleman
and trades for Counter-Strike.
And that went on for a while,
and Steam was like,
all right, here, we'll make an API for the marketplace.
And this allowed secondary marketplaces
to let players buy and sell in-game items with real money.
And not only that, a lot of markets allowed you
to buy and sell items with cryptocurrency.
So while Steam has banned crypto-based games,
you can actually use crypto to buy things in Counter-Strike 2
or sell things and get crypto from it.
And this is all totally allowed by Steam.
Steam could put an end to all this right now if they wanted.
They could make it so players just can't trade with each other anymore.
But they won't because they make far too much money from this whole system.
So why does Steam actually ban crypto-based games?
I think it's because the regulatory landscape is unclear. When you start
accepting cryptocurrency, suddenly you get into these regulations that are very difficult to
figure out. And don't tell me that Steam bans crypto-based games because it keeps out the
trashy scammy type stuff. Well, have you seen the game Banana? As I'm saying this, it is the second
most popular game on Steam, and it's possibly the world's dumbest game.
You just click a banana, and after a while, you might get a banana for doing it,
which can be sold on the marketplace.
And it's making the creator a ton of money,
since people are buying bananas with real money for no reason.
The banana does nothing in the game.
This is 10 times dumber than any NFT game I've ever
seen. And it's not even an NFT game. The fact that Steam allows this is kind of breaking my brain,
honestly. I bet there are a million teenagers today who are very fluent at understanding the
market intricacies of V-Bucks or Robux, the virtual currencies for their favorite games. And the thing about Steam credits or V-Bucks or Robux is you can only buy it.
You can never sell it.
It's against the terms of service to trade that for real money.
And that kind of frustrates me.
It's kind of like when you go to an arcade and they make you buy tokens to play the video games there.
Video games can operate just fine on quarters.
There's no need to invent a whole new currency
just to play them.
And the currency can only be bought, never sold.
And it stinks when I come home from an arcade
and there are a few extra tokens in my pocket.
These things are worthless,
except for one place in the entire world.
So Axie Infinity was built directly
on the Ethereum cryptocurrency,
utilizing smart contracts.
But they soon hit a problem.
When you play video games, you want it to be fast.
Ethereum transactions were slow,
sometimes taking a few minutes to complete,
and the fees on Ethereum were high,
like often costing $30 in fees
just to buy an Axie from another player.
So to fix that, Sky Mavis, the creators of Axie Infinity,
created a sidechain of Ethereum called the Ronin Network.
This sidechain was very compatible with Ethereum,
so players could move their money in and out between the Ronin Network and the Ethereum Network easily.
And that mechanism of moving money between the two, they named that the Ronin Bridge.
The Ronin network was much faster and had very low fees, like less than a cent,
making it much more ideal for a video game to be played on this blockchain.
But for this Ronin network to operate, there needed to be nodes and validators.
Sky Mavis didn't want to be the only one controlling those nodes and validators,
because if they were, they could theoretically control the whole network.
I guess if you have a majority control of the validators,
you could manipulate the system if you wanted.
The idea of a decentralized network is that nobody should ever have
a majority of the validators so that it can't be manipulated.
So they made sure to have people outside their control
also running nodes and validators.
You can play on a browser, I think, most people playing on a phone.
It got so popular there were reports in the Philippines
of people giving up their jobs just to play this game full time.
Now, of course, as soon as that happens and hits the headlines,
you get this rush of people who all think,
oh, I'll do that.
And of course, it became a pile on.
People just went for this game, particularly in Southeast Asia. So there's this very valuable company
with millions and maybe billions of dollars worth of cryptocurrency assets running through it,
swapping around, moving fast, moving a lot. This will attract somebody who wants to steal that money.
Inevitably, as soon as you start to make scads of money as a video game,
somebody tries to hack you.
And that's exactly what happened with Axie Infinity.
A lot of scammers and thieves flocked to this game,
trying to steal things from other players.
Some players' crypto wallets were loaded
with tens of thousands of dollars of Axie Infinity assets, and scammers were trying hard to steal
stuff from players' wallets. One common tactic is to get an Axie Infinity player to connect their
crypto wallet to the scammer's website, maybe by saying something like, oh, we're giving away a
free rare Axie. With some cleverly crafted message, they can trick a person into
giving them access into their wallet, which then the thief can drain everything from it. Hundreds,
if not thousands of Axie Infinity players were victim to this type of attack. And I should say
that even though attacks on players and cryptocurrency-based games is very common,
it's not unique to only crypto-based games. I remember when I was playing World of Warcraft a long time ago,
someone somehow got into my account
and transferred all the gold and removable items from my character
into whatever account they had.
I got digitally robbed in World of Warcraft.
And if you hang out in the Counter-Strike forums
or Roblox forums or Fortnite forums,
you see people begging for help every day saying
their account got hacked or their stuff got stolen there's a lot of money in stealing video game
assets it's crazy ideally what you want to do is want to go to the source of all the money the
fount of all the money which you know is sky mavis's sort of servers themselves and so the
hackers targeted one of the engineering team and carried out a very very elaborate or at
least in my opinion very elaborate social engineering exercise on this person offered
them a job now that's not an uncommon thing for you know crypto developers to get game developers
get poached all the time and so they said a great job for you really big salary you know
are you interested in talking to us and And this employee said yes, started receiving details of the job,
did apparently a couple of rounds of interviews for the job,
which I presume was webcams off, but, you know,
was interviewed by people for a job that seemed to exist.
Of course, none of this was true. There was no job.
This employee of Sky Mavis was being targeted by hackers
who were trying to maneuver them to the point
where they would effectively download malware.
Hmm.
So we don't know how they made contact.
My first thought was Discord.
A ton of scammers were on Discord
trying desperately to hack into people's accounts.
But in this case,
I'm willing to bet the initial contact was made on LinkedIn.
It's kind of easy to find
developers for Axie Infinity on there to begin with. Then it's only a few clicks away before
you can message one of them. And it sounds like they messaged a developer offering them a job.
So if that's the case, it's not so hard to create a fake persona on LinkedIn to look like you work
for some prestigious company, making the whole story more believable. I mean, who gets job offers on Discord anyway?
You know, LinkedIn is the place to go get job offers.
The other thing you can do if you target someone in this way
is you can say to them,
hey, for this job, we need to know that you can use
this particular piece of software.
Can you download it for us?
Or can you click on this link and go to this private server
so you can do this exercise as part of the job application?
There's lots of ways with a job application that you can sort of trick someone into doing something they wouldn't
necessarily have done downloading stuff clicking on links so i find that really i think that was
a really sort of smart way of of operating one for people to watch out for eventually malware
gets downloaded by this employee of sky mavis onto their work device. Now, full disclosure, I don't think Sky Mavis have revealed
how that specifically was done,
but you can think of multiple ways
whereby you'd be able to convince someone
as part of the job application process
to download something.
There's lots of ways to do that.
Effectively, the malware allowed the hackers
access to Sky Mavis' computer systems,
and because they targeted an engineer
who had what Sky Mavis describes as very deep level access,
it wasn't like they hacked somebody in the HR department
that had to work their way over to the development environment.
They were already in, they'd hit the mother load effectively
and were already in at a very deep level inside Sky Mavis.
Yeah, I mean, if you get malware onto a developer's computer
and then take control of their computer, then you can assume the role of that developer in that company.
You have their access keys, their logins, their privileged access to the network.
With their sort of deep level access to SkyMaker's systems, the hackers start scoping out how Axie Infinity works and how this money is moving around.
I bet they were looking for a central wallet like cold storage or something where Sky Mavis stores all the keys and has access to millions of dollars in crypto.
But they couldn't find that.
So the second thing was, with all this money flowing through the system, was there a way to grab it somehow?
And what they realize is, what we've covered earlier, is there's this internal blockchain within Axie Infinity,
monitoring the transactions between the players.
There's the external sort of Ethereum blockchain, which is effectively bringing in money that people are, you know,
Ethereum, Ether currency that people are spending into the game and then putting it out. So there's a conduit through which this is all happening. And that conduit is a thing called the Ronin Bridge.
The Ronin Bridge's job is basically to reconcile what's going on in the game with what's going on
on this external Ethereum blockchain. Effectively, the Ronin Bridge is nine computers around the
world. And those computers are looking at all the transactions
inside and outside and reconciling the two ledgers together.
So basically, the hackers realize, very, very smartly,
that's the pinch point.
That's the conduit.
That's where the money is going across.
If they can control the Ronin Bridge,
they can effectively control the flow of money.
And since there's millions and millions of dollars
inside Axie Infinity, they can control that money. Now the thing about this is there are nine computers as part of the
bridge. There's effectively nine what they call validators. And SkyMavis had sort of thought about
the possibility of getting hacked, to give them credit, and they only controlled four out of those
nine, which isn't enough to give you majority control. So you can't just take over
Sky Mavis, get control of the bridge and take the money out. The hackers had to find a fifth
computer. So they have five out of nines that got majority control. And this is where things go wrong
for Sky Mavis. Sky Mavis had outsourced the other five validator computers to external companies,
so they weren't in control of them.
You know, so Sky Mavis didn't hold all the cards effectively.
But one of the companies it outsourced to gave Sky Mavis a temporary access to its validator,
and that temporary access was never revoked.
The hackers somehow managed to realize all of this and thought,
aha, we've got four computers validating Sky Mavis.
We need a fifth to get majority control.
There's the fifth one.
We still got access to it via Sky Mavis.
We've got five out of the nine computers.
And guess what?
We control the bridge.
We control the money.
And it's time to steal.
Wow.
I think the level of knowledge needed to pull this off is quite remarkable.
This is not so simple as opening up a wallet and transferring the funds out.
To take over five of the nine nodes of this side chain
and to know how to operate them in a way that will allow them to steal money
takes a specific skill set.
Whoever did this must have had to prepare quite a bit for an attack like this.
It kind of reminds me of that one time my friend went and bought an antique for, I don't know, $1,000 or something.
And on his way home, he stopped for lunch somewhere and his car got broken into and the thieves stole the loose change in his cup holder.
They looked at that old antique and didn't think it was worth anything and left it. Whoever was targeting Axie Infinity knew exactly where to look
to extract the most amount of value they could from the system.
They knew exactly where the value was.
And I don't think many of us would know how to work these controlling nodes,
even if we could take them over.
But when they took over these nodes, they got immediately to work,
setting up an attack which would allow them to transfer
as much out of the Ronin network as they could and as fast as they could directly into the Ethereum wallets that
were ready and waiting. They set up everything and using their control of the bridge, deployed
a command to transfer the money. They stole ETH currency and USDC, which at the time was valued at $625 million.
$625 million.
Yes.
I'm trying to think, is there a single cyber heist that is more than $650 million?
I can't think of one.
I'll go further than that.
I've been a bit circumspect in the book, but
I'm being less circumspect the more I go on.
I think it's the biggest theft of all
time. And I'm
going to add a couple of qualifiers to that. It's a big
statement to make. I'm talking about
one-off theft. Obviously, ransomware
as well, you know, has made billions
over time by multiple victims.
I'm talking about one victim, one hit
at the time the theft happened.
Because obviously there's, you know,
the Bitfinex hack, you know,
the one that Heather Morgan and Illy Lichtenstein
got sentenced for.
Well, that was, I mean,
that ended up being $3 billion, I think.
But at the time of the hack, it was $70 million.
So I'm talking about valuing a crime at the time
the crime was committed, one off crime, one victim. And so I've been doing Google, you know,
you Google and you Google and you try and find these things. And, you know, there's the Isabella
Stewart Garden Museum heist is one of them. So that was, I think, 93, was it? They broke into
the museum, they stole artworks. The artworks were valued at 500 million.
Now that's often listed as being one of the most expensive heists of all time.
That's only 500 million.
So I know I'm out on a limb here, but I do think it's a serious,
if it's not the number one, it's a very serious contender for biggest theft of all time based on one hack, one victim,
one crime, one victim, valued at the time of the crime.
Some of my listeners might be shaking their heads right now and think,
no, Jack, none of this cryptocurrency is real money. This is not the biggest heist of all time.
And in fact, a lot of articles which list the biggest heists of all time don't include any
cryptocurrency heists. But the thing is, these thieves immediately started exchanging it for
traditional money.
So to me, if you can swap it quickly and easily for any currency you want,
then yeah, to me, it's real money.
Yeah, it may start off in crypto and you may turn your nose up at that,
but it ends up in hard dollars and hard dollars that can be used to fund criminal activity and some very serious, as we're going to talk about, some very serious criminal activity.
Maybe I should have mentioned this earlier,
but the reason I'm talking with Jeff about all this
is because he just published a book called Rinsed,
which is all about money laundering in the modern world.
And I just finished reading it,
and it sent me down a wild, twisted tunnel
into the world of money laundering.
Now, what we're talking about in this episode
is a single chapter of the book, though.
The biggest heist of all time, Axie Infinity, is interesting by itself, but the thieves are now faced with a staggeringly huge
challenge. How do you cash out $625 million in stolen cryptocurrency? If you sent it all to an
exchange, they might not be able to swap that much, or they might freeze your account and you
could lose it all. So while they immediately
started sending some of it to an exchange, that was only a small amount and they needed a big plan
for the bulk of it. We're going to take a quick break here, but stay with us because after the
break, someone's going to prison. This episode is sponsored by SpyCloud. With major breaches and
cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited spycloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk and what to remediate
is critical for protecting you and your users from account takeover, session hijacking,
and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals'
ability to profit from stolen data. With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third party breaches, successful phishes, or info-stealer infections. Get your free Darknet exposure report
at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries.
The news broke pretty fast. Axie, Infinities, Ronin Bridge hacked.
$625 million stolen.
Lots of people lost a lot of money,
and including Sky Mavis itself.
But of course, everyone wanted to know,
who did this?
Good question.
I mean, obviously, it very quickly hit the news
that this had happened.
And in fairness, Sky Mavis did a sort of rolling blog
on what had happened
and were filling people in.
And of course,
because it's cryptocurrency
and because all cryptocurrency moves
across a blockchain,
which is almost always publicly available,
and particularly when the hackers
transferred the money out from Sky Mavis,
it was publicly viewable.
People start looking at the wallet addresses to which the money out from Sky Mavis. It was publicly viewable. People start looking at the wallet addresses
to which the money is being sent.
They start looking at the methodology behind the hack.
And very quickly, the name that pops into the frame
is North Korea.
North Korea.
So North Korea's military has something called
the Reconnaissance General Bureau.
In it are believed to be where thousands of hackers are trained and tasked with completing military objectives. This isn't the
first time they've been accused of stealing millions of dollars in crypto. And it's estimated
that they've stolen over a billion dollars in cryptocurrency now. And I can't think of another
country where their government is hacking for financial gain like this? No, that we know of.
It's certainly very rare for nation state hackers to be put on the send for money.
Of course, North Korea is in this unique situation.
North Korea is unique for a lot of reasons,
but the unique situation that they are under international financial sanctions
have been for a very long time,
have, it seems, largely run out of money
or run out of legitimate sources of money.
And so the accusation is that North Korea's computer hackers are tasked with gaining currency,
but by any means necessary.
And that's, from what we know of North Korea, not unusual.
Its diplomats historically have been tasked with not just being diplomats,
but, you know, can you also make a bit of money on the side, please?
Hmm.
But now that I said that out loud, that I don't know of another
country that hacks for financial gain, I'm reminded of an episode I did with a CIA agent.
It was episode 116 called Mad Dog. In it, a CIA agent told me he tricked a diplomat from another
country to give him information on an upcoming trade deal between the U.S. and that country.
He saw what their bottom line was, the lowest amount that they would accept in the trade deal.
And he gave this information to the U.S., who in turn used that information to save the U.S.
billions of dollars in the trade deal. Is this hacking for financial gain?
Social engineering for profit, maybe? I guess economic security falls under national security
and countries will go to great lengths to keep their economic security going well.
When you steal cryptocurrency, one of the hazards of this is it's inevitably going to be on a
blockchain somewhere and that's almost inevitably going to be public. And so it's almost like you've
gone into the bank and stolen a whole bunch of banknotes,
but they're all fluorescent yellow.
And people can see in your pocket that you've got these banknotes.
So your key task as a cryptocurrency thief is to launder the money.
And that's why I've written a book about money laundering.
Well, hang on a second now.
So they have 170,000 Ethereum tokens.
They need to turn that into dollars so that they can buy whatever. they have 170,000 Ethereum tokens.
They need to turn that into dollars so that they can buy whatever.
Why don't they just set up an exchange in North Korea
that they can just send it to and be like,
all right, done.
That's a very good point.
One of the things that people have spoken about
is the idea of North Korea sort of setting up
a cryptocurrency exchange.
I guess the answer
to that would probably be, firstly, there's this idea, I think, with all these thefts that are
attributed to North Korea, that North Korea gets the money back to Pyongyang, and that's where its
destination is. Well, there's nothing to buy in Pyongyang. There's no point sending it there.
Yes, you could set up a cryptocurrency exchange in Pyongyang,
send all the cryptocurrency there, withdraw it in,
I think it's still Won is the currency they use.
But then you've got North Korean currency in North Korea.
What are you going to buy?
What was the point of that?
What you want is to ship the money to, I don't know,
you want to buy widgets in Frankfurt,
ball bearings in Frankfurt.
You want to pay somebody off in Brazil.
You want to get hold of missile technology secrets in Afghanistan. You want the money mobile,
you want it flexible. So you want to be able to move it around. And also, $625 million is a huge
quantity of money. You've got to take it somewhere where there's enough liquidity that somebody will buy that cryptocurrency off you
in exchange for cash.
Well, fiat money, dollars, pounds, yen, whatever.
And so this was the challenge that North Korea was faced with,
if indeed it was they behind the hack,
that they were trying to take this money somewhere
that could absorb it and turn it around
and give it back to them in cold, hard currency.
Okay, so North Korea has $625 million in stolen cryptocurrency. that could absorb it and turn it around and give it back to them in cold, hard currency.
Okay, so North Korea has $625 million in stolen cryptocurrency,
specifically Ethereum and USDC.
We should say there's allegations North Korea denies these allegations obviously being involved in these hacks.
Okay, so it's supposedly North Korea.
A lot of evidence points to them, but we don't know for certain.
I think it was.
Now, the way these cryptocurrencies work
is there's no way to recover that money.
This is real ownership.
As I was saying earlier, there's no central bank
that can reverse the transfer or pull the money back out.
The money is North Korea's,
and there's nothing anyone can do about that ever.
Except, North Korea is under strict sanctions,
which means it's forbidden to do business with them.
On top of that, it's stolen money, and those wallets were flagged.
So exchanges won't simply let them exchange it into cash.
What they need is a chop shop.
The only reason why I know about chop shops is because of playing Grand Theft Auto.
And when I was playing the game, and I stole a car,
and the police were chasing after me,
I could take that car into a chop shop shop and they'd scratch off the VIN,
paint the car a different color and give it a new license plate.
Then when I got back on the road, I could drive right past the police without them knowing
it's the same stolen car since it looks entirely different.
But with cryptocurrency, you can't hide very well by just transferring the money into a fresh wallet.
There's a big glaring transfer displayed publicly for anyone to see.
Moving it into a new wallet doesn't do anything to hide your tracks.
They somehow needed to clean this money
so it can't be linked back to the money stolen from Axie Infinity.
By this point, the wallets into which the crypto had been transferred,
the stolen money from Axie had been transferred into crypto wallets.
And those wallets were flagged as being recipients of crime. And the law enforcement had acted quite quickly and gone around to the major
exchanges, the big legitimate crypto exchanges and said, hey, if anybody tries to transfer you
money from that wallet there, don't take it because it was stolen from Axie. And so they
tried, I think, $60 million worth of exchanges, the hackers, at legitimate sort of above the line,
above the board exchanges. And that money all got frozen. Because of course, as soon as the
exchanges received the money, they went, oh, this is the stolen Axie money. Yeah, we're keeping this.
And so the hackers lost tens of millions of the stolen money because they tried to pump it through
the legitimate system. And the legitimate system just froze it. So then they needed to find
somewhere else. Where can you go with hundreds of millions of dollars of stolen
crypto and just put it in, no questions asked. And that's what led them to Tornado Cash.
Tornado Cash? I've used Tornado Cash before. Let me tell you why. Okay, so I was going for a coffee
a while back in my town and I noticed they accepted Ethereum cryptocurrency.
And I was like, hot diggity, people have been donating Ethereum to my podcast.
I'm going to use it to buy some coffee.
So I started to get it going.
But I thought, wait a minute, hold on, no way.
This is a bad idea.
My donation wallet is public.
So anyone can see where I spend my money.
And if they see I spent it on coffee in my town,
that might expose where I live.
I go to extreme lengths to keep my private life and public life separate.
So I need a way to move this money into a personal wallet
so I can spend it without people able to see where I'm
spending it. So what are my options? I could send it to an exchange and then send it to a fresh
wallet. But to use an exchange, I have to give them my personal details like my driver's license
and stuff, which seems a bit much just to buy a cup of coffee. Isn't there a simpler system,
one that's more privacy focused? Yeah, Tornado Cash.
Tornado Cash is great. You send your money to it. It gets thrown in a pool with a bunch of other
people's money and you get sort of a claim ticket. And at any moment, you can use your claim ticket
to get your money back out into a fresh wallet. Essentially, this allows you to transfer your
money into a new wallet, but it removes the tracks of where it came from.
What's great about it is that it's all automatic.
I was telling you about smart contracts before,
where you can add code to the Ethereum blockchain.
Money is programmable now.
So I can see the Tornado Cash code, verify it looks okay,
and then get my wallet to interact with it directly,
giving it my money and getting that claim ticket back.
And the way Tornado Cash worked is that they purposely built it
so the creators themselves never took control of your money.
The only person who would ever have control of your money is you.
The smart contract is programmed to handle the money,
but the creators built it so that they can't even control the smart contract anymore.
They literally coded all zeros in for
who can control it, which means nobody can. As this story sort of emerged, one of the people
who'd used this particular mixer was Vitalik Buterin, who, of course, came up with the Ethereum
protocol, I think co-developed it. And he said, look, this is exactly what I did. I wanted to
donate to Ukraine. I didn't want to do it publicly.
And that is the hazard of using crypto is it is public.
So I used a mixer because I want to preserve my privacy.
There are good privacy preserving reasons to use something like Tornado Cash.
And that's, I suspect, the reason Tornado Cash was set up largely was for those privacy preserving reasons.
Okay, so you might be thinking, hold on, this is just a Bitcoin tumbler, a mixer for money laundering. And there have been lots of them in the past. And weren't they all
illegal anyway? Yeah, that's the thing. This one was different, very different. The ones in the
past were typically custodial mixers, meaning someone is actually in possession of your money.
If someone put a gun to their head, they could hand over all your money these kind of
mixers are illegal because the person holding the money should know whose money they're holding like
if I give you something illegal to hold you could be in just as much trouble for holding it as me
and yeah a bunch of people were running these mixers and were caught by the police and arrested
for running unlicensed money transmitters and the police were able to shut down those services. The difference here is very important. A custodial mixer is where you give your money to some person
to hold for when you want it back. While a non-custodial mixer, the money is held on the
blockchain, not in anyone's possession. Kind of like if you just stashed your money in a locker
somewhere, and then you gave the key to someone else, and they got it out.
The place that owned those lockers had no idea what you put in there,
so they can't be held liable for whatever was in there.
Kind of like a dead drop.
Now, I imagine the makers of Tornado Cash saw that custodial mixers had been shut down and arrested in the past.
And they probably knew full well that a service like this might be abused by people. So Tornado Cash developers were like, we have to be absolutely certain that we're never in
possession of anyone's money ever. We can never have custody since those kind of mixers are illegal.
So it's only with the invention of smart contracts that they were able to make a service like this,
that they could be completely
hands-off, a service that nobody was operating or running. It was headless. And the developers
could never touch anyone's money, even if they wanted. It was coded that way. In no way, shape,
or form are they ever in possession of anyone's money. And they went to great lengths to prove
that. Not only that, they wanted this thing to be extremely resilient and impossible to be taken down,
as they felt that privacy tools like this were very important to people.
Also, a lot of these mixers in the past were tailored for criminals.
So Alphabay, for example, was a darknet marketplace where people could buy and sell illegal items.
Well, the site had its own crypto mixer, specifically designed to help you hide your illegal items. Well, the site had its own crypto mixer specifically designed to help you
hide your illegal purchases. And in the world of cybercrime, intention matters. If you are building
something specifically for criminals to conduct crimes with, that's racketeering and you could
get RICO charges against you. But the developers of Tornado Cash held on strong that this was a
privacy tool. That was their point.
And to make that clear, they didn't hide in the shadows of the dark net.
They were open about their service and made it easily accessible.
I mean, they even had a Twitter account and a normal website,
which all clearly said,
this is a way to have private transactions on Ethereum.
So as you can see, as a person who values my own privacy, I found this tool
to be helpful and important. Decentralization is very fascinating to me too. My website,
darknightdiaries.com, is hosted on a single server somewhere. But Tornado Cash was kept
up by hundreds of thousands of people running Ethereum validators. And there's something
amazing and beautiful about that.
We can put something on the blockchain
and you know it'll permanently be there
as long as Ethereum exists.
You've understood exactly, that's precisely what it is.
At least that's what the claim was from inside Tornado Cash.
As we'll talk about later on,
others have cast a lot of doubt on that,
but certainly that was the claim.
Look, Tornado Cash is this headless organization.
And once you use it, you're effectively using an automated machine.
It's like going up to a vending machine, sticking your money in, getting the can out.
And the vending machine has been forgotten by whichever company was meant to own it.
It just runs on its own.
Well, clearly, I wasn't the only one to use Tornado Cash.
The people who stole the $600 million from Axie Infinity
also noticed Tornado Cash
and sent hundreds of millions of dollars to it.
Now, this obviously presents a lot of problems
for particularly the United States government
because they can see that money's gone from the stolen, the money's gone
from Axie Infinity, been stolen, sent to
Tornado Cash. They believe it's North Korea
behind this. But
who do you prosecute?
Who do you prosecute? There's nobody behind Tornado Cash
at this time. That's what they thought.
What do we do about this?
They did the next best thing, the US government.
They put Tornado Cash under sanctions
and basically said, look, this. They put Tornado Cash under sanctions.
And Basie said, look, this mixer, this Tornado Cash mixer,
is working for the North Koreans, we believe, we claim.
And therefore, anybody who interacts with this mixer and sends money to it or receives money from it,
anybody who interacts, who's in the US,
people, organizations, doesn't matter,
they are breaching sanctions as well.
We can't shut Tornado Cash down,
but we can freeze it out by
saying, you cannot interact with anybody in the US anymore. And anybody in the US who interacts
with Tornado Cash, you've committed an offense and we can come after you. Sanctions? What?
The privacy tool I use got sanctioned? Hold on, hold on. This does not feel right.
Okay. I need some names. Who created Tornado Cash?
Yes, three people, it seems, created it.
They are Andrei Pertsev, Roman Storm, and Roman Semenov.
They worked for a company called Pepersec.
And I think it's, as we'll get into,
there's some legal proceedings around this that we have to be quite careful about.
But I think it's fairly uncontroversial that they set up Peppercasek
and they created Tornado Cash.
But the key thing is they created it, they say, to preserve privacy.
And having created it, they got to a certain stage and said,
okay, we now burn our passwords to this.
We step back. We have nothing more to do with this.
It's running on its own, the Tornado Cash DAO.
Oh, it was a DAO. Of course.
DAOs are fascinating.
What I'm saying is an acronym, D-A-O, DAO, and it stands for Decentralized Autonomous
Organization.
And this is a perfect example of one.
The internet has changed everything about our lives.
You know that already.
Every day I get online and I chat with loads of people from
all around the world and I visit websites from other countries and it never feels like I'm
traveling far away to another country to interact with them. It's just right here on the screen in
my bedroom, just milliseconds away. The internet has connected us in a way where national borders
just don't seem to exist anymore. So if you were to start an online business that exists only online,
and there's like no physical product or reason to have a home base,
and maybe you start it with two other people,
like one person is from Europe, another is from Asia, and the third is from the U.S.,
what country do you establish your business in?
Forget it.
Why not just make it an online company, not part of any nation at all?
Is that possible?
I mean, traditionally, you needed to make a company like an LLC or something
in order to get a business bank account to do business with the world.
But since this service is all cryptocurrency-based, you don't need a bank.
And autonomous means the company can continue to operate without
anyone controlling it. Tornado Cash was one of these DAOs. It was decentralized and autonomous.
It existed only online and was capable of operating all by itself. This is another new
thing in the world that didn't exist 10 years ago. These DAOs exist online only. It's a business that isn't seated in any
specific country. Why should it be? If people are getting paid from a DAO, then those people can
just report their income on their taxes and say they're contractors for that organization.
So the U.S. federal authorities were mad that hundreds of millions of dollars were stolen and
then sent through Tornado Cash.
They wanted to seize the funds and shut down the service. But like I said, Tornado Cash was built in a way that it was impossible to turn off and they never had control of the funds ever.
So the only tool the U.S. authorities had to try to stop it was to sanction it, which I don't even think you can sanction an app,
a piece of code. I mean, it's still there on GitHub for anyone to see right now. So if it's
illegal, why is it on GitHub? And code is just words and symbols. So in essence here, they've
sanctioned a bunch of words that in a certain combination has meaning. So can you even sanction
a page with words on it?
Isn't there like a free speech violation in here somewhere?
But not only did they sanction the code,
they decided to arrest the people who started it.
But what was their intention for starting Tornado Cash?
Because as I said earlier,
in the world of cybercrime, intention matters. It really does.
And, well, there's two sides to this.
You can go on the back of what they've said
and what their defenders say,
which is this was a privacy-preserving tool.
The intention was never to enable money laundering.
However, the counter-argument from the authorities,
which they're making very strongly and in court,
is it doesn't matter.
If you're going to run a money transmitting business that's dealing with,
as Tornado Cash was, hundreds of millions of dollars, you are obliged to think about money
laundering. You can't just naively set the thing up and hope no criminals are going to use it.
That's not how it works, buddy. You have to obey money laundering laws. So we've got arguments on
both sides. We've got arguments the intention was never there. We've got the argument on the other
side saying it doesn't matter.
You're on the hook for this if you set up these businesses.
As you can tell, I'm being diplomatic about this.
A, because there's legal procedures about it.
B, also because I hear both sides.
I do genuinely hear both sides.
And that's the thing.
It's a fascinating debate.
That's why it's a fascinating story.
The police are saying intention doesn't matter here.
The act of creating open source code and putting it on the blockchain to help make your financial transactions private was illegal because someone misused their tool.
And I want to point out here that the U.S. government isn't clear on whether cryptocurrency is even money or not.
The Commodity Futures Trading Commission, the CFTC, classifies it as a commodity.
The SEC classifies it as a security.
The IRS classifies it as property.
And FinCEN, the Financial Crimes Enforcement Network, classifies it as money,
which is what requires people to follow the anti-money laundering laws.
The government has made all this so confusing.
I hate being in this position.
I don't want to take the side of criminals who stole this money.
But because I want to live in a world where financial privacy exists,
I feel like sanctioning privacy tools hurts me.
Yes, but the cost of that.
If you do 100% privacy, you have to protect people
you don't like as well. It's a fascinating debate. This is why it goes around and around in my head
in the same way it sounds like it's going in yours as well. Because the money transmitting
rules they were supposed to follow was KYC, which stands for know your customer. For them to operate
this legally, they would have had to ask everyone who uses the service for their real name, identity,
upload your driver's license, tell them your address. And when you do all that, now it's not
so private anymore. Well, now creators have to maintain a database and a whole back end full of
people's personal information. I don't want my personal information in a database somewhere
just so I can privately buy a cup of coffee.
The best privacy tools are the ones who know nothing about who I am.
When the financial system becomes a surveillance system, we start having big problems.
Look at China, for example. They have this social credit system where if you do things the government doesn't like, they can restrict what you buy. They can also see everything you buy and make judgments about your character based on it,
restricting other areas of your life or even targeting you as a problem citizen.
A government that is watching your every purchase is not encouraging of a free society.
I mean, let's look at some legitimate use cases for why you'd want to use
Tornado Cash to hide your transactions. You heard me say that I like to have this buffer between my
public life and my private life. The internet is a big old dangerous place. And if you don't believe
me, listen to the previous 146 episodes of this podcast. It's important that we secure our stuff
and take our privacy seriously.
Also, imagine going to buy something from someone,
and as soon as you give them the money,
they can look to see how much money is in your bank account and all your previous purchases.
This is how Ethereum works by default,
so we need a way to shield our purchases from the rest of our transaction history.
You heard how Vitalik, the creator of Ethereum,
wanted to donate to Ukraine but wanted
to do so privately without anyone knowing. There's another reason. He's a public figure. He wants to
keep his political activities to himself. There are non-profits that I know of who go to great
lengths to keep their donors private because donors don't want the public to know what causes
they're giving towards and don't want any extra solicitation from people asking them for more
money. But I keep thinking about stories of people living in oppressive regimes. China, Russia, Iran. If you live there
and speak up against the government, you could easily go to jail. And these governments want
strict control over their citizens, so monitoring financial transactions is crucial to keeping a
strong grip on them. So dissenters and activists in these countries absolutely need a way to send and
receive money in a private way, to support their cause and educate people in the atrocities of
their own government. Their life depends on private financial transactions. Churches and
charities don't care if you deliver them a big bag of cash as an anonymous donor. And that's none of
anyone's business if I want to donate anonymously, I want the same thing for digital transactions.
I think taking down privacy tools like Tornado Cash
hurts regular people.
Which was exactly the basis on which the crypto campaigners
sued the United States Treasury and Janet Yellen individually
after the sanctioning of Tornado Cash.
This decision to sanction Tornado Cash went down very, very badly
with large swathes of the crypto community, it has to be said,
for exactly the reasons you've outlined.
One of the key arguments and a fascinating argument is,
to what extent are you responsible for the downstream effects of code
that you create and make available?
The people who saw this decision by the Treasury, the US Treasury,
to sanction Tornado Cash said, well, you can't sanction code. You can sanction the person who
misuses the code. You know, you don't, if somebody gets stabbed, you don't prosecute the person who
made the knife, you prosecute the person who did the stabbing. And so that was the argument on
which the US Treasury, one of the arguments on which the US Treasury is being sued. The other line of argument was that code, as you said, is freedom of speech and freedom of speech is constitutionally protected. Those cases, by the way, that the attempts to sue the Treasury over its decision on Tornado Cash got rejected, have not done well, but are being appealed as far as I'm aware at the moment. So they lost in the first at least one round, maybe two rounds,
but they're continuing that campaign
because they argue exactly the same as you're saying,
which is, you know, this is code.
You don't prosecute code because if you do,
you dampen freedom of speech, you stop people inventing code.
There's a chilling effect.
That's the risk here.
And that argument is still playing out in the courts.
I want to just take a step back here and note that this story wasn't possible like 10 years ago. This is such a novel new world we're in.
Money used to only be physical, but with credit cards, it's turned virtual. And with everything
being online today, we need digital money. Money used to be controlled by governments,
but now with cryptocurrency, it's controlled by the people. And it's like we're in the middle of a major revolution here. Money is power, and the
governments are losing their power as cryptocurrency becomes more widespread. So of course they'd want
to put up a fight against it. And now with smart contracts and DAOs, businesses can be fully
autonomous and always online. How crazy is that? That a company can exist and make money and act
as an online service and
it doesn't need to be maintained or controlled by anyone? This is an entirely new kind of problem
for the U.S. government to deal with, and they don't really have a good way to combat against it
other than sanctioning the code. If you aren't familiar with how sanctions work, it means the
U.S. Department of the Treasury's Office of Foreign Assets Control,
which is OFAC, has declared that you are forbidden to interact with Tornado Cash. If you do,
you might get arrested. But it also means your money may become frozen if you send it to an
exchange. I mean, typically, when I buy things or go online, I don't ever think about whether or not
I'm violating sanctions. Like, for instance, if North Korea is go online, I don't ever think about whether or not I'm violating sanctions.
For instance, if North Korea is sanctioned,
I don't expect North Korean-made goods to be in my supermarket
where I can buy them and break sanction codes or something.
I assume the shop owner knows not to buy sanctioned items
to try to sell them to me.
So it's completely off my radar.
But here's a situation which I think is the
first time ever that an online application is sanctioned. This is unprecedented. And so now,
I don't know how to navigate this world. Am I supposed to check the sanctions list every time
I go online, visit a website, buy something, use an online service. This breaks my brain.
You are clearly not the only person who feels this
because in the wake of the US government sanctioning Tornado Cash,
somebody clearly felt even more, felt very concerned by this
and very put out by it and thought the whole thing was ridiculous,
this idea of sanctioning.
And so they set up a stunt,
which is another bizarre wrinkle to this story
and an intriguing one.
So the thing about Tornado Cash is,
even though the US government sanctioned it,
it's still up and running.
You can still use its code on the internet.
The website went down, but that doesn't matter
because the protocol,
you can still send money to the protocol effectively
and it will do what it's programmed to do
and effectively mix the money and anonymize the money.
So the thing about that is,
if I know, Jack, your Ethereum wallet address,
I can use Tornado Cash to send you money,
and there's nothing you can do about it.
It just gets sent to you automatically.
So someone somewhere, we still know who did this,
and I'm waiting for the day, actually, Jack,
when they turn up on your podcast,
somebody took $50,000 and started randomly sending it
in tiny bits, tiny, tiny amounts
to anybody who was famous who had an Ethereum wallet,
including Jimmy Fallon, the comedian Jimmy Fallon,
Shaquille O'Neal, basketball star Shaquille O'Neal.
They started receiving.
And of course, it shows up on the blockchain.
You can't hide it because you see Shaquille O'Neal's address
and you can see it's received money from Tornado Cash.
That's all logged.
And so technically, I guess you could argue Jimmy Fallon
and Shaquille O'Neal have breached sanctions or sanctions dodging.
And I guess you could say they should be prosecuted for that.
But the whole point of this exercise was to show how ridiculous it was
that anybody, even famous people who've done clearly nothing wrong,
can then, as a result of this sanction of Tornado Cash,
get implicated in sanctions busting.
The idea was just to illuminate how ridiculous this was.
And so I don't know what Jimmy Fallon and Shaquille O'Neal have done about that,
but it's tricky.
It was a fascinating sort of stunt that emerged as part of this.
So North Korea sent about $450 million worth of crypto to Tornado Cash to try to mix it.
There's cryptocurrency tracing companies who claim they left it in for about four weeks and then extricated it.
What we don't know, of course, is who it went to thereafter.
So you can, with mixers, I mean, particularly when you're mixing a huge amount like 450 million,
there are companies that track crypto.
One of the things they do with mixers is they look at the amount going in, the amount going out.
Now you can't link, you know, this cryptocurrency payment is linked to that one going out.
But you can see the volume and you can see the amounts going in, the amounts going out. And so I think that's what they've done is they've looked and gone, look, 450 million goes in. We can look at the outflows and sure enough, four weeks later,
450 million comes out, to put it in very simple terms. And so that money is now somewhere in
cryptocurrency wallets. The other interesting thing is, well, then who do you take that to
to cash out?
You've got to say to somebody,
right, here's $450 million
which came from Tornado Cash,
don't know where else.
Could you transfer that and change it
into pounds or dollars or yuan or whatever?
There are people out there who'll do that,
no questions asked,
that they'll take a big cut.
But doing that to $450 million,
you've got to have some brokers that have got
some serious, serious liquidity on their hands to be able to change that. So the theory, I think,
from some people is that there's a bit of a glut now of stolen money that the North Koreans are
accused of stealing, that they're trying to cash out, but they can't cash out quickly enough.
There's nobody who can buy it off them for the $450 million or whatever they need.
So that's where that's ended up, all that money is pounding.
I guess a chop shop wouldn't even work here because it's more like you stole a giant bus
and no matter what color you change it, you're going to look like a giant bus coming out the other side.
Yeah, exactly.
So ideally you want a chop shop that can convert your big yellow bus into a bunch of tiny little smart cars or whatever.
So just going back as well, this idea that Tornado Cash was sort of leaderless is now being thoroughly challenged in the courts.
The first thing that happened was a guy called Andrei Pertsev was arrested in Holland and accused by the Dutch government of running Tornado Cash. Roman Semenov is also
indicted by the US government. He's believed to be in the Russian Federation, so hasn't
faced trial. I've tried to contact Roman Semenov, hadn't heard back from him.
Subsequently, after the sanctioning of Tornado Cash, the US government charged Roman Storm,
who's in the US and is, I think, currently being tried and is in prison.
Again, fascinating trial. The same arguments are coming up in his trial as we've talked about,
you know, people saying, look, he did not run this. He was trying to preserve privacy. That's
why he set it up. Now, going against the idea that these guys didn't run, inverted commas,
Tornado Cash, is a slightly inconvenient fact, which is that,
according to the US government, they owned a lot of the voting tokens and crypto tokens inside Tornado Cash. So the way this works is, you know, Tornado Cash is leaderless.
It's done by vote. Any changes to Tornado Cash get done by vote using tokens. I think part of
the US government's argument is, well, hang on, a lot of those tokens were in the hands of
these three individuals. So they may say they argument is, well, hang on, a lot of those tokens were in the hands of these three individuals.
So they may say they didn't have control, but actually we think they did.
Also, they say that they were still making money out of Tornado Cash.
And so all this leads to trying to knock down this argument the defendants have,
which is that, oh, we didn't run it.
The US government is saying, no, you did run it, and here's the evidence why.
So the guys who started Tornado Cash, two have been arrested.
And in May of this year, the first verdict came in. Alexey Pertsev was tried in the Netherlands, and the judge found him guilty and sentenced him to five years and four
months in prison. The cops took his Porsche and 1.9 million euros in cryptocurrency. The press
statement from the Netherlands government says,
quote, tornado cash is not a legitimate tool that has unintentionally been abused by criminals,
end quote. Not a legitimate tool. In fact, the judge said specifically he could not find any
legitimate use for this tool, as if privacy itself is a crime.
What's fascinating about this,
it sort of starts with a hack on a video game to do with salamanders,
and it ends up in this kind of epic battle royale
over freedom of speech and privacy.
And yeah, I find it really, really fascinating.
It's almost like the kaleidoscopic story.
You look into it, it's got everything in it.
Yeah, we've gone all over the road here, haven't we?
How are you going to edit this one down?
I do not envy you that task.
Another way to look at this is that the feds are saying
that the developers of the tool are responsible for how users use it.
And that's a bit crazy, if you ask me.
It's like saying a lighter company is responsible
anytime someone uses their lighter to commit arson.
Or a drone maker is responsible
anytime someone uses their drone illegally,
like spying on people, flying in the wrong airspace,
or dropping a bomb on someone.
Or it's like saying a VPN provider gets arrested,
shut down, sanctioned,
because some of their users went online
and did something illegal.
Or, my goodness, is an encrypted messaging app responsible for people doing criminal activities on it?
I mean, we know criminals use iPhones.
Apple knows criminals use their phones.
In all these cases, the tech itself is neutral, and it's up to the user to use it responsibly.
Governments have never faced anything like this before,
and they simply have no precedent to act on here,
and in my opinion are just drawing really fuzzy lines arbitrarily.
They can't even come to a consensus on whether cryptocurrency is money or not. The worst example you could possibly think of,
maybe with the exception of child sexual abuse,
one of the worst examples you could possibly think of, maybe, you know, with the exception of child sexual abuse, one of the worst examples you could think of
would be, you know, a country using this kind of technology
to get nukes.
As like, oh yes, we've got that.
So it's almost like your privacy defending hat,
your privacy defending head
is being put to the most extreme test.
It's like, you want privacy?
Right, what about North Korea nukes?
It's almost like that's immediately what's happened.
You know when you're arguing with somebody
and they just go to the most extreme example of
comparing you to Hitler or whatever? It's like, that's
happened. Now it's North Korea. What are you going to
say now? It's, yeah,
fascinating. Genuinely fascinating.
Okay. I don't buy that argument. Why? Because
all this happened and they didn't
catch the real criminals here.
In fact, I think even if they implemented KYC,
North Korea would just have used some fake ID,
and it wouldn't have helped catch them or slow them down at all.
North Koreans are still on the loose with their fresh and clean $400 million.
And they're the real criminals here.
Go after them.
It's crazy that this story starts with someone stealing hundreds of millions of dollars,
and the people who end up in prison are the privacy advocates. And as I'm researching all this, I had to refresh
exactly what does money laundering mean? The act of money laundering is to hide the cash you have
that was involved in some illegal activity, stolen money or drug money or something like that.
Me trying to hide my transactions isn't a crime. It's only a crime if I'm trying to hide criminal activity.
And by the way, Tornado Cash, despite being sanctioned,
is still up and running because that's how it was designed,
fully autonomous and decentralized.
In fact, there's YouTube videos out there that explain
how to still use Tornado Cash despite it being sanctioned,
basically showing you how to get around sanctions.
I mean, videos like that surely should be illegal, right?
And it just makes me wonder
if these sanctions have any teeth at all.
If you ever hear of anyone who gets arrested
for violating the Tornado Cash sanction,
please tell me.
I would love to know.
Because what's the point of all this
if the government isn't going to
enforce the sanction at all? Because it almost feels like the government is powerless here.
It has no ability to stop or control cryptocurrency or from people using apps like this. This is what
permissionless money is like. And I don't see any evidence that the government is even trying to
enforce sanctions. The sanctioned code is still there on GitHub. YouTube happily hosts videos on
how to avoid sanctions and still use tornado cash. What is happening here? Just a month ago,
the SEC approved the Ethereum ETF. This means you can buy this stock on the regular stock
exchange and they'll buy ETH for you. It's a way to invest in Ethereum without actually holding
Ethereum. So there's this wallet out there which holds all the ETH from this ETF. Well, guess what?
As soon as the internet figured out which wallet is holding the money for the ETF,
someone sent a whole ETH token worth over $3,000 through Tornado Cash and then to the
ETF wallet, which in my opinion means the wallet is now violating sanctions and can no longer buy
or sell on an exchange. They did it to protest these sanctions, to show that there's absolutely no way to enforce this. And I guess this means
Tornado Cash won. There's no way to stop it or to stop people from using it.
And so today, there's still millions of dollars flowing through Tornado Cash.
It's gone down. Don't get me wrong, the amount it's processing has gone down.
And therefore, it makes a less efficient
mixer. You want your mix to have lots of liquidity, lots of volume going through.
The less it's used, the less efficient of a mixer it's going to be. However, it is now
a criminal mixer. And so it's a sanctioned mixer according to the US government. And so anybody
uses it is going to be a crook. What that means, of course, is if you use Tornado Cash,
you're going to really struggle to send the money onwards.
Because whoever sees money coming at them from Tornado Cash
is going to go, no way I'm going to accept that.
Unless it's somebody who doesn't care about dealing with sanctioned entities,
in which case, you're in a slightly murky world.
It is a very murky world.
Because let's say, hey, I'm selling something online
and someone's like, I'll buy it,
and they send me the cryptocurrency that's been mixed through Tornado Cash.
Am I supposed to say, oh, wait a minute,
before you send me the money, let me analyze your wallet
to make sure it doesn't have any sanctioned crypto in it?
This is bonkers.
This is like running the serial number on every dollar bill you ever get
to see if it's ever been used
by someone who's been sanctioned in the past.
That would be a nightmare to have to do.
Yet that's what I feel like we have to do from now on.
Yeah, so suddenly I'm wondering
why the U.S. is even involved, right?
So Axie Infinity is based in Philippines.
So I could see the Philippine police being upset.
Vietnam.
Oh, Vietnam.
And okay, so I could see the Vietnamese being like,
all right, we got to sanction this
because we don't have any other way, right?
And then you've got the creators of Tornado Cash.
They're not US-based, are they?
Yes, Roman Storm is based in the US.
But actually at the point where they sanctioned it
I don't think that had been confirmed
and look, with sanctioning, sanctioning is a really interesting power
in that basically any time money transfers across the US
the US can exert control
in terms of sanctions
so it's extremely difficult to avoid
if the US government wants to go after you on sanctions
it's extremely difficult to avoid if the U.S. government wants to go after you on sanctions.
It's extremely difficult to avoid that.
The U.S. government's argument is that there would be U.S. users using this service.
Money transactions would have gone across the U.S. territory.
Also, as far as I'm aware, the sanctions dodging accusations that the U.S. puts at the foot of North Korea gives the U.S. government huge scope to go after it around the world.
Wherever North Korea tries to dodge sanctions,
it seems the U.S. government can go with its sanctions legislation.
So, you're right, it seems odd, but in a way,
it doesn't surprise me at one jot that the U.S. has managed to try and do this.
Right. I don't know if there's the word trad cry,
but traditional crime
is based with people
in countries, and those
countries can deal with that or whatever.
And here we have a new kind of crime,
which is there is no boundary.
There is no country. There is no head
of some company. There is no
person controlling the code.
I don't even know
if it is a crime. We haven't even established that.
There's laws that are established to avoid money laundering that may have been,
I don't know what's going on. It's another person in another country that did it, right?
But this is why sanctions are such a useful weapon and why the US is resorting to them more and more.
We've had Bitcoin fog. There's a prosecution in that case recently,
another crypto mixer.
This is why the US government is using them.
We can't nick these people.
We can't lock them up and put them in handcuffs most of the time.
We can use financial, frankly, financial warfare.
This is what we do now.
Financial warfare?
We can't police the code.
We can't police the people.
But it's all about money.
So we are just going to use that sanctions power,
which is a really big, broad power to use.
As soon as I started seeing this and I started realizing what was going on,
I said, oh, that makes perfect sense.
You've got so few weapons to bring to the battle,
but you've got this weapon and it's really good and you can use it wherever.
It makes perfect sense.
And you know, as I was researching this episode, I saw more stories like this.
Another privacy service just like this called Samurai Wallet
was also shut down by the U.S. federal authorities
and the people who started it were arrested.
This was a coin join on the Bitcoin network,
which isn't the same as the smart contract system,
but it is autonomous system and it's non-custodial
and it was also open source.
And here you have people who have
contributed to an open source project who are getting arrested because the feds are accusing
them of running an illegal money transmitting service and as my eyes become tuned into this
i'm seeing more and more stories like this the phoenix wallet decided to remove themselves from
the app store not saying a reason why ibex pay is shutting themselves down not saying why either
metamask received
an enforcement action letter from the SEC, and they're countersuing the SEC over that.
Something big is going on here. Privacy advocates have fought the government in the past before,
and one, the story of Phil Zimmerman comes to mind. Phil created a fantastic encryption program
called PGP, which allowed you to send an email to someone encrypted,
so only you and the receiver could see what was in it.
Yeah, well, the U.S. government hated this kind of encryption that gave us privacy.
Encryption? That's only for the military.
How dare civilians try to use it?
So they classified PGP as ammunition,
and they called it a regulated arm, as if it was a weapon,
which allowed them to say, look, Phil, unless you get an arms export control license, you can't go
distributing encryption code online. Because, you know, what happens if criminals use it? They could
hide their communications. Nobody wants that, right? The FBI began investigating, Phil. Well, the privacy
community was outraged that the government was restricting us from encrypting our own messages.
And they started being vocal about how important privacy was.
Someone suggested to Phil that he should publish the PGP code in a book.
And Phil's like, what? Why?
It's a program. It's code. Just download it online.
Geez, if I were to put it in a book, it would take 800 pages to print it.
But the thing was, books weren't considered regulated munition.
Books were protected under free speech law.
So if he were to publish the source code in a book,
that would give him protections that what he's written is just words
and not, in fact, a regulated arm.
So he published it in a book, and it was 800 pages of code.
Well, enough people voiced their support for encryption and privacy
that the government finally gave in and let Phil off the hook
and even took encryption off the regulated arms list.
It was a big victory for our privacy.
And thank goodness, because encryption is inherent in everything we do online now.
Even what you're hearing right now, this podcast was delivered to you encrypted
so that anyone who intercepted the packets along the way wouldn't know what you're listening to.
It would have been illegal for me to use encryption on this podcast in the 90s without
an export license. I did a whole episode on this, actually. That's episode 12 called Crypto Wars.
What Phil showed us is that code can be printed in a book, and if it's printable like that,
it's protected under free speech. And so once again, it's unprecedented that the government would put a sanction on code, which has always been free speech. Until now. Until now.
I don't know. The crypto space is so complex that if I sent it to your wallet, and you sent it to mom's wallet and she sent it to my wallet and then I sent it to the exchange, is the exchange going to know that still came from Tornado Cash?
Very good question. And that comes down to how much liability the exchange has. So in the situation you described there, that's what, four hops? I think, given that cryptocurrency tracing is fairly well developed,
I think the authorities would say,
well, hang on, you should still have known it came from that.
But if you're talking about 100 hops or 1,000 hops,
maybe that's enough hops that the authorities say,
well, yes, you had no way of knowing this back in the day.
Transfer it to Polygon and then back to ETH,
and now you've got a new wallet,
and I don't know if that's traceable.
There's just a lot of ways to get around that even still.
Now you're thinking like a money launderer, Jack.
That's what I hoped we'd get in this conversation where you finally,
that's what the book's about.
Yes, the book.
Jeff has released a book called Rinsed,
which goes into the modern ways criminals are laundering money.
It's full of things that make you think about the new future that we're facing.
I deviated quite a bit from it here,
but what Jeff told us today was a single chapter from the book.
So you can imagine how much more you learn from getting this book and diving in.
So go read Rinsed today and let me know what you think of it.
And I'll leave you with this very important warning from the FBI,
which was issued April 25th, 2024. This is PSA
I-042524. The FBI warns Americans to avoid cryptocurrency money transmitting services
that do not collect your name, ID, address, and other personal information.
To me, this is akin to the FBI advising against
driving on roads without license plate readers
or walking on sidewalks without facial recognition cameras.
It's like being told not to wear sunglasses on a sunny day
or to avoid using curtains in your house.
By cautioning us against privacy tools,
they aren't just infringing on our rights.
They're asking us to live in a glass house, exposed and vulnerable.
This isn't just a warning.
It's a push towards a future where privacy is a relic of the past.
Is that the world we want to live in?
A big thank you goes to Jeff White for sharing this story with us.
You can find a link to his book,
Rinsed, in the show notes.
Go check it out.
This episode was created by me,
the firewall fidgeter, Jack Recider.
Our editor is the router, rigger, Tristan Ledger.
Mixing done by Proximity Sound.
Intro music by the mysterious Breakmaster Cylinder.
I was moving my stuff the other day,
and I had to carry my computer down some stairs,
but I dropped it, and it tumbled down the stairs,
smashing itself to bits all the way down.
At the bottom of the stairs was just a big mess of broken parts.
The only thing that was salvageable was a stick of RAM.
So at least I have the memory of it.
This is
DwarfNet Diaries.