Why care?
In March the Axie Infinity’s Ronin Bridge was hacked and $625 million stolen, supposedly by North-Korean cyber criminals. What is special of the crypto-hack this time? Its scale, one of the biggest in history, its malicious actors, a Nation-backed criminal cyber group (Lazarus), and particularly its novel means of enforcement. In this short article, I provide the details behind and conclude, how effective crypto addresses on a sanctions list are to prevent money laundering in the DeFi space, today.
The U.S. government has yesterday (6th of May, 2022) added BTC and ETH addresses on their North Korean sanctions list. To put cryptocurrency addresses onto a sanctions list in itself is noteworthy. Many would expect only individuals, organizations or entire nations to feature on such lists. But first time in history, also an autonomously operated / self-executed and de-centrally governed mixer service was sanctioned by the The United States Treasury Department Office of Foreign Assets Control (“OFAC”). This is novel, but is it also adequate and effective?
Fast-backward, in March, cryptocurrencies over $600 million in value at the time were stolen via a hack from the Axie Infinity’s Ronin Bridge. Ronin is an Ethereum sidechain built for the quite popular play-to-earn NFT game Axie Infinity, to facilitate cross-chain transfers within the Axie Infinity ecosystem. Stolen were mainly ether (ETH), and a minor portion of USDC stablecoins. Approx. $400 million of the stolen crypto belonged to users, ie. the over 2 million players, which shows the potential spread and impact to the community. The reason why this could happen, has been identified: The governance model behind the Ronin bridge was just not designed decentralized enough; the use of 9 validators, 4 of which are controlled by a single party alone is a misconception and was in retrospective carelessly set up, obviously (more on what and why this could happen e.g. on Cointelegraph).
Behind the this cyber theft supposedly stands the North Korean hacker Lazarus Group, known also under speaking names as “Hidden Cobra” or “Whois Hacking Team” (full list here on the official OFAC page), and that group backed by the sanctioned regime of North Korea. Since the attack, the group has tried to cash out its theft to finance the “unlawful weapons of mass destruction and ballistic missile programs” subject to the U.S. and UN sanctions. They do so by leveraging different means to obfuscate the traces back to the first used address, where the crypto was originally sent to. Particularly, they used so called mixer services producing new addresses, not (yet) featuring on the U.S. sanctions list, thereby launder their funds and finance state terrorism.
The Blender.io operating model is illustrated below (source: U.S. Treasury):
After getting behind that scheme in joint efforts of the Treasury Department together with the FBI and private forensic firms like Chainalysis, the government added yesterday the new ETH and BTC crypto-addresses onto their OFAC Specially Designated Nationals and Blocked Persons (“SDN”) list: OFAC SDN list.
Additionally in parallel, the U.S. put for the first time also a tumbler (=mixer) service, i.e. Blender.io onto their list, the mixer being said to have processed $20.5 million of the theft, and thereby laundering its proceeds.
In an official statement Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said: “Today, for the first time ever, Treasury is sanctioning a virtual currency mixer, … Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.” (statement see here).
This move is noteworthy, not as it is the first time for a regulator to step in against a mixer service. But more as it triggers the question about the effectiveness of such measure: Are self-executing protocols (Smart Contracts) designed to be changed after their deployment, e.g. to permanently screen, identify and prevent banned addresses from access, and thereby act as the extended arm of the U.S. watch dog? Technically for mixers like Blender.io or a far more popular one, Tornado Cash, the answer is clearly “No” – they are autonomously operating and controlled fully decentralized via governance tokens giving its (distributed) holders voting rights to decide the protocol’s upgrades and other developments (typically referred to as a DAO scheme). I would call such systems thereby pedigree DeFi schemes – not centrally controlled / controllable. Further, and from a regulatory perspective the argumentation might be not that clear and different interpretations made depending on how extensive one likes to interpret the FATF rules. Next to the technical limitations mentioned, it is clear that mixers, designed like Tornado Cash or Blender.io are not money transmitters, and therefore required to do KYC checks as they do not provide any custodian services or have a centralized host for its website (more background here). Bottom line, and despite their underlying purpose to break the link between the sender and receiver’s addresses on transactions sent over the Ethereum blockchain and their often shady user groups, they cannot, hence should not fall under the FATF rules and potentially neither the related sanctions. Other regulatory means have to be developed and put in place, therefore.
What is the effect of the measures taken by the U.S. governments?
Tornado Cash: As a consequence from the ongoing discussion, Tornado Cash, which is not sanctioned like Blender, is still operating. Yet, they have meanwhile added a Chainalysis compliance tool to its user-facing dapp (decentralized application) blocking transactions sent from the sanctioned addresses (more here). Again, this is not affecting the protocol itself, and users interacting directly with the protocol will be able to further do so and under the regulators radar. This is why at least to date the funds are continuing to move, proving the sanctioning of a fully decentralized mixer to be not (fully) effective.
Blender.io: The url blender.io seems to be down (taken down as a consequence of the sanctions?), but there seems to be a re-routing to the seemingly same service under blendar.io, at the time, this article is being written (May, 7th, 2022, 5pm CET).
Hence, and beyond being novel, is it adequate and effective to put fully decentralized mixer schemes onto a sanctions list?
For the adequacy aspect you might argue for a “yes”: Targeting DeFi schemes meant to anonymize bitcoin transactions, and to prevent bad actors (not all are !) to obfuscate crypto transactions originating from criminal attacks looks legitimate. Just consider that it is not only a group of hackers; it is a fierce one, equipped with all the resources of its backing regime, willing to spons cyber attacks to finance its agenda of terror.
For the effectiveness aspect, you may say “no”, and indeed, sanctioning the mixer itself is arguable, as funds still seem to flow, presumably directly via the protocols of Tornado Cash and Blender. Nevertheless, both mixers seem to have made changed on its front-ends: Tornado implemented a compliance tool, and blender seemed to re-route its users from the official address blender.io to a newly established one blendar.io.
Bottom line, and this is my personal take, regulatory actions against 100% DeFi schemes remain in-effective – q.e.d. Hence, such measures should not be considered from the outset. Better tooling need to be developed by the regulators and industry to fight the malicious actors, without, in the same time, throwing the baby out with the bathwater.
Exiting times, more to come, stay tuned …