Transcription performed by LeahTranscribes[START OF RECORDING]
JACK: Alright, light’s red. We’re recording. Hey, Tortoni. You’re looking great today. Still writing, I see. See, here in my studio, which is just my closet, I have a picture on the wall made by Edouard Manet. It’s a picture of a fine-looking gentleman sitting at a table writing something down. I call him Tortoni, but that’s not his name. This picture has captured my imagination and curiosity for countless hours. I stare into it and I just fall into an abyss. But the thing about this picture is that it’s not the content or even who made it. It’s that this picture was stolen from the Isabella Stewart Gardner Museum back in 1990, and it’s never been recovered. I don’t have the original; I just have a print of it. But the thieves didn’t just steal this picture; they took a bunch of others, too, and this was the biggest single heist of all time. They estimated that the art that was stolen is worth $500 million, and it still remains unsolved. I’m looking at this picture on my wall right now. There’s a $10 million reward for it. Yeah, mine I just got from my printer for like, five cents. It’s always been weird to me how art has so much value. I just don’t see how this picture, which is not that much bigger than a regular sheet of paper, is worth more than a mansion. But that’s no longer the biggest heist ever, because in 2022, a digital heist happened which set a new record high.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Digital assets are fascinating to me. I’m no economist, but they behave in ways that don’t make sense to me. Let’s take audiobooks, for example. It takes a lot of work to make the first one, but then infinite copies can be made at zero cost after that. So, I don’t know, what happens when supply goes to infinity? It seems like the price would go down to nothing, but it’s not the case. Audiobooks are still $10, $20 each despite there being an infinite amount of them which costs nothing to make more of. That’s kind of wild, and you’d think that piracy would have destroyed the market for digital assets, too. With unlimited supply, demand should have gone way down. But no, the demand for digital goods is at an all-time high. Top-tier musicians are making more money now than they ever did before, and that’s because we all have mobile devices glued to our hands 24/7, and we’re continually thirsty for more digital content to consume. It almost seems like our whole lives are digital now; movies, shows, memes, music, books. Even the people we are closest to, we have a digital relationship with them. But I’m always wondering, of all the digital stuff in our lives, is any of it really ours to own?
[MUSIC] Okay, so, I think anything that’s saved on your computer and you can use it offline — I’ll say that’s yours and you own that. Photos that are saved on your phone; that’s yours. Music saved in MP3 form; that’s yours, too. You own that. But the line is often blurry between what’s on our devices versus what’s on the internet. If you have an Android phone, it tries to get you to back up your photos to Google Drive, and it’s not always clear if your photo is on your phone or on Google’s servers. If it’s just on Google’s servers, then you don’t really own it, do you, since they have complete and full control of your photos. What about audiobooks? Let’s look at those for a minute. [MUSIC] Most audiobooks I listen to I can actually borrow from the library, and there are apps which let you check them out. You can listen to it for a few weeks and then return it digitally. It’s great. But often, my library doesn’t have the book I want, so I’ve got to buy it. When I buy an audiobook, the biggest marketplace for that is Audible, so I look there. What drives me crazy about buying books from Audible is, well, I don’t own that book, like at all.
If I owned it, I should be able to save it locally, give it to a friend, donate it to my library, or resell it to someone else like a used audiobook. But all that is impossible to do through Audible. Of course, Audible could cancel your account at any time and you would lose all of the books that you ‘bought’. So, to me, the audiobooks that you ‘buy’ on Audible are not really yours. You don’t own them at all. So, let’s look at some other digital assets. How about my online accounts like Twitter or e-mail accounts or online gaming accounts? Do I own my Twitter username? No, I don’t think so. Twitter does, and they graciously let me use it, and at any moment they could terminate it or rip it out of my hands. I don’t have any actual ownership of it. Just look at what happened when Twitter changed their name to X; there was a user on Twitter who had the username X, and Twitter just ripped it right out of their hands and there was nothing that user could do to keep it, because Twitter owns everyone’s account. Yet, it’s interesting because even though you can’t own a Twitter account, they are still valuable and people are buying and selling Twitter accounts all the time. Let’s look at video games now. There are digital assets in video games, right? Imagine you’re playing an online game and when you level up your character you get all kinds of armor and weapons and gold.
That character is yours, right? Well, I don’t think so. The game can ban you at any moment, and then what? What about those in-game items like gold and weapons? It feels like that stuff is yours, but it’s not really. You can’t save it offline or take it with you to another game. It’s strange because even though you don’t own that stuff in the game, those items still can have real-world value. I know I’ve bought an in-game weapon before for a hundred bucks. It’s ridiculous because I bought something I don’t actually own. [MUSIC] Alright, what about my website, darknetdiaries.com? Do I have ownership of that? Well, at first glance, sure. I purchased the domain and I can do whatever I want on it. I’m the admin. I can say what I want and nobody can stop me. But, no. First of all, I didn’t purchase the domain. I’m renting it. All domains have to be renewed yearly or every few years. Registrars control the domains and you pay them to get it. But then you have to keep paying them to maintain control of it. It seems like I don’t own it if I have to pay someone over and over to keep it mine. On top of that, governments can go to domain registrars and take over a domain that’s being used for illegal purposes. So, yeah, I’d say I don’t actually own my domain if someone else can rip it out of my hands like that or if it’ll expire after a while. But domains on the dark web are different.
I’m talking about on Tor, the darknet. See, on the dark web, domains look awful. They’re a long string of random letters and numbers. You would never be able to memorize it, and then it ends in .onion. So, how do you get a domain on the dark web? Is there a central body like I can where you go to register domains with? Nope, no, not at all. You create the domain yourself. Yeah, that’s right. You generate a private public key pair, and that public key is your domain name. So, with this system, the person who has the private key controls that domain. Now, to me, this is true digital ownership and I love that. Unless someone comes and steals my key from me, nobody can ever take my .onion domain from me. It’s never going to expire and it can’t be seized by the feds. This is why a lot of people are drawn to the dark web, to have something on the internet that’s truly yours, and nobody can ever take it away from you. Another thing that I think gives you true digital ownership is cryptocurrency. [MUSIC] Not all money is like that. Your bank can refuse your service if they want. They can cancel your credit card and kick you out of the bank and freeze your money. I know PayPal has frozen my account before, trapping my money in there. But because cryptocurrency is built on decentralized blockchains, there’s no one managing it to kick anyone out or freeze an account or take over an account. Everyone and anyone is welcome at all times forever, and the best part is you truly own your crypto wallet.
Because to get a cryptocurrency wallet, you just make it yourself by generating a random private key and then using that to derive a public key. When you do this, only you are the only person who’s ever seeing that private key, and whoever has that private key controls that public address or wallet. There’s no admin that can revoke your key or move your money without your permission. Your key is your key forever and ever. The blockchain is a fascinating invention and whether you love or hate cryptocurrency, the technology behind it is very interesting. Take the Ethereum blockchain, for example. It popularized something called smart contracts which allows people to add code into the blockchain, which means you can program money and even create apps integrated directly into cryptocurrencies. This is wild and it’s opening up a whole new future that we never imagined. For instance, people are making entire video games with these smart contracts where the whole game lives on the blockchain, which means the in-game currency is actually real cryptocurrency. Not only that, but the apps you make on the blockchain are truly yours, where nobody can ever seize it from you or stop you from making it. It’s time we step foot into this big, new, wild, digital world. I think the game Axie Infinity represents a fundamental shift in video game development. I spoke to Geoff White about this game.
GEOFF: Hi, I’m Geoff White. I’m an author and investigative journalist, and I cover organized crime and technology. Yeah, so, Axie Infinity is not like the games that I used to play when I was a kid where they sell you the video game and then you go away and you play it and that’s it. Axie is an online game, as of course lots of them are, and you’re playing against other people online, which of course lots of games are. But the thing that made Axie different and quite radical, I think, for some people was that everything in the game was basically for sale. It was a whole marketplace. So, the way it worked was you have these Axies which are based on the axolotl salamander. You have a team of Axies, three Axies, and you basically wrestle them. You fight them against your opponent’s team of Axies, and if you win, you’re rewarded with Smooth Love Potion tokens which you can use to breed your Axies together to get them to be better fighting machines. It’s basically a bit like — do you remember those Tamagochi keyring things you had…?
JACK: Yeah, I do; a little digital pet that you could level up and stuff.
GEOFF: Exactly that. It’s like that mixed with WWF wrestling. So, that’s the idea. This game is hugely, hugely popular.
JACK: Okay, so how — so, I need a team of three of them. How do I get one of them? What’s the process?
GEOFF: You buy. You have to buy the team, and you can’t — as far as I’m aware — get one. You have to buy a team of three ‘cause three is the magic number.
JACK: Okay.
GEOFF: In order to do this — and this is where it gets interesting with the sort of cryptocurrency aspect of it. If you have [inaudible] dollars for you, Jack, you can swap your dollars into ETH, the currency on the Ethereum blockchain, the cryptocurrency. It’s a bit like Bitcoin. That’s just number two, I think, to Bitcoin, ETH, I think I might say. You can then take that Ethereum money and you can put it into — transfer it into Axie Infinity, and then you could use that in-game currency to buy your Axies, to buy Smooth Love Potion. You can buy land in the game. So, it’s all — the whole game is based on cryptocurrency, and there’s an internal blockchain within the game that tracks who owns what and who sold what to who.
JACK: I see. I like the ownership aspect of this. You really do digitally own one of these Axies since it’s all on the blockchain. There’s no way for anyone to take your Axies away from you if you own them unless they steal your private key. To me, this is interesting because look at the software world right now. You can’t buy Microsoft Word or Adobe Photoshop. You have to pay a monthly fee in order to use it. You don’t own a lot of the software or games today if you have to have an internet connection for it to work. As the meme goes, if purchasing isn’t ownership, then piracy isn’t theft.
GEOFF: Axie Infinity was created by a company called Sky Mavis who are headquartered in Vietnam. I think the company is registered, though, in Singapore. This was five guys who had been part of the e-sports scene, so they’d been around gaming for a very long time. The idea of crypto-based video games wasn’t sort of radically new. I think CryptoKitties predates Axie Infinity, from what I’ve read of it. But basically what they did was they built this game and released it, and in a way they lucked out because they obviously got the benefit of video game obsession. People became obsessed with this game and started playing it and battling their Axies together and so on. They also got the benefit of a cryptocurrency boom, because this was sort of 2019, 2020, and crypto was starting to rise in value quite steeply at that point. So, people who were into videogaming got into Axie Infinity. But what was really interesting around the discussion boards around Axie Infinity is you start to see this change where people are discussing the game and then they start to discuss crypto investments and crypto speculation. So, suddenly people who are into crypto on the speculative side of it started to see this game as an opportunity, a money-making opportunity.
[MUSIC] So, you’ve got this incredible whirlwind of obsessive gamers and also obsessive cryptocurrency speculators coming in, and this game just went up and up in value. I think at one point it was valued at $2 billion, I think I’m right in saying. It’s astonishing values. The other thing that fed into this was Covid, was lockdown, so during that period. The game was big in Southeast Asia, particularly big in Southeast Asia, because that’s where the company was headquartered, and it absolutely took off, particularly the Philippines. I think 40% of the players, apparently, were in the Philippines. During lockdown a lot of people lost work, weren’t able to go to work, were looking around for alternative sources of income, and they started to see that actually they could potentially play this video game and make money at it. So, you put all these factors together and you just get this explosive combination that just launched Axie Infinity into the stratosphere, must to the surprise, I think it’s fair to say, of the guys at Sky Mavis who made it. I don’t think they were expecting it to be such big of a hit.
JACK: Now, because the in-game currency was the Ethereum cryptocurrency, this allowed for a whole in-game marketplace. You could buy or sell things to other players with cryptocurrency just directly on the blockchain. Ethereum wasn’t just for cryptocurrency but there were items on it now, Axies, for instance, and you could buy one from another person directly if you wanted, without having to go through any game to do it. How do people make money? Do you understand the complexities of this? Because if you’re battling someone and you win the battle, do you take money from the other person?
GEOFF: No; the way it would work, as I understand it, is your Axies would become more and more valuable the more fights they won, and you could actually sell them to other people in the game. So, you could say, I’ve got this team of Axies. Look, they’ve got a fantastic track record of killing lots of other Axies. I don’t know actually whether killing was part of it, but winning the battles. Would you like to buy them off me? Also, there’s a trade in Smooth Love Potions. So, as you played the game, you got more Smooth Love Potion; you could sell the Smooth Love Potion to people. You could buy and sell plots of land on Lunacia which is the virtual environment in which the game is played. So, everything — almost everything was for sale, so the money was sort of being shared around by trading within the game.
JACK: Now, you might be thinking, hold on, wait a minute. This is an awful idea, to bridge real money into a video game. Well, you’re not the only one to think that. The video game marketplace Steam has outright banned all crypto-based games from there. At first glance you might be thinking, oh, that’s because they don’t want people spending real money on games like that. It can ruin the in-game economy and it leads to speculative behavior. Also, isn’t it stupid to just buy video game assets like gold and weapons? But none of those are the reasons why Steam banned crypto-based games. [MUSIC] A very popular game on Steam is CS:GO. Or, I guess it’s now called Counter-Strike 2. Within Steam itself there’s a whole marketplace where you can buy and sell in-game Counter-Strike items from other players for real money. It’s like a giant marketplace on Steam. Thousands of purchases happen every day. Yeah, you can show up, type your credit card details in, and start buying items in the game from other players with real money. Steam has built this whole system, so clearly they are perfectly fine with people using real money to buy in-game items or be speculative in the game or mess up the game economy. However, when you sell an item, you don’t get the money from the sale. They give you Steam credits which can be used to buy other games on Steam. But players were like, wait a minute, if I’m selling this to someone who’s buying it with their credit card, why can’t I get the money they paid for it?
Steam’s like, eh, we really don’t want to give you money. Game credits are much better for us. So players were like, you know what? Nobody can stop us from just trading among ourselves. So, player-to-player sales started happening. But how do you send money digitally? You can’t just give someone your credit card. It doesn’t work that way. So, players started trading using cryptocurrency, but this became unsafe. People were sending their money and not getting anything in the trade. So, websites started popping up saying, hey, we’ll broker the deal for you, and they started acting like the middle man in trades for Counter-Strike. That went on for a while and Steam was like, alright, here, we’ll make an API for the marketplace. This allowed secondary marketplaces to let players buy and sell in-game items with real money. Not only that; a lot of markets allowed you to buy and sell items with cryptocurrency. So, while Steam has banned crypto-based games, you can actually use crypto to buy things in Counter-Strike 2 or sell things and get crypto from it. This is all totally allowed by Steam. Steam could put an end to all this right now if they wanted. They could make it so players just can’t trade with each other anymore, but they won’t because they make far too much money from this whole system. So, why does Steam actually ban crypto-based games?
I think it’s because the regulatory landscape is unclear. When you start accepting cryptocurrency, suddenly you get into these regulations that are very difficult to figure out. And don’t tell me that Steam bans crypto-based games because it keeps out the trashy, scammy type stuff. Well, have you seen the game Banana? As I’m saying this, it is the second-most popular game on Steam, and it’s possibly the world’s dumbest game. You just click a banana, and after a while you might get a banana for doing it which can be sold on the marketplace, and it’s making the creator a ton of money since people are buying bananas with real money for no reason. The banana does nothing in the game. This is ten times dumber than any NFT game I’ve ever seen, and it’s not even an NFT game. The fact that Steam allows this is kinda breaking my brain, honestly. I bet there are a million teenagers today who are very fluent at understanding the market intricacies of V-Bucks or Robux, the virtual currencies for their favorite games. The thing about Steam credits or V-Bucks or Robux is you can only buy it. You can never sell it. It’s against the terms of service to trade that for real money, and that kind of frustrates me. It’s kind of like when you go to an arcade and they make you buy tokens to play the video games there. Video games can operate just fine on quarters. There’s no need to invent a whole new currency just to play them, and the currency can only be bought, never sold. It stinks when I come home from an arcade and there are a few extra tokens in my pocket.
These things are worthless except for one place in the entire world. So, Axie Infinity was built directly on the Ethereum cryptocurrency, utilizing smart contracts, but they soon hit a problem. [MUSIC] When you play video games, you want it to be fast. Ethereum transactions were slow, sometimes taking a few minutes to complete, and the fees on Ethereum were high, often costing $30 in fees just to buy an Axie from another player. So, to fix that, Sky Mavis, the creators of Axie Infinity, created a sidechain of Ethereum called the Ronin network. This sidechain was very compatible with Ethereum so players could move their money in and out between the Ronin network and the Ethereum network easily. That mechanism of moving money between the two, they named that the Ronin Bridge. The Ronin network was much faster and had very low fees, like less than a cent, making it much more ideal for a video game to be played on this blockchain. But for this Ronin network to operate, there needed to be nodes and validators. Sky Mavis didn’t want to be the only one controlling those nodes and validators because if they were, they could theoretically control the whole network. I guess if you have a majority control of the validators, you could manipulate the system if you wanted. The idea of a decentralized network is that nobody should ever have a majority of the validators so that it can’t be manipulated. So, they made sure to have people outside their control also running nodes and validators.
GEOFF: You could play on a browser. I think most people were playing on a phone. It got so popular that there were reports in the Philippines of people giving up their jobs just to play this game full time. Now, of course, as soon as that happens and it hits the headlines, you get this rush of people who all think, oh, I’ll do that. Of course, it became a pylon. People just went for this game, particularly in Southeast Asia.
JACK: So, there’s this very valuable company with millions and maybe billions of dollars’ worth of cryptocurrency assets running through it, swapping around, moving fast, moving a lot. This will attract somebody who wants to steal that money.
GEOFF: Inevitably. [MUSIC] As soon as you start to make scads of money as a video game, somebody tries to hack you, and that’s exactly what happened with Axie Infinity.
JACK: A lot of scammers and thieves flocked to this game, trying to steal things from other players. Some players’ crypto wallets were loaded with tens of thousands of dollars of Axie Infinity assets, and scammers were trying hard to steal stuff from players’ wallets. One common tactic is to get an Axie Infinity player to connect their crypto wallet to the scammer’s website, maybe by saying something like, oh, we’re giving away a free, rare Axie. With some cleverly-crafted message, they can trick a person into giving them access into their wallet, which then the thief can drain everything from it. Hundreds if not thousands of Axie Infinity players were victim to this type of attack, and I should say that even though attacks on players and cryptocurrency-based games is very common, it’s not unique to only crypto-based games. I remember when I was playing World of Warcraft a long time ago, someone somehow got into my account and transferred all the gold and removable items from my character into whatever account they had. I got digitally robbed in World of Warcraft. If you hang out in the Counter-Strike forums or Roblox forums or Fortnite forums, you see people begging for help every day, saying their account got hacked or their stuff got stolen. There’s a lot of money in stealing video game assets. It’s crazy.
GEOFF: Ideally what you want to do is you want to go to the source of all the money, the fount of all the money, which is Sky Mavis’ servers themselves. [MUSIC] So, the hackers targeted one of the engineering team — and carried out a very, very elaborate — or at least in my opinion, very elaborate social engineering exercise on this person; offered them a job. Now, that’s not an uncommon thing for crypto-developers to get. Game developers get poached all the time. So — a great job for you; a really big salary. Are you interested in talking to us? This employee said yes, started receiving details of the job, did apparently a couple of rounds of interviews for the job which I presume was webcams-off, but was interviewed by people for a job that seemed to exist. Of course, none of this was true. There was no job. This employee of Sky Mavis was being targeted by hackers who were trying to maneuver them to the point where they would effectively download malware.
JACK: Hm. So, we don’t know how they made contact. My first thought was Discord. A ton of scammers are on Discord trying desperately to hack into people’s accounts. But in this case, I’m willing to bet the initial contact was made on LinkedIn. It’s kind of easy to find developers for Axie Infinity on there to begin with, then it’s only a few clicks away before you can message one of them, and it sounds like they messaged a developer offering them a job. So if that’s the case, it’s not so hard to create a fake persona on LinkedIn to look like you work for some prestigous company, making the whole story more believable. I mean, who gets job offers on Discord anyway, you know? LinkedIn is the place to go get job offers.
GEOFF: The other thing you can do if you target someone in this way is you can say to them, hey, for this job we need to know that you can use this particular piece of software. Can you download it for us or can you click on this link and go to this private server so you can do this exercise as part of the job application? There’s lots of ways with a job application that you can sort of trick someone into doing something they wouldn’t necessarily have done, downloading stuff, clicking on links. So, I find that really — I think that was a really smart way of operating and one for people to watch out for. Eventually malware gets downloaded by this employee of Sky Mavis onto their work device. Now, full disclosure, I don’t think Sky Mavis have revealed how that specifically was done, but you can think of multiple ways whereby you’d be able to convince someone as part of the job application process to download something. There’s lots of ways to do that. Effectively, the malware allowed the hackers access to Sky Mavis’ computer systems, and because they targeted an engineer, you had what Sky Mavis describes as very deep-level access. It wasn’t like they’d hacked somebody in the HR department and had to work their way over to the development environment. They were already in. They’d hit the mother lode, effectively, and were already in at a very deep level inside Sky Mavis.
JACK: Yeah, I mean, if you get malware onto a developer’s computer and then take control of their computer, then you can assume the role of that developer in that company. You have their access keys, their logins, their privileged access to the network.
GEOFF: [MUSIC] With their deep-level access to Sky Mavis’ systems, the hackers start scoping out how Axie Infinity works and how this money is moving around.
JACK: I bet they were looking for a central wallet like cold storage or something where Sky Mavis stores all the keys and has access to millions of dollars in crypto. But they couldn’t find that. So, the second thing was, with all this money flowing through the system, was there a way to grab it somehow?
GEOFF: What they realize is — what we’ve covered earlier is there’s this internal blockchain within Axie Infinity monitoring the transactions between the players. There’s the external Ethereum blockchain which is effectively bringing in money that people — Ethereum, Ether currency that people are spending, into the game and then putting it out. So, there’s a conduit through which this is all happening, and that conduit is a thing called the Ronin Bridge. The Ronin Bridge’s job is basically — it’s to reconcile what’s going on in the game with what’s going on on this external Ethereum blockchain. Effectively, the Ronin Bridge is nine computers around the world, and those computers are looking at all the transactions inside and outside and reconciling the two ledgers together. So, basically, the hackers realize, very, very smartly, that’s the pinch point. That’s the conduit. That’s where the money’s going across. If they can control the Ronin Bridge, they can effectively control the flow of money. Since there’s millions and millions of dollars inside Axie Infinity, they can control that money. Now, the thing about this is there were nine computers as part of the bridge.
It’s effectively nine — what they call — validators. Sky Mavis had sort of thought about the possibility of getting hacked, to give them credit, and they only controlled four out of those nine, which isn’t enough to give you majority control. So, you can’t just take over Sky Mavis, get control of the bridge, and take the money out. The hackers had to find a fifth computer so they have five out of nine, so they’ve got majority control. This is where things go wrong for Sky Mavis. [MUSIC] Sky Mavis had outsourced the other five validator computers to external companies. They weren’t in control of them. So, Sky Mavis didn’t hold all the cards, effectively. But one of the companies they’d outsourced to gave Sky Mavis a temporary access to its validator, and that temporary access was never revoked. The hackers somehow managed to realize all of this and thought, ah-ha, we’ve got four computers validating at Sky Mavis. We need a fifth to get majority control. There’s the fifth one; we’ve still got access to it via Sky Mavis. We’ve got five out of the nine computers, and guess what? We control the bridge, we control the money, and it’s time to steal.
JACK: Wow. I think the level of knowledge needed to pull this off is quite remarkable. This is not so simple as opening up a wallet and transferring the funds out. To take over five of the nine nodes of this sidechain and to know how to operate them in a way that will allow them to steal money takes a specific skill set. Whoever did this must have had to prepare quite a bit for an attack like this. It kind of reminds me of that one time my friend went and bought an antique for, I don’t know, $1,000 and something, and on his way home he stopped for lunch somewhere and his car got broken into. The thieves stole the loose change in his cupholder. They looked at that old antique and didn’t think it was worth anything and left it. Whoever was targeting Axie Infinity knew exactly where to look to extract the most amount of value they could from the system. They knew exactly where the value was, and I don’t think many of us would know how to work these controlling nodes even if we could take them over. [MUSIC] But when they took over these nodes, they got immediately to work setting up an attack which would allow them to transfer as much out of the Ronin network as they could and as fast as they could directly into the Ethereum wallets that were ready and waiting. They set up everything, and using their control of the bridge, deployed a command to transfer the money.
GEOFF: They stole ETH, ETH currency, and USDC, which at the time was valued at $625 million.
JACK: $625 million.
GEOFF: Yes.
JACK: I’m trying to think, is there a single cyber-heist that is more than $650 million? I can’t think of one.
GEOFF: I’ll go further from that. I’ve been a bit circumspect in the book, but I’m being less circumspect the more I go on. I think it’s the biggest theft of all time, and I want to — I’m gonna add a couple qualifiers to that ‘cause it is a big statement to make, right? I’m talking about one-off theft. Obviously ransomware was — well, you know has made billions over time, multiple victims. I’m talking about one victim, one hit, at the time the theft happened. ‘Cause obviously there’s the Bitfinex hack — you know, the one that Heather Morgan and Ilya Lichtenstein got sentenced for.
JACK: Oh, yeah.
GEOFF: Well, that was — that ended up being $3 billion, I think. But at the time of the hack, it was $70 million. So, I’m talking about valuing a crime at the time was committed; a one-off crime, one victim. So, I’ve been doing — you know, you Google and you Google and you try and find these things, and there’s — the Isabella Stewart Gardner Museum heist is one of them. So, that was — I think ‘93, was it? They broke into the museum. They stole artworks. The artworks were valued at $500 million. Now, that’s often listed as being one of the most expensive heists of all time, and that’s only $500 million. So, I know I’m out on a limb here, but I do think it’s a serious — if it’s not the number one, it’s a very serious contender for biggest theft of all time based on one hack, one victim. One crime, one victim, valued at the time of the crime.
JACK: Now, some of my listeners might be shaking their heads right now and think, no, Jack, none of this cryptocurrency is real money. This is not the biggest heist of all time. In fact, a lot of articles which list the biggest heists of all time don’t include any cryptocurrency heists. But the thing is these thieves immediately started exchanging it for traditional money. So, to me, if you can swap it quickly and easily for any currency you want, then, yeah, to me, it’s real money.
GEOFF: Yeah, it may start off in crypto and you may turn your nose up at that, but it ends up in hard dollars and hard dollars that can be used to fund criminal activity, and some very serious — as we’re going to talk about, some very serious criminal activity.
JACK: Maybe I should have mentioned this earlier, but the reason I’m talking with Geoff about all this is because he just published a book called Rinsed, which is all about money laundering in the modern world. I just finished reading it and it sent me down a wild, twisted tunnel into the world of money laundering. Now, what we’re talking about in this episode is a single chapter of the book, though. The biggest heist of all time, Axie Infinity, is interesting by itself, but the thieves are now faced with a staggeringly huge challenge. How do you cash out $625 million in stolen cryptocurrency? If you sent it all to an exchange, they might not be able to swap that much, or they might freeze your account and you could lose it all. So, while they immediately started sending some of it to an exchange, that was only a small amount, and they needed a big plan for the bulk of it. We’re gonna take a quick break here, but stay with us because after the break, someone’s going to prison. The news broke pretty fast — Axie Infinity’s Ronin Bridge hacked; $625 million stolen. Lots of people lost a lot of money and including Sky Mavis itself, but of course, everyone wanted to know, who did this?
GEOFF: Good question. Obviously it very quickly hit the news this had happened, and in fairness, Sky Mavis did a rolling blog on what had happened and were filling people in. Of course, because it’s cryptocurrency and because all cryptocurrency moves across a blockchain which is almost always publicly available — particularly when the hackers transferred the money out from Sky Mavis, it was publicly-viewable — people start looking at the wallet addresses to which the money’s being sent. They start looking at the methodology behind the hack, and very quickly, the name that pops into the frame is North Korea.
JACK: [MUSIC] North Korea. So, North Korea’s military has something called the Reconnaissance General Bureau. In it are believed to be where thousand of hackers are trained and tasked with completing military objectives. This isn’t the first time they’ve been accused of stealing millions of dollars in crypto, and it’s estimated that they’ve stolen over a billion dollars in cryptocurrency now. I can’t think of another country where their government is hacking for financial gain like this.
GEOFF: No, that we know of. It’s certainly very rare for nation-state hackers to [inaudible] send for money. Of course, North Korea’s in this unique situation. North Korea’s unique for a lot of reasons, but the unique situation that they are under international financial sanctions, have been for a very long time, have, it seems, largely run out of money or run out of legitimate sources of money — and so, the accusation is that North Korea’s computer hackers are tasked with gaining currency by any means necessary, and that’s, from what we know of North Korea, not unusual. Its diplomats historically have been tasked with not just being diplomats but — you know, can you also make a bit of money on the side, please?
JACK: Hm. But now that I said that out loud that I don’t know of another country that hacks for financial gain, I’m reminded of an episode I did with a CIA agent. It was Episode 116, called Mad Dog. In it, a CIA agent told me he tricked a diplomat from another country to give him information on an upcoming trade deal between the US and that country. He saw what their bottom line was, the lowest amount that they would accept in the trade deal, and he gave this information to the US who in turn used that information to save the US billions of dollars in the trade deal. Is this hacking for financial gain? Social engineering for profit, maybe? I guess economic security falls under national security, and countries will go to great lengths to keep their economic security going well.
GEOFF: When you steal cryptocurrency, one of the hazards of this is it’s inevitably going to be on a blockchain somewhere, and that’s almost never to be — going to be public. So, it’s almost like you’ve gone into the bank and stolen a whole bunch of bank notes, but they’re all fluorescent yellow and people can see in your pocket that you’ve got these bank notes. So, your key task as a cryptocurrency thief is to launder the money, and that’s why I’ve written a book about money laundering.
JACK: Well, hang on a second now. So, they have 170,000 Ethereum tokens. They need to turn that into dollars so they can buy whatever. Why don’t they just set up an exchange in North Korea that they can just send it to and be like, alright, done?
GEOFF: That’s a very good point, and one of the things that people have spoken about is the idea of North Korea sort of setting up a cryptocurrency exchange. I guess the answer to that would probably be — firstly there’s this idea I think with all these thefts that are attributed to North Korea that North Korea gets the money back to Pyongyang and that’s where its destination is. Well, there’s nothing to buy in Pyongyang. There’s no point in sending it there. Yes, you could set up a cryptocurrency exchange in Pyongyang, send all the cryptocurrency there, withdraw it in — I think it’s still — the won is the currency they use. But then you’ve got North Korean currency in North Korea. What are you gonna buy? What was the point of that? What you want is to ship the money to — I don’t know, you want to buy widgets in Frankfurt, ball bearings in Frankfurt. You want to pay somebody off in Brazil. You want to get hold of missile technology secrets in Afghanistan. You want the money mobile, you want it flexible, so, you want to be able to move it around. Also, $625 million is a huge quantity of money. You’ve got to take it somewhere where there’s enough liquidity that somebody will buy that cryptocurrency off you in exchange for cash. Well, for, yeah, money, dollars, pounds, yen, whatever. So, this was the challenge that North Korea was faced with, if indeed it was they behind the hack, that they were trying to take this money somewhere that could absorb it and turn it around and give it back to them in cold, hard currency.
JACK: Okay, so North Korea has $625 million in stolen cryptocurrency, specifically Ethereum and USDC.
GEOFF: Let me just say these are allegations. North Korea denies these allegations, obviously, being involved in these hacks.
JACK: Okay, so it’s supposedly North Korea. A lot of evidence points to them, but we don’t know for certain. I think it was. Now, the way these cryptocurrencies work is there’s no way to recover that money. This is real ownership, as I was saying earlier. There’s no central bank that can reverse the transfer or pull the money back out. The money is North Korea’s and there’s nothing anyone can do about that ever. Except, North Korea is under strict sanctions, which means it’s forbidden to do business with them. On top of that, it’s stolen money, and those wallets were flagged. So, exchanges won’t simply let them exchange it into cash. What they need is a chop shop. [MUSIC] The only reason why I know about chop shops is because of playing Grand Theft Auto, and when I was playing the game and I stole a car and the police were chasing after me, I could take that car into a chop shop. They’d scratch off the VIN, paint the car a different color, and give it a new license plate. Then when I got back on the road, I could drive right past the police without them knowing it’s the same stolen car, since it looks entirely different. But with cryptocurrency, you can’t hide very well by just transferring the money into a fresh wallet. There’s a big, glaring transfer displayed publicly for anyone to see. Moving it into a new wallet doesn’t do anything to hide your tracks. They somehow needed to clean this money so it can’t be linked back to the money stolen from Axie Infinity.
GEOFF: By this point, the wallets into which the crypto have been transferred — the stolen money from Axie had been transferred into crypto wallets, and those wallets were flagged as being recipients of crime. The law enforcement had acted quite quickly and gone around to the major exchanges, the big, legitimate crypto exchanges, and said, hey, if anybody tries to transfer you money from that wallet there, don’t take it ‘cause it was stolen from Axie. So, they tried, I think, $60 million dollars’ worth of exchanges, the hackers, at legitimate, above-the-line, above-the-board exchanges, and that money all got frozen because of course as soon as the exchanges received the money, they went, oh, this is the stolen Axie money. Yeah, we’re keeping this. So, the hackers lost tens of millions of the stolen money because they tried to pump it through the legitimate system, and the legitimate system just froze it. So, then they needed to find somewhere else. Where can you go with hundreds of millions of dollars of stolen crypto and just put it in, no questions asked? That’s what led them to Tornado Cash.
JACK: [MUSIC] Tornado Cash? I’ve used Tornado Cash before. Let me tell you why. Okay, so, I was going for a coffee a while back in my town, and I noticed they accepted Ethereum cryptocurrency. I was like, hot diggity. People have been donating Ethereum to my podcast; I’m gonna use it to buy some coffee. So I started to get it going, but I thought, wait a minute, hold on. No way. This is a bad idea. My donation wallet is public, so anyone can see where I spend my money, and if they see I spent it on coffee in my town, that might expose where I live. I go to extreme lengths to keep my private life and public life separate. So, I need a way to move this money into a personal wallet so I can spend it without people able to see where I’m spending it. So, what are my options? I could send it to an exchange and then send it to a fresh wallet, but to use an exchange, I have to give them my personal details like my driver’s license and stuff, which seems a bit much just to buy a cup of coffee. Isn’t there a simpler system, one that’s more privacy-focused? Yeah, Tornado Cash.
Tornado Cash is great. You send your money to it, it gets thrown in a pool with a bunch of other people’s money, and you get sort of a claim ticket. At any moment, you can use your claim ticket to get your money back out into a fresh wallet. Essentially, this allows you to transfer your money into a new wallet, but it removes the tracks of where it came from. What’s great about it is that it’s all automatic. I was telling you about smart contracts before, where you can add code to the Ethereum blockchain. Money is programmable now. So, I can see the Tornado Cash code, verify it looks okay, and then get my wallet to interact with it directly, giving it my money, and getting that claim ticket back. The way Tornado Cash worked is that they purposely built it so the creators themselves never took control of your money. The only person who would ever have control of your money is you. The smart contract is programmed to handle the money, but the creators built it so that they can’t even control the smart contract anymore. They literally coded all zeroes in for who can control it, which means nobody can.
GEOFF: As the stories have emerged, one of the people who had used this particular mix was Vitalik Buterin, who, of course, came up with the Ethereum protocol, I think co-developed it. He said, look, this is exactly what I did. I wanted to donate to Ukraine. I didn’t want to do it publicly, and that is the hazard of using crypto, is it is public, so I used a mixer because I want to preserve my privacy. There are good, privacy-preserving reasons to use something like Tornado Cash, and that’s, I suspect, the reason Tornado Cash was set up, largely, was for those privacy-preserving reasons.
JACK: Okay, so you might be thinking, hold on, this is just a Bitcoin tumbler, a mixer for money laundering, and there have been lots of them in the past. Weren’t they all illegal, anyway? Yeah, that’s the thing. [MUSIC] This one was different, very different. The ones in the past were typically custodial mixers, meaning someone is actually in possession of your money. If someone put a gun to their head, they could hand over all your money. These kind of mixers are illegal because the person holding the money should know whose money they’re holding. Like, if I give you something illegal to hold, you could be in just as much trouble for holding it as me. Yeah, a bunch of people were running these mixers and were caught by the police and arrested for running unlicensed money-transmitters, and the police were able to shut down those services. The difference here is very important. A custodial mixer is where you give your money to some person to hold for when you want it back, while a non-custodial mixer — the money is held on the blockchain, not in anyone’s possession, kind of like if you just stashed your money in a locker somewhere and then you gave the key to someone else and they got it out.
The place that owned those lockers had no idea what you put in there, so they can’t be held liable for whatever was in there, kind of like a dead drop. Now, I imagine the makers of Tornado Cash saw that custodial mixers had been shut down and arrested in the past, and they probably knew full well that a service like this might be abused by people. So, Tornado Cash developers were like, we have to be absolutely certain that we’re never in possession of anyone’s money, ever. We can never have custody since those kind of mixers are illegal. So, it’s only with the invention of smart contracts that they were able to make a service like this, that they could be completely hands-off, a service that nobody was operating or running. It was headless. The developers could never touch anyone’s money even if they wanted. It was coded that way. In no way, shape, or form are they ever in possession of anyone’s money, and they went to great lengths to prove that. Not only that; they wanted this thing to be extremely resilient and impossible to be taken down, as they felt that privacy tools like this were very important to people.
Also, a lot of these mixers in the past were tailored for criminals. AlphaBay, for example, was a darknet marketplace where people could buy and sell illegal items. Well, the site had its own crypto mixer specifically designed to help you hide your illegal purchases, and in the world of cyber crime, intention matters. If you are building something specifically for criminals to conduct crimes with, that’s racketeering and you could get RICO charges against you. But the developers of Tornado Cash held on strong that this was a privacy tool. That was their point, and to make that clear, they didn’t hide in the shadows of the darknet. They were open about their service and made it easily accessible. I mean, they even had a Twitter account and a normal website which all clearly said this is a way to have private transactions on Ethereum. So, as you can see, as a person who values my own privacy, I found this tool to be helpful and important. Decentralization is very fascinating to me, too. My website, darknetdiaries.com, is hosted on a single server somewhere, but Tornado Cash was kept up by hundreds of thousands of people running Ethereum validators, and there’s something amazing and beautiful about that. We can put something on the blockchain and you know it’ll permanently be there as long as Ethereum exists.
GEOFF: You’ve understood exactly. That’s precisely what it is. At least, that’s what the claim was from inside Tornado Cash. As we’ll talk about later on, others have cast a lot of doubt on that. But certainly that was the claim, that Tornado Cash is this headless organization and once you use it, you’re effectively using an automated machine. It’s like going up to a vending machine, sticking your money in, and getting the can out. The vending machine’s been forgotten by whichever company was meant to own it. It just runs on its own.
JACK: Well, clearly I wasn’t the only one to use Tornado Cash. The people who stole the $600 million from Axie Infinity also noticed Tornado Cash and sent hundreds of millions of dollars to it.
GEOFF: [MUSIC] Now, this has obviously presented a lot of problems for the — particularly the United States government, because they can see that the money’s gone from — the stolen — the money’s gone — from Axie Infinity had been stolen and sent to Tornado Cash. They believe it’s North Korea behind this, but who do you prosecute? There’s nobody behind Tornado Cash at this time. That’s what they thought. So, it’s like, what do we do about this? So, they did the next best thing, the US government; they put Tornado Cash under sanctions and basically said, look, this mixer, this Tornado Cash mixer, is working for the North Koreans, we believe, we claim, and therefore anybody who interacts with this mixer and sends money to it or receives money, anybody who interacts who’s in the US — people, organizations, doesn’t matter — they are breaching sanctions as well. We can’t shut Tornado Cash down but we can freeze it out by saying, you cannot interact with anybody in the US anymore, and anybody in the US who interacts with Tornado Cash, you’ve committed an offense and we can come after you.
JACK: Sanctions, what? The privacy tool I use got sanctioned? Hold on, hold on. This does not feel right. Okay, I need some names. Who created Tornado Cash?
GEOFF: Yes, three people, it seems, created it. They are Andre Pertsev, Roman Storm, and Roman Semenov. They worked for a company called PepperSec, and I think it’s — as we’ll get into, there’s some legal proceedings around this that we have to be quite careful about, but I think it’s fairly uncontronversial that they set up PepperSec and they created Tornado Cash. But the key thing is they created it, they say, to preserve privacy, and having created it, they got to a certain stage and said, okay, we now burn our passwords lists, we step back. We have nothing more to do with this. It’s running on its own, the Tornado Cash DAO.
JACK: Oh, it was a DAO. Of course. DAOs are fascinating. What I’m saying is an acronym, D-A-O, DAO, and it stands for decentralized autonomous organization, and this is a perfect example of one. [MUSIC] The internet has changed everything about our lives. You know that already. Every day I get online and I chat with loads of people from all around the world and I visit websites from other countries, and it never feels like I’m traveling far away to another country to interact with them. It’s just right here on the screen in my bedroom, just milliseconds away. The internet has connected us in a way where national borders just don’t seem to exist anymore. So, if you were to start an online business that exists only online and there’s no physical product or reason to have a home base — and maybe you start it with two other people. Like, one person is from Europe, another is from Asia, and the third is from the US. What country do you establish your business in? Forget it. Why not just make it an online company not part of any nation at all? Is that possible? I mean, traditionally you needed to make a company like an LLC or something in order to get a business bank account to do business with the world. But since this service is all cryptocurrency-based, you don’t need a bank, and autonomous means the company can continue to operate without anyone controlling it. Tornado Cash was one of these DAOs.
It was decentralized and autonomous. It existed only online and was capable of operating all by itself. This is another new thing in the world that didn’t exist ten years ago. These DAOs exist online only. It’s a business that isn’t seeded in any specific country. Why should it be? If people are getting paid from a DAO, then those people can just report their income on their taxes and say they’re contractors for that organization. So, the US federal authorities were mad that hundreds of millions of dollars were stolen and then sent through Tornado Cash. They wanted to seize the funds and shut down the service. But like I said, Tornado Cash was built in a way that it was impossible to turn off and they never had control of the funds ever. So, the only tool the US authorities had to try to stop it was to sanction it, which, I don’t even think you can sanction an app, a piece of code. I mean, it’s still there on GitHub for anyone to see right now. So, if it’s illegal, why is it on GitHub? Code is just words and symbols, so in essence here, they’ve sanctioned a bunch of words that in a certain combination has meaning? So, can you even sanction a page with words on it? Isn’t there a free-speech violation in here somewhere? But not only did they sanction the code; they decided to arrest the people who started it. But what was their intention for starting Tornado Cash? Because as I said earlier, in the world of cyber crime, intention matters.
GEOFF: It really does, and, well, there’s two sides to this. You can go on the back of what they’ve said and what their defenders say, which is this was a privacy-preserving tool. The intention was never to enable money laundering. However, the counter-argument from the authorities which they’re making very strongly and in court is it doesn’t matter. If you’re gonna run a money-transmitting business dealing with, as Tornado Cash was, hundreds of millions of dollars, you are obliged to think about money laundering. You can’t just naively set the thing up and hope no criminals are gonna use it. That’s not how it works, buddy. You have to obey money-laundering laws. So, we’ve got arguments on both sides. We’ve got arguments the intention was never there. We’ve got the argument on the other side saying it doesn’t matter. You’re on the hook for this if you set up these businesses. As you can tell, I’m being diplomatic about this. A; ‘cause there’s legal procedures about it. B; also because I hear both sides. I do genuinely hear both sides, and that’s the thing. It’s a fascinating debate. That’s why it’s a fascinating story.
JACK: Hm, the police are saying intention doesn’t matter here. The act of creating open-source code and putting it on the blockchain to help make your financial transactions private was illegal because someone misused their tool. I want to point out here that the US government isn’t clear on whether cryptocurrency is even money or not. The Commodity Futures Trading Commission, the CFDC, classifies it as a commodity. The SCC classifies it as a security. The IRS classifies it as property, and FinCEN, the Financial Crimes Enforcement Network, classifies it as money, which is what requires people to follow the anti-money-laundering laws. The government has made all this so confusing. I hate being in this position. I don’t want to take the side of criminals who stole this money, but because I want to live in a world where financial privacy exists, I feel like sanctioning privacy tools hurts me.
GEOFF: Yes, but the cost of that, that’s — if you do 100% privacy, you have to protect people you don’t like as well. It’s a fascinating debate. This is why it goes around and around in my head in the same way it sounds like it’s going in yours, as well.
JACK: Because the money-transmitting rules they were supposed to follow was KYC, which stands for ‘know your customer’. For them to operate this legally, they would have had to ask everyone who uses the service for their real name, identity — upload your driver’s license, tell them your address, and when you do all that, now it’s not so private anymore. Now creators have to maintain a database and a whole back end full of people’s personal information. I don’t want my personal information in a database somewhere just so I can privately buy a cup of coffee. The best privacy tools are the ones who know nothing about who I am. When the financial system becomes a surveillance system, we start having big problems. [MUSIC] Look at China, for example. They have this social credit system where if you do things the government doesn’t like, they can restrict what you buy. They can also see everything you buy and make judgements about your character based on it, restricting other areas of your life, or even targeting you as a problem citizen. A government that is watching your every purchase is not encouraging of a free society. Let’s look at some legitimate use cases for why you’d want to use Tornado Cash to hide your transactions. You heard me say that I like to have this buffer between my public life and my private life. The internet is a big, old, dangerous place, and if you don’t believe me, listen to the previous 146 episodes of this podcast. It’s important that we secure our stuff and take our privacy seriously.
Also, imagine going to buy something from someone and as soon as you give them the money, they can look to see how much money is in your bank account and all your previous purchases. This is how Ethereum works by default, so we need a way to shield our purchases from the rest of our transaction history. You heard how Vitalik, the creator of Ethereum, wanted to donate to Ukraine but wanted to do so privately without anyone knowing. There’s another reason; he’s a public figure. He wants to keep his political activities to himself. There are non-profits that I know of who go to great lengths to keep their donors private because donors don’t want the public to know what causes they’re giving towards and don’t want any extra solicitation from people asking them for more money. But I keep thinking about stories of people living in oppressive regimes; China, Russia, Iran. If you live there and speak up against the government, you could easily go to jail. These governments want strict control over their citizens, so monitoring financial transactions is crucial to keeping a strong grip on them. So, dissenters and activists in these countries absolutely need a way to send and receive money in a private way to support their cause and educate people in the atrocities of their own government. Their life depends on private financial transactions. Churches and charities don’t care if you deliver them a big bag of cash as an anonymous donor, and it’s none of anyone’s business if I want to donate anonymously. I want the same thing for digital transactions. I think taking down privacy tools like Tornado Cash hurts regular people.
GEOFF: Which was exactly the basis on which the crypto-campaigners sued the United States Treasury and Janet Yellen individually after the sanctioning of Tornado Cash. This decision to sanction Tornado Cash went down very, very badly with large swathes of the crypto community, it has to be said, for exactly the reasons you’ve outlined. One of the key arguments and a fascinating argument is to what extent are you responsible for the downstream effect of code that you create and make available? The people who saw this decision by the Treasury, the US Treasury, to sanction Tornado Cash, said, well, you can’t sanction code. You can sanction the person that misuses the code. You don’t — if somebody gets stabbed, you don’t prosecute the person who made the knife. You prosecute the person who did the stabbing. So, that was the argument on which the US Treasury — one of the arguments on which the US Treasury was being sued. The other line of argument was that code, as you said, is freedom of speech and freedom of speech is constitutionally protected. Those cases, by the way, the attempts to sue the Treasury over its decision on Tornado Cash, got rejected, have not done well, but are being appealed, as far as I’m aware, at the moment. So, they lost in the first — at least one round, maybe two rounds, but they’re continuing that campaign because they argue exactly the same as you’re saying which is this is code. You don’t prosecute code because if you do, you dampen freedom of speech. You stop people inventing code. There’s a chilling effect. That’s the risk here, and that argument’s still playing out in the court.
JACK: I want to just take a step back here and note that this story wasn’t possible ten years ago. This is such a novel, new world we’re in. Money used to only be physical, but with credit cards it’s turned virtual, and with everything being online today, we need digital money. Money used to be controlled by governments, but now with cryptocurrency, it’s controlled by the people. It’s like we’re in the middle of a major revolution here. Money is power, and the governments are losing their power as cryptocurrency becomes more widespread. So, of course they’d want to put up a fight against it. Now with smart contracts and DAOs, businesses can be fully-autonomous and always online? How crazy is that that a company can exist and make money and act as an online service and it doesn’t need to be maintained or controlled by anyone? This is an entirely new kind of problem for the US government to deal with, and they don’t really have a good way to combat against it other than sanctioning the code.
If you aren’t familiar with how sanctions work, it means the US Department of the Treasury’s Office of Foreign Assets Control, which is OFAC, has declared that you are forbidden to interact with Tornado Cash. If you do, you might get arrested, but it also means your money may become frozen if you send it to an exchange. Typically when I buy things or go online, I don’t ever think about whether or not I’m violating sanctions. For instance, if North Korea is sanctioned, I don’t expect North-Korean-made goods to be in my supermarket where I could buy them and break sanction codes or something. I assume the shop owner knows not to buy sanctioned items to try to sell them to me. So, it’s completely off my radar. But here’s a situation which I think is the first time ever that an online application is sanctioned. This is unprecedented. So, now I don’t know how to navigate this world. Am I supposed to check the sanctions list every time I go online, visit a website, buy something, use an online service? This breaks my brain.
GEOFF: You are clearly not the only person who feels this, because in the wake of the US government sanctioning Tornado Cash, somebody clearly felt even more — felt very concerned by this and very put out by it and thought the whole thing was ridiculous, this idea of sanctioning. So, they set up a stunt, which is another bizarre wrinkle to this story and an intriguing one. So, the thing about Tornado Cash is even though the government — the US government sanctioned it, it’s still up and running. You can still use it. It’s code on the internet. The website went down but that doesn’t matter ‘cause the protocol — you can still send money to the protocol, effectively, and it will do what it’s programmed to do and effectively mix the money and anonymize the money. So, the thing about that is if I know, Jack, your Ethereum wallet address, I can use Tornado Cash to send you money, and there’s nothing you can do about it. It just gets sent to you automatically. So, someone somewhere — we still don’t know who did this, and I’m waiting for the day, actually, Jack, when they turn up on your podcast.
Somebody took $50,000 and started randomly sending it in tiny bits, tiny, tiny amounts, to anybody who was famous who had an Ethereum wallet, including Jimmy Fallon, the comedian Jimmy Fallon, Shaquille O’Neal, basketball star Shaquille O’Neal. They started receiving — and of course, it shows up on the blockchain. You can’t hide it ‘cause you see Shaquille O’Neal’s address and you can see it’s received money from Tornado Cash. That’s all logged. So, technically, I guess you could argue Jimmy Fallon and Shaquille O’Neal have breached sanctions, are sanctions dodging, or — and I guess you could say they should be prosecuted for that. But the whole point of this exercise was to show how ridiculous it was that anybody, even famous people who have done clearly nothing wrong, can then, as a result of this sanction of Tornado Cash, get implicated in sanctions-busting. The idea was to illuminate how ridiculous this was. So, I don’t know what Jimmy Fallon and Shaquille O’Neal have done about that, but it’s tricky. It was a fascinating stunt that emerged as part of this.
JACK: So, North Korea sent about $450 million worth of crypto to Tornado Cash to try to mix it.
GEOFF: There’s cryptocurrency-tracing companies who claim they left it in for about four weeks and then extricated it. What we don’t know, of course, is who it went to thereafter. So, you can — with mixers, and particularly when you’re mixing a huge amount like $450 million, there are companies that track crypto, and one of the things they do with mixers is they look at the amount going in and the amount going out. Now, you can’t link — this cryptocurrency payment is linked to that one going out, but you can see the volume. You can see the amounts going in, the amounts going out. So, I think that’s what they’ve done, is they’ve looked and gone, look, $450 million goes in. We can look at the outflows. Sure enough, four weeks later, $450 million comes out, to put it in very simple terms. So, that money is now somewhere in cryptocurrency wallets.
The other interesting thing is, well, then who do you take that to to cash out? You’ve got to say to somebody, right, here’s $450 million which came from Tornado Cash; don’t know where else. Could you transfer that and change it into pounds or dollars or yuan or whatever? There are people out there who will do that no questions asked. They’ll take a big cut. But doing that to $450 million, you’ve gotta have some brokers that have got some serious, serious liquidity on their hands to be able to change that. So, the theory, I think, from some people, is that there’s a bit of a glut now of stolen money that the North Koreans are accused of stealing that they’re trying to cash out but they can’t cash out quickly enough. There’s nobody that can — who can buy it off them for the $450 million or whatever they’d need. So, that’s where that’s ended up, all that money.
JACK: I guess a chop shop wouldn’t even work here because it’s more like you’ve stolen a giant bus and no matter what color you change it, you’re going to look like a giant bus coming out the other side.
GEOFF: Yeah, yeah, exactly. So, ideally you want a chop shop that can convert your big, yellow bus into a bunch of tiny, little smart cars or whatever. Just going back, as well, this idea that Tornado Cash was leaderless is now being thoroughly challenged in the courts. The first thing that happened was a guy called Andre Pertzev was arrested in Holland and accused by the Dutch government of running Tornado Cash. Roman Semenov is also indicted by the US government. He’s believed to be in the Russian Federation, so he hasn’t faced trial. I’ve tried to contact Roman Semenov; I haven’t heard back from him. Subsequently, after the sanctioning of Tornado Cash, the US government charged Roman Storm who’s in the US and is, I think, currently being tried and is in prison. Again, a fascinating trial. The same arguments are coming up in his trial as we’ve talked about, people saying, look, he did not run this.
He was trying to preserve privacy. That’s why he set it up. Now, going against that idea that these guys didn’t ‘run’ — in inverted commas — Tornado Cash, is a slightly inconvenient fact which is that according to the US government, they owned a lot of the voting tokens and crypto tokens inside Tornado Cash. So, the way this works is Tornado Cash is leaderless. It’s done by vote. Any changes to Tornado Cash get done by vote using tokens. I think part of the US government’s argument is, well, hang on, a lot of those tokens were in the hands of these three individuals. So, they may say they didn’t have control, but actually, we think they did. Also, they say that they were still making money out of Tornado Cash. So, all this leads to trying to knock down this argument the defendants have which is that, oh, we didn’t run it. The US government is saying, no, you did run it, and here’s the evidence why.
JACK: So, the guys who started Tornado Cash — two have been arrested and in May of this year, the first verdict came in. Alexey Pertsev was tried in the Netherlands, and the judge found him guilty and sentenced him to five years and four months in prison. The cops took his Porsche and €1.9 million in cryptocurrency. The press statement from the Netherlands government says, quote, “Tornado Cash is not a legitimate tool that has unintentionally been abused by criminals.” End quote. Not a legitimate tool. In fact, the judge said specifically he could not find any legitimate use for this tool, as if privacy itself is a crime.
GEOFF: What’s fascinating about this is it all starts with the hack on a video game to do with salamanders, and it ends up in this kind of epic battle royale over freedom of speech and privacy. Yeah, I find it really, really, fascinating. It’s almost like the kaleidoscopic story. You look into it and it’s got everything in it.
JACK: Yeah, we’ve gone all over the road here, haven’t we?
GEOFF: [LAUGHING] How are you gonna edit this one down? I’ve no idea. Mate, I do not envy you that task.
JACK: Another way to look at this is that the feds are saying that the developers of the tool are responsible for how users use it, and that’s a bit crazy, if you ask me. It’s like saying a lighter company is responsible any time someone uses their lighter to commit arson, or a drone-maker is responsible any time someone uses their drone illegally like spying on people, flying in the wrong airspace, or dropping a bomb on someone. Or, it’s like saying a VPN provider gets arrested, shut down, sanctioned, because some of their users went online and did something illegal. Or, my goodness, is an encrypted messaging app responsible for people doing criminal activities on it? We know criminals use iPhones. Apple knows criminals use their phones. In all these cases, the tech itself is neutral and it’s up to the user to use it responsibly. Governments have never faced anything like this before and they simply have no precedent to act on here, and in my opinion, they’re just drawing really fuzzy lines arbitrarily. They can’t even come to a consensus on whether cryptocurrency is money or not.
GEOFF: The worst example you could possibly think of, maybe with the exception of child sexual abuse, one of the worst examples you could think of would be a country using this kind of technology to get nukes. Oh yes, we’ve got that. So, it’s almost like your privacy-defending hat, your privacy-defending head, is being put to the most extreme test. It’s like, you want privacy; right. What about North Korea and nukes? It’s almost like that’s immediately what’s happened, is it’s gone to — you know when you’re arguing with somebody and they just go to the most extreme example of comparing it to Hitler or whatever. It’s like that’s happened. Now it’s North Korea. What are you going to say now? It’s, yeah, fascinating, genuinely fascinating.
JACK: Okay, I don’t buy that argument. Why? Because all this happened and they didn’t catch the real criminals here. In fact, I think even if they implemented KYC, North Korea would just have used some fake ID and it wouldn’t have helped catch them or slow them down at all. North Koreans are still on the loose with their fresh and clean $400 million, and they’re the real criminals here. Go after them. It’s crazy that this story starts with someone stealing hundreds of millions of dollars, and the people who end up in prison are the privacy advocates. As I’m researching all this, I had to refresh exactly what does money laundering mean. The act of money laundering is to hide the cash you have that was involved in some illegal activity, stolen money or drug money or something like that. Me trying to hide my transactions isn’t a crime. It’s only a crime if I’m trying to hide criminal activity. By the way, Tornado Cash, despite being sanctioned, is still up and running, because that’s how it was designed, fully autonomous and decentralized. In fact, there’s YouTube videos out there that explain how to still use Tornado Cash despite it being sanctioned, basically showing you how to get around sanctions. Videos like that surely should be illegal, right? It just makes me wonder if these sanctions have any teeth at all.
If you ever hear of anyone who gets arrested for violating the Tornado Cash sanction, please tell me. I would love to know, because what’s the point of all this if the government isn’t going to enforce the sanction at all? Because it almost feels like the government is powerless here. It has no ability to stop or control cryptocurrency or from people using apps like this. This is what permissionless money is like, and I don’t see any evidence that the government is even trying to enforce sanctions. The sanctioned code is still there on GitHub. YouTube happily hosts videos on how to avoid sanctions and still use Tornado Cash. What is happening here? Just a month ago, the SCC approved the Ethereum ETF. This means you can buy this stock on the regular stock exchange and they’ll buy ETH for you. It’s a way to invest in Ethereum without actually holding Ethereum. So, there’s this wallet out there which holds all the ETH from this ETF. Well, guess what? As soon as the internet figured out which wallet is holding the money for the ETF, someone sent a whole ETH token worth over $3,000 through Tornado Cash and then to the ETF wallet, which in my opinion means the wallet is now violating sanctions and can no longer buy or sell on an exchange. They did it to protest these sanctions, to show that there’s absolutely no way to enforce this. I guess this means Tornado Cash won. There’s no way to stop it or to stop people from using it. So, today, there’s still millions of dollars flowing through Tornado Cash.
GEOFF: It’s gone down. Don’t get me wrong, the amount it’s processing has gone down, and therefore it makes it a less efficient mixer. You want your mixer to have lots of liquidity, lots of volume going through. The less it’s used, the less efficient of a mixer it’s going to be. However, it is now a criminal mixer. So, it’s a sanctioned mixer, according to the US government, and so, anybody who uses it is gonna be a crook. What that means, of course, is if you use Tornado Cash, you’re gonna really struggle to send the money onwards, ‘cause whoever sees money coming at them from Tornado Cash is gonna go, no way I’m going to accept that, unless it’s somebody who doesn’t care about dealing with sanctioned entities, in which case you’re in a slightly murky world.
JACK: It is a very murky world, because let’s say, hey, I’m selling something online and someone’s like, I’ll buy it, and they send me the cryptocurrency that’s been mixed through Tornado Cash. Am I supposed to say, whoa, wait a minute, before you send me the money, let me analyze your wallet to make sure it doesn’t have any sanctioned crypto in it. This is bonkers. This is like running the serial number on every dollar bill you ever get to see if it’s ever been used by someone who’s been sanctioned in the past. That would be a nightmare to have to do, yet that’s what I feel like we have to do from now on. Yeah, so, suddenly I’m wondering why the US is even involved, right? Axie Infinity is based in Philippines, so I could see the Philippine police being upset.
GEOFF: Vietnam.
JACK: Oh, Vietnam. Okay, so I could see the Vietnamese being like, alright, we gotta sanction this ‘cause we don’t have any other way, right? Then you’ve got the creators of Tornado Cash. They’re not US-based, are they?
GEOFF: Yes, Roman Storm is based in the US, but actually at the point where they sanctioned it, I don’t think that’d had been confirmed. Look, with sanctioning — sanctioning is a really interesting power in that basically any time money transfers across the US, the US can exert control in terms of sanctions. So, it’s extremely difficult to avoid if the US government wants to go after you on sanctions. It’s extremely difficult to avoid. That’s the US government’s argument, is that there would be US users using this service. Money transactions would have gone across the US territory. Also, as far as I’m aware, sanctions — the sanctions-dodging accusations that the US puts at the foot of North Korea gives the US government huge scope to go after it around the world. Wherever North Korea tries to dodge sanctions, it seems the US government can go with its sanctions legislation.
JACK: Yeah.
GEOFF: It seems odd but in a way it doesn’t surprise me one jot that the US has managed to try and do this.
JACK: Right. I don’t know if — there’s the word ‘tradcri’, but traditional crime is based with people in countries and those countries deal with that or whatever, and here we have a new kind of crime which is — there is no boundary. There is no country. There is no head of some company. There is no person controlling the code. I don’t even know if it is a crime. We haven’t even established that. There’s laws that are established to avoid money laundering that may have been — I don’t know what’s going on. It’s another person in another country that did it, right? So, it’s…
GEOFF: But this is why sanctions are such a useful weapon and why the US is resorting to them more and more. We’ve had Bitcoin Fog; there’s a prosecution in that case recently, another crypto mixer. This is why the US government is using them, is we can’t nick these people. We can’t lock them up and put them in handcuffs most of the time. We can use financial — frankly, financial warfare. This is what we do now.
JACK: Financial warefare?
GEOFF: We can’t police the code. We can’t police the people. But it’s all about money, so we are just gonna use that sanctions power which is a really big, broad power to use. As soon as I started seeing this and I started realizing what was going on, it’s like, oh, that makes perfect sense. You’ve got so few weapons to bring to the battle, but you’ve got this weapon and it’s really good and you can use it wherever. It makes perfect sense.
JACK: You know, as I was researching this episode, I saw more stories like this. Another privacy service just like this called Samourai Wallet was also shut down by the US federal authorities, and the people who started it were arrested. This was a coin join on a Bitcoin network which isn’t the same as a smart contract system, but it is a autonomous system and it’s non-custodial, and it was also open source. Here you have people who have contributed to an open-source project who are getting arrested because the feds are accusing them of running an illegal money-transmitting service. As my eyes become tuned into this, I’m seeing more and more stories like this. The Phoenix wallet decided to remove themselves from the App Store, not saying a reason why. IBEX Pay is shutting themselves down, not saying why, either. MetaMask received an enforcement action letter from the SCC, and they’re countersuing the SCC over that. [MUSIC] Something big is going on here. Privacy advocates have fought the government in the past before and won.
The story of Phil Zimmerman comes to mind. Phil created a fantastic encryption program called PGP which allowed you to send an e-mail to someone encrypted, so only you and the receiver could see what was in it. Yeah, well, the US government hated this kind of encryption that gave us privacy. Encryption? That’s only for the military. How dare civilians try to use it? So, they classified PGP as a munition and they called it a regulated arm as if it was a weapon, which allowed them to say, look, Phil, unless you get an arms export control license, you can’t go distributing encryption code online, because what happens if criminals use it? They could hide their communications. Nobody wants that, right? The FBI began investigating Phil. Well, the privacy community was outraged that the government was restricting us from encrypting our own messages, and they started being vocal about how important privacy was. Someone suggested to Phil that he should publish the PGP code in a book. Phil’s like, what? Why? It’s a program. It’s code. Just download it online. Jeez, if I were to put it in a book, that would take 800 pages to print it. But the thing was books weren’t considered regulated munition. Books were protected under free speech law, so if he were to publish the source code in a book, that would give him protections that what he’s written is just words and not, in fact, a regulated arm.
So, he published it in a book, and it was 800 pages of code. Well, enough people voiced their support for encryption and privacy that the government finally gave in and let Phil off the hook, and even took encryption off the regulated arms list. It was a big victory for our privacy, and thank goodness, because encryption is inherent in everything we do online now. Even what you’re hearing right now, this podcast, was delivered to you encrypted so that anyone who intercepted the packets along the way wouldn’t know what you’re listening to. It would have been illegal for me to use encryption on this podcast in the nineties without an export license. I did a whole episode on this, actually. That’s Episode 12, called Crypto Wars. What Phil showed us is that code can be printed in a book and if it’s printable like that, it’s protected under free speech. So, once again, it’s unprecedented that the government would put a sanction on code, which has always been free speech until now. Until now. I don’t know, the crypto space is so complex that if I send it to your wallet and you sent it to my mom’s wallet and she sent it to my wallet and then I sent it to the exchange, is the exchange gonna know that still came from Tornado Cash?
GEOFF: Very good question, and that comes down to how much liability the exchange has. So, in the situation you described there, that’s, what, four hops? I think given the cryptocurrency tracing is fairly well-developed, I think the authorities would say, well, hang on, you should still have known it came from that. But if you’re doing about a hundred hops or a thousand hops, maybe that’s enough hops that the authorities say, well, yes, you had no way of knowing this, back in the day.
JACK: Okay, well, transfer it to Polygon and then back to ETH and now you’ve got a new wallet, and it’s — I don’t know if that’s traceable. There’s just a lot of ways to get around that even still.
GEOFF: Now you’re thinking like a money-launderer, Jack. That’s what I’d hoped we’d get in this conversation, where you finally — that’s what the book’s about.
JACK: Yes, the book. Now, Geoff has released a book called Rinsed, which goes into the modern ways criminals are laundering money. It’s full of things that make you think about the new future that we’re facing. I deviated quite a bit from it here, but what Geoff told us today was a single chapter from the book, so you can imagine how much more you learn from getting this book and diving in. So, go read Rinsed today and let me know what you think of it. I’ll leave you with this very important warning from the FBI, which was issued April 25, 2024. This is PSA I-042524. ‘The FBI warns Americans to avoid cryptocurrency money-transmitting services that do not collect your name, ID, address, and other personal information.’ To me, this is akin to the FBI advising against driving on roads without license plate readers or walking on sidewalks without facial recognition cameras. It’s like being told not to wear sunglasses on a sunny day or to avoid using curtains in your house. By cautioning us against privacy tools, they aren’t just infringing on our rights. They’re asking us to live in a glass house, exposed and vulnerable. This isn’t just a warning. It’s a push towards a future where privacy is a relic of the past. Is that the world we want to live in?
(OUTRO): [OUTRO MUSIC] A big thank-you goes to Geoff White for sharing this story with us. You can find a link to his book, Rinsed, in the show notes. Go check it out. This episode was created by me, the firewall fidgeter, Jack Rhysider. Our editor is the router rigger, Tristan Ledger, mixing done by Proximity Sound, interim music by the mysterious Breakmaster Cylinder. I was moving my stuff the other day and I had to carry my computer down some stairs, but I dropped it and it tumbled down the stairs, smashing itself to bits all the way down. At the bottom of the stairs was just a big mess of broken parts. The only thing that was salvageable was a stick of RAM, so at least I have the memory of it. This is Darknet Diaries.
[END OF RECORDING]