The U.S. Government’s Treasury recently sanctioned Tornado Cash, a popular cryptocurrency mixer. According to a press release from the Treasury’s Office of Foreign Assets Control (OFAC), Tornado cash has been used to launder over $7 billion since its creation in 2019. Additionally, the report claimed that notorious North Korean state-sponsored cyber attackers, the Lazarus Group, usually launder stolen funds via Tornado cash, the most recent being the Harmony bridge attack that saw the protocol lose over $100 million.
Despite the increased sophistication of DeFi and Blockchain technology, security has remained a pressing concern in 2022; with over $2 billion in losses in 2022, DeFi security has left much to be desired. Furthermore, although cryptocurrency mixers claim that they help to achieve absolute anonymity on blockchain transactions, it is unfortunate that these protocols are huge tools for criminals to move their stolen funds without leaving a digital trail. Hence, despite the need for zero regulations and absolute anonymity in crypto transactions, many users tilt in favor of the U.S. government banning cryptocurrency mixing protocols.
However, DeFi insecurity didn’t start with Tornado cash or crypto mixing services; hence, the big question lies, “can money laundering be really eliminated in DeFi,” or perhaps, can it be beaten down to the barest minimum without making people lose millions of dollars in a single hack.
Regulation, A Solution To Mitigate The Concerning State of DeFi Security?
Several debates have lasted for years on whether DeFi should be regulated or not. Unlike traditional finance, DeFi is not facilitated by any centralized third party that brokers transactions; instead, smart contracts run the show. As a result, transactions between two or more people happen without requiring any regulator.
One of the foundational building blocks of Blockchain technology is the absence of centralized regulations. Validating the authenticity of transactions is usually carried out by decentralized nodes connected to the blockchain, ensuring that proof of everything is on the blockchain and no one cheats the other. However, this security is limited to ensuring fidelity in transactions, i.e., it can help to ensure that in the process of sending Bitcoin from Mr. A to Mr. B, no one sends twice, and no one is cheated. The proof of a successful transaction is present on the public ledger, and no one has to argue.
On the other hand, individuals are responsible for securing tokens in their wallets. Hence, the Bitcoin Mr. B has received in his wallet can only be secured adequately by him. If his private keys get compromised, he could lose his tokens; similarly, if he connects his wallet to a DeFi protocol, he and the protocol are responsible for securing his tokens. As a result of this increased responsibility given to individual users and DeFi protocols, cyber attackers look for loopholes to penetrate funds kept in individual or pooled wallets and cart them away.
Of course, Decentralized Applications (dApps) can be created by anybody who can code in the needed smart contract language, and if the user makes the slightest mistake of erroneously signing a fraudulent contract, it will be confirmed on the blockchain, and the transaction will pass through. So, for example, if someone hacks into your internet banking platform and transfers money to another account, the general server at your bank has no way of knowing if it was you or not; hence, it is approved. Similarly, in crypto and blockchain technology; once security is breached and the wallets are stolen, the blockchain validators (or miners) confirm the transaction as normal.
The difference between blockchain and regular traditional transactions is that the theft can be easily caught since there is a central database with zero anonymity. Hence, if a person hacks into your account and sends money into their account, the authorities can easily track the transaction and arrest the culprit, but it’s a different ball game with crypto and blockchain.
How Do People Launder Money With Cryptocurrency?
Unlike traditional finance, blockchain transactions are pseudonymous (slightly anonymous). Hence, when an attacker steals cryptocurrency and transfers it to their non-custodial wallet address (e.g., exodus wallet), the transaction is registered on the blockchain; however, nobody can really ascertain the owner of the wallet because anyone can open an exodus wallet without needing a name, email address, or any personal details – hence, at this point the transaction is anonymous.
However, attackers face problems when they want to take out the stolen cryptocurrency into centralized exchanges (e.g., Binance). To use a CEX like Binance, you must register with your legal name and a government-issued ID. Hence, it is similar to a bank account where all transactions can be tracked to see “who sent what.”
Attackers cannot convert their stolen cryptocurrency to cash without exchanges; sending the stolen crypto directly from their wallet will blow their cover; hence, they employ the service of a cryptocurrency mixer. This literally mixes the cryptocurrency sent to it, such that the trail is lost, and the attacker can take out mixed cryptocurrency and spend them like they were clean.
Crypto mixers are the most common tools notorious for aiding attackers in laundering money; hence, many Centralized exchanges have banned transfers to and from these mixers, as it counters the Anti-Money Laundering (AML) policies of these exchanges. In addition, the latest sanctions of the U.S. treasury on Tornado cash will see a huge decline in exchanges that support mixers.
Is The Desire for Absolute Anonymity Synonymous to Having Malicious Intent?
Typically, anonymity isn’t evil. For people who want to keep some details of their transaction extremely discreet, working with crypto mixers or privacy blockchains makes it very possible. However, in the guise of seeking anonymity, many malicious attackers have laundered money.
Blockchain technology was initially created to bypass government censorship and regulation; however, considering the security challenges associated with DeFi, many industry players are calling for some level of regulation to protect investors. On the other hand, Blockchain purists are vehemently against the idea, claiming that increased regulation is against the foundational reasons for creating Bitcoin.
Is There A Solution?
An ideal solution to counter money laundering in cryptocurrency would be one that addresses the underlying issue without introducing a central authority into DeFi transactions. However, so far, there has been none. At this point, a fine balance is being struck to restrict the access of mixers to and from Centralized Exchanges so that it becomes more difficult for them to cash out money to fiat without getting exposed. However, this only makes the process more difficult; it doesn’t entirely stop them from stealing or moving stolen funds.
Perhaps, the more pressing solution is to tighten up DeFi security and drastically reduce thefts on DeFi protocols. So, if it becomes more difficult to steal, there will be less money to launder. However, if the thefts remain at a high level, the attackers will always find a way to move their money.