How crypto and the US government can team up against North Korea
Plus: AI agents could be a privacy nightmare
Happy Wednesday! We can’t stop thinking about the future of crypto compliance, which is a lot more sci-fi than it sounds. Also, a frightening notion is haunting the AI agent hype.
Crypto and the US have a common interest in countering Lazarus
The anti-crypto army may have fallen, but crypto’s number one adversary—North Korea’s band of state-sponsored hackers known as Lazarus—is thriving. Since North Korea is also an enemy of the US government, there’s an opportunity for collaboration, argues Michael Mosier.
Mosier has seen the issue from nearly every seat at the table. He worked as a lawyer for the blockchain analytics firm Chainalysis, served as acting director at the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN), and was the top attorney at Ethereum Layer 2 builder Espresso before launching his own law firm, Arktouros.
In some ways, the situation isn’t complicated. Lazarus has mastered the art of stealing and laundering cryptocurrency, and it keeps improving—last month’s billion-dollar hack of the crypto exchange Bybit was its most sophisticated yet. The industry must find ways to counter this threat, because it is bad for business when the same criminal group keeps walking off with huge amounts of customers’ money. The US government also wants this to stop, though for a slightly different reason: the stolen money is funding North Korea’s nuclear weapons program.
That may help explain why the Department of Justice is prosecuting Roman Storm, one of the developers of the Ethereum-based privacy tool Tornado Cash, which Lazarus has used to hide its tracks after stealing crypto. Many crypto advocates see the Storm prosecution as a hostile government overreach.
But maybe Lazarus ultimately represents an opportunity to work together. There is “a very natural non-coercive alignment with the US government and the crypto industry writ large,” Mosier said on the podcast.
The central problem is that traditional anti-money laundering measures—like requiring someone to submit a government ID and other identifying documents before opening a new account—aren’t working. Acquiring false identity credentials good enough to fool modern know-your-customer (KYC) systems is easy and cheap.
On top of that, traditional approaches lean on intermediaries (banks, etc.), requiring them to maintain lots of information about their customers and submit reports documenting large and/or “suspicious” transactions. In genuine decentralized systems, such intermediaries do not exist, and reporting suspicious transactions after the fact is often too late.
On the other hand, Mosier said, public blockchains provide law enforcement officials with a wealth of transaction data that can be analyzed and acted on. Systems that can automatically detect bad actors based on characteristic behaviors and other “malicious indicators” can be used to prevent them from moving money. It’s possible to use “activity-based indicators” to ascertain, for example, that “this wallet is probably Lazarus because of the way they are moving the money,” he said.
As we’ve discussed at length in this newsletter (and all day long at the inaugural DC Privacy Summit last October), it’s also possible, using zero-knowledge cryptography, to verify identifying information about someone without collecting the underlying personal data. That could be an effective way to do certain kinds of automated compliance checks in real time. It might also save firms on compliance costs since they wouldn’t have to pay to store and secure so much sensitive data.
This is not marketing for the crypto industry. It’s an argument that by using information and tools available thanks to cryptocurrency technology, it’s possible to devise systems that can be more effective at mitigating a risk that the government needs to get more effective at mitigating. Nonetheless, trying to convince a critical mass of policymakers to change their mindset on this issue has felt like “banging your head against the wall,” according to Mosier’s fellow podcast guest Rebecca Rettig, a longtime DeFi lawyer who is now chief legal officer at Jito Labs.
The Bank Secrecy Act, which imposes KYC requirements in the US, and other compliance programs “are so entrenched in people’s minds as ‘what works,’” Rettig said. That’s been an obstacle to progress toward something that “both legislators and good actors in the industry really want,” she said: “Just a system that detects, documents, and deters good actors.” —Mike Orcutt
Meredith Whittaker: ‘AI agent’ hype threatens privacy
There is no buzzier term in the crypto world than “AI agents,” but the hype spreads well beyond crypto. A Salesforce ad featuring Matthew McConaughey and Woody Harrelson tells us how these little artificial guys can do amazing things for us, like avoid booking an outdoor table at a restaurant on a rainy day.
Unfortunately, the commercial does not explain why the restaurant would still be seating people in the pouring rain, how exactly an agent would work, or what an AI agent even is. The main message is that relying on AI agents is what cool people do now. No details, no devil. Wave it in.
Hold up, says Meredith Whittaker. The president of the Signal Foundation and chief advisor to the AI Now Institute, a policy think tank, warned a rapt audience at South by Southwest last month that the “introduction of this sort of notion of agentic AI into our devices and lives” is dangerous and threatens privacy.
Consider the initial sales pitch: AI agents are supposed to be able to do things like research flights and hotels, make reservations, note it all down in our calendars, and message relevant friends and colleagues.
“So what would it need to do that? Well, it would need access to our browser, an ability to drive that. It would need our credit card information to pay for the tickets. It would need access to our calendar—everything we are doing, everyone we are meeting. It would need access to Signal to open and send that message to our friends. And it would need to be able to drive that across our entire system with something that looks like root permission.”
There’s no current way to do all that encrypted, Whittaker said. And a sufficiently powerful AI model would not be able to run on the user’s device, she warned. “That’s almost certainly being sent to a cloud server where it’s being processed and sent back.”
Whittaker’s pessimism is a welcome counterbalance to the commercial depicting McConaughey moping in the rain because he didn’t use an agent. Marketers want you to think AI agents are a matter of inevitable technological progress. Not only is that not true, but given the obvious and thorny questions they raise about privacy, agents seem in many ways to be anathema to the values of crypto. At least until it’s possible to do all that stuff Whittaker described while preserving users’ privacy, that is.
Her dire warning was part of a larger argument she made during the fireside chat, which is that thus far the progress of artificial intelligence has been “predicated” on corporate surveillance by big tech companies. Agents are an immediate concern in that vein, she said.
“There’s a profound issue with security and privacy that is haunting this sort of hype around agents,” she said. The trend threatens to “break the blood-brain barrier between the application layer in the OS … in the name of this sort of, you know, magic genie bot that’s going to take care of the exigencies of life.” —Mike Orcutt
Headline Watcher
ICERAID: Report immigrants, get paid in crypto. A project called ICERAID—which promises to pay crypto rewards for uploading images of “criminal illegal alien activity” to Immigration and Customs Enforcement (ICE)—is a thing, apparently. It went viral recently after right-wing activist Laura Loomer advertised it on her podcast. We don’t have anything pithy to say about this one other than … yikes. (via The Rage)
0xbow unveils ‘Privacy Pools,’ a new blockchain privacy tool drawing from Vitalik Buterin’s research. In 2023, Buterin and 0xbow cofounder Ameen Soleimani and a few other researchers co-authored a paper describing a method for using zero-knowledge cryptography to make “association sets” containing wallets previously screened for any links to known criminal activity. This concept is the heart of Privacy Pools, which is meant to enable Tornado Cash-like privacy, but only for users who can prove their money is untainted. (via The Block)
PS: At last October’s DC Privacy Summit, Soleimani and 0xbow cofounder Zak Cole explained why they developed the technology and how it works.
Sen. Gillibrand warns against a “watered-down” stablecoin bill. “You have to think through all the ways this can go wrong,” the senator from New York and top Democrat behind the bipartisan Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act said at a conference in Washington, DC last week. “Do not think that a watered-down bill will help your industry,” she added, according to CoinDesk. “It will destroy your industry.”
Trump’s crypto venture introduces new digital currency. World Liberty Financial says it will launch a stablecoin called USD1. As the New York Times puts it, the stablecoin adds to a “messy knot of business conflicts” the president has created with his various forays into the crypto industry. One example: Congress is considering crypto and stablecoin-specific legislation that has a legitimate shot at reaching Trump’s desk this year.
Crypto bill to combat illicit activity gets new push after passing US House in 2024. Republican member Zach Nunn of Iowa and Democrat Jim Himes of Connecticut have reintroduced the Financial Technology Protection Act, which would set up an “interagency working group to collaborate with industry experts to disrupt the use of emerging financial technologies by bad actors.” (via CoinDesk)
Polymarket’s $7 million Ukraine mineral deal debacle traced to oracle whale. Mad libs headline, anyone? Apparently someone holding an enormous number of governance tokens for the oracle that Polymarket uses to resolve its prediction markets was able to cast 25% of the votes and force through a “yes” resolution on a bet over whether the US and Ukraine would agree to a mineral deal—even though no outcome has yet been reached. Those betting “yes” have made more than $7 million, according to The Defiant. Polymarket is not issuing refunds because “this wasn’t a market failure,” but promised to make sure the “unprecedented situation” never happens again. Glitchy AF.
‘Hawk Tuah’ girl off the hook for hawking meme coin!!! Yes, that’s the real headline from the TMZ exclusive. The SEC had been investigating Haliey Welch’s memecoin, which pumped before whoever pumped it dumped within hours of launching in December. “For the past few months, I’ve been cooperating with all the authorities and attorneys, and finally, that work is complete,” Welch told TMZ, which reports that she has “parted ways with the LLC behind the coin.”
Amazon’s AGI lab reveals its first work: advanced AI agents. Amazon has quietly created its own AI lab in San Francisco. Now it has revealed its first project: “A new AI model capable of powering some of the most advanced AI agents available anywhere,” Wired reports. The new system is a version of Amazon’s proprietary large language model, Nova. The company is using a training method called reinforcement learning to “improve Nova’s agential abilities,” according to the article.