It’s Glitch 16! Time sure flies when you’re having fun. Hey, don’t forget: if you love Project Glitch, consider becoming a paying subscriber. Either way, thanks for being here!
In this issue:
Mixers, Kim Jong Un, and the fight for the future of financial privacy technology
How Elusiv’s privacy protocol is designed to root out bad actors
ODDS/ENDS
Advocates are preparing for a legal fight over crypto ‘mixers.’ But there may also be a longshot technological fix.
Crypto fans are mad, mad, mad at the US government. Again. And to be fair, the Department of Treasury’s latest proposed rule targeting cryptocurrency “mixers” has backed enthusiasts and developers into a corner. A drawn-out fight in the courts seems likely.
On the other hand, some believe the same cryptographic capabilities that the government has targeted could also help crypto get out of this particular pickle.
In October, the Department of Treasury filed a notice that it intended to create a rule requiring financial institutions to submit detailed reports about transactions involving platforms or services known as mixers. Mixers pool deposits from multiple users before letting individuals withdraw the same amount as they deposited, but stripped of any information that may identify them. People use mixers to do things like make anonymous donations—and, yes, launder money.
Under the proposed rule, if a crypto account at a regulated financial institution were to transact with a mixer and the institution so much as “suspects” that the transaction involved a non-US jurisdiction, it would be required to submit a report to the Treasury’s Financial Crimes Enforcement Network (FinCEN). The report would need to include the amount, personal information about the customer, and information about the mixer the customer used, among other data points.
This kind of thing does not go over well with crypto users, who tend to also be privacy advocates. As written, the rule would “baselessly tar many legitimate transactions as criminal,” crypto policy think tank Coin Center argued in its public comment last week.
The proposal “seeks to vilify a particular technology rather than address the root cause,” argued LeXpunK, an advocacy group made up of crypto lawyers and developers. Treasury’s actions, including the sanctions it imposed against Ethereum-based mixer Tornado Cash last year, have had “a material chilling impact on privacy and the development of privacy-preserving technology, particularly in the US,” the group added.
It is true that Treasury has drafted a broad definition of “mixing” that could encompass a large portion of all day-to-day cryptocurrency transactions. And based on my reporting, Treasury’s actions have legitimately raised fears among developers that working on crypto privacy technologies could get them in trouble with American law enforcement. As I’ve argued before, this stuff has implications for the future of online privacy generally, not just cryptocurrency.
But let’s acknowledge the elephant in the room.
It seems clear that Kim Jong Un’s regime in North Korea has forced the US government’s hand here. If the Lazarus Group, North Korea’s notorious state-sponsored hacker collective, had not been one of the biggest users of Tornado Cash, we may not even be having this conversation.
So, if crypto developers could come up with their own way of preventing North Korea from stealing and laundering cryptocurrency to fund its nuclear weapons program, maybe Uncle Sam wouldn’t be so bent out of shape. (Okay, the key word is “maybe.” Call it a plausible theory.)
Mixers are bad … mkay?
Treasury’s proposed rule would draw on authority provided by the Patriot Act, a sweeping anti-terrorism law created in the wake of the 9/11 attacks. It would classify “transactions involving convertible virtual currency (CVC) mixing” as “transactions of primary money laundering concern.”
“Over the past few years, Treasury has monitored, and expressed concern with, the increasing use of CVC mixing by illicit actors,” the department stated in October. “In particular, the (Democratic People’s Republic of Korea)—already under pressure from robust United States, European Union, United Kingdom, and United Nations sanctions—relies upon CVC mixing to launder the proceeds of cyber heists in order to finance the DPRK’s WMD program.”
This is where details get murky and there’s simply a ton of information that the feds probably have that we, the public, definitely do not. In August, when the Treasury imposed sanctions on Tornado Cash, it claimed that the Lazarus Group had used the service to launder more than $500 million in stolen crypto. Public reporting from blockchain analytics firms suggests that North Korea has raised well over a billion dollars over the past several years by stealing cryptocurrency. Late last year, during a hearing focused on combating illicit finance, Senator Mark Warner implied that the government has more knowledge of these activities than it has revealed, and said he’d try to get more declassified. “Unfortunately crypto is being used in a disproportionate way” by “rogue regimes” including North Korea, Warner said.
No matter how you slice it, crypto is in a pickle: one of America’s nuclear-armed adversaries is inarguably using the technology to its advantage, activating national security policies that expand the government’s power to impose restrictions on certain kinds of financial transactions. Private cryptocurrency transactions, utilized by many folks who are not committing crimes or undermining the US, are in the crosshairs.
For example, suppose someone holding crypto in an account at an exchange wants to donate some of that money to a politically controversial cause and doesn’t want their name attached to the transaction. They might send money to a mixer first. Under this rule, the exchange would have to report details about that transaction to FinCEN.
The “primary money laundering concern” designation “carries real economic consequences,” Coin Center wrote, “such as financial account limits, blocks, and closures, as well as the moral condemnation and reputational harm that is likely to stem from being labeled a presumptive money launderer and criminal.”
If the government doesn’t narrow the category of transactions for which this designation would apply, “there will be abundant opportunities to expand the case law on the due process rights of persons wrongly designated as a [primary money laundering concern],” Coin Center wrote. “In all past cases the designation has been specific to a finite foreign geographical region or a particular financial institution rather than, as here, a broad and vaguely-defined category of activities in which many ordinary Americans engage.”
FinCEN says that a given entity will only need to submit reports when it “knows, suspects, or has reason to suspect a transaction involves CVC mixing within or involving a jurisdiction outside the United States.” But an institution could not “know” this—that’s the point of a mixer. Similarly, how is an institution supposed to have enough information to “suspect, or have reason to suspect” involvement of a foreign jurisdiction? “The rulemaking is silent on the question,” Coin Center noted.
Put a ZKP on it
Is the only prescription … more crypto?
“FinCEN’s concerns can be addressed through a technological solution centered around zero-knowledge proof (ZKPs),” argued the DeFi Education Fund (DEF), another crypto policy advocacy group. This technology, which is also at the heart of Tornado Cash, lets one party verify a secret for another party without revealing the secret itself. “ZKPs can be customized to prove that a withdrawal is not associated with illicit activities by proving that the withdrawn funds do not originate from deposits on a ‘black list,’” the DEF explained in its public comment.
This proposal is essentially the same one that Ethereum co-creator Vitalik Buterin, crypto developer Ameen Soleimani, and others have referred to as “privacy pools” or “proof-of-innocence.”
“The core idea…is to allow users to publish a zero-knowledge proof, demonstrating that their funds (do not) originate from known (un-)lawful sources, without publicly revealing their entire transaction graph,” wrote Buterin, Soleimani, and three other co-authors in a recent academic paper examining the privacy pools concept. Before withdrawing from a mixer to an exchange, a user could, for example, prove their deposit was part of a set that included deposits from customers at legitimate banks—confirming that a bank had run anti-money-laundering checks—without revealing which deposit it was. Or they could prove that their deposit was not part of a blacklisted set that included addresses known to be associated with criminals or national security threats like the Lazarus Group.
Like so many crypto things, that sounds very cool and very … theoretical. The DEF provided few details about how FinCEN could make it work practically. But projects are working on making the idea a reality, including Soleimani’s Privacy Pools and the private payment protocol Railgun. If they succeed, the next trick would be convincing the normies in Washington that something called a “zero-knowledge proof” is something they can trust—before they get the chance to mess things up with imprecise regulation. —Mike Orcutt
WARNING: TECHNICAL
Name: The Zero-Knowledge Encrypted User Safeguarding (ZEUS) Network
Brains behind it: Elusiv, a crypto privacy startup building on Solana
What it is: A protocol for enabling anonymous blockchain transactions, featuring a “decentralized compliance” system that can retroactively decrypt transactions linked to known criminal activity or national security threats.
According to Elusiv co-founder Yannik Schrade, there’s a problem with the notion (described in the article above) that illicit actors can be rooted out of decentralized privacy protocols like Tornado Cash: timing.
What if a given blockchain address is run by a bad actor—it’s just not known yet? That user would be able to prove their deposits didn’t come from an address on a blacklist, and withdraw funds from the privacy protocol without any issue. But the very next day, US law enforcement might find evidence that drug traffickers used the address to facilitate illegal sales in the US. On-chain analytics would be able to quickly reveal that this address had sent funds to the protocol. It’s not acceptable to let that user get away with money laundering just because their link to criminal activity wasn’t known before they withdrew their funds, Schrade argues.
Elusiv’s protocol uses zero-knowledge proofs to enable private blockchain transactions, to which it attaches an encrypted “memo” featuring the details of the transaction such as the sender, recipient, and amount, Schrade explains. ZEUS, which is still in beta testing, is a separate decentralized network that can, under certain conditions, use a method called multi-party computation (MPC) to decrypt the memo.
How it works: Every node holds a share of a cryptographic key. Once it becomes public knowledge that a given address engaged in illicit activity and used the protocol, the nodes can collectively decide to decrypt the suspicious transactions. If enough nodes input their shares of the key, the network can reconstruct the decryption key and use it to lift the veil on the transaction details.
Of course, now the user has a new thing they have to trust. In theory, the ZEUS Network could somehow wrongfully identify them. Here’s where things get really complicated and you may have to, well, trust Elusiv that it knows what it is doing. In short, the company has come up with certain “trust minimization” measures. For instance, periodically the cryptographic key shares are destroyed and new ones are generated. And over time, the threshold of nodes required to decrypt a transaction increases until eventually the transaction can no longer be decrypted.
Though the ZEUS Network is still under development, Elusiv’s private payment protocol is live on Solana. It limits the amount that users can deposit and send to $5,000. —Mike Orcutt
ODDS/ENDS
Electric Capital’s 2023 Crypto Developer Report, which tracks the number of people working on all the various crypto networks, is generating a lot of buzz in crypto circles. The top line, according to the VC firm, is that although the total number of developers dropped 24% in 2023, the number of developers who have spent at least two years in crypto continues to steadily rise. The fastest growing ecosystem (minimum 150 monthly developers), according to the report, is Scroll, a network that uses zero-knowledge cryptography to improve the throughput of Ethereum transactions.
The yearslong legal fight between the US crypto industry and regulators over whether crypto-tokens should be regulated like stocks and bonds, “is edging closer to a resolution,” according to the New York Times. In January, federal judges held hearings in two cases some see as “existential” for the industry.
The EU is close to finalizing new regulations that would restrict crypto payments from “self-hosted” wallets and ban privacy-focused cryptocurrencies like Zcash and Monero. The Anti-Money Laundering Regulation will work in tandem with another regulation, the Markets in Crypto-Assets regulation (known as “MiCA”), and is expected to take effect between 2026 and 2027, according to DLNews.
Despite a government ban, crypto trading “remains widespread” in China, according to the Wall Street Journal. Traders in China, using “a mix of location-masking technology, lax exchange controls and secretive meetings in cafes and other public places”, received $86 billion in cash from crypto activity between July 2022 and June 2023, according to the report.
The US Treasury’s Office of Foreign Assets Control imposed more sanctions on Hamas, targeting “networks of Hamas-affiliated financial exchanges in Gaza, their owners, and associates, and particularly financial facilitators that have played key roles in the funds transfers, including cryptocurrency transfers” from Iran’s Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF) to Hamas.
“The metaverse has opened up opportunities for criminals to commit new types of crime,” according to INTERPOL, which calls this new class “metacrime.” From NFT scams and identity theft involving deepfakes to “robbery from an avatar” and “trespassing in a private virtual space,” metacrime will apparently require that investigators collect new kinds of evidence, like data from VR headsets and haptic devices.
Undetectable malware generated by AI could already be in the hands of nation-states, warns the UK’s cybersecurity agency.
Ingonyama, a startup focused on software and hardware that accelerates the use of zero-knowledge proofs, raised $21 million in seed funding. The company has a long-term goal of making chips specifically designed for zero-knowledge applications.
Follow us on Twitter