Alright, light's red, we're recording. Hey, Tortoni, you looking great today. Still right, and I see. See, here in my studio, which is just my closet, I have a picture on the wall made by Edward Manet. And it's a picture of a fine-looking gentleman sitting at a table writing something down. I call him Tortoni, but that's not his name. This picture has captured my imagination and curiosity for countless hours. I stare into it and I just fall into
an abyss. But the thing about this picture is that it's not the content or even who made it. It's that this picture was stolen from the Isabella Stewart Gardner Museum back in 1990, and it's never been recovered. And I don't have the original. I just have a print of it. But the thieves didn't just steal this picture. They took a bunch of others too. And this was the biggest single heist of all time. They estimated that the art that was stolen is worth $500 million.
And it still remains unsolved. I'm looking at this picture on my wall right now. There's a $10 million reward for it. Yet mine, I just got from my printer for like five cents. It's always been weird to me how art has just so much value. Now I just don't see how this picture, which is not that much bigger than a regular sheet of paper, is worth more than a mansion? But that's no longer the biggest heist ever. Because in 2022, a digital heist happened,
which set a new record high. These are true stories from the dark side of the internet. I'm Jack Recyder. This is Dark Net Diaries. This episode is sponsored by Threat Locker. Ransomware, supply chain attacks, and zero-to-exploits can strike without warning, leaving your business's sensitive data and digital assets vulnerable. But imagine a world where your cybersecurity strategy could prevent these threats.
That's the power of Threat Locker, zero trust, endpoint protection platform. Threat Locker implements a proactive, denied by default, approach to cybersecurity, locking every action, process, and user unless specifically authorized by your team. This least privileged strategy mitigates the exploitation of trusted applications and ensures 24.7365 protection for your organization. The core of Threat Locker is its protect suite, including application, allow listing, ring fencing,
and network control. Additional tools like the Threat Locker Detect EDR, storage control, elevation control, and configuration manager, and hands-here cyber security posture, and streamline internal IT and security operations. To learn more about how Threat Locker can help mitigate unknown threats in your digital environments and align your organization with respected compliance frameworks, visit Threat Locker.com. That's Threat Locker.com.
This episode is sponsored by Mint Mobile. With big wireless providers, what you see is what you get. Somewhere between the store and your first month's bill, the price you thought you were paying magically skyrockets. With Mint Mobile, you'll never have to worry about gotchas ever again. When Mint Mobile says $15 a month when you purchase a three month plan, they mean it.
All plans come with high-speed data, unlimited talk and text, and you can use your own phone with any Mint Mobile plan and bring your phone number along with your existing contacts. To get this new customer offer with your new three month premium wireless plan for just 15 bucks a month, go to MintMobile.com slash darknet. That's MintMobile.com slash darknet. Cut your wireless bill to 15 bucks a month at MintMobile.com slash darknet.
$45 upfront payment required equivalent to $15 a month. New customers on first three month plan only, speed slower above 40 gigabytes on unlimited plan, additional taxes, fees, and restrictions apply, see Mint Mobile for details. Digital assets are fascinating to me. I'm no economist, but they behave in ways that don't make sense to me. Like, let's take audiobooks, for example. It takes a lot of work to make the first one,
but then infinite copies can be made at zero cost after that. So I don't know what happens when supply goes to infinity. It seems like price would go down to nothing, but it's not the case. Audio books are still $10, $20 each, despite there being an infinite amount of them which cost nothing to make more of. That's kind of wild. And you'd think that piracy would have destroyed the market for digital assets too. With unlimited supply, demand should have gone way down.
But no, the demand for digital goods is at an all time high. Top tier musicians are making more money now than they ever did before. And that's because we all have mobile devices glued to our hands 24, 7, and we're continually thirsty for more digital content to consume. It almost seems like our whole lives are digital now. Movies, shows, memes, music, books, even the people we are closest to, we have a digital relationship with them. But I'm always
wondering of all the digital stuff in our lives. Is any of it really ours to own? Okay, so I think anything that's saved on your computer and you can use it offline, I'll say that's yours and you own that. Photos that are saved on your phone, that's yours. Music saved an MP3 form. That's yours too. You own that. But the line is often blurry between what's on our devices versus what's on the internet? Like if you have an Android phone,
it tries to get you to back up your photos to Google Drive. And it's not always clear if your photo is on your phone or on Google's servers. If it's just on Google's servers, then you don't really own it, do you? Since they have complete and full control of your photos, what about audiobooks? Let's look at those for a minute. Most audiobooks I listen to I can actually borrow from the library. There are apps which let you check them out and you can listen to it for a few weeks and then
return it digitally. It's great. But often my library doesn't have the book I want. So I've got to buy it. And when I buy an audiobook, the biggest marketplace for that is Audible. So I look there. What drives me crazy about buying books from Audible is, well, I don't own that book. Like at all, if I owned it, I should be able to save it locally, give it to a friend, donate it to my library, or resell it to someone else like a used audiobook. But all that is impossible to do through Audible.
And of course, Audible could cancel your account at any time and you would lose all of the books that you bought. So to me, the audiobooks that you buy on Audible are not really yours. You don't own them at all. So let's look at some other digital assets. How about my online accounts? Like Twitter or email accounts or online gaming accounts. Do I own my Twitter username? No, I don't think so. Twitter does. And they graciously let me use it. And at any moment, they could terminate it or
rip it out of my hands. I don't have any actual ownership of it. I mean, just look at what happened when Twitter changed their name to X. There was a user on Twitter who had the username X and Twitter just ripped it right out of their hands. And there was nothing not user could do to keep it. Because Twitter owns everyone's account. Yet it's interesting because even though you can't own a Twitter account, they are still valuable. And people are buying and selling Twitter accounts all
the time. Let's look at video games now. There are digital assets in video games, right? Like imagine you're playing an online game and when you level up your character, you get all kinds of armor and weapons and gold. That character is yours, right? Well, I don't think so. I mean, the game can ban you at any moment and then what? What about those in-game items like gold and weapons? It feels like that stuff is yours. But it's not really. You can't save it offline or take it with
you to another game. And it's strange because even though you don't own that stuff in the game, those items still can have real world value. I know I've bought an in-game weapon before for a hundred bucks. And it's ridiculous because I bought something I don't actually own. All right, what about my website? darknetdirees.com. Do I have ownership of that? Well, at first glance, sure, I purchased the domain and I could do whatever I want on it.
I'm the admin. I can say what I want and nobody can stop me. But no, first of all, I didn't purchase the domain. I'm renting it. All domains have to be renewed like yearly or every few years registrars control the domains and you pay them to get it. But then you have to keep paying them to maintain control of it. Seems like I don't own it if I have to pay someone over and over to keep it mine. On top of that, governments can go to domain registrars and take over a domain that's
being used for illegal purposes. So yeah, I'd say I don't actually own my domain if someone else can rip it out of my hands like that or if it'll expire after a while. But domains on the dark web are different. I'm talking about on tour, the darknet. See, on the dark web, domains look awful. They're like a long string of random letters and numbers. You would never be able to memorize it and then it ends in.union. So how do you get a domain on the dark web? Is there a central body
like I can where you go to register domains with? No, no, not at all. You create the domain yourself. Yeah, that's right. You generate a private public key pair and that public key is your domain name. So with this system, the person who has the private key controls that domain. Now, to me, this is true digital ownership. And I love that. Unless someone comes and steals my key from me, nobody can ever take my.union domain from me. It's never going to expire and it can't be seized
by the feds. This is why a lot of people are drawn to the dark web to have something on the internet that's truly yours and nobody can ever take it away from you. Another thing that I think gives you true digital ownership is cryptocurrency. Not all money is like that. Your bank can refuse your service if they want. They can cancel your credit card and kick you out of the bank and freeze your
money. I know PayPal has frozen my account before trapping my money in there. But because cryptocurrency is built on decentralized blockchains, there's no one managing yet to kick anyone out or freeze an account or take over an account. Everyone and anyone is welcome at all times forever. And the best part is you truly own your crypto wallet. Because to get a cryptocurrency wallet, you just make it
yourself by generating a random private key and then using that to derive a public key. When you do this, only you are the only person who's ever seen that private key and whoever has that private key controls that public address or wallet. There's no admin that can revoke your key or move your money without your permission. Your key is your key forever and ever. The blockchain is a fascinating invention and whether you love or hate cryptocurrency, the technology behind it is very interesting.
Take the Ethereum blockchain, for example. It popularized something called smart contracts, which allows people to add code into the blockchain, which means you can program money and even create apps integrated directly into cryptocurrencies. And this is wild and it's opening up a whole new future that we never imagined. For instance, people are making entire video games with these smart contracts where the whole game lives on the blockchain, which means the in-game currency is actually
real cryptocurrency. Not only that, but the apps you make on the blockchain are truly yours where nobody can ever seize it from you or stop you from making it. It's time we step foot into this big new wild digital world. I think the game, actually Infinity, represents a fundamental shift in video game development. I spoke to Jeff White about this game. Hi, I'm Jeff White. I'm an author
and investigative journalist and I cover organized crime and technology. Yeah, so Axi Infinity is not like the games that I used to play when I was a kid where they sell you the video game and then you go away and you play it and that's it. Axi's an online game has of course lots of them are and you're playing against other people online, which of course lots of games are. But the thing that made Axi different and quite radical, I think, for some people was that everything in the game
was basically for sale. It was a whole marketplace. So the way it worked was you have these Axis, which are based on the Axelotl Salamander. You have a team of Axis, three Axis and you basically wrestle them. You fight them against your opponent's team of Axis. And if you win, you're rewarded with smooth love potion tokens, which you can use to breed your Axis together to get them to be better fighting machines. It's basically a bit like, to remember those Tamagotchi keyring things,
yeah, I do. But it's like digital pet that you can level up and stuff. Exactly that. It's like that mixed with WWF wrestling. So that's the idea of Axi. This game is hugely, hugely popular. Okay, so I need a team of three of them. How do I get one of them? What's the process? You buy, you have to buy the team and you can't, as far as I'm going to get one, you have to buy a team of three because three is a magic number. In order to do
this, this is where it gets interesting with the sort of cryptocurrency aspect to it. If you have opportunities, it's dollars for you, Jack, you can swap your dollars into East the currency on the Ethereum blockchain, the cryptocurrency, it's a bit like Bitcoin. As is number two, I think, to Bitcoin East, I think I might as well. You can then take that Ethereum money and you can put it into transfer into Axi Infinity and then you can use that in game currency to buy your Axis,
to buy smooth love potion, you can buy land in the game. So it's all the whole game is based on cryptocurrency and this is an internal blockchain within the game that tracks who owns Watson, who's sold what to whom I see. And I like the ownership aspect of this. You really do digitally own one of these Axis since it's all on the blockchain. There's no way for anyone to take your Axis away from you if you own them unless they steal your private key. To me, this is interesting
because look at the software world right now. You can't buy Microsoft Word or Adobe Photoshop. You have to pay a monthly fee in order to use it. You don't own a lot of the software or games today if you have to have an internet connection for it to work and as the meme goes, if purchasing isn't ownership, then piracy isn't theft. Axi Infinity was created by a company called SkyMavis who had called to the Vietnam. I think the company's registered though in Singapore.
And this was five guys who'd been part of the sort of esports scene. So they've been around gaming for a very long time. And the idea of crypto-based video games wasn't sort of radically new. I think crypto-kitties predates Axi Infinity for what I've read of it. But basically what they did was they built this game and released it. And in a way they locked out because they obviously got the benefit of video game obsession. People became obsessed with this game and started playing
it and battling their axes together and so on. They also got the benefit of a sort of cryptocurrency boom because it was sort of 2019, 2020. And crypto was starting to rise in value quite steeply at that point. So people who were into video game, you got into Axi Infinity. But what was really interesting around the discussion boards around Axi Infinity is you start to see this change where people are discussing the game and then they start to discuss crypto investments and crypto
speculation. So suddenly people who are into crypto and the speculative side of it started to see this game as an opportunity, money making opportunity. So you've got this incredible whirlwind of sort of obsessive gamers and also obsessive cryptocurrency speculators coming in. And this game just went up and up in value. I think at one point it was valued at two billion dollars. I think I'm right in saying it's astonishing values. And the other thing that fed into this was COVID,
it was lockdown. So during that period, the game was big into Southeast Asia, particularly big in Southeast Asia because that's where the company was headquartered and it absolutely took off. Particularly the Philippines, I think 40% of the players apparently were in the Philippines. And during lockdown, a lot of people lost work, weren't able to go to work, were looking around for alternative sources of income. And they started to see that actually they could potentially play
this video again and make money at it. So you put all these factors again together and you just get this explosive combination that just launched Axi Infinity into the stratosphere. Much the surprise I think it's fair to say of the guys in Sky Mavis who made it. I don't think they're expecting to be such big of a hit. Now because the in-game currency was the Ethereum cryptocurrency, this allowed for a whole in-game marketplace. You could buy or sell things to other
players with cryptocurrency, just like directly on the blockchain. Ethereum wasn't just for cryptocurrency, but there were items on it now. Axis, for instance, and you could buy one from another person directly if you wanted without having to go through any game to do it. How do people like make money? Do you understand the complexities of this because if you're battling someone and you win the battle,
do you take money from the other person? No, the way it would work is I understand it is your Axis would become more valuable, the more fights they won and you can actually sell them to other people in the game. I've got this team of Axis. Look, they've got a fantastic track record of killing lots of other Axis. I don't know actually whether killing was part of it, but winning the battles, would you like to buy them off me? Also, there's a trade in smooth love potions. As you
played the game, you got more smooth love potion. You could sell the smooth love potion to people. You could buy and sell plots of land on Lunacia, which the virtual environment to which the game is played. Almost everything was for sale. The money was being shed while trading within the game. Now, you might be thinking, hold on, wait a minute, this is an awful idea to bridge real money into a video game. Well, you're not the only one to think that. The video game marketplace Steam
has outright banned all crypto-based games from there. At first glance, you might be thinking, oh, that's because they don't want people spending real money on games like that. It can ruin the in-game economy, and it leads to speculative behavior. It's stupid to buy video game assets like gold and weapons. But none of those are the reasons why Steam banned crypto-based games.
A very popular game on Steam is CSGO, or I guess it's now called Counter Strike 2. Within Steam itself, there's a whole marketplace where you can buy and sell in-game counter-strike items from other players for real money. It's like a giant marketplace on Steam. Thousands of purchases have been every day. Yeah, you can show up, type your credit card details in and start
buying items in the game from other players with real money. Steam has built this whole system, so clearly they are perfectly fine with people using real money to buy in-game items or be speculative in the game or mess up the game economy. However, when you sell in-item, you don't get the money from the sale. They give you Steam credits, which can be used to buy other games on Steam. But players were like, wait a minute, if I'm selling this to someone who's buying it with their credit card,
why can't I get the money they paid for it? It seems like, eww, we really don't want to give you money. Game credits are much better for us. So players were like, well, you know what? Nobody can stop us from just trading among ourselves. So player-to-player sales started happening. But how do you send money digitally? You can't just give someone your credit card, it doesn't work that way. So players started trading using cryptocurrency. But this became unsafe. People were sending
their money and not getting anything in the trade. So websites started popping up saying, hey, we'll broker the deal for you. And they started acting like the middleman and trades for counter-strike. And that went on for a while and Steam was like, alright here, we'll make an API for the marketplace. And this allowed secondary marketplaces to let players buy and sell in-game items with real money. And not only that, a lot of markets allowed you to buy and sell items with cryptocurrency.
So while Steam has banned crypto-based games, you can actually use crypto to buy things in counter-strike 2 or sell things and get crypto from it. And this is all totally allowed by Steam. Steam could put it to end all this right now if they wanted. They could make it so players just can't trade with each other anymore. But they won't, because they make far too much money from this whole system. So why does Steam actually ban crypto-based games? I think it's because
the regulatory landscape is unclear. When you start accepting cryptocurrency suddenly, you get into these regulations that are very difficult to figure out. And don't tell me that Steam Bands crypto-based games because it keeps out the trashy scammy type stuff. Well, have you seen the game banana? As I'm saying this, it is the second most popular game on Steam. And it's possibly the world's dumbest game. You just click a banana. And after a while,
you might get a banana for doing it, which can be sold on the marketplace. And it's making the creator a ton of money since people are buying bananas with real money for no reason. The banana does nothing in the game. This is 10 times dumber than any NFT game I've ever seen. And it's not even an NFT game. The fact that Steam allows this is kind of breaking my brain, honestly. I bet there are a million teenagers today who are very fluent at understanding the market
intricacies of V-Box or Robux. The virtual currencies for their favorite games. And the thing about Steam credits or V-Box or Robux is you can only buy it. You can never sell it. It's against the terms of service to trade that for real money. And that kind of frustrates me. It's kind of like when you go to an arcade and they make you buy tokens to play the video games there. Video games can operate just fine on quarters. There's no need to invent a whole new currency just to play them.
And the currency can only be bought, never sold. And it stinks when I come home from an arcade and there are a few extra tokens on my pocket. These things are worthless except for one place in the entire world. So Axi Infinity was built directly on the Ethereum cryptocurrency, utilizing smart contracts. But they soon had a problem. When you play video games, you want it to be fast. Ethereum transactions were slow, sometimes taking a few minutes to complete, and the fees on Ethereum were
high. Like often costing $30 on fees just to buy an Axi from another player. So to fix that, SkyMavis, the creators of Axi Infinity, created a side chain of Ethereum called the Ronin Network. This side chain was very compatible with Ethereum so players could move their money in and out between the Ronin Network and the Ethereum Network easily. And that mechanism of
moving money between the two, they named that the Ronin Bridge. The Ronin Network was much faster and had very low fees like less than a cent, making a much more ideal for a video game to be played on this blockchain. But for this Ronin Network to operate, there needed to be nodes and validators. SkyMavis didn't want to be the only one controlling those nodes and validators because if they were, they could theoretically control the whole network. I guess if you have a majority control of
validators, you could manipulate the system if you wanted. The idea of a decentralized network is that nobody should ever have a majority of the validators so that it can't be manipulated. So they made sure to have people outside their control also running nodes and validators. You can play on a browser, I think most people play on a phone. It got so popular that we were ports in the Philippines of people giving up their jobs just to play this game full-time.
Now, of course, as soon as that happens and hits the headlines, you get this rush of people who all think, oh, I'll do that. And of course, it came with a pile-on. People just went for this game, particularly in Southeast Asia. So there's this very valuable company with millions and maybe billions of dollars worth of cryptocurrency assets running through it, swapping around, moving fast, moving a lot. This will attract somebody who wants to steal that money. Inevitably,
as soon as you start to make scams of money, it's a video game somebody tries to hack you. And that's exactly what happened with Axi Infinity. A lot of scammers and thieves flocked to this game, trying to steal things from other players. Some players, crypto wallets, were loaded with tens of thousands of dollars of Axi Infinity assets. And scammers were trying hard to steal stuff from
players' wallets. One common tactic is to get an Axi Infinity player to connect their crypto wallet to the scammers website, maybe by saying something like, oh, we're giving away a free rare Axi. With some cleverly crafted message, they can trick a person into giving them access into their wallets. Which then the thief can drain everything from it. Hundreds, if not thousands,
of Axi Infinity players were victim to this type of attack. And I should say that even though attacks on players and cryptocurrency-based games is very common, it's not unique to only crypto based games. I remember when I was playing World of Warcraft a long time ago, someone somehow got into my account and transferred all the gold and removable items from my character into whatever
account they had. I got digitally robbed in World of Warcraft. And if you hang out in the counter-strike forums or Roblox forums or Fortnite forums, you see people begging for help every day saying they're a cow-gut hacked or their stuff got stolen. There's a lot of money in stealing video game assets. It's crazy. Ideally, what you want to do is you want to go to the source of all the money, the fount of all the money, which, you know, Sky-maybe sort of serves themselves.
And so the hack is targeted one of the engineering team. And carried out a very, very elaborate, or at least in my opinion, very elaborate social engineering exercise on this person, offered them a job. Now that's not an uncommon thing for, you know, crypto developers to get. Game developers get poached all the time. And so this is a great job for you. Really big salary, you know, are you interested in talking to us? And this employee said,
yes, started receiving details of the job. Did apparently a couple of rounds of interviews for the job, which I presume was webcams off, but, you know, was interviewed by people for a job that seemed to exist. Of course, none of this was true. There was no job. This employee of Sky-maybe this was being targeted by hackers who were trying to maneuver them to the point where they would, effectively download malware. So we don't know how they made contact. My first thought was
Discord. A ton of scammers are on Discord trying desperately to hack into people's accounts. But in this case, I'm willing to bet the initial contact was made on LinkedIn. It's kind of easy to find developers for actually infinity on there to begin with. Then it's only a few clicks away before you can message one of them. And it sounds like they message the developer offering them a job. So if that's the case, it's not so hard to create a fake persona on LinkedIn to look like you work
for some prestigious company, making the whole story more believable. I mean, who gets job offers on Discord anyway? LinkedIn is the place to go get chat about first. The other thing you can do if you target someone in this way is you can say to them, hey, for this job, we need to know that you can use this particular piece of software. Can you download it for us? Or can you click on this link
and go to this private server so you can do this exercise as part of the job application? There's lots of ways with the job application that you can trick someone into doing something they wouldn't necessarily have done downloading stuff, clicking on links. So I find that really, I think that was a really smart way of operating. One for people to watch out for. Eventually, malware gets downloaded by this employee of SkyMavis onto their work device. Now, full disclosure, I don't think SkyMavis
have revealed how that specifically was done. But you can think of multiple ways whereby you will be able to convince someone as part of the job application process to download something. There's lots of ways to do that. In fact, if the malware allowed the hackers access to SkyMavis as computer systems, and because they targeted an engineer who had what SkyMavis describes as very deep level access, it wasn't like they hacked somebody in the HR department that had to work
their way over to the development environment. They were already and they'd hit the motherload effectively and were already in at a very deep level inside SkyMavis. Yeah, I mean, if you get malware onto a developer's computer and then take control of their computer, then you can assume the role of that developer in that company. You have their access keys, their logins, their
privileged access to the network. With that, so deep level access to SkyMavis systems, the hackers start scoping out how at-seen-finity works and how this money's moving around. I bet they were looking for a central wallet like cold storage or something where SkyMavis stores all the keys and has access to millions of dollars in crypto. But they couldn't find that. So the second thing was, with all this money flowing through the system, was there a way to grab it somehow?
And what they realize is what we've covered earlier is there's this internal blockchain within action-finity, monitoring the transactions between the players. There's the external sort of Ethereum blockchain, which is effectively bringing in money that people have Ethereum, Etherco and see that people are spending into the game and then putting it out. So there's a conduit through which this is all happening. And that conduit is a thing called the Ronin
bridge. The Ronin bridge's job is basically, it's to reconcile what's going on in the game with what's going on in this external Ethereum blockchain. Effectively, the Ronin bridge is nine computers around the world. And those computers are looking at all the transactions inside and outside and reconciling the two ledges together. So basically, the hackers realize very, very smartly, that's the pinch point, that's the conduit, that's where the money is going across. If they can
control the Ronin bridge, they can effectively control the flow of money. And since there's millions and millions of dollars inside action-finity, they can control that money. Now the thing about this is, there were nine computers as part of the bridge. It's effectively nine what they call validators. And SkyMavis sort of thought about the possibility of getting hacked to give them credit and they only controlled four out of those nine, which isn't enough to give
you majority control. So you can't just take over SkyMavis, get control of the bridge and take the money out. The hackers had to find a fifth computer, so they have five out of nine, so they've got majority control. And this is where things go wrong for SkyMavis. SkyMavis had outsourced the other five validator computers to external companies, so they weren't in control of them.
You know, so SkyMavis didn't hold all the cards effectively. But one of the companies that outsourced to gave SkyMavis a temporary access to its validator, and that temporary access was never revoked. The hackers somehow managed to realize all of this and thought, aha, we've got four computers validating as SkyMavis. We need a fifth to get majority controlled. There's the fifth one. We still got access to it. Vios, SkyMavis. We've got five out of the night computers. And guess what?
We control the bridge. We control the money and it's time to steal. Wow, I think the level of knowledge needed to pull this off is quite remarkable. This is not so simple as opening up a wallet and transferring the funds out to take over a five of the nine nodes of this side-chain and to know how to operate them in a way that will allow them to steal money, takes a specific skill set. Whoever did this must have had to prepare quite a
bit for an attack like this. It kind of reminds me of that one time my friend went and bought an antique for, I don't know, $1,000 or something. On his way home, he stopped for lunch somewhere and his car got broken into and the thieves stole the loose change in his cup holder. They looked at that old antique and didn't think it was worth anything and left it. Whoever was targeting Axi Infinity knew exactly where to look to extract the most amount of value they could from the system.
They knew exactly where the value was. And I don't think many of us would know how to work these controlling nodes even if we could take them over. But when they took over these nodes, they got immediately to work, setting up an attack which would allow them to transfer as much out of the Ronin network as they could and as fast as they could directly into the Ethereum wallets that were ready and waiting. They set up everything and using their control of the bridge deployed a
command to transfer the money. They stole ETH ETH currency and USDC which at the time was valued at $625 million. $625 million. Yes, I'm trying to think, is there a single? Or is there a single cyber heist that is more than $650 million? I can't think of one. I'll go further from that. I've been a bit circumspect in the book but I'm being less circumspect the more I go on. I think it's the biggest theft of all time. And I want to add a couple of
qualifiers to that because that is a big statement to make. I'm talking about one-off theft. Obviously you ran somewhere as well. You know it was made billions over time by multiple victims. I'm talking about one victim, one hit. At the time the theft happened. Obviously there's the bit for next hack. The one that Heather Morgan and Ilylishton Stein got sent for. That ended up being $3 billion I think but at the time of the hack it was $70 million. I'm talking about valuing a crime.
At the time the crime was committed, one off crime, one victim. So I've been doing you Google and you Google and you try to find these things. The Isabella Stewart Garden Museum heist is one of them. So that was I think 93 was it? They broke into the museum and they stole artworks. The artworks were valued at 500 million. Now that's often listed as being one of the most expensive heists of all time. That's only 500 million. So I know I'm out on a limb here but
I do think it's a series. If it's not the number one it's a very serious contender for biggest theft of all time based on one hack, one victim, one crime, one victim valued at the time of the crime. Now some of my listeners might be shaking their heads right now and think no Jack none of this cryptocurrency is real money. This is not the biggest heist of all time and in fact a lot of articles which list the biggest heists of all time don't include any cryptocurrency heists.
But the thing is these thieves immediately started exchanging it for traditional money. So to me if you can swap it quickly and easily for any currency you want then yeah to me it's real money. Yeah it may start off in crypto and you may turn your nose up at that but it ends up in hard dollars and hard dollars that can be used to fund criminal activity and some very serious
as we're going to talk about some very serious criminal activity. Maybe I should have mentioned this earlier but the reason I'm talking with Jeff about all this is because he just published a book called RINST which is all about money laundering in the modern world and I just finished reading
it and it sent me down a wild twisted tunnel into the world of money laundering. Now what we're talking about in this episode is a single chapter of the book though the biggest heist of all time axi infinity is interesting by itself but the thieves are now faced with a staggeringly huge challenge. How do you cash out 625 million dollars in stolen cryptocurrency if you sent it all to an exchange they might not be able to swap that much or they might freeze your account and you could
lose it all. So while they immediately started sending some of it to an exchange that was only a small amount and they needed a big plan for the bulk of it. We're going to take a quick break here but stay with us because after the break someone's going to prison. This episode is sponsored by Threat Locker. RANSTAMWARE, Supply Chain Attacks and 0-2 exploits can strike without warning living your business's sensitive data and digital assets vulnerable but imagine a
world where your cybersecurity strategy could prevent these threats. That's the power of Threat Locker, 0 trust, endpoint protection platform. Threat Locker implements a proactive, denied by default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. This least privileged strategy mitigates the exploitation
of trusted applications and ensures 24-7365 protection for your organization. The core of Threat Locker is its protect suite, including application, allow listing, ring fencing, and network control. Additional tools like the Threat Locker Detect EDR Storage Control, Elevation Control, and Configuration Manager and Hansir Cybersecurity Posture and Streamline Internal IT and Security
Operations. To learn more about how Threat Locker can help mitigate unknown threats in your digital environments and align your organization with respected compliance frameworks, visit Threat Locker dot com. The news broke pretty fast. Axi and Fennity's Rowan and Bridge hacked $625 million stolen. Lots of people lost a lot of money and including Sky Mavis itself. But of course, everyone wanted to know who did this. Good question. I mean obviously it very quickly hit the news. This had happened.
Fennity and Fennity's Sky Mavis did a sort of rolling blog on what had happened and were filling people in. And of course, because it's cryptocurrency and because all cryptocurrency moves across a blockchain which is almost always publicly available, particularly when the hack has transferred the money out from Sky Mavis, it was publicly viewable. People start looking at the wallet
addresses to which the money is being sent. They start looking at the methodology behind the hack and very quickly the name that pops into the frame is North Korea. North Korea. So North Korea's military has something called the Reconnaissance General Bureau. In it are believed to be where thousands of hackers are trained and tasked with completing
military objectives. This isn't the first time they've been accused of stealing millions of dollars in crypto and it's estimated that they've stolen over a billion dollars in cryptocurrency now. And I can't think of another country where their government is hacking for a financial gain like this. No, that we know of. It's certainly very rare for for nation state hackers to be put on the
send for money. Of course North Korea is in this unique situation. North Korea is unique for a lot of reasons, but the unique situation that they are under international financial sanctions have been for a very long time. Have it seems largely run out of money or run out of legitimate sources of money. And so the accusation is that North Korea's computer hackers are tasked with gaining currency by any means necessary. And that's from what we know of North Korea not unusual.
It's diplomats historically have been tasked with not just being diplomats, but can you also make a bit of money on the side please. But now that I said that out loud that I don't know of another country that hacks for a financial gain, I'm reminded of an episode I did with a CIA agent. It was episode 116 called Mad Dog. In it, a CIA agent told me he tricked a diplomat from another country to give him information on an upcoming trade deal between the US and that country. He saw what
their bottom line was the lowest amount that they would accept in the trade deal. And he gave this information to the US who in turn used that information to save the US billions of dollars in the trade deal. Is this hacking for financial gain, social engineering for profit maybe? I guess economic security falls under national security and countries will go to great lengths to keep their economic security going well. When you steal cryptocurrency, one of the hazards of this is it's inevitably
going to be on a blockchain somewhere and that's almost inevitably going to be public. And so it's almost like you've gone into the bank and stolen a whole bunch of bank notes but they're all fluorescent yellow and people can see in your pocket that you've got these bank notes. So you're key task as a cryptocurrency thief is to loan the money and that's why I've written a book about money. Well, hang on a second now. So they have a hundred and seventy thousand ethereum tokens.
They need to turn that into dollars so that they can buy whatever. Why don't they just set up an exchange in North Korea that they can just send it to and be like, all right done. That's a very good point. One of the things that people have spoken about is the idea of North Korea sort of setting up a cryptocurrency exchange. I guess the answer to that would probably be firstly, there's this idea I think with all these thefts that were attributed to North Korea that
North Korea gets the money back to Pyongyang and that's where destination is. Well, there's nothing to buy in Pyongyang. There's no point sending it there. Yes, you could set up a cryptocurrency exchange in Pyongyang. Send all the cryptocurrency there with draw it in, I think it's still one is the currency that they use. But then you've got North Korean currency in North Korea. What are you
going to buy? What's the point of that? What you want is to ship the money to, I don't know, you want to buy widgets in Frankfurt, ball bearings in Frankfurt, you want to pay somebody off in Brazil, you want to get hold of missile technology secrets in Afghanistan, you want the money mobile, you want it flexible, so you want to be able to move it around. Also, 625 million dollars is a huge quantity of money. You've got to take it somewhere where there's enough liquidity that
somebody will buy that cryptocurrency off you in exchange for cash. Well, for that money, dollars, pounds, yen, whatever. This was the challenge that North Korea was faced with if indeed it was they behind the hack, that they were trying to take this money somewhere that could absorb it and turn it around and give it back to them in cold hard currency. So North Korea
has 625 million dollars on stalling cryptocurrency, specifically Ethereum and USDC. I mean, just say there's allegations, North Korea denies these allegations obviously being involved in these hacks. Okay, so it's supposedly North Korea. A lot of evidence points to them, but we don't know for certain, I think it was. Now, the way these cryptocurrencies work is there's no way to recover that money. This is real ownership, as I was saying earlier, there's no central bank that can
reverse the transfer or pull the money back out. The money is North Korea's and there's nothing anyone can do about that ever. Except North Korea is under strict sanctions, which means it's forbidden to do business with them. On top of that, it's stolen money and those wallets were flagged. So exchanges won't simply let them exchange it into cash. What they need is a chop shop.
The only reason why I know about chop shops is because of playing Grand Theft Auto, and when I was playing the game and I stole a car and the police were chasing after me, I could take that car into a chop shop and they'd scratch off the van, paint the car a different color and give it a new license plate. Then when I got back on the road, I could drive right past the police without them knowing it's the same stolen car since it looks entirely different.
But with cryptocurrency, you can't hide very well by just transferring the money into a fresh wallet. There's a big glaring transfer displayed publicly for anyone to see. Moving it into a new wall, it doesn't do anything to hide your tracks. They somehow needed to clean this money, so I can't be linked back to the money stolen from Axi and Finity. By this point, the wallets into which the crypto had been transferred, the stolen money from Axi had been transferred into crypto wallets, and
those wallets were flagged as being recipients of crime. The law enforcement had acted quite quickly, and gone round to the major exchanges, the big legitimate crypto exchanges and said, hey, if anybody tries to transfer you money from that wallet there, don't take it because it was stolen from Axi. They tried, I think, $60 million worth of exchanges, the hackers, at legitimate
sort of above the line, above the board exchanges. That money all got frozen. Because of course, as soon as the exchanges received the money, they went, oh, this is the stolen Axi money, yeah, we're keeping this. The hackers had lost tens of millions of the stolen money because they tried to pump it through the legitimate system. The legitimate system just froze it. Then they needed to find somewhere else, where can you go with hundreds of millions of dollars of stolen crypto
and just put it in no questions asked. That's what led them to NATO cash. Tornado cash? I've used tornado cash before. Let me tell you why. Okay, so I was going for a coffee a while back in my town, and I noticed they accepted Ethereum cryptocurrency. I was like, hot dig it people have been donating Ethereum to my podcast. I'm going to use it to buy some coffee. So I started to get it going, but I thought, wait a minute, hold on, no way, this is a bad idea.
My donation wallet is public. So anyone can see where I spend my money. And if they see I spent it on coffee in my town, that might expose where I live. I go to extreme lengths to keep my private life and public life separate. So I need a way to move this money into a personal wallet so I can spend it without people able to see where I'm spending it. So what are my options?
I could send it to an exchange and then send it to a fresh wallet, but to use an exchange, I have to give them my personal details like my driver's license and stuff, which seems a bit much just to buy a cup of coffee. Isn't there a simpler system? One that's more privacy focused? Yeah, tornado cash. Tornado cash is great. You send your money to it. It gets thrown in a pool with a bunch of other people's money and you get sort of a claim ticket. And at any moment,
you can use your claim ticket to get your money back out into a fresh wallet. Essentially, this allows you to transfer your money into a new wallet, but it removes the tracks of where it came from. What's great about it is that it's all automatic. I was telling you about smart contracts before where you can add code to the theory of blockchain. Money is programmable now. So I can see the tornado cash code verifying. It looks okay. And then get my wallet to interact with it directly,
giving it my money and getting that claim ticket back. And the way tornado cash worked is that they purposely built it. So the creators themselves never took control of your money. The only person who would ever have control of your money is you. The smart contract is programmed to handle the money, but the creators built it so that they can't even control the smart contract anymore. They literally coded all zeros in for who can control it, which means nobody can.
As this story sort of emerged, one of the people who'd used this particular mixer was Vitalik Bouture, who of course came up with the Ethereum protocol. I think code developed it. And he said, look, this is exactly what I did. I wanted to do an IT crane. I didn't want to do it publicly. And that is the hazard of using crypto is it is public. So I used a mixer because I want to preserve my privacy. They were good privacy preserving reasons to use something like tornado cash.
And that's I suspect the reason tornado cash was set up largely was for those privacy preserving reasons. Okay, so you might be thinking, hold on, this is just a big coin tumbler, a mixer for money laundering. And there have been lots of them in the past. And weren't they all illegal anyway? Yeah, that's the thing. This one was different. Very different. The ones in the past were typically custodial mixers, meaning someone is actually in possession of your money. If someone put a gun
to their head, they could hand over all your money. These kind of mixers are illegal because the person holding the money should know who's money they're holding. Like if I give you something illegal to hold, you could be in just as much trouble for holding it as me. And yeah, a bunch of people were running these mixers and were caught by the police and arrested for running unlicensed money transmitters. And the police were able to shut down those services. The difference here is
very important. A custodial mixer is where you give your money to some person to hold for when you want it back. While a non custodial mixer, the money is held on the blockchain, not in anyone's possession. Kind of like if you just stashed your money in a locker somewhere and then you gave the key to someone else and they got it out. The place that owned those lockers had no idea what you put in there. So they can't be held liable for whatever was in there. Kind of like a dead drop.
Now I imagine the makers of tornado cash saw that custodial mixers had been shut down and arrested in the past. Then they probably knew full well that a service like this might be abused by people. So tornado cash developers were like, we have to be absolutely certain that we're never in possession of anyone's money ever. We can never have custody since those kind of mixers are illegal. So it's only with the invention of smart contracts that they were able to make a service
like this that they could be completely hands off. A service that nobody was operating or running. It was headless and the developers can never touch anyone's money even if they wanted. It was coded that way. In no way, shape or form are they ever in possession of anyone's money and they went to great lengths to prove that. Not only that, they wanted this thing to be extremely resilient and impossible to be taken down as they felt that privacy tools like this were very important to people.
Also, a lot of these mixers in the past were tailored for criminals. So alpha bay, for example, was a dark net marketplace where people could buy and sell illegal items. Well, the site had its own crypto mixer specifically designed to help you hide your illegal purchases. And in the world of cybercrime, intention matters. If you are building something specifically for criminals to conduct crimes with, that's racketeering. And you could get recocharges against you.
But the developers of tornado cash held on strong that this was a privacy tool. That was their point. And to make that clear, they didn't hide in the shadows of the dark nets. They were open about their service and made it easily accessible. I mean, they even had a Twitter account and a normal website, which all clearly said, this is a way to have private transactions on Ethereum. So as you can see, as a person who values my own privacy, I found this tool to be helpful and important.
Gisentralization is very fascinating to me too. My website, darknetdys.com, is hosted on a single server somewhere. But tornado cash was kept up by hundreds of thousands of people running Ethereum validators. And there's something amazing and beautiful about that. We can put something on the blockchain and you know it'll permanently be there as long as Ethereum exists. You've understood exactly that's precisely what it is. At least that's what the claim was
from inside tornado cash. As we'll talk about later on, others have cast a lot of doubt on that. But suddenly that was the claim. Look, tornado cash is this headless organization. And once you use it, you effectively using an automated machine. It's like going up to a vending machine, sticking your money and getting the can out. And the vending machine has been forgotten by whichever company was meant to own it. It just runs on its own. Well clearly, I wasn't the only one to use
tornado cash. The people who stole the $600 million from vaccine affinity also noticed tornado cash and sent hundreds of millions of dollars to it. Now this is obviously presented a lot of problems for the particularly United States government because they can see that the money's gone from the stolen money's gone from the Axi infinitive and stolen sent to tornado cash. They believe it's North Korea behind this. But who do you prosecute? Who do you prosecute? Nobody behind tornado cash
at this time. That's what they thought. So what do we sort of do about this? So they did the next best thing the US government. They put tornado cash under sanctions. And Basie said, look, this, this mix of this tornado cash mixer is working for the North Koreans we believe we claim. And therefore, anybody who interacts with this mixer and sends money to it receives money from anybody who interacts who's in the US. People organizations doesn't matter. They are breaching sanctions
as well. We can't shop tornado cash down, but we can freeze it out by saying you cannot interact with anybody in the US anymore. And anybody in the US who interacts with tornado cash, you've committed an offense and we can come after you. Sanctions. What? The privacy tool I use got sanctioned. Hold on, hold on. This does not feel right. Okay, I need some names. Who created tornado cash? Yes. Three people. It seems created it. They are Andre Pertzerv,
Womans Storm and Womans Seminoff. They worked for a company called Peppa Sec. And I think it's it's as we'll get into the some legal proceedings around this. We have to be quite careful about. But I think it's fairly uncontroversial that they set up Peppa Sec and they created tornado cash. But the key thing is they created it. They say to preserve privacy and having created it. They go to a certain stage and said, okay, we now burn our passwords to this. We step back. We have
nothing more to do with this. It's running on its own. The tornado cash down. Oh, it was a down. Of course, the cows are fascinating. What I'm saying is an acronym, DAO, Dow, and it stands for decentralized autonomous organization. And this is a perfect example of one. The internet has changed everything about our lives. You know that already. Every day I get online and I chat with loads of people from all around the world and I visit websites from other countries.
And it never feels like I'm traveling far away to another country to interact with them. It's just right here on the screen in my bedroom. Just milliseconds away. The internet has connected us in a way where national borders just don't seem to exist anymore. So if you were to start an online business, that exists only online and there's like no physical product or reason to have a home base. And maybe you start it with two other people like one
person is from Europe and others from Asia and the third is from the US. What country do you establish your business in? Forget it. Why not just make it an online company? Not part of any nation at all. Is that possible? I mean, traditionally, you needed to make a company like an LLC or something in order to get a business bank account to do business with like the world. But since this service is all cryptocurrency based, you don't need a bank. And autonomous means the company can continue
to operate without anyone controlling it. Tornado Cash was one of these dows. It was decentralized and autonomous. It existed only online and was capable of operating all by itself. This is another new thing in the world that didn't exist 10 years ago. These dows exist online only. It's a business that isn't seated in any specific country. Why should it be? If people are getting paid from a Dow, then those people can just report their income on their taxes and say their
contractors for that organization. So the US federal authorities were mad that hundreds of millions of dollars were stolen and then sent through tornado cash. They wanted to seize the funds and shut down the service. But like I said, tornado cash was built in a way that it was impossible to turn off and they never had control of the funds ever. So the only tool the US authorities had to try to stop it was to sanction it. Which I don't even think you can sanction an app,
a piece of code. I mean, it's still there on GitHub for anyone to see right now. So if it's illegal, why is it on GitHub? And code is just words and symbols. So in essence here, they've sanctioned a bunch of words that in a certain combination has meaning. So can you even sanction a page with words on it? It's in there like a free speech violation and here's somewhere. But not only did they sanction the code, they decided to arrest the people who started it. But what was their intention
for starting tornado cash? Because as I said earlier, in the world of cybercrime, intention matters. It really does. And well, there's two sides to this. You can go on the back of what they've said and what they defend to say, which is this was a privacy preserving tool. The intention was never to enable money laundering. However, the counter-argument from the authorities, which they're making very strongly and in court, is it doesn't matter if you're going to run a money transmitting
business that's dealing with as tornado cash was hundreds of millions of dollars. You are obliged to think about money laundering. You can't just naively set the thing up and hope no criminals are going to use it. That's not how it works, buddy. You have to obey money laundering laws. So we've got arguments on both sides. We've got arguments. The intention was never there. We've got the argument on the other side saying, it doesn't matter. You're on the hook for this if you set up
these businesses. As you can tell, I'm being diplomatic about this, A, because as legal for you, it's about it. B, also because I hear both sides. I do genuinely hear both sides. And that's the thing. It's a fascinating debate. So that's a fascinating story. The police are saying intention doesn't matter here. The act of creating open source code and putting it on the blockchain to help make your financial transactions private was illegal because someone misused their tool.
And I want to point out here that the US government isn't clear on whether cryptocurrency is even money or not. The commodity futures trading commission, the CFTC, classifies it as a commodity. The SEC classifies it as a security. The IRS classifies it as property. And Fin Sen, the financial crimes enforcement network, classifies it as money, which is what requires people to follow the anti-money laundering laws. The government has made all this so confusing.
I hate being in this position. I don't want to take this side of criminals who stole this money. But because I want to live in a world where financial privacy exists, I feel like sanctioning privacy tools hurts me. But the cost of that. That's saying, if you do 100% privacy, you have to protect people you don't like as well. It's fascinating debate. This is why it goes round and round in my head and the same way it
sounds like it's going in your walls as well. Because the money transmitting rules they were supposed to follow was KYC, which stands for Know Your Customer. For them to operate this legally, they would have had to ask everyone who uses a service for their real name, identity, upload your drivers license, tell them your address. And when you do all that, now it's not so private anymore. Well, now creators have to maintain a database and a whole back end full of people's personal
information. I don't want my personal information in a database somewhere just so I can privately buy a cup of coffee. The best privacy tools are the ones who know nothing about who I am. When the financial system becomes a surveillance system, we start having big problems. Look at China, for example. They have this social credit system where if you do things the government doesn't like, they can restrict what you buy. They can also see everything you buy and make
judgments about your character based on it. Restricting other areas of your life or even targeting you as a problem citizen, a government that is watching your every purchase is not encouraging of a free society. I mean, let's look at some legitimate use cases for why you'd want to use tornado cash to hide your transactions. You heard me say that I like to have this buffer between my public life and my private life. The internet is a big, old, dangerous place and if you don't believe me,
listen to the previous 146 episodes of this podcast. It's important that we secure our stuff and take our privacy seriously. Also, imagine going to buy something from someone and as soon as you give them the money, they can look to see how much money is in your bank account and all your previous purchases. This is how Ethereum works by default, so we need a way to shield our purchases from the rest of our transaction history. You heard how Vitalik, the creator of Ethereum, wanted to donate to
Ukraine but wanted to do so privately without anyone knowing. There's another reason. He's a public figure. He wants to keep his political activities to himself. There are nonprofits that I know of who go to great lengths to keep their donors private because donors don't want the public to know what causes their giving towards and don't want any extra solicitation from people asking them for more money. But I keep thinking about stories of people living in oppressive regimes,
China, Russia, Iran. If you live there and speak up against the government, you could easily go to jail and these governments want strict control over their citizens so monitoring financial transactions is crucial to keeping a strong grip on them. So the centers and activists in these countries absolutely need a way to send and receive money in a private way. To support their cause and educate people in the atrocities of their own government, their life depends on private financial
transactions. Churches and charities don't care if you deliver them a big bag of cash as an anonymous donor and that's none of anyone's business if I want to donate anonymously, I want the same thing for digital transactions. I think taking down privacy tools like tornado cash hurts regular people. Which was exactly the basis on which the crypto campaigners sued the United States
Treasury and Janet Ellen individually after the sanctioning of tornado cash. This decision to sanction tornado cash went down very, very badly with large sways of the crypto community as to be said. For exactly the reasons you've outlined, one of the key arguments in a fascinating argument is to what extent are you responsible for the downstream effects of code that you create and make available? The people who saw this decision by the Treasury of the US Treasury of Distinction
to NEDO cash said, well, you can't sanction code. You can sanction the person who misuses the code. If somebody gets stabbed, you don't prosecute the person who made the knife, you prosecute the person who did the stabbing. That was the argument on which the US Treasury, one of the arguments on which the US Treasury was being sued. The other line of argument was that code, as you said, is
freedom of speech and freedom of speech is constitutionally protected. Those cases, by the way, that the attempts to sue the Treasury over its decision on tornado cash got rejected, have not done well, but are being appealed as far as I'm aware at the moment. They lost in the first, at least one round, maybe two rounds, but they're continuing that campaign because they argue exactly the same as you're saying, which is, this is code. You don't prosecute code because if you
do, you dampen freedom of speech, you stop people inventing code. There's a chilling effect. That's the risk here, and that argument's still playing out in the course. I wanted to take a step back here and note that this story wasn't possible like 10 years ago. This is such a novel new world we're in. Money used to only be physical, but with credit cards, it's turned virtual. With everything being online today, we need digital money. Money used to be controlled by governments, but now
with cryptocurrency is controlled by the people. It's like we're in the middle of a major revolution here. Money is power, and the governments are losing their power as cryptocurrency becomes more widespread. So of course, they'd want to put up a fight against it. Now with smart contracts and dows, businesses can be fully autonomous and always online. How crazy is that that a company can exist and make money as an act as an online service and it doesn't need to be maintained or controlled
by anyone? This is an entirely new kind of problem for the US government to deal with, and they don't really have a good way to combat against it, other than sanctioning the code. If you aren't familiar with how sanctions work, it means the US Department of the Treasury's Office of Foreign Assets Control, which is OFAC, has declared that you are forbidden to interact with tornado cash. If you do, you might get arrested, but it also means your money may become frozen if you send it
to an exchange. I mean, typically when I buy things or go online, I don't ever think about whether or not I'm violating sanctions. Like, for instance, if North Korea is sanctioned, I don't expect North Korean made goods to be in my supermarket where I can buy them and break sanctioned codes or something. I assume the shop owner knows not to buy sanctioned items to try to sell them to me, so it's completely off my radar. Here's a situation which I think is the first time ever that an
online application is sanctioned? This is unprecedented. And so now, I don't know how to navigate this world. Am I supposed to check the sanctions list every time I go online, visit a website, buy something, use an online service? This breaks my brain. You are clearly not the only person who feels this, because in the wake of the US government sanctioning tornado cash, somebody clearly felt even more, felt very concerned by this and very put out by it and thought the whole thing
was ridiculous, this idea of sanctioning. And so they set up a stunt, which is another bizarre wrinkle to this story and intriguing one. So the thing about tornado cash is even though the US government sanctioned it, it's still up and running. You can still use it, it's code on the internet. The website went down, but that doesn't matter because the protocol, you can still send money to the protocol effectively and it will do what it's programmed to do and effectively
mix the money and anonymize the money. So the thing about that is, if I know Jack, you're a theory of wallet address, I can use tornado cash to send you money and there's nothing you can do about it, it just gets sent to you automatically. So someone somewhere, we still know who did this, and I'm on wake for the day, actually, Jack, when they turn up on your podcast, somebody took $50,000 and started randomly sending it in tiny bits, tiny, tiny amounts to anybody who was famous
who had an Ethereum wallet, including Jimmy Fallon, the comedian Jimmy Fallon, Shaquille O'Neal, basketball star Shaquille O'Neal, they started receiving and of course it shows up on the blockchain, you can't hide it because you see Shaquille O'Neal's address and you can see it's received money from tornado cash, that's all logged. And so technically, technically, I guess you could argue Jimmy Fallon and Shaquille O'Neal have breached sanctions or sanctions dodging or and they got to guess you
can say they should be prosecuted for that. But the whole point of this exercise was to show how ridiculous it was that anybody, even famous people who've done clearly nothing wrong, can then as a result of this sanction or tornado cash get implicated in sanctions busting, the idea was just to illuminate how ridiculous this was. And so I don't know what Jimmy Fallon Shaquille O'Neal had done about that, but it's tricky. It was fascinating sort of stunt that
emerged as part of this. So North Korea sent about $450 million worth of crypto to tornado cash to try to mix it. As cryptocurrency tracing companies who claim they left it in for about four weeks and then extricated it, what we don't know of course is who it went to their after. So you can with mixes, I mean particularly when you're mixing a huge amount like for 50 million, there were companies that track crypto, one of the things they do with mixes is they look at the
amount going in the amount going out. Now you can't link this cryptocurrency payment is linked to that one going out, but you can see the volume and you can see the amounts going in the amounts going out. And so I think that's what they've done is they've looked and gone look for 150 million goes in, we can look at the outflows and show enough for weeks later, 450 million comes out to put it in very simple terms. And so that money is now somewhere in cryptocurrency wallets. The other
interesting thing is well then who do you take that to to cash out? You've got to say to somebody what you know here's here's $450 million which came from tornado cash. Don't know where else could you transfer that and change it into pounds or dollars or you are or whatever. There are people out there who'll do that. No questions asked that they'll take a big cut. But doing that to $450 million, you've got to have some brokers that've got some serious
liquidity on their hands to be able to change that. So the theory I think from some people is that there's a bit of a glut now of stolen money that the North Koreans are accused of stealing that they're trying to cash out. But they can't cash out quickly enough. There's nobody can you know who can buy it off them for the phone and 50 million or whatever they need. So that's where
that's ended up all that money. I guess a chop shop won't even work here because it's where like you stole it a giant bus and no matter what color you change it you're going to look like a giant bus coming out the other side. Yeah, yeah exactly. So ideally what a chop shop that can convert your big yellow bus into you know a bunch of tiny little smart calls or whatever. So just going back as well this idea that tornado cash was sort of leaderless is now being thoroughly challenged in the courts.
The first thing that happened was a guy called Andre Pertsev was arrested in Holland and accused by the Dutch government of running tornado cash. Women's Seminoff is also indicted by the US government. He's believed to be in the Russian Federation so hasn't faced trial. I've tried to contact with Man Seminoff. I've heard back from him. Subsequently after the sanctioned of tornado cash the US government charged with Man Storm who's in the US and is I think currently
being tried and is imprisoned. Again, fascinating trial. The same arguments are coming up in his trial as we've talked about. People saying look he did not run this. He was trying to preserve privacy. That's why he set it up. Now going against that idea that these guys didn't run in inverted commas tornado cash. It's a slightly inconvenient fact which is that according to the US government they owned a lot of the voting tokens and crypto tokens inside tornado cash. So the way this works
is you know tornado cash is leaderless. It's done by vote. Any changes to tornado cash get done by vote using tokens. I think part of the US government's argument is we'll hang on. A lot of those tokens were in the hands of these three individuals. So they may say they didn't have control but actually we think they did. Also they say that they were still making money out of tornado cash. So all this leads to trying to knock down this argument that the defendants have which is that
oh we didn't run it. The US government is saying no you did run it and here's the evidence why. So the guys who started tornado cash two have been arrested and in May of this year the first verdict came in. Alexi Perzsev was tried in the Netherlands and the judge found him guilty and sentenced him to five years and four months in prison. The cops took his Porsche and 1.9 million euros in
cryptocurrency. The press statement from the Netherlands government says quote tornado cash is not a legitimate tool that has unintentionally been abused by criminals and quote not a legitimate tool. In fact the judge said specifically he could not find any legitimate use for this tool as if privacy itself is a crime. What's fascinating about this it sort of starts with the hack on a video game to do a salamanders and it ends up in this kind of epic battle royale over freedom of
speech and privacy and yeah I find it really really fascinating. It's almost like it's almost like the kaleidoscopic story you look into it and it's got everything in it. Yeah we've gone all over the road here haven't we. How are you going to let it come down? I do not envy you that that's awesome. Another way to look at this is that the feds are saying that the developers of the tool
are responsible for how users use it and that's a bit crazy if you ask me. It's like saying a lighter company is responsible anytime someone uses their lighter to commit arson or a drone maker is responsible anytime someone uses their drone illegally like spying on people flying in the wrong aerospace or dropping a bomb on someone or it's like saying a VPN provider gets arrested shut down sanctioned because some of their users went online and did something illegal or my goodness
is an encrypted messaging app responsible for people doing criminal activities on it. I mean we know criminals use iPhones Apple knows criminals use their phones in all these cases the tech itself is neutral and it's up to the user to use it responsibly governments have never faced anything
like this before and they simply have no precedent to act on here and in my opinion are just drawing really fuzzy lines arbitrarily they can't even come to a consensus on whether cryptocurrency is money or not the worst example you could possibly think of maybe you know with the exception of
child sexual abuse one of the worst examples you could think of would be you know a country using this kind of technology to get nukes as like oh yes we've got that so it's it's almost like your your privacy defending hat your privacy defending head is being put to the most extreme test
is like you want privacy right what about North Korea nukes it's almost like that's immediately what's happened is it's gone to you know what you arguing with somebody and they just go to the most extreme example of comparing you to Hitler or whatever it's like that's happened now it's North
Korea what are you going to say now it's yeah fascinating genuinely fascinating okay I don't buy that argument why because all this happened and they didn't catch the real criminals here in fact I think even if they implemented KYC North Korea would just have used like some fake ID and it
wouldn't have helped catch them or slow them down at all North Koreans are still on the loose with their fresh and clean four hundred million dollars and they're the real criminals here go after them it's crazy that this story starts with someone stealing hundreds of millions of dollars
and the people who end up in prison are the privacy advocates and as I'm researching all this I had to refresh exactly what does money laundering mean the act of money laundering is to hide the cash you have that was involved in some illegal activity stolen money or drug money or something like that
me trying to hide my transactions isn't a crime it's only a crime if I'm trying to hide criminal activity and by the way tornado cash despite being sanctioned is still up and running because that's how it was designed fully autonomous and decentralized in fact there's YouTube videos out there that explain how to still use tornado cash despite it being sanctioned basically showing you how to get around sanctions I mean videos like that surely should be illegal right and it just makes me wonder
these sanctions have any teeth at all if if you ever hear of anyone who gets arrested for violating the tornado cash sanction please tell me I would love to know because what's the point of all this if the government isn't going to enforce the sanction at all because it almost feels like the
government is powerless here it has no ability to stop or control cryptocurrency or from people using apps like this this is what permissionless money is like and I don't see any evidence that the government is even trying to enforce sanctions the sanctioned code is still there on get up
YouTube happily hosts videos on how to avoid sanctions and still use tornado cash what is happening here just a month ago the SEC approved the Ethereum ETF this means you can buy this stock on the regular stock exchange and they'll buy ETH for you it's a way to invest in Ethereum without actually
holding Ethereum so there's this wallet out there which holds all the ETH from this ETF well guess what as soon as the internet figured out which wallet is holding the money for the ETF someone sent a whole ETH token worth over $3,000 through tornado cash and then to the ETF wallet which in my
opinion means the wallet is now violating sanctions and can no longer buy or sell on an exchange they did it to protest these sanctions to show that there's absolutely no way to enforce this and I guess this means tornado cash one there's no way to stop it or to stop people from using it
and so today there's still millions of dollars flowing through tornado cash it's gone down don't get me wrong that the amount it's processing has has gone down and therefore it makes a less efficient mixer you know that you want your mix to have lots of liquidity lots of volume going through
the less it's used the less efficient of a mixer it's going to be however it is now a criminal mixer and so you know it's a sanctioned mixer going to the US government and so anybody uses it it's going to be a cook what that means of course is if you use tornado cash you're going to really
struggle to send the money onwards because whoever sees money coming that coming at them from tornado cash is going to go no way I'm going to accept that unless it's somebody who doesn't care about dating with sanctioned entities in which case you know you're even a slightly murky world
it is a very murky world because let's say hey I'm selling something online and someone's like I'll buy it and they send me the cryptocurrency that's been mixed through tornado cash am I supposed to say oh wait a minute before you send me the money let me analyze your wallet
to make sure it doesn't have any sanctioned crypto in it this is bonkers this is like running the serial number on every dollar bill you ever get to see if it's ever been used by someone who's been sanctioned in the past that would be a nightmare to have to do yet that's what I feel like we
have to do from now on yeah so suddenly I'm wondering why the US has even involved right so axiomfinity is based in Philippines so I could see the Philippine police being upset Vietnam Vietnam and okay so the V I could see the Vietnamese being like all right we got a sanction
this because we don't have any other way right and then you've got the creators of tornado cash they're not US based are they yes romance storm is based in the US but actually at the point where they sanctioned it I don't think that had been confirmed I look with sanctioning sanctioning
is a really interesting power in that basically anytime money transfers across the US the US can exert control in terms of so it's extremely difficult to avoid if the US government wants to go off to your sanctions you know it's extremely difficult to avoid that's the US government argument
is look there would be US users using this service you know money transactions would have gone across the US territory also as far as I'm aware sanctions the sanctions dodging accusations that the US puts the hot the foot of North Korea gives the US government huge scope to go after it
around the world wherever North Korea tries to dodge sanctions it seems the US government can go with its sanctions legislation so yeah it seems odd but in a way it doesn't surprise me at one one job that the US has managed to try and do this right I don't know if there's the word
tread cry but traditional crime is based with you know people in countries and those countries can deal with that or whatever and here we have a new kind of crime which is there is no boundary there is no country there is no head of some company there is no person controlling the code
I don't know if it is a crime like we haven't even established that there's laws that are established to avoid money laundering that may have been what's going on I think it's another person another country that did it right so it's but this is why sanctions this is why sanctions
are such a useful weapon and why the US is resorting to more more we've had Bitcoin fog there's a prosecution in that case recently another another crypto mixer this is why the US government is using them is we can't nick these people we can't lock them up but in handcuffs most of the time
we can use financial frankly financial warfare this is what we do now we need to war for you we can't please the code we can't please the people but it's all about money so we are just going to use that sanctions power which is a really big board power to use it as soon as I started
seeing this and I started realizing what was going on it's that that makes perfect sense you know you've got you've got so few weapons to bring to the battle but you've got this weapon and it's really good and you can use it wherever it makes perfect sense and you know as I was researching
this episode I saw more stories like this another privacy service just like this called Samurai Wallet was also shut down by the US federal authorities and the people who started it were arrested this was a coin join on the Bitcoin network which isn't the same as the smart contract system
but it is autonomous system and it's non custodial and it was also open source and here you have people who have contributed to an open source project or get arrested because the feds are accusing them of running any legal money transmitting service and as my eyes become tuned into this
I'm seeing more and more stories like this the Phoenix Wallet decided to remove themselves from the App Store not saying a reason why Ibex pay is shutting themselves down not saying why either men of mass received an enforcement action letter from the SEC and their countersuing the SEC
over that something big is going on here privacy advocates have fought the government in the past before and one the story of Phil Zimmerman comes to mind Phil created a fantastic encryption program called PGP which allowed you to send an email to someone encrypted so only you and the receiver
could see what was in it yeah well the US government hated this kind of encryption that gave us privacy encryption that's only for the military how dare civilians try to use it so they classified PGP as a munition and they called it a regulated arm as if it was a weapon which allowed them to say
look Phil unless you get an arm's export control license you can't go distributing encryption code online because you know what happens of criminals use it they could hide their communications nobody wants that right the FBI began investigating Phil well the privacy community was outraged
that the government was restricting us from encrypting our own messages when they started being vocal about how important privacy was someone suggested to Phil that he should publish the PGP code in a book and feels like what why it's program it's code just downloaded online Jesus if I were
to put it in a book it would take 800 pages to print it but the thing was books weren't considered regulated munition books were protected under free speech law so if he were to publish the source code in a book that would give him protections that what he's written is just words and not in
factor regulated arm so he published it in a book and it was 800 pages of code well enough people voiced their support for encryption and privacy that the government finally gave in and let Phil off the hook and even took encryption off the regulated arms list it was a big victory for our
privacy and thank goodness because encryption is inherent in everything we do online now even what you're hearing right now this podcast was delivered to you encrypted so that anyone who intercepted the packets along the way wouldn't know what you're listening to it would have been
illegal for me to use encryption on this podcast in the 90s without an export license I did a whole episode on this actually that's episode 12 called crypto wars what Phil showed us is that code can be printed in a book and if it's printable like that it's protected on your free speech and so once
again it's unprecedented that the government would put a sanction on code which has always been free speech until now until now I don't know the crypto space is so complex that if I sent it to your wallet and you sent it to my mom's wallet and she sent it to my wallet and then I sent it
to the exchange is the exchange going to know that still came from tornado cash very good question and that comes down to how much liability the exchange has so in the situation described there that's what four hops I think given that cryptocurrency tracing is fairly well developed I think the
authorities would say well hang on you should still have known it came from that but if you're saying about 100 what hops or a thousand hops maybe that's enough hops that the authorities say well yes you had no way of knowing this okay well then we just took it transfer to polygon and then
back to eth and now you've got a new wallet and it's I don't know if that's traceable I think there's just a lot of ways to get around that even still now you're thinking like a money laundromatia that's that's why I hope we get in this conversation way you finally that's what the book's about
yes the book now Jeff has released a book called rinsed which goes into the modern ways criminals are laundering money it's full of things that make you think about the new future that we're facing I deviated quite a bit from it here but what Jeff told us today was a single chapter from the book
so you can imagine how much more you learn from getting this book and diving in so go read rinsed today and let me know what you think of it and I'll leave you with this very important warning from the FBI which was issued April 25th 2024 this is psa i-042524 the FBI warns Americans to
avoid cryptocurrency money transmitting services that do not collect your name i.d address another personal information to me this is a kin to the FBI advising against driving on roads without license plate readers or walking on sidewalks without facial recognition cameras it's like being
told not to wear sunglasses on a sunny day or to avoid using curtains in your house by cautioning us against privacy tools they aren't just infringing on our rights they're asking us to live in a glass house exposed and vulnerable this isn't just a warning it's a push towards a future where
privacy is a relic of the past is that the world we want to live in a big thank you goes to Jeff White for sharing this story with us you can find a link to his book rinsed in the show notes go check it out this episode was created by me the firewall
fidgeter jack recider our editor it's the router rigor tristan ledger mixing done by prexemity sound intro music by the mysterious break master cylinder i was moving my stuff the other day and i had to carry my computer down some stairs but i dropped it and it tumbled down the stairs smashing itself
to bits all the way down at the bottom of the stairs was just a big mess of broken parts the only thing that was salvageable was a stick of ram so at least i have the memory of it this is dark net diaries