
Forbes: Did DCG Profit from North Korean Hackers' Money Laundering Activities?
DCG received approximately $430,000 in funds from the mixer Railgun since June last year.
By Javier Paz, Forbes Staff
Translated by Luffy, Foresight News
In the world of cryptocurrency, privacy is a major concern. For those who wish to conceal certain activities, tools known as cryptocurrency mixers help asset owners hide their identities. Mixers work by pooling deposited cryptocurrencies, breaking the link between the funds and their original wallets, thereby obscuring the source of the money. In 2022, the most "notorious" mixer, Tornado Cash, was added to the U.S. Treasury's sanctions list after being accused of laundering billions of dollars for criminals, including a hacking group from North Korea.
U.S. law enforcement says a North Korean hacking group called Lazarus Group has been using mixers such as Blender.io, Tornado Cash, Railgun, and Sinbad.io to launder stolen cryptocurrency. The chart below shows that mixers have been used to launder $700 million in stolen funds from blockchain applications like the online game Axie Infinity, wallet software Atomic Wallet, and the cross-chain bridge Harmony Bridge. Harmony Bridge is a tool allowing users to transfer token assets from the Harmony blockchain to other networks such as Ethereum. According to The Wall Street Journal, Lazarus has stolen more than $3 billion worth of cryptocurrency in total.
The following chart lists, in chronological order, some incidents involving hackers (in red) and mixers (in green) suspected of money laundering. The green figures do not always match the red ones because the amount stolen does not necessarily equal the amount laundered, and some funds may be laundered multiple times.
Lazarus Group Cryptocurrency Hacking Incidents. Data sources: FBI, U.S. Department of the Treasury. Compiled by Forbes.
The Harmony Bridge hack stands out because Railgun, unlike the other mixers mentioned above, has not yet been sanctioned by U.S. authorities. The Treasury did not respond to requests for comment on Railgun. However, new information suggests that Digital Currency Group (DCG), the firm behind Grayscale (a fund managing $25 billion in crypto), may have profited from laundering via Railgun. A two-month investigation by Forbes, supported by data from blockchain intelligence firm ChainArgos, found that DCG received $436,906 from Railgun between June 2023 and now. This represents 18% of Railgun’s total payouts of $2.4 million during that period. According to crypto forensics firm Elliptic, the Railgun mixer may have facilitated up to $60 million in money laundering by Lazarus Group in 2023. A DCG spokesperson declined to comment. Forbes repeatedly reached out to Railgun for comment but received no response.
The Harmony Hack
In June 2022, the North Korean hacking group Lazarus Group stole $100 million in cryptocurrency—including Ethereum, USDC, WBTC, and 11 other tokens—from Harmony’s blockchain bridge, according to the U.S. Federal Bureau of Investigation (FBI). The attackers exploited a leaked password from a cloud storage service belonging to a bridge administrator, then used it to steal private keys protecting customer asset transfers. Elliptic stated: “The stolen funds sat idle for seven months before being sent through 71 accounts to Railgun relay contracts totaling 41,647 ETH between January 11 and 14, 2023.” Lazarus Group’s exit strategy from Railgun was traced back through “184 intermediary accounts, then deposited into multiple centralized crypto exchanges using 19 deposit addresses, primarily flowing into Huobi, Binance, and OKX.”
On April 16, 2024, Railgun, headquartered in the UK, denied these alleged mixing activities, calling them “false and inaccurate reporting.” Nonetheless, Railgun saw a dramatic spike in usage and fees at the beginning of 2023. Historically, Railgun processed between 1 and 5 ETH per day in mixing volume. On January 13, 2023, this surged to 41,000 ETH—coinciding with the suspected laundering—and Railgun has never approached that level since.
DCG’s Investment in Railgun
In January 2022, DCG invested $10 million in Railgun and received 5 million RAIL tokens—the native token of the Railgun network. Based on recent prices, DCG’s stake in RAIL is now worth $3.9 million, representing a loss of over 60%. DCG staked these tokens, meaning they locked them as collateral within the protocol, giving them voting rights on key future decisions and entitling them to a share of network fees paid by users. DCG’s RAIL tokens are stored across five separate Ethereum wallets:
- 0x5348b77cF55B90147CbB6a938e0058DD25cbF0CA
- 0x3decD5DA4bC6489dfe1e73d0469c59f281ED8811
- 0x54Aa22EaCB1da8Ee635Ab0E94C8DA77F49916b4E
- 0x02698237DDC5Cf63660DA2cfD10934C911433724
- 0xE82f012dd671f94094d0c33D9E8c99330D1D2B79
In addition, DCG donated $7.1 million worth of stablecoin DAI—pegged to the U.S. dollar—to Railgun’s protocol treasury for general operational use. “It’s rare for large investors to send funds to a fully decentralized DAO treasury without demanding management keys or a role in the multisig team,” said Edward Fricker, the lawyer who advised Railgun on the transaction, in a statement at the time.
Based on data from ChainArgos and Elliptic, Forbes calculated that the $60 million in transactions allegedly laundered by the North Korean hacking group would have incurred at least $260,000 in fees, which became available for withdrawal from Railgun’s fee pool by January 21, 2023. However, DCG did not claim its share of these fees until June 2023. During that time, 26 other wallet addresses had already withdrawn fees from Railgun.
Did DCG deliberately wait five months to distance itself from the alleged illegal activity? DCG did not respond to Forbes. Jonathan Reiter, CEO of ChainArgos, said: “Law enforcement would certainly not be pleased if you could legally collect fees generated from mixer-based money laundering simply by waiting a few weeks.”
But it doesn’t matter. Railgun’s code automatically binds accumulated fees to staking or recipient addresses. Matthew Sampson, co-founder of blockchain analytics firm Gray Wolf, said: “There is clear evidence that DCG benefited from the alleged January 2023 laundering event. The Railgun smart contract determines who receives rewards, and those rewards were reserved for DCG during that period—claimable at any time.”
The image below shows Railgun’s recent disbursement of fee rewards to DCG wallets. Not all of Railgun’s fee income comes from alleged illicit activity.

Railgun Rewards to DCG. Source: Data compiled by Forbes from Ethereum and Arkham.
The rewards earned from staked RAIL in the five wallets above were delegated to address 0xFED429FB7d243380B25bC11B10561D5A27f42D8E, through which DCG’s receipt of Railgun rewards can be tracked. Each receiving address received rewards in three types of tokens: stablecoin DAI (49%), governance token RAIL (30%), and wrapped ETH (WETH, 21%). One stablecoin unit equals one unit of a specific fiat currency—in this case, the U.S. dollar. The RAIL governance token grants holders voting rights on protocol proposals, similar to proxy voting in traditional stock companies. WETH is a “wrapped” version of ETH with equivalent value, enabling it to move across multiple blockchain protocols beyond its native Ethereum network.
DeFi Compliance Challenges
DCG’s alleged involvement in Railgun-related money laundering is just one example illustrating how decentralized finance (DeFi) applications in crypto—which replicate banking functions on blockchains—struggle to balance privacy tools with the need to block bad actors from their systems. Creators of these platforms often claim they are decentralized, thus uncontrollable and open to all. However, this argument rarely satisfies law enforcement, especially in the United States.
According to U.S. authorities’ October 2021 guidance on Bank Secrecy Act (BSA) responsibilities, “members of the virtual currency industry are responsible for ensuring they do not engage directly or indirectly in transactions prohibited by the Office of Foreign Assets Control (OFAC), such as dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.” A spokesperson from the IRS Criminal Investigation division, speaking specifically about DeFi projects, told Forbes: “These platforms require ongoing maintenance and development to keep pace with technology and prevent criminal abuse, which requires the companies behind DeFi platforms to monitor platform activity and ensure compliance with laws and regulations.”
Violations of the Bank Secrecy Act are often difficult to detect, partly due to understaffing within the U.S. government. “FinCEN has long been under-resourced, with at most 10 people overseeing thousands of money service businesses—including crypto exchanges—some of which process trillions of dollars annually,” said Amanda Wick, former DOJ regulator and head of Incite Consulting.
“Government resources are stretched thin while crime rises,” added Victor Fang, CEO and co-founder of blockchain analytics firm Anchain, who works closely with IRS-CI teams tracking financial crimes. “In the U.S. alone, law enforcement has 50,000 cases pending. How exactly are they supposed to use Chainalysis or other data providers to handle this workload? It’s impossible.”
Railgun appears to be developing a technical solution to improve compliance. In May 2023, Railgun partnered with Chainway Labs, creator of “Proof of Innocence,” to launch a new feature aimed at increasing regulatory alignment. The Proof of Innocence solution, also known as a privacy pool, allows users to voluntarily provide cryptographic proof that their tokens do not originate from sanctioned wallets. The idea is that legitimate users will opt in, while bad actors will avoid providing proof. The problem is that bad actors can easily create numerous new unsanctioned wallets, layered away from their illicit activities, to circumvent such systems.
“There can never be a permissionless compliant system; otherwise, you’ll always be one step behind when trying to blacklist or catch bad actors,” said Patrick Tan, General Counsel at ChainArgos.














