Cryptohack Roundup: Tornado Cash, Privacy Pools
Also: Web3's August Losses, Stake, Binance
Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, Tornado Cash's co-founder reportedly pleaded not guilty to all charges, Vitalik Buterin and others published a law-abiding alternative to the sanctioned mixer, a report says hackers stole over $23 million in August, Stake resumed operations after a multimillion-dollar hack, Binance is set to delist privacy coins in Belgium, and a U.S. judge has made new orders against Celsius CEO Alex Mashinsky.
Tornado Cash co-founder Roman Storm pleaded not guilty to charges of money laundering, U.S. sanctions violations and operating an unlicensed money transmitting business, Inner City Press reported. His alleged co-conspirator and mixer co-founder Roman Semenov, who was also accused of helping North Korean hackers launder stolen funds on the platform, is at large. Tornado developer Alexey Pertsev, who was arrested in 2022 on similar charges, was released from jail in April and is currently under house arrest, awaiting trial.
A new research paper proposes an alternative to Tornado Cash called Privacy Pools that would give users financial privacy while being compliant with regulations. The paper is co-authored by Ethereum co-founder Vitalik Buterin, developer Ameen Soleimani, researcher Jacob Illum from Chainalysis, and academics Matthias Nadler and Fabian Schar. They describe the protocol as "a novel smart contract-based privacy-enhancing protocol" that uses zero-knowledge proofs to determine if the funds on the platform originated from lawful sources without revealing the complete transaction history, filtering transactions linked to illicit activities.
Web3 August Losses
Hackers stole $23.4 million in August, and Coinbase-incubated Base network, Ethereum and BNB Chain accounted for 62% of all chain losses in the month, bug bounty platform Immunefi said. Hacks made up nearly $15.8 million of the August total, while fraud accounted for $7.6 million. Decentralized finance became the primary target, and centralized finance steered clear of "major exploits." So far in 2023, Web3 companies have suffered a total loss of $1.25 billion across 211 cybersecurity and fraud incidents, the report said.
Crypto betting platform Stake said it had resumed transactions on its platform five hours after hackers pilfered millions of dollars from it on Monday. The company did not detail the cause of the exploit or how much was stolen, but said that user funds remained safe. Blockchain security firm Beosin estimated the theft amount to be $41.35 million.
The FBI attributed the theft to North Korean state hackers known as the Lazarus Group.*
Binance is set to delist privacy coins in Belgium on Sept. 21, months after it halted trading of the tokens in France, Italy, Poland and Spain. The delisted coins include Monero, MobileCoin, Firo and Horizen. The company confirmed the move to The Block. Privacy coins anonymize transactions, making it harder to track the source and destination of funds, as well as the transaction value - a feature that makes the coins attractive for hackers looking to launder stolen funds.
A federal judge on Tuesday ordered that law enforcement freeze bank accounts and property connected to Alex Mashinsky, co-founder of bankrupt crypto firm Celsius Network. District Judge John G. Koeltl of the U.S. District Court for the Southern District of New York said the Department of Justice could freeze the former CEO's accounts at Goldman Sachs and Merrill Lynch under the names of holding companies as well as accounts at First Republic Securities, SoFi Bank and SoFi Securities under his own name. Also included in the order is a house in Austin, Texas, which has been for sale since July 2022, around the time the company filed for bankruptcy. The company is no longer allowed to do business in the United States following separate actions by the Federal Trade Commission and the Securities and Exchange Commission in July.
*Update Sept. 7, 2023 20:02 UTC: Adds FBI attribution of Stake.com theft to the Lazarus Group.