I assume they stole just anything they got.

I'd assume any attacker would at least transfer everything to a BTC/whatever address generated offline, then figure out later how to launder it.

I'd love to read more about these money laundering operations like Tornado Cash. Are they just straight up 100% fraud companies? Do they have any pretense of a legitimate use case or does everyone just understand they're used for criminal activity? Are they regulated at all? I assume you have to trust your magic beans to them at some point; do the money launderers sometimes just steal them? What do they charge for their service?

Tornado Cash is a smart contract system that allows you to send fixed denominations of Ethereum, and receive a cryptographic "note" that allows someone who knows the note to withdraw the same amount of Ethereum from the smart contract.

Since zero-knowledge cryptography is used to ensure the generated note cannot be linked to the depositing transaction, it can be used to send money to yourself or another person without revealing the identity of the sender. There are criminal and non-criminal reasons to do this.

Because it is a smart contract system, you do not have to trust a person or organization with the money. You do have to trust the smart contracts defining the system are correct. The smart contracts are publicly available to read and have been reviewed by many people, including software audit organizations.

Interesting! I’m surprised the regulated exchanges don’t blacklist coins connected to that smartcontract because of the ease of facilitating laundering.

Since all crypto on smart contract platforms tumbles around in defi and the various decentralized exchanges all the time, this would effectively prevent anyone from depositing their crypto to those exchanges, which would make the exchange unusable.

To expand on that, say someone withdraws ETH from Tornado cash and purchases an NFT with it. The seller of the NFT then swaps their ETH for USDC on a decentralized exchange (the ETH then goes into a pool). Later, a liquidity provider to the ETH/USDC pool withdraws liquidity from that pool, and sends their ETH to an exchange, let's say Binance. If Binance blocked such deposits (and especially if they did so without refunding the user on-chain), no one would use Binance, and they'd also be the target of a lot of lawsuits.

It requires users to pay gas fees when making deposits, as well as for the services that "obfuscate" the withdrawals. Thats the payment. You trust that the nodes will obfuscate the transactions to receive the fees. The rest is basic smart contracts execution.

The compliance topic is tricky and deceptive. Only the user with a "Note" is able to link deposit and withdrawal. With this note the user can generate a proof of origin. This makes tornado cash compliant enough.

E.G. If the withdrawal address is under Money laundry suspicion, it may be urged to provide the origin of the transaction. That is possible [1] but there is no way of a 3rd party to Tag an account as "suspicious" based on the Tornado chain information (due to the obfuscation done by the Nodes that are getting the fees).

As far as I understand there is no accountability. The regulators would have to persecute all the nodes for helping out with the laundry. But there is no way for the nodes to know they're participating in laundry. So they cant be persecuted. Regulations needs to be invented for this kind of schema.

Please someone correct me if I said anything wrong. Im not an expert is just my conclusion based on some reading.

[1]: https://tornadocash.eth.link/compliance/

tornado.cash is a legitimate service, that happens to be used by hackers that steal ethereum.

Check out their code on github.

That's a pretty funny definition of "legitimate". By that standard, all of this malware is legitimate too! https://github.com/ytisf/theZoo

I'm sure someone can come up with some legitimate use for those. We came up with 'Linux isos' for torrents after all

How is it different from “TOR/some VPN is a legitimate service that happens to be used by some hackers to cover their tracks”?

If you don't need financial privacy can you please post your bank statement here for everyone to see?

That's quite an evasion of the question. Yet more evidence that there's approximately no legitimate use.

But I'm on record as being in favor of full financial transparency for everybody. Every charge, every bank statement. Money, after all, is inherently social. And full transparency, while causing some problems, would eliminate a ton of others. So if you can get a legislator to submit a bill, I'll happy call them up to back it.

I wonder what percentage of their total volume it is that “happens” to be used by hackers.

People who are not criminals deserve transaction privacy, as well.

What would be the point of "transaction privacy"?

Odd statement. It is on par that all your bank statement should be public and easily viewable. It is on par saying that people do need digital privacy at all, as they have nothing to hide. And those are trying to hide are really 'bad people'. Monero/Zcash/Dash/Firo/etc are used by legitimate users to hide their transactions from public blockchain.

Your bank statement is not private, your bank has it. You can pay with cash, but the other customers can see you right there paying, so that's not private either. I understand the need for private communications, but private transactions don't seem to make a lot of sense.

To avoid getting kidnapped and tortured because your crypto portfolio is visible to everyone?

There are plenty of examples of that: https://github.com/jlopp/physical-bitcoin-attacks

Haha tell that to the IRS they'd love it.