WEBVTT 00:00:00.800 --> 00:00:07.680 JACK: Alright, light’s red. We’re recording. Hey, Tortoni. You’re looking great today. Still 00:00:07.680 --> 00:00:17.160 writing, I see. See, here in my studio, which is just my closet, I have a picture on the wall made 00:00:17.160 --> 00:00:25.000 by Edouard Manet. It’s a picture of a fine-looking gentleman sitting at a table writing something 00:00:25.000 --> 00:00:31.240 down. I call him Tortoni, but that’s not his name. This picture has captured my imagination 00:00:31.240 --> 00:00:39.200 and curiosity for countless hours. I stare into it and I just fall into an abyss. But the thing about 00:00:39.200 --> 00:00:46.840 this picture is that it’s not the content or even who made it. It’s that this picture was stolen 00:00:46.840 --> 00:00:53.680 from the Isabella Stewart Gardner Museum back in 1990, and it’s never been recovered. I don’t have 00:00:53.680 --> 00:00:58.040 the original; I just have a print of it. But the thieves didn’t just steal this picture; they took 00:00:58.040 --> 00:01:04.080 a bunch of others, too, and this was the biggest single heist of all time. They estimated that 00:01:04.080 --> 00:01:13.200 the art that was stolen is worth $500 million, and it still remains unsolved. I’m looking at 00:01:13.200 --> 00:01:21.160 this picture on my wall right now. There’s a $10 million reward for it. Yeah, mine I just got from 00:01:21.160 --> 00:01:27.760 my printer for like, five cents. It’s always been weird to me how art has so much value. 00:01:27.760 --> 00:01:32.640 I just don’t see how this picture, which is not that much bigger than a regular sheet of paper, 00:01:32.640 --> 00:01:44.320 is worth more than a mansion. But that’s no longer the biggest heist ever, because in 2022, a digital 00:01:44.320 --> 00:01:53.960 heist happened which set a new record high. (INTRO): [INTRO MUSIC] These are true stories from 00:01:53.960 --> 00:02:18.594 the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS] 00:02:18.594 --> 00:02:27.320 JACK: Digital assets are fascinating to me. I’m no economist, but they behave in ways that don’t make 00:02:27.320 --> 00:02:34.160 sense to me. Let’s take audiobooks, for example. It takes a lot of work to make the first one, 00:02:34.160 --> 00:02:41.280 but then infinite copies can be made at zero cost after that. So, I don’t know, what happens 00:02:41.280 --> 00:02:47.840 when supply goes to infinity? It seems like the price would go down to nothing, but it’s not the 00:02:47.840 --> 00:02:53.240 case. Audiobooks are still $10, $20 each despite there being an infinite amount of them which costs 00:02:53.240 --> 00:02:59.360 nothing to make more of. That’s kind of wild, and you’d think that piracy would have destroyed the 00:02:59.360 --> 00:03:06.040 market for digital assets, too. With unlimited supply, demand should have gone way down. But no, 00:03:06.040 --> 00:03:10.640 the demand for digital goods is at an all-time high. Top-tier musicians are making more money now 00:03:10.640 --> 00:03:17.440 than they ever did before, and that’s because we all have mobile devices glued to our hands 24/7, 00:03:17.440 --> 00:03:22.960 and we’re continually thirsty for more digital content to consume. It almost seems like our 00:03:22.960 --> 00:03:28.640 whole lives are digital now; movies, shows, memes, music, books. Even the people we are closest to, 00:03:28.640 --> 00:03:33.760 we have a digital relationship with them. But I’m always wondering, of all the digital stuff in our 00:03:33.760 --> 00:03:41.200 lives, is any of it really ours to own? [MUSIC] Okay, so, I think anything that’s saved 00:03:41.200 --> 00:03:46.880 on your computer and you can use it offline — I’ll say that’s yours and you own that. 00:03:46.880 --> 00:03:53.760 Photos that are saved on your phone; that’s yours. Music saved in MP3 form; that’s yours, 00:03:53.760 --> 00:04:00.400 too. You own that. But the line is often blurry between what’s on our devices versus what’s on the 00:04:00.400 --> 00:04:06.360 internet. If you have an Android phone, it tries to get you to back up your photos to Google Drive, 00:04:06.360 --> 00:04:12.160 and it’s not always clear if your photo is on your phone or on Google’s servers. If it’s just 00:04:12.160 --> 00:04:18.800 on Google’s servers, then you don’t really own it, do you, since they have complete and full control 00:04:18.800 --> 00:04:24.640 of your photos. What about audiobooks? Let’s look at those for a minute. [MUSIC] Most audiobooks I 00:04:24.640 --> 00:04:29.240 listen to I can actually borrow from the library, and there are apps which let you check them out. 00:04:29.240 --> 00:04:33.400 You can listen to it for a few weeks and then return it digitally. It’s great. But often, 00:04:33.400 --> 00:04:38.600 my library doesn’t have the book I want, so I’ve got to buy it. When I buy an audiobook, 00:04:38.600 --> 00:04:43.680 the biggest marketplace for that is Audible, so I look there. What drives me crazy about 00:04:43.680 --> 00:04:50.120 buying books from Audible is, well, I don’t own that book, like at all. 00:04:50.120 --> 00:04:54.040 If I owned it, I should be able to save it locally, give it to a friend, 00:04:54.040 --> 00:04:59.800 donate it to my library, or resell it to someone else like a used audiobook. But all that is 00:04:59.800 --> 00:05:05.560 impossible to do through Audible. Of course, Audible could cancel your account at any time 00:05:05.560 --> 00:05:12.560 and you would lose all of the books that you ‘bought’. So, to me, the audiobooks that you ‘buy’ 00:05:12.560 --> 00:05:18.640 on Audible are not really yours. You don’t own them at all. So, let’s look at some other digital 00:05:18.640 --> 00:05:24.920 assets. How about my online accounts like Twitter or e-mail accounts or online gaming accounts? Do 00:05:24.920 --> 00:05:32.600 I own my Twitter username? No, I don’t think so. Twitter does, and they graciously let me use it, 00:05:32.600 --> 00:05:37.160 and at any moment they could terminate it or rip it out of my hands. I don’t have any actual 00:05:37.160 --> 00:05:41.880 ownership of it. Just look at what happened when Twitter changed their name to X; there 00:05:41.880 --> 00:05:46.640 was a user on Twitter who had the username X, and Twitter just ripped it right out of their hands 00:05:46.640 --> 00:05:52.760 and there was nothing that user could do to keep it, because Twitter owns everyone’s account. Yet, 00:05:52.760 --> 00:05:58.400 it’s interesting because even though you can’t own a Twitter account, they are still valuable 00:05:58.400 --> 00:06:03.640 and people are buying and selling Twitter accounts all the time. Let’s look at video 00:06:03.640 --> 00:06:08.480 games now. There are digital assets in video games, right? Imagine you’re playing an online 00:06:08.480 --> 00:06:12.800 game and when you level up your character you get all kinds of armor and weapons and gold. 00:06:12.800 --> 00:06:19.040 That character is yours, right? Well, I don’t think so. The game can ban you at any moment, 00:06:19.040 --> 00:06:23.800 and then what? What about those in-game items like gold and weapons? It feels like that 00:06:23.800 --> 00:06:29.680 stuff is yours, but it’s not really. You can’t save it offline or take it with you to another 00:06:29.680 --> 00:06:33.840 game. It’s strange because even though you don’t own that stuff in the game, 00:06:33.840 --> 00:06:40.560 those items still can have real-world value. I know I’ve bought an in-game weapon before for 00:06:40.560 --> 00:06:47.800 a hundred bucks. It’s ridiculous because I bought something I don’t actually own. [MUSIC] Alright, 00:06:47.800 --> 00:06:53.960 what about my website, darknetdiaries.com? Do I have ownership of that? Well, at first glance, 00:06:53.960 --> 00:06:59.320 sure. I purchased the domain and I can do whatever I want on it. I’m the admin. I can say what I want 00:06:59.320 --> 00:07:06.720 and nobody can stop me. But, no. First of all, I didn’t purchase the domain. I’m renting it. 00:07:06.720 --> 00:07:13.200 All domains have to be renewed yearly or every few years. Registrars control the domains and you pay 00:07:13.200 --> 00:07:18.720 them to get it. But then you have to keep paying them to maintain control of it. It seems like I 00:07:18.720 --> 00:07:24.280 don’t own it if I have to pay someone over and over to keep it mine. On top of that, governments 00:07:24.280 --> 00:07:29.920 can go to domain registrars and take over a domain that’s being used for illegal purposes. 00:07:29.920 --> 00:07:34.440 So, yeah, I’d say I don’t actually own my domain if someone else can rip it out of my 00:07:34.440 --> 00:07:40.280 hands like that or if it’ll expire after a while. But domains on the dark web are different. 00:07:40.280 --> 00:07:46.520 I’m talking about on Tor, the darknet. See, on the dark web, domains look awful. They’re 00:07:46.520 --> 00:07:51.440 a long string of random letters and numbers. You would never be able to memorize it, and then it 00:07:51.440 --> 00:08:00.280 ends in .onion. So, how do you get a domain on the dark web? Is there a central body like I can 00:08:00.280 --> 00:08:07.800 where you go to register domains with? Nope, no, not at all. You create the domain yourself. Yeah, 00:08:07.800 --> 00:08:13.880 that’s right. You generate a private public key pair, and that public key is your domain name. So, 00:08:13.880 --> 00:08:20.960 with this system, the person who has the private key controls that domain. Now, to me, 00:08:20.960 --> 00:08:28.800 this is true digital ownership and I love that. Unless someone comes and steals my key from me, 00:08:28.800 --> 00:08:35.360 nobody can ever take my .onion domain from me. It’s never going to expire and it can’t be seized 00:08:35.360 --> 00:08:41.560 by the feds. This is why a lot of people are drawn to the dark web, to have something on the internet 00:08:41.560 --> 00:08:47.800 that’s truly yours, and nobody can ever take it away from you. Another thing that I think gives 00:08:47.800 --> 00:08:53.960 you true digital ownership is cryptocurrency. [MUSIC] Not all money is like that. Your bank 00:08:53.960 --> 00:08:57.640 can refuse your service if they want. They can cancel your credit card and kick you out of the 00:08:57.640 --> 00:09:01.920 bank and freeze your money. I know PayPal has frozen my account before, trapping my money 00:09:01.920 --> 00:09:08.720 in there. But because cryptocurrency is built on decentralized blockchains, there’s no one managing 00:09:08.720 --> 00:09:14.240 it to kick anyone out or freeze an account or take over an account. Everyone and anyone 00:09:14.240 --> 00:09:21.600 is welcome at all times forever, and the best part is you truly own your crypto wallet. 00:09:21.600 --> 00:09:26.680 Because to get a cryptocurrency wallet, you just make it yourself by generating a random 00:09:26.680 --> 00:09:32.360 private key and then using that to derive a public key. When you do this, only you are the 00:09:32.360 --> 00:09:36.760 only person who’s ever seeing that private key, and whoever has that private key controls that 00:09:36.760 --> 00:09:42.560 public address or wallet. There’s no admin that can revoke your key or move your money without 00:09:42.560 --> 00:09:49.600 your permission. Your key is your key forever and ever. The blockchain is a fascinating invention 00:09:49.600 --> 00:09:54.160 and whether you love or hate cryptocurrency, the technology behind it is very interesting. 00:09:54.160 --> 00:09:59.880 Take the Ethereum blockchain, for example. It popularized something called smart contracts 00:09:59.880 --> 00:10:06.560 which allows people to add code into the blockchain, which means you can program money 00:10:06.560 --> 00:10:13.080 and even create apps integrated directly into cryptocurrencies. This is wild and it’s opening 00:10:13.080 --> 00:10:18.720 up a whole new future that we never imagined. For instance, people are making entire video games 00:10:18.720 --> 00:10:23.960 with these smart contracts where the whole game lives on the blockchain, which means the in-game 00:10:23.960 --> 00:10:31.040 currency is actually real cryptocurrency. Not only that, but the apps you make on the blockchain are 00:10:31.040 --> 00:10:37.200 truly yours, where nobody can ever seize it from you or stop you from making it. It’s time 00:10:37.200 --> 00:10:45.560 we step foot into this big, new, wild, digital world. I think the game Axie Infinity represents 00:10:45.560 --> 00:10:51.420 a fundamental shift in video game development. I spoke to Geoff White about this game. 00:10:51.420 --> 00:10:55.680 GEOFF: Hi, I’m Geoff White. I’m an author and investigative journalist, and I cover organized 00:10:55.680 --> 00:11:01.840 crime and technology. Yeah, so, Axie Infinity is not like the games that I used to play when I was 00:11:01.840 --> 00:11:06.280 a kid where they sell you the video game and then you go away and you play it and that’s it. Axie 00:11:06.280 --> 00:11:10.440 is an online game, as of course lots of them are, and you’re playing against other people online, 00:11:10.440 --> 00:11:14.960 which of course lots of games are. But the thing that made Axie different and quite radical, 00:11:14.960 --> 00:11:19.560 I think, for some people was that everything in the game was basically for sale. It was a 00:11:19.560 --> 00:11:24.160 whole marketplace. So, the way it worked was you have these Axies which are based 00:11:24.160 --> 00:11:29.680 on the axolotl salamander. You have a team of Axies, three Axies, and you basically 00:11:29.680 --> 00:11:34.600 wrestle them. You fight them against your opponent’s team of Axies, and if you win, 00:11:34.600 --> 00:11:41.600 you’re rewarded with Smooth Love Potion tokens which you can use to breed your Axies together 00:11:41.600 --> 00:11:45.720 to get them to be better fighting machines. It’s basically a bit like — do you remember those 00:11:45.720 --> 00:11:49.960 Tamagochi keyring things you had…? JACK: Yeah, I do; a little digital pet 00:11:49.960 --> 00:11:53.160 that you could level up and stuff. GEOFF: Exactly that. It’s like that mixed 00:11:53.160 --> 00:12:00.640 with WWF wrestling. So, that’s the idea. This game is hugely, hugely popular. 00:12:00.640 --> 00:12:04.400 JACK: Okay, so how — so, I need a team of three of them. How do I get 00:12:04.400 --> 00:12:08.200 one of them? What’s the process? GEOFF: You buy. You have to buy the team, 00:12:08.200 --> 00:12:11.960 and you can’t — as far as I’m aware — get one. You have to buy a team of three ‘cause three is 00:12:11.960 --> 00:12:13.073 the magic number. JACK: Okay. 00:12:13.073 --> 00:12:15.240 GEOFF: In order to do this — and this is where it gets interesting with the sort 00:12:15.240 --> 00:12:19.880 of cryptocurrency aspect of it. If you have [inaudible] dollars for you, Jack, 00:12:19.880 --> 00:12:24.960 you can swap your dollars into ETH, the currency on the Ethereum blockchain, the cryptocurrency. 00:12:24.960 --> 00:12:29.320 It’s a bit like Bitcoin. That’s just number two, I think, to Bitcoin, ETH, I think I might say. 00:12:29.320 --> 00:12:35.480 You can then take that Ethereum money and you can put it into — transfer it into Axie Infinity, 00:12:35.480 --> 00:12:40.440 and then you could use that in-game currency to buy your Axies, to buy Smooth Love Potion. You 00:12:40.440 --> 00:12:46.280 can buy land in the game. So, it’s all — the whole game is based on cryptocurrency, and there’s an 00:12:46.280 --> 00:12:51.040 internal blockchain within the game that tracks who owns what and who sold what to who. 00:12:51.040 --> 00:12:56.840 JACK: I see. I like the ownership aspect of this. You really do digitally own one of these Axies 00:12:56.840 --> 00:13:01.120 since it’s all on the blockchain. There’s no way for anyone to take your Axies away from you if 00:13:01.120 --> 00:13:05.960 you own them unless they steal your private key. To me, this is interesting because look 00:13:05.960 --> 00:13:11.280 at the software world right now. You can’t buy Microsoft Word or Adobe Photoshop. You have to 00:13:11.280 --> 00:13:17.120 pay a monthly fee in order to use it. You don’t own a lot of the software or games today if you 00:13:17.120 --> 00:13:22.800 have to have an internet connection for it to work. As the meme goes, if purchasing isn’t 00:13:22.800 --> 00:13:27.880 ownership, then piracy isn’t theft. GEOFF: Axie Infinity was created by a company 00:13:27.880 --> 00:13:32.320 called Sky Mavis who are headquartered in Vietnam. I think the company is registered, 00:13:32.320 --> 00:13:37.200 though, in Singapore. This was five guys who had been part of the e-sports scene, 00:13:37.200 --> 00:13:43.120 so they’d been around gaming for a very long time. The idea of crypto-based video games 00:13:43.120 --> 00:13:47.240 wasn’t sort of radically new. I think CryptoKitties predates Axie Infinity, 00:13:47.240 --> 00:13:52.840 from what I’ve read of it. But basically what they did was they built this game and released it, 00:13:52.840 --> 00:13:58.160 and in a way they lucked out because they obviously got the benefit of video game 00:13:58.160 --> 00:14:02.600 obsession. People became obsessed with this game and started playing it and battling their Axies 00:14:02.600 --> 00:14:07.240 together and so on. They also got the benefit of a cryptocurrency boom, because this was 00:14:07.240 --> 00:14:15.120 sort of 2019, 2020, and crypto was starting to rise in value quite steeply at that point. So, 00:14:15.120 --> 00:14:18.760 people who were into videogaming got into Axie Infinity. But what was really interesting around 00:14:18.760 --> 00:14:23.600 the discussion boards around Axie Infinity is you start to see this change where people are 00:14:23.600 --> 00:14:28.400 discussing the game and then they start to discuss crypto investments and crypto speculation. So, 00:14:28.400 --> 00:14:33.320 suddenly people who are into crypto on the speculative side of it started to see this game as 00:14:33.320 --> 00:14:38.040 an opportunity, a money-making opportunity. [MUSIC] So, you’ve got this incredible whirlwind 00:14:38.040 --> 00:14:44.000 of obsessive gamers and also obsessive cryptocurrency speculators coming in, 00:14:44.000 --> 00:14:48.600 and this game just went up and up in value. I think at one point it was valued at $2 billion, 00:14:48.600 --> 00:14:54.000 I think I’m right in saying. It’s astonishing values. The other thing that fed into this was 00:14:54.000 --> 00:15:00.200 Covid, was lockdown, so during that period. The game was big in Southeast Asia, particularly big 00:15:00.200 --> 00:15:03.600 in Southeast Asia, because that’s where the company was headquartered, and it absolutely 00:15:03.600 --> 00:15:07.480 took off, particularly the Philippines. I think 40% of the players, apparently, 00:15:07.480 --> 00:15:12.240 were in the Philippines. During lockdown a lot of people lost work, weren’t able to go to work, were 00:15:12.240 --> 00:15:17.240 looking around for alternative sources of income, and they started to see that actually they could 00:15:17.240 --> 00:15:22.160 potentially play this video game and make money at it. So, you put all these factors together and 00:15:22.160 --> 00:15:27.280 you just get this explosive combination that just launched Axie Infinity into the stratosphere, must 00:15:27.280 --> 00:15:31.520 to the surprise, I think it’s fair to say, of the guys at Sky Mavis who made it. I don’t think they 00:15:31.520 --> 00:15:35.760 were expecting it to be such big of a hit. JACK: Now, because the in-game currency was the 00:15:35.760 --> 00:15:41.280 Ethereum cryptocurrency, this allowed for a whole in-game marketplace. You could buy or 00:15:41.280 --> 00:15:47.080 sell things to other players with cryptocurrency just directly on the blockchain. Ethereum wasn’t 00:15:47.080 --> 00:15:53.640 just for cryptocurrency but there were items on it now, Axies, for instance, and you could buy 00:15:53.640 --> 00:15:59.280 one from another person directly if you wanted, without having to go through any game to do it. 00:15:59.280 --> 00:16:03.760 How do people make money? Do you understand the complexities of this? Because if you’re 00:16:03.760 --> 00:16:07.660 battling someone and you win the battle, do you take money from the other person? 00:16:07.660 --> 00:16:11.600 GEOFF: No; the way it would work, as I understand it, is your Axies would become more and more 00:16:11.600 --> 00:16:15.960 valuable the more fights they won, and you could actually sell them to other people in the game. 00:16:15.960 --> 00:16:20.440 So, you could say, I’ve got this team of Axies. Look, they’ve got a fantastic track record of 00:16:20.440 --> 00:16:23.680 killing lots of other Axies. I don’t know actually whether killing was part of it, but winning the 00:16:23.680 --> 00:16:30.040 battles. Would you like to buy them off me? Also, there’s a trade in Smooth Love Potions. So, as you 00:16:30.040 --> 00:16:34.360 played the game, you got more Smooth Love Potion; you could sell the Smooth Love Potion to people. 00:16:34.360 --> 00:16:40.560 You could buy and sell plots of land on Lunacia which is the virtual environment in which the game 00:16:40.560 --> 00:16:46.320 is played. So, everything — almost everything was for sale, so the money was sort of being shared 00:16:46.320 --> 00:16:50.440 around by trading within the game. JACK: Now, you might be thinking, hold on, 00:16:50.440 --> 00:16:55.560 wait a minute. This is an awful idea, to bridge real money into a video game. Well, 00:16:55.560 --> 00:17:00.600 you’re not the only one to think that. The video game marketplace Steam has outright banned all 00:17:00.600 --> 00:17:05.720 crypto-based games from there. At first glance you might be thinking, oh, that’s because they 00:17:05.720 --> 00:17:10.040 don’t want people spending real money on games like that. It can ruin the in-game economy and 00:17:10.040 --> 00:17:15.440 it leads to speculative behavior. Also, isn’t it stupid to just buy video game assets like gold 00:17:15.440 --> 00:17:23.760 and weapons? But none of those are the reasons why Steam banned crypto-based games. [MUSIC] A 00:17:23.760 --> 00:17:30.200 very popular game on Steam is CS:GO. Or, I guess it’s now called Counter-Strike 2. Within Steam 00:17:30.200 --> 00:17:36.400 itself there’s a whole marketplace where you can buy and sell in-game Counter-Strike items from 00:17:36.400 --> 00:17:43.120 other players for real money. It’s like a giant marketplace on Steam. Thousands of purchases 00:17:43.120 --> 00:17:49.080 happen every day. Yeah, you can show up, type your credit card details in, and start buying items in 00:17:49.080 --> 00:17:55.680 the game from other players with real money. Steam has built this whole system, so clearly they are 00:17:55.680 --> 00:18:00.800 perfectly fine with people using real money to buy in-game items or be speculative in the game or 00:18:00.800 --> 00:18:07.480 mess up the game economy. However, when you sell an item, you don’t get the money from the sale. 00:18:07.480 --> 00:18:14.840 They give you Steam credits which can be used to buy other games on Steam. But players were like, 00:18:14.840 --> 00:18:18.600 wait a minute, if I’m selling this to someone who’s buying it with their credit card, 00:18:18.600 --> 00:18:24.000 why can’t I get the money they paid for it? Steam’s like, eh, we really don’t want to 00:18:24.000 --> 00:18:29.080 give you money. Game credits are much better for us. So players were like, 00:18:29.080 --> 00:18:34.000 you know what? Nobody can stop us from just trading among ourselves. So, player-to-player 00:18:34.000 --> 00:18:40.000 sales started happening. But how do you send money digitally? You can’t just give someone your credit 00:18:40.000 --> 00:18:45.680 card. It doesn’t work that way. So, players started trading using cryptocurrency, but this 00:18:45.680 --> 00:18:51.400 became unsafe. People were sending their money and not getting anything in the trade. So, websites 00:18:51.400 --> 00:18:55.800 started popping up saying, hey, we’ll broker the deal for you, and they started acting like 00:18:55.800 --> 00:19:01.760 the middle man in trades for Counter-Strike. That went on for a while and Steam was like, alright, 00:19:01.760 --> 00:19:09.160 here, we’ll make an API for the marketplace. This allowed secondary marketplaces to let players buy 00:19:09.160 --> 00:19:15.880 and sell in-game items with real money. Not only that; a lot of markets allowed you to buy and sell 00:19:15.880 --> 00:19:22.200 items with cryptocurrency. So, while Steam has banned crypto-based games, you can actually use 00:19:22.200 --> 00:19:29.080 crypto to buy things in Counter-Strike 2 or sell things and get crypto from it. This is all totally 00:19:29.080 --> 00:19:33.400 allowed by Steam. Steam could put an end to all this right now if they wanted. They could make 00:19:33.400 --> 00:19:38.360 it so players just can’t trade with each other anymore, but they won’t because they make far too 00:19:38.360 --> 00:19:44.200 much money from this whole system. So, why does Steam actually ban crypto-based games? 00:19:44.200 --> 00:19:49.800 I think it’s because the regulatory landscape is unclear. When you start accepting cryptocurrency, 00:19:49.800 --> 00:19:54.600 suddenly you get into these regulations that are very difficult to figure out. And don’t tell me 00:19:54.600 --> 00:20:00.400 that Steam bans crypto-based games because it keeps out the trashy, scammy type stuff. Well, 00:20:00.400 --> 00:20:06.040 have you seen the game Banana? As I’m saying this, it is the second-most popular game on Steam, 00:20:06.040 --> 00:20:11.480 and it’s possibly the world’s dumbest game. You just click a banana, and after a while 00:20:11.480 --> 00:20:17.080 you might get a banana for doing it which can be sold on the marketplace, and it’s making 00:20:17.080 --> 00:20:22.360 the creator a ton of money since people are buying bananas with real money for no reason. 00:20:22.360 --> 00:20:29.080 The banana does nothing in the game. This is ten times dumber than any NFT game I’ve ever seen, 00:20:29.080 --> 00:20:36.800 and it’s not even an NFT game. The fact that Steam allows this is kinda breaking my brain, honestly. 00:20:36.800 --> 00:20:40.800 I bet there are a million teenagers today who are very fluent at understanding the market 00:20:40.800 --> 00:20:46.840 intricacies of V-Bucks or Robux, the virtual currencies for their favorite games. The thing 00:20:46.840 --> 00:20:53.240 about Steam credits or V-Bucks or Robux is you can only buy it. You can never sell it. It’s against 00:20:53.240 --> 00:20:59.560 the terms of service to trade that for real money, and that kind of frustrates me. It’s kind of like 00:20:59.560 --> 00:21:04.320 when you go to an arcade and they make you buy tokens to play the video games there. Video games 00:21:04.320 --> 00:21:08.760 can operate just fine on quarters. There’s no need to invent a whole new currency just to play them, 00:21:08.760 --> 00:21:14.160 and the currency can only be bought, never sold. It stinks when I come home from an arcade and 00:21:14.160 --> 00:21:18.640 there are a few extra tokens in my pocket. These things are worthless except for one place 00:21:18.640 --> 00:21:25.720 in the entire world. So, Axie Infinity was built directly on the Ethereum cryptocurrency, 00:21:25.720 --> 00:21:33.400 utilizing smart contracts, but they soon hit a problem. [MUSIC] When you play video games, 00:21:33.400 --> 00:21:39.840 you want it to be fast. Ethereum transactions were slow, sometimes taking a few minutes to complete, 00:21:39.840 --> 00:21:45.760 and the fees on Ethereum were high, often costing $30 in fees just to buy an Axie from 00:21:45.760 --> 00:21:50.640 another player. So, to fix that, Sky Mavis, the creators of Axie Infinity, 00:21:50.640 --> 00:21:57.200 created a sidechain of Ethereum called the Ronin network. This sidechain was very compatible with 00:21:57.200 --> 00:22:01.640 Ethereum so players could move their money in and out between the Ronin network and the Ethereum 00:22:01.640 --> 00:22:08.280 network easily. That mechanism of moving money between the two, they named that the Ronin Bridge. 00:22:08.280 --> 00:22:13.400 The Ronin network was much faster and had very low fees, like less than a cent, making it much 00:22:13.400 --> 00:22:19.480 more ideal for a video game to be played on this blockchain. But for this Ronin network to operate, 00:22:19.480 --> 00:22:24.560 there needed to be nodes and validators. Sky Mavis didn’t want to be the only one controlling those 00:22:24.560 --> 00:22:30.440 nodes and validators because if they were, they could theoretically control the whole network. 00:22:30.440 --> 00:22:34.840 I guess if you have a majority control of the validators, you could manipulate the system if 00:22:34.840 --> 00:22:40.160 you wanted. The idea of a decentralized network is that nobody should ever have a majority of 00:22:40.160 --> 00:22:46.680 the validators so that it can’t be manipulated. So, they made sure to have people outside their 00:22:46.680 --> 00:22:51.000 control also running nodes and validators. GEOFF: You could play on a browser. I think most 00:22:51.000 --> 00:22:53.840 people were playing on a phone. It got so popular that there were reports in the 00:22:53.840 --> 00:22:59.080 Philippines of people giving up their jobs just to play this game full time. Now, of course, 00:22:59.080 --> 00:23:03.480 as soon as that happens and it hits the headlines, you get this rush of people who all think, oh, 00:23:03.480 --> 00:23:07.440 I’ll do that. Of course, it became a pylon. People just went for this game, 00:23:07.440 --> 00:23:11.000 particularly in Southeast Asia. JACK: So, there’s this very valuable 00:23:11.000 --> 00:23:17.000 company with millions and maybe billions of dollars’ worth of cryptocurrency assets 00:23:17.000 --> 00:23:26.480 running through it, swapping around, moving fast, moving a lot. This will attract somebody 00:23:26.480 --> 00:23:30.920 who wants to steal that money. GEOFF: Inevitably. [MUSIC] As soon as 00:23:30.920 --> 00:23:35.800 you start to make scads of money as a video game, somebody tries to hack you, and that’s 00:23:35.800 --> 00:23:42.360 exactly what happened with Axie Infinity. JACK: A lot of scammers and thieves flocked to 00:23:42.360 --> 00:23:47.400 this game, trying to steal things from other players. Some players’ crypto wallets were 00:23:47.400 --> 00:23:52.560 loaded with tens of thousands of dollars of Axie Infinity assets, and scammers were trying hard to 00:23:52.560 --> 00:23:57.320 steal stuff from players’ wallets. One common tactic is to get an Axie Infinity player to 00:23:57.320 --> 00:24:01.840 connect their crypto wallet to the scammer’s website, maybe by saying something like, oh, 00:24:01.840 --> 00:24:06.840 we’re giving away a free, rare Axie. With some cleverly-crafted message, they can trick a 00:24:06.840 --> 00:24:11.680 person into giving them access into their wallet, which then the thief can drain everything from 00:24:11.680 --> 00:24:16.640 it. Hundreds if not thousands of Axie Infinity players were victim to this type of attack, and I 00:24:16.640 --> 00:24:22.240 should say that even though attacks on players and cryptocurrency-based games is very common, it’s 00:24:22.240 --> 00:24:27.520 not unique to only crypto-based games. I remember when I was playing World of Warcraft a long time 00:24:27.520 --> 00:24:33.960 ago, someone somehow got into my account and transferred all the gold and removable items from 00:24:33.960 --> 00:24:40.960 my character into whatever account they had. I got digitally robbed in World of Warcraft. If you hang 00:24:40.960 --> 00:24:46.360 out in the Counter-Strike forums or Roblox forums or Fortnite forums, you see people begging for 00:24:46.360 --> 00:24:52.440 help every day, saying their account got hacked or their stuff got stolen. There’s a lot of money in 00:24:52.440 --> 00:24:56.120 stealing video game assets. It’s crazy. GEOFF: Ideally what you want to do is you 00:24:56.120 --> 00:24:58.600 want to go to the source of all the money, the fount of all the money, 00:24:58.600 --> 00:25:04.600 which is Sky Mavis’ servers themselves. [MUSIC] So, the hackers targeted one of 00:25:04.600 --> 00:25:10.400 the engineering team — and carried out a very, very elaborate — or at least in my opinion, 00:25:10.400 --> 00:25:15.240 very elaborate social engineering exercise on this person; offered them a job. Now, 00:25:15.240 --> 00:25:21.440 that’s not an uncommon thing for crypto-developers to get. Game developers get poached all the time. 00:25:21.440 --> 00:25:26.520 So — a great job for you; a really big salary. Are you interested in talking to us? This employee 00:25:26.520 --> 00:25:32.280 said yes, started receiving details of the job, did apparently a couple of rounds of interviews 00:25:32.280 --> 00:25:39.320 for the job which I presume was webcams-off, but was interviewed by people for a job that 00:25:39.320 --> 00:25:44.760 seemed to exist. Of course, none of this was true. There was no job. This employee of Sky 00:25:44.760 --> 00:25:49.160 Mavis was being targeted by hackers who were trying to maneuver them to the point where 00:25:49.160 --> 00:25:56.040 they would effectively download malware. JACK: Hm. So, we don’t know how they made contact. 00:25:56.040 --> 00:26:00.160 My first thought was Discord. A ton of scammers are on Discord trying desperately to hack into 00:26:00.160 --> 00:26:06.520 people’s accounts. But in this case, I’m willing to bet the initial contact was made on LinkedIn. 00:26:06.520 --> 00:26:11.080 It’s kind of easy to find developers for Axie Infinity on there to begin with, then it’s only 00:26:11.080 --> 00:26:15.920 a few clicks away before you can message one of them, and it sounds like they messaged a developer 00:26:15.920 --> 00:26:21.240 offering them a job. So if that’s the case, it’s not so hard to create a fake persona on LinkedIn 00:26:21.240 --> 00:26:26.560 to look like you work for some prestigous company, making the whole story more believable. I mean, 00:26:26.560 --> 00:26:30.920 who gets job offers on Discord anyway, you know? LinkedIn is the place to go get job offers. 00:26:30.920 --> 00:26:35.000 GEOFF: The other thing you can do if you target someone in this way is you can say to them, 00:26:35.000 --> 00:26:39.240 hey, for this job we need to know that you can use this particular piece of software. Can you 00:26:39.240 --> 00:26:43.640 download it for us or can you click on this link and go to this private server so you can do this 00:26:43.640 --> 00:26:47.760 exercise as part of the job application? There’s lots of ways with a job application that you can 00:26:47.760 --> 00:26:52.080 sort of trick someone into doing something they wouldn’t necessarily have done, downloading stuff, 00:26:52.080 --> 00:26:56.480 clicking on links. So, I find that really — I think that was a really smart way of operating 00:26:56.480 --> 00:27:01.880 and one for people to watch out for. Eventually malware gets downloaded by this employee of 00:27:01.880 --> 00:27:09.760 Sky Mavis onto their work device. Now, full disclosure, I don’t think Sky Mavis have revealed 00:27:09.760 --> 00:27:16.920 how that specifically was done, but you can think of multiple ways whereby you’d be able to convince 00:27:16.920 --> 00:27:20.760 someone as part of the job application process to download something. There’s lots of ways to do 00:27:20.760 --> 00:27:25.680 that. Effectively, the malware allowed the hackers access to Sky Mavis’ computer systems, and because 00:27:25.680 --> 00:27:31.920 they targeted an engineer, you had what Sky Mavis describes as very deep-level access. It wasn’t 00:27:31.920 --> 00:27:35.800 like they’d hacked somebody in the HR department and had to work their way over to the development 00:27:35.800 --> 00:27:39.520 environment. They were already in. They’d hit the mother lode, effectively, and were already 00:27:39.520 --> 00:27:45.360 in at a very deep level inside Sky Mavis. JACK: Yeah, I mean, if you get malware onto a 00:27:45.360 --> 00:27:49.600 developer’s computer and then take control of their computer, then you can assume the 00:27:49.600 --> 00:27:55.160 role of that developer in that company. You have their access keys, their logins, 00:27:55.160 --> 00:28:01.240 their privileged access to the network. GEOFF: [MUSIC] With their deep-level access to 00:28:01.240 --> 00:28:06.160 Sky Mavis’ systems, the hackers start scoping out how Axie Infinity works 00:28:06.160 --> 00:28:11.040 and how this money is moving around. JACK: I bet they were looking for a central 00:28:11.040 --> 00:28:15.400 wallet like cold storage or something where Sky Mavis stores all the keys and has access 00:28:15.400 --> 00:28:22.040 to millions of dollars in crypto. But they couldn’t find that. So, the second thing was, 00:28:22.040 --> 00:28:27.360 with all this money flowing through the system, was there a way to grab it somehow? 00:28:27.360 --> 00:28:32.760 GEOFF: What they realize is — what we’ve covered earlier is there’s this internal blockchain 00:28:32.760 --> 00:28:38.800 within Axie Infinity monitoring the transactions between the players. There’s the external Ethereum 00:28:38.800 --> 00:28:43.600 blockchain which is effectively bringing in money that people — Ethereum, Ether currency that people 00:28:43.600 --> 00:28:48.920 are spending, into the game and then putting it out. So, there’s a conduit through which this 00:28:48.920 --> 00:28:54.360 is all happening, and that conduit is a thing called the Ronin Bridge. The Ronin Bridge’s job 00:28:54.360 --> 00:28:59.280 is basically — it’s to reconcile what’s going on in the game with what’s going on on this external 00:28:59.280 --> 00:29:05.640 Ethereum blockchain. Effectively, the Ronin Bridge is nine computers around the world, and those 00:29:05.640 --> 00:29:10.360 computers are looking at all the transactions inside and outside and reconciling the two ledgers 00:29:10.360 --> 00:29:15.680 together. So, basically, the hackers realize, very, very smartly, that’s the pinch point. 00:29:15.680 --> 00:29:20.960 That’s the conduit. That’s where the money’s going across. If they can control the Ronin Bridge, 00:29:20.960 --> 00:29:25.520 they can effectively control the flow of money. Since there’s millions and millions of dollars 00:29:25.520 --> 00:29:32.440 inside Axie Infinity, they can control that money. Now, the thing about this is there were nine 00:29:32.440 --> 00:29:35.240 computers as part of the bridge. It’s effectively nine — what they 00:29:35.240 --> 00:29:40.000 call — validators. Sky Mavis had sort of thought about the possibility of getting hacked, 00:29:40.000 --> 00:29:44.960 to give them credit, and they only controlled four out of those nine, which isn’t enough to 00:29:44.960 --> 00:29:50.240 give you majority control. So, you can’t just take over Sky Mavis, get control of the bridge, 00:29:50.240 --> 00:29:55.820 and take the money out. The hackers had to find a fifth computer so they have five out of nine, 00:29:55.820 --> 00:30:02.080 so they’ve got majority control. This is where things go wrong for Sky Mavis. [MUSIC] Sky Mavis 00:30:02.080 --> 00:30:07.520 had outsourced the other five validator computers to external companies. They weren’t in control of 00:30:07.520 --> 00:30:12.480 them. So, Sky Mavis didn’t hold all the cards, effectively. But one of the companies they’d 00:30:12.480 --> 00:30:19.280 outsourced to gave Sky Mavis a temporary access to its validator, and that temporary access was never 00:30:19.280 --> 00:30:24.920 revoked. The hackers somehow managed to realize all of this and thought, ah-ha, we’ve got four 00:30:24.920 --> 00:30:30.200 computers validating at Sky Mavis. We need a fifth to get majority control. There’s the fifth one; 00:30:30.200 --> 00:30:34.960 we’ve still got access to it via Sky Mavis. We’ve got five out of the nine computers, 00:30:34.960 --> 00:30:40.360 and guess what? We control the bridge, we control the money, and it’s time to steal. 00:30:40.360 --> 00:30:48.920 JACK: Wow. I think the level of knowledge needed to pull this off is quite remarkable. This is not 00:30:48.920 --> 00:30:54.720 so simple as opening up a wallet and transferring the funds out. To take over five of the nine nodes 00:30:54.720 --> 00:30:59.640 of this sidechain and to know how to operate them in a way that will allow them to steal 00:30:59.640 --> 00:31:05.360 money takes a specific skill set. Whoever did this must have had to prepare quite a bit for 00:31:05.360 --> 00:31:11.520 an attack like this. It kind of reminds me of that one time my friend went and bought an antique for, 00:31:11.520 --> 00:31:15.360 I don’t know, $1,000 and something, and on his way home he stopped for lunch somewhere 00:31:15.360 --> 00:31:21.360 and his car got broken into. The thieves stole the loose change in his cupholder. They looked 00:31:21.360 --> 00:31:26.160 at that old antique and didn’t think it was worth anything and left it. Whoever was targeting Axie 00:31:26.160 --> 00:31:32.360 Infinity knew exactly where to look to extract the most amount of value they could from the system. 00:31:32.360 --> 00:31:37.160 They knew exactly where the value was, and I don’t think many of us would know how to work 00:31:37.160 --> 00:31:41.760 these controlling nodes even if we could take them over. [MUSIC] But when they took over these nodes, 00:31:41.760 --> 00:31:46.040 they got immediately to work setting up an attack which would allow them to transfer as 00:31:46.040 --> 00:31:51.080 much out of the Ronin network as they could and as fast as they could directly into the Ethereum 00:31:51.080 --> 00:31:57.040 wallets that were ready and waiting. They set up everything, and using their control of the bridge, 00:31:57.040 --> 00:32:04.760 deployed a command to transfer the money. GEOFF: They stole ETH, ETH currency, and USDC, 00:32:04.760 --> 00:32:12.060 which at the time was valued at $625 million. 00:32:12.060 --> 00:32:15.674 JACK: $625 million. GEOFF: Yes. 00:32:15.674 --> 00:32:21.880 JACK: I’m trying to think, is there a single cyber-heist that is more than 00:32:21.880 --> 00:32:26.440 $650 million? I can’t think of one. GEOFF: I’ll go further from that. I’ve been 00:32:26.440 --> 00:32:31.320 a bit circumspect in the book, but I’m being less circumspect the more I go on. I think it’s 00:32:31.320 --> 00:32:36.200 the biggest theft of all time, and I want to — I’m gonna add a couple qualifiers to that ‘cause it is 00:32:36.200 --> 00:32:40.600 a big statement to make, right? I’m talking about one-off theft. Obviously ransomware was — well, 00:32:40.600 --> 00:32:46.000 you know has made billions over time, multiple victims. I’m talking about one victim, 00:32:46.000 --> 00:32:53.240 one hit, at the time the theft happened. ‘Cause obviously there’s the Bitfinex hack — you know, 00:32:53.240 --> 00:32:57.840 the one that Heather Morgan and Ilya Lichtenstein got sentenced for. 00:32:57.840 --> 00:33:00.080 JACK: Oh, yeah. GEOFF: Well, that was — that ended up 00:33:00.080 --> 00:33:05.600 being $3 billion, I think. But at the time of the hack, it was $70 million. So, I’m talking about 00:33:05.600 --> 00:33:11.800 valuing a crime at the time was committed; a one-off crime, one victim. So, I’ve been 00:33:11.800 --> 00:33:16.040 doing — you know, you Google and you Google and you try and find these things, and there’s — the 00:33:16.040 --> 00:33:22.640 Isabella Stewart Gardner Museum heist is one of them. So, that was — I think ‘93, was it? They 00:33:22.640 --> 00:33:27.320 broke into the museum. They stole artworks. The artworks were valued at $500 million. Now, that’s 00:33:27.320 --> 00:33:33.640 often listed as being one of the most expensive heists of all time, and that’s only $500 million. 00:33:33.640 --> 00:33:39.000 So, I know I’m out on a limb here, but I do think it’s a serious — if it’s not the number one, it’s 00:33:39.000 --> 00:33:44.560 a very serious contender for biggest theft of all time based on one hack, one victim. One crime, one 00:33:44.560 --> 00:33:49.200 victim, valued at the time of the crime. JACK: Now, some of my listeners might be shaking 00:33:49.200 --> 00:33:52.840 their heads right now and think, no, Jack, none of this cryptocurrency is 00:33:52.840 --> 00:33:58.360 real money. This is not the biggest heist of all time. In fact, a lot of articles 00:33:58.360 --> 00:34:03.560 which list the biggest heists of all time don’t include any cryptocurrency heists. But the thing 00:34:03.560 --> 00:34:08.360 is these thieves immediately started exchanging it for traditional money. So, to me, if you can 00:34:08.360 --> 00:34:14.460 swap it quickly and easily for any currency you want, then, yeah, to me, it’s real money. 00:34:14.460 --> 00:34:17.920 GEOFF: Yeah, it may start off in crypto and you may turn your nose up at that, 00:34:17.920 --> 00:34:22.360 but it ends up in hard dollars and hard dollars that can be used to fund criminal activity, 00:34:22.360 --> 00:34:25.940 and some very serious — as we’re going to talk about, some very serious criminal activity. 00:34:25.940 --> 00:34:29.680 JACK: Maybe I should have mentioned this earlier, but the reason I’m talking with Geoff about all 00:34:29.680 --> 00:34:34.480 this is because he just published a book called Rinsed, which is all about money laundering in the 00:34:34.480 --> 00:34:39.960 modern world. I just finished reading it and it sent me down a wild, twisted tunnel into the world 00:34:39.960 --> 00:34:44.240 of money laundering. Now, what we’re talking about in this episode is a single chapter of the book, 00:34:44.240 --> 00:34:50.080 though. The biggest heist of all time, Axie Infinity, is interesting by itself, but the 00:34:50.080 --> 00:34:57.840 thieves are now faced with a staggeringly huge challenge. How do you cash out $625 million in 00:34:57.840 --> 00:35:01.680 stolen cryptocurrency? If you sent it all to an exchange, they might not be 00:35:01.680 --> 00:35:07.200 able to swap that much, or they might freeze your account and you could lose it all. So, 00:35:07.200 --> 00:35:11.960 while they immediately started sending some of it to an exchange, that was only a small amount, 00:35:11.960 --> 00:35:17.040 and they needed a big plan for the bulk of it. We’re gonna take a quick break here, 00:35:17.040 --> 00:35:22.760 but stay with us because after the break, someone’s going to prison. The news broke pretty 00:35:22.760 --> 00:35:31.240 fast — Axie Infinity’s Ronin Bridge hacked; $625 million stolen. Lots of people lost a lot of money 00:35:31.240 --> 00:35:37.680 and including Sky Mavis itself, but of course, everyone wanted to know, who did this? 00:35:37.680 --> 00:35:43.400 GEOFF: Good question. Obviously it very quickly hit the news this had happened, and in fairness, 00:35:43.400 --> 00:35:51.240 Sky Mavis did a rolling blog on what had happened and were filling people in. Of course, because 00:35:51.240 --> 00:35:56.800 it’s cryptocurrency and because all cryptocurrency moves across a blockchain which is almost always 00:35:56.800 --> 00:36:01.480 publicly available — particularly when the hackers transferred the money out from Sky Mavis, 00:36:01.480 --> 00:36:07.160 it was publicly-viewable — people start looking at the wallet addresses to which the money’s 00:36:07.160 --> 00:36:12.920 being sent. They start looking at the methodology behind the hack, and very quickly, the name that 00:36:12.920 --> 00:36:19.240 pops into the frame is North Korea. JACK: [MUSIC] North Korea. So, North Korea’s 00:36:19.240 --> 00:36:23.680 military has something called the Reconnaissance General Bureau. In it are believed to be where 00:36:23.680 --> 00:36:28.160 thousand of hackers are trained and tasked with completing military objectives. 00:36:28.160 --> 00:36:31.960 This isn’t the first time they’ve been accused of stealing millions of dollars in crypto, 00:36:31.960 --> 00:36:37.760 and it’s estimated that they’ve stolen over a billion dollars in cryptocurrency now. I can’t 00:36:37.760 --> 00:36:42.360 think of another country where their government is hacking for financial gain like this. 00:36:42.360 --> 00:36:47.840 GEOFF: No, that we know of. It’s certainly very rare for nation-state hackers to [inaudible] send 00:36:47.840 --> 00:36:51.320 for money. Of course, North Korea’s in this unique situation. North Korea’s unique for a 00:36:51.320 --> 00:36:55.840 lot of reasons, but the unique situation that they are under international financial sanctions, have 00:36:55.840 --> 00:37:02.560 been for a very long time, have, it seems, largely run out of money or run out of legitimate sources 00:37:02.560 --> 00:37:09.680 of money — and so, the accusation is that North Korea’s computer hackers are tasked with gaining 00:37:09.680 --> 00:37:14.360 currency by any means necessary, and that’s, from what we know of North Korea, not unusual. Its 00:37:14.360 --> 00:37:18.880 diplomats historically have been tasked with not just being diplomats but — you know, can you also 00:37:18.880 --> 00:37:25.160 make a bit of money on the side, please? JACK: Hm. But now that I said that out loud that 00:37:25.160 --> 00:37:28.520 I don’t know of another country that hacks for financial gain, 00:37:28.520 --> 00:37:35.840 I’m reminded of an episode I did with a CIA agent. It was Episode 116, called Mad Dog. In it, a CIA 00:37:35.840 --> 00:37:42.440 agent told me he tricked a diplomat from another country to give him information on an upcoming 00:37:42.440 --> 00:37:47.320 trade deal between the US and that country. He saw what their bottom line was, the lowest amount that 00:37:47.320 --> 00:37:52.720 they would accept in the trade deal, and he gave this information to the US who in turn used that 00:37:52.720 --> 00:37:59.200 information to save the US billions of dollars in the trade deal. Is this hacking for financial 00:37:59.200 --> 00:38:07.240 gain? Social engineering for profit, maybe? I guess economic security falls under national 00:38:07.240 --> 00:38:13.080 security, and countries will go to great lengths to keep their economic security going well. 00:38:13.080 --> 00:38:18.080 GEOFF: When you steal cryptocurrency, one of the hazards of this is it’s inevitably going to be on 00:38:18.080 --> 00:38:22.400 a blockchain somewhere, and that’s almost never to be — going to be public. So, it’s almost like 00:38:22.400 --> 00:38:28.400 you’ve gone into the bank and stolen a whole bunch of bank notes, but they’re all fluorescent yellow 00:38:28.400 --> 00:38:31.840 and people can see in your pocket that you’ve got these bank notes. So, 00:38:31.840 --> 00:38:37.160 your key task as a cryptocurrency thief is to launder the money, and that’s why I’ve written 00:38:37.160 --> 00:38:41.320 a book about money laundering. JACK: Well, hang on a second now. So, 00:38:41.320 --> 00:38:46.360 they have 170,000 Ethereum tokens. They need to turn that into dollars so they 00:38:46.360 --> 00:38:51.920 can buy whatever. Why don’t they just set up an exchange in North Korea that they can just 00:38:51.920 --> 00:38:57.960 send it to and be like, alright, done? GEOFF: That’s a very good point, and one of the 00:38:57.960 --> 00:39:02.640 things that people have spoken about is the idea of North Korea sort of setting up a cryptocurrency 00:39:02.640 --> 00:39:09.720 exchange. I guess the answer to that would probably be — firstly there’s this idea I 00:39:09.720 --> 00:39:13.440 think with all these thefts that are attributed to North Korea that North Korea gets the money back 00:39:13.440 --> 00:39:18.720 to Pyongyang and that’s where its destination is. Well, there’s nothing to buy in Pyongyang. There’s 00:39:18.720 --> 00:39:25.000 no point in sending it there. Yes, you could set up a cryptocurrency exchange in Pyongyang, send 00:39:25.000 --> 00:39:29.240 all the cryptocurrency there, withdraw it in — I think it’s still — the won is the currency they 00:39:29.240 --> 00:39:34.320 use. But then you’ve got North Korean currency in North Korea. What are you gonna buy? What was the 00:39:34.320 --> 00:39:39.600 point of that? What you want is to ship the money to — I don’t know, you want to buy widgets in 00:39:39.600 --> 00:39:45.400 Frankfurt, ball bearings in Frankfurt. You want to pay somebody off in Brazil. You want to get hold 00:39:45.400 --> 00:39:52.840 of missile technology secrets in Afghanistan. You want the money mobile, you want it flexible, so, 00:39:52.840 --> 00:39:59.440 you want to be able to move it around. Also, $625 million is a huge quantity of money. You’ve got to 00:39:59.440 --> 00:40:04.960 take it somewhere where there’s enough liquidity that somebody will buy that cryptocurrency off 00:40:04.960 --> 00:40:12.080 you in exchange for cash. Well, for, yeah, money, dollars, pounds, yen, whatever. So, 00:40:12.080 --> 00:40:17.120 this was the challenge that North Korea was faced with, if indeed it was they behind the hack, 00:40:17.120 --> 00:40:22.440 that they were trying to take this money somewhere that could absorb it and turn it around and give 00:40:22.440 --> 00:40:27.520 it back to them in cold, hard currency. JACK: Okay, so North Korea has $625 million 00:40:27.520 --> 00:40:31.949 in stolen cryptocurrency, specifically Ethereum and USDC. 00:40:31.949 --> 00:40:35.080 GEOFF: Let me just say these are allegations. North Korea denies these allegations, obviously, 00:40:35.080 --> 00:40:37.480 being involved in these hacks. JACK: Okay, so it’s supposedly North 00:40:37.480 --> 00:40:42.800 Korea. A lot of evidence points to them, but we don’t know for certain. I think it was. Now, 00:40:42.800 --> 00:40:48.120 the way these cryptocurrencies work is there’s no way to recover that money. This is real ownership, 00:40:48.120 --> 00:40:51.680 as I was saying earlier. There’s no central bank that can reverse the transfer or pull the 00:40:51.680 --> 00:40:58.600 money back out. The money is North Korea’s and there’s nothing anyone can do about that ever. 00:40:58.600 --> 00:41:04.320 Except, North Korea is under strict sanctions, which means it’s forbidden to do business with 00:41:04.320 --> 00:41:10.560 them. On top of that, it’s stolen money, and those wallets were flagged. So, exchanges won’t 00:41:10.560 --> 00:41:16.040 simply let them exchange it into cash. What they need is a chop shop. [MUSIC] The only 00:41:16.040 --> 00:41:20.000 reason why I know about chop shops is because of playing Grand Theft Auto, and when I was playing 00:41:20.000 --> 00:41:23.920 the game and I stole a car and the police were chasing after me, I could take that car into a 00:41:23.920 --> 00:41:28.120 chop shop. They’d scratch off the VIN, paint the car a different color, and give it a new 00:41:28.120 --> 00:41:32.720 license plate. Then when I got back on the road, I could drive right past the police without them 00:41:32.720 --> 00:41:37.760 knowing it’s the same stolen car, since it looks entirely different. But with cryptocurrency, 00:41:37.760 --> 00:41:41.680 you can’t hide very well by just transferring the money into a fresh wallet. There’s a big, 00:41:41.680 --> 00:41:46.800 glaring transfer displayed publicly for anyone to see. Moving it into a new wallet doesn’t do 00:41:46.800 --> 00:41:51.720 anything to hide your tracks. They somehow needed to clean this money so it can’t be linked back 00:41:51.720 --> 00:41:57.240 to the money stolen from Axie Infinity. GEOFF: By this point, the wallets into which the 00:41:57.240 --> 00:42:00.920 crypto have been transferred — the stolen money from Axie had been transferred into 00:42:00.920 --> 00:42:06.600 crypto wallets, and those wallets were flagged as being recipients of crime. The law enforcement had 00:42:06.600 --> 00:42:11.480 acted quite quickly and gone around to the major exchanges, the big, legitimate crypto exchanges, 00:42:11.480 --> 00:42:15.640 and said, hey, if anybody tries to transfer you money from that wallet there, don’t take 00:42:15.640 --> 00:42:21.200 it ‘cause it was stolen from Axie. So, they tried, I think, $60 million dollars’ worth 00:42:21.200 --> 00:42:27.200 of exchanges, the hackers, at legitimate, above-the-line, above-the-board exchanges, 00:42:27.200 --> 00:42:30.640 and that money all got frozen because of course as soon as the exchanges received the money, 00:42:30.640 --> 00:42:36.120 they went, oh, this is the stolen Axie money. Yeah, we’re keeping this. So, the hackers lost 00:42:36.120 --> 00:42:40.920 tens of millions of the stolen money because they tried to pump it through the legitimate system, 00:42:40.920 --> 00:42:44.640 and the legitimate system just froze it. So, then they needed to find somewhere else. Where can you 00:42:44.640 --> 00:42:51.320 go with hundreds of millions of dollars of stolen crypto and just put it in, no questions asked? 00:42:51.320 --> 00:42:58.080 That’s what led them to Tornado Cash. JACK: [MUSIC] Tornado Cash? I’ve used Tornado 00:42:58.080 --> 00:43:04.160 Cash before. Let me tell you why. Okay, so, I was going for a coffee a while back in my town, and I 00:43:04.160 --> 00:43:09.600 noticed they accepted Ethereum cryptocurrency. I was like, hot diggity. People have been donating 00:43:09.600 --> 00:43:15.120 Ethereum to my podcast; I’m gonna use it to buy some coffee. So I started to get it going, 00:43:15.120 --> 00:43:23.480 but I thought, wait a minute, hold on. No way. This is a bad idea. My donation wallet is public, 00:43:23.480 --> 00:43:29.760 so anyone can see where I spend my money, and if they see I spent it on coffee in my town, 00:43:29.760 --> 00:43:36.920 that might expose where I live. I go to extreme lengths to keep my private life and public life 00:43:36.920 --> 00:43:43.800 separate. So, I need a way to move this money into a personal wallet so I can spend it without people 00:43:43.800 --> 00:43:49.520 able to see where I’m spending it. So, what are my options? I could send it to an exchange and 00:43:49.520 --> 00:43:54.800 then send it to a fresh wallet, but to use an exchange, I have to give them my personal 00:43:54.800 --> 00:43:59.720 details like my driver’s license and stuff, which seems a bit much just to buy a cup of 00:43:59.720 --> 00:44:06.040 coffee. Isn’t there a simpler system, one that’s more privacy-focused? Yeah, Tornado Cash. 00:44:06.040 --> 00:44:10.760 Tornado Cash is great. You send your money to it, it gets thrown in a pool with a bunch 00:44:10.760 --> 00:44:15.440 of other people’s money, and you get sort of a claim ticket. At any moment, you can use your 00:44:15.440 --> 00:44:20.840 claim ticket to get your money back out into a fresh wallet. Essentially, this allows you 00:44:20.840 --> 00:44:25.480 to transfer your money into a new wallet, but it removes the tracks of where it came from. What’s 00:44:25.480 --> 00:44:29.760 great about it is that it’s all automatic. I was telling you about smart contracts before, 00:44:29.760 --> 00:44:34.680 where you can add code to the Ethereum blockchain. Money is programmable now. So, 00:44:34.680 --> 00:44:39.760 I can see the Tornado Cash code, verify it looks okay, and then get my wallet to interact with it 00:44:39.760 --> 00:44:45.440 directly, giving it my money, and getting that claim ticket back. The way Tornado Cash worked 00:44:45.440 --> 00:44:51.880 is that they purposely built it so the creators themselves never took control of your money. The 00:44:51.880 --> 00:44:56.760 only person who would ever have control of your money is you. The smart contract is programmed 00:44:56.760 --> 00:45:01.400 to handle the money, but the creators built it so that they can’t even control the smart contract 00:45:01.400 --> 00:45:08.500 anymore. They literally coded all zeroes in for who can control it, which means nobody can. 00:45:08.500 --> 00:45:12.760 GEOFF: As the stories have emerged, one of the people who had used this particular mix was 00:45:12.760 --> 00:45:17.960 Vitalik Buterin, who, of course, came up with the Ethereum protocol, I think co-developed 00:45:17.960 --> 00:45:23.360 it. He said, look, this is exactly what I did. I wanted to donate to Ukraine. I didn’t want to do 00:45:23.360 --> 00:45:28.480 it publicly, and that is the hazard of using crypto, is it is public, so I used a mixer 00:45:28.480 --> 00:45:34.080 because I want to preserve my privacy. There are good, privacy-preserving reasons to use something 00:45:34.080 --> 00:45:38.280 like Tornado Cash, and that’s, I suspect, the reason Tornado Cash was set up, largely, 00:45:38.280 --> 00:45:42.560 was for those privacy-preserving reasons. JACK: Okay, so you might be thinking, hold on, 00:45:42.560 --> 00:45:46.760 this is just a Bitcoin tumbler, a mixer for money laundering, and there have been lots of them in 00:45:46.760 --> 00:45:52.200 the past. Weren’t they all illegal, anyway? Yeah, that’s the thing. [MUSIC] This one was different, 00:45:52.200 --> 00:45:57.080 very different. The ones in the past were typically custodial mixers, meaning 00:45:57.080 --> 00:46:01.920 someone is actually in possession of your money. If someone put a gun to their head, 00:46:01.920 --> 00:46:06.760 they could hand over all your money. These kind of mixers are illegal because the person holding 00:46:06.760 --> 00:46:11.840 the money should know whose money they’re holding. Like, if I give you something illegal to hold, you 00:46:11.840 --> 00:46:16.400 could be in just as much trouble for holding it as me. Yeah, a bunch of people were running these 00:46:16.400 --> 00:46:21.240 mixers and were caught by the police and arrested for running unlicensed money-transmitters, 00:46:21.240 --> 00:46:26.440 and the police were able to shut down those services. The difference here is very important. 00:46:26.440 --> 00:46:32.160 A custodial mixer is where you give your money to some person to hold for when you want it back, 00:46:32.160 --> 00:46:38.400 while a non-custodial mixer — the money is held on the blockchain, not in anyone’s possession, 00:46:38.400 --> 00:46:42.520 kind of like if you just stashed your money in a locker somewhere and then you gave the key 00:46:42.520 --> 00:46:46.720 to someone else and they got it out. The place that owned those lockers had no 00:46:46.720 --> 00:46:51.360 idea what you put in there, so they can’t be held liable for whatever was in there, 00:46:51.360 --> 00:46:58.120 kind of like a dead drop. Now, I imagine the makers of Tornado Cash saw that custodial mixers 00:46:58.120 --> 00:47:02.800 had been shut down and arrested in the past, and they probably knew full well that a service like 00:47:02.800 --> 00:47:09.480 this might be abused by people. So, Tornado Cash developers were like, we have to be absolutely 00:47:09.480 --> 00:47:15.680 certain that we’re never in possession of anyone’s money, ever. We can never have custody since those 00:47:15.680 --> 00:47:20.960 kind of mixers are illegal. So, it’s only with the invention of smart contracts that they were 00:47:20.960 --> 00:47:26.960 able to make a service like this, that they could be completely hands-off, a service that nobody 00:47:26.960 --> 00:47:32.840 was operating or running. It was headless. The developers could never touch anyone’s money even 00:47:32.840 --> 00:47:38.480 if they wanted. It was coded that way. In no way, shape, or form are they ever in possession of 00:47:38.480 --> 00:47:42.760 anyone’s money, and they went to great lengths to prove that. Not only that; they wanted this thing 00:47:42.760 --> 00:47:48.520 to be extremely resilient and impossible to be taken down, as they felt that privacy tools like 00:47:48.520 --> 00:47:53.440 this were very important to people. Also, a lot of these mixers in the past were 00:47:53.440 --> 00:47:59.200 tailored for criminals. AlphaBay, for example, was a darknet marketplace where people could buy and 00:47:59.200 --> 00:48:04.680 sell illegal items. Well, the site had its own crypto mixer specifically designed to help you 00:48:04.680 --> 00:48:10.640 hide your illegal purchases, and in the world of cyber crime, intention matters. If you are 00:48:10.640 --> 00:48:15.520 building something specifically for criminals to conduct crimes with, that’s racketeering and 00:48:15.520 --> 00:48:21.360 you could get RICO charges against you. But the developers of Tornado Cash held on strong that 00:48:21.360 --> 00:48:27.040 this was a privacy tool. That was their point, and to make that clear, they didn’t hide in the 00:48:27.040 --> 00:48:32.120 shadows of the darknet. They were open about their service and made it easily accessible. I mean, 00:48:32.120 --> 00:48:37.560 they even had a Twitter account and a normal website which all clearly said this is a way to 00:48:37.560 --> 00:48:45.400 have private transactions on Ethereum. So, as you can see, as a person who values my own privacy, 00:48:45.400 --> 00:48:52.200 I found this tool to be helpful and important. Decentralization is very fascinating to me, 00:48:52.200 --> 00:48:58.600 too. My website, darknetdiaries.com, is hosted on a single server somewhere, but Tornado Cash was 00:48:58.600 --> 00:49:04.000 kept up by hundreds of thousands of people running Ethereum validators, and there’s something amazing 00:49:04.000 --> 00:49:08.920 and beautiful about that. We can put something on the blockchain and you know it’ll permanently be 00:49:08.920 --> 00:49:13.240 there as long as Ethereum exists. GEOFF: You’ve understood exactly. That’s 00:49:13.240 --> 00:49:19.200 precisely what it is. At least, that’s what the claim was from inside Tornado Cash. As we’ll 00:49:19.200 --> 00:49:23.760 talk about later on, others have cast a lot of doubt on that. But certainly that was the claim, 00:49:23.760 --> 00:49:30.280 that Tornado Cash is this headless organization and once you use it, you’re effectively using 00:49:30.280 --> 00:49:33.680 an automated machine. It’s like going up to a vending machine, sticking your money in, and 00:49:33.680 --> 00:49:38.480 getting the can out. The vending machine’s been forgotten by whichever company was meant 00:49:38.480 --> 00:49:43.520 to own it. It just runs on its own. JACK: Well, clearly I wasn’t the only one 00:49:43.520 --> 00:49:48.920 to use Tornado Cash. The people who stole the $600 million from Axie Infinity also 00:49:48.920 --> 00:49:54.945 noticed Tornado Cash and sent hundreds of millions of dollars to it. 00:49:54.945 --> 00:49:59.040 GEOFF: [MUSIC] Now, this has obviously presented a lot of problems for the — particularly the United 00:49:59.040 --> 00:50:05.240 States government, because they can see that the money’s gone from — the stolen — the money’s 00:50:05.240 --> 00:50:09.440 gone — from Axie Infinity had been stolen and sent to Tornado Cash. They believe it’s North Korea 00:50:09.440 --> 00:50:16.240 behind this, but who do you prosecute? There’s nobody behind Tornado Cash at this time. That’s 00:50:16.240 --> 00:50:20.320 what they thought. So, it’s like, what do we do about this? So, they did the next best thing, 00:50:20.320 --> 00:50:26.840 the US government; they put Tornado Cash under sanctions and basically said, look, this mixer, 00:50:26.840 --> 00:50:31.600 this Tornado Cash mixer, is working for the North Koreans, we believe, we claim, and therefore 00:50:31.600 --> 00:50:35.080 anybody who interacts with this mixer and sends money to it or receives money, anybody who 00:50:35.080 --> 00:50:40.200 interacts who’s in the US — people, organizations, doesn’t matter — they are breaching sanctions as 00:50:40.200 --> 00:50:46.560 well. We can’t shut Tornado Cash down but we can freeze it out by saying, you cannot interact with 00:50:46.560 --> 00:50:50.920 anybody in the US anymore, and anybody in the US who interacts with Tornado Cash, you’ve committed 00:50:50.920 --> 00:50:56.840 an offense and we can come after you. JACK: Sanctions, what? The privacy tool I use 00:50:56.840 --> 00:51:03.000 got sanctioned? Hold on, hold on. This does not feel right. Okay, I need some 00:51:03.000 --> 00:51:08.160 names. Who created Tornado Cash? GEOFF: Yes, three people, it seems, 00:51:08.160 --> 00:51:14.280 created it. They are Andre Pertsev, Roman Storm, and Roman Semenov. They worked for a company 00:51:14.280 --> 00:51:20.400 called PepperSec, and I think it’s — as we’ll get into, there’s some legal proceedings around 00:51:20.400 --> 00:51:24.720 this that we have to be quite careful about, but I think it’s fairly uncontronversial that they 00:51:24.720 --> 00:51:30.560 set up PepperSec and they created Tornado Cash. But the key thing is they created it, they say, 00:51:30.560 --> 00:51:34.840 to preserve privacy, and having created it, they got to a certain stage and said, okay, 00:51:34.840 --> 00:51:39.280 we now burn our passwords lists, we step back. We have nothing more to do with this. It’s running 00:51:39.280 --> 00:51:45.720 on its own, the Tornado Cash DAO. JACK: Oh, it was a DAO. Of course. DAOs are 00:51:45.720 --> 00:51:53.200 fascinating. What I’m saying is an acronym, D-A-O, DAO, and it stands for decentralized autonomous 00:51:53.200 --> 00:51:59.280 organization, and this is a perfect example of one. [MUSIC] The internet has changed everything 00:51:59.280 --> 00:52:04.560 about our lives. You know that already. Every day I get online and I chat with loads of people from 00:52:04.560 --> 00:52:08.800 all around the world and I visit websites from other countries, and it never feels like I’m 00:52:08.800 --> 00:52:14.440 traveling far away to another country to interact with them. It’s just right here on the screen in 00:52:14.440 --> 00:52:20.120 my bedroom, just milliseconds away. The internet has connected us in a way where national borders 00:52:20.120 --> 00:52:26.080 just don’t seem to exist anymore. So, if you were to start an online business that exists 00:52:26.080 --> 00:52:31.440 only online and there’s no physical product or reason to have a home base — and maybe you start 00:52:31.440 --> 00:52:35.520 it with two other people. Like, one person is from Europe, another is from Asia, and the third 00:52:35.520 --> 00:52:41.640 is from the US. What country do you establish your business in? Forget it. Why not just make 00:52:41.640 --> 00:52:47.840 it an online company not part of any nation at all? Is that possible? I mean, traditionally you 00:52:47.840 --> 00:52:54.040 needed to make a company like an LLC or something in order to get a business bank account to do 00:52:54.040 --> 00:53:02.040 business with the world. But since this service is all cryptocurrency-based, you don’t need a bank, 00:53:02.040 --> 00:53:06.960 and autonomous means the company can continue to operate without anyone controlling it. 00:53:06.960 --> 00:53:13.880 Tornado Cash was one of these DAOs. It was decentralized and autonomous. It existed 00:53:13.880 --> 00:53:19.040 only online and was capable of operating all by itself. This is another new thing in the world 00:53:19.040 --> 00:53:26.120 that didn’t exist ten years ago. These DAOs exist online only. It’s a business that isn’t seeded in 00:53:26.120 --> 00:53:31.760 any specific country. Why should it be? If people are getting paid from a DAO, then those people can 00:53:31.760 --> 00:53:37.960 just report their income on their taxes and say they’re contractors for that organization. So, 00:53:37.960 --> 00:53:42.960 the US federal authorities were mad that hundreds of millions of dollars were stolen and then sent 00:53:42.960 --> 00:53:48.520 through Tornado Cash. They wanted to seize the funds and shut down the service. But like I said, 00:53:48.520 --> 00:53:54.040 Tornado Cash was built in a way that it was impossible to turn off and they never had 00:53:54.040 --> 00:54:00.720 control of the funds ever. So, the only tool the US authorities had to try to stop it was 00:54:00.720 --> 00:54:08.120 to sanction it, which, I don’t even think you can sanction an app, a piece of code. I mean, 00:54:08.120 --> 00:54:13.840 it’s still there on GitHub for anyone to see right now. So, if it’s illegal, why is it on GitHub? 00:54:13.840 --> 00:54:19.400 Code is just words and symbols, so in essence here, they’ve sanctioned a bunch of words that 00:54:19.400 --> 00:54:25.360 in a certain combination has meaning? So, can you even sanction a page with words on it? Isn’t there 00:54:25.360 --> 00:54:30.720 a free-speech violation in here somewhere? But not only did they sanction the code; 00:54:30.720 --> 00:54:36.760 they decided to arrest the people who started it. But what was their intention for starting 00:54:36.760 --> 00:54:41.840 Tornado Cash? Because as I said earlier, in the world of cyber crime, intention matters. 00:54:41.840 --> 00:54:46.440 GEOFF: It really does, and, well, there’s two sides to this. You can go on the back 00:54:46.440 --> 00:54:51.120 of what they’ve said and what their defenders say, which is this was a privacy-preserving 00:54:51.120 --> 00:54:56.520 tool. The intention was never to enable money laundering. However, the counter-argument from 00:54:56.520 --> 00:55:02.400 the authorities which they’re making very strongly and in court is it doesn’t matter. If you’re gonna 00:55:02.400 --> 00:55:08.520 run a money-transmitting business dealing with, as Tornado Cash was, hundreds of millions of dollars, 00:55:08.520 --> 00:55:13.440 you are obliged to think about money laundering. You can’t just naively set the thing up and hope 00:55:13.440 --> 00:55:18.040 no criminals are gonna use it. That’s not how it works, buddy. You have to obey money-laundering 00:55:18.040 --> 00:55:22.200 laws. So, we’ve got arguments on both sides. We’ve got arguments the intention was never 00:55:22.200 --> 00:55:26.200 there. We’ve got the argument on the other side saying it doesn’t matter. You’re on the hook for 00:55:26.200 --> 00:55:30.360 this if you set up these businesses. As you can tell, I’m being diplomatic about this. A; ‘cause 00:55:30.360 --> 00:55:35.840 there’s legal procedures about it. B; also because I hear both sides. I do genuinely hear both sides, 00:55:35.840 --> 00:55:40.710 and that’s the thing. It’s a fascinating debate. That’s why it’s a fascinating story. 00:55:40.710 --> 00:55:48.440 JACK: Hm, the police are saying intention doesn’t matter here. The act of creating open-source code 00:55:48.440 --> 00:55:54.440 and putting it on the blockchain to help make your financial transactions private was illegal because 00:55:54.440 --> 00:56:00.320 someone misused their tool. I want to point out here that the US government isn’t clear on whether 00:56:00.320 --> 00:56:06.440 cryptocurrency is even money or not. The Commodity Futures Trading Commission, the CFDC, classifies 00:56:06.440 --> 00:56:14.040 it as a commodity. The SCC classifies it as a security. The IRS classifies it as property, and 00:56:14.040 --> 00:56:19.800 FinCEN, the Financial Crimes Enforcement Network, classifies it as money, which is what requires 00:56:19.800 --> 00:56:26.440 people to follow the anti-money-laundering laws. The government has made all this so confusing. I 00:56:26.440 --> 00:56:32.480 hate being in this position. I don’t want to take the side of criminals who stole this money, 00:56:32.480 --> 00:56:38.680 but because I want to live in a world where financial privacy exists, I feel like sanctioning 00:56:38.680 --> 00:56:43.040 privacy tools hurts me. GEOFF: Yes, but the cost of that, 00:56:43.040 --> 00:56:47.720 that’s — if you do 100% privacy, you have to protect people you don’t like as well. It’s 00:56:47.720 --> 00:56:50.640 a fascinating debate. This is why it goes around and around in my head in the same way it sounds 00:56:50.640 --> 00:56:53.360 like it’s going in yours, as well. JACK: Because the money-transmitting rules 00:56:53.360 --> 00:56:58.880 they were supposed to follow was KYC, which stands for ‘know your customer’. For them to 00:56:58.880 --> 00:57:05.240 operate this legally, they would have had to ask everyone who uses the service for their real name, 00:57:05.240 --> 00:57:10.440 identity — upload your driver’s license, tell them your address, and when you do all that, 00:57:10.440 --> 00:57:15.640 now it’s not so private anymore. Now creators have to maintain a database and a whole back 00:57:15.640 --> 00:57:20.840 end full of people’s personal information. I don’t want my personal information in a 00:57:20.840 --> 00:57:26.400 database somewhere just so I can privately buy a cup of coffee. The best privacy tools are the 00:57:26.400 --> 00:57:33.520 ones who know nothing about who I am. When the financial system becomes a surveillance system, 00:57:33.520 --> 00:57:39.560 we start having big problems. [MUSIC] Look at China, for example. They have this social credit 00:57:39.560 --> 00:57:44.440 system where if you do things the government doesn’t like, they can restrict what you buy. 00:57:44.440 --> 00:57:49.640 They can also see everything you buy and make judgements about your character based on it, 00:57:49.640 --> 00:57:55.320 restricting other areas of your life, or even targeting you as a problem citizen. A government 00:57:55.320 --> 00:58:02.800 that is watching your every purchase is not encouraging of a free society. Let’s look at some 00:58:02.800 --> 00:58:07.800 legitimate use cases for why you’d want to use Tornado Cash to hide your transactions. You heard 00:58:07.800 --> 00:58:12.920 me say that I like to have this buffer between my public life and my private life. The internet 00:58:12.920 --> 00:58:18.400 is a big, old, dangerous place, and if you don’t believe me, listen to the previous 146 episodes 00:58:18.400 --> 00:58:24.560 of this podcast. It’s important that we secure our stuff and take our privacy seriously. 00:58:24.560 --> 00:58:28.240 Also, imagine going to buy something from someone and as soon as you give them the money, 00:58:28.240 --> 00:58:33.880 they can look to see how much money is in your bank account and all your previous purchases. 00:58:33.880 --> 00:58:38.080 This is how Ethereum works by default, so we need a way to shield our purchases from 00:58:38.080 --> 00:58:43.360 the rest of our transaction history. You heard how Vitalik, the creator of Ethereum, wanted to 00:58:43.360 --> 00:58:47.640 donate to Ukraine but wanted to do so privately without anyone knowing. There’s another reason; 00:58:47.640 --> 00:58:51.480 he’s a public figure. He wants to keep his political activities to himself. There are 00:58:51.480 --> 00:58:56.760 non-profits that I know of who go to great lengths to keep their donors private because donors don’t 00:58:56.760 --> 00:59:01.000 want the public to know what causes they’re giving towards and don’t want any extra solicitation from 00:59:01.000 --> 00:59:05.160 people asking them for more money. But I keep thinking about stories of people living in 00:59:05.160 --> 00:59:11.280 oppressive regimes; China, Russia, Iran. If you live there and speak up against the government, 00:59:11.280 --> 00:59:15.600 you could easily go to jail. These governments want strict control over their citizens, 00:59:15.600 --> 00:59:20.800 so monitoring financial transactions is crucial to keeping a strong grip on them. So, dissenters 00:59:20.800 --> 00:59:27.320 and activists in these countries absolutely need a way to send and receive money in a private way 00:59:27.320 --> 00:59:31.640 to support their cause and educate people in the atrocities of their own government. Their 00:59:31.640 --> 00:59:37.480 life depends on private financial transactions. Churches and charities don’t care if you deliver 00:59:37.480 --> 00:59:43.120 them a big bag of cash as an anonymous donor, and it’s none of anyone’s business if I want to donate 00:59:43.120 --> 00:59:49.360 anonymously. I want the same thing for digital transactions. I think taking down privacy tools 00:59:49.360 --> 00:59:54.600 like Tornado Cash hurts regular people. GEOFF: Which was exactly the basis on which 00:59:54.600 --> 01:00:01.280 the crypto-campaigners sued the United States Treasury and Janet Yellen individually after the 01:00:01.280 --> 01:00:07.760 sanctioning of Tornado Cash. This decision to sanction Tornado Cash went down very, 01:00:07.760 --> 01:00:10.720 very badly with large swathes of the crypto community, it has to be said, 01:00:10.720 --> 01:00:15.840 for exactly the reasons you’ve outlined. One of the key arguments and a fascinating argument is to 01:00:15.840 --> 01:00:22.920 what extent are you responsible for the downstream effect of code that you create and make available? 01:00:22.920 --> 01:00:28.280 The people who saw this decision by the Treasury, the US Treasury, to sanction Tornado Cash, said, 01:00:28.280 --> 01:00:33.720 well, you can’t sanction code. You can sanction the person that misuses the code. You don’t — if 01:00:33.720 --> 01:00:37.040 somebody gets stabbed, you don’t prosecute the person who made the knife. You prosecute 01:00:37.040 --> 01:00:42.560 the person who did the stabbing. So, that was the argument on which the US Treasury — one of 01:00:42.560 --> 01:00:46.600 the arguments on which the US Treasury was being sued. The other line of argument was that code, 01:00:46.600 --> 01:00:52.000 as you said, is freedom of speech and freedom of speech is constitutionally protected. Those cases, 01:00:52.000 --> 01:00:58.120 by the way, the attempts to sue the Treasury over its decision on Tornado Cash, got rejected, 01:00:58.120 --> 01:01:02.360 have not done well, but are being appealed, as far as I’m aware, at the moment. So, 01:01:02.360 --> 01:01:07.480 they lost in the first — at least one round, maybe two rounds, but they’re continuing that campaign 01:01:07.480 --> 01:01:13.560 because they argue exactly the same as you’re saying which is this is code. You don’t prosecute 01:01:13.560 --> 01:01:17.200 code because if you do, you dampen freedom of speech. You stop people inventing code. There’s 01:01:17.200 --> 01:01:21.920 a chilling effect. That’s the risk here, and that argument’s still playing out in the court. 01:01:21.920 --> 01:01:27.320 JACK: I want to just take a step back here and note that this story wasn’t possible ten 01:01:27.320 --> 01:01:32.520 years ago. This is such a novel, new world we’re in. Money used to only be physical, 01:01:32.520 --> 01:01:36.880 but with credit cards it’s turned virtual, and with everything being online today, 01:01:36.880 --> 01:01:41.760 we need digital money. Money used to be controlled by governments, but now with cryptocurrency, it’s 01:01:41.760 --> 01:01:48.160 controlled by the people. It’s like we’re in the middle of a major revolution here. Money is power, 01:01:48.160 --> 01:01:51.960 and the governments are losing their power as cryptocurrency becomes more widespread. So, 01:01:51.960 --> 01:01:56.480 of course they’d want to put up a fight against it. Now with smart contracts and DAOs, 01:01:56.480 --> 01:02:02.000 businesses can be fully-autonomous and always online? How crazy is that that a company can 01:02:02.000 --> 01:02:06.520 exist and make money and act as an online service and it doesn’t need to be maintained or controlled 01:02:06.520 --> 01:02:11.160 by anyone? This is an entirely new kind of problem for the US government to deal with, 01:02:11.160 --> 01:02:18.240 and they don’t really have a good way to combat against it other than sanctioning the code. 01:02:18.240 --> 01:02:23.800 If you aren’t familiar with how sanctions work, it means the US Department of the Treasury’s Office 01:02:23.800 --> 01:02:30.040 of Foreign Assets Control, which is OFAC, has declared that you are forbidden to interact with 01:02:30.040 --> 01:02:36.080 Tornado Cash. If you do, you might get arrested, but it also means your money may become frozen 01:02:36.080 --> 01:02:42.880 if you send it to an exchange. Typically when I buy things or go online, I don’t ever think 01:02:42.880 --> 01:02:47.640 about whether or not I’m violating sanctions. For instance, if North Korea is sanctioned, 01:02:47.640 --> 01:02:53.400 I don’t expect North-Korean-made goods to be in my supermarket where I could buy them and break 01:02:53.400 --> 01:02:58.960 sanction codes or something. I assume the shop owner knows not to buy sanctioned items to try 01:02:58.960 --> 01:03:04.120 to sell them to me. So, it’s completely off my radar. But here’s a situation which I think is 01:03:04.120 --> 01:03:12.000 the first time ever that an online application is sanctioned. This is unprecedented. So, 01:03:12.000 --> 01:03:19.240 now I don’t know how to navigate this world. Am I supposed to check the sanctions list every time I 01:03:19.240 --> 01:03:24.660 go online, visit a website, buy something, use an online service? This breaks my brain. 01:03:24.660 --> 01:03:29.240 GEOFF: You are clearly not the only person who feels this, because in the wake of the 01:03:29.240 --> 01:03:36.600 US government sanctioning Tornado Cash, somebody clearly felt even more — felt very concerned by 01:03:36.600 --> 01:03:40.760 this and very put out by it and thought the whole thing was ridiculous, this idea of sanctioning. 01:03:40.760 --> 01:03:47.600 So, they set up a stunt, which is another bizarre wrinkle to this story and an intriguing one. So, 01:03:47.600 --> 01:03:51.320 the thing about Tornado Cash is even though the government — the US government sanctioned it, 01:03:51.320 --> 01:03:56.880 it’s still up and running. You can still use it. It’s code on the internet. The website went down 01:03:56.880 --> 01:04:01.320 but that doesn’t matter ‘cause the protocol — you can still send money to the protocol, 01:04:01.320 --> 01:04:08.720 effectively, and it will do what it’s programmed to do and effectively mix the money and anonymize 01:04:08.720 --> 01:04:13.560 the money. So, the thing about that is if I know, Jack, your Ethereum wallet address, 01:04:13.560 --> 01:04:17.480 I can use Tornado Cash to send you money, and there’s nothing you can do about it. It just 01:04:17.480 --> 01:04:21.480 gets sent to you automatically. So, someone somewhere — we still don’t know who did this, 01:04:21.480 --> 01:04:25.040 and I’m waiting for the day, actually, Jack, when they turn up on your podcast. 01:04:25.040 --> 01:04:31.880 Somebody took $50,000 and started randomly sending it in tiny bits, tiny, tiny amounts, to 01:04:31.880 --> 01:04:38.000 anybody who was famous who had an Ethereum wallet, including Jimmy Fallon, the comedian Jimmy Fallon, 01:04:38.000 --> 01:04:42.360 Shaquille O’Neal, basketball star Shaquille O’Neal. They started receiving — and of course, 01:04:42.360 --> 01:04:46.160 it shows up on the blockchain. You can’t hide it ‘cause you see Shaquille O’Neal’s address and you 01:04:46.160 --> 01:04:53.640 can see it’s received money from Tornado Cash. That’s all logged. So, technically, I guess you 01:04:53.640 --> 01:04:58.240 could argue Jimmy Fallon and Shaquille O’Neal have breached sanctions, are sanctions dodging, 01:04:58.240 --> 01:05:03.200 or — and I guess you could say they should be prosecuted for that. But the whole point of 01:05:03.200 --> 01:05:08.800 this exercise was to show how ridiculous it was that anybody, even famous people who have done 01:05:08.800 --> 01:05:14.640 clearly nothing wrong, can then, as a result of this sanction of Tornado Cash, get implicated in 01:05:14.640 --> 01:05:21.320 sanctions-busting. The idea was to illuminate how ridiculous this was. So, I don’t know what Jimmy 01:05:21.320 --> 01:05:26.080 Fallon and Shaquille O’Neal have done about that, but it’s tricky. It was a fascinating 01:05:26.080 --> 01:05:30.880 stunt that emerged as part of this. JACK: So, North Korea sent about $450 01:05:30.880 --> 01:05:35.360 million worth of crypto to Tornado Cash to try to mix it. 01:05:35.360 --> 01:05:39.400 GEOFF: There’s cryptocurrency-tracing companies who claim they left it in for about four weeks 01:05:39.400 --> 01:05:44.960 and then extricated it. What we don’t know, of course, is who it went to thereafter. So, 01:05:44.960 --> 01:05:50.120 you can — with mixers, and particularly when you’re mixing a huge amount like $450 million, 01:05:50.120 --> 01:05:54.040 there are companies that track crypto, and one of the things they do with mixers is they look 01:05:54.040 --> 01:05:59.760 at the amount going in and the amount going out. Now, you can’t link — this cryptocurrency payment 01:05:59.760 --> 01:06:04.520 is linked to that one going out, but you can see the volume. You can see the amounts going in, the 01:06:04.520 --> 01:06:08.120 amounts going out. So, I think that’s what they’ve done, is they’ve looked and gone, look, $450 01:06:08.120 --> 01:06:14.760 million goes in. We can look at the outflows. Sure enough, four weeks later, $450 million comes out, 01:06:14.760 --> 01:06:21.000 to put it in very simple terms. So, that money is now somewhere in cryptocurrency wallets. 01:06:21.000 --> 01:06:25.360 The other interesting thing is, well, then who do you take that to to cash out? You’ve got to say to 01:06:25.360 --> 01:06:31.280 somebody, right, here’s $450 million which came from Tornado Cash; don’t know where else. Could 01:06:31.280 --> 01:06:36.960 you transfer that and change it into pounds or dollars or yuan or whatever? There are people out 01:06:36.960 --> 01:06:43.240 there who will do that no questions asked. They’ll take a big cut. But doing that to $450 million, 01:06:43.240 --> 01:06:47.800 you’ve gotta have some brokers that have got some serious, serious liquidity on their hands to be 01:06:47.800 --> 01:06:53.040 able to change that. So, the theory, I think, from some people, is that there’s a bit of a glut now 01:06:53.040 --> 01:06:57.960 of stolen money that the North Koreans are accused of stealing that they’re trying to cash out but 01:06:57.960 --> 01:07:03.440 they can’t cash out quickly enough. There’s nobody that can — who can buy it off them for the $450 01:07:03.440 --> 01:07:07.320 million or whatever they’d need. So, that’s where that’s ended up, all that money. 01:07:07.320 --> 01:07:11.560 JACK: I guess a chop shop wouldn’t even work here because it’s more like you’ve 01:07:11.560 --> 01:07:16.640 stolen a giant bus and no matter what color you change it, you’re going to look like a giant bus 01:07:16.640 --> 01:07:19.400 coming out the other side. GEOFF: Yeah, yeah, exactly. So, 01:07:19.400 --> 01:07:23.880 ideally you want a chop shop that can convert your big, yellow bus into a bunch of tiny, little 01:07:23.880 --> 01:07:31.840 smart cars or whatever. Just going back, as well, this idea that Tornado Cash was leaderless is now 01:07:31.840 --> 01:07:37.400 being thoroughly challenged in the courts. The first thing that happened was a guy called Andre 01:07:37.400 --> 01:07:46.520 Pertzev was arrested in Holland and accused by the Dutch government of running Tornado Cash. Roman 01:07:46.520 --> 01:07:50.280 Semenov is also indicted by the US government. He’s believed to be in the Russian Federation, 01:07:50.280 --> 01:07:55.920 so he hasn’t faced trial. I’ve tried to contact Roman Semenov; I haven’t heard back from him. 01:07:55.920 --> 01:08:01.040 Subsequently, after the sanctioning of Tornado Cash, the US government charged Roman Storm who’s 01:08:01.040 --> 01:08:06.000 in the US and is, I think, currently being tried and is in prison. Again, a fascinating 01:08:06.000 --> 01:08:10.560 trial. The same arguments are coming up in his trial as we’ve talked about, 01:08:10.560 --> 01:08:15.040 people saying, look, he did not run this. He was trying to preserve privacy. That’s why he 01:08:15.040 --> 01:08:20.960 set it up. Now, going against that idea that these guys didn’t ‘run’ — in inverted commas — Tornado 01:08:20.960 --> 01:08:26.240 Cash, is a slightly inconvenient fact which is that according to the US government, they owned a 01:08:26.240 --> 01:08:34.000 lot of the voting tokens and crypto tokens inside Tornado Cash. So, the way this works is Tornado 01:08:34.000 --> 01:08:39.760 Cash is leaderless. It’s done by vote. Any changes to Tornado Cash get done by vote using tokens. I 01:08:39.760 --> 01:08:43.040 think part of the US government’s argument is, well, hang on, a lot of those tokens were in 01:08:43.040 --> 01:08:48.320 the hands of these three individuals. So, they may say they didn’t have control, but actually, 01:08:48.320 --> 01:08:52.320 we think they did. Also, they say that they were still making money out of Tornado Cash. So, all 01:08:52.320 --> 01:08:57.000 this leads to trying to knock down this argument the defendants have which is that, oh, we didn’t 01:08:57.000 --> 01:09:00.580 run it. The US government is saying, no, you did run it, and here’s the evidence why. 01:09:00.580 --> 01:09:05.480 JACK: So, the guys who started Tornado Cash — two have been arrested and in May of this year, 01:09:05.480 --> 01:09:11.560 the first verdict came in. Alexey Pertsev was tried in the Netherlands, and the judge found 01:09:11.560 --> 01:09:18.320 him guilty and sentenced him to five years and four months in prison. The cops took his Porsche 01:09:18.320 --> 01:09:24.720 and €1.9 million in cryptocurrency. The press statement from the Netherlands government says, 01:09:24.720 --> 01:09:29.840 quote, “Tornado Cash is not a legitimate tool that has unintentionally been abused 01:09:29.840 --> 01:09:35.120 by criminals.” End quote. Not a legitimate tool. In fact, the judge said specifically 01:09:35.120 --> 01:09:43.620 he could not find any legitimate use for this tool, as if privacy itself is a crime. 01:09:43.620 --> 01:09:47.760 GEOFF: What’s fascinating about this is it all starts with the hack on a video game to do with 01:09:47.760 --> 01:09:56.440 salamanders, and it ends up in this kind of epic battle royale over freedom of speech and privacy. 01:09:56.440 --> 01:10:02.560 Yeah, I find it really, really, fascinating. It’s almost like the kaleidoscopic story. You look into 01:10:02.560 --> 01:10:06.160 it and it’s got everything in it. JACK: Yeah, we’ve gone all over the 01:10:06.160 --> 01:10:08.760 road here, haven’t we? GEOFF: [LAUGHING] How are you 01:10:08.760 --> 01:10:12.480 gonna edit this one down? I’ve no idea. Mate, I do not envy you that task. 01:10:12.480 --> 01:10:17.280 JACK: Another way to look at this is that the feds are saying that the developers of the tool are 01:10:17.280 --> 01:10:23.920 responsible for how users use it, and that’s a bit crazy, if you ask me. It’s like saying a lighter 01:10:23.920 --> 01:10:28.600 company is responsible any time someone uses their lighter to commit arson, or a drone-maker 01:10:28.600 --> 01:10:32.680 is responsible any time someone uses their drone illegally like spying on people, flying in the 01:10:32.680 --> 01:10:38.520 wrong airspace, or dropping a bomb on someone. Or, it’s like saying a VPN provider gets arrested, 01:10:38.520 --> 01:10:44.840 shut down, sanctioned, because some of their users went online and did something illegal. Or, 01:10:44.840 --> 01:10:50.400 my goodness, is an encrypted messaging app responsible for people doing criminal activities 01:10:50.400 --> 01:10:59.000 on it? We know criminals use iPhones. Apple knows criminals use their phones. In all these cases, 01:10:59.000 --> 01:11:05.800 the tech itself is neutral and it’s up to the user to use it responsibly. Governments have 01:11:05.800 --> 01:11:11.640 never faced anything like this before and they simply have no precedent to act on here, and in my 01:11:11.640 --> 01:11:16.640 opinion, they’re just drawing really fuzzy lines arbitrarily. They can’t even come to a consensus 01:11:16.640 --> 01:11:21.120 on whether cryptocurrency is money or not. GEOFF: The worst example you could possibly think 01:11:21.120 --> 01:11:24.880 of, maybe with the exception of child sexual abuse, one of the worst examples you could 01:11:24.880 --> 01:11:32.160 think of would be a country using this kind of technology to get nukes. Oh yes, we’ve got that. 01:11:32.160 --> 01:11:38.520 So, it’s almost like your privacy-defending hat, your privacy-defending head, is being put to the 01:11:38.520 --> 01:11:42.880 most extreme test. It’s like, you want privacy; right. What about North Korea and nukes? It’s 01:11:42.880 --> 01:11:46.480 almost like that’s immediately what’s happened, is it’s gone to — you know when you’re arguing 01:11:46.480 --> 01:11:49.640 with somebody and they just go to the most extreme example of comparing it to Hitler 01:11:49.640 --> 01:11:54.440 or whatever. It’s like that’s happened. Now it’s North Korea. What are you going to say now? It’s, 01:11:54.440 --> 01:11:58.560 yeah, fascinating, genuinely fascinating. JACK: Okay, I don’t buy that argument. Why? 01:11:58.560 --> 01:12:03.440 Because all this happened and they didn’t catch the real criminals here. In fact, 01:12:03.440 --> 01:12:08.760 I think even if they implemented KYC, North Korea would just have used some fake ID and it wouldn’t 01:12:08.760 --> 01:12:13.240 have helped catch them or slow them down at all. North Koreans are still on the loose with their 01:12:13.240 --> 01:12:19.360 fresh and clean $400 million, and they’re the real criminals here. Go after them. It’s crazy 01:12:19.360 --> 01:12:23.680 that this story starts with someone stealing hundreds of millions of dollars, and the people 01:12:23.680 --> 01:12:28.880 who end up in prison are the privacy advocates. As I’m researching all this, I had to refresh exactly 01:12:28.880 --> 01:12:34.040 what does money laundering mean. The act of money laundering is to hide the cash you have that was 01:12:34.040 --> 01:12:39.400 involved in some illegal activity, stolen money or drug money or something like that. Me trying 01:12:39.400 --> 01:12:47.040 to hide my transactions isn’t a crime. It’s only a crime if I’m trying to hide criminal activity. By 01:12:47.040 --> 01:12:52.080 the way, Tornado Cash, despite being sanctioned, is still up and running, because that’s how it was 01:12:52.080 --> 01:12:56.840 designed, fully autonomous and decentralized. In fact, there’s YouTube videos out there that 01:12:56.840 --> 01:13:01.680 explain how to still use Tornado Cash despite it being sanctioned, basically showing you how 01:13:01.680 --> 01:13:08.520 to get around sanctions. Videos like that surely should be illegal, right? It just makes me wonder 01:13:08.520 --> 01:13:16.640 if these sanctions have any teeth at all. If you ever hear of anyone who gets arrested for 01:13:16.640 --> 01:13:22.880 violating the Tornado Cash sanction, please tell me. I would love to know, because what’s the point 01:13:22.880 --> 01:13:28.520 of all this if the government isn’t going to enforce the sanction at all? Because it almost 01:13:28.520 --> 01:13:35.680 feels like the government is powerless here. It has no ability to stop or control cryptocurrency 01:13:35.680 --> 01:13:42.280 or from people using apps like this. This is what permissionless money is like, and I don’t see any 01:13:42.280 --> 01:13:48.480 evidence that the government is even trying to enforce sanctions. The sanctioned code is still 01:13:48.480 --> 01:13:56.520 there on GitHub. YouTube happily hosts videos on how to avoid sanctions and still use Tornado Cash. 01:13:56.520 --> 01:14:03.360 What is happening here? Just a month ago, the SCC approved the Ethereum ETF. This means you 01:14:03.360 --> 01:14:08.080 can buy this stock on the regular stock exchange and they’ll buy ETH for you. It’s a way to invest 01:14:08.080 --> 01:14:12.640 in Ethereum without actually holding Ethereum. So, there’s this wallet out there which holds 01:14:12.640 --> 01:14:18.360 all the ETH from this ETF. Well, guess what? As soon as the internet figured out which wallet 01:14:18.360 --> 01:14:25.440 is holding the money for the ETF, someone sent a whole ETH token worth over $3,000 through Tornado 01:14:25.440 --> 01:14:32.560 Cash and then to the ETF wallet, which in my opinion means the wallet is now violating 01:14:32.560 --> 01:14:40.040 sanctions and can no longer buy or sell on an exchange. They did it to protest these sanctions, 01:14:40.040 --> 01:14:46.840 to show that there’s absolutely no way to enforce this. I guess this means Tornado Cash 01:14:46.840 --> 01:14:54.760 won. There’s no way to stop it or to stop people from using it. So, today, there’s still millions 01:14:54.760 --> 01:14:59.480 of dollars flowing through Tornado Cash. GEOFF: It’s gone down. Don’t get me wrong, 01:14:59.480 --> 01:15:06.360 the amount it’s processing has gone down, and therefore it makes it a less efficient mixer. You 01:15:06.360 --> 01:15:11.640 want your mixer to have lots of liquidity, lots of volume going through. The less it’s used, the less 01:15:11.640 --> 01:15:19.960 efficient of a mixer it’s going to be. However, it is now a criminal mixer. So, it’s a sanctioned 01:15:19.960 --> 01:15:24.280 mixer, according to the US government, and so, anybody who uses it is gonna be a crook. What 01:15:24.280 --> 01:15:28.640 that means, of course, is if you use Tornado Cash, you’re gonna really struggle to send the money 01:15:28.640 --> 01:15:33.920 onwards, ‘cause whoever sees money coming at them from Tornado Cash is gonna go, no way I’m going to 01:15:33.920 --> 01:15:39.600 accept that, unless it’s somebody who doesn’t care about dealing with sanctioned entities, in which 01:15:39.600 --> 01:15:46.720 case you’re in a slightly murky world. JACK: It is a very murky world, because let’s say, 01:15:46.720 --> 01:15:50.680 hey, I’m selling something online and someone’s like, I’ll buy it, and they send me the 01:15:50.680 --> 01:15:56.240 cryptocurrency that’s been mixed through Tornado Cash. Am I supposed to say, whoa, wait a minute, 01:15:56.240 --> 01:15:59.560 before you send me the money, let me analyze your wallet to make sure it doesn’t have any 01:15:59.560 --> 01:16:04.720 sanctioned crypto in it. This is bonkers. This is like running the serial number on every dollar 01:16:04.720 --> 01:16:09.920 bill you ever get to see if it’s ever been used by someone who’s been sanctioned in the past. That 01:16:09.920 --> 01:16:17.040 would be a nightmare to have to do, yet that’s what I feel like we have to do from now on. Yeah, 01:16:17.040 --> 01:16:22.240 so, suddenly I’m wondering why the US is even involved, right? Axie Infinity 01:16:22.240 --> 01:16:26.340 is based in Philippines, so I could see the Philippine police being upset. 01:16:26.340 --> 01:16:31.080 GEOFF: Vietnam. JACK: Oh, Vietnam. Okay, so I could 01:16:31.080 --> 01:16:34.880 see the Vietnamese being like, alright, we gotta sanction this ‘cause we don’t have any other way, 01:16:34.880 --> 01:16:40.040 right? Then you’ve got the creators of Tornado Cash. They’re not US-based, are they? 01:16:40.040 --> 01:16:46.520 GEOFF: Yes, Roman Storm is based in the US, but actually at the point where they sanctioned it, I 01:16:46.520 --> 01:16:52.040 don’t think that’d had been confirmed. Look, with sanctioning — sanctioning is a really interesting 01:16:52.040 --> 01:16:58.880 power in that basically any time money transfers across the US, the US can exert control in terms 01:16:58.880 --> 01:17:03.440 of sanctions. So, it’s extremely difficult to avoid if the US government wants to go after 01:17:03.440 --> 01:17:07.840 you on sanctions. It’s extremely difficult to avoid. That’s the US government’s argument, 01:17:07.840 --> 01:17:13.240 is that there would be US users using this service. Money transactions would have gone across 01:17:13.240 --> 01:17:19.760 the US territory. Also, as far as I’m aware, sanctions — the sanctions-dodging accusations 01:17:19.760 --> 01:17:27.080 that the US puts at the foot of North Korea gives the US government huge scope to go after it around 01:17:27.080 --> 01:17:31.960 the world. Wherever North Korea tries to dodge sanctions, it seems the US government can go with 01:17:31.960 --> 01:17:34.680 its sanctions legislation.