Elliptic: Cross-Chain Payments Bridges Are DeFi’s Next Big AML Battleground

If you thought the biggest problem with cross-chain bridges, which are used to make payments between blockchains, was that they are fantastically vulnerable to hackers, with a staggering $1.3 billion stolen in just the first six months of 2022, it turns out they are excellent money laundering tools too.

So says Elliptic, a leading blockchain intelligence firm that released a report Wednesday (Aug. 10) alleging “that one cross-chain bridge in particular — RenBridge — has been used to launder at least $540 million in cryptoassets originating from theft, fraud, ransomware and various other types of criminal activity since 2020.”

That includes more than $153 million stolen in attacks attributed to state-sponsored North Korean agents. Tornado Cash was blacklisted by the Treasury Department Monday (Aug. 8) after the agency found evidence that the mixing service was helping to launder cryptocurrency stolen by North Korea’s Lazarus Group.

But mixing services are designed to do nothing but obscure the source of cryptocurrency. Bridges, meanwhile, perform an increasingly important role in facilitating payments in the cryptocurrency world. Cross-chain bridges like RenBridge have become a key part of the decentralized finance (DeFi) ecosystem. They are something of a cross between an exchange and a lending/borrowing service.

They work this way: You deposit tokens that you want to spend on a project built on Ethereum, let’s say $100 worth of bitcoin, into a bridge program. The bridge program stores those bitcoins in a wallet and mints $100 worth of new tokens called “wrapped” ether that can be used just like real ether tokens. The wrapped ether can be returned to the bridge, which will burn it and release the bitcoin. Simple.

Chain Hopping

Bridges are a growing tool in a kind of crypto laundering called chain hopping, which is moving ill-gotten crypto from one blockchain to another to make it harder to track, Elliptic said.

Most cryptocurrencies are public, so any token can be tracked from one transaction to the next (although the owner’s identity remains obscured). Chain hopping breaks that transaction record, but most such transactions — especially large ones — must be done on crypto exchanges, which are implementing more and more sophisticated know-your-customer (KYC) and anti-money laundering (AML) tools.

Bridges are a simpler way to do that chain hopping, making the exchange in one transaction and providing a token that is both salable on exchanges and burned when a buyer turns it in for the original token.

It’s a technique that Sen. Elizabeth Warren of Massachusetts highlighted during a March 17 Senate Banking Committee hearing on the use of cryptocurrency in illicit finance as a way Russian oligarchs could bypass sanctions.

So did the Financial Action Task Force (FATF), a global AML standards setter, Elliptic noted in January.

“Blockchain bridges such as RenBridge pose a challenge to regulators, since there is no central service provider that facilitates these cross-chain transactions,” Elliptic said in Monday’s cross-chain crime report. “Instead, transactions are processed by a network of thousands of pseudonymous validators known as ‘Darknodes.’”

Despite the FATF’s interest, Elliptic said “it remains to be seen how this type of activity could be regulated.”

Wobbly Rails

Beyond that, the decentralized projects have several weaknesses, the biggest being a lack of centralized management that has allowed glaring coding errors and weaknesses to creep in, enabling hackers to pounce.

That $540 million that RenBridge was allegedly used to launder includes $2.4 million stolen in the Aug. 1 Nomad bridge hack, in which $190 million was looted. This was one of the best examples of that weak security: the safety flaw was so egregious that hundreds of other thieves were able to copy and paste the original hack and steal more.

The two biggest bridge hacks are April’s $625 million Ronin Network theft — the largest-ever crypto theft — and the $612 million Poly Network bridge hack in August 2021 (which turned out to have been a “white hat” attack that saw the hacker stealing the funds and then giving them all back).

The second big problem is that cross-chain bridges are, by their very nature, a form of “hot wallet” — a digital asset wallet permanently connected to the internet and thus vulnerable — on steroids. Exchanges and crypto custody firms keep most funds in heavily guarded “cold wallets” not connected to the internet and thus unhackable. It’s what’s advised for any individual crypto owner.
