Podcast

Why North Korea Is Winning Crypto Crime and How to Fight Back | Ari Redbord, TRM Labs

North Korea isn’t just hacking crypto anymore, it’s studying it, infiltrating it, and turning DeFi’s weakest links into a state-run revenue machine.
May 11, 2026 · 62 min read


🎬 DEBRIEF | RYAN & DAVID BREAK DOWN THE EPISODE
https://youtu.be/9YGH1sDPsPY

TRANSCRIPT
Ari:
[0:00] I've kind of rejected this idea that these are North Korea state-sponsored,

Ari:
[0:04] right? I would never use that term in our writing or the way we talked about these things. These are state actors, hard stop. When I talk about the enemies of the United States and our allies, I think about China and Russia and Iran. And I put North Korea in there as well, which is crazy, right? This is a country with absolutely no economy whatsoever. And yet they're competing on the global stage because they've professionalized cyber crime, essentially.

Ari:
[0:30] There is absolutely no economy, so it's always been how do we steal and then ultimately launder funds, and crypto is just the latest iteration of that.

Ryan:
[0:42] Welcome to Bankless, where today we explore why North Korea is winning crypto crime and how we fight back. This is Ryan Sean Adams. I'm here with David Hoffman, and we're here to help you become more bankless.

David:
[0:54] Big topic today. It seems to be that every single day there is a hack in DeFi. At least there was almost one every single day for the month of April. And this is all North Korea and the Lazarus Group. But over in the world of Operation Economic Fury, we also have the IRGC getting their assets frozen on Tron. And just a few months ago, there was $15 billion in Bitcoin seized out of the pig butchering scam out of Cambodia. So there's just a lot to talk about when it comes to crypto crime, all the worst people in the world and how they're using crypto, and what we're doing to fight back against them. So this is the subject today for Ari Redbord from TRM Labs. Let's go ahead and get right into that conversation with Ari.

Ryan:
[1:34] Bankless Nation, excited to introduce you to Ari Redbord. He is the global head of policy at TRM Labs. This is a blockchain analytics firm. It's used by governments, major exchanges. Their goal is really to trace illicit crypto. He's an expert in all of these things. He's had 11 years prosecuting national security money laundering cases at the DOJ. He's been a senior advisor at the Treasury. He's probably the single most authoritative voice that we found in the world on illicit finance and crypto. So we are here to learn a few things. Ari, welcome to Bankless.

Ari:
[2:10] Hey, Ryan. Thank you so much for having me. Really, really looking forward to the conversation and honored to be on the show.

Ryan:
[2:15] I almost don't know where to start. So in April, it was the highest ever purported DeFi cases of hacks. Let's actually start with the Drift hack, okay? So to give some context to listeners, on April 1st, North Korea drained $285 million from a protocol. This is a perps protocol called Drift. They did this in 12 minutes. Last week, your team published a report saying these two hacks, this Drift one and then the Kelp DAO one that we saw two weeks ago, accounted for 76% of all the 2026 hack value so far. And what was eerie about the Drift hack to me as I was reading about this was it seemed like North Korea, who we'll talk about more now, their groups, their hacking groups, are hunting and stalking high-value targets. So again, 76% of the value from two targets; they were hunting the Drift protocol for months. Can we talk about the means that they went through in order to pick out the Drift protocol? Like, it seems like North Korea is hunting and assassinating almost individual high-value targets in a very methodical, sophisticated way.

Ryan:
[3:31] Tell us about this case.

Ari:
[3:32] Yeah, it's really extraordinary. And I think it is a watershed here. Although I think it's important to go back a little bit. I mean, North Korea has essentially professionalized crypto hacking and cybercrime. You know, when I was a prosecutor for years with DOJ, we'd look at North Korea cases involving counterfeit $100 bills and counterfeit cigarettes. They hacked Sony Pictures and tried to steal a billion dollars from the Bank of Bangladesh. So this is something that has been going on for a really long time. I think what North Korea has realized, say, over the last five, six, seven years is that, you know, they could hack Sony or some type of business and steal PII, essentially usernames and passwords. But in the age of crypto, this is bank robbery at the speed of the internet, right? So what they've now done over the last five or six years is stolen, essentially averaging about a billion dollars a year. So we're talking six, seven billion dollars to use for weapons proliferation and destabilizing activity. So when you talk about the targeting, it's moved from sort of targeting the technology to really social engineering at scale. And that's what you saw in the Drift case, where they're meeting developers at conferences, right, using...

Ari:
[4:48] Using other people that they sort of bring in to play that role. They're getting access to private keys to those who have the ability to validate transactions on these exchanges. So what we've really moved from is sort of just going after the technology to going after the people. And it's really social engineering at scale.

Ryan:
[5:10] That's what's so unnerving about this case, actually, is because many of the people listening, many people in crypto, they go to conferences. They think they know, you know, people in the crypto space in real life. And you wrote this. This was a line from Coindesk. North Korean proxy sitting across a table from protocol employees over a period of months. We're talking about the Drift hack. That is, to my knowledge, unprecedented. So they met some of the Drift team members at conferences?

Ari:
[5:37] Apparently, look, like right after this, I was at Paris Blockchain Week, right? Standing around, sort of, you know, chatting with people. You get paranoid. But that's apparently really what was happening here. They sent proxies to these conferences to meet individuals who were building these protocols. I think the other sort of scary piece to this is if this happened to Drift, this obviously was happening to many, many more teams of developers out there who are building in DeFi. And I'm very concerned that this is sort of the tip of the iceberg and we really need to take action. So, okay.

Ryan:
[6:09] So they met, I just can't get over meeting them in person, because I always think of kind of North Korea Lazarus Group as just they're offshore, they're the actual shadowy super coders out there. They don't manifest in real life. But you're saying they were hiring proxies, I guess, paid actors, individuals who, you know, didn't seem like they were from North Korea, maybe seemed westernized in some way.

Ari:
[6:38] Essentially, yeah, I was gonna say, essentially, it had to be, right? I mean, this was something, to be honest, when I read, and I think it was a report that Drift themselves put out that described actually their investigation. And that was the chilling part for me too, right? Because there's this whole idea that like you basically have folks sitting in, you know, in military-type offices within North Korea who are dealing with this, maybe some in China, you know, but that's about it. And here what you had was clearly proxies, right? No one's going to engage with someone from North Korea directly. So there's obviously proxies being used here. There's a couple examples of this over the years. We saw an arrest of a US person for facilitating the IT workers that were ultimately infiltrating a number of different crypto and tech projects, U.S. persons who were kind of supporting this effort. So there are examples of this, but to me, this was pretty extraordinary and really chilling that North Korea

Ari:
[7:35] could get Westerners essentially to do their bidding.

Ryan:
[7:37] Can you talk about how the social engineering actually led to one of the largest hacks, I think the largest hack on Solana, in the Drift case? So what were the further details there in that story?

Ari:
[7:48] Ultimately, what they were able to do was gain access to the protocol itself. And that's where you took that social engineering piece to then have that really sort of technical attack. On March 27th, Drift migrated its security council to a new two-out-of-five threshold configuration, which meant you only needed access to two of the five validators on that platform. And North Korea was able to get access and breach there. And what was also so extraordinary is this is programmatic. On April 1st, pre-signed transactions were deployed, which resulted in 31 withdrawals in 12 minutes. And then those funds start moving.

Ryan:
[8:35] So this turned into a hack of $285 million, I believe. And this was a drain that lasted just for 12 minutes and then it was kind of over. A pretty incredible hack and I suppose a big win maybe for the hackers. I'm curious to learn a bit more about them. So oftentimes we hear about, it's just like North Korea. Sometimes we hear about a subgroup called Lazarus. I've also heard about TraderTraitor, Bureau 121, like all of these different subgroups. And when I've heard people talk about this previously, it almost seems like there are these decentralized groups within the North Korean government that maybe operate somewhat autonomously, but sometimes in a coordinated way.

Ryan:
[9:24] Can you give us a lay of the land for all of these various groups in North Korea? How they're incented, how they're structured, like what do we know about them?

Ari:
[9:35] Absolutely. And it's interesting. I think my own views of this have evolved over time, particularly recently. You know, going back even a few years, I've just always thought to myself, this is North Korea. And I've kind of rejected this idea that these are North Korea state sponsored, right? I would never use that term in our writing or the way we talked about these things. These are state actors, hard stop, right? This is the North Korea government who's realized that, you know, stepping back for a moment, right? Like when I talk about the enemies of the United States and our allies, I think about China and Russia and Iran. And I put North Korea in there as well, which is crazy, right? This is a country with absolutely no economy whatsoever. And yet they're competing on the global stage because they've professionalized cyber crime, essentially. There is absolutely no economy. So it's always been, how do we steal and then ultimately launder funds? And crypto is just the latest iteration of that. So what they've done is they've built a cyber army, essentially, and it has different names. And you're right, that it's becoming more and more decentralized where these groups are acting on their own. They have certain signatures of the way they ultimately launder funds, the way they steal funds. But I think that the easiest way to understand this is this is just North Korea.

Ari:
[10:51] People ask me all the time, how have they done this? There's an amazing podcast called Lazarus Heist on the BBC, which walks through two seasons of how essentially they've built this capacity. But essentially what it is, is they raise kids from a really young age to be hackers, to be cyber warriors. Think Russian gymnasts in the 1980s. They take you if you show the abilities in STEM. And you have access to the internet, which most North Koreans don't have. Maybe they'll send you to China to compete or for education. And they are building this essentially army of cyber warriors that now are attacking crypto exchanges, right? You know, a couple of years ago, they were involved in other types of activity. And it's really crazy. And I think the most troubling part is unlike the hacks that occur from time to time, right? In sort of more of the private way, you know, the money stealing that we see in crypto, the scams. This is to fund weapons proliferation, right? This is to destabilize the Korean Peninsula. So this is North Korea. This is not a situation where you have China or Russia, where there are maybe groups where the government turns the other way.

Ari:
[12:05] This is actually the government. This is the army.

David:
[12:08] How much of this behavior out of North Korea just comes from the fact that, economically, they don't really have any other options? Like, if you ask me what North Korea's biggest exports are, I have no clue. I have no clue how North Korea makes money, except for the fact that they steal hundreds of millions of dollars all the time from the crypto industry. And so this is just born out of necessity from North Korea. They just didn't have any other options, and so they learned that there's money on the internet that they can go steal. How much of this just came out of the fact that this is just what they need to do to survive?

Ari:
[12:42] That's so much what it all has come out of. But what's interesting is you just watch the sort of progress of this. And I mentioned, you know, we've looked back at North Korea. You know, people ask me all the time, hey, how did you get into crypto? Right. And I wish I had the better origin story where I, like, you know, bought in 2011 or whatever, you know, I would be driving around in my Lambo like everybody else. But for me, it was actually North Korea. I was a national security prosecutor at the U.S. Attorney's Office in D.C. And we started to look at money laundering cases involving North Korea. And we started to see Bitcoin in those cases. And this was way before these sort of really, you know, attacks at scale, certainly before DeFi. And I said to myself, wow, this is really cool technology where you can move funds cross-border at the speed of the Internet, and tried to start to understand, like, wait, wow, how could we use this for good? But also at the same time, realizing this is really a technology we need to keep out of the hands of bad actors. So North Korea has really been early here. But you're absolutely right. It's born out of necessity.

David:
[13:42] Just going back and just labeling some quick hacks: $1.5 billion in February 2025 from Bybit, the $300 million recently from Kelp DAO. I think that was $200 million. There's the Ronin Bridge. I think that was also North Korea. Substantial numbers, multi-billion dollars. I don't know if you have, off the top of the head, like a total amount or sum.

Ryan:
[14:01] Six billion is what you said, right? Yeah.

Ari:
[14:03] Six billion. We just put out a report, I think last week, that said six billion over the last, you know, five years, something around that.

David:
[14:10] What and how do they do with their money? What happens next with $6 billion in crypto assets held by North Korea? How do they turn that into something productive?

Ari:
[14:23] So that becomes the challenge. And for TRM, at least, the most interesting piece of the puzzle, what we're focused on, right? So the attack happens, and we can get into maybe how we can stop those at some level. But then the laundering begins. And North Korea launders differently than certain actors. They want to move the funds as fast as they can. They're going to use services, mixers, and other types of services to obfuscate the transactions, but they're actually less worried. Well, they're not worried at all about getting caught. What they were worried about is getting those funds off-ramped as fast as they can in order to use them. And it's hard to say what exactly they're being used for, but everything in North Korea is being used for weapons research, for missiles, who knows, for Crown Royal, for the regime. It is being used to prop up a rogue regime, essentially. But that is really sort of the interesting laundering piece. North Korea needs to move the funds as fast as they can to get them to off-ramp, to use them. And they're going to lose some of that. We see that in the Bybit case. We see that in the Ronin Bridge case.

Ari:
[15:27] But they'll get enough off where this certainly becomes very, very valuable.

David:
[15:31] Was there like a before-and-after moment in the just power and capabilities of North Korea after crypto? So like once they started hacking hundreds of millions of dollars, I would imagine, as we kind of discussed, this prowess, this capacity for, you know, hacking the internet and stealing the funds came out of crypto and came out of necessity because they didn't really have any other economic engine for themselves. Has North Korea become substantially more powerful, and their military, their weapons, whatever, is this more capable because they have all these billions of dollars coming in? What can we say about how crypto has impacted the arc of North Korea?

Ari:
[16:10] Certainly hard to say, but I don't know that there's been any economy within North Korea over the last couple of decades that could have done a billion dollars a year on average for the regime. And I think what we're really concerned about right now in this moment, right? Why we're having this conversation is that, you know, this year, now North Korea is the vast majority of hacks and the Drift hack feels like a playbook. And how many of these are in line, essentially, in tow right now in order to try to go after? So my concern is that there have been a number of really key moments when it comes to North Korea. You mentioned the Ronin Bridge. It was a $600 million hack, which at the time was an absolute game changer. And I actually think it got the U.S. government at least very focused on the issue. We had a number of meetings with U.S., Korean, and Japanese leaders in order to figure out how we can come together as sort of a trilateral to go after these guys. That was a huge moment. You mentioned the Bybit hack in February of 2025. That was the largest bank robbery in human history. And it wasn't even close, right? 1.5 billion just walking out the door. And then I think we're in this moment right now where DeFi is the target, where we're seeing them move slightly differently. The social engineering piece has always been there, but now it's more pronounced. So I think that now we're seeing another one of these moments and we got to stop this.

Ryan:
[17:34] Yeah, that's what's so scary about that Drift hack. I keep coming back to that. It's almost like the idea of you could have sleeper cells out there, like infiltrated in your company. I mean, they waited months to pull this off. It almost had the sophistication of, like you read about Mossad and what they're doing, what they did with kind of the, you know, the pager attack, for instance. It's that level of nation-state sophistication and patience. Like they set up a fake partnership, like a shell company, with all of these, you just like fake.

Ari:
[18:01] They made an investment in the company. They made an investment in the project.

Ryan:
[18:04] Yeah. Just like incredible. And a significant investment.

Ari:
[18:07] I want to say they said it was about a million dollars or something.

Ryan:
[18:09] Yeah, yeah, yeah. Okay, so a few other things. Another way to ask the question David was asking is like, is $6 billion a lot of money for North Korea?

Ari:
[18:18] $6 billion is a huge amount of money for North Korea. Okay, I thought so. There are many countries in the world where that might not be true. Right. That is a huge amount of money for North Korea.

Ryan:
[18:27] Okay, okay. That's what I thought. So this is a major funder of their weapons program then.

David:
[18:32] So they're not stopping anytime soon.

Ari:
[18:34] They're not stopping. In fact, I think they're very bullish after this last month.

Ryan:
[18:38] Oh my God, very bullish. Okay, so what does national security at the U.S. think about this? So under a less crypto-favorable administration, we used to hear murmurings that, you know, the White House national security wanted to sort of shut DeFi down, shut crypto down, partially because of these types of hacks, right? It's just like, look, if you guys can't secure your programs, your DeFi and your crypto assets, like this is becoming a national security threat to the US. And like, we might have to just come in and shut you down. Like, I don't think I ever heard that kind of statement exactly, but you almost felt that sentiment or there were rumors possibly.

Ryan:
[19:25] What about that is true, I guess? What does national security think about the state of crypto right now? Are they kind of pissed that this is happening?

Ari:
[19:34] Look, the folks that I've been talking to on this are very much like, well, how do we stop this from happening, essentially? And it's not so much, hey, we're going to shut down these services. I think the reality is, and I kind of went through this, right, like North Korea has attacked every sector. You know, they have attacked banks, they have attacked tech companies, they've stolen PII. We're not going to shut down hospitals because they're victims of ransomware attacks at scale, right? Hospitals are the number one target. I think it's like 50% of all targets are hospitals for ransomware attacks. So I think the question really becomes, And the questions we've had with the White House, the Treasury Department, the national security community is how do we stop it? And I at least advocate for sort of two ways to think about that. The first is hardening cyber defenses, which we all know needs to happen. I think the DeFi community is having a conversation over the last couple of weeks in a pretty meaningful way about we might not have standards, but as a community, we need to come together and at least come up with best practices, you know, for protecting these platforms. So I think that's a really critical piece. Cybersecurity should be built in to a protocol. But the second is the one I'm more focused on. And it's like, we got to stop blaming the victims here, right? You know, essentially North Korea is attacking these projects at scale. We got to attack North Korea.

Ari:
[20:50] So, you know, to me, if North Korea steals $285 million from Drift, we need to go steal it back. And what does that look like? It looks like offensive cyber. And we have the capabilities within the national security community. I believe we're using some of those, but we need to be doing it in a much more meaningful way. I felt this after the Bybit hack, right? They could steal 1.5 billion from an exchange. Let's go get it back. Let's target the bad actors. And that's mostly what we're kind of hearing out there. Just like, again, like backing up for one moment. I think about this all the time. I think we're in this really interesting moment in human history where the private sector has all of the data, right? Like we have this rich data set of blockchain data, AI, and the government has all of the authorities. And what we need to do at TRM is we try to ensure that the government has all the data they need. But we also need some of these authorities. The private sector moves very, very quickly. Give us the opportunity, give SEAL, give some of these other, give ZachXBT, give us some of the authorities to actually go after these bad actors ourselves. And I think we could really make a dent in this issue.

David:
[22:04] Well, I love how badass that sounds and definitely what I want. My reservation is that it feels somewhat asymmetric where the Lazarus Group is attacking our DeFi protocols, which are complex. They have attackable surface areas. There's ways to penetrate them. And then once North Korea gets their hands on the crypto assets, what do they do? They just hold it in raw Ether or raw Bitcoin. How do we attack that? And so it seems somewhat asymmetric. So while I love the notion, I think I will need further convincing that that's even like a feasible thing to do.

Ari:
[22:38] I love that. I think there's probably a ton of ways around this. And it's not easy and I don't want to make it seem easy. But let me give you an example, right? After the Colonial Pipeline ransomware attack, which is probably the most famous ransomware attack ever, right? I don't know about you guys, but I was having trouble getting gas in D.C. for a couple of days, right? It was pretty significant. I think it moved the cyber crime, cyber attack conversation to a very mainstream conversation. But ultimately, what we were able to do is track and trace the ransom payment. And law enforcement and national security agencies were actually able to use tools to take them back. Essentially, you know, and I don't have access to those tools, but essentially crack private keys. Did they beat them out of someone? Did they actually have access to them through a hack on a computer system? These same bad actors, China and others, are attacking our computer systems for our government agencies, right? The U.S. Treasury Department recently evicted them there. So I think there are things that we can do that aren't necessarily like, hey, we're going to breach a DeFi protocol that North Korea is using in some way. But I do think we could breach their computer systems that are potentially holding at least information that can allow us to do some of that. This is a little outside of my area of expertise, but I really want to empower the private sector and the public sector to work together on this.

Ryan:
[24:06] I love that idea. Even the idea of empowering the private sector is like, what is that? You know, commission bounty hunters or something?

Ari:
[24:12] Exactly. So letters of marque, right? So this is what I'm advocating for. What? Letters of marque? During the U.S. Revolution and the War of 1812, what we would do is we would actually commission privateers to go after pirates on the high seas. Okay. Why? Because we can move faster, because, you know, private individuals with boats can just go get them.

Ryan:
[24:39] Also with incentives, you know, hey, you get a 5% cut of that.

Ari:
[24:44] With incentives. So think cyber letters of marque. You know, pirates today are on blockchains and in cyberspace. Let us, with the tools and the training and the expertise, go after those guys where they live.

Ryan:
[24:57] Hell yeah, I love that idea, actually. And in fact, maybe I'm most excited about that versus all of the other defense, you know, which we need to do. It's like basketball, right?

Ari:
[25:07] Like defense wins championships, I get that. That's how we're going to stop this in the long term. But we got to also play offense here.

Ryan:
[25:14] Did we do some of that? So actually, I wasn't aware that the Colonial Pipeline

Ryan:
[25:18] ransomware had kind of a happy ending and some of the funds were recovered. But I did see a story. I think this was back in October of 2015. David and I talked about it on a Bankless show. This was FBI, DOJ successfully seized 15 billion in Bitcoin from a massive international pig butchering ring. That was the very famous Chen Zhi pig butchering ring, I believe. And somehow, mysteriously, assets were recovered. 127,000 Bitcoin was recovered. $15 billion. That's.

Ari:
[25:56] Got to be one of the

Ryan:
[25:56] largest asset seizures by the DOJ and FBI in history. And it's like mysterious as to how they actually recovered those funds. I saw blockchain forensic analysts being like, huh, this is weird. It's almost like they somehow got their hands on the private keys. I wonder how they did that. Do you know anything about this?

Ari:
[26:16] Yeah, you know, look, I talk about this case a lot. I think it's really a great example of so many of the things that we're calling for. First and foremost, we need a whole-of-government approach, right? Scams and fraud are now a national security issue. We're seeing transnational criminal organizations. You mentioned Chen Zhi and the Prince Group, which is out of Cambodia, was running these massive scam compounds that were stealing billions of dollars from Americans.

Ryan:
[26:44] When you say massive, you're talking about thousands of employees, almost in like call center, data center.

Ari:
[26:50] Thousands of employees, many of whom are human trafficking victims themselves, who are lured to these places. This is like the worst financial crime scourge that we've seen, certainly in my lifetime. And I've been doing this stuff for a really long time.

Ryan:
[27:03] And you talk about things we need to use every national security tool.

Ari:
[27:07] But we really did in the Prince Group case. And when people ask me what we should do, I'm like, actually, we have the playbook, right? DOJ indicted Chen Zhi, who was the ringleader here, who actually operated at the highest levels of the Cambodian government. We did the largest forfeiture action in human history, $15 billion, right, that you mentioned. I mean, unbelievable. But then OFAC also sanctioned Prince Group. We saw FinCEN actually take down their primary money laundering facilitator called Huione. And it was really this whole-of-government agency approach to go after these bad actors. And it's a win. The problem is there's like 10, 15 more Prince Groups out there throughout Southeast Asia and the world. But in terms of the taking the $15 billion itself, you know, it's hard to say how exactly we did that. I will say I highly recommend reading the forfeiture action and the indictment in the case. There's a really interesting paragraph in there that talks about an insider who had access to some of these funds and Chen Zhi at one point getting very upset with this person, and kind of wondering how that maybe dovetails into some of how we were ultimately able to seize and then forfeit these funds. But I think there's a lot of nuance there, a lot going on. But I think it's a playbook for how we can go after these scam compounds.

Ryan:
[28:28] I love that. And part of that is something that only another nation state can actually do, is to actually just, I don't know, I saw pictures of the guy. What's his name again?

Ari:
[28:38] Chen Zhi.

Ryan:
[28:39] Chen Zhi being arrested. I mean, you got the sense that there was cooperation with the government. The special forces kind of like came in and just like picked this guy up and brought him to justice.

Ari:
[28:50] Well, what's interesting about that case, so just to be clear, so he was not arrested. Oh, he wasn't? So he was indicted. I'll tell you what you saw. He was indicted by the U.S. That's not like

Ryan:
[28:59] a bag over his head. Maybe. And it was, you're just like, was it China actually arresting him? Okay.

Ari:
[29:05] So he was, and we can talk about this a little bit. So he was indicted by the U.S. And then ultimately China swooped in and brought him to China. And I think this is kind of the China narrative in my mind. And that is, if you read the indictment, you read the forfeiture order, there's reference throughout to Chinese national security agencies in there and how they were connected to the Cambodian government, how they were connected to the Prince Group. And I think the reality is that for China's taste, Chen Zhi just flew too close to the sun. You know, it's one thing to operate this way, likely sending funds back to China, but you can't get caught, and you definitely cannot get indicted and brought back to the U.S.

David:
[29:50] So parts of China were complicit here.

Ari:
[29:54] Very likely, or at a minimum, certainly looking the other way.

David:
[29:58] Or too close, or just something that's a bad look for China. It's a bad

Ari:
[30:02] look for China. So they grabbed him so we couldn't, was essentially how I, that's my interpretation of what happened. And since this is Bankless, we can, you know, we'll take it a little further than I might normally. But I think that is essentially what happened there in terms of the arrest. But I do want to point one thing out that's important. We are seeing a shift, and I think it's a really good shift. We at TRM held our public sector summit last week where I got out in front of about 250 mostly U.S. federal law enforcement and national security agencies. And we actually talked about this point. And we're finally seeing a shift to the way we go about our business. It's always been, from a law enforcement perspective, you've got to arrest someone, right? Handcuffs on people, prosecutions, you know, potentially going to jail. I think we've seen a shift to asset seizure and forfeiture, which to me is really important because you're not going to get your hands on the Drift protocol hackers. They're in North Korea. They're in China. It's never happening. You're not going to get your hands on Russian cyber criminal groups that are doing ransomware attacks in darknet markets. You're not going to get your hands on, you know, Cambodians running scam compounds, likely because they're in countries that are just not going to extradite to the United States. But what you can do is you can take the money. And that is a huge impact, right? I mean, ask any drug dealer on the street who had their Escalade taken. They're probably more concerned with that than doing the time in jail. And I think that's a really powerful tool.

Ryan:
[31:28] You can take the money. That's right. I do think that's a powerful tool. That's part of the offense that you were talking about. But can we talk about the victims here? Because it's always been unclear to me where that $15 billion goes, right? Does the U.S. government just seize it and take it? And hey, now it's part of the Strategic Bitcoin Reserve, like, you're welcome, everybody. The reality is that $15 billion was taken from hundreds of thousands of individuals, U.S. citizens, other citizens of the world, through these like intricate pig butchering campaigns. For those not familiar with that, it's like, I think it's the idea that you sort of, you fatten up the victim by treating them nicely, socially engineering them, catfishing them, pretending to be an interested party, business relationship, girlfriend, something like this. And then you sort of milk them for their funds, right? Socially engineered. So people are losing their money. And it's hard to kind of trace that back to individual victims. I'm wondering in these types of cases with the seized assets,

Ryan:
[32:29] do victims ever get some of that remuneration, some of their money back? Or is it just too impossible to handle something at that scale?

Ari:
[32:38] It's the most important question. And I'm so glad you're asking it. Like when I think about these cases. And I've testified really recently, once about a week or so ago, before the House Homeland Security Committee on just this, on how transnational criminal networks are stealing billions of dollars from Americans. And then prior to that, actually, I testified before the New York State Senate on how New Yorkers specifically were being attacked. And I said the same thing, essentially, is like, we need to build a victim compensation fund. We need to have a way where we can do this and do it at scale. I think the biggest challenge right now is how do you associate, even with blockchain tracing, how do you associate a specific individual victim with a specific compound, right? Hey, we took down KK Park, so we know that this is part of your funds, or we took down Prince Group, so we know these are part of your funds. So what I advocate for, and one of the recommendations I made in that testimony, I would encourage folks to read it. It's on our site. It's like a very detailed perspective to include letters of marque, to include other types of legislation that I think could be helpful. But I think we need a victim restoration fund. And it's contemplated by the executive order that came out recently on scams. The Trump administration put out an executive order on cyber-enabled scams. And one of the recommendations, or one of the calls, was for a victim restitution fund. So people ask me, how does this work? Because you're absolutely right, Ryan, like this is tough.

Ari:
[34:02] And it's funny enough, when I was a baby lawyer, it was after my first year of law school. So this was like 30 years ago. I couldn't get a job anywhere in the Justice Department, but I really wanted to work there. And I finally found this really, really random office called the Office of Vaccine Restoration, and essentially what it was was like there was a public good of not allowing people to sue vaccine companies in tort, right? So if you're hurt from a vaccine, we don't want you to be able to sue the company and put them out of business because we need vaccines, right? So instead, for every vaccine that's sold, I think 76 cents went to this fund, okay? And ultimately, a victim, you know, a child with an encephalopathy, some type of other damages, would petition the Department of Justice that ran the fund, and ultimately lawyers there would decide whether this claim was valid and pay out the fund. I see a victim restoration fund like that as the future for this. It's for everybody. Any victim, U.S. person who's a victim of a scam, can submit to this fund and try to get restitution there. So that, I think, is the vision. I love that the executive order talks about it because I think that that makes it very real. I think we'll get some legislation from Congress on this and I think we'll start to move. But it's so important and I don't know that, well, it is not happening fast enough now.

David:
[35:27] Can we take a step back and just paint for the listener and myself what it actually looks like to work with law enforcement? So TRM Labs, just to kind of like speed-run, correct me, whatever I get wrong, but just to speed-run like what you guys do. You guys just take in all

Ari:
[35:40] of the blockchain

David:
[35:41] data. You guys have mapped out who are the illicit actors with some degree of certainty. You guys do like risk scoring. So like these addresses are likely North Korea. These addresses are likely some sanctioned actor. You give that data out to exchanges so they can know what's up. But then also you guys work with like law enforcement and the FBI. Can you just like paint a picture of what working with law enforcement looks like?

Ari:
[36:05] Absolutely. Let me just back you up for one second because there's one part of that you nailed it, but it's so interesting. How do we do that attributing addresses? We have a team of threat hunters. We have someone who focuses full-time on ransomware. She's a former FBI analyst. We have someone who focuses full-time on Iran. I would say he's the foremost expert on Iran and the use of crypto today. We have a guy named Nick Carlson who is a former FBI analyst I worked with when I was a prosecutor who is the foremost expert in my mind in the world in North

Ari:
[36:35] Korea and money laundering. And what they're doing is they're out there attributing illicit crypto addresses. So for example, we have someone who focuses full time on terror financing. He is actually communicating on password-protected Telegram channels and Rocket.Chat with Mujahideen, with ISIS fighters, trying to get them to send him crypto addresses so we can attribute them in our tool as terror financing. We then provide that data to basically three main buckets. To law enforcement, and I'll kind of get into your question in a moment, who use it in that sort of like, to me, like the sexy use case, right? The tracking, the tracing, the building, the investigations, the going after bad guys. To regulators who use it to make licensing determinations, right?

Ari:
[37:19] Places like the Monetary Authority of Singapore or New York Department of Financial Services. We then also provide that information to compliance teams at large financial institutions, at crypto businesses. So that's kind of the secret sauce. In terms of working with law enforcement, it's a couple ways. First, we're providing them the software. So first and foremost, we're a software company. So we're selling that data with a cool UI that allows for the tracking and tracing on top of it. But we also have a really cool global investigations team that's sourced from some of the finest crypto investigators, you know, of all time. I think a lot of people know Chris Janczewski. He and I were in a very cool Netflix documentary together called The Biggest Heist Ever. He was the protagonist in Andy Greenberg's book, Tracers in the Dark. Chris is our head of global investigations. And he has a team of former global law enforcement from the Met Police and Korean National Police who are working side by side with our law enforcement partners to track and trace illicit proceeds and help them build investigations.

David:
[38:21] This question is a little bit squishy, but how dominant is crypto and therefore like TRM Labs and maybe also Chainalysis, a company that's very similar to yours, how dominant is that when it comes to just international, transnational financial crime? So like maybe one scenario is like there is transnational financial crime and I don't know what it looks like for it to not be in crypto, but like maybe that is like some amount of the cases. Or is it like, oh, if there is transnational financial crime, it's probably some component at the very least is in crypto. And so you guys are always involved or very frequently involved in some of the highest level cases. Like how big is this world?

Ari:
[39:02] Yeah, it's a great question. It's funny, I usually start with this, but I think Ryan just got into Drift so fast. We were just rocking and rolling. But, you know, we put out a crypto crime report a couple months ago, and it basically said we saw $158 billion in crypto crime in 2025. That is a record-setting year. Okay. And that's always the headline, right? $158 billion, record year in crypto crime. That only makes up about 1.3% of all activity within the crypto ecosystem. So we're still talking about 98, 99% of activity within crypto is lawful. To give you a sense of that, it's much harder to tell this in fiat. But normal numbers are somewhere between 3% and 6% is kind of what you see out there. But right, so there's that piece of just like the pure data piece.

Ari:
[39:50] The other piece is, look, when I was a prosecutor, I wasn't investigating crypto cases. It just wasn't what was happening at the time. I was investigating cases involving networks of shell companies and hawalas and bulk cash smuggling and high value art and real estate, right? ISIS was stealing antiquities in Syria and elsewhere.

Ryan:
[40:09] We might call that trad money laundering. Yes.

Ari:
[40:13] I just call it money laundering. I just call it money laundering. And I'll tell you, there's no TRM to track and trace those things. And I think that- There's no trad TRM? What we now are able to do here, because every transaction is logged and immutable and traceable and trackable on a public ledger, I'm sure you've discussed this before over the years, we can do this much better in my mind.

David:
[40:39] So when there is a big transnational crime case and it does touch crypto, organizations like the CIA or the FBI,

Ari:
[40:50] Are they like stoked?

David:
[40:51] It's like, oh, yes, this one has a crypto footprint. That means we have extra tools to

Ryan:
[40:56] go get these guys that we

David:
[40:58] otherwise wouldn't, had it been trad crime.

Ari:
[41:00] I think they absolutely are with this sort of caveat, right? We don't live in a world yet, and who knows if we will, where all activity occurs on chain. Every case is a mix of on- and off-chain activity. And what we are really good at at TRM is enabling law enforcement and others to see every transaction that occurs on chain. Where we lose visibility is where funds move off-chain through networks of OTC brokers in China, through, you know, hawalas, you know, crypto-like hawalas, when you can move it to cash.

Ari:
[41:39] And I think one thing I've always really tried to explain is that like these tools are not a silver bullet. They're one tool in a toolbox that a great investigator has, right? So if funds are moving through an exchange, what law enforcement does is serves a subpoena on that cryptocurrency exchange to get that underlying user information. And once they have it, then they reach out to Google for their Gmail. They reach out to, you know, their cell phone provider. Maybe they're able to actually figure out their location by triangulating cell tower data, right? They're using all the tools that law enforcement has used for a really long time. I mean, one example of this, and it hasn't played out sadly, but I got asked a lot when there was a Bitcoin ransom demand in the Nancy Guthrie letter about how essentially this would work, right? The most mainstream case that we've seen probably in a decade in terms of people really wanting to understand how this worked. And what I would explain was like, yes, there's a Bitcoin demand. Yes, if funds move, we can track and trace them. But law enforcement is going to need to use their entire toolbox. Because so far, these funds aren't moving. And there's got to be other means in order to investigate this case.

Ryan:
[42:54] By the way, I'm just curious, did the Nancy Guthrie case get resolved? That was kind of in my feed and it was big news and then I never followed that through to resolution.

Ari:
[43:03] Yeah, I think sadly it hasn't at all been resolved. And my sense is that folks don't know where she is or what's going on with the case.

Ryan:
[43:11] Wow, chilling. Can we go back to what you were talking about with respect to on-chain money laundering and how this process, this flow works? So North Korea has hacked and stolen $6 billion. We've seen a few cases in April, the Lyft case, the Kelp DAO case, some other details we'll get into. What do they do after they acquire the cryptocurrency? So just like one thing that we often see is they will move to the highest security, most decentralized chain possible, it seems like. So if they're on something like Tron, they might move to Ethereum and then later possibly even to Bitcoin. So that seems to be something that happens, at least that I've seen. They also seem to use some of the on-chain privacy type tools. So Tornado Cash is often cited. So if they have Ether on Ethereum, then they'll try to move some of that through Tornado Cash.

Ryan:
[44:15] Oftentimes, it also seems like they then move some funds to Bitcoin and they use something called ThorChain in order to move across kind of that bridge. Can you just... And then I'm not sure what happens after that. Is it just like tainted Bitcoin somewhere or is it, you know,

Ryan:
cleaned Ether if it's on the other side of Tornado Cash? Like what happens and how do they get that into the kind of the real economy in order to purchase weapons and nuclear capabilities and that sort of thing? Can you take us through that flow?

Ari:
[44:46] Absolutely. I mean, Ryan, you nailed it on the laundering piece for sure. And that's exactly what is going on today. Yeah. Thinking of it like slightly broadly here, North Korea is trying to move funds as fast as they can. And they have a different playbook. You mentioned ThorChain is a service that's being used quite frequently right now. And I think part of this is with Bitcoin being completely decentralized. Bitcoin comes with benefits and issues when it comes to laundering funds, right? It's historically volatile. And bad actors want to move their funds into more stable assets, just like the rest of us, to use them. But at the same time, stablecoin issuers like Tether, like Circle, have unique capabilities when it comes to essentially what I refer to as burning and reissuing their native token, what some people call freezing or blocking. Essentially, you know, Tether is able to essentially freeze, burn, which means take the token out of your wallet and move it into an inaccessible wallet, and then ultimately reissue to the government or to a victim or something like that.

Ryan:
[45:48] Right. It would be insane for North Korea to keep those funds in USDT.

Ari:
[45:52] That's exactly right. So, but what's interesting is for years, that's the narrative, right? Like, hey, all bad actors are using USDT. It's certainly still happening because of, I think, two main reasons, liquidity and the stability issue, right? Bad guys want to move their funds, but they need to offer those funds to more usable currencies quickly so that they're not getting blocked. And we're seeing Tether really act at scale more and more now on these types of cases. So we are seeing, you know, look at the Bybit hack, it's a great example. I think that that changed a lot for us in terms of how we were watching laundering. Essentially, North Korea stole $1.5 billion in Ethereum. And within the first 72 hours, converted almost all of that to Bitcoin. And then started using the services that North Korea typically uses. One thing that's really important to note is oftentimes North Korea, the pig butchering networks that David was talking about earlier,

Ari:
cartels are actually transferring their funds at some point to professional money launderers. And that is how they're ultimately off-ramping those funds. They're using networks of casinos, of OTC brokers. They're getting them into the Chinese money laundering networks that had essentially professionalized money laundering prior to crypto, and now we're getting more and more involved in crypto. If you look, and this is to me like, this is the most startling thing. If you look on chain at cartel activity, North Korea hacks, and these pig butchering networks, you see wallet addresses that are being used in all three of those laundering typologies or those threat categories that we associate with Chinese money laundering networks. These professional organizations run by the triads and other types of like Chinese organized crime. So oftentimes like North Korea will steal the money, but ultimately turn it over, essentially sell the funds to one of these networks.

Ryan:
[47:55] Okay, so in the Bybit hack, as an example, 1.5 billion in Ether were stolen within 72 hours. Most of that was in Bitcoin on the Bitcoin blockchain by route of, what, ThorChain?

Ari:
[48:08] I believe ThorChain was, right. It was in that case. Yes. And honestly, we've seen that playbook play out in Kelp as well in this most recent heist.

Ryan:
[48:17] And they prefer Bitcoin just because of what, versus raw Ether? Because it's got more connections into the kind of the OTC Chinese crime money laundering type world.

Ari:
[48:29] That's one piece of it. Is that? That's one piece of it. The other piece, North Korea over the years has been used to using some of the services that are on Bitcoin to launder funds, some of the more centralized mixing services. Obviously, we saw North Korea use Tornado Cash for years. We see that less so today on Ethereum. So we see them do a lot of different types of, use a lot of different services.

Ryan:
[48:52] But then ultimately, this ends up off-chain. So they're not keeping the Bitcoin in Bitcoin. They are moving this off-chain through various actions.

Ari:
[49:03] That's right, and sometimes it takes days to get some amount off-chain, sometimes it takes weeks, but we've seen cases where it takes months or even years where North Korea, right... To me, one of the ways we can solve the money laundering problem when it comes to North Korea is doing everything we can to create a really strong perimeter, right? Because the challenge for North Korea is always, and it's not just North Korea, these pig butchering networks and cartels and others, is how do you off-ramp the funds? And they're looking to the weakest points to do that. I think Russia-based exchanges that do no KYC, that don't use tools like TRM to monitor transactions or don't care. We've seen Treasury actually sanction a whole host of these services. Think Chatex and Garantex and Bitzlato and so many others. So we see that. We see China-based OTC brokers where they're trying to off-ramp those funds. But to me, the real question becomes, how do we build that perimeter around crypto to stop these bad actors from being able to off-ramp those funds? Can I give you like a cool example?

David:
[50:09] Yeah.

Ari:
[50:11] So after Bybit, just exactly to your question, we saw the laundering. We saw North Korea move faster than ever before. It was clear to us that they had more access to liquidity than ever before. I think that's a result of these Chinese criminal networks that are laundering the funds. And we basically said, how can we move as fast as they are? Because they were moving faster than compliance teams. That's the reality. We were seeing them move at unprecedented speed. We were seeing them do programmatic money laundering. So we reached out to Coinbase and Binance, to me, the most significant exchanges in the world, and said, how are we going to keep funds on chain? How are we going to stop bad actors from using these platforms? And we formed something called the Beacon Network. And the Beacon Network accounts for about 85% of all centralized crypto today. So think Kraken, OKX, HTX, Poloniex, Blockchain.com, Crypto.com, Ripple, a host of other services. But then we also added fintechs like Stripe and Robinhood and PayPal, DeFi protocols, RhinoFi, 1inch. And what we're doing is, and we married that group with about 70 global law enforcement agencies. And those law enforcement agencies are flaggers. So when illicit proceeds are moving in real time, they're flagging that address. And an alert, think lighthouse, think beacon, goes out to those exchanges. And when they get that Beacon alert, they're required as part of their membership to block that.

Ari:
[51:38] And ultimately work with law enforcement to seize those funds back.

Ari:
[51:42] So, you know, we're definitely laying out a lot of the issues, like the problems today. But I think that, like, we could do things differently and better. And, you know, you start to combine that with some of these other ideas, right? The offensive cyber, protect the perimeter, you know, use AI in our own workflows to stop bad actors. I think you start to have, like, a tech-driven response to some of this.

David:
[52:02] With this perimeter concept that you bring up, how does ThorChain fit into that perimeter or break open that perimeter? What do you think about ThorChain?

Ari:
[52:13] Yeah, I think it's a challenge that, I mean, part of what works on this network like this is that you have buy-in, that, you know, no matter what your views are on centralization or your role in the ecosystem, that when it comes to really bad actors, we need to stop funds from moving off-chain. We need to stop bad actors from using these services. I think ThorChain has clearly taken a different view of all of that.

Ari:
[52:39] That said, I think there's probably things that we could all work on together there. You're always going to be as, you're only going to be as strong as your weakest link. And I think those weak links have always been sort of like, for lack of better,

Ari:
[52:52] like the non-compliant pieces of all of this. But I will say one thing when it comes to that, I was like, there is no one who's been sort of a more, no community of people that have been more supportive of Beacon than the DeFi community. You know, DeFi Education Fund and others, you know, I've briefed members of Congress with those guys talking about how we can do better when it comes to sort of, you know, compliance and anti-money laundering than we can in the traditional world, right? If you're a DeFi service that's a member of Beacon, we have a whole bunch today, they're not working with law enforcement, right? Like that's not the nature of how DeFi works. But what they are able to do is block funds that are going to hit that platform. And the bad actor might go elsewhere. But then what we want to do is we want to follow the money and then onboard that next service where the bad actors go. So my hope is that we could get as many people on board here as possible to really build the most solid perimeter. But I think the DeFi community, look, I think at the end of the day, it's like you want to solve problems using the technology, not over-regulating the space.

Ryan:
[53:55] I mean, this is where I sort of don't have it settled in my own mind. And I'm just curious kind of what

Ari:
[54:02] you think here,

Ryan:
[54:02] right? So I don't think anyone listening wants North Korea or bad guys or, you know, theft to happen on chain. They want to see the bad guys get prosecuted. And yet, oftentimes, I mean, you mentioned like things like Ethereum and Bitcoin being a double-edged sword. You know, if you take something like privacy, that also seems to be a double-edged sword and cut against some of those things that you mentioned, which is being able to track and identify the bad guys. You take something like ThorChain and your response seemed to indicate, you know, what you wish was that ThorChain would actually participate in kind of the Beacon group and help stop some of this nefarious activity, right? And that implies maybe that ThorChain has some centralization vectors in their protocol in which humans can intervene or inject code or kind of do that. And I'm not actually sure if they do or not. That's kind of, take that as another entire podcast that we could talk about. I do know that there are some protocols where you absolutely do not have that ability. You know, one of which is Tornado Cash, for instance, which is a privacy protocol on Ethereum. Right now we have a developer who's in a criminal case in the U.S. about this, Roman Storm, we've talked about that often. Then you also have entire networks, like say the Zcash network, which they sort of exist to be an encrypted version of Bitcoin. And there is this move that like.

Ryan:
[55:28] If you are a crypto user, don't you deserve, don't you want some level of privacy on top of your transactions? And by the way, this is a safety mechanism for legitimate use cases too. It keeps out the corporate surveillers. It keeps out the possibility of people hacking you or even wrench attacks in real life. I mean, there's some real civil liberties at stake here when it comes to, you know, moving all of your funds being transparent and available for the whole world to see. Like, that's not a good steady state either. And so I'm wondering how you feel about some of these, we'll leave ThorChain aside, but some of these much more decentralized solutions to just encrypting all of the stuff that, you know, is on chain in a way that you can't see it. You can't track. I mean, is this just, in your mind, giving a gift to the bad guys? Do you see some upside here? Like, what would be your take specifically on something like Tornado Cash or Zcash?

Ari:
[56:24] I love the question. And honestly, I think it's the most important question that we've been grappling with as an industry over the last, let's say, three or four years. It's interesting. I think the sanctions against Tornado Cash really got this conversation started in a meaningful way years ago. Those sanctions have since been lifted, but 2021, somewhere in that time frame. Look, I mean, post 9/11, we had this conversation right on city streets and in airports. And I think today we're having it across blockchains. I fundamentally believe that in an open financial system, people are going to need and demand privacy in order to transact. None of this works without privacy. I'm not sure I'd say I'm a privacy maxi, but there are very few people who believe more in being able to transact privately than I do or we do at TRM.

Ryan:
[57:14] A couple months ago.

Ari:
[57:15] We put out a 70-page white paper on privacy, which I've encouraged folks to read. It's awesome. And it really goes into, like, how to leverage the technology. So I'll tell you just really quickly sort of how I think about this. First, at TRM, we don't associate individuals with their alphanumeric address. We would never say, hey, that's Ryan's address, that's David's address. We associate addresses with really two categories. Entities, so lawful entities like Coinbase or Tornado Cash or Uniswap. And illicit activity, terror financing, sanctions, North Korea. In order to get the underlying user information, that individual would have to transact with some type of centralized service and law enforcement would

Ari:
[57:58] be able to serve a subpoena, lawful process in order to get that underlying user information. So that's sort of one way I think about this. I don't think we should ever be in a world where we're associating individuals with their alphanumeric crypto addresses. I think it becomes dangerous when people are associating those addresses with themselves on social media and other places. And I think that's when you talk about wrench attacks, that's someplace I preach about being very, very careful on. The other piece is I think we need to leverage the technology.

Ari:
[58:27] I think the challenge for regulators and policymakers and all of us is how do we stop bad actors from using services like Tornado Cash, but allowing lawful users to use them for the privacy they need for all the things that you mentioned, right? Dissidents, you know, corporate surveillance, you know, humanitarian aid.

Ari:
[58:47] Quite frankly, the U.S. government sending funds to informants in war zones, right? We need that level of privacy. I think the technology is the solution. And I really lean into Beacon. Beacon is just about tracking illicit proceeds and blocking them and then allowing for lawful process to play itself out. And when it comes to DeFi, Beacon's a great example of how you can maintain privacy, right? That transaction is just blocked if it's illicit. Don't let it hit our platform. And then they've got to move to the next place in order to transact. So I think the technology is a big piece of this. I think the Canton network chains, it's just one example now. And I know there's all kinds of interesting conversations around that. That's probably been a show or will be another show too. But it's not just Canton. It's like, hey, should we be building privacy chains that we allow, that we build in tools like TRM? Should we be doing private transactions on permissionless open blockchains, but that we allow some visibility into for money laundering purposes? So I say all of this to say we're thinking a lot about zero knowledge proofs, which I think could be such an important part of the puzzle. Just give enough information

Ari:
to let a decision be made about whether an actor is good or bad without giving up all of your PII. So I think there's a lot, like I really lean in hard to the technology and definitely not over, over, over regulating the space.

Ryan:
[1:00:16] I do think there are a lot of technical solutions that can give a lot of people what they want, right? Zero knowledge proofs. There's a riff on something like Tornado Cash, you know, people like Ameen Soleimani, I think Privacy Pools, 0xbow, I believe is what it's called. And what they're doing is they use a ZK proof to prove that the funds actually aren't OFAC sanctioned, right? So they don't identify an individual user, but they prove any of the funds that go into this pool.

Ari:
[1:00:45] It's a great example.

Ryan:
[1:00:46] And that's a good compromise. But I still want to push you on this a little bit. Which is just like, let's say you no longer have the ability at all to see any data. No government agents do nothing. Let's say it's a version of Ethereum and privacy maxis actually win on that. And everything on Ethereum has the ability to be completely encrypted without any, what privacy maxis would say, government surveillance or backdoors. All right. You lose this ability completely. It's just like Bitcoin or Ethereum, except everything is encrypted. In fact, Zcash is kind of this model when they move into sort of shielded transactions. What do you think about that? Is that a net good? Is that a net bad?

Ari:
[1:01:35] It's an interesting world. You know, I think when we first started TRM or started thinking about TRM, I think one thing we knew fundamentally was that we have more visibility than we're ever going to have. You know, we used to talk about how it was sort of one of these old Western towns where you could see completely from one end of the town to the other, right, with that. And I think the vision is that we're going to have more cities. And I think we're starting to see that play out, although it's still early. And by cities, I mean where there's actually infrastructure being built in a meaningful way on chain, where you can't see around every corner, where it's going to be harder to have that full visibility. Is that a good thing or a bad thing? I ultimately like am a big believer in the technology and sort of this thing playing itself out. I can't imagine a world where we've built this incredible technology where every transaction is trackable, traceable, and immutable, and we can't add enough privacy for individual users to feel like they're not putting their credit card statement on chain, and yet at the same time ensuring that governments can stop North Korea, can stop terror financing. I'll say this. I mean, I think that this has been such a cool conversation, by the way. You know, just thinking about the ground we've covered, we started talking about North Korea and attacking the DeFi ecosystem.

Ari:
[1:02:56] I don't know that any of this works. I don't know that any user is going to put their funds on a service, you know, staking, investing, you know, their mortgage on chain, if we believe that North Korea can attack this ecosystem at scale and steal billions of dollars.

Ryan:
[1:03:13] Agreed.

Ari:
[1:03:13] So I think that it's got to be a compromise. And the compromise might, it's not about privacy or security. I fundamentally believe you could have both. But the compromise is like we need to be ensuring that we're using the tools to keep North Korea off these platforms, and it's not just North Korea, it's any criminal element, but North Korea is, I think, is the biggest threat right now when it comes to DeFi. But, so my view is just like from a pure market perspective, people aren't going to engage with an ecosystem where they can lose all their money, you know, at the click of a button. And I think we're going to have to figure out how to sort of balance that. But I don't, but to be really clear, I don't think it's a security versus privacy balance. To me, you could have absolutely both of those things. You know, we've never had a financial system that is anonymous. I don't believe we should. But we should have a financial system that's pseudonymous. And I think that's why crypto works so well in order to sort of like balance that privacy and security piece.

Ryan:
[1:04:08] One last question on this, which is maybe a question with respect to who's responsible for this or where does the liability lie? It's been really interesting to observe the Tornado Cash Roman Storm case. And it seems like the prosecutors, DOJ, Southern District of New York, are making the case that he actually, you know, was involved with this and partially responsible for money laundering due to North Korea's actions because he partook in developing this protocol. Then you had last week the acting attorney general go to Bitcoin, a Bitcoin conference, and say, code is not a crime. Non-custodial software developers shouldn't have to sleep with one eye open. And there's a question of like, if North Korea uses a protocol like Tornado Cash, or if they use DeFi, or if they use Ethereum, or if they use Bitcoin, are the developers who made these tools responsible in any way when bad guys use their tools? Have you thought about this? I'm not sure. Does your privacy 70-page paper like cover this? And what do you think the government actually thinks about this? Because on the one hand, they're saying things like code is not a crime. But on the other hand, they're also prosecuting Roman Storm. And so I think the community is somewhat confused as to what the U.S. government's perspective on this is.

Ari:
[1:05:29] I think there's a range, clearly. There's really clearly a range. And I've been actually surprised with Attorney General Blanche's statements. And not just this one. When he was Deputy Attorney General, he made a similar statement several, maybe a couple years ago now. And I thought that would have a huge impact on the prosecution. It clearly has not. And I think they're going to have to sort of work out where they're really, if they're really landing on, is this a policy position? And to what extent are U.S. Attorney's Offices going to sort of need to heed it? My own personal view, I'm pretty aligned with the Attorney General with this caveat. And that is, we need to make sure the developers aren't conspiring with bad actors in order to launder funds, okay? So if you're building a decentralized service, non-custodial, for people to use for lawful reasons, then no, you should not be prosecuted if bad actors are using your platform. But, you know, there are great examples of this. Helix, which was a Bitcoin mixer that was being advertised by a guy named Larry Harmon on AlphaBay saying, hey, this is the perfect place to launder all these drug proceeds that you have on this darknet market. No, like, no, that is over there.

Ryan:
[1:06:47] Like Kim Jong-un can't be your target user.

Ari:
[1:06:50] Yeah, yeah, yeah. That's exactly right. You know, people may disagree with this, but Bitcoin Fog, similar circumstances, okay? That service was actually conspiring on darknet markets with bad actors in order to launder funds. This is, Tornado Cash is different.

Ari:
[1:07:08] And that's what's always been such an, why this has been the most interesting question in my mind, maybe for you guys too, in my entire time in this space. Because I think there's a challenge. How do regulators stop North Korea from using a service to launder billions of dollars and yet at the same time allow lawful users the opportunity to do it? I don't think we go after builders who are literally just building tech or just building or just writing code. But at the same time, you know, I think a strong prosecution in this case, there could potentially be emails saying, hey, we don't care. We're going to keep doing this. We see the funds going through. We want our service to be a place that is known for this. I haven't seen any of that type of evidence come out. But to me, that's the type of evidence you would need to really prosecute a case like this in a meaningful way. Intent, criminal intent. I mean, that's what our system demands. So if you have criminal intent, I don't care what you're developing. You should be potentially prosecuted for money laundering conspiracy. That's different than some of these other money transmitter laws that I think also have folks concerned. But just from a pure criminal standpoint, I'm most concerned with the money laundering conspiracy piece.

David:
[1:08:23] We'd be remiss to not talk about some of the biggest current events that are happening at the time of the recording,

Ari:
[1:08:28] Which is the IRG. Have we not been?

David:
[1:08:30] Even more recent. There's a lot going on, guys. Even more recent. There is a lot going on. I'm sure, Ari, you've probably been the most busy that you've ever been with just North Korea, the Lazarus Group, always being persistently active. But with Operation Economic Fury out of the White House, I think there's probably also something to talk about with Iran's use of just crypto in illicit ways. Just two weeks ago, $344 million of USDT on Tron was frozen. We mentioned that. I think we're all kind of confused about why they were using Tether on Tron, but maybe that's a different question for a different day. One of the big things that happened here was OFAC directly named the Iranian central bank, a central bank controlled wallet, on the SDN list. And so like just in the same way that like, you know, North Korea's Lazarus Group, these aren't like, you know, proxies. This is North Korea itself. We actually like sanctioned an Iranian central bank crypto wallet. So unprecedented. Can you talk about what it was just like to be in your shoes during a lot of this activity? I think you guys are on just the front lines here. You guys have a lot of the data.

David:
[1:09:35] What's Operation Economic Fury like from TRM's perspective?

Ari:
[1:09:38] Yeah, no, absolutely. You know, it's interesting. It goes to sort of what Ryan and I were just talking about to some extent in that this is an only in crypto story, right? You're not seizing 344 billion, 344 million, um, of fiat from Iran. You may sanction the central bank, which has been sanctioned for years. Their entire financial sector is sanctioned. But actually enforcing those sanctions and getting back funds, that's an only in crypto type story. And it's interesting that you mentioned that we're particularly busy. Over the last bunch of years, every geopolitical issue, every major geopolitical issue in the world, everyone's wanting to know, what is the crypto nexus? So Russia invades Ukraine. It's how is Russia going to use crypto to evade sanctions? Hamas attacked Israel on October 7th. It was how is Hamas funding its operations using crypto? And this is the most recent example. But I think there's a fair amount to say, and that is a couple of years ago, you would see IRGC sort of one-off transactions, right? Hey, we have some funds. We want to send them. We want to try to off-ramp them. Israel actually seized about 100 addresses associated with IRGC a year or so ago. We've seen a shift. And we wrote a piece on two UK-registered exchanges, Zedcex and Zedxion,

Ari:
[1:10:57] which actually ultimately were sanctioned after we wrote our report by the US Treasury Department. And essentially, to me, that actually showed a bit of a playbook. And that is, instead of just one-off transactions, Iran was using crypto infrastructure at scale. They basically were using these two exchanges to launder a billion dollars through them. So it wasn't just like, hey, we're going to send money. It's we're going to actually essentially use these as shell companies. At one point, I want to say almost 80% of all transactions through these exchanges were IRGC-related. So I think we see that. And then the central bank of Iran is sort of just the latest example where we see essentially Iran's central bank –

Ari:
[1:11:43] You know, spinning up crypto addresses and trying to move funds that way in order to circumvent the U.S. financial system. There's a couple other examples like this recently where we're seeing this with Iran, this reporting, which I struggle with a little bit, around the Strait of Hormuz, is Iran going to collect tolls in crypto? I haven't seen any really significant evidence of that. And we've been looking everywhere we possibly can on chain. But the fact that Iran is trying to experiment with that just shows that they're trying to do anything they possibly can. There was a report today in the Wall Street Journal about the financial facilitator, a guy named Larjani, that we actually name in our Zedcex report, who actually was released from a death sentence, I think, in prison 10 years ago or something in Iran, because he's so good at money laundering. And he has essentially discovered crypto. So he was the one behind Zedcex, possibly behind these central bank transactions. And he's the go-to money launderer for IRGC. So I say all that to say that I think, like, you know, we started with, I'm sorry, we started with North Korea. We could go just as deep on Russia, to be honest. And now with Iran, we're seeing nation state actors really think through how to build crypto infrastructure, not just like, hey, we're going to send some funds to this wallet address that we spun up.

David:
[1:13:07] The tension that I feel might be there is that crypto offers the good guys, you guys, the State Department, the FBI, a lot of capabilities and information and power to get some funds back. As you've been underscoring this entire podcast, like only in crypto do we actually recover funds so directly from any of these state actors that stole it from innocent people. And I remember one of the reasons why the whole CZ Binance versus Department of Justice story was such a big story was because CZ was looking a blind eye, I think, towards IRGC and Iranian money laundering through Binance. Well, now Binance has been brought to heel. Now Binance is kind of like inside the fold of the people who are providing data to the good guys, to the government. And so crypto seems to be, as you've been saying, establishing a pretty strong perimeter around these state actors. But nonetheless, the state actors continue to use them. And so clearly, crypto is benefiting the state actors in some particular way, despite how strong our capabilities are, the good guy side of things. Square this for me. If crypto is being such a good tool for information for the FBI and OFAC and all this, how come Iran and North Korea and China and Russia and all of them, how come they're still using them? It seems like it's not actually good territory for them to do their operations in.

Ari:
[1:14:32] Yeah, look, I think it's interesting, right? You know, the promise of cryptocurrency is cross-border value transfer at the speed of the internet. And the reality is that, like, for all the reasons it's such a transformative technology for remittances, for humanitarian aid, for payments at scale.

Ari:
[1:14:50] Bad actors also want to use it to move funds faster and in larger amounts than ever before. The difference is that we now can track and trace those funds. So the reality is that it's always going to be this cat and mouse game that has always existed between law enforcement, right? Bad guys can now move funds faster and in larger amounts than ever before. And law enforcement now is going to need to track them.

Ari:
[1:15:13] I mean, I think bad guys have always been early adopters of transformative technology. And I think we're in that moment right now with crypto and maybe even more recently AI. One of my favorite stories is that in 1908, the Model T rolled off the assembly line. And in that same year, we created the Bureau of Investigation, which is the modern FBI, because policing had always been a local issue, right? But all of a sudden, bad actors could move cross-border, cross-state lines at unprecedented speed and scale. Think Al Capone and Machine Gun Kelly and Bonnie and Clyde. And we need to create a national police force in order to run them down. I think we're seeing that now, right? It's just a new technology that bad guys can now move funds faster than ever before. And it's a bit of this cat and mouse game, this whack-a-mole that prosecutors talk about. But at the same time, I think that bad guys are going to improve their technology and so are the good guys.

Ryan:
[1:16:11] One thing I just want to clarify is, you know, David's framing in terms of bad guys and good guys, you know. It may not always be the case that your government is the good guy. And this is the entire reason we have the Bill of Rights and the Constitution and civil liberties and things like decentralized technology, like Ethereum and Bitcoin, is because when the government actually becomes the bad guys, you need freedom tools to resist their badness. And so far, we've talked in terms of good guys and bad guys. I just want to make it clear that the entire purpose of this technology and this movement is to have the freedom to escape centralized authorities as they become bad guys and as they move across that spectrum. One question I wanted to ask you about the Iran case and the IRGC specifically is why in the world they were using Tether and Tron because it seemed incredibly obvious in 2026 that they're just asking to get their assets frozen. And if their next maneuver is just going to be to do the thing that North Korea does, which is move their assets to something like Bitcoin, and then if they move their assets to Bitcoin and they accept the volatility, I mean, less volatile than their local currency, we might point out, much less volatile.

Ryan:
[1:17:40] What do nation states do as a reaction to that? So the U.S. government is the most powerful nation state in the world. I was very interested in this exchange between a Texas Republican who asked the Secretary of War, Pete Hegseth, about Bitcoin, framing it as kind of a matter of national security. Does he think so? And Hegseth said, yes, I do think so. And then he added this, a lot of things we are doing, enabling it or defeating it, he's referring to Bitcoin are classified efforts that are ongoing inside our department.

Ryan:
[1:18:15] This is kind of interesting to me, the idea of defeating something like Bitcoin. And it just struck me last week that this could be the moment that cryptocurrency networks like a Bitcoin or an Ethereum are tested in ways that they haven't been tested. I mean, part of the purported value of this technology is that they have sovereignty and decentralization and nation state grade level security. And I kind of wonder if they will actually pass this test or not.

Ryan:
[1:18:45] And what Hegseth might mean when he's talking about defeating something like Bitcoin. So say the IRGC keeps their next $350 million in assets in Bitcoin on the Bitcoin network instead. Does the Department of War have a way to defeat that, to access that? Is that maybe what we were talking about earlier in our conversation? Like, what do you think about this?

Ari:
[1:19:12] Yeah, that's interesting. I quite frankly don't know what he would have been talking about necessarily with that statement in terms of the defeating piece. You know, when someone says something like that to me and like, I am not an expert on quantum and I do not play one on TV. So like that might be a really cool conversation for the show at some point. But I would say that's where my head goes immediately to that type of technology as opposed to the way I think about it. And I think about how do we harness the technology? How do we use open permissionless blockchains in order to do, you know, to go after bad actors? How do we create that perimeter to keep the funds from going off chain for the use of weapons proliferation? How do we go after Chinese money laundering networks, right? So that's an interesting one to me in terms of beating the technology. And I am not sure where I'm not sure the origins of that.

Ryan:
[1:20:09] So you're not aware of any kind of classified super secret way that the US government has to defeat Bitcoin in some way?

Ari:
[1:20:16] I don't think I'm, these days I am not privy to any of that type of information.

David:
[1:20:20] If he told you, he'd have to kill you.

Ari:
[1:20:23] If I told you, I would have still been in the government. I think that I'm long done with that life. But I would say that like, to me, it's always just like, hey, how do we harness the technology? And quite frankly, it's more and more AI too. You know, I think AI plays a huge role in the way we can supercharge a lot of these operations. But in terms of like defeating the tech itself, it's like, no, we need to defeat the adversary. And that's what I just like, I always come back to that. Right. Like, what are we doing to go after the central bank of Iran? Right. I mean, literally, I mentioned North Korea hacked the bank of Bangladesh years ago. Like, let's hack the central bank of Iran. Let's take the money. Right. So I think that that that's really how I'm thinking about it always is going after the bad actors. And I was actually I was a little discouraged, even on Twitter, which I should not spend as much time on or X.

Ryan:
[1:21:11] You know, there was a lot of.

Ari:
[1:21:12] The conversation was entirely around what Drift should have or could have done or Kelp could or should have done. And there's plenty, right? And I think bringing in cyber from day one is absolutely critical. But my focus was immediately on, let's go after North Korea. Let's go after Iran. Let's go after Russian cyber criminals.

Ryan:
[1:21:31] That would be so cool. I got to tell you.

Ari:
[1:21:33] That would be so cool. So if it happens, you know, or you keep hearing about Cyber Letters of Marque, Chris Perkins is awesome on this. Chris Giancarlo's written on this. This is not me being a crazy person talking about pirates. Like, I think there's some real, I know Tevano, there's a whole handful of other folks that are very supportive of this idea. And yeah, I'm excited about the prospect of it.

Ryan:
[1:21:52] Okay, so as we wrap this up and bring this to a close, so as I mentioned in the outset, April was DeFi's worst month ever, maybe over 600 million in hacks. I don't know about total volume size, but just in the number, there was one hack every 27 hours. Okay. So basically a daily occurrence. And one has to think AI is just speeding up and accelerating the efforts of these incredibly talented North Korean hackers, it seems like. I mean, they are winning right now. So what does DeFi do? Just maybe summarize this. If you're addressing everybody in the crypto space who cares about it. We just had a DeFi United campaign and it was fantastic. It was a coming together of all of decentralized finance and they were trying to make the Kelp DAO asset whole, RSETH. And they did that. They raised $300 million in commitments. That was fantastic. And I just couldn't help but think, as great as this is and as fantastic as this is, if this happens every month, we're not going to last, okay? Like this can't happen again, can't happen many more times. And so in addition to DeFi United being about kind of getting RSETH claimants whole, we also have to have a DeFi United for securing our space. What recommendations do you have? Like how does this get better? And if there is a happy case here, what do you think it looks like?

Ari:
[1:23:18] Yeah, I know. It's a great question. I'm not familiar with DeFi United, but I love this concept because I think that's where we have to go. And it should be more than kind of paying back lost funds. You know, I'm not naive enough to think we're going to have standards anytime soon for sort of DeFi protocols or developers. But I do believe that we could come together as a community and agree to best practices. You know, years ago after Colonial Pipeline, the White House actually brought together a community of businesses, the largest businesses in the world, and started talking about here are 10 bullets for what good cyber hygiene, cyber controls can look like. I think we need to do that for DeFi today, whether that's through this group or whether it's through something else. So it's best practices, but agree and align to them. I hope part of that is being involved in an information sharing, interdiction, disruption type network like Beacon. So on the defensive side, I think it's a combo of like building out Beacon plus really, really getting granular on what DeFi protocols can build from the ground up, from a cyber defense perspective.

David:
[1:24:26] I know crypto in some ways has presented challenges towards the State Department and investigators just because of the way that it is. But as we've underscored throughout this entire podcast, it also gives them some tools and some assets and some information that they don't have in the trad financial world. Do you think the State, FBI, CIA, OFAC, Treasury, do you think they are actually kind of pro moving on chain in the sense that, like, you know, let's get all the people on chain because it's actually a better substrate for us to do our job if more of global finance moves on chain. Do you think they think that?

Ari:
[1:25:05] I do. I also think there's a certain inevitability around it, right? Like, what's interesting to me, and I think that this is a very, this moment state, every major law enforcement agency, many in the world, but certainly every U.S. federal law enforcement agency, think FBI, IRS-CI, DEA, Secret Service, Homeland Security Investigations, they all have a cadre of investigators who are sort of power users of TRM, who have all the tools and the training and the true experts. I think there's, I believe, I think you guys do too, that there's inevitability about this space, right? Just in the last year with institutional adoption and so much happening, and we see more activity moving on chain, that means like it can't just be a cadre anymore. It has to be like every investigator has to have the capabilities because every crime is a financial crime. And that means every crime is going to involve crypto in one way or another. So my view is that like, yes, but they don't have the resourcing necessarily today that they need if that's the direction we're headed in.

Ryan:
[1:26:01] As much as I don't like North Korea, and I appreciate the work that you guys are doing to catch the bad guys, I got to say, I don't know how encouraged I feel that the CIA and FBI wants us all to come on chain. Okay, so I will voice that at the end of this podcast that trust definitely needs to be earned there. But Ari, thank you so much for joining us today and telling us all about what is going on in crypto and for your work to catch the bad guys. We appreciate it.

Ari:
[1:26:28] Hey, love joining you. Thank you for the conversation.

Ryan:
[1:26:30] Gotta let you know, Bankless Nation, of course, none of this has been financial advice. Crypto is risky. You could lose what you put in, but we are headed west. This is the frontier. It's not for everyone, but we're glad you're with us on the Bankless Journey. Thanks a lot.

Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.

Disclosure. From time to time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.