
Railgun

avoid.net/railgun · 48/100 · 75% conf.
[AI-DRAFTED · AWAITING VERIFICATION]

Summary

Railgun is a zero-knowledge (ZK) privacy protocol deployed on Ethereum and multiple EVM-compatible chains that allows users to interact with DeFi applications privately. The protocol gained significant notoriety in January 2023 when the FBI alleged that North Korea's Lazarus Group used it to launder over $60 million stolen from the Harmony Horizon Bridge, though Railgun disputed these claims. The project distinguishes itself from sanctioned mixer Tornado Cash through a compliance feature called Private Proofs of Innocence, has received public endorsements from Ethereum co-founder Vitalik Buterin, and has accumulated over $4 billion in total transaction volume as of 2025.


On-chain audit

Editorial decisions, corrections, and updates are anchored on Solana.

Protocol Overview and Technology

Railgun is a DeFi privacy system launched in January 2021, with open-source code released in July 2021 by a group of contributors described as 'mostly doxxed.' The protocol is deployed on Ethereum, BNB Smart Chain (BSC), Polygon, and Arbitrum. It uses zk-SNARK cryptography — specifically the Groth16 proving system also used in Zcash's early shielded transactions — to allow users to shield assets into private balances and interact with DeFi applications without exposing transaction details on-chain. Railgun is structured around non-custodial '0zk' wallets and a UTXO-based Merkle tree system for tracing ownership and balances cryptographically. Unlike bridge-based privacy solutions, Railgun operates entirely as on-chain smart contract logic without a separate layer-2 validator set or cross-chain bridge exposure. Multiple independent security audits were conducted: ABDK (July 2021), Trail of Bits (February 2022), and Zokyo (April and September 2022). The September 2022 Zokyo audit reported zero critical issues and rated testable code coverage at 100%, above the industry standard of 95%. An open bug bounty program of up to $250,000 is maintained on the open-source codebase.

Governance, Team, and Decentralization

Railgun is governed by the RAILGUN Decentralized Autonomous Organization (DAO) using the RAIL token. RAIL holders must stake tokens to gain voting rights; stakers who interact with the governance contract at least once are designated 'Active Governors' and receive a share of DAO revenue derived from 0.25% deposit and withdrawal fees. There is no registered corporate entity behind Railgun. The project describes itself as having no VC investors or equity holders. Known contributors include: Alan Scott (co-founder and primary public-facing advocate), Emmanuel Goldstein (founder and development leader — a pseudonym referencing a character from George Orwell's '1984'), Kieran Mesquita (chief scientist), Dr. Andrey Kravchenko (security lead), and Hisham Galal Ph.D. (cryptographer). The pseudonymous nature of at least one founder — using a known fictional name — is a governance transparency concern common to many DeFi protocols. On-chain governance changes to the smart contracts require passing a formal proposal through the DAO. A total of 50 million RAIL tokens are allocated to the DAO treasury, locked and unminted, releasable only through governance vote.

FBI Allegation: Lazarus Group Use in Harmony Bridge Laundering

On January 24, 2023, the FBI issued a public statement confirming that the North Korean state-sponsored hacking collective known as the Lazarus Group (also designated APT38) was responsible for the $100 million theft from Harmony's Horizon Bridge in June 2022. The FBI stated that on January 13, 2023, North Korean cyber actors used Railgun to launder over $60 million worth of Ethereum (approximately 41,000 ETH) stolen during that heist. A portion of the laundered funds was subsequently converted to Bitcoin and sent to multiple virtual asset service providers. Binance and Huobi reportedly froze accounts associated with the laundering attempt in coordination with law enforcement. Blockchain analytics firm Elliptic separately reported that the Lazarus Group switched to Railgun after Tornado Cash was sanctioned by the U.S. Treasury in August 2022. Elliptic also noted that because Harmony Bridge funds constituted such a substantial share of the Ethereum passing through Railgun at the time, the mixing was rendered less effective. The FBI's public statement is a Tier 1 source and constitutes the most significant documented allegation against the protocol. Railgun disputed these allegations (see Railgun's Response section).

Railgun's Response and Denial of Illicit Use

Following the FBI statement, Railgun issued a strong denial. The protocol stated that any suggestion that sanctioned individuals, governments, or entities — including North Korea — had used Railgun lacked evidentiary support and was based on speculation. Railgun's co-founder Alan Scott specifically stated that the Lazarus Group could not access the Railgun system due to its Private Proofs of Innocence (PPOI) mechanism. However, it is notable that the PPOI system — which Railgun credits as its primary compliance defense — was not deployed until 2024, after the January 2023 events described in the FBI statement. The protocol's earlier operation therefore lacked this safeguard at the time of the alleged Lazarus Group usage. Alan Scott has since engaged proactively with law enforcement, presenting at the FBI's Virtual Currency Symposium in Milwaukee and describing a generally positive reception. Scott acknowledged that legal actions against Tornado Cash developers (including the 2024 conviction of Alexey Pertsev for laundering $2.2 billion) have created a 'chilling effect' on privacy protocol development.

Private Proofs of Innocence: Compliance Mechanism

In May 2023, the RAILGUN DAO adopted Chainway's 'Proof of Innocence' tool, and by 2024 Private Proofs of Innocence (PPOI) was integrated as a mandatory requirement for all transactions. PPOI uses zero-knowledge cryptography to allow users to prove cryptographically that their funds did not originate from wallets associated with sanctioned entities, hacks, or exploits — without revealing the specific origin or balance. The mechanism works as follows: (1) a data source assesses transaction origins and generates an exclusion list of flagged deposits; (2) deposits not on the exclusion list are added to a PPOI accumulator; (3) when a user shields funds, a ZK proof must be generated demonstrating the deposit is within the accumulator and therefore not flagged. If a deposit cannot generate a valid PPOI, it is rejected by the protocol and returned to the originating address. Railgun contributor Alan Scott stated that if an address appears on the OFAC Specially Designated Nationals list, it will not receive privacy benefits from the protocol. The PPOI system was demonstrated in practice when Railgun blocked a $9.5 million laundering attempt by the zkLend attacker in February 2025 — returned funds sat flagged in the attacker's address — and earlier, in July 2024, when it rejected a 174 ETH (~$530,000) laundering attempt by the Inferno Drainer phishing group.

Continued Alleged Criminal Use Despite Compliance Features

Despite implementation of the PPOI system, blockchain analytics firms have documented ongoing alleged criminal use of Railgun. Blockchain security company MistTrack has characterized Railgun as the 'official/unofficial money laundering tool' for crypto drainer groups, noting that criminal usage increased markedly from April 2024 onward. AnChain.AI published a technical analysis titled 'Railgun Demystified' describing how a single Railgun transaction can contain 31 distinct smart contract events, many of which evade detection by conventional investigative tools, posing significant challenges for law enforcement. On-chain analytics firm Nefture Security published an analysis in 2023 comparing Railgun to Tornado Cash as a rival destination for illicit funds. The effectiveness of PPOI against sophisticated state actors or well-prepared criminal groups remains debated, as the system relies on public exclusion lists that may lag behind newly identified malicious addresses.
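The three PPOI steps described earlier and the exclusion-list lag noted above can be seen in a small model. This is an added example, not Railgun's code: it replaces the zero-knowledge proof with a plain Merkle membership path (which, unlike a real PPOI, reveals which deposit is being proven), and the names `Accumulator`, `shield` and the `dep-00x` identifiers are hypothetical.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(deposit_id: str) -> bytes:
    return h(b"\x00", deposit_id.encode())

class Accumulator:
    """Merkle tree over deposits that are NOT on the exclusion list (step 2)."""
    def __init__(self, deposits, exclusion_list):
        self.ids = [d for d in deposits if d not in exclusion_list]
        self.levels = [[leaf(d) for d in self.ids] or [h(b"empty")]]
        while len(self.levels[-1]) > 1:
            cur = self.levels[-1]
            cur = cur + [cur[-1]] * (len(cur) % 2)   # duplicate last node if odd
            self.levels.append([h(b"\x01", cur[i], cur[i + 1])
                                for i in range(0, len(cur), 2)])
        self.root = self.levels[-1][0]

    def prove(self, deposit_id):
        """Sibling path for an accumulated deposit, or None if it was excluded."""
        if deposit_id not in self.ids:
            return None
        idx, path = self.ids.index(deposit_id), []
        for level in self.levels[:-1]:
            sib = idx ^ 1
            path.append((level[sib] if sib < len(level) else level[idx], idx & 1))
            idx //= 2
        return path

def verify(root, deposit_id, path) -> bool:
    node = leaf(deposit_id)
    for sibling, is_right in path:
        node = h(b"\x01", sibling, node) if is_right else h(b"\x01", node, sibling)
    return node == root

def shield(acc, deposit_id) -> str:
    """Step 3: accept only with a valid membership proof, else return the funds."""
    path = acc.prove(deposit_id)
    ok = path is not None and verify(acc.root, deposit_id, path)
    return "accepted" if ok else "returned to origin"

# Constructed sample data: four deposits and two versions of the exclusion list.
DEPOSITS = ["dep-001", "dep-002", "dep-003", "dep-004"]
acc_v1 = Accumulator(DEPOSITS, {"dep-003"})             # dep-004 not yet flagged
acc_v2 = Accumulator(DEPOSITS, {"dep-003", "dep-004"})  # list catches up later

if __name__ == "__main__":
    for d in DEPOSITS:
        print(d, shield(acc_v1, d), "|", shield(acc_v2, d))
```

In this model `dep-004` is accepted against the first accumulator and only rejected once the exclusion list is updated, which is the lag window the paragraph above refers to.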

Regulatory Status and Sanctions Risk

As of May 2026, Railgun has not been sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC), unlike Tornado Cash, which was sanctioned in August 2022. However, the protocol has been the subject of ongoing regulatory scrutiny. CoinMarketCap published commentary in early 2023 questioning whether Railgun could be 'next on OFAC's crypto sanctions hit list.' In November 2024, a Fifth Circuit Court ruling held that OFAC's sanctions on Tornado Cash's immutable smart contracts exceeded its statutory authority under the International Emergency Economic Powers Act (IEEPA), a development that may reduce — but does not eliminate — the risk of similar action against Railgun's smart contracts. The EU has discussed banning crypto mixers and privacy tokens as part of anti-money laundering reform packages. The DOJ's April 2025 guidance de-emphasizing 'regulation by prosecution' in digital assets suggests a reduced near-term federal criminal prosecution risk in the United States, though this policy guidance is not legally binding and could change. No SEC, CFTC, or DOJ enforcement action against Railgun, its DAO, or its named contributors has been publicly disclosed as of the investigation date.

Vitalik Buterin Endorsements and Legitimate Use Narrative

Ethereum co-founder Vitalik Buterin has publicly supported and used Railgun on multiple occasions, lending the protocol significant reputational credibility within the Ethereum ecosystem. Buterin has transferred as much as 400 ETH through the protocol in a single instance, and 300,000 USD in another documented transfer, both as a functional demonstration and to achieve transactional confidentiality. In February 2025, Buterin praised Railgun's response to the zkLend exploit, writing: 'This is a solid demonstration of Railgun's privacy pools mechanism working in practice, allowing Railgun to avoid serving proceeds of crime without using any snooping / backdoors.' Buterin co-authored a research paper in 2023 on 'Privacy Pools' exploring how curated privacy sets can screen out bad actors while preserving user anonymity — a concept aligned with Railgun's PPOI approach. His public advocacy has been credited with driving significant price increases in the RAIL token; one endorsement was followed by a reported 255% price surge. Buterin has also called privacy a 'first-class priority' for Ethereum, reinforcing the broader narrative of Railgun as legitimate infrastructure.

RAIL Token and Market Profile

RAIL is the native governance token of the Railgun protocol. As of early 2026, the token's all-time high price was approximately $5.59, reached in November 2025. The token's market capitalization was approximately $82 million as of available data, ranking around #329 on CoinGecko. The token experienced a 181% price increase in 2024 (from ~$0.39 to ~$1.09), driven in part by Vitalik Buterin's public endorsements and growing protocol volume. RAIL is traded on decentralized exchanges such as Uniswap and is listed on several centralized exchanges. The total protocol volume exceeded $4 billion as of 2025, with approximately $1.7 billion attributable to 2024 transactions and $1.6 billion attributable to 2025 transactions as of reporting. WETH (wrapped Ethereum) comprises approximately 76% of total transaction volume. The fee structure charges 0.25% on deposits and withdrawals, with revenue distributed to active governance stakers.

On-Chain Forensic Challenges

Blockchain analytics firm AnChain.AI published an analysis highlighting the forensic challenges Railgun poses for investigators. A single Railgun transaction can generate 31 or more distinct smart contract events, many of which are not captured by conventional blockchain exploration tools. The ZK-SNARK architecture obscures the link between deposits and withdrawals, with AnChain.AI identifying five probabilistic investigative heuristics: entry/exit point tracking, timing correlation analysis, off-chain event linkage, address clustering, and governance interaction monitoring. The wrapped nature of assets (predominantly WETH) and the cross-chain capability across Ethereum, BSC, Polygon, and Arbitrum further complicate fund-tracing. These characteristics make Railgun substantially harder to investigate than non-privacy DeFi protocols, though the PPOI system is intended to limit the utility of the protocol for documented bad actors.

Timeline

2021-01-01

Railgun project founded.

Gate Learn / Messari

2021-07-01

Railgun open-source code released by a group of mostly doxxed contributors; protocol launches on-chain privacy for Ethereum, BNB Smart Chain, and Polygon.

Railgun Docs / Bitcoin Insider

2022-02-01

Trail of Bits security audit completed.

Railgun Documentation

2022-06-24

Harmony Horizon Bridge hacked for approximately $100 million by the Lazarus Group (North Korea), according to later FBI confirmation.

FBI Press Release

2022-08-08

U.S. Treasury OFAC sanctions Tornado Cash, driving state-sponsored and other privacy-seeking actors toward alternative protocols including Railgun.

Elliptic Blog

2022-09-14

Zokyo completes smart contract audit of Railgun; finds zero critical issues.

Zokyo Audit Report

2023-01-13

FBI later states that on this date, North Korean cyber actors used Railgun to launder over $60 million worth of ETH (approximately 41,000 ETH) stolen in the Harmony Bridge hack. Binance and Huobi froze associated accounts.

FBI Press Release

2023-01-24

FBI publicly confirms Lazarus Group as responsible for Harmony hack and names Railgun in connection with laundering.

FBI Press Release / CNBC

2023-05-08

Railgun DAO adopts Chainway's 'Proof of Innocence' tool as a compliance mechanism.

CoinDesk

2024-04-01

MistTrack reports a notable increase in crypto drainer groups using Railgun for money laundering from approximately this date.

Cointelegraph

2024-07-10

Railgun's Private Proofs of Innocence system blocks Inferno Drainer's attempt to launder approximately 174 ETH (~$530,000); funds returned to attacker's original address.

Cointelegraph / CryptoPotato

2024-10-01

Railgun's all-time shielded transaction volume hits $2 billion milestone.

DL News

2024-11-01

Fifth Circuit Court rules OFAC's sanctions on Tornado Cash's immutable smart contracts exceeded statutory authority, a legal development potentially relevant to Railgun's sanctions exposure.

Mooloo.net regulatory analysis

2025-02-12

zkLend DeFi protocol exploited for approximately $9.5 million on Starknet. Attacker bridges funds to Ethereum and attempts to wash through Railgun.

The Block / DL News

2025-02-14

Vitalik Buterin publicly praises Railgun for blocking the zkLend attacker's laundering attempt, calling it 'a solid demonstration of Railgun's privacy pools mechanism working in practice.'

The Block

2025-11-07

RAIL token reaches all-time high price of approximately $5.59.

CoinMarketCap

2026-01-01

Railgun total all-time transaction volume exceeds $4 billion, with approximately $1.6 billion attributed to 2025 transactions.

DL News

model: claude-code-investigator

generated: 5/9/2026, 5:43:59 PM

last updated: 5/9/2026, 5:43:59 PM

avoid.net — verified advice for a post-truth world