There are multiple relays out there, so how does the UI decide which one to use? Well, one way would be to always pick the one with the lowest fee. But then you can't have tokenomics. And VC investors want tokenomics. So what do you do as a founder? YOU MAKE A TOKEN
I simplified the employer side here. They would also use the UI, but for simplicity I assume they just put the salary in the smart contract manually, North Korea style.
The employee then uses the UI to retrieve the salary. That way their boss can't see what they do with it. This UI is hosted on a website*, some web3 magick where you use a browser plugin to connect your wallet. In addition to providing a nice user interface, it also picks a relayer for the employee.
A relayer is a third party smart contract that makes it easier and more private to withdraw. They get a percentage fee for that. It's non-custodial though! The DoJ hints that they're also after the people running them, but that's for another time.
* = slightly oversimplifying, because with web3 you could in theory put the whole site on IPFS (InterPlanetary File System) and have the smart contract point to it. But afaik that wasn't the case here (yet).
Yeah it's suboptimal everywhere. See the PDF...
Doesn't seem to handle threads though: https://nostr.com/nevent1qqsftwe474uugknl2zm75uu4l9uave33qn0cz4uwm8kpeld4j9jr6lshglena
And if that doesn't work, here's a PDF… https://sprovoost.nl/wp-content/uploads/2023/nostr-tornado.pdf
Didn't FinCEN write in like 2014 that non-custodial services don't need this license? Or was it more ambiguous?
But also irrelevant to the Dutch case; these are US sanctions. Though perhaps there's an indirect case for laundering the proceeds of a crime (violating sanctions law of a befriended country). In any case this is the first time I hear about it. Pretty sure the Dutch prosecutor would have brought this up in the courtroom full of journalists if she knew about it at the time.
Ok, that was quite possibly the worst move ever. Assuming it was a unilateral move by Storm, now the other two co-founders are sitting on coins (fiat?) received after the sanctions were in effect. Which comes with onerous reporting requirements, $1000+ / hour lawyers and countless ways for an eager prosecutor to (selectively) make your life hell.
It's the kind of thing you do *after* you've all moved to a non-extradition tropical island of choice. Not when two of you are sitting ducks. (Not legal advice) 
It seems like they're undermining their case here. Clearly the money is coming from investors, not money launderers. This should have been a securities case. 
The SEC might have an opinion about that... 
This last bit is highly relevant in the Dutch case since they're accused of laundering 'billions' and without the Lazarus funds that would drop to way less.
They keep playing this game for a while. But notice what's absent: there's no allegation, let alone evidence, that the North Koreans used the UI. In fact they had no reason to. It would save money for their great leader to just do it themselves. And if the UI ran on Cloudflare it wouldn't even work in NK.
Maybe yes. Though I think on GitHub you don't reach the 2FA step before either passing the password check or resetting the password.
Or they're really playing the same dirty trick as the Dutch prosecutor. First they pretend adding KYC to the UI would have been effective. Full well knowing that's false. Then, when it suits them, they suddenly argue it would NOT be effective.
They paper over this glaring contradiction with the red underlined nonsense. None of those things would have stopped the transactions. The developers understood this, so they didn't act. The prosecutor understands this too but hopes the jury doesn't. Or in the case of the Dutch system - where judges are way less educated on the topic and there isn't a single attorney who can teach them - the judge doesn't.
Because the attorney in question was a moron. Tornado Cash is non-custodial and does not have possession. And there was nothing they could do. 
Yeah I don't use sms 2fa when I can avoid it.
I noticed and cut them off in a matter of hours. I guess they were Russian or Chinese working office hours and just stopped for the day.
Fwiw 2FA* saved my ass once, many years ago, when someone hijacked my domain**, set an email forward and reset the GitHub password.
* = and the hackers' laziness, they could have done way more damage
** = where I forgot to set 2FA AND probably reused a password, despite having stopped reusing passwords years before the hack - forgot to change that one
I had 2FA on phone long before they enforced it. US government already has access to my stuff since it's Microsoft. So don't care about NSA backdoor in the 2FA app.