U.S. Sanctions on Tornado Cash: What Does This Mean for Crypto?

Here’s what led to the sanctioning of the autonomous, decentralized crypto mixer.

Written by Brooke Becher
Published on Nov. 02, 2022
Image: Shutterstock / Built In

In a first for crypto regulations, the U.S. Treasury Department’s Office of Foreign Assets Control sanctioned Tornado Cash — a tool for concealing the origins of cryptocurrency transactions — for its role in laundering $7 billion, or 300,160 ETH, in digital assets since its 2019 inception.

The sanctions barred all stateside individuals and entities from using the decentralized privacy tool, which “failed to impose effective controls designed to stop it from laundering funds,” according to a Treasury press release.

Before the sanctions were announced on August 8, the federal agency had never listed an open-source software protocol on its Specially Designated Nationals and Blocked Persons List. Customarily, OFAC targets a person or entity (like narcotics traffickers or terrorists), not code.

“This represents the first outright ban on a software application itself,” said Marcel Harmann, founder and CEO of non-custodial, cross-chain compatible wallet THORWallet DEX. “Never before has an arm of government outlawed a computer program that is distinct from an entity controlled by a group or an individual.”

Mixers, which are programmed to conceal the origin of a transaction using a pooling technique, are lightning rods for police intervention. Other mixer services have had run-ins with the Department of Justice for facilitating multimillion-dollar laundering schemes. Blender.io, for instance, was sanctioned due to its use by the North Korean cybercrime collective known as the Lazarus Group.

Earlier this year, the Lazarus Group was also linked to Tornado Cash in the largest “virtual currency heist” on record, according to a Treasury Department press release. Of the $620 million taken in the attack, $455 million was filtered through Tornado Cash, giving cause for a shutdown, with the Treasury designating the platform a “significant threat to national security.”

But one successful hit doesn’t cover the whole story. 

Why Was Tornado Cash Sanctioned?

Tornado Cash’s mixing pools obfuscate the origin of funds, making transactions difficult to track, including for the purposes of tax collection and law enforcement. After corrective action warnings were issued, the U.S. Treasury declared Tornado Cash a threat to national security in an August 8 press release.

As it turns out, nearly 75 percent of all laundered funds across the Ethereum network were processed through Tornado Cash, according to a mid-year report by blockchain security firm SlowMist.

Currently, an estimated $437 million worth of assets, made up of stablecoins, ether and wrapped Bitcoin, are vaulted behind locked smart contract addresses, Cointelegraph reports. Regulation responsibilities have been deferred to issuers, now uncomfortably positioned as middlemen expected to block their users from moving or withdrawing their own assets, in compliance with sanction orders.

Penalties include monetary fines ranging from thousands of dollars to several millions and up to 30 years imprisonment.

In the wake of the ruling, six crypto users filed a lawsuit against OFAC, alleging that prohibiting all American persons from interacting with Tornado Cash was an overreach. Funded by Coinbase, the lawsuit, according to CoinDesk, claims that the governing arm violated the Administrative Procedure Act, First Amendment rights to “engage in important, socially valuable speech” and Fifth Amendment rights, which protect against self-incrimination. Per the lawsuit, no notice was issued prior to their assets being frozen.

Shortly after the formal accusations, the Treasury updated its FAQs to reiterate that “interacting with open-source code itself” is not illegal, as long as it does not include a prohibited transaction.

Whether it was the correct dose of justice or a breach of constitutional rights — with many citing legitimate use cases, like anonymous donations to human rights causes — the sanctions have left the crypto community wondering, what’s next?


What Is Tornado Cash?

Built on the Ethereum network, Tornado Cash is a virtual currency mixer that facilitates private, anonymous transactions in an otherwise fully transparent, public-facing interface. Swirling together clusters of pending trades, the decentralized privacy tool’s unique service creates flurries of transactions (cash tornados, if you will), obscuring on-chain addresses to ensure maximum security.

A transaction’s origin, destination and counterparties are kept confidential, without any way to “untangle” the blended streams of money on the move. 

Co-founded by Roman Semenov and Roman Storm, Tornado Cash is a spin-off of the duo’s previous project PepperSec, a white-hat hacker security consultant agency. Given the fully transparent nature of blockchains, the non-custodial crypto mixer was created to solve a number of privacy and anonymity issues plaguing the crypto space, particularly the traceability of transactions.

In relation to sanctions, it’s important to understand that Tornado Cash is not an isolated decentralized app, or dApp. It’s a coin mixing tool that can be accessed by any dApp on the Ethereum network. Because the code is peer-produced and open source, anyone is allowed to download, modify and redistribute the software.

Its infinite reach complicates legal intervention. It’s not as simple as shutting down one platform. 

 

How Does Tornado Cash Work?

While Tornado Cash is actually a collection of smart contracts with an open-source library that spans various crypto-centric services, the name has become synonymous with a core subset of its protocols: Tornado Cash pools.

These pools are the “cash tornados” made possible by a cryptographic method known as zero-knowledge proofs. These privacy-preserving, mathematical codes validate transactions while severing ties to both parties at the end of a trade.

The protocol accepts token deposits from one address while permitting withdrawals from another. This allows the ledger to still log a user’s activity without trailing back to their entire financial history. 

A user’s anonymity is preserved by a private key in the form of a hash, provided at the time of deposit. When ready for withdrawal, the protocol prompts the token holder to input their private key’s hash in order to prove token ownership, and the withdrawal is recorded on the ledger under a brand-new address. While all transactions are tracked, traceability is not possible.

Tornado Cash acts as a secret bank vault, meaning all of its pools share the same operational principle: Users can only access the specific tokens they originally deposited. At no point do users lose ownership of their digital assets. 
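The deposit and withdrawal flow described above can be sketched as a toy model. This is an added example, not Tornado Cash's contract code: SHA-256 and a direct check on the note stand in for the protocol's own hash function and zero-knowledge proof, and the names ToyPool, note, nullifier and the addresses are constructed for illustration.

```python
import hashlib
import secrets

def h(*parts):
    """Hash helper; SHA-256 is an assumption standing in for the real hash."""
    return hashlib.sha256(b"".join(parts)).hexdigest()

class ToyPool:
    """Toy model of a single mixing pool and its public ledger."""
    def __init__(self):
        self.commitments = set()  # hashes published at deposit time
        self.spent = set()        # hashes published at withdrawal time
        self.ledger = []          # everything a chain observer can read

    def deposit(self, sender):
        nullifier, secret = secrets.token_bytes(31), secrets.token_bytes(31)
        commitment = h(nullifier, secret)
        self.commitments.add(commitment)
        self.ledger.append(("deposit", sender, commitment))
        return nullifier, secret  # the private note, kept off-chain by the user

    def withdraw(self, note, recipient):
        nullifier, secret = note
        # Stand-in for the zero-knowledge proof: here the pool sees the note
        # and checks it directly. In the real protocol the proof shows that a
        # matching deposit exists without revealing which one it is.
        if h(nullifier, secret) not in self.commitments:
            return False          # no such deposit
        tag = h(nullifier)
        if tag in self.spent:
            return False          # this note was already withdrawn
        self.spent.add(tag)
        self.ledger.append(("withdraw", recipient, tag))
        return True

def linkable_pairs(ledger):
    """Observer heuristic: pair withdrawals with deposits via published hashes."""
    deposits = {value: who for kind, who, value in ledger if kind == "deposit"}
    return [(deposits[value], who) for kind, who, value in ledger
            if kind == "withdraw" and value in deposits]

def demo():
    pool = ToyPool()
    notes = {a: pool.deposit(a) for a in ("addr_A", "addr_B", "addr_C")}
    first = pool.withdraw(notes["addr_B"], "fresh_addr_1")
    replay = pool.withdraw(notes["addr_B"], "fresh_addr_2")
    forged = pool.withdraw((b"x" * 31, b"y" * 31), "fresh_addr_3")
    return first, replay, forged, linkable_pairs(pool.ledger), len(pool.ledger)
```

Every deposit and withdrawal appears on the ledger, but the hash published at withdrawal differs from the one published at deposit, so matching on published values links nothing.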


Tornado Cash Has Legitimate Use Cases

Tornado Cash’s main attraction — its mixing feature — lures an array of crypto users. 

Advocates say legitimate use cases include donating to politically exposed causes, such as the war in Ukraine or Planned Parenthood. For some, cryptocurrency has also become a preferred method of payment for medical procedures, and mixers allow them to avoid linking sensitive information to an immutable transaction history.

The impetus for some who favor digital commerce by default and are averse to traditional methods goes back to the genesis of cryptocurrency — not having their information sold by banks to third parties. Mixers, which are valued based on a high volume of users, provide an added layer of security enjoyed especially by those with deep pockets who may be targeted by cyber criminals in a largely unregulated space.

Unfortunately, the privacy tool’s mechanism can just as easily be exploited for illicit use: washing dirty money.

Hackers have been known to exploit these trail-erasing services to conduct theft, heists, ransomware schemes, fraud and other cybercrimes, such as evading sanctions.


Debating the U.S. Sanctions on Tornado Cash: Was It a Fair Call?

At the very least, sanctioning an open-source software code caught the crypto community off guard. In fact, Tornado Cash co-founder Semenov told Bloomberg that enforcing sanctions on decentralized protocols would be “technically impossible.” As a decentralized, autonomous protocol run by pre-written smart contracts on a platform with no back end, nobody is really at the helm.

“There is not much we can do in terms of helping investigations,” Semenov told CoinDesk, noting the only entity with any say is the Tornado Governance DAO, or decentralized autonomous organization, now banned from platform interaction. Even then, “the team doesn’t have much control over the protocol,” he said.

Tornado Cash’s presumed invincibility shattered the minute the Treasury made the protocol’s “technically impossible” sanctioning possible.

 

To Freeze or Not to Freeze?

Since the sanctions, USD stablecoin issuer Circle froze over 75,000 USDC worth of secondary-market funds connected to 44 Tornado Cash accounts. Tether, by contrast, took a stand not to freeze digital assets linked to the crypto mixer until authorities issue direct orders, according to a statement released on its website.

“Repercussions could be catastrophic,” said Dion Guillaume, global head of communications representing first-generation crypto exchange and trading platform Gate.io.

Although Guillaume can see why U.S. authorities went after Tornado Cash, he said the entire ordeal was badly planned out.

“Regulators bit off more than they could chew,” said Guillaume. “They had reasons like ‘money laundering’ and ‘terrorism funding’ for going after Tornado Cash, but the way they went about it shows their lack of knowledge about the sanctions.”

Authorities seem to be under the impression that they can come after decentralized finance, or DeFi, by targeting a few key protocols without carefully considering what it could do to the entire interlinked ecosystem, he said.

Taking open-source protocols like Curve, Maker or Aave for example, which are heavily integrated into other dApps, Guillaume noted a potential domino effect. In the event these codes became a target of sanctioning, it would wreck all DeFi apps built using these platforms, setting off a chain reaction of volatility for their associated coins.

“We definitely need lawmakers to get more educated about the space they are attempting to regulate,” said Guillaume.

Looking back, THORWallet DEX founder Harmann said that the current sanctions are reminiscent of an early nineties criminal investigation that targeted computer scientist and cypherpunk icon Phil Zimmermann over the development of his end-to-end encryption software Pretty Good Privacy, primarily used to increase email security. After three years, the case was dropped without filing charges and even led to federal court precedent, declaring encryption was protected under the First Amendment.

“It is clear that authorities are still trying to discern where liability lies when it comes to decentralization, particularly as it relates to distributed groups and the software products they create,” Harmann said. “Criminals have leveraged technological developments throughout history for illicit activity and to ban the technology would be more detrimental than constructive.”

“Policing protocols in this way could hamper technological breakthroughs and economic prosperity by extension,” he added.

 

Changing the Regulatory Landscape

Having spent 20 years as a developer and software engineer before founding Modulus, a manufacturer of high-performance software and hardware systems, Richard Gardner offers his perspective — it had to be done.

“The call to sanction Tornado Cash is justified. This was the right call,” he said. “A mixer, operating as Tornado Cash does, can’t be allowed to operate, as it would allow for a bypass of international sanctions. It can directly be used to facilitate hacks perpetrated by enemy nation states.”

Gardner’s forecast for U.S. digital assets regulation mimics what he sees abroad. 

Although the European Union moved forward with a landmark provisional standard, Markets in Crypto Assets, which establishes the first regulatory framework for the crypto market, there has been a muddled response from the United States and the United Kingdom, among others, he noted.

“I suspect that, after the election, the new Congress will take up the issue and really decide how they are, legally speaking, going to treat cryptocurrencies and stablecoins, as well as the exchanges and custodians that deal with them,” Gardner said.

Mark Fidelman, founder of decentralized finance marketing firm SmartBlocks and host of the Cryptonized! podcast, disagreed with the Treasury’s ban.

“Sanctions weren’t fair because Tornado Cash and its users weren’t warned of any violation,” he said, as seen with Pertsev’s arrest without bail and claims from three defendants involved in Coinbase’s pending lawsuit. “Because of this process, crypto companies are not going to want to build their business here. As a result, we’re going to lose out to crypto-friendly nations.”

Regardless of sides, critics and supporters can agree that one outcome from the mixer mixup is definite.

“It’s clear we need a set of rules that are fair and easy to understand,” Fidelman added.

This content is for informational and educational purposes only. Built In strives to maintain accuracy in all its editorial coverage, but it is not intended to be a substitute for financial or legal advice.
