Tornado Cash Sanctions Are a Warning Shot for Crypto — Quartz
In its pursuit of money laundering by North Korean hacker groups, the United States has leveled legal charges against people, organizations, even the North Korean government itself. It has frozen bank accounts, imposed extensive sanctions and followed suspected money launderers far into the deep web.
But the investigation into the Lazarus Group, which is accused of laundering millions in stolen cryptocurrency, took an unprecedented turn earlier this month when the United States sanctioned a piece of blockchain-based software.
The move stunned the crypto world, which relies on the same software for legitimate money transfers. Many experts are now wondering if it signals a more aggressive stance by the US in regulating decentralized apps. And the case has also raised some thought-provoking questions about exactly how to regulate a piece of code that no one controls.
Tornado Cash’s ties to the Lazarus Group
The software in question is Tornado Cash, a cryptocurrency “mixer” that allows users on the ethereum blockchain to hide the origin and recipients of their transactions. Mixers are used by crypto holders to maintain the privacy of their accounts on hyper-transparent blockchains like ethereum. The problem, according to the US Treasury Department, is that mixers are also a common tool for launderers.
Tornado Cash has processed more than $7 billion in ethereum for around 60,000 users since it was created in December 2019. US authorities say those users include the Lazarus Group, which has been a frequent target of US sanctions. Most recently, the US claims, Lazarus used Tornado Cash to launder some of the $620 million in stolen crypto from the popular crypto game Axie Infinity.
The stolen coins were allegedly laundered with several others mixers but the other sanctioned was created and owned by a private company. Tornado Cash is unique among those sanctioned mixers to be open source software (anyone can copy it) that is decentralized by design (nobody owns it) and exists on a globally distributed ledger (it can’t be destroyed). How do you sanction it?
The Treasury Department’s Office of Foreign Assets Control (OFAC) hands out financial sanctions against individuals and companies it deems to pose security risks, such as terrorists and drug traffickers. In April, OFAC added three of Lazarus’ known ethereum addresses to its sanctions list before adding Blender, a privately held mixer, in May and Tornado Cash on August 8.
Placement on this list of Specially Designated Nationals and Blocked Persons, better known as the SDN list, effectively blacklists a person or business from all economic activity in the United States. Breaching sanctions by doing business with those on the SDN list is a serious offense that can result in large fines or prison terms.
But one thing is to avoid a person or company on the SDN list. It is quite another to avoid Tornado Cash because a lot of crypto has come through the protocol at one time or another. The Washington Post reported on August 24 that prominent stablecoin operator Tether, which has been under regulatory scrutiny of late, has yet to blacklist accounts linked to the Tornado Cash sanctions.
A vague set of sanctions
In its press release, the Treasury Department refers to Tornado Cash as if it were a corporation, which it is not. But as the Electronic Frontier Foundation, a digital rights advocacy group, wrote in a blog post, Tornado Cash could mean a number of things: There are several different versions of software, published code on GitHub, a website and a decentralized autonomous organization (DAO), a sort of crypto collective that votes on changes and maintenance for the project. The Treasury Department did not respond to multiple requests to clarify who or what has been sanctioned.
On August 10, one of Tornado Cash’s developers was arrested in the Netherlands for “concealing criminal financial flows and facilitating money laundering”, but it is not clear if the arrest is directly related to the announcement of US sanctions just two days earlier.
The vagueness of the sanctions announcement is uncharacteristic of OFAC, said Ari Redbord, a former senior adviser to the Treasury Department and now the head of legal and public affairs at blockchain analytics firm TRM Labs. “This designation is exceptional,” he said, because OFAC has previously been “very, very targeted — almost scalpel-like” in going after specific bad actors in the crypto-economy.
The confusion here creates uncertainty about any cryptocurrency that has been sent through Tornado Cash, or even funds that have at some point passed through the Tornado Cash protocol, said Peter Van Valkenburgh, director of research at the Coin Center, a crypto-focused nonprofit and advocacy group.
“The metaphor I like is: It’s one thing if you sanction an Iranian author, and that means Americans aren’t allowed to buy a contract from him to buy the rights to his next novel. That’s a perfectly legitimate use of sanctions, he said: “What’s happening here is … the book is already written and it’s already in the home libraries of thousands — if not tens of thousands of Americans, so the sanctions are kind of like saying you can’t read that book anymore.”
According to research by crypto analytics firm Chainalysis, about 23% of crypto transactions transacted through mixers in 2022 are illegal, up from 12% in 2021. But of the roughly $4.5 billion sent through mixers so far in 2022, most of these funds are apparently legitimate. Now it is unclear whether all this money has been sanctioned, for the US government.
What is the government signaling about crypto?
Coin Center claims that OFAC has “exceeded its legal authority,” and can sue on behalf of parties who have had their due process and free speech rights potentially violated by these sanctions. Coin Center, EFF and other groups have expressed concern that because computer code is recognized speech, there may also be First Amendment implications of the sanctions order.
If sanctioning Tornado Cash was indeed deliberate and not a confused oversight, it could mean the Treasury Department is signaling that decentralized software and devices will not be exempt from the sanctions effort, said Carlton Greene, a former assistant director for transnational threats at OFAC who is now a partner in law firm Crowell & Moring.
“Contrary to how some people view decentralized finance, the mere fact that you create a smart contract and don’t stand there day-to-day manually processing all the transactions doesn’t mean that OFAC is going to excuse you from complying with regulations, if what you’ve created becomes used by sanctioned parties to launder funds and engage in nefarious activity,” Greene said.