The recent indictment of Tornado Cash developers brings the tension between crypto privacy and national security into sharp focus. What are the implications for the crypto world?
One of the main issues affecting innovation is the potential for abuse by bad actors. Because of its pseudonymous nature, low cost, and ability to move vast sums, crypto has had its fair share of cases of misuse. Looking at the recent fiasco of Tornado Cash founders and the regulators, one could think that criminals are tipping the scales in the regulator’s favor.
A recent report by blockchain research firm Chainalysis found that as much as $23.8 billion was laundered using cryptocurrency in 2022. The report estimated that cybercriminals have laundered over $67 billion using crypto since 2015.
That amount excluded funds from so-called “offline crimes” such as drug trafficking and illegal gambling and only comprised money from hacks and ransomware attacks. It means that the actual figures could be exponentially higher.
Law enforcement agencies increase their efforts to bring these bad actors to book. However, it may impact developers and entrepreneurs struggling to navigate the increasingly complex regulatory landscape while still adhering to the core values of decentralization and peer-to-peer innovation.
Tornado Cash sanctions
Tornado Cash (TORN) is a cryptocurrency mixing service that enables anonymous crypto transactions. It provides privacy to users by making it difficult to tie a particular crypto wallet’s transactions with the wallet’s owner.
However, the downside to such anonymity is its potential to be used for malicious activities. It is nearly impossible to trace criminal financing and unlawful actions within the system.
Tornado Cash’s woes began in August 2022, after the Office of Foreign Assets Control (OFAC) placed it and its developers on the Specially Designated Nationals (SDN) sanction list due to the alleged facilitation of anonymous transactions.
OFAC explained its decision by highlighting the anonymous nature of transactions facilitated by Tornado Cash, with no attempts made to determine their origin, posing a potential threat to U.S. national security.
The ambiguity of sanctions
OFAC’s sanctioning of Tornado Cash caused consternation among the crypto community, with many, including the Electronic Frontier Foundation (EFF), concerned about how the decision impacted the free speech protections for software code and the potential repercussions concerning government attempts to curtail illegal activities using said code.
For years, courts in the United States have recognized that software code is speech. The precedent was set over a quarter century ago in Bernstein v. U.S. Department of State and has been a critical component of advocacy for the crypto community.
The action by OFAC created ambiguity about what exactly is sanctioned in the context of Tornado Cash. EFF actively sought clarity from OFAC on its interpretation and the scope of what it meant by “Tornado Cash.”
Technically, the Tornado Cash name does not refer to a legal body but to a collection of open-source software libraries created over time by various contributors. In its indictment, OFAC referred to the crypto mixer variously as “Tornado Cash,” “Tornado Classic,” and “Tornado Nova.”
For that reason, the EFF claimed that the moniker “Tornado Cash” could refer to various items, thus generating doubt about what was officially sanctioned.
According to the advocacy group, “Tornado Cash,” “Classic,” and “Nova” were software variants available as source code on GitHub as well as functioning on the blockchain.
This distinction was particularly pertinent given that GitHub, following the SDN listing, removed the Tornado Cash source code and suspended the accounts of its primary developers.
This action by GitHub, while within its rights, raised concerns about the potential chilling effect of government actions on the publication of code. Creators of privacy-preserving technology became worried that if bad actors utilized tools developed using their code, the U.S. government would not only shut it down but also punish contributors who, in general, have little influence in how their open source contributions are used.
Speaking to The Messenger in August 2022, Omid Malekan, an adjunct professor at Columbia Business School, said that adding the Tornado Cash protocol to the sanction list would have greater implications for the world beyond crypto than for crypto itself.
Community backlash
In August 2023, the U.S. Department of Justice (DoJ) and Treasury’s Office of Foreign Assets Control (OFAC) indicted and sanctioned the platform and its founders, Roman Semenov and Roman Storm, for allegedly facilitating the laundering of over $1 billion in illicit proceeds.
Tornado Cash allegedly enabled the obfuscation of transaction trails between varying cryptocurrency addresses, making them untraceable. This lack of transparency reportedly violated basic know-your-customer (KYC) protocols designed to combat money laundering.
Semenov and Storm were also implicated in laundering funds for the Lazarus Group—a cybercrime syndicate with ties to North Korea—amounting to hundreds of millions of dollars.
The indictment again has sparked debate within the crypto community, with crypto advocacy group Coin Center and U.S. law firm Cravath Lawyers cautioning about the implications for software developers and the enforceability of regulatory compliance.
Others, like crypto YouTuber Alexa, who goes by Crypto Tea on X, claimed that “KYC laws and permissionless money cannot coexist.”
Generally, the reaction was similar across the length and breadth of crypto X, with most commentators arguing that developers shouldn’t be arrested for writing code.
Roman Storm’s lawyer, Brian Klein, echoed those sentiments in a written statement, where he said,
“We are incredibly disappointed that the prosecutors chose to charge Mr. Storm because he helped develop software, and they did so based on a novel legal theory with dangerous implications for all software developers.”
However, according to the FBI, the indictment of Storm and Semenov was a stark reminder to criminal organizations that they could not hide from law enforcement authorities regardless of the technology they used.
The agency also stated that it would work to bring to book anyone facilitating money laundering, especially for cybercriminals and sanctioned states like North Korea.
Challenges posed by FinCEN guidance
The regulatory landscape in the U.S. has proven challenging for the burgeoning world of blockchain and cryptocurrency technology.
The Financial Crimes Enforcement Network (FinCEN) is a U.S. government agency focused on stopping financial crimes like money laundering. Under the Federal Bank Secrecy Act (BSA), they make rules for anyone who moves money around, whether it’s regular cash or digital currency.
The regulator requires all money transmitters to register and comply with numerous compliance obligations, including regular reporting. This covers user/customer identification and transaction data.
The guidance from FinCEN concerning the treatment of cryptocurrencies has evolved over time. In 2013, the agency stated that the rules for moving regular money also apply to digital currencies.
This was reaffirmed in 2019, with FinCEN asserting that any entity that acts as a middleman, accepting virtual currency payments from one user and relaying them to another, likely qualifies as a money transmitter.
This guidance apparently led to designating Tornado Cash as a money transmitter and demanding that it implement basic KYC protocols.
According to Treasury Undersecretary for Terrorism and Financial Intelligence Brian Nelson, the crypto mixer did not put in place effective controls to stop money laundering, even after it gave public assurances that it had.
Semenov and Storm aren’t the first crypto developers to face FinCEN’s stringent regulations. In November 2019, Ethereum developer Virgil Griffith was arrested following allegations he’d helped North Koreans evade international economic sanctions using crypto.
He pleaded guilty to the charge and is now serving a 5-year prison term. When handing down its sentence, the court described Griffith as having a “desire to educate people on how to evade sanctions.”
“The fact of the matter is Virgil Griffith…hoped to come home as a crypto hero, to be admired and praised for standing up to government sanctions,” the court said.
The judge also cited the ongoing conflict in Ukraine and the subsequent sanctions against Russia to support his severe sentence against Griffith. In the judge’s opinion, Griffith and others like him needed a harsh sentence to prevent them from breaking U.S. sanctions rules in the future.
The action by OFAC created ambiguity about what exactly is sanctioned in the context of Tornado Cash. EFF actively sought clarity from OFAC on its interpretation and the scope of what it meant by “Tornado Cash.”
Technically, the Tornado Cash name does not refer to a legal body but to a collection of open-source software libraries created over time by a varied range of contributors. In its indictment, OFAC referred to the crypto mixer variously as “Tornado Cash,” “Tornado Classic,” and “Tornado Nova.”
For that reason, the EFF claimed that the moniker “Tornado Cash” could refer to various items, thus generating doubt about what was officially sanctioned.
According to the advocacy group, Tornado “Cash,” “Classic,” and “Nova” were software variants available as source code on GitHub as well as functioning on the blockchain.
This distinction was particularly pertinent given that GitHub, following the SDN listing, removed the Tornado Cash source code and suspended the accounts of its primary developers.
This action by GitHub, while within its rights, raised concerns about the potential chilling effect of government actions on the publication of code. Creators of privacy-preserving technology became worried that if bad actors utilized tools developed using their code, the U.S. government would not only shut it down but also punish contributors who, in general, have little influence in how their open source contributions are used.
Speaking to The Messenger in August 2022, Omid Malekan, an adjunct professor at Columbia Business School, said that adding the Tornado Cash protocol to the sanction list would actually have greater implications for the world beyond crypto than for crypto itself.
Does FinCEN guidance apply to Tornado Cash?
Roman Storm and Roman Semenov are facing indictment charges, including conspiracy to operate an unlicensed money-transmitting business. However, according to Coin Centre, the evidence presented against them by OFAC does not appear to prove violations of the pertinent laws conclusively.
In an Aug. 23 blog post, Peter Van Valkenburgh, research director at Coin Center, argued that the focal point of OFAC’s case lies in distinguishing between money transmission versus software development or communication services, which is critical to people’s rights to create and publish software in the U.S.
According to Valkenburgh, OFAC’s indictment alleges that Semenov and Storm transferred funds on behalf of the public without registration with FinCEN, but it doesn’t present substantial facts to prove they engaged in activities that fall under the legal definition of money transmission.
He further added that FinCEN’s guidelines define “money transmission services,” and they clearly state that providers of anonymizing software are not money transmitters. Therefore, in Valkenburgh’s opinion, Semenov and Storm’s activities, as described in the indictment, seem to align with the FinCEN exemption, suggesting they are not money transmitters.
To summarize, the defendants engaged in activities such as paying for web hosting services and software repositories and had some control over Tornado Cash smart contracts.
None of these activities fit the definition of money transmission, which implies the acceptance and transmission of funds from one person to another. They merely provided the means for individual users to transmit their own money.
Although the defendants had control over smart contracts, the indictment does not clarify the extent of this control and, therefore, does not convincingly allege unlicensed money transmission.
According to Coin Center, Storm and Semenov’s only control was related to Tornado Cash’s privacy features; they could not access, move, or direct user funds. This, along with their advertising, profiting from governance tokens, and designing aspects of the tool, does not, in Coin Center’s opinion, equate to the “acceptance and transmission” of money as defined by the FinCEN guidelines.
Similarly, other observers feel that the throwing out of a class action lawsuit against Uniswap by a New York court on Aug. 30 may offer a glimmer of hope to the Tornado Cash defendants. In its dismissal of the lawsuit, the court determined that Uniswap, as a protocol, could not be held liable for the losses of its users or any damage caused by third parties.
Unpacking the consequences
Crypto has scored a few victories against regulators recently, including the decision by three judges to overturn the SEC’s blocking of Grayscale’s spot Bitcoin ETF rollout.
However, regarding the Tornado Cash issue, the industry lost an important battle when U.S. District Judge Robert Pitman found that Tornado Cash was an entity capable of being sanctioned.
The judge also agreed with OFAC, the defendants in that case, that Tornado Cash’s smart contracts are property and that the platform has a beneficial interest in them since it allows it to control and use crypto.
While it is unknown how Semenov and Storm’s cases will eventually pan out, it has brought attention to the complex difficulties that exist between software development and regulatory compliance.
Many in the crypto community feel that the case should prompt inquiries regarding the definition of money transmission and the accountability of developers for the possible misuse of their creations.
Others also believe the discussion should encompass the protection of free speech for software code and its broader implications for contributions to open-source projects.
