Crypto's sanctions storm

Why do people use Tornado Cash (or mixers)?

Mixers can have legitimate purposes, like data privacy. One of the arguments, in the name of privacy, is that this aligns virtual assets with cash - for example, think of a $50 note in your wallet, you don’t know all the prior owners of it and the whole world isn’t entitled to know that you have it by peering on a public ledger.  You can’t find out a year later whose wallet it now sits in. Tornado Cash seeks to make virtual assets similarly difficult to trace.

Why was Tornado Cash sanctioned?

However, according to OFAC and on-chain analytics providers, mixers like Tornado Cash are not only used for legitimate privacy-preserving purposes but are also used by criminals to launder criminal proceeds, fund terrorism or evade sanctions. 

Tornado Cash was sanctioned pursuant to Executive Order 13694, as amended, for having materially assisted, sponsored, or provided financial support for a cyber-enabled activity that poses a significant threat to US national security, foreign policy, or economic health or financial stability for commercial, competitive or financial gain.^[1] It is the second time OFAC has sanctioned a mixer, having sanctioned Blender.io in May 2022.

Specifically, according to OFAC, Tornado Cash has been used to launder:

• more than US$7 billion worth of virtual assets since its creation in 2019;
• over US$455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea state-sponsored hacking group that was sanctioned by OFAC in 2019; 
• more than $96 million of malicious cyber actors’ funds derived from the Harmony Bridge heist; and
• at least US$7.8 million from the 2022 Nomad heist.^[2]

In a press release, OFAC stated that: 

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.” 

This indicates that a lack of controls is what prompted OFAC’s action. However, Tornado Cash’s developers claim that they can’t control the mixer.  Indeed, according to developer Roman Semenov:

“There is not much we can do in terms of helping investigations because the team doesn't have much control over the protocol. The Tornado Cash team mostly does research and publishes the code to GitHub. All the deployments, protocol changes and important decisions are made by the community via Tornado Governance [Decentralised Autonomous Organisation (“DAO”)] and deployment ceremonies," when the code changes go live on the DAO.”^[3]

In short, the developers say they cannot control how virtual assets move and who uses code that is now effectively public.

To take a step back, control of virtual assets requires control over the relevant private key that enables a person to move those assets from one wallet to another (akin to a password to access an account and move money). In some cases, developers (or someone else) may have full or partial control over assets that use a certain system or function. Partial control might involve, for example, holding fragments or “shards” of keys - this is typically referred to as a “multi-signature” arrangement because it requires more than one person to come together to “sign” (authorise) the transaction and technically allow the virtual assets to move.

In the Tornado Cash example, a lack of control over assets was not always the case. 

In 2020, Tornado Cash’s developers held a “trusted setup ceremony” where 1,114 contributors destroyed the key codes that gave access to, and control of, the multi-signature wallet holding users' funds in order to make Tornado Cash “fully trustless, decentralised and unstoppable” (according to Semenov).^[4]  

Given that Semenov has publicly stated the developers cannot control Tornado Cash, it is unclear what “public assurances” regarding money laundering controls that could have been provided (per OFAC’s press release quoted above) or indeed effected in practice. 

However, what is clear is that a debate over the authenticity of Semenov’s claims that “decentralised” crypto services cannot be controlled is just beginning. There is a strong transnational policy shift toward questioning whether a crypto service can ever truly be “decentralised”. According to the Financial Action Task Force (“FATF”), the global anti-money laundering and counter-terrorist financing (“AML/CTF”) standard setter, “even in so-called decentralized arrangements, often there continues [sic] to be persons and centralised aspects that may be subject to AML/CFT obligations”.^[5] We reported in detail on FATF’s approach in our Building a Legal Architecture of the Metaverse Report^[6]. The Bank for International Settlements (“BIS”) also raised the problem of a “decentralisation illusion” and “algorithm incompleteness” in certain aspects of decentralised finance (or DeFi), necessitating human participation or intervention, in a December 2021 report. BIS also suggested a potential structure for better addressing the operation of code.^[7]  

Clearly, regulators and policymakers are taking umbrage with the notion that nobody is accountable and that such tools can go unchecked and be used in furtherance of financial crimes.

What are the implications?

There are immediate implications of the OFAC designation, as well as underlying trends and issues that are important for market participants developing and engaging in the crypto sector to monitor. We summarise some of the key points as follows.

First and foremost, all transactions by US persons or within (or transiting) the US that involve any property or interests in property of designated or otherwise blocked persons are prohibited (unless authorised under a license). The making of any contribution or provision of funds, goods, or services by, to, or for the benefit of Tornado Cash is prohibited, as is the receipt of any contribution or provision of funds, goods, or services from Tornado Cash. That means US persons cannot transact using Tornado Cash. Reports suggest that this means around US$424 million in virtual assets are now blocked.

Circle Internet Financial Limited, the firm that manages the USD Coin (“USDC”), immediately blacklisted Tornado Cash wallet addresses and froze about $70,000 worth of its USDCs, in compliance with OFAC’s requirements. GitHub pulled Tornado Cash’s source code from its website.

Whilst Circle quickly moved to comply with the sanctions, Circle’s Chief Executive let it be known that in his view, OFAC had crossed a line, stating:

“the regulatory intervention in this case crossed a major threshold in the history of the internet, and the history of open blockchain finance, with a major government obliging parties to outright block or limit the functioning of open software on the internet.  It raises extraordinary questions about privacy and security on the internet, and the future of public internet digital currency…”^[8]

The reason for these comments is that it is unclear whether any legal person has been targeted (due to the claims of decentralisation), only the mixer, which is computer code, and several related wallet addresses.^[9] Unlike Blender.io, which is a group of persons providing mixing services, Tornado Cash is an open-source software application that runs as a smart contract on the Ethereum blockchain.^[10]

If Tornado Cash does not exist as a legal entity, then OFAC’s actions arguably amount to sanctioning US persons’ use of open-source code, which has been criticised by some as a restriction on the freedom of speech protected by the First Amendment of the US Constitution. US case law has long provided that code may amount to constitutionally protected speech. This may appear at odds with the conceptualisation of protected speech in other markets and is therefore somewhat unique to the US market.  

As the judge in one of the first cases to establish this principle put it:

“This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French. All participate in a complex system of understood meanings within specific communities...For the purposes of First Amendment analysis, this court finds that source code is speech.”^[11]

This decision was later upheld by the 9^th Circuit Court of Appeal:

“To the extent the government's efforts are aimed at interdicting the flow of scientific ideas (whether expressed in source code or otherwise), as distinguished from encryption products, these efforts would appear to strike deep into the heartland of the First Amendment.”^[12]

This position has not been formally applied in relation to virtual asset mixers, so it remains to be seen whether it would apply to Tornado Cash and its developers. However, we expect this to be tested given the widespread impacts of the sanctions on the industry and the strong views expressed on the subject, so monitoring further case law is important. For example, Semenov has argued that this First Amendment protection should apply to the Tornado Cash code, stating in March 2022:

“All we do is write code and publish it on GitHub. This is pretty close to the definition of free speech so writing code cannot be illegal.”^[13]

One counterargument is that OFAC is not prohibiting the publication or expression of the Tornado Cash code (which would be challenging to enforce as - the code has been widely distributed and is easily copied and pasted). Instead, OFAC is prohibiting the actions of US persons in making transactions using that code. However, given that GitHub removed the code from its open-source library, we expect legal arguments may be advanced in any future litigation that OFAC’s designation is having at least some impact on the exercise of speech, as that is understood in the US. 

OFAC might also argue that, unlike traditional forms of speech, Tornado Cash created a platform that was being used by criminals for criminal ends. A recent report by Chainalysis found that, in 2022, illicit addresses account for 23 percent of the funds sent to mixers.^[14] Rather than pursuing criminal suspects individually, many of whom are state-sponsored or outside US jurisdiction, sanctioning Tornado Cash was more efficient and achieved the intended purpose: making it more difficult to launder virtual assets that are the proceeds of a crime.

Others question why legitimate users would want to risk using the same platform as criminals, potentially contaminating their legally gained virtual assets with someone else’s illegally gained virtual assets.^[15] At the very least, OFAC’s designations of Blender.io and Tornado Cash appear to be intended to send a message to law-abiding individuals and entities that they should steer clear of virtual asset mixers that allow complete anonymity. Other mixing services that are developed anywhere in the world could also be at risk of being sanctioned if they become the go-to platform for cybercriminals and state-sponsored actors and fail to implement AML/CTF controls. 

For some, however, it is a step too far and is arguably out of step with the usual regulatory process.  For example, some argue that while numerous well known and reputable financial institutions have been fined for breaching AML/CTF laws and regulations, they tend not to become subject to blocking sanctions themselves despite criminals accessing their platforms and the institution failing to implement proper AML/CTF or sanctions controls.

To counter this, it could be argued that traditional financial institutions, licensed and regulated for AML/CTF compliance in various jurisdictions are compelled to comply with directives from authorities, and by their centralised nature, are able to effect remedial processes.  US regulators are in a difficult position with decentralised actors – whether by operation of law or by the difficulty of enforcement.  In particular, the statements by Tornado Cash’s founder that nobody is in control, and that it cannot be controlled, places US regulators in a difficult position.

On the other hand, if the mixer is truly decentralised, there may be no one with standing to petition for removal from OFAC’s SDN^[16] List or assert any violation of legal rights. US persons whose virtual assets are tied up in Tornado Cash might have standing to challenge the designation. Alternatively, they might seek a specific license from OFAC to permit them to withdraw their assets. It is also conceivable that OFAC could issue a general licence permitting US persons to wind down their involvement with Tornado Cash and withdraw any assets held in the application.

The debate in relation to Tornado Cash and OFAC’s approach to sanctions on virtual asset platforms is likely to continue over the coming months, so it will be important to watch for challenges in the US and further afield.   

In particular, monitoring this case and understanding some of the underlying debates and challenges is particularly relevant for our clients in the traditional finance and emerging technology sectors who are developing open source technologies, using decentralised solutions and implementing their own financial crime and market surveillance controls.

What do you need to do?

All entities in the virtual asset must carefully consider the controls they have in place and whether they are sufficient to prevent money laundering and terrorist financing. If mixers are to continue to exist lawfully and within regulatory expectations, controls must be implemented in some manner. If creating a decentralised model, developers should consider how this can be done by design and how the decentralised aspects of the arrangement can continue to support consistency with prevailing legal and regulatory requirements or at least not stand in its way (for example, by establishing appropriate in-built rules or reserving certain aspects to a more centralised function). According to OFAC, mixers should “in general be considered as high-risk by virtual currency firms, which should only process transactions if they have appropriate controls in place to prevent mixers from being used to launder illicit proceeds”.

Virtual asset service providers need to ensure they have controls in place, including:

• conducting know-your-customer due diligence;
• ensuring transfers of virtual assets are accompanied with originator and beneficiary details;
• conducting enhanced due diligence using a risk-based approach, including where mixers have been used;
• conducting ongoing monitoring, including transaction monitoring and on-chain analysis. That analysis will assist in identifying the use of mixers, but it will be important to have a proper policy and procedure to interpret the results;
• implementing suspicious activity reporting and procedures, including prompt freezes on transactions; and
• name screening for sanctions or politically exposed persons nexus. 

Headwinds and opportunities ahead

Some other key trends to keep an eye on include the following:

•  Miners and validators – imposing sanctions on wallets on a blockchain network has raised questions for participants that process and validate blockchain transactions. For example: 
  • are sanctions breached by appending a block to a blockchain which contains a transaction with sanctioned wallets?
  • does the responsibility or obligation change depending on the role of a network participant (ie whether the participant bundles transactions and proposes blocks, or confirms that blocks and transactions are valid and appends it to the blockchain)?
• Developer liability  – aiding and abetting (or similar offences) exist under multiple criminal laws around the world. Developers have been pursued in cases of hacking software (such as the US action against Taylor Huddleston) and virtual assets (such as the EtherDelta case). In our experience, these risks are underappreciated and are at particular risk of being prosecuted where prominent developers are known and software is specifically designed and marketed to evade laws with criminal sanctions. This has already been the case with the arrest of an individual alleged to be connected to Tornado Cash in the Netherlands.^[17]
• Institutional participation – we are seeing an uptick in financial institutions seeking to innovate including by either leveraging or participating in decentralised platforms. 

Broad regulatory considerations including licensing, consumer protections, systemic stability and financial crimes compliance are often front of mind. Models might be emerging to facilitate participation by regulated entities, including solutions such as permissioned pools with pre-vetted participants.

Please contact us if you have any questions. We would be delighted to discuss.

References

[1]  https://home.treasury.gov/system/files/126/E.O.%2013694%2C%20as%20amended%2C.pdf

[2]  https://home.treasury.gov/news/press-releases/jy0916

[3]  https://www.coindesk.com/tech/2022/01/25/tornado-cash-co-founder-says-the-mixer-protocol-is-unstoppable/

[4]  https://tornado-cash.medium.com/the-biggest-trusted-setup-ceremony-in-the-world-3c6ab9c8fffa

[5]  https://www.fatf-gafi.org/media/fatf/documents/recommendations/Targeted-Update-Implementation-FATF%20Standards-Virtual%20Assets-VASPs.pdf

[6]  https://www.kwm.com/hk/en/insights/latest-thinking/fatf-2021-virtual-assets-guidance.html

[7]  https://www.bis.org/publ/qtrpdf/r_qt2112b.pdf

[8]  https://twitter.com/jerallaire/status/1557004770723995650

[9]  It is understood an individual was arrested in Holland following the sanctions. Although the individual has not been named, the individual is said to be a developer of Tornado Cash.

[10]  It is understood an individual was arrested in Holland following the sanctions. Although the individual has not been named, the individual is said to be a developer of Tornado Cash.

[11]  Bernstein v U.S. Department of Justice, 922 F Supp. 1426 (N.D. Cal. 1996): https://law.justia.com/cases/federal/district-courts/FSupp/922/1426/1592613/

[12]  Bernstein v U.S. Department of Justice No. 97-6686: https://caselaw.findlaw.com/us-9th-circuit/1317290.html

[13]  https://www.bloomberg.com/news/articles/2022-03-10/crypto-obfuscator-tornado-says-sanctions-cant-affect-smart-contracts

[14]  https://blog.chainalysis.com/reports/crypto-mixer-criminal-volume-2022/

[15]  https://thehill.com/policy/3598957-crypto-community-split-on-treasurys-tornado-cash-sanctions/

[16]  Specially Designated and Blocked Persons List

[17]  https://www.coindesk.com/policy/2022/08/21/arrest-of-tornado-cash-developer-draws-dutch-crypto-community-protest/