On August 8, the U.S. Department of the Office of Foreign Assets Control (“OFAC”) sanctioned “notorious” virtual currency “mixer” Tornado Cash, which allegedly has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain. Tornado Cash receives a variety of transactions and mixes them together before transmitting them to their individual recipients. The stated purpose of such mixing is to increase privacy, but mixers are often used by illicit actors to launder funds because the process enhances anonymity and makes it very hard to track the flow of funds. According to the Treasury Department press release, “[d]espite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risk.” This statement seems to imply that Tornado Cash is run by actual people – an implication that is at the heart of the controversy over these sanctions, as we will discuss.
The sanctions against Tornado Cash have elicited enormous controversy in the crypto world because, some argue, (1) Tornado Cash is not an entity run by actual people, but is merely code; and (2) although OFAC has the legal authority to sanction people and entities, it lacks such authority to sanction code or a technology – or at the very least, such sanctions create many practical problems for innocent actors, including in ways which no one has foreseen fully. As we discuss, even a member of the U.S. House of Representatives has waded into the controversy this week, questioning the ability of OFAC to issue the sanctions and demanding answers. The controversy also reflects that, once again, whether one chooses to focus on the word “privacy” or on the word “anonymity” typically reflects an a priori value judgment predicting one’s conclusion as to whether something in the crypto world is good or bad.
Indisputably, the Tornado Cash sanctions are, to date, unique and unprecedented. Although they may turn out to be an outlier experiment by OFAC, public pronouncements by the U.S. Treasury Department strongly suggest that, to the contrary, they represent part of the future of crypto regulation, in which the enormous power of the U.S. government to issue broad sanctions obliterates legal and practical hurdles which could stymie other agencies, such as the Financial Crimes Enforcement Network (FinCEN). This may be because, ultimately, the government actually agrees that no person is in control of a powerful technology that has easy application for malicious uses, and that is precisely the problem.
The money allegedly laundered through Tornado Cash is connected with the over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (“DPRK”) state-sponsored hacking group that was sanctioned by the U.S. in 2019, “in the largest known virtual currency heist to date[,]” in addition to other “multi-million dollar heists.”
OFAC took action against Tornado Cash pursuant to Executive Order 13694, which seeks to limit the cyber threats to U.S. national security through economic sanctions via OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”). As a result of the OFAC sanctions, all property and interests in property of Tornado Cash that is in the United States or in the possession or control of U.S. persons is blocked and must be reported to OFAC. Further, any entities that are owned, directly, 50% or more by one or more blocked people are also blocked. All transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. OFAC also designated 38 Ethereum virtual currency wallet addresses and six USD Coin virtual currency wallet addresses.
Mixers: Perfect Tools for Money Laundering and Sanctions Evasion?
This is not the first time such mixers have made headlines – as we previously blogged, Roman Sterlingov was arrested in early 2021 for his alleged role as the founder and operator of mixer Bitcoin Fog. Further, on May 6, 2022, OFAC issued its first-ever sanctions on a virtual mixer, Blender.io (“Blender”). OFAC also sanctioned Blender pursuant to Executive Order 13694. As the press release accompanying the Tornado Cash sanctions warns, “mixers should in general be considered as high-risk by virtual currency firms, which should only process transactions if they have appropriate controls in place to prevent mixers from being used to launder illicit proceeds.”
However, even though Tornado Cash and Blender are both mixers sanctioned by OFAC under the same legal framework, the two mixers have an important difference. With regard to Blender, OFAC sanctioned an actual company or similar entity (i.e. a person or group of persons) providing Bitcoin mixing services. By contrast, with regard to Tornado Cash, OFAC designated the mixer itself (i.e. the addresses at which a user can find the software logic that, given the proper inputs, will execute and mix coins for users).
Perhaps not surprisingly, the Tornado Cash sanctions have drawn strong protests from segments of the crypto community – and also from at least one member of the U.S. Congress.
Coin Center, an entity focused on policy issues facing cryptocurrencies, has issued a whitepaper which declares: “By treating autonomous code as a ‘person’ OFAC exceeds its statutory authority.” According to Coin Center, there may be an entity called Tornado Cash that is under the control of a person or group of persons, but this is not where OFAC has directed its sanctions with regard to Tornado Cash. Coin Center stresses that Executive Order 13694 defines “persons” subject to listing by OFAC as “an individual or entity,” and defines “entity” as “a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.” Coin Center posits that the prior sanctions against Blender fit within this definition, because Blender ultimately was an entity under the control of natural persons. In contrast, Tornado Cash is not.
In Coin Center’s analysis, it notes that FinCEN has distinguished in its 2019 Guidance between someone “who provides anonymizing services by accepting value from a customer and transmitting the same or another type of value to the recipient, in a way designed to mask the identity of the transmitter,” and therefore is a money transmitter covered by the BSA, and an anonymizing software provider, who is not a money transmitter covered by the BSA “because suppliers of tools (communications, hardware, or software) that may be utilized in money transmission, like anonymizing software, are engaged in trade and not money transmission.” Coin Center further stresses that FinCEN also has acknowledged the distinction between “service providers who employ anonymizing software to serve customers and who are thus subject to BSA obligations [as money transmitters], and (on the other hand) individual persons who employ anonymizing software on their own behalf.” FinCEN refers to the latter category of persons as “users” not subject to the BSA. While acknowledging that OFAC is not bound by FinCEN’s interpretation, Coin Center argues that this distinction is important because it is improper to issue sanctions against a software rather than against a natural person. Of course, OFAC routinely sanctions persons and entities regardless of whether they are covered by the BSA.
Coin Center argues that a key distinction here is that a natural person can file a petition with OFAC for removal from the SDN list, whereas a software cannot. Typically, if an entity under the control of individuals is added to the SDN list, those individuals can argue to OFAC that the entity should be removed from the list. If this process is unsuccessful, the entity can challenge the designation in court. In the case of Tornado Cash, there is (apparently) no natural person associated who can dispute its designation – or at least, no natural person who has volunteered to come forward, yet.
On August 23, U.S. Representative Tom Emmer (R., Minnesota) sent a letter to Janet Yellen, the Secretary of the Treasury Department, reiterating many of the arguments raised by Coin Center, and emphasizing that “the smart contracts that are Tornado Cash are not maintained, updated, or controlled by any human being(s); rather, the software itself is self-sufficient, as it is de-centralized and open-source and will operate as an anonymizing software powered by code as long as the Ethereum network continues to operate.” Representative Emmer’s letter requested OFAC to “provide clarity” on seven questions, most of which were grounded in the messy practical implications of the nuts-and-bolts application of the sanctions, mixed with certain apparently rhetorical questions. The questions include the following:
- [W]ho or what entity did OFAC believe was reasonably responsible for imposing controls on the Tornado Cash blockchain contracts?
- Are otherwise innocent U.S. persons who receive unsolicited funds from SDN-listed addresses in breach of law or regulation?
- To the extent valuable property is held at the sanctioned addresses, and to the extent a law-abiding person is the only person able to remove said valuable property from that address through the creation of an Ethereum transaction that they alone form and undertake, is that property accurately described as belonging to that law-abiding person, or does it, through some mechanism or legal fiction, belong to a person listed on the SDN list?
- How does OFAC intend to uphold the appeals process for the sanctioned addresses that have no ability to appeal the sanction to OFAC because the . . . blockchain addresses are smart contracts with no agency, corporate or personal, and as such cannot speak for themselves or those whose funds they hold?
Representative Emmer’s letter ends by declaring that “technology is neutral, and the expectation of privacy is normal.”
The Government Perspective?
Not surprisingly, OFAC has not responded to date to these criticisms and questions. However, it is reasonable to surmise that the government has at least two responses. First, the government may argue that decentralized finance, or “DeFi,” almost always turns out to be a phantom in the real world, because inevitably there is one or more actual human beings who are pulling the strings, and who can be targeted for enforcement. The Treasury Department press release for the sanctions warned that “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.” Indeed, just after the sanctions were announced, blockchain developer Alexey Pertsev was arrested by Dutch authorities in Amsterdam on August 10 on suspicion of involvement in the Tornado Cash code and alleged “involvement in concealing criminal financial flows and facilitating money laundering” through Tornado Cash.
Second, the government presumably has a more existential concern: if it is actually true that Tornado Cash or other mixers are simply neutral and mindless instruments – code created for use by others, with no one person actually directing anything – then that is inherently unacceptable, particularly because the code is specifically designed to enhance anonymity and open to anyone. Stated more bluntly, it’s not OK to build a device capable of causing great harm if used by bad actors for its specific purpose, unleash this device upon the world with no direction or supervision, and then complain that nothing can or should be done about the device because no one is currently in control – per the initial design – and some good actors also happen to be using the device. Presumably, in the eyes of OFAC and its sisters and brothers in the regulatory and law enforcement communities, it’s like leaving a live bomb in the street and then walking away. An admiration of technology, for its own sake, cannot justify allowing such a device to persist. Rather, it must be shut down, and not be allowed to function, because notions of absolute “privacy” in financial transactions are baseless and outweighed by the need to deter the financing of terrorism, child porn, narcotics trafficking, ransomware, identity theft, fraud, corruption and other illicit activity. Once the pressing threat has been removed, the resulting practical problems can be worked out later.