In its pursuit of money laundering by North Korean hacker groups, the US has pressed legal charges against people, organizations, even the North Korean government itself. It has frozen bank accounts, imposed widespread sanctions, and followed suspected money launderers deep into the deep web.
But the investigation of Lazarus Group, which is accused of laundering millions in stolen cryptocurrency, took an unprecedented turn earlier this month when the US sanctioned a piece of blockchain-based software.
The move stunned the crypto world, which relies on the same software for legitimate money transfers. Many experts now wonder if it signals a more aggressive posture by the US toward regulating decentralized apps. And the case has also posed some mind-bending questions about how exactly one regulates a piece of code that nobody controls.
The software in question is Tornado Cash, a cryptocurrency “mixer” that allows users on the ethereum blockchain to disguise the origin and recipients of their transactions. Mixers are used by crypto holders to maintain the privacy of their accounts on hyper-transparent blockchains such as ethereum. The problem, according to the US Treasury department, is that mixers are also a common tool for money launderers.
Tornado Cash has processed more than $7 billion worth of ethereum for about 60,000 users since it was created in December 2019. US authorities say those users include Lazarus Group, which has been a frequent target of US sanctions. Most recently, the US alleges, Lazarus used Tornado Cash to launder some of the $620 million in stolen crypto from the popular crypto game Axie Infinity.
The stolen coins were allegedly laundered using multiple mixers, but the other one sanctioned was created and owned by a private company. Tornado Cash is unique among the sanctioned mixers for being open-source software (anyone can copy it) that’s decentralized by design (no one owns it) and exists on a globally distributed ledger (it can’t be destroyed). How do you sanction that?
The Treasury department’s Office of Foreign Assets Control (OFAC) doles out financial sanctions against individuals and companies it deems to pose security risks, such as terrorists and drug traffickers. In April, OFAC added three of Lazarus’ known ethereum addresses to its sanctions list before adding Blender, a privately owned mixer, in May and Tornado Cash on Aug. 8.
Placement on this Specially Designated Nationals and Blocked Persons List, better known as the SDN list, effectively blacklists a person or business from all economic activity in the US. Violating sanctions by doing business with those on the SDN list is a serious offense that could carry hefty fines or prison time.
But it’s one thing to avoid a person or company on the SDN list. It’s another thing altogether to avoid Tornado Cash because lots of crypto has come through its protocol at one time or another. The Washington Post reported on Aug. 24 that the prominent stablecoin operator Tether, which has come under regulatory scrutiny in the past, has not yet blacklisted accounts associated with the Tornado Cash sanctions.
The Treasury department, in its press release, refers to Tornado Cash like it’s a company, which it’s not. But as the Electronic Frontier Foundation, a digital rights advocacy group, wrote in a blog post, Tornado Cash could mean any number of things: It is several different versions of software, published code on GitHub, a website, and a decentralized autonomous organization (DAO), a kind of crypto collective that votes on changes and maintenance for the project. The Treasury department did not respond to multiple requests to clarify who or what exactly has been sanctioned.
On Aug. 10, one of Tornado Cash’s developers was arrested in the Netherlands for “concealing criminal financial flows and facilitating money laundering,” but it’s not clear if the arrest is directly linked to the US sanctions announcement just two days earlier.
The vagueness of the sanctions announcement is uncharacteristic for OFAC, said Ari Redbord, a former Treasury department senior adviser and now the legal and government affairs lead at the blockchain analytics firm TRM Labs. “This designation is exceptional,” he said, because OFAC has previously been “very, very targeted—almost scalpel-like” in going after specific bad actors in the crypto economy.
The confusion here casts uncertainty on any cryptocurrency that has been sent through Tornado Cash, or even funds that have at one point passed through the Tornado Cash protocol, said Peter Van Valkenburgh, director of research at the Coin Center, a crypto-focused nonprofit and advocacy group.
“The metaphor I like is: It’s one thing if you’re sanctioning an Iranian author and that means Americans aren’t allowed to purchase a contract from him to buy the rights to his next novel. That’s a perfectly legitimate use of sanctions, he said “What’s going on here is…the book is already written and it’s already in the home libraries of thousands—if not tens of thousands of Americans, so the sanctions are kind of like saying you can’t read that book anymore.”
According to research from the crypto analytics firm Chainalysis, about 23% of crypto that has transacted through mixers in 2022 is illicit, up from 12% in 2021. But of the approximately $4.5 billion sent through mixers so far in 2022, most of those funds are ostensibly legitimate. Now it’s unclear if all of that money is sanctioned, as far as the US government is concerned.
Coin Center claims that OFAC has “overstepped its legal authority,” and may sue on behalf of parties who have had their due process and free speech rights potentially violated by these sanctions. Coin Center, EFF, and other groups have expressed concern that because computer code is recognized speech, there may also be First Amendment implications of the sanctions order.
If sanctioning Tornado Cash was, in fact, deliberate and not a confused oversight, then it might mean that the Treasury department is signaling that decentralized software and entities will not be excused from its sanctions efforts, said Carlton Greene, a former assistant director for transnational threats at OFAC who is now a partner at the law firm Crowell & Moring.
“Contrary to how some view decentralized finance, the mere fact that you create a smart contract and you’re not standing there day-to-day manually processing all the transactions doesn’t meant that OFAC is going to excuse you from compliance, if what you’ve created is being used by sanctioned parties to launder funds and engage in bad activity,” Greene said.