Tornado Watch: Popular Cryptocurrency Mixer “Tornado Cash” Dealt Two Major Blows in a Week

 
September 07, 2023

Key Takeaways

  • Tornado Cash, a cryptocurrency mixer, recently suffered two major setbacks in federal regulatory efforts to block its use and prosecute its founders.
  • First, a federal district court threw out a lawsuit challenging the designation by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) of Tornado Cash as a blocked foreign person.  The district court rejected arguments that Tornado Cash was nothing more than source code and held instead that it operated as an “association” in which foreign persons have an interest; therefore, it could be subject to OFAC sanctions.
  • Second, the U.S. Attorney’s Office for the Southern District of New York announced that it had indicted two of Tornado Cash’s founders, charging that they had knowingly facilitated money laundering on the platform.
  • Although Tornado Cash’s founders claim that they had no ownership or control over the platform, these developments suggest that regulators and courts will closely scrutinize such claims when third parties use such code to engage in criminal conduct.

Background

Tornado Cash is a cryptocurrency mixer that facilitates anonymous, digital transactions.  Although Tornado Cash may be used legitimately to protect financial privacy, cyber criminals have used the mixer to launder hundreds of millions of dollars.

Cryptocurrencies, such as Ether or Bitcoin, rely on blockchain technology that publicly records and secures transaction data.  A blockchain establishes and maintains a digital ledger of all transactions that is duplicated and distributed across a peer-to-peer network.  It is decentralized, meaning there is no need for a trusted third party—such as a bank or government—to execute and verify the transactions.  Instead, vast networks of computers do the necessary work redundantly, leveraging the public nature of the transactions to maintain accuracy and prevent fraud.

Transparency is a critical security feature of blockchain technology, but it comes at the cost of user privacy.  Anyone can view the balances and transaction history of every other user.  Importantly, cryptocurrency transactions are not themselves anonymous.  Individuals use “wallets” to create pseudonymous public key / private key pairs that do not directly provide identifying information, so they enjoy a measure of privacy.  However, their entire transaction history is in real-time public view, and experts can often determine user identity by studying the connections between multiple transactions.  

Tornado Cash mitigates those concerns.  As a virtual currency mixer, it allows users to deposit their crypto assets and pool them with the assets of other users.  Then, Tornado Cash uses a complicated algorithm known as a “zero-knowledge proof,” which hides transaction information and effectively severs the on-chain link between the source and destination wallets.1  In this way, a user can access his funds without exposing his entire transaction history to the world.

Arguably, nothing about Tornado Cash is inherently illegal, and there may be  plenty of legitimate reasons for token holders to seek financial privacy for their transactions.  But unsurprisingly, cyber criminals have an even stronger interest in financial privacy and thus in using Tornado Cash to launder the proceeds of criminal activities.  Most notably, the Lazarus Group, a North Korean state-sponsored cyberhacking organization, relied on Tornado Cash to launder $600 million worth of stolen cryptocurrency.2

Such actions caught the attention of federal authorities.  In August 2022, OFAC sanctioned Tornado Cash by adding it to the List of Specially Designated Nationals and Blocked Persons (“SDN List”), and it supplemented that designation in November 2022.3  Specifically, OFAC added to the SDN List dozens of smart contracts (effectively, lines of computer code that run on the blockchain’s network of computers) and the address for a wallet used to accept donations for supporting the Tornado Cash project.4  The designations mean that “all property and interests in property of the . . . entity” just described “must be blocked and reported to OFAC.”5  As a result, “U.S. persons cannot transact with Tornado Cash or deal in its property and interests in property, absent authorization from OFAC.”6

OFAC sanctioned Tornado Cash based upon authority delegated to Treasury by the President under the International Emergency Economic Powers Act (“IEEPA”) and the North Korea Sanctions and Policy Enhancement Act of 2016 (the “North Korea Act”).  IEEPA is a federal law that gives the President the authority, upon the declaration of a “national emergency,” to “block during the pendency of an investigation . . . any property in which any foreign country or a national thereof has any interest,” if that property is “subject to the jurisdiction of the United States.”7  The President commonly exercises this power by declaring a national emergency on a particular subject, identifying the types of foreign persons who should be sanctioned, and then delegating authority to the Secretary of the Treasury, who through OFAC investigates and identifies the particular persons and property to be blocked.  Similarly, the North Korea Act grants the Department power to “block and prohibit all transactions in property and interests in property of a person designated” for engaging in certain activities involving North Korea.8  Pursuant to IEEPA, President Obama issued Executive Order 13757 in January 2017, which granted the Treasury Secretary authority to block the property and interests in property of “any person” that the Secretary determines is “responsible for or complicit in” or has “engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located . . . outside the United States.” OFAC sanctioned Tornado Cash pursuant to this executive order.  Persons who have been added to the SDN List can seek removal through an administrative process set forth in OFAC regulations or by bringing litigation against the U.S. Government.10

Federal Court Upholds OFAC’s Designation of Tornado Cash

Shortly after OFAC’s August 2022 designation of Tornado Cash, a group of Tornado Cash users sued the Treasury Department and OFAC in the Western District of Texas, claiming that the defendants’ addition of Tornado Cash to the SDN List “exceeds [their] statutory authority, infringes on [the] Plaintiffs’ constitutional rights, and threatens the ability of law-abiding Americans to engage freely and privately in financial transactions.”11  

The parties filed dueling motions for summary judgment.  The plaintiffs argued that the designation of Tornado Cash was unlawful under IEEPA and the North Korea Act because: (1) Tornado Cash is nothing more than a set of immutable, open-source smart contracts, and so is not a foreign “national” or a “person” subject to those statutes; (2) the immutable smart contracts are not “property”; and (3) even if Tornado Cash were a person, it does not have an “interest in property” with respect to the smart contracts.  They further contended that the designation of Tornado Cash violates the First Amendment’s Free Speech Clause.  The OFAC defendants disputed each of those contentions, arguing that Tornado Cash’s founders and others excercised control over the smart contracts through the decentralized autonomous organization (“DAO”) responsible for their governance and the hosting and related services they provided in support. 

On August 17, the district court resolved the motions and granted judgment in favor of the OFAC defendants.

First, the court held “that Tornado Cash is an entity that may be properly designated as a person under IEEPA.”12  The Department had by regulation defined a sanctionable “person” to include an “association.”13  And applying the “ordinary meaning” of “association,” the court found that “[s]ubstantial evidence support[ed] the argument that [Tornado Cash’s] founders, developers, and [members of its DAO] constitute ‘[a] body of persons who have combined to execute [the] common purpose’ of developing, promoting, and governing Tornado Cash.”14 Thus, Tornado Cash could “be designated per OFAC regulations.”15

Second, the court concluded that Tornado Cash has a property interest in the blocked smart contracts.  Reasoning that “‘interest in property’ is hardly an unambiguous term,” the court rejected the plaintiffs’ “ordinary meaning” argument in favor of “OFAC’s regulatory definitions.”16  Those definitions encompassed “contracts of any nature whatsoever.”17  And from there, the court found that “OFAC’s determination that the smart contracts constitute property, or an interest in property, is not plainly inconsistent with the regulatory definition of those terms.”18

Third, the court reasoned that Tornado Cash has a “beneficial interest” in the smart contracts.19  It once again deferred to the agency’s regulation, and found that the smart contracts “convey an ongoing benefit for Tornado Cash, in the form of fees transmitted to the DAO.”20  In sum, the court rejected the plaintiffs’ statutory claims because “Tornado Cash is an entity that may be designated by OFAC and it has a property interest in the smart contracts it has deployed.”21

Finally, the court addressed the constitutional claim and held that plaintiffs had “not shown that the government’s action in any way implicates the First Amendment.”22  The plaintiffs argued that Tornado Cash enables users to donate money anonymously.  However, while granting that the “First Amendment protects the right of individuals to donate money to social causes,” the court observed that “it does not protect the right to do so through any particular bank or service of their choosing.”23  Plaintiffs did not show that the designation “prevent[ed] them from using other services that may allow them privacy.”24  Nor did they show that the designation chilled the right to publish source code, which other courts have held is protected speech.25

Accordingly, OFAC’s sanctions against Tornado Cash remain in place.

DOJ Charges Tornado Cash Founders

On the heels of the district court’s ruling, the Department of Justice announced that it had indicted Tornado Cash founders Roman Storm and Roman Semenov for conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money transmitting business.26  The indictment alleges that Tornado Cash facilitated more than $1 billion in money laundering transactions, including hundreds of millions of dollars for the Lazarus Group—the sanctioned North Korean cybercrime organization.27  Storm and Semenov allegedly were aware of this, but they “turned a blind eye to the illicit activity and made public representations that they were compliant with sanctions laws.”28  Notably, the indictment further alleges that Storm and Semenov controlled various aspects of the Tornado Cash business—such as its user interface—and ran the business to generate profits for themselves, including by increasing the value of tokens that they recieved as part of the initial distribution they designed.

Looking Forward

Tornado Cash provides yet another example of how the federal government has had to grapple with and adapt old laws to new blockchain technologies.  The President has recognized the need for “an evolution and alignment of the [government’s] approach.”29  And the Department of Treasury has called for public input on the matter.30  But many questions remain to be answered.  For instance, will the Executive prioritize enforcement actions in order to crack down on those, like the Lazarus Group, that abuse blockchain technologies for nefarious purposes?  Or will it prioritize policies that facilitate the development and use of digital assets for those who use the technology responsibly?

In some respects, OFAC’s handling of Tornado Cash suggests the former.  Rather than target only the bad actors, OFAC opted for an aggressive approach that effectively outlawed the privacy-enabling technology for everyone.  Indeed, in the eyes of many critics, OFAC did so without legal authority—and the battle on that front is not over.  Another case that raises similar claims remains pending in the Northern District of Florida.31  And the plaintiffs in the Western District of Texas case will likely appeal to the Fifth Circuit, which is known for taking a considerably less deferential approach to agency action than the district court appears to have here.

The criminal charges brought against Tornado Cash’s founders suggest that the government will closely scrutinize scenarios where fintech innovators create platforms that facilitate illegal activity, but then claim that the platform is decentralized and outside their control.  In the case against the Tornado Cash founders, the government has shown that it will consider the specific facts and circumstances, disregard traditional barriers, and focus on effective control and profits that innovators derive from the platforms.  In this way, the impending criminal case, in which the government will have to prove control over the platform, will likely present important questions that could have far-reaching implications for the decentralized finance industry.

Tornado Cash is not the only example of OFAC’s focus on the cryptocurrency industry.  OFAC has imposed sanctions on, and brought enforcement actions against, numerous other actors in the cryptocurrency space in connection with violations of U.S. sanctions law.32 OFAC has also issued guidance specifically focused on sanctions compliance for the blockchain industry that highlights key sanctions risks in the sector.33  This guidance highlights best practices to mitigate sanctions compliance risks, which include (among others):

  • Developing sanctions compliance policies and procedures;
  • Implementing geolocation tools, IP address blocking, and email-related restrictions for sanctioned jurisdictions;
  • Conducting sanctions training for employees;  
  • Creating a keyword list of a sanctioned jurisdiction’s cities and regions to be used when screening know-your-customer information;
  • Deploying blockchain analytics tools; and
  • Reviewing and updating end-user agreements to include information about U.S. sanctions requirements.34

The U.S. Government charged Tornado Cash’s founders with failing to take sufficient steps to implement a sanctions compliance program.  Companies operating in the cryptocurrency sector are on notice regarding the U.S. Government’s expectations for sanctions compliance—and those that fail to implement appropriate compliance programs are at risk of facing significant fines or, in the case of Tornado Cash, being specifically added to the SDN List and effectively prohibited from operating in the U.S. market.

Dechert regularly advises market participants in the blockchain and digital asset ecosystem, including by assisting with evaluating potential sanctions-related risks and building risk-based compliance programs to manage and mitigate such risks. Dechert also assists persons who have been added to the SDN List in seeking removal from the list through OFAC’s administrative process and, where appropriate, through litigation and other advocacy.


Footnotes

[1] See Alex Wade et al., How does Tornado Cash work?, Coin Center (Aug. 25, 2022), https://www.coincenter.org/education/advanced-topics/how-does-tornado-cash-work/. 

[2] See Van Loon v. Dep’t of Treasury, No. 1:23-cv-312-RP, 2023 WL 531091, at *5–6 (W.D. Tex. Aug. 17, 2023).

[3] See Press Release, U.S. Dep’t of the Treasury, Treasury Designates DPRK Weapons Representatives (Nov. 8, 2022), https://home.treasury.gov/news/press-releases/jy1087.

[4] See Wade et al., supra note 1.

[5] See Nov. 8 Press Release, supra note 3.  

[6] Office of Foreign Assets Control, Frequently Asked Questions 1095, U.S. Dep’t of the Treasury (Nov. 8, 2022), https://ofac.treasury.gov/faqs/1095.

[7] 50 U.S.C. §§ 1701(b), 1702(a)(1)(B).

[8] 22 U.S.C. § 9214(c)(1); see also id. § 9214(c)(2).

[9] Exec. Order No. 13,757, 82 Fed. Reg. 1 (Jan. 3, 2017) (amending Exec. Order No. 13,694, 80 Fed. Reg. 18,077 (Apr. 1, 2015)).

[10] See 31 C.F.R. § 501.807; 5 U.S.C. § 706.

[11] Compl. ¶ 1, Van Loon v. Dep’t of Treasury, No. 1:23-cv-312-RP (W.D. Tex. Sep. 8, 2022). 

[12] Van Loon, 2023 WL 5313091, at *7.

[13] See 31 C.F.R. §§ 510.305, 510.322, 578.305, 578.313.

[14] Van Loon, 2023 WL 531061, at *7.

[15] Id. at *8.

[16] Id.

[17] 31 C.F.R. §§ 510.323, 578.314.

[18] Van Loon, 2023 WL 531091, at *9.

[19] Id. at *10.

[20] Id. at *10–11.

[21] Id. at 11.

[22] Id.

[23] Id.

[24] Id. at *12.

[25] Id.

[26] Press Release, U.S. Attorney’s Office, Southern District of New York, Tornado Cash Founders Charged With Money Laundering And Sanctions Violations (Aug. 23, 2023), https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations.

[27] Id.

[28] Id.

[29] See Exec. Order 14,067, 87 Fed. Reg. 14143, 14143 (Mar. 14, 2022).

[30] See Ensuring Responsible Development of Digital Assets; Request for Comment, 87 Fed. Reg. 57556 (Sep. 20, 2022).

[31] See Compl., Coin Center v. Yellen, No. 3:22-cv-20375 (N.D. Fla. Oct. 12, 2022). 

[32] See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Announces Two Enforcement Actions for over $24M and $29M Against Virtual Currency Exchange Bittrex, Inc. (Oct. 11, 2022), https://home.treasury.gov/news/press-releases/jy1006.

[33] See OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry, U.S. Dep’t of the Treasury (Oct. 2021), https://ofac.treasury.gov/media/913571/download?inline; see also Darshak S. Dholakia et al., When You Got It, Flaunt It: Enforcement Authorities Expect Companies, Including Banks and Cryptocurrency Exchanges, That Collect Geolocation Data to Use It for Sanctions Compliance, Dechert LLP (June 27, 2023), https://www.dechert.com/knowledge/onpoint/2023/6/when-you-got-it--flaunt-it--enforcement-authorities-expect-compa.html.

[34] See OFAC, supra note 33.

Subscribe to Dechert Updates