Takeaways

• The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued the first-ever smart contracts sanction, and its decision to sanction a nonperson may be challenged in court.
• The U.S. government has made it clear that it will hold accountable all those responsible for unlawful activity, with no exceptions allowed for decentralized protocols.
• Governments worldwide appear ready to hold developers and founders of privacy protocols, not just the protocol itself, responsible for illicit network activity, even if it is decentralized, just as the purported developer of the decentralized protocol was arrested in the Netherlands.
• The peer-elected signatories to the protocol’s community fund disbanded, and thereafter, the protocol’s decentralized autonomous organization (DAO) reportedly shut down, which raises various potential questions about DAOs that are structured in a similar manner.

Overview

On Aug. 10, 2022, just days after OFAC issued sanctions against virtual currency mixer Tornado Cash, Dutch authorities arrested the protocol’s alleged developer. In a press release, the Treasury Department alleged that since 2019, Tornado Cash had been used to launder more than $7 billion in cryptocurrency, including more than $455 million stolen in the largest decentralized finance (DeFi) hack to date, on the Ronin Network, carried out by the North Korean-backed cybercrime syndicate the Lazarus Group. Dutch authorities have not released the identity of the developer and have not ruled out the possibility of further arrests related to Tornado Cash.

Tornado Cash Background

Mixing services like Tornado Cash facilitate the efforts of those seeking to obfuscate cryptocurrency transaction histories by pooling users’ tokens with funds from different sources. Tornado Cash is an Ethereum privacy protocol operating as a noncustodial smart contract mixer. Once deployed, the Tornado Cash smart contracts cannot be modified or shut down and will operate in perpetuity. While Tornado Cash developers initially retained control over user funds, the coin-mixing service became permissionless in May 2020. 

Although Tornado Cash’s founders write and publish the protocol’s code, a DAO must approve any changes before those changes are implemented. In an interview earlier this year, Tornado Cash co-founder Roman Semenov emphasized the decentralized nature of the service, saying that “there is not much we can do in terms of helping investigations because the team doesn’t have much control over the protocol.”

OFAC Sanctions

OFAC announced sanctions against Tornado Cash on Aug. 8, 2022, and added it to the Specially Designated Nationals (SDN) List along with 45 Ethereum addresses allegedly linked to crime perpetuated through use of Tornado Cash. The Treasury Department alleged that the protocol indiscriminately facilitated anonymous transactions, allowing cybercriminals to launder billions of dollars in cryptocurrency, and that “[d]espite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

Notably, OFAC sanctioned the protocol’s smart contracts rather than any natural person or entity. This is significant; while the Treasury Department has previously sanctioned wallet addresses and centralized custodial mixers, the sanction of a noncustodial, open-source protocol is unprecedented. Privacy advocates and critics of the decision have argued that the Tornado Cash sanctions operate not as a ban on a person or entity but rather as a ban on any person using a specific tool for any reason, including lawful purposes.

The knock-on effects of the Tornado Cash sanctions are already being felt in the DeFi world. As a result of OFAC’s Tornado Cash sanctions, stablecoin issuer Circle blacklisted the 45 Ethereum addresses added to the SDN List. Similarly, Ethereum infrastructure provider Infura – reportedly used to support Ethereum calls made by Tornado Cash’s front-end user interface – dropped all support of Tornado Cash.

In the wake of the sanctions and arrest, the peer-elected signatories to Tornado Cash’s community fund disbanded, leaving control of the fund to the DAO. Shortly thereafter, the DAO itself reportedly shut down, with both the website and the Discord server associated with the DAO apparently going offline. According to reports, this move was prompted by fear of legal consequences for Tornado Cash community members and contributors. Abandonment by the signatories to the DAO appears to have effected a fatal blow to the operation of the DAO itself, which raises various potential questions about DAOs that are structured in a similar manner.

Conclusion

The sanctions and the arrest of a Tornado Cash developer are the latest developments in an ongoing regulatory crackdown in the cryptocurrency industry. In early May, the centralized custodial cryptocurrency mixer Blender.io was sanctioned by OFAC as a result of allegedly laundering funds related to ransomware attacks and DeFi hacks. Speaking at a Chainalysis Links conference weeks after the Blender.io sanctions, Alessio Evangelista, the associate director of the Financial Crimes Enforcement Network’s Enforcement and Compliance Division, warned that “too often” crypto service providers have opted to keep their heads in the sand about blatantly suspect wallets “right up until the day of an OFAC designation or criminal indictment.”

Decentralized protocols, especially those that offer privacy-enhancing services, would be well advised to consider upgrading their compliance activities.

[View source.]