The US Treasury opens a Pandora’s box of legal issues as it targets a decentralized finance protocol used for both licit and illicit means.
On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against decentralized virtual currency “mixer” Tornado Cash (and 44 associated USDC and ETH addresses) — the first action of its kind against a decentralized finance (DeFi) protocol.
Mixers (or “blenders”) are centralized platforms or decentralized protocols (software that operates on the Ethereum blockchain) that specialize in masking the source and flow of digital assets via randomized and deliberately obfuscating transactions. They can therefore be an attractive resource for those seeking to maximize anonymity, launder stolen digital assets, or evade law enforcement.
OFAC asserts that since 2019, individuals and groups have used Tornado Cash to “launder” more than $7 billion worth of cryptocurrency. The service has allegedly been used by North Korea-affiliated hacking collective Lazarus Group (itself sanctioned since September 2019) to launder $455 million in stolen cryptocurrency, as well as recent multimillion-dollar ransomware attacks and DeFi exploits. Treasury stated that Tornado Cash had “indiscriminately” processed transactions and “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”
Mixers Continue to Be in the Crosshairs
Tornado Cash was added to OFAC’s Specially Designated Nationals (SDN) list pursuant to E.O. 13694, for materially assisting or sponsoring cyber-enabled activities that are reasonably likely to result in (or have materially contributed to) a significant threat to the national security, foreign policy, economic health, or financial stability of the US. The sanctions effectively prohibit US residents from using or interacting with the service.
Tornado Cash was added to the SDN list just three months after OFAC sanctioned Blender.io, the first time OFAC sanctioned a virtual currency mixer. North Korea, OFAC asserted, used Blender.io to support its malicious cyber activities and money-laundering of stolen virtual currency. The announcement issued at the time noted that “Treasury is committed to exposing components of the virtual currency ecosystem…that are critical to the obfuscation of the trail of stolen proceeds from illicit cyber activity.”
OFAC’s First Foray Into DeFi Raises Fundamental Questions
The sanctioning of a mixing service that North Korea utilized to evade US sanctions is unremarkable. However, the unprecedented nature of this action stems from the fact that Tornado Cash is a decentralized protocol without a central owner or operator. In essence, OFAC has sanctioned software code.
This action raises questions that will have a profound impact on regulation in the DeFi space. Some observers have questioned whether OFAC exceeded its statutory authority by designating a decentralized protocol, which is not a “person” under the relevant Executive Order. OFAC likely would counter that the Executive Order defines a “person” broadly to include both formally organized entities (like corporations and partnerships) and more loosely organized affiliations, including a “group, subgroup or other organization.” Therefore, taking the position that participants in the Tornado Cash ecosystem constitute such a “group” and have a “property” interest in the Tornado Cash URL and smart contract wallet addresses would not be a big leap for OFAC.
Similarly, Coin Center, a prominent digital asset advocacy group, decried Treasury’s action as overreach. It argued that the sanction targets not a person or persons committing illicit activity, but a technology that is neutral at its core. Coin Center contended that all US citizens are therefore being punished because a tool that law-abiding citizens can use for legitimate privacy preservation is now outlawed.
In that regard, comparing this action to OFAC’s designation of the SUEX centralized virtual currency exchange in September 2021 is instructive. SUEX was sanctioned for facilitating financial transactions for ransomware actors, with OFAC’s analysis showing that more than 40% of SUEX’s known transaction history was associated with illicit actors. Illicit transactions occur on most exchanges, and legitimate transactions undoubtedly took place on SUEX. However, OFAC distinguished SUEX from other exchanges by explaining that while “some virtual currency exchanges are exploited by malicious actors…others, as is the case with SUEX, facilitate illicit activities for their own illicit gains.” OFAC has apparently arrived at that same conclusion with respect to Tornado Cash, but how it has identified that kind of illicit motive in open-source software code operating without a central administrator is unclear.
Numerous commentators have flagged the potential First Amendment issues that OFAC’s action has raised, noting that software code is protected speech, as is how one chooses to spend their money. Coin Center noted that “in this case, the sanctions laws are being used to create a limitation on spending money not merely with some person who has been found guilty of a crime or even suspected of terrorism. This is a limit on any American who wishes to use her own money and a freely available software tool to maintain her own privacy—including for otherwise entirely legal and personal reasons.”
Finally, OFAC’s designation of Tornado Cash has demonstrated both the effectiveness and limitations of enforcement against a DeFi platform. Despite the absence of a tangible actor to penalize, OFAC’s actions have severely crippled the protocol. Within hours of the sanctions announcement, the open source code for Tornado Cash that was hosted on GitHub was apparently removed, and the founder’s account suspended. Various service providers have terminated their support for the protocol. Exchanges and stablecoins have restricted the now-sanctioned smart contract addresses, and the value of Tornado Cash’s token (TORN) has fallen sharply. Whether Tornado Cash can continue to successfully operate under these circumstances is an open question (circumstances in which other centralized mixers shut down).
On the other hand, because of its decentralized nature, Tornado Cash continues to function and process transactions. In a vivid demonstration of the protocol’s continued viability, an unknown person or group sent a tenth of an Ether through Tornado Cash to various high-profile and unsuspecting recipients with public wallets — all of whom, by dealing with the sanctioned protocol, are now technically in violation of US sanctions (which are strict liability offenses). This example illustrates the challenges that OFAC and other regulators face in pursuing enforcement actions in the DeFi space.
OFAC’s action against Tornado Cash represents the regulator’s first attempt to apply the US sanctions regime to DeFi. How far these sanctions are pursued, enforced, or litigated remains to be seen, but this action clearly raises a host of questions that implicate wide and varied areas of law. The nature of regulation in DeFi is one of the most challenging issues in crypto, and this action — and the industry’s response — will likely frame many of the legal and philosophical battles to come.