The sanctioning of Tornado Cash

Due to the blockchain, cryptocurrencies such as Bitcoin and Ether feature a publicly-visible register of all transactions; meaning that all cashflows are traceable. With crypto mixers, however, different streams of potentially identifiable cryptocurrency are mixed.

The Bitcoin owner can, therefore, transfer the money to the mixing service, which mixes it with that of other users and transfers the mixed currency to the desired address, meaning there is no connection between the original transaction and this address.

This approach improves the anonymity of transactions, as it makes Bitcoin harder to trace. But although crypto mixers might be great for privacy, they are also used to launder assets and proceeds from (cyber-)crimes. For instance, cryptocurrency stolen by criminal groups can be mixed with legitimate digital assets, making them difficult to trace.

Tornado Cash’s Designation by OFAC

Tornado Cash is one of the leading crypto mixers. On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for enabling cybercriminals to launder billions in crypto. The Lazarus Group, which is a hacking group backed by North Korea, is said to have laundered more than $455 million in stolen funds through the mixer.

At least one billion dollars' worth of cryptocurrencies of criminal origin is alleged to have passed through Tornado Cash. It is the second cryptocurrency mixer sanctioned by OFAC, following the designation of Blender.io in May for its role in laundering funds stolen by Lazarus Group. According to OFAC “Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.’’

The designation of Tornado Cash means that all its property and interests in property - or that of any entities owned, directly or indirectly, 50% or more by Tornado Cash - that are in the US or within the possession or control of US persons are blocked. All US persons are generally prohibited from engaging in transactions that are with Tornado Cash or that involve any property of Tornado Cash.

Reactions

The sanctioning of Tornado Cash was met with mixed reactions. Tornado Cash has legitimate uses and the attack on the protection of user privacy was harshly criticised. Furthermore, it is unclear what will happen to those US citizens that had funds sitting in Tornado Cash. For now, his or her funds are blocked and have to be reported to OFAC. However, there is no clear procedure for recovering those funds.

It is noteworthy that OFAC has sanctioned the code running the Tornado Cash application rather than sanctioning individuals or entities that are using the tool for crime. As Tornado Cash is a decentralised service and its code does not need to be maintained by developers, it cannot simply be shut down. The code can continue to run, meaning that crypto compliance teams need to be vigilant and ensure that their customers do not withdraw funds to addresses owned by or associated with Tornado Cash. OFAC sanctions violations are subject to a “strict liability” standard, meaning no intent, knowledge or reason to know that one is dealing with a sanctioned person is required for a violation to occur.

OFAC has, once again, shown rigorous enforcement activities when it comes to the crypto market.  However, the sanctioning of Tornado Cash is not a big surprise when one considers that more cryptocurrency is being stolen than ever before – and that in nearly every hack observed this year, Tornado Cash has received at least a part of the stolen funds. It has been the ideal tool to launder cryptocurrency coming from illegitimate backgrounds and its sanctioning makes it more difficult for criminals to continue these activities. However, sooner or later there will be other players and services in the market that will offer similar possibilities.

It is also worth noting that on 12 August 2022, the Dutch Fiscal Information and Investigation Service (FIOD) announced that it had arrested a suspected developer of Tornado Cash. The FIOD said it did not make the arrest due to OFAC's blacklisting of Tornado Cash and added that it had opened a criminal investigation into Tornado Cash in June. The 29-year-old man is suspected of concealing criminal financial flows and facilitating money laundering through the mixer. Yet the arrest has met with criticism in some quarters. Many pointed out that it is unfair to arrest someone who writes a code that is misused by criminals while, to take an example, gun manufacturers are not arrested when the weapons they create are used in illegal activity.