Tornado Cash Arrest Signals Gathering AML Storm for DeFi Developers

The arrest of a Tornado Cash developer in the Netherlands just days after U.S. authorities blacklisted the crypto mixing service for its alleged use by North Korean hackers could have a profound impact on all of decentralized finance.

Dutch prosecutors on Friday (Aug. 12) announced the arrest of an unnamed 29-year-old man who “is suspected of involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash.”

See also: With Tornado Cash Sanctions, Feds Seek to Lift Crypto’s Veil of Anonymity

Other arrests may be forthcoming, according to the Fiscal Information and Investigation Service (FIOD), which investigates financial crimes in the Netherlands. What’s potentially groundbreaking — even DeFi breaking — about the action is that the developer doesn’t run the service.

The theory that pretty much all decentralized finance development works under holds that once a project is fully controlled by a decentralized autonomous organization (DAO) — the voting-controlled, smart-contract-governed organizations that make decentralized (DeFi) projects work — it is without centralized human management that can be held liable for, well, anything.

Tornado Cash Co-founder Roman Semenov complained on Twitter that his account on the software developer site GitHub “was just suspended,” shortly after the sanctions were announced on Aug. 8.

He asked: “Is writing an open source code illegal now?”

Even the Treasury Department’s Office of Foreign Assets Control (OFAC) decision in the U.S. to sanction Tornado Cash was met with shock and promises to look into “the legal and constitutional ramifications,” of the action by crypto industry advocates.

How Untouchable?

Regulators have taken exception to DeFi’s belief that no one is in charge, with both the Financial Action Task Force (FATF) and Bank for International Settlement (BIS) saying DeFi’s decentralization is overstated.

Read also: Bank for International Settlements Calls DeFi’s Decentralization an Illusion

“Although DeFi’s main vision is to be decentralized, providing financial services without intermediaries, full decentralization in DeFi is illusory,” the BIS’s head of financial markets, Andreas Schrimpf, said in December.

Specifically, they have focused on the lack of anti-money-laundering (AML) tools on most DeFi projects, including exchanges, cross-chain payments bridges, and lending protocols in which funds could plausibly be laundered.

See more: Top DeFi Exchange SushiSwap Builds in Controls as AML Measures Loom

Just the Facts

Semenov summarized the position of much of the DeFi industry’s position pretty neatly in January.

“There is not much we can do in terms of helping investigations because the team doesn’t have much control over the protocol,” he told CoinDesk. “The Tornado Cash team mostly does research and publishes the code to GitHub. All the deployments, protocol changes and important decisions are made by the community via Tornado Governance DAO and deployment ceremonies,” when the code changes go live on the DAO.

Tornado Cash was “specifically designed this way to be unstoppable,” he said.

On May 10, 2020, Tornado Cash’s developers held what’s called a “trusted setup ceremony” in which 1,114 contributors destroyed the key codes that gave access to and control of the “multi-sig wallet” holding users’ funds,” CoinDesk reported at the time. This refers to a type of digital wallet that needs multiple signature key codes — generally a set number rather than all — to be accessed. It’s a way of ensuring no one DAO-controlled project developer can make off with user funds.

Now, there’s a pretty big caveat here: Dutch prosecutors have not released enough information about the case to be certain that the alleged criminal activity did not occur and the project was fully decentralized. But even so, it would make it much harder to build any decentralized project with any potential legal violations like the lack of AML checks endemic to almost all DeFi projects.

And that’s the point the Netherlands is trying to make.

Coming for DeFi

“Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson in a statement on Aug. 8. “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”

Ultimately, DeFi developers will have to get in line, supporters of a crackdown on DeFi’s freewheeling culture argue.

“The crypto space talks about wanting to go mainstream and be a new financial system,” Yaya Fanusie, a fellow at the Center for a New American Security, a former analyst at the Central Intelligence Agency now working as a consultant on crypto money laundering procedures told CoinDesk. “If you want to play in the big leagues, you’re going to have to play with big regulation.”

This is why “advanced technologies, such as decentralized organizations that may facilitate money laundering are receiving extra attention from the FIOD,” Dutch prosecutors said.


For all PYMNTS Crypto coverage, subscribe to the daily Crypto Newsletter.