In sanctioning what it called the “notorious virtual currency mixer Tornado Cash” on Monday (Aug. 8), the Treasury Department kicked off what could be the beginning of a more aggressive push to lift the veil of secrecy that much of the cryptocurrency industry exists behind.
The Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash to settle assertions that it played a role in laundering more than $7 billion worth of virtual currency since its creation in 2019, including more than $455 million allegedly stolen by the Lazarus Group, a North Korea-sponsored hacking group that was sanctioned by the U.S. that same year.
A number of bitcoin and ether wallet addresses were also sanctioned, prohibiting financial institutions — including crypto exchanges — from doing business with them. Americans are banned from using the Tornado Cash service.
Crypto mixing projects are generally decentralized finance (DeFi) platforms that allow people to obscure the origins of cryptocurrencies like bitcoin and ether, which can be tracked from one transaction to another via their public key code.
Mixers use a variety of techniques, most notably bundling a group of users’ cryptocurrency together into a single wallet address and then returning it randomly in small batches so it isn’t clear who put in which specific tokens.
Specifically, OFAC cited the more than $96 million stolen in the June 24 hack of the Harmony blockchain’s Horizon cross-chain payments bridge, and $7.8 million from the $190 million Nomad bridge hack on Aug. 1 — both of which it believes were orchestrated by the Lazarus Group.
It is the second sanctioning of a mixing service by OFAC, following the May 6 listing of the Blender.io mixing service after the Lazarus Group allegedly used it to launder funds from an earlier hack.
While notable on its own, this second action in three months suggests that the government may be embarking on a broader push against mixing services and other tools crypto owners use to turn their pseudonymous tokens into something truly anonymous and untraceable.
Cryptocurrencies are called pseudonymous because their public keys makes it simple to track transactions from A to B to C, but the use of one-time-only private keys needed to initiate a transaction place users behind a pseudonym — which sounds like splitting hairs, until your wife allegedly buys a $500 Walmart card that authorities say they can tie to $4.5 billion worth of stolen crypto from the 2016 Bitfinex hack.
However, this action also suggests that the OFAC sanctions are about a broader push to bring crypto fully into a world financial system that it was — as a way of making payments that did not go through a trusted third-party financial institution — ultimately designed to bypass.
There’s generally a focus on the cost and delays caused by those third parties, but they are also relied upon for most basic surveillance of financial crimes ranging from tax avoidance to laundering drug money to funding terrorists.
That’s difficult enough with a currency that by default hides users behind a cryptographic pseudonym, but there are still plenty of virtual asset service providers (VASPs) — to use the Financial Action Task Force’s term — like exchanges.
But DeFi, in theory, removes any human third party on which to impose responsibility. Add in a decentralized service designed to actively prevent oversight and tracking, and you’ve got a problem authorities can’t ignore. That’s one reason why crypto is still distrusted as a payments tool and shunned by many financial institutions: It’s still seen as a criminal’s currency in many regulatory and law enforcement circles.
Lack of Oversight
The impact on Tornado Cash has been swift — its TORN governance token nosedived almost 25% when the sanctions were announced. Like other mixing services, Tornado Cash is completely decentralized, co-founder Roman Semenov told CoinDesk in January.
“There is not much we can do in terms of helping investigations because the team doesn’t have much control over the protocol,” he told CoinDesk. “The Tornado Cash team mostly does research and publishes the code to GitHub. All the deployments, protocol changes and important decisions are made by the community via Tornado Governance.”
On May 18, 2020, the developers had a Trusted Setup Ceremony in which the original developers burned the key codes that would have given them control over the DeFi platform, and turned it over to smart contracts and votes by holders of the TORN token, CoinDesk said at the time.
Related: DeFi Series: Unpacking DeFi and DAO
Along with banning U.S. persons from using Tornado Cash’s services, the sanctions seem to make providing any services — like coding — or governance voting prohibited and make possession of TORN tokens illegal.
A Bridge Hack Too Far
The crypto industry’s libertarian segment reacted with outrage, calling the sanctions an unreasonable overreach that restricts Americans’ privacy.
Industry think tank Coin Center’s Executive Director Jerry Brito and Research Director Peter Van Valkenburgh criticized the action, saying that they are still “looking at the legal and constitutional ramifications,” and the sanction might amount to a “typically unconstitutional” prior restraint of free speech.
Arguing that sanctions are intended to target people, the decentralized mixing service is “a tool that is neutral in character and that can be put to good or bad uses like any other technology.”
By targeting it, they said, OFAC has imposed “a limit on any American who wishes to use her own money and a freely available software tool to maintain her own privacy — including for otherwise entirely legal and personal reasons.”
Semenov tweeted that his account on GitHub, a popular site for coders and developers building cryptocurrency projects, had been suspended. The Tornado Cash website is also down.
“Is writing an open source code illegal now?” he said.
Muneeb Ali, a well-known developer of the Stacks blockchain, a bitcoin scalability layer 2, tweeted, “the crypto wars II are starting.” He added that the Treasury Department’s sanctions list “is meant for people, not tech tools. Privacy tools are for every American.”
Not everyone agreed.
CoinDesk said Ari Redbord, the head of legal and government affairs at blockchain intelligence firm TRM Labs, called the sanctions “the largest, most impactful action by Treasury to date in the crypto space.”
For all PYMNTS crypto coverage, subscribe to the daily Crypto Newsletter.