
Treasury Department sanctions against a major crypto privacy tool pose new risks for the industry

What happened

On Monday, the Office of Foreign Assets Control (OFAC), an agency within the US Treasury Department tasked with maintaining the list of Specially Designated Nationals (SDN) and enforcing sanctions, added the non-custodial mixing service Tornado Cash and smart contract wallet addresses to the SDN list.

The US Treasury Department sanctioned Tornado Cash for allegedly helping launder proceeds from cryptocurrency hacks by the Lazarus Group, a state-sponsored North Korean group that has been linked to the $625 million hack of Axie Infinity’s Ronin network in March. According to on-chain data analysis, the Ronin network hackers repeatedly laundered proceeds via Tornado Cash even after April 2022, when OFAC sanctioned an Ethereum address associated with Lazarus Group and allegedly linked to the hack. Overall, around 18% of the total amount of ETH that has flowed through Tornado Cash over the past few months — 167,400 ETH — came from the Ronin hack, perhaps underscoring OFAC’s sense of urgency. According to a senior Treasury Department official, Tornado Cash has reportedly laundered more than $7 billion in virtual currency since its launch in 2019.

Following Monday’s announcement, Centre, the consortium behind the USDC stablecoin, blacklisted the sanctioned wallet addresses. Ethereum blockchain explorer data shows Centre halted the movement of at least $75,000 USDC by blacklisting the Tornado Cash wallets on the sanctions list. Tornado Cash’s GitHub account and website went offline; Tornado Cash developer Roman Semenov’s GitHub account has also been suspended.

Key figures

  • Office of Foreign Assets Control
  • Lazarus Group
  • Roman Semenov, founder of Tornado Cash

Key context

Tornado Cash is a non-custodial virtual currency mixer. A mixer typically receives a series of transactions and mixes them together before sending them to their final destination, making it harder to track where the money came from or where it is going. Mixers are part of a larger family of privacy-enhancing technologies, such as ring signatures or zk-SNARKs, which aim to obfuscate important information in a blockchain.

These tools are championed by privacy advocates, but at the same time they can also be used for evasive purposes like money laundering. In this case, it’s not much different than using Virtual Private Networks (VPNs) or The Onion Router (TOR), a privacy-enhancing relay layer over the Internet actually created by the US government. The dual nature of these technologies makes it difficult for law enforcement to find the right balance between these competing priorities of privacy and security.

According to Chainalysis, only 10.5% of the funds pooled in Tornado Cash came from hacking incidents. However, as of yesterday, all US citizens must ensure that they do not transact with Tornado Cash or any address on the SDN list.

It is important to note that this is not the first time OFAC has added names and addresses to the SDN list.

In December 2018, OFAC named two Iran residents under Executive Order 13694 for assisting individuals involved in certain cyber-assisted attacks using the so-called SamSam ransomware against a variety of US public and municipal entities. According to OFAC’s press release, Ali Khorashadizadeh and Mohammad Ghorbaniyan facilitated the exchange of Bitcoin from the SamSam ransomware attacks for Iranian rials, including by depositing the funds in Iranian banks. OFAC claimed that since 2013, the two individuals have used the two listed wallets to process more than 7,000 bitcoin transactions involving more than 40 exchanges, including some based in the United States, and about 6,000 bitcoins worth millions of US dollars, some derived from SamSam ransomware activity.

Then, in early May 2022, OFAC sanctioned Blender.io, a North Korea-affiliated crypto mixing service that the Treasury Department claimed was used to launder proceeds from ransomware attacks, as well as about $20.5 million in crypto stolen in the Ronin hack. Specifically, OFAC added Blender.io to the SDN list, as well as 46 bitcoin addresses and 12 ether addresses that connect directly to Blender.io wallets.

Still, Monday’s sanctions represented an escalation in OFAC’s enforcement in the cryptocurrency space. Unlike Blender.io, Tornado Cash is non-custodial mixing software and is not a registered entity. Funds are controlled by software logic and run on the Ethereum blockchain through smart contracts.

The Treasury had alerted the industry that an action like this could happen. On May 19, 2022, Alessio Evangelista, the deputy director of enforcement at the Financial Crimes Enforcement Network (FinCEN), speaking to an audience at the Chainalysis LINKS conference, said that crypto service providers have “too often” chosen to keep their heads in the sand about obviously suspect wallets “up to the date of an OFAC determination or criminal indictment”.

Key quote

“Today’s action does not appear to be so much a sanction against a person or organization with decision-making power. Instead, it seems to be sanctioning a tool that is neutral and can be used like any other technology for good or ill.” – Jerry Brito, Coin Center

Outlook

Interestingly, OFAC’s addition of Tornado Cash to the SDN list likely does not mean that Tornado Cash will cease operations. The Tornado Cash team just writes and publishes the smart contract code that allows the mixer to work. Tornado Cash’s code is still executable, and since Tornado Cash is open source, other interfaces already provide access to the same software. Also, nothing prevents new user groups from copying the source code and launching other similar products.

Yesterday’s action also raises larger regulatory questions for the crypto industry, particularly how decentralized platforms like mixing services that fall under a larger umbrella of decentralized autonomous organizations (DAOs) can be subject to oversight. Coin Center and others in the industry have noted that yesterday’s OFAC sanction is an example of placing software or code on a sanctions list, thereby preventing any users of the code from using it in the future.

Even when cryptocurrency addresses have been added to the SDN list in the past, the rationale for these additions was that they were under the direct control of individuals involved in sanctioned activities and the address was simply another alias for the sanctioned individual. In yesterday’s case, OFAC identified only a URL and a set of Ethereum contract addresses. Sanctioning a tool and non-custodial smart contract addresses that are not a direct alias of a person deserving of a sanction differs significantly from typical use of the SDN list.

FinCEN issued clear guidance in 2019, emphasizing the important difference between a custodial (hosted) wallet and a non-custodial (non-hosted) wallet. It is likely that OFAC understands this distinction too, but may not have realized how sanctioning Tornado Cash itself would work in practice. In fact, an anonymous user has started sending Tornado Cash transactions to high-profile Ethereum addresses (including Coinbase CEO Brian Armstrong, TV host Jimmy Fallon, prominent crypto figures like artist Beeple, and more mainstream celebrities like comedian Dave Chappelle), in what appears to be an attempt to hint at the potential regulatory mess.

Additionally, there is a Section 501.807 procedure to be removed from the SDN list, but who exactly would appeal the designation in that case?

It is also worth noting that crypto wallets currently do not have a reject function for incoming transactions. If funds are routed through Tornado Cash and withdrawn into an unsuspecting person’s wallet, that person could technically be in breach of OFAC sanctions, as these are enforced on a strict liability basis, meaning intent or knowledge is not a requirement for finding a breach.

Decision points

Many in the industry viewed yesterday as an assault on the financial privacy that the industry is working to promote, against those with a legitimate desire for privacy.

There is case law that contends that restrictions on how individuals use and spend money for legitimate purposes may raise First Amendment concerns. There is also the argument against unconstitutional search and seizure under the Fourth Amendment.

Notwithstanding the valid arguments against yesterday’s action, OFAC sanctions remain a strict liability regime, and for the time being, funds in Tornado Cash pools are frozen and US citizens cannot interact with funds associated with Tornado Cash. Users should check all of their addresses to see if such connections exist.

While mixers may at first seem like something only criminals would want to use, this is certainly not the case. Part of the fascination with Bitcoin and other cryptocurrencies is the legitimate desire for more financial privacy. Everyone should understand and want that.
