On August 8th, 2022 the Ethereum smart-contract mixer Tornado Cash was sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) for its role in laundering more than $7 billion worth of cryptocurrency since its creation in 2019. Of this amount, over $455 million was stolen by the North Korean state-sponsored hacking organization Lazarus Group which the US sanctioned in 2019.
Tornado Cash has been added to the Treasury’s Specially Designated Nationals (SDN) list alongside 45 related Ethereum wallets, meaning their “assets are blocked and U.S. persons are generally prohibited from dealing with them”. The associated Ethereum wallets that have also been added to the SDN list can be found among Treasury Department's recent actions.
What is Tornado Cash and how does it operate?
Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain and helps obfuscate the origin, destination, and counterparties of transactions to make them harder to trace. Technically speaking, it is a decentralized, non-custodial smart contract. Its codebase is open source and does not gain custody over its users’ funds at any point during the mixing process.
The tool receives various transactions and mixes them together to the point that none of them can be connected back to their original wallet addresses. While the main purpose of this service is to increase privacy and it is generally not illegal, these solutions are often associated with money laundering and other illicit activities.
What are the implications of the Tornado Cash sanction?
The imposed sanction requires all Tornado Cash property and interests in the US or in the possession or control of US persons to be blocked and reported to OFAC. This includes transactions to US persons or within the US that involve any property of designated or blocked persons.
In practical terms, as transactions under smart contracts occur automatically, blocking them is impossible. Thus, cryptocurrency wallet addresses receiving cryptocurrency from Tornado Cash will be blocked.
What makes the Tornado Cash sanction significant?
In recent years, we have seen increased regulatory scrutiny towards the alternative finance ecosystem. With the Tornado Cash sanction, the Treasury confirmed the trend of heightened scrutiny by targeting open-source software, rather than the usual crypto targets like wallets linked to individuals or centralized exchanges run by identifiable companies.
Notably, the sanctioning action was taken pursuant to Executive Order 13694, which authorizes the sanction of a “person” (defined as an individual, partnership, association, trust, joint venture, corporation, group, subgroup or other organization). This raised the question of whether OFAC has the authority to impose sanctions on an open code that clearly does not fall under the definition of “person”.
Importantly, the sanction is a first-of-its kind, as it is not levied against an individual or an entity a “privacy-enabling” code.
What is the difference between the Tornado Cash and Blender.io sanctions?
To fully understand the significance of the Tornado Cash sanction, it helps to examine the OFAC sanction of the cryptocurrency mixer Blender.io.
In May, 2022 OFAC added Blender.io to the SDN list. While this was big news back then, as it involved the first sanction against a virtual currency mixer, the sanction drew no objection from the crypto community. Blender.io is an entity that is ultimately under the control of natural persons, so it makes perfect sense for OFAC to impose sanctions on it.
Given the Blender.io sanction and the definition of “person” it could be argued that in the Tornado Cash sanction:
- OFAC overstepped its statutory authority by sanctioning software;
- The sanction undermines the privacy needs and financial integrity of innocent users and the concept of decentralization as a whole; and
- The sanction could set a dangerous precedent, especially for the future of financial privacy and freedom in web3.
The Tornado Cash sanction will likely raise a specter of future liability concerns and claims. Notwithstanding whether the sanction is well-founded or not, going forward crypto compliance teams must ensure they implement it in their sanctions compliance programs.
What are the key priorities for crypto compliance teams following the sanction?
OFAC’s most recent guidance on virtual currency states that crypto compliance teams “are encouraged to develop, implement, and routinely update a tailored, risk-based sanctions compliance program. Such compliance programs generally should include sanctions list and geographic screening and other appropriate measures as determined by the company’s unique risk profile.”
The Tornado Cash sanction highlights the importance of implementing a robust sanctions compliance program across all aspects of the digital asset ecosystem. To do so, the industry must collectively take a risk-based approach to determine the risks associated with different crypto services, implement effective risk controls, and address the residual threat posed by mixers and other anonymity-enhancing technologies.
As demonstrated by the Tornado Cash sanction and highlighted in the 2022 National Money Laundering Risk Assessment, crypto compliance specialists should consider mixers a high-risk activity. Sound blockchain analysis tools should also be used to identify transactions and wallets that may have “tainted funds” or be exposed to Tornado Cash-related addresses.
How can your crypto and DeFi fintech reduce the risk of non-compliance?
As a specialized outsourced compliance provider, InnReg is well positioned to offer companies operating in the crypto and alternative finance sectors compliance expertise to support the full gamut of compliance requirements, including:
- Sanctions compliance program development and management;
- Compliance facilitation across federal and state regulatory bodies;
- Monitoring for regulatory changes;
- Risk assessment and quality control;
- Implementation of compliance management workflows tailored to blockchain-based business models; and
- Support the CCO function and other key stakeholders in establishing an effective compliance governance and risk management framework.