U.S. sanctions against cryptocurrency mixer Tornado Cash last week have ignited concern from industry stakeholders, privacy advocates and legal experts over what the future of virtual currencies looks like under the Biden administration.
The Treasury Department’s Office of Foreign Assets Control placed the sanctions in response to alleged negligence by Tornado Cash’s operators in preventing money laundering by cybercriminals, primarily North Korea’s Lazarus group, which used the technology to launder more than half a billion in stolen cryptocurrency.
But according to some critics and legal experts, the agency may have overstepped its authorities and placed a number of U.S. consumers in the crossfire.
“We believe that OFAC has overstepped its legal authority by adding certain Tornado Cash smart contract addresses to the [Specially Designated Nationals] List, that this action potentially violates constitutional rights to due process and free speech, and that OFAC has not adequately acted to mitigate the foreseeable impact its action would have on innocent Americans,” cryptocurrency think tank Coin Center’s Jerry Brito and Peter Van Valkenburgh wrote in a post Monday announcing the group’s effort to overturn the decision. Coin Center is also exploring a legal challenge to the designation.
Fundamental to critics’ concerns is the Office of Foreign Assets Control’s decision to sanction addresses on the Ethereum blockchain that the Tornado Cash code runs on. The problem is that the code’s developers have no control over the smart contract, or application, that runs the mixer. As long as the Ethereum blockchain exists, the code will keep running and mixing cryptocurrency indefinitely, regardless of sanctions. The only way to alter a smart contract is with a cryptographic key, and Tornado Cash’s developers destroyed it in 2020.
“They basically sanctioned a robot,” Brito explained to CyberScoop. Coin Center argues that because the authorities under which OFAC brought the sanctions require that an individual be tied to the sanction, the agency has overreached.
“Sanctions are a behavior change mechanism. It’s not punishment. So, it’s a pretty novel use here that hasn’t really been done before to sanction a smart contract, rather than a person or organization,” Michael Mosier, a former acting director of the Treasury Department’s Financial Crimes Enforcement Network who now works at Web3 startup Espresso Systems, told CyberScoop. “It’s unclear how code or a protocol — including without administrative keys — could change its behavior or petition for delisting on its own.”
Cryptocurrency owners use mixers to combine various types of virtual currencies to mask the origin of the assets. If a developer destroys the administrative key to the code, as Tornado Cash’s founder claims he did, then the code will continue to operate without any human intervention in perpetuity.
The anonymity that mixers provide has made them popular with cybercriminals and therefore of interest to enforcement agencies going after financial criminals. Treasury in May sanctioned individuals related to the Blender.io mixer for facilitating the transactions of criminal outfits such as the Lazarus group and several Russian cybercriminal gangs. The sanctions, which targeted individuals involved in running the operation, sparked little pushback from industry because the sanctions targeted Blender the company, not the technology.
The distinction between the two is a messy enough question that the U.S. government has addressed it before. The Financial Crimes Enforcement Network (FinCEN), another Treasury Department bureau that oversees money laundering, issued guidance in 2019 that mixer technology should be considered software and not a service provider. OFAC isn’t bound by FinCEN guidance, however, and was free to take a different approach. It did, leaving the roughly 70 percent of Tornado Cash’s transactions not tied to any illicit activity in a legal grey area.
“Users and developers of this technology are in a real bind,” Jerry Brito, executive director of Coin Center, told CyberScoop. “Treasury took this action without seemingly evaluating the impact this would have on millions of Americans and not contemplating basic answers to questions.”
This lack of clarity has left industry frustrated and eager for Treasury engagement. In a Twitter Spaces conversation on Friday hosted by Espresso Systems, several industry and legal experts expressed frustration that Treasury had offered little engagement before or after the sanctions to help industry understand the ramifications and deal with potential collateral impact, the typical agency process after enacting sanctions.
“It’s the lack of clarity and also the haphazard kind of way of going about this,” said Jill Gunter, co-founder at Espresso Systems.
Despite frustrations, speakers during the Twitter Spaces event encouraged engagement with regulators.
“The main takeaway is that we have to work ourselves on privacy protecting solutions at the same time that we’re educating the government on ways that they could satisfy all of these national security interests, including privacy, through a more rifle shot approach,” said Gus Coldebella, a partner at True Ventures, a venture capital firm that invests in web3 technologies, and former lawyer at the Department of Homeland Security.
Several sources confirmed to CyberScoop that some of that discussion is already ongoing and OFAC has been engaging industry in conversation since late last week but declined to comment on the private nature of the conversations.
The Treasury Department did not immediately respond to CyberScoop’s requests.
The sanctions come ahead of a wave of September deadlines set by the Biden administration’s March executive order on virtual currencies, which will create even more ground for discussion between industry and government. Industry reacted to the initial executive order with strong support, but some industry members have expressed concerns that the recent sanctions point to a clash between the administration’s investment in emerging technology and national security prerogatives like sending a strong message to North Korea.
Long before the political dust settles, the Tornado Cash sanctions are primed to have a chilling effect on developers and companies in the cryptocurrency space who seek to develop similar privacy-preserving technologies.
“This is a rough equivalent to sanctioning the email protocol in the early days of the internet, with the justification that email is often used to facilitate phishing attacks,” Lia Holland, campaign director at Fight for the Future, said in a statement.
The tech sector is already seeing ramifications of the Tornado Cash sanctions. Last week, GitHub removed the account hosting Tornado Cash’s source code as well as three developer accounts that contributed to it, including founder Roman Semenov and developer Alexey Pertsev, who was arrested last week by Dutch police in relation to his work with Tornado Cash.