On August 8, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned virtual currency mixer Tornado Cash for having laundered more than USD 7 billion worth of virtual currency since its founding in 2019.  This includes over USD 455 million worth of stolen virtual currency associated with the Lazarus Group, a “Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group” that is responsible for the largest known virtual currency heist to date.[1]  Notably, Tornado Cash is only the second virtual currency mixer that OFAC has sanctioned, following its May 2022 sanctions on Blender.io.  These sanctions against two virtual currency mixers within months of each other signal an escalation in OFAC’s focus toward cyber-criminal activity perpetrated through virtual currency related platforms.  Some in the digital assets industry, however, feel that OFAC’s actions—sanctioning a piece of computer code rather than specific bad actors—is unconstitutional and subject to legal challenge.

Tornado Cash, the “Virtual Currency Mixer”

Tornado Cash, which operates on the Ethereum blockchain, provides mixing or tumbling services to users of cryptocurrencies.[2]  A “mixer,” also known as a “laundry service” or “tumbler,” is a tool or service that allows users to send virtual currency anonymously.[3]  A mixer works by obscuring a transaction on the blockchain by sending the transaction through a “complex, semi-random series of dummy transactions”[4] and by comingling one payment with others, such that it becomes unclear to whom funds are being directed and extremely difficult to trace funds back to an original source.

Tornado Cash mixes transactions using a zero-knowledge proof algorithm.[5]  A zero-knowledge proof algorithm is a system where the user withdrawing the currency proves to the “verifier” (i.e., Tornado Cash’s smart contract tool) that a particular statement is true without having to provide any other information.[6]  The verifier automatically checks the proof provided by the user and processes a withdrawal if the proof is valid.  This process results in anonymous records on the blockchain and maximizes confidentiality in cryptocurrency transactions.[7]

The anonymity Tornado Cash provides users is purportedly for privacy, however the mixer appears to have been commonly misused by bad actors for illicit purposes.  In addition to its misuse by the Lazarus Group, which once stole USD 620 million in Ethereum from Ronin Network’s Sky Mavis, the maker of the Axie Infinity blockchain game, Tornado Cash was also used to launder over USD 96 million worth of virtual currency connected to the Harmony Bridge Heist in June 2022 and USD 7.8 million worth of virtual currency in the Nomad Heist in August 2022.  

OFAC Sanctions against Tornado Cash

Pursuant to Executive Order 13694, as amended, OFAC sanctioned Tornado Cash for facilitating the laundering of proceeds of cybercrimes, which caused “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” and “a significant misappropriation of funds or economic resources.”[8]

The sanctions block all property and interests in property of Tornado Cash in the U.S. or held by U.S. persons.  All property and interests in property must be reported to OFAC.  The sanctions also block entities that are owned fifty percent or more by a blocked person, whether ownership is direct or indirect.  Additionally, all transactions by U.S. persons and transactions within the U.S. involving Tornado Cash are prohibited.  In effect, OFAC has banned all Americans from using Tornado Cash.

OFAC’s related FAQs

On September 13, 2022, OFAC published frequently asked questions (“FAQs”) 1076-1079 discussing the Tornado Cash sanctions.[9]

FAQ 1076 explains what activity is prohibited under the sanctions.[10]  Specifically, “engaging in any transaction with Tornado Cash or its blocked property or interests in property” is prohibited under the sanctions.[11]  Additionally, transactions with certain virtual currency wallet addresses associated with Tornado Cash that are listed on OFAC’s Specially Designated National and Blocked Persons List (the SDN List) are prohibited.  However, using or interacting with open-source code that does not involve a prohibited transaction is still permissible.  U.S. persons may “copy […] the open-source code and mak[e] it available online for others to view, as well as discuss […], teach […] about, or includ[e] open-source code in written publications,” and access the Tornado Cash website archives.[12]  OFAC’s clarification on this point is useful to virtual currency developers, issuers, and users because Tornado Cash operates on Ethereum blockchain, which is publicly available.

FAQ 1077 answers the question whether U.S. persons can “engage in transactions involving identified Tornado Cash virtual currency wallet addresses absent a specific license from OFAC” with a resounding no.[13]  OFAC instructs that U.S. persons cannot engage in a transaction with Tornado Cash or one of its virtual currency wallet addresses without violating sanctions, unless the transaction is exempt or authorized by OFAC.

FAQ 1078 addresses whether OFAC’s reporting obligations apply to “dusting” transactions that occurred in the wake of the sanctions.[14]  “Dusting” is the practice of sending users unsolicited, nominal amounts of virtual currency.  After the sanctions were announced, over six-hundred addresses received 0.01 ETH (USD 19.25) as part of a dust attack.[15]  FAQ 1078 explains that OFAC’s reporting obligations do apply to such transactions, but the agency will not prioritize enforcement against delayed receipt of initial and subsequent blocking reports absent another “sanctions nexus.”[16]

FAQ 1079 pertains to completing transactions or withdrawals that were initiated, but not completed, before the sanctions went into effect on August 8, 2022.[17]  OFAC instructs U.S. persons or persons conducting transactions within the U.S., who would like to complete or withdrawal their transactions, to apply for a specific license from OFAC.  FAQ 1079 provides additional guidance on how to obtain a specific license and notes that OFAC will “have a favorable licensing policy towards such applications” so long as the transaction is not otherwise sanctionable.[18]

Legal Challenges to the Sanctioning of Computer Code

After the sanctions were announced, industry groups and privacy advocates reacted with fury, expressing concerns that the sanctions would limit access to tools that preserve necessary confidentiality in virtual currency transactions.[19]  Industry groups have also raised legal concerns over the sanctions.  For example, Coinbase, which operates a virtual currency exchange platform, is funding a lawsuit brought by six of its investors to remove Tornado Cash smart contracts from the sanctions list.[20]  The plaintiffs in the lawsuit allege that the U.S. Department of the Treasury acted outside its authority by sanctioning “an entire technology instead of specific individuals,” where such technology has legitimate applications and protects privacy.[21]  In a tweet, Neeraj Agrawal, the Communications Director for Coin Center, a virtual currency advocacy group, signaled that the group may challenge the sanctions on First Amendment grounds.[22]

Developments in Virtual Currency Regulation

Despite the pushback by virtual currency industry professionals, OFAC will likely increase its sanctions against virtual currency related platforms while the Biden Administration develops strategies and policies to deal with virtual currency and other digital assets.[23]  On September 16, 2022, the White House released its Comprehensive Framework for Responsible Development of Digital Assets, pursuant to President Joe Biden’s March 9, 2022, Executive Order.[24]  A significant portion of the framework is dedicated to countering illicit finance in virtual currency and digital assets.  In the framework, the Biden Administration explained that it will, among other things: (i) ask Congress to enact legislation addressing money-laundering and countering the financing of terrorism in digital assets; (ii) continue to monitor the development of the digital assets sector and its associated illicit financing risks; (iii) instruct departments and agencies to “continue to expose and disrupt illicit actors and address the abuse of digital assets”; and (iv) direct the U.S. Department of the Treasury to enhance dialogue with the private sector to ensure understanding of existing obligations and illicit financing risks associated with digital assets.[25]

The U.S. Department of Justice (the “DoJ”) has already responded to the Executive Order, announcing the expansion of DoJ’s enforcement capabilities through the establishment of a national network of more than 150 subject matter expert prosecutors dedicated to investigating and prosecuting criminal activity involving digital assets.  This will necessarily augment DoJ’s existing capacity and expertise and very likely foreshadows increased tenacity and sophistication on DoJ’s part in the future pursuit of criminal prosecutions in the digital assets space.  Please see our detailed analysis here.  The U.S. Department of the Treasury has also responded to the Executive Order.[26]

Additional Considerations

The regulatory framework for digital assets is still evolving and far from settled.  As noted by the New York State Department of Financial Services, it is important for entities that use virtual currencies to create risk-based policies, processes, and procedures to ensure that they do not engage in transactions with sanctioned individuals or entities.[27]  In particular, companies that engage in virtual currency should: (1) augment Know Your Customer (KYC)-related processes by using compliance tools that obtain certain identifying information that ties directly to the pseudonymous blockchain ledger data (such as the location of a wallet address on a specific exchange); and (2) conduct transaction monitoring and sanctions screening of blockchain ledger activity.[28]

[1] Press Release, U.S. Dept. of Treas., U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (Aug. 8, 2022), https://home.treasury.gov/news/press-releases/jy0916 (hereinafter “Treasury Press Release”); Press Release, U.S. Dept. of State, Imposing Sanctions on Virtual Currency Mixer Tornado Cash (Aug. 8, 2022), https://www.state.gov/imposing-sanctions-on-virtual-currency-mixer-tornado-cash/ (noting that the Lazarus Group was sanctioned in 2019). 

[2] Treasury Press Release, supra note 1.

[3] Financial Action Task Force, Virtual Currencies: Key Definitions and Potential AML/CFT Risks 6 (June 2014), https://www.fatf-gafi.org/media/fatf/documents/reports/Virtual-currency-key-definitions-and-potential-aml-cft-risks.pdf (defining mixer as “a type of anonymizer that obscures the chain of transactions on the blockchain by linking all transactions in the same bitcoin address and sending them together in a way that makes them look as if they were sent from another address.”) (hereinafter “Virtual Currencies”); Dept. of Justice, Report of the Attorney General’s Cyber Digital Task Force (Oct. 2020), https://www.justice.gov/archives/ag/page/file/1326061/download (defining mixer and tumblers as “entities that attempt to obfuscate the source or owner of particular units of cryptocurrency by mixing the cryptocurrency of several users prior to delivery of the units to their ultimate destination.”)

[4] Id.

[5] See Alex Wade et al., How Does Tornado Cash Work?, Coin Ctr. Blog (Aug. 25, 2022), https://www.coincenter.org/education/advanced-topics/how-does-tornado-cash-work/.

[6] Id.

[7] Id.; see also Virtual Currencies, supra note 4, at 6.

[8] Treasury Press Release, supra note 1; see Exec. Order No. 13,694, 3 C.F.R. 18077 (2015), amended by Exec. Order No. 13,757, 3 C.F.R. 1 (2017); Treasury Press Release (“Tornado is being designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”)

[9] Financial Statements: Frequently Asked Questions, U.S. Dept. of Treas. (Sept. 13, 2022), https://home.treasury.gov/policy-issues/financial-sanctions/faqs/added/2022-09-13 (hereinafter “OFAC FAQs”).

[10] Id.

[11] Id.

[12] Id.

[13] OFAC FAQs, supra note 13.

[14] Id.

[15] Sebastian Sinclair & David Canellis, DeFi Web Apps Block Users Hit by Tornado Cash ‘Dust Attack, Blockworks (Aug. 15, 2022), https://blockworks.co/defi-web-apps-block-users-hit-by-tornado-cash-dust-attack/.

[16] OFAC FAQs, supra note 13.

[17] Id.

[18] Id.

[19] David Yaffe-Bellany, Investors Sue Treasury Department for Blacklisting Crypto Platform, N.Y. Times (Sept. 8, 2022), https://www.nytimes.com/2022/09/08/business/tornado-cash-treasury-sued.html.

[20] Id.; Brian Armstrong, Defending Privacy in Crypto, Coinbase Blog (Sept. 8, 2022), https://blog.coinbase.com/defending-privacy-in-crypto-e09db33dece8.

[21] Armstrong, supra note 20 (“While Treasury is allowed to sanction people (along with their property), Congress never gave it the power to sanction open source software.”); see Compl. at 1-3, Van Loon v. U.S. Dept. of Treas., No. 6:22-cv-00920 (W.D. Tex. Sept. 8, 2022).

[22] Neeraj K. Agrawal (@NeerajKA), Twitter (Aug. 15, 2022, 9:52 AM), https://twitter.com/NeerajKA/status/1559182510319337472. (Agrawal is the Communications Director for Coin Center); see also Jerry Brito & Peter Van Valkenburgh, U.S. Treasury sanction of privacy tools places sweeping restrictions on all Americans, Coin Ctr. Blog (Aug. 8, 2022), https://www.coincenter.org/u-s-treasury-sanction-of-privacy-tools-places-sweeping-restrictions-on-all-americans/.

[23] See Fact Sheet: White House Releases First-Ever Comprehensive Framework for Responsible Development of Digital Assets, White House (Sept. 16, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/16/fact-sheet-white-house-releases-first-ever-comprehensive-framework-for-responsible-development-of-digital-assets/ (hereinafter “Fact Sheet”).

[24] See id.; Exec. Order No. 14,067, 87 F.R. 14,143 (Mar. 9, 2022). 

[25] Fact Sheet, supra note 23.

[26] Press Release, U.S. Dept. of State, Statement from Secretary of the Treasury Janet L. Yellen on the Release of Reports on Digital Assets (Sept. 16, 2022), https://home.treasury.gov/news/press-releases/jy0956.

[27] See Memorandum from Adrienne Harris, Superintendent of Financial Servs., N.Y. Dept. of Finance, to All Virtual Currency Business Entities, Guidance on Use of Blockchain Analytics (Apr. 28, 2022), https://www.dfs.ny.gov/industry_guidance/industry_letters/il20220428_guidance_use_blockchain_analytics#ftn4.

[28] See id.; see generally Off. Of Foreign Assets Control, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 2021).