Cryptocurrency mixers, a software that provides anonymity in crypto transactions, are at the forefront of the latest clash between regulators and the emerging world of digital assets, with legal actions, arrests, counter lawsuits, and North Korean hackers all part of the picture.
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) slapped sanctions on the Tornado Cash cryptomixer in August. This is based on allegations that since its creation in 2019 the mixer has handled more than $7 billion of cryptocurrency, including from criminal organizations like the North Korean state-backed Lazarus Group.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,“ said Treasury Under Secretary Brian E. Nelson in announcing the sanctions. “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”
Sheila Warren, chief executive officer of the Crypto Council for Innovation, said the sanctions – effectively a ban on U.S. citizens and businesses using the service – set a precarious precedent and would “have potentially very far-reaching implications.”
“This is a departure from the principle that code or technology itself has a fundamental neutrality that is benign, and it is what you do with it that is what turns it into something that can be malicious,” she said at the Forkast live-streamed event, “Crypto Rising: The Role of Law: An International Debate post Tornado Cash” on October 5.
In addition to sanctioning specific wallets, all assets held in Tornado Cash were frozen, triggering a backlash from many in the crypto community and a lawsuit against the Treasury. The case filed by six Tornado Cash users and backed by cryptocurrency exchange firm Coinbase Global, Inc may set important precedents for U.S. regulators.
Privacy vs. Security
Advocates of crypto mixers argue they are key to privacy on the blockchain because they obscure the history and origin of digital assets. When the mixer receives cryptocurrency, it pools it together with assets from other users, “mixes” them together, and returns the same amount of funds, less a fee, into a new wallet that the user can access with a special digital key – though the details of how Tornado Cash works differ slightly.
The ability to move cryptocurrency into a wallet that has never been used or associated with the user ensures more privacy. Though cryptocurrency is often considered anonymous, it is pseudonymous, with every transaction traceable to a public cryptocurrency wallet address.
A wallet can become associated with the user’s actual identity the more it is used in transactions with traditional finance. For example, once a wallet is added to a third-party exchange, the user’s wallet and bank account can be linked.
While the absence of crypto mixers would have a negligible effect on legal cryptocurrency activity, they present a dilemma to regulators and members of the cryptocurrency community, according to legal and blockchain experts.
“Virtually everyone would acknowledge that privacy is valuable, and that in a vacuum, there’s no reason services like mixers shouldn’t be able to provide it, however, this needs to be balanced with the fact that 25% of mixed funds come from illicit addresses,” Andrew Fierman, head of Sanctions Strategy at U.S. blockchain analysis firm Chainalysis, told Forkast in an email.
A sizable amount of the more than $7.6 billion worth of Ether crypto that Tornado Cash has received since starting up in August 2019 has come from illicit or high-risk sources, including $455 million from hacks by the Lazarus Group, according to Chainalysis data.
In the first half of 2022, crypto addresses tied to illicit activity transferred nearly 10% of their funds to cryptocurrency mixers like Tornado Cash, Chainalysis data shows, which didn’t provide a dollar figure.
Given the data, Fierman said, “we may see this trend continue and for OFAC to designate other mixing services used by cybercriminal groups.”
However, on the privacy and safety side of the argument, Ethereum cofounder Vitalik Buterin has said he used Tornado Cash to donate to Ukraine following the invasion by Russia, stating the service allowed him to do so without disclosing the identities of recipients.
Christopher Goes, the cofounder of Anoma, a privacy-centric blockchain protocol, told Forkast via email that he’s skeptical of how sanctioning mixers would work, as they are not targeted or specific enough to shut down particular parties.
He argues it is easy to copy and rename protocols, diluting efforts to crack down on money laundering, while freezing the assets of individuals for using a service that was legal when they first engaged with it.
“While I can see how this goal makes sense within a certain U.S. foreign policy rationale, I am not sure that sanctioning Tornado Cash will actually accomplish it, or help,” he said.
At its core, Tornado Cash is just code running on various open public blockchains like Ethereum, making it a complex entity to regulate. The code was publicly available for anyone to use on the open-source software hosting service GitHub.
The code was then removed from GitHub on concern that even hosting the software was in breach of the Treasury sanctions.
Tornado Cash advocates pushed back, arguing the OFAC did not have the Congressional authority to sanction code, which they argued is an expression of freedom of speech, as established in 1996 in the Bernstein v. U.S. Dep’t of State case.
Digital Rights advocacy group the Electronic Frontier Foundation said in a blog post: “the disappearance of this source code from GitHub after the government action raised the specter of government action chilling the publication of this code.”
Peter Van Valkenburgh – the research director at Coin Center, a non-profit on public policy and cryptocurrencies – weighed in, saying the Tornado Cash ban is unconstitutional.
OFAC has since walked back slightly, saying that “U.S. persons would not be prohibited by U.S. sanctions regulations from copying the open-source code and making it available online for others to view.” The code is now back on GitHub, though in a read-only form.
Ethereum Core developer Preston Vanloon, tweeted about the reversal, saying, “that is progress from an outright ban. I still encourage GitHub to reverse all actions and return the repositories to their former status.”
Another casualty is 29-year-old developer Alexey Pertsev who was arrested in Amsterdam on August 10 by the Netherlands’ Fiscal Information and Investigation Service (FIOD) for his alleged involvement in the Tornado Cash protocol.
Accused of facilitating money laundering through the mixer, Pertsev was ordered to be held an 90 days in prison on August 25, though he has not been charged with any crime.
Six individuals who said they have funds trapped in Tornado Cash filed a lawsuit on Aug. 8 against the OFAC and the Treasury Department, alleging the sanctions exceeded the agency’s authority, infringed on users’ constitutional rights, and threatened the ability of law-abiding Americans to engage freely and privately in financial transactions.
Coinbase Global Inc., the biggest U.S. cryptocurrency exchange, has helped organize and bankroll the lawsuit.
The Treasury Department on 13 September announced a way for Tornado Cash users to recover their funds by applying for an OFAC license to withdraw funds legally.
More than US$1.6 million is frozen in Tornado Cash accounts, according to data from DeFiLlama, and much of it may well be illicit, but as with Buterin’s Ukraine donation there are legitimate reasons users may want layers of privacy when making a transaction.
In another lawsuit filed against the U.S. Treasury in September, the plaintiff Tyler Almeida said he used the mixer to privately donate 0.5 ETH to the Ukrainian government’s public crypto wallet address. Almeida said this was to avoid public crypto wallets that donated to Ukraine’s public addresses being targeted by Russian state-sponsored hackers, according to the complaint.
Despite the Treasury’s actions, cryptocurrency mixers are not illegal. Other services, such as UniJoin and ChipMixer, are still up and running. However, the risk of sanctions loom, according to Leonie Tear, counsel at King & Wood Mallesons and certified global sanctions specialist with the Association of Certified Anti-Money Laundering Specialists.
“I think it’s a warning shot to the whole industry in terms of the need to get compliance programs in place,” said Tear.
While the decentralized nature of Tornado Cash makes it difficult to identify individual bad actors, targeting the most high profile tumblers can dissuade users and incentivize new industry standards, Tear added.
“It’s all pushing the industry to really put in place proper controls and stop virtual assets being used for crime,” she said. “The aim — I don’t think — is just to stifle innovation or to stop cryptocurrency being used, it’s just to try and rein in the more wild side.”
Some crypto companies have distanced themselves from Tornado Cash. Circle, issuer of the popular dollar-pegged USDC stablecoin, froze 75,000 USDC held by users with ties to Tornado Cash.
Conversely, Tether Holdings Ltd., the issuer of the world’s largest stablecoin by market capitalization, USDT, decided not to freeze any assets linked to Tornado Cash unless instructed specifically to do so by law enforcement.
Christopher Goes at Anoma said that either way, this story is far from over.
“I see a lot of productive engagement, and I expect that to continue,” he said, “the technology and regulations are both complex, and I hope that all involved parties can exercise patience and assume good intent by default.”