U.S. sanctions against cryptocurrency mixer Tornado Cash last week have ignited concerns from industry stakeholders, privacy advocates and legal experts over what the future of virtual currencies look like under the Biden administration.
The Treasury Department’s Office of Foreign Assets Control added Tornado Cash to its sanctions list in response to ongoing use of the technology by North Korea’s Lazarus cybercriminal group to launder more than half a billion in stolen cryptocurrency.
But according to some critics and legal experts, the agency may have overstepped its authorities and placed a number of U.S. consumers in the crossfires.
“We believe that OFAC has overstepped its legal authority by adding certain Tornado Cash smart contract addresses to the [Specially Designated Nationals] List, that this action potentially violates constitutional rights to due process and free speech, and that OFAC has not adequately acted to mitigate the foreseeable impact its action would have on innocent Americans,” cryptocurrency think tank Coin Center’s Jerry Brito and Peter Van Valkenburgh wrote in a post Monday announcing the group’s effort to overturn the decision. Coin Center is also exploring a legal challenge to the designation.
Fundamental to critics’ concerns is the Office of Foreign Assets Control’s decision to sanction addresses on the Ethereum blockchain that the Tornado Cash code runs on. The problem is the code’s developers have no control over the smart contract, or application, that runs the mixer. As long as the Ethereum blockchain exists, the code will keep running and mixing cryptocurrency indefinitely, regardless of sanctions. If a developer destroys the administrative key to the smart contract, as Tornado Cash’s founder claims he did, then the code will continue to operate without any human intervention in perpetuity.
“They basically sanctioned a robot,” Brito, executive director of Coin Center, explained to CyberScoop. Coin Center argues that because the authorities under which OFAC brought the sanctions require that an individual be tied to the sanction, the agency has overreached.
“Sanctions are a behavior change mechanism. It’s not punishment. So, it’s a pretty novel use here that hasn’t really been done before to sanction a smart contract, rather than a person or organization,” Michael Mosier, a former acting director of the Treasury Department’s Financial Crimes Enforcement Network who now works at a Web3 startup Espresso Systems, told CyberScoop “It’s unclear how code or a protocol — including without administrative keys — could change its behavior or petition for delisting on its own.”
Cryptocurrency owners use mixers to combine various types of virtual currencies to mask the origin of the assets. That promise of anonymity has made them popular with cybercriminals and therefore of interest to enforcement agencies going after financial criminals. The Treasury Department in May sanctioned individuals related to the Blender.io mixer for facilitating the transactions of criminal outfits such as the Lazarus group and several Russian cybercriminal gangs. The sanctions, which targeted individuals involved in running the operation, sparked little pushback from industry because the sanctions targeted Blender the company, not the technology.
The distinction between a mixer as a software and a mixer as a service provider (implying a human component) is a messy enough question that the U.S. government has addressed it before. The Financial Crimes Enforcement Network (FinCEN), another Treasury Department that oversees money laundering, issued guidance in 2019 that mixer technology should be considered a software and not a service provider. OFAC isn’t bound by FinCEN guidance, however, and was free to take a different approach. It did, leaving the roughly 70 percent of Tornado Cash’s transactions not tied to any illicit activity in a legal grey area.
“Users and developers of this technology are in a real bind,” Coin Center’s Brito told CyberScoop. “Treasury took this action without seemingly evaluating the impact this would have on millions of Americans and not contemplating answers to basic questions.”
This lack of clarity has left industry frustrated and eager for Treasury engagement. In a Twitter Spaces conversation on Friday hosted by Espresso Systems, several industry and legal experts expressed frustration that Treasury had offered little engagement before or after the sanctions to help industry understand the ramifications and deal with potential collateral impact, a process the agency typically undergoes around enacting sanctions.
“It’s the lack of clarity and also the haphazard kind of way of going about this,” Jill Gunter, co-founder at Espresso Systems, pointed to as a key concern.
Despite frustrations, speakers during the Twitter Spaces event encouraged engagement with regulators.
“The main takeaway is that we have to work ourselves on privacy protecting solutions at the same time that we’re educating the government on ways that they could satisfy all of these national security interests, including privacy, through a more rifle shot approach,” said Gus Coldebella, a partner at True Ventures, a venture capital firm that invests in web3 technologies, and former lawyer at the Department of Homeland Security.
Several sources confirmed to CyberScoop that some of that discussion is already ongoing and OFAC has been engaging industry in conversation since late last week. The sources declined to comment on the private nature of the conversations.
The Treasury Department did not immediately respond to CyberScoop’s requests.
The sanctions come ahead of a wave of September deadlines set by the Biden administration’s March executive order on virtual currencies, which will create even more ground for discussion between industry and government. Industry reacted to the initial executive order with strong support, but some industry members have expressed concerns that the recent sanctions point to a clash between the administration’s investment in emerging technology and national security prerogatives like sending a strong message to North Korea.
Mosier, who has first-hand experience with the tensions that can emerge between technical expertise and political pressures at Treasury, sees a middle ground.
“I think some will say, ‘Well, we can’t stop enforcing against North Korea while we write reports.’ Which is somewhat fair but I think the other point is that you should be doing very tailored restrained, rather than novel, actions until you figure out what you want your policy to be,” he said.
Long before the political dust settles, the Tornado Cash sanctions are primed to have a chilling effect on developers and companies in the cryptocurrency space who seek to develop similar privacy-preserving technologies.
“This is a rough equivalent to sanctioning the email protocol in the early days of the internet, with the justification that email is often used to facilitate phishing attacks,” Lia Holland, campaigns director at Fight for The Future said in a statement.
The tech sector is already seeing ramifications of the Tornado Cash sanctions. Last week, GitHub removed the account hosting Tornado Cash’s source code as well as three developer accounts who contributed to it, including found Roman Semenov and developer Alexey Pertsev, who was arrested last week by Dutch Police in relation to his work with Tornado Cash.