In August 2022 the US Treasury’s Office of Foreign Assets Control (OFAC) imposed financial sanctions on the cryptocurrency mixer Tornado Cash, in a move that caused widespread consternation. This is potentially the first time that a truly decentralised cryptocurrency service provider — mixer or exchange — has become subject to sanctions.
A month later, a group of US citizens supported by the cryptocurrency exchange Coinbase filed a lawsuit challenging the legality of OFAC’s designation of Tornado Cash. More recently, a separate lawsuit was launched in October 2022 by the advocacy group Coin Center and three other plaintiffs. So, why do the plaintiffs in these two actions think that the sanctions against Tornado Cash are problematic?
First, it is helpful to take a step back and consider OFAC’s justification for the measures it took:
‘[Tornado Cash] has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the U.S. in 2019, in the largest known virtual currency heist to date. Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022 Nomad Heist.’
If an ‘ordinary’ mixer faced US sanctions as a result of similar allegations, it is safe to say no one would bat an eyelid (ask Blender.io, likewise accused of being too North Korea-friendly). What makes Tornado Cash unique is not the conduct it facilitated, but how it operates.
In a previous post, I wrote about the challenges of regulating mixers that, instead of being run on a day-to-bay basis by a person or group of people who in principle be regulated, operate automatically and without any ongoing intervention by those who set them up:
‘From a regulatory standpoint, this also means that, save for the automatic operation of software, there is no external party involved in the transfer of cryptocurrency. And, despite occasional flirtation in some quarters with the idea of imposing AML/CTF duties on software developers, it is plain that someone who has developed and published an open-source mixing protocol has no way of conducting due diligence on people who may use it in the future.’
For a long time, this vision of a truly decentralised, autonomous mixer remained a mirage. Now, however, Tornado Cash may have changed that. For instance, Coin Center’s detailed write-up of how Tornado Cash works states that, although the protocol could originally be updated by users of Ethereum addresses with ‘operator’ permissions, these have by now been phased out, with the effect that Tornado Cash is immutable and independent of its creators.
If that is correct, then the question inevitably arises of whom exactly OFAC sanctions when it prohibits US persons from engaging in cryptocurrency transactions with Tornado Cash’s listed addresses. In essence, all the arguments of the plaintiffs in the two lawsuits stem from the premise that, since there is no person operating the protocol, it is the protocol itself that is being sanctioned.
This, in turn, gives rise to the argument that OFAC has exceeded its authority, granted by the President, to designate ‘persons’ engaged in significant malicious cyber-activities. Instead, these sanctions apply to a particular technology — Tornado Cash — that is used by various persons, ranging from law-abiding Americans to North Korean cybercriminals.
Furthermore, the President’s own underlying authority under the International Emergency Economic Powers Act is limited to regulating ‘any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States’. In both cases, the plaintiffs argue that, since Tornado Cash does not constitute such property, its designation falls outside that authority.
For some, OFAC’s action raises First Amendment concerns, too.
These are complicated issues, and I would be foolish to venture any confident answers (or, indeed, any answers at all). One might wonder, though, whether a court would be tempted to say that, since OFAC can impose sanctions on North Korean hackers, there is no impropriety in extending those sanctions to cryptocurrency addresses that those hackers use to operate — namely, Tornado Cash. That, however, would appear at odds with OFAC’s characterisation of Tornado Cash itself as a designated ‘entity’, as well as its inclusion on the SDN list.
For now, therefore, it is difficult to say anything more insightful than: We shall see, and it should be interesting.