By Layer 2
Aug 12, 2022 at 5:00 p.m. UTCUpdated Aug 12, 2022 at 5:01 p.m. UTC
Nikhilesh De is CoinDesk's managing editor for global policy and regulation. He owns marginal amounts of bitcoin and ether.
What a week huh? Tornado Cash got sanctioned, hedge funds might soon have to report their crypto holdings and we haven’t even had a chance to look at the latest push to give the CFTC spot market oversight.
You’re reading State of Crypto, a CoinDesk newsletter looking at the intersection of cryptocurrency and government. Click here to sign up for future editions.
Tornado Cash getting sanctioned raises all sorts of questions. Are other privacy-focused projects likely to face a similar fate? Was the Tornado sanctioning inevitable? And what’s the deal with North Korea?
Why it matters
Something I’ve been hearing a lot recently from lawyers and regulatory-adjacent folks is that the Treasury Department’s Office of Foreign Asset Control (OFAC) is one of the few federal agencies you absolutely do not want to mess with. Whereas anyone can fight a Securities and Exchange Commission lawsuit or duke it out in court against the Department of Justice, OFAC can go hard.
Breaking it down
Tornado Cash developer Roman Semenov told Bloomberg News in March that it would be “technically impossible” to enforce sanctions against decentralized protocols like the privacy mixer he helped build.
Earlier this week, the Office of Foreign Asset Control, a sanctions watchdog operating under the auspices of the U.S. Treasury Department, said, “Bet.”
The fallout was swift: Circle immediately froze about $70,000 worth of its USDC stablecoin on Tornado, crypto exchange dYdX blocked accounts that may have once interacted with Tornado, GitHub suspended not only Tornado’s account but also Semenov’s and now everyone’s trying to determine what constitutes an interaction with a sanctioned address.
Perhaps the most interesting outcome was that someone decided to send small amounts of ether (ETH) through Tornado to various celebrities, presumably to try and demonstrate that sanctioning a protocol would not be as effective. (Related note: I casually asked a few lawyers what they thought about this and all of them seemed to think it was not a great idea.)
There are a few different issues I think we need to unpack.
First, there’s the North Korea angle. In its press release announcing the sanctions, the Treasury Department said Tornado “has been used to launder … over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the U.S. in 2019, in the largest known virtual currency heist to date.”
This same week, but separately, Deputy National Security Adviser Anne Neuberger told an audience that she was “very concerned” about North Korea and its cyber work.
Also, the United Nations reported earlier this year that it estimated North Korea used some $50 million in stolen crypto to fund its nuclear weapons program.
In other words, Treasury’s not just saying that North Korea’s been stealing crypto, it’s that North Korea has been stealing crypto for its weapons program, and Tornado Cash has played a key role in helping it transmit these funds in a way that could evade scrutiny.
As TRM Labs’ Ari Redbord told me, “It’s not just money laundering, it’s money laundering that’s going to be used for weapons proliferation.” So it seems understandable that the U.S. government might be a bit freaked out by this.
This brings me to point number two: the technology angle. Tornado Cash is a protocol, one that was open source to boot and built on a decentralized framework. Unlike when OFAC sanctioned Blender.io, another mixer, Tornado doesn’t exactly have a business to shut down. It has a governance token. The token holders are responsible for voting to accept or reject various possible forks and whatnot. If those holders are not beholden to U.S. sanctions (i.e., they’re not U.S. persons or they feel really really confident in their privacy setup) they may feel more comfortable continuing to operate business as usual.
A senior Treasury official told reporters ahead of Monday’s announcement that following the Blender sanction “we have not seen evidence to suggest that it has remained active” when asked about Tornado being an open-source decentralized project.
The official did not rule out further action in the event Tornado continues to be used for money-laundering purposes, though they did not specify what that action might be.
Where things get weird is when you consider the whole open-source nature of Tornado Cash. As I mentioned, someone (and, I’ve been told, possibly several someones) has been sending small amounts of ETH through Tornado to people who have public Ethereum addresses, including comedians Jimmy Fallon and Dave Chappelle, or crypto folks like Coinbase (COIN) CEO Brian Armstrong and (I guess) Logan Paul and companies like Puma. Because their addresses are public, on the blockchain and not necessarily tied to a specific exchange, it’s difficult, if not impossible, to block these incoming transactions.
I doubt OFAC is going to drop the hammer on celebrities for receiving sanctioned ETH, but I could see the watchdog going after someone openly defying sanctions if they make enough noise. The main issue may be in identifying the sender(s).
Which brings me to point three: the privacy angle. A lot of folks used Tornado for innocuous reasons. The Treasury Department said about $7 billion in crypto flowed through the mixer over the past three years or so since Tornado launched. Blockchain analytics firm Elliptic estimated that some 20% of this was illicit, which, to be clear, is a lot. But it also means that over $5 billion was not used in illegal activity but may have just been used by individuals hoping to preserve some privacy while transacting on a digital ledger known for recording every single transaction conducted on it.
A huge chunk of the crypto world is calling the Tornado sanctions an attack on privacy.
Fight for the Future suggested in a statement that the sanction was overly broad, saying that while “hackers and cybercriminals … should be stopped,” the execution may infringe on First Amendment constitutional rights.
“This is a rough equivalent to sanctioning the email protocol in the early days of the internet, with the justification that email is often used to facilitate phishing attacks. Tornado.cash is code, and rather than identify those who were aiding and abetting criminals the Treasury simply sanctioned that code. Code is speech,” the statement said.
Likewise, crypto think tank Coin Center likened the move to trying to restrict speech prior to it occurring.
“In this case, the sanctions laws are being used to create a limitation on spending money not merely with some person who has been found guilty of a crime or even suspected of terrorism. This is a limit on any American who wishes to use her own money and a freely available software tool to maintain her own privacy – including for otherwise entirely legal and personal reasons,” Coin Center said.
Ethereum co-founder Vitalik Buterin tried to illustrate the potential beneficial uses of Tornado Cash, to send crypto to Ukraine in its battle against Russia.
I think whatever happens next will largely be defined by Tornado itself. If, after a few weeks, volume continues to stay high, we might see more action from Treasury. If volume drops, maybe not, and people will move on to the next big fight. Admittedly, this seems obvious but this is such a novel case it’s hard to point to any specific precedents.
On Friday morning, after the first draft of this newsletter was written but before it was sent out, Dutch officials arrested an unnamed developer of Tornado Cash on money laundering allegations. That is a really interesting decision. The Fiscal Information and Investigation Service did not detail the specific charges or say if it arrested the person because of the U.S. sanctions or on its own initiative.
Changing of the guard
Hm. I think we’re basically set now? It doesn’t seem like we’re getting any new nominations.
- Master of Anons: How a Crypto Developer Faked a DeFi Ecosystem: One single individual built a huge chunk of the protocols powering various tools on Solana, which at one point became responsible for what sounds like around three-quarters of the total value locked (TVL) on the network. The catch? This individual appears to have created at least 11 different pseudonyms to feign a level of decentralization that did not actually exist.
- Solana Wallets Targeted in Latest Multimillion-Dollar Hack: In other not-great news for Solana, the Slope Wallet protocol was compromised last week. It appears that somehow private keys were stored in plain text on a centralized server. Phantom wallets on Slope were also affected.
- US Regulators Consider Asking Large Hedge Funds to Disclose Crypto Exposure: The SEC and CFTC voted to advance a joint proposal amending Regulation PF, which directs how hedge funds must report their holdings, to distinguish their crypto holdings.
- (TechDirt) When Tesla (TSLA) CEO Elon Musk first tried to formally get out of his deal to buy Twitter *(TWTR), I a carefully considered analysis. Mike Masnick has a far more in-depth analysis based on the legal filings and Musk’s actions over the past few months.
- (DOJ) A member of Iran’s Islamic Revolutionary Guard tried to pay for the assassination of former National Security Advisor John Bolton using bitcoin (BTC), offering $300,000 to a would-be assassin.
If you’ve got thoughts or questions on what I should discuss next week or any other feedback you’d like to share, feel free to email me at [email protected] or find me on Twitter .
You can also join the group conversation on Telegram.
See ya’ll next week!