Cryptocurrency mixers, software that provides anonymity in crypto transactions, are at the forefront of the latest showdown between regulators and the emerging world of digital assets, with legal action, arrests, counter-claims, and North Korean hackers all part of the image.
The US Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on crypto mixer Tornado Cash in August. This is based on allegations that, since its inception in 2019, the mixer has handled more than $7 billion in cryptocurrency, including from criminal organizations such as the North Korean state-backed Lazarus Group.
“Despite public assurances to the contrary, Tornado Cash has repeatedly failed to impose effective controls designed to prevent it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Treasury Under Secretary Brian E. Nelson, announcing the sanctions “Treasury will continue to aggressively pursue actions against mixers who launder virtual currency for criminals and those who assist them.”
Sheila Warren, executive director of the Crypto Council for Innovation, said the sanctions, actually a ban on US citizens and businesses from using the service, set a precarious precedent and “would have potentially far-reaching implications.”
“This is a departure from the principle that code or technology itself has a fundamental neutrality that is benign, and it’s what you do with it that makes it something that can be malicious,” he told the conference. Forkast livestreamed event, “Crypto Rising: The Role of Law: An International Debate post Tornado Cash” on October 5.
In addition to sanctioning specific wallets, all assets held in Tornado Cash were frozen, prompting a backlash from many in the crypto community and a lawsuit against Treasury. The case brought by six Tornado Cash users and backed by cryptocurrency exchange Coinbase Global, Inc. may set important precedents for US regulators.
privacy vs security
Proponents of cryptocurrency mixers argue that they are key to privacy on the blockchain because they obscure the history and origin of digital assets. When the mixer receives cryptocurrency, it pools it with other users’ assets, “mixes” them, and returns the same amount of funds, minus a fee, in a new wallet that the user can access with a special digital key, although the details how Tornado Cash works differ slightly.
The ability to move cryptocurrencies to a wallet that has never been used or associated with the user ensures greater privacy. Although cryptocurrency is often considered anonymous, it is pseudonymous, and every transaction can be traced back to a public cryptocurrency wallet address.
A wallet can be associated with the real identity of the user the more it is used in transactions with traditional finance. For example, once a wallet is added to a third-party exchange, the user’s wallet and bank account can be linked.
While the absence of cryptocurrency mixers would have a negligible effect on legal cryptocurrency activity, they present a dilemma for regulators and members of the cryptocurrency community, according to blockchain and legal experts.
“Virtually everyone would recognize that privacy is valuable and that, in a vacuum, there’s no reason services like mixers can’t provide it; however, this must be balanced against the fact that 25% of commingled funds come from illicit sources. addresses,” Andrew Fierman, Head of Sanctions Strategy at US blockchain analytics firm Chainalysis, told Forkast in an email.
A significant amount of the more than $7.6 billion in Ether cryptocurrency that Tornado Cash has received since its launch in August 2019 has come from high-risk or illicit sources, including $455 million from Lazarus Group hacks, according to data. from Chainalysis.
In the first half of 2022, crypto addresses linked to illicit activities transferred almost 10% of their funds to cryptocurrency mixers like Tornado Cash, data from Chainalysis shows, which did not provide a dollar figure.
Given the data, Fierman said, “we may see this trend continue and OFAC designate other blending services used by cybercriminal groups.”
However, on the privacy and security side of the argument, Ethereum co-founder Vitalik Buterin said used Tornado Cash to donate to Ukraine after the Russian invasion, claiming that the service allowed him to do so without revealing the recipients’ identities.
Christopher Goes, co-founder of Anoma, a privacy-focused blockchain protocol, said Forkast via email that he is skeptical about how sanctioning mixers would work, as they are not targeted or specific enough to shut down particular matches.
He argues that it’s easy to copy and rename protocols, diluting efforts to crack down on money laundering, while freezing people’s assets for using a service that was legal when they first engaged with it.
“While I can see how this goal makes sense within some US foreign policy logic, I’m not sure sanctioning Tornado Cash will actually accomplish or help it,” he said.
At its core, Tornado Cash is just code that runs on various open public blockchains like Ethereum, making it a complex entity to regulate. The code was publicly available for anyone to use on the open source software hosting service GitHub.
The code was then removed from GitHub over concerns that even hosting the software violated Treasury sanctions.
Defenders of Tornado Cash backed down, arguing that OFAC did not have the authority of Congress to enact the code, which they argued is an expression of free speech, as established in 1996 in the Bernstein v. US Department of State. case.
Digital rights advocacy group the Electronic Frontier Foundation said in a blog post: “The disappearance of this source code from GitHub after government action raised the specter of government action that chilled the release of this code.”
Peter Van Valkenburgh, the director of research at Coin Center, a cryptocurrency and public policy nonprofit, weighed in and said the ban on Tornado Cash is unconstitutional.
Since then, OFAC has backed down a bit, saying “US sanctions regulations would not prohibit Americans from copying open source code and making it available online for others to view.” The code is now back on GitHub, albeit in a read-only format.
Preston Vanloon, Ethereum Core Developer, tweeted about the rollback, saying, “That’s progress from a total ban. I still encourage GitHub to reverse all actions and return repositories to their previous state.”
Another victim is 29-year-old developer Alexey Pertsev, who was arrested in Amsterdam on August 10 by the Netherlands Tax Information and Investigation Service (FIOD) for his alleged involvement in the Tornado Cash protocol.
Accused of facilitating money laundering through the mixer, Pertsev was sentenced to 90 days in prison on August 25, although he has not been charged with any crime.
Six people who said they had funds trapped in Tornado Cash filed a lawsuit on August 8 against OFAC and the Treasury Department, alleging that the sanctions exceeded the agency’s authority, violated the constitutional rights of users and threatened the ability of law-abiding Americans. participate freely and privately in financial transactions.
Coinbase Global Inc., the largest US cryptocurrency exchange, helped organize and fund the lawsuit.
The Treasury Department announced on September 13 a way for Tornado Cash users to recover their funds by applying for an OFAC license to legally withdraw funds.
More than $1.6 million is frozen in Tornado Cash accounts, according to DeFiLlama data, and much of it may well be illicit, but as with Buterin’s donation to Ukraine, there are legitimate reasons why which users may want levels of privacy when making a transaction.
In another lawsuit filed against the US Treasury in September, plaintiff Tyler Almeida said he used the mixer to privately donate 0.5 ETH to the Ukrainian government’s public crypto wallet address. Almeida said this was to prevent public crypto wallets that were donated to public Ukrainian addresses from being attacked by Russian state-sponsored hackers, according to the complaint.
Despite Treasury’s actions, cryptocurrency mixers are not illegal. Other services, such as UniJoin and ChipMixer, are still up and running. However, the risk of sanctions is looming, according to Leonie Tear, general counsel at King & Wood Mallesons and a certified global sanctions specialist with the Association of Certified Anti-Money Laundering Specialists.
“I think it’s a warning to the entire industry in terms of the need to put compliance programs in place,” Tear said.
While the decentralized nature of Tornado Cash makes it difficult to identify individual bad actors, targeting the highest-profile tumblers may deter users and incentivize new industry standards, Tear added.
“Everything is putting pressure on the industry to really put proper controls in place and stop the use of virtual assets for crime,” he said. “The goal, I don’t think so, is just to stifle innovation or stop the use of crypto, it’s just to try to rein in the wilder side.”
Some crypto companies have distanced themselves from Tornado Cash. Circle, issuer of popular dollar-pegged stablecoin USDC, froze 75,000 USDC held by users linked to Tornado Cash.
By contrast, Tether Holdings Ltd., the issuer of the world’s largest stablecoin by market capitalization, USDT, has decided not to freeze any assets linked to Tornado Cash unless specifically instructed to do so by police.
Christopher Goes at Anoma said that this story is far from over either way.
“I see a lot of productive engagement and I hope it continues,” he said, “The technology and regulations are complex, and I hope that all parties involved can be patient and assume good intentions by default.”