- Chainalysis reports 10.5% of funds ran through Tornado Cash were stolen
- Classifying code as an entity for the purpose of sanctions laws gets complicated, experts say
The Treasury Department’s decision to sanction a second crypto mixing service has sent blockchain enthusiasts and privacy chauvinists in an uproar this week.
On Monday, Tornado Cash, a cryptocurrency mixing service allegedly used to launder stolen funds linked to major hacks, was added to the Office of Foreign Asset Control’s Specially Designated Nationals (SDN) list, along with 45 associated Ethereum wallet addresses.
“OFAC’s designation of Tornado Cash is a crucial moment in the fight against cryptocurrency-based crime,” a report from blockchain analytics firm Chainalysis said.
“For one thing, it’s especially timely: More cryptocurrency is being stolen than ever, and in almost every hack we’ve observed this year, Tornado Cash has received at least some of the stolen funds.”
The Treasury alleges that North Korea-sponsored hacking group Lazarus Group, which in March stole over $620 million in cryptocurrency from the Ronin Bridge protocol, attempted to conceal the origin of the funds with Tornado Cash. Chainalysis agrees.
“Lazarus Group is one of the biggest perpetrators of these [decentralized finance] hacks,” Chainalysis said in its report. “Soon after the Ronin Bridge theft, the hackers sent much of those funds to Tornado Cash in order to be laundered.”
Not the first mixing service to be targeted
It’s not the first time OFAC has sanctioned a cryptocurrency mixer. In May, officials targeted Blender.io, a centralized service Lazarus Group also allegedly used to conceal stolen funds. But Tornado Cash is different, some experts say.
“Blender.io was designated back in May of this year, but it’s different and in a pretty meaningful way, which is that was a centralized custodial service and this…is just code,” Michael Mosier, former deputy chief in the Department of Justice’s money laundering and asset recovery section, said during a Twitter Spaces discussion Friday.
As a smart contract-based mixing service, Tornado Cash can continue to run without individual actors, those who oppose the sanctions insist. It’s an argument that Tornado Cash co-founder Roman Semenov has long used himself, but others have expressed doubt in this line of reasoning.
“I do not think personally, although we’re still kind of working through arguments…that you can necessarily make a particularly strong argument that Tornado Cash is not an entity,” Peter Van Valkenburgh, director of research at Coin Center, said during the Twitter Spaces. “As far as I know, Blender.io wasn’t incorporated in any legal jurisdiction, either.”
Some people retain a level of control over Tornado Cash’s admin keys, Van Valkenburgh said, allowing them to make changes to the code and therefore would be the ‘entity’ in the eyes of the government.
It gets murky though, Van Valkenburgh added, because Tornado Cash, as code, is not in and of itself ‘property.’
“It would be almost like we discovered that Phillips, the person who invented the Phillips head screwdriver, did something very, very bad, and we sanctioned his bank accounts, but then we also said that no one is allowed to use Phillips head screwdrivers anymore,” he said.
The blanket sanctions have collateral consequences, Rebecca Rettig, general counsel at Aave, said during the Twitter Spaces. Targeting every wallet that has come in contact with funds from Tornado Cash, no matter how far removed, is still a hypothetical scenario, but it’s one that could have a significant negative impact, Rettig said.
“The thought process through what all the unanticipated consequences would be was very narrow here, because it seems like a very severe reaction to software that is being used for some illicit activity,” she added.
Tornado Cash’s compliance responsibility
OFAC’s decision suggests that all protocols, decentralized or not, are subject to the same compliance obligations, Chainalysis’ report said. It is the responsibility of the mixer itself to stop illicit activity, officials say.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” Brian Nelson, the Treasury’s under secretary for terrorism and financial sntelligence, said after the sanctions were announced.
Since its launch in August 2019, Tornado Cash has received over $7.6 billion worth of ether, “a sizable portion of which have come from illicit or high-risk sources,” Chainalysis’ report noted. Of this figure, about 18% of funds came from sanctioned entities, but, the report notes, almost all of the funds were received before the entities were added to the sanctions list.
Less than 11% of funds received by the recently-sanctioned crypto mixing service Tornado Cash were stolen from other cryptocurrency exchanges and protocols, according to Chainalysis.