On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the imposition of sanctions on the decentralized digital asset mixer Tornado Cash. The action marks the first time OFAC has targeted an on-chain decentralized protocol. To date, OFAC has not issued any guidance specific to decentralized finance (DeFi) as part of its broader sanctions guidance for the “virtual currency” industry, but the Tornado Cash action lays down an important marker and makes clear that OFAC will target projects or protocols engaged in illicit activity regardless of their centralized or decentralized status. (Our prior blog post on OFAC’s general virtual currency guidance is available here).
According to OFAC, Tornado Cash was “used to launder more than $7 billion worth of virtual currency since its creation in 2019,” including over $455 million stolen by the Lazarus Group, a North Korean-backed hacking group that was previously targeted by OFAC sanctions. In announcing the action, Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson explained, “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”
Tornado Cash was added to OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List) pursuant to Executive Order (EO) 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” The property and interests in property of an SDN must be blocked (i.e., frozen) when within the United States or within the possession or control of a US person, and US persons are generally prohibited from dealing with SDNs.
In addition, EO 13694 authorizes the SDN designation of any person determined to have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of … any person whose property and interests in property are blocked pursuant to this order.” While use of so-called “secondary sanctions” of this nature is discretionary, this provision means that any person, including a non-US person acting outside the United States, is at potential risk if they continue to engage in dealings with Tornado Cash.
What it Means for Developers
The action has important implications for developers of decentralized platforms. In particular, it makes clear that decentralized projects that launch without considering sanctions compliance measures may risk designation by OFAC, threatening the project’s viability and creating legal risks for those interacting with it, including the developers. While a number of questions remain with respect to OFAC’s approach to DeFi, the Tornado Cash action sends a clear message that OFAC will target projects engaged in illicit activity regardless of their centralized or decentralized status.
Decentralized protocols have historically struggled to implement or enforce sanctions compliance measures. However, developers are increasingly looking for creative solutions, including building certain user screening mechanisms into the protocol code. That is a trend that may continue as developers look for ways to safeguard their projects from future OFAC action. Under Secretary Nelson’s comments on the Tornado Cash designation suggest that the Treasury Department believes certain basic compliance measures are achievable.
What it Means for Customers and Counterparties
The Tornado Cash designation highlights the importance of carefully considering the controls in place at digital asset platforms before using the platform or interacting with the platform in another manner (e.g., sending tokens to or receiving tokens from the platform on behalf of a customer). Sanctions compliance measures vary considerably across digital asset platforms and that variance is particularly pronounced in decentralized contexts where it can be more difficult for the platform to implement measures and more difficult for third parties to obtain information on the measures in place. Fortunately, there are an increasing number of tools, including blockchain analytics, available to assist industry in assessing the relative risks associated with a given platform, including decentralized platforms.
As noted above, OFAC has also issued guidance outlining its expectations with respect to sanctions compliance measures for the “virtual currency industry.” The guidance outlines a variety of measures that should be incorporated into a robust compliance program. Among other measures, companies dealing with digital assets should conduct a detailed risk assessment that takes into account the platforms with which they interact, implement measures to identify and mitigate risky relationships, utilize transaction monitoring and investigation tools, and implement procedures to identify and act on risk indicators and red flags, some of which are enumerated in the guidance. While OFAC’s guidance does not specifically address decentralized platforms, the Tornado Cash action highlights the importance of implementing a robust sanctions compliance program across all aspects of the digital asset ecosystem.