The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) on August 8, 2022, imposed sanctions against the popular decentralized virtual currency mixer Tornado Cash alleging that it has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. Authorities in the Netherlands arrested the alleged developer of Tornado Cash two days after OFAC issued these sanctions, and users of Tornado Cash have since issued legal proceedings against OFAC, filing a 20-page complaint in Federal Court in Texas on September 8, 2022. This is not the first time OFAC has targeted a virtual currency mixer (it sanctioned Blender.io on May 6, 2022); this most recent action reinforces the U.S. government’s continuing focus on the connections between virtual currency and suspected malign activities.
Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain and indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin. It receives transactions, mixes them together and then transmits them to their individual recipients to increase privacy. On account of the open nature of blockchains such as Bitcoin and Ethereum, a recipient of a transaction can view the wallet balance and complete transactional history of the sending wallet address, unlike the private nature of transactions sent with other payment methods such as ACH or wire transfer in which a recipient has no access to such information regarding the sender. Tornado Cash became popular because it addresses privacy concerns for Ethereum users who prefer to not share their entire transaction history whenever they make financial transactions. It has allegedly been used by illicit actors to launder funds because the anonymous process makes it difficult to track the flow of funds. Such services are provided absent any know-your-customer procedures or any other effort to determine the origins of the funds.
OFAC designated Tornado Cash as a Specially Designated National and Blocked Person (“SDN”) pursuant to Executive Order 13694, which targets persons engaging in significant malicious cyber-enabled activities. According to OFAC, Tornado Cash is connected with the proceeds of cybercrimes, including over $455 million stolen by the Lazarus Group (a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was previously designated as an SDN in 2019), more than $96 million from the June 24, 2022 Harmony Protocol hack, and at least $7.8 million from the August 2, 2022 Nomad bridge hack.
As a result of these sanctions, all property and interests in property of Tornado Cash, or of any entities that are owned, directly or indirectly, 50 percent or more by Tornado Cash, that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. U.S. persons also are generally prohibited from engaging in transactions with Tornado Cash or that involve any property of Tornado Cash.
OFAC has expanded its ability to sanction crypto actors and the speed with which it designates wallet addresses. The first OFAC sanctions on a crypto wallet were imposed on November 28, 2018 against two Bitcoin wallets controlled by two Iranians which allegedly were used to launder money from the SamSam ransomware. Notably, since OFAC’s designation of Lazarus Group in September 2019, OFAC has been targeting numerous entities that are reportedly connected to it, including Blender.io and Tornado Cash.
Although OFAC refers to Tornado Cash as an “entity” in its announcement, there is some controversy as to whether this designation has gone too far. Congressman Tom Emmer, who is known to support the crypto industry, expressed concern in a letter dated August 23, 2022, that the sanctions “were not levied against a person or an entity, but against ‘privacy-enabling code,” and that, as a result, the sanctioned Ethereum addresses will have no ability to appeal the sanction to OFAC as they are smart contracts with no agency. While Blender.io had a centralized custodial service attached to it that could be shut down, Tornado Cash does not operate as a conventional business: Tornado Cash consists of randomly generated addresses on the Ethereum blockchain that were uploaded by independent developers over years and is operated as an open-source, decentralized, non-custodial, and autonomous organization.
The issues raised by Congressman Emmer are also raised in the case brought in federal court in Texas. Plaintiffs claim the decision to sanction Tornado Cash exceeded the government’s statutory jurisdiction, authority, or limitation under the International Emergency Economic Powers Act (“IEEPA”) because Tornado Cash is not a “property,” a “foreign country or a national thereof,” or a “person” of any kind under the IEEPA, and thus infringes on the users’ free speech and property rights and “threatens the ability of law-abiding Americans to engage freely and privately in financial transactions.” Plaintiffs are seeking immediate injunction to allow the plaintiffs and similarly situated users to access their Ethereum deposited with Tornado Cash or to use Tornado Cash in legitimate ways including making anonymous donations to support Ukraine.
In the action against Tornado Cash, OFAC also cited the reportedly growing trend of criminals’ use of anonymity-enhancement technologies, including mixers, to hide the movement or origin of funds, referencing the Department of the Treasury’s 2022 National Money Laundering Risk Assessment. OFAC previously published updated guidance on sanctions risks associated with ransomware payments on September 21, 2021 following its first sanctions against a Russian-operated virtual currency exchange involved in ransomware payments. The guidance highlighted that victims of ransomware attacks may be liable for sanctions violations if they make ransom payments to sanctioned entities; the sanctions against Tornado Cash further demonstrate that the method of payment may also create culpability if the victim is instructed to pay using technology that involves a sanctioned virtual currency mixer.
As the Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, stated in connection with the imposition of sanctions against Tornado Cash, “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.” Companies should carefully assess the risks associated with virtual currency services, implement measures to mitigate risks, and address the challenges anonymizing features can present to compliance with AML/CFT obligations. Companies should be wary of the use of virtual currency mixers in transactions, as the recent sanctions demonstrate that mixers should in general be considered as high-risk.
Dechert regularly advises market participants in the virtual currency ecosystem, assisting with evaluating potential sanctions-related risks and building risk-based compliance programs to manage and mitigate such risks.