The US Treasury Department blacklisted the virtual currency mixer Tornado Cash on Monday, saying the system “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.” The platform was added to the Specially Designated Nationals and Blocked Persons List (SDN), prohibiting all transactions on Tornado Cash by people in the US “unless authorized by a general or specific license issued by OFAC [Office of Foreign Assets Control]”, the Treasury Department announcement said.
“As a result of today’s action, all property and interests in property of the entity above, Tornado Cash, that is in the United States or in the possession or control of US persons is blocked and must be reported to OFAC,” the announcement said. There is reportedly over $412 million of assets on Tornado Cash. Prices of Tornado’s crypto token TORN plummeted after the blacklisting announcement.
The Treasury action was criticized within the crypto industry because it affects any US person using Tornado Cash, not just those involved in money laundering or other crimes. The SDN list is generally used to “identify persons involved in terrorism, enemy states, or other state-sanctioned activities and ensure that these individuals cannot get the benefit of the US financial system,” Coin Center Executive Director Jerry Brito and Research Director Peter Van Valkenburgh wrote yesterday. Coin Center is a cryptocurrency research and advocacy group.
The sanction of Tornado Cash is unusual because a “smart contract is a robot, not a person,” and Treasury’s action seems “to be the sanctioning of a tool that is neutral in character and that can be put to good or bad uses like any other technology,” they wrote. “It is not any specific bad actor who is being sanctioned, but instead it is all Americans who may wish to use this automated tool in order to protect their own privacy while transacting online who are having their liberty curtailed without the benefit of any due process.”
Open source code gone from GitHub
Tornado Cash’s open source code disappeared from GitHub, apparently just after the Treasury announcement. Tornado Cash co-founder Roman Semenov wrote yesterday, “My @GitHub account was just suspended. Is writing an open source code illegal now?”
When contacted by Ars, the Microsoft-owned GitHub said, “Trade laws require GitHub to restrict users and customers identified as Specially Designated Nationals (SDNs) or other denied or blocked parties, or that may be using GitHub on behalf of blocked parties. At the same time, GitHub’s vision is to be the global platform for developer collaboration. We examine government sanctions thoroughly to be certain that users and customers are not impacted beyond what is required by law.”
Tornado Cash says it uses a decentralized protocol in which smart contracts are “implemented within the Ethereum blockchain, making them immutable. They can neither be changed nor tampered with. Therefore, nobody—including the original developers—can modify or shut them down.” Despite the GitHub code removal, Tornado Cash said the “smart contracts are on the Ethereum blockchain. It doesn’t change anything for Tornado Cash contracts,” Decrypt wrote.
Decrypt also reported that an “anonymous troll is sending celebrities Ethereum from a Tornado Cash wallet—presumably as a way to demonstrate how difficult it will be for the US government to enforce its ban on the mixing service.”
The Treasury Department said Tornado Cash “indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin. Tornado receives a variety of transactions and mixes them together before transmitting them to their individual recipients. While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists.”
The US agency also said that money laundered on Tornado Cash “includes over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group,” plus “$96 million of malicious cyber actors’ funds derived from the June 24, 2022, Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022 Nomad Heist.”
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Under Secretary for Terrorism and Financial Intelligence Brian Nelson. He said Tornado Cash “launders the proceeds of cybercrimes, including those committed against victims in the United States.”