Tornado Cash Developers Accused of Assisting Hackers in Laundering $1 Billion, Including Notorious North Korean Attacks
Blockchain Association Submits Amicus Brief Supporting Coin Center's Lawsuit Against U.S. Treasury Regarding Tornado Cash Sanctions
As the SEC moves in on Tornado Cash, Coinbase is fighting back
Should Apple's Tim Cook be imprisoned for creating a phone that criminals use to organize heists? Should the CEO of Boeing be held accountable for the planes that the hijackers flew into the World Trade Center? Is the creator of the pressure cooker criminally liable for creating something that may be used to make a bomb?
On Friday, Dutch authorities arrested someone for allegedly contributing to the open-source Tornado Cash cryptocurrency tumbler on Ethereum. The complete narrative is unknown at this time, but the potential of criminalizing code quickly concerned many crypto and privacy activists.
We know the arrested guy was a 29-year-old male who was captured in Amsterdam. Tornado Cash is a service used to anonymize cryptocurrency transactions that was approved by the United States Treasury Department on Monday. We know that in June, Dutch banking officials launched a criminal inquiry into that service.
The coder, on the other hand, was just "suspected" of assisting in the creation of Tornado Cash. Likewise, according to the Dutch Fiscal Information and Investigation Service, solely "suspected of involvement in hiding unlawful financial flows and enabling money laundering" (FIOD).
We don't know the full scope of this move, how broad the investigation is, or what it might entail for cryptocurrency in the future. The Dutch financial investigators said in a statement that "several arrests are not ruled out."
Depending on how things play out, how Tornado Cash's founders are "dealt with" by criminal authorities, and for what reason, the case could have a big chilling impact on crypto development - particularly projects or updates involving privacy.
Crypto developers have been operating under a shadow of uncertainty for years. There are significant distinctions between how a truly decentralized program runs in the wild and other software projects, ones that the law has yet to completely comprehend. However, the crypto business is also engaging in self-denial, which may lead to a false sense of security or confidence.
Certain aspects of developing code are rather straightforward. At least in the United States, simply releasing code on Github if it's an original idea is nearly always legal - even for controversial stuff like ghost weapons and crypto mixers. That's a hangover from the so-called cryptography wars of 30 years ago: Code is a language, and cryptography is speech, and the government is prohibited by the constitution from prohibiting its development under, say, munitions rules.
When you get beyond the act of writing, the situation becomes more complicated. "Without commenting on Tornado Cash specifically, acts such as assisting someone who wants to use the code, uploading a mixing smart contract to a protocol, or operating a web app that can hook into a user's MetaMask wallet stray into potentially criminal territory," Preston Byrne, a cybercrime and crypto lawyer, told Motherboard this week.
This is not the first time a developer of a privacy program has been arrested. The US Department of Justice detained Roman Sterlingov, the owner and operator of crypto mixer Bitcoin Fog, last year on suspicion of facilitating money laundering. That was just a few months after Larry Dean Harmon pled guilty to running the illegal money-transmitting business Helix as well as conspiracy counts connected to money laundering on the cryptocurrency mixer.
(The distinction between Tornado and Helix or Bitcoin Fog is that the latter two were "custodial," which means they took control of customers' funds - a distinction that may no longer be relevant when it comes to assisting money laundering or operating a money transmitter.)
The US Treasury Department's Office of Foreign Assets Control designated a smart contract as a Specially Designated National on Monday, an unprecedented step. Terrorist organizations and nation-states are often assigned this label. It's similar to arresting a robot that no one can turn off or prevent others from utilizing.
Tornado Cash is an open-source protocol, which means that anyone can contribute to it or use it. It is non-custodial, which means it does not keep user funds, nor does it have administrators who can monitor who is using the application or freeze transactions. The cryptographic keys required to decipher anonymous transactions on the platform were burned by its founders.
That doesn't mean its founders didn't try to follow financial regulations when they were questioned. Following a high-profile attack orchestrated by the North Korea-backed Lazarus Group in April, Tornado began collaborating with blockchain analytics startup Chainalysis to ban addresses sanctioned by OFAC. They were, however, limited in what they could do beyond inspecting the protocol's "front-end" webpage.
A smart contract is immutable once it is deployed on Ethereum. This is why crypto supporters have been so outraged by the recent international actions launched against Tornado. MakerDAO's Rune Christensen was correct when he called the sanctions "useless," because anyone - smart enough to use the command line or stupid enough to flout the law - can still transact with the robot.
Tornado, in other terms, is a self-contained system. It's simply something that exists in the world, ready to be used, like an iPhone, a plane, or a pressure cooker. And how frequently are innovators held accountable when their systems are abused? Every day, as Mike Dudas pointed out, Mastercard (MA) and SWIFT assist in the processing of fraudulent transactions.
However, this is insufficient. You're not going to go far calling cops hypocrites. Although Tornado was clearly used for more than just criminal activity – Elliptic and Chainalysis both estimated that up to $1 billion in crypto can be traced back to hacks or malware, out of the $7 billion deposited since 2019 – it was still a system designed specifically to shift some financial flows outside the purview of financial regulators.
That irritates cops. Financial flows are shifting without their knowledge. Crypto users may argue that it is none of the cops' concern how they spend their money, but that is not how the world works. The world isn't interested in learning how or why these systems work.
For goodness sake, the US Treasury stated that Tornado was used to launder $7 billion in cryptocurrency, vastly overestimating the amount based on the data - either indicating that they don't care about the data or are comfortable claiming that all money that flows by outside its sights is laundered.
The difficulty for coders may be where this line is drawn between contributing to a privacy-preserving app and supporting money laundering. Is contributing to Bitcoin's Taproot part of a money-laundering conspiracy if it finally improves bitcoin's privacy? What about contributing to the future Monero upgrade?
According to Bloomberg's Matt Levine, "anything is securities fraud," because everything might be considered securities fraud under the broad definition used by the Securities and Exchange Commission. The SEC chairman, Gary Gensler, uses what he calls a "duck test" to evaluate what is or isn't a security - essentially a gut call. The same holds true for "wire fraud," which is defined as a financial crime "using the use of telecommunications or information technology."
Again, we have no idea why this "alleged" Tornado coder was detained. He could have been collaborating with criminal organizations or sanctioned countries to dump ill-gotten assets on Tornado. Alternatively, he may have followed in the footsteps of Virgil Griffith, an Ethereum Foundation developer who traveled to North Korea and was prosecuted with sanctions violations for providing publicly available information about cryptocurrency at a conference.
Griffith was told by US state authorities not to travel to North Korea, but he went nonetheless. He was merely delivering an idiot's tour to Ethereum, but he understood it was interesting since it was positioned as a mechanism to circumvent sanctions.
The warning is obvious enough when it comes to crypto mixers. There is little prospect that someone will install a software, let it run, and then wash their hands of ownership. Even though consumers have complete control over what they do with the app, there is still a person behind the code. And it's probably best if we don't know who they are.