Legal experts in the US are divided by the Treasury’s decision to repeal sanctions imposed on Tornado Cash, which has reignited debates on the remit of financial privacy and crime prevention.
On 21 March, the Department of Treasury lifted the sanctions that had kept Tornado Cash on the Specially Designated Nationals (SDN) list of “designated terrorists, officials and beneficiaries of certain authoritarian regimes, and international criminals” since August 2022.
The Treasury had previously accused Tornado Cash of facilitating the laundering of over $7bn in illicit funds, including over $455m stolen by the North Korean hacking group, Lazarus. In its statement, the Treasury acknowledged the complexity of regulating decentralised technologies but maintained that its concerns over illicit activity remain:
“While Tornado Cash’s removal from the sanctions list reflects the evolving understanding of decentralised protocols, the Treasury remains vigilant in addressing illicit financial activity in the cryptocurrency ecosystem.”
Tornado Cash operates as a ‘decentralised cryptocurrency mixer’ that allows users to conduct private transactions that break on-chain links between recipients. Transactions are anonymised by passing funds through a smart contract that mixes them with other crypto pools, after which they can be withdrawn to a new wallet on the Ethereum blockchain.
The decision was made a few days after the US Fifth Circuit Court of Appeals ruled that the Treasury Department had exceeded its authority by putting Tornado Cash on the sanctions list. The court ruled that Tornado Cash’s smart contracts were not “property” under federal law and, therefore, could not be sanctioned the way a normal financial entity can.
Tornado Cash has been a major target for regulators and law enforcement because of the ease with which it can obfuscate its customers’ transactions. Although its primary purpose is to ensure that users remain anonymous, the platform has been abused by cybercriminals and state adversaries.
The Lazarus Group, a North Korean state-sponsored hacking group, used Tornado Cash to conceal the proceeds of the $625m Ronin Network hack in March 2022, one of the biggest crypto heists ever. The group’s activities led the Treasury Department to claim that Tornado Cash was a key node in the movement of funds for North Korea’s weapons programmes and other criminal activities around the world.
The decision to decriminalise Tornado Cash has divided financial experts and cryptocurrency enthusiasts. Some consider it a step forward for decentralisation and financial privacy, while others consider it a sign of a slippery slope. Critics are concerned that without a clear legal basis for the action, the door may be opened for future misuse of decentralised networks.
Coinbase’s Chief Legal Officer, Scott Besent, shared his views on the risks of the decision: “Taking Tornado Cash off the sanctions list without resolving the legal issues leaves the industry in limbo. There is no clear definition of what is and is not permissible for developers and the market.”
Besent’s comments represent the broader concern regarding the legal status of decentralised applications, as well as the potential for different regulatory perspectives.
The issue does not end there; it also affects the core of what decentralisation is and who is responsible for it. Two of the co-founders of Tornado Cash, Roman Storm and Alexey Pertsev, have been charged with crimes, even though the platform is decentralised. Storm is scheduled to stand trial in July 2025 in New York, where the prosecutors are likely to contend that he knowingly enabled money laundering through the creation and operation of the programme.
In May this year, Pertsev was found guilty in the Netherlands and was sentenced to five years and four months in prison for the same offences. The third co-founder, Roman Semenov, is still at large and is thought to be in Russia.
The legal pressure on Tornado Cash’s founders shows how regulators grapple with the problem of extending liability to developers when their open-source software is used. Tornado Cash is autonomous in that the founders do not control the platform’s operations once it has been deployed via smart contracts. Yet prosecutors contended that the founders knew enough about the platform’s misuse to hold them accountable under current anti-money laundering laws.
The decision to lift sanctions also impacts the discourse on financial privacy. Tornado Cash has been used not only for criminal purposes but also by people who simply want to hide their financial transactions in countries with harsh governments or no financial anonymity. Supporters of the privacy rights argument have contended that it is unfair to erase one’s financial anonymity simply because a few people are bad actors. Some have seen the Treasury’s decision as a recognition of this tension, and a potential shift towards a more balanced regulatory approach.
Nevertheless, the backlash against the decision has been swift. Some lawmakers and security experts have accused the Treasury of caving to the cryptocurrency industry.
Concerns are growing that lifting the sanctions may encourage other decentralised platforms to flout regulatory rules and increase the likelihood of more malicious financial activities. Some have expressed concern that the decision might weaken the Treasury’s position in future enforcement actions, as it sends the wrong signal on cryptocurrency mixing.
The Tornado Cash case shows that the conflict between financial privacy and regulatory control is becoming increasingly apparent in the cryptocurrency world. The decision by the Treasury Department is a major legal and political shift, but the ongoing trial of Roman Storm and unanswered questions regarding the legal status of developers suggest that the larger issue of decentralisation versus centralised control is far from resolved.