Citing its regular use by cyber criminals for laundering the proceeds of ransomware attacks, the US Treasury placed a sanction on popular crypto mixer Tornado Cash a month ago. While it is undeniable that the service was popular with criminals looking to cut off the digital trail of stolen money, privacy advocates were quick to point out that crypto mixers serve valid privacy functions that are not addressed by any other existing services.
They also pointed out that the US Treasury sanction represented an unprecedented step in making a piece of software illegal. Sanctions are meant to discourage people from doing business with individuals, organizations or governments; Tornado Cash is only an “organization” in the loosest sense, with the service acting more as an independent algorithm that is not managed by (or even accessible to) its creators.
All of this is the basis for a legal challenge to the US Treasury sanction, which is now being funded by Coinbase. The largest crypto exchange in the US is backing a Texas suit that includes two Coinbase employees as plaintiffs, alleging financial damages from the government’s restriction of their legitimate use of Tornado Cash.
Lawsuit contends Tornado Cash crypto mixer has legitimate and important uses
When the US Treasury sanction was announced there was an immediate backlash, including assorted musings and threats of lawsuits challenging the move on the basis of its constitutionality. Coinbase is the first into the arena, however, and its suit focuses on the fact that Tornado Cash is software that essentially has no central management rather than an entity that can be sanctioned. This is a constitutional issue on First Amendment grounds, with prior legal precedent establishing that government restriction of tools such as software can be viewed as a free speech violation.
The government appeared to make the move against Tornado Cash specifically in response to North Korea’s state-sponsored Lazarus hacking group going on a small rampage through the crypto community in recent months, stealing hundreds of millions of dollars from an assortment of decentralized finance (“DeFi”) platforms and taking the proceeds to crypto mixers to throw off pursuit.
But privacy advocates argue that crypto mixers such as Tornado Cash were created for legitimate purposes, and that people rely on them for an assortment of functions. One of these is anonymity in making donations to groups that might invite retaliation from a repressive government (or the malicious criminal hacking groups that support them). Another is in keeping the amount of crypto payments and salary private, with these transactions usually recorded to the blockchain in a way that can be viewed by anyone who knows a wallet address.
A study run in June and July by blockchain analytics firm TRM Labs found that crypto laundering is certainly a major use of Tornado Cash, but not the majority of its traffic: 41% of the funds that went through it were linked to hacks and thefts. Naturally, that number would be skewed in favor of cyber attacks involving hundreds of millions of dollars versus everyday use by legitimate parties dealing in relatively tiny dollar amounts.
US Treasury sanction challenge has important ramifications for government authority over software
Tornado Cash’s unique structure as an open source decentralized project makes this case interesting not just to privacy advocates and crypto enthusiasts, but to legal analysts as well. The crypto mixer was built as a non-custodial smart contract with the specific intention of being beyond the reach of law enforcement demands. The small team that created it has no headquarters, organizational structure or ability to reach into the system and alter transactions or unmask its users.
A miniature version of this fight is playing out on GitHub, where Tornado Cash was removed following the US Treasury sanction but has been re-uploaded by free speech advocates as an archival fork. At least one of the co-founders of the crypto mixer has had their GitHub account removed as well.
Coinbase chief legal officer Paul Grewal likened the banning of Tornado Cash to making highways illegal in order to stop criminals from fleeing, and noted that allowing this to stand as precedent could open the door to future technology bans (to include bans of code itself) and to punishing open source developers for unintentional uses of their code. In addition to the arguments for that and for free speech, several of the plaintiffs in the Texas suit are arguing that the US government denied them the opportunity to legally recover funds that were already in the crypto mixer when the US Treasury sanction was handed down.
The Office of Foreign Assets Control (OFAC), the US sanctions authority in this case, has a range of classifications for violations that can hit individuals with penalties of anywhere from several thousand to millions of dollars for doing business with sanctioned parties.