While it might not have been the original purpose for building the service, or even what its creators would prefer it currently be used for, Tornado Cash has become the #1 destination for cyber criminals looking to launder their ill-gotten funds. But the service also has legitimate crypto privacy functions that are not adequately met elsewhere, and privacy advocates are worried that these elements may be pressured out of the blockchain now that the United States has placed sanctions on Tornado Cash and the similar service Blender.io.
Tornado Cash sanctioned under OFAC money laundering and terrorism financing rules
The sanctions are levied under the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), which can order residents of the country to cease doing business with foreign organizations linked to terrorism or money laundering under penalty of steep fines.
OFAC cited some recent hacking incidents as direct motivations for the sanctions on Tornado Cash, all involving decentralized finance (“defi”) heists that exploited a cryptocurrency bridge used to exchange token types: the $620 million theft from the Ronin network, attributed to North Korea’s state-sponsored Lazarus Group, as well as the recent multimillion-dollar heists pulled on the Nomad and Harmony networks. In all cases, the stolen funds were quickly traced to Tornado Cash where the attacker “spun” them to throw off pursuit. OFAC noted that some of the victims of these attacks were located in the US.
Crypto privacy advocates see the sanctions, which effectively make it illegal for any US resident to use Tornado Cash, as an overreach and an inappropriate measure conducted against a form of technology rather than a specific entity. Designer Roman Semenov has said in interviews that Tornado Cash was designed specifically so that once up and running there was no governing body able to control it. With no offices, executives or incorporated company associated with it, the crypto tumbler is essentially more of a free-floating protocol than a business or organization.
Semenov has also said that he was well aware that criminals would make use of it for money laundering purposes, but that the tool was vital to crypto privacy and that its use for crimes simply makes the requisite police investigation into those incidents more challenging rather than impossible (akin to a criminal encrypting their own incriminating files with open source software). Tornado Cash also differs from similar services, such as Helix, that have been offered via the dark web and expressly advertised themselves as being for money laundering purposes rather than crypto privacy concerns.
The fallout of the incident has gone beyond simply threatening US residents; other coin issuers have frozen funds traced to Tornado Cash activity, and Microsoft-owned GitHub deleted the accounts of the service’s developers.
Activists and advocates consider US moves an assault on crypto privacy
Advocates for Tornado Cash and similar mixing services point out that there are numerous legitimate and legal reasons to use them, which are taken off the table if the service is declared illegal. Some want to avoid having banks sell their personal and financial information to third parties; others want to make political donations in the most anonymous way possible; still others need to retain access to funds while being targeted by a repressive government. Some insist on paying for sensitive medical procedures in this way, as traditional fiat systems inevitably leave trails that someone might pick up. These services also provide a substantial layer of security for those in the largely unregulated crypto space who handle large amounts of money and may draw the special attention of criminals.
The sudden US government interest doesn’t seem to be so much about ransomware operators and other private criminal gangs making use of Tornado Cash, but the fact that North Korea’s state-sponsored hackers were linked to the Ronin attack earlier this year. This link has been used to demonstrate that the US government has a legitimate national security concern in this area.
The move has crypto privacy advocates concerned that other defi elements are next in the crosshairs, as the US and other governments apply similar reasoning to them. Aside from any possible legitimate national security concerns, the US has made clear that it is not in favor of an anonymous crypto world and would like to be able to unmask all users in some way (something that is already done at US-based exchanges such as Coinbase).
The bit about coin issuers freezing funds with connections to Tornado Cash activity also creates a potential attack vector should a person’s crypto wallet address be made public. An attacker could theoretically send small amounts of crypto that has passed through a mixer service to the intended victim, who would not have the means to refuse the transaction; the victim might now be caught up in account freezes and investigations.
Some crypto privacy advocates have floated the idea of challenging the OFAC sanctions, which were established via executive order, in court on constitutional grounds. The argument would be that government banning of a neutral software protocol is a free speech violation.