30 September 2022

Tornado Cash Sanctions: What are the impacts for non-US digital asset service providers?

Tornado Cash made history against its will. By adding the popular decentralized virtual mixer’s website and associated Ethereum smart contract addresses to its Specially Designated Nationals (SDN) list, OFAC effectively sanctioned a technology that resides on the Ethereum blockchain.

What happened?

On August 8, 2022, Tornado.cash - the website and associated Ethereum smart contract addresses - was added by the Office of Foreign Assets Control (OFAC) to its Specially Designated Nationals (SDN) blacklist. According to the press release from the U.S. Treasury, Tornado Cash had been used to launder more than $7 billion worth of virtual currency since its founding in 2019, including more than $455 million stolen by the Lazarus Group, a cyberterrorism group sponsored by the North Korean government. In addition to sanctioning the Tornado Cash protocol and related tools, OFAC also sanctioned a list of large wallets associated with the protocol.

The OFAC SDN list is designed to identify persons involved in terrorism, enemy states, or other sanctioned activities and to ensure that these individuals cannot benefit from the US financial system. Once a party is added to the SDN list, “US persons”, including digital asset exchanges operating in the U.S., are explicitly banned from transacting with it. The sanctions entered into force at 10:30 am ET on August 8, 2022.

What is Tornado Cash?

Tornado Cash is a decentralized, non-custodial, Ethereum-based, virtual currency tumbler that mixes a variety of Ethereum-based transactions into a lockbox that can be withdrawn by individuals who possess specific keys.

Like a VPN, tumblers such as Tornado Cash are designed to create a disconnect between the cryptocurrency that a user deposits and the cryptocurrency the user withdraws. At a high level, they work by pooling the funds deposited by many users, shuffling them in a seemingly random fashion, subtracting a small service fee and returning the remaining funds to each depositor, thereby protecting the anonymity of the user. Tornado Cash is thus designed to hide users’ transaction history, increasing privacy on what is otherwise an open and transparent blockchain. Next to such legitimate use cases, mixers like Tornado Cash also make criminal activity easier to conceal and may therefore be used for money laundering.

While many mixers are centrally set up and operated by a legal entity (e.g. Blender.io), Tornado Cash is a non-custodial, smart contract-based software application, not an entity. Because of its immutable, distributed design, Tornado Cash remains operational despite the imposed sanctions.

Why does Tornado Cash make the headlines?

The innovation lies in the subject of OFAC’s sanction: the action is directed not against a person or an entity but against a technology. While the Tornado Cash designation follows OFAC’s first-ever designation of a virtual currency mixer, Blender.io, some consider it the largest and most impactful action so far. In designating Tornado Cash, OFAC effectively sanctioned a technology that resides on the Ethereum blockchain. For the first time, the U.S. Department of the Treasury has sanctioned a specific, fully decentralized piece of software (a smart contract) identified by its address (the smart contract address) on an open distributed ledger (here Ethereum). Bitcoin addresses have been added to the SDN list in the past, but the rationale for those additions was that they were under the control of persons engaged in sanctioned activities, so that the address was simply another alias for the sanctioned person.

What is the effect of OFAC’s designation?

U.S. Persons must comply with these (primary) sanctions as a matter of U.S. law. The consequences for a U.S. person found to be engaging in any transaction with an entity on the SDN list can be severe: possible penalties include multi-million-dollar fines and lengthy prison terms.

While U.S. sanctions regulations are not directly applicable to non-U.S. (e.g. Swiss) persons, the sanctions may also have indirect implications for non-U.S. persons, as the US authorities may block non-U.S. persons from accessing the US monetary system if they transact with the Tornado Cash addresses on the SDN blacklist. In practice, non-US persons may therefore decide to “voluntarily” adhere to the imposed sanctions, or to refrain from doing business with the US.

Due to the nature of the blockchain, incoming transfers from a smart contract address cannot be rejected by the recipient. Hence, any Ethereum address holder could be faced with a potential OFAC sanctions violation (particularly if the holder is a US person) even if the holder never intentionally interacted with the sanctioned address, for example when receiving unsolicited funds through a “dusting attack”.

How to mitigate the risks?

Given the regulatory risks set forth above, non-US entities providing digital asset services, in particular custody or exchange service providers, are also advised to review their compliance and operational setup with regard to the following topics:

  • Sanction implementation: Non-US Persons that do US business are advised to also implement the Tornado Cash sanctions and to add Tornado Cash, as well as the 44 associated virtual currency wallet addresses sanctioned by OFAC, to their sanctions screening programs. The aim is to identify whether they receive or transmit any digital asset associated with the sanctioned wallet addresses, or with any other address believed to be associated with Tornado Cash.

  • Best practices knowledge: Organizations should check whether their sanctions compliance practices meet OFAC’s expectations in the light of OFAC’s October 2021 Sanctions Guidance and virtual currency Frequently Asked Questions, as well as NYDFS’s April 2022 Virtual Currency Guidance.

  • Transaction monitoring: Organizations should review their transaction monitoring model, whether built in-house or supplied by a vendor, in order to assess on an ongoing basis any potential touchpoints to Tornado Cash addresses.

  • Operational transfer-in setup: Organisations should revisit their operational setup for incoming transactions with the aim of reducing the risk of wallet addresses being contaminated by unsolicited incoming transactions. The use of temporary, dynamically generated addresses for both incoming and outgoing transactions may need to be assessed.

  • Client due diligence: Financial institutions as well as service providers that have customers from the DeFi or digital asset sector are advised to conduct due diligence on these clients as part of their own compliance practices.

  • Shape safer code: DeFi developers are advised to assess sanctions risks, both at the project level and at a personal level, when designing the technical setup of their future infrastructure.
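As an added example (not part of the original article), the following Python sketch shows how a provider’s sanctions screening and transaction monitoring could flag touchpoints between its own Ethereum addresses and a designated-address list, separating voluntary outbound interactions from unsolicited inbound transfers such as dusting. The designated addresses, the provider’s address and the sample transfers are constructed placeholders, not the addresses OFAC actually listed.

```python
import re
from dataclasses import dataclass

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(address: str) -> str:
    """Ethereum addresses are 20-byte hex; EIP-55 mixed case is only a
    checksum, so screening must compare case-insensitively."""
    address = address.strip()
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError(f"not an Ethereum address: {address!r}")
    return address.lower()

# CONSTRUCTED placeholders standing in for the designated addresses;
# a real screening list would be loaded from the official SDN data.
DESIGNATED = {normalize(a) for a in (
    "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead",
    "0xbeefbeefbeefbeefbeefbeefbeefbeefbeefbeef",
)}

@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    recipient: str

def screen(transfers, our_addresses, designated=DESIGNATED):
    """Return (tx_hash, category) for each transfer touching a designated
    address: 'outbound' = we sent funds to it (voluntary interaction);
    'inbound' = it sent funds to us (unsolicited, e.g. dusting; cannot be
    refused on-chain, but the receiving address now needs review)."""
    ours = {normalize(a) for a in our_addresses}
    hits = []
    for t in transfers:
        src, dst = normalize(t.sender), normalize(t.recipient)
        if src in ours and dst in designated:
            hits.append((t.tx_hash, "outbound"))
        elif src in designated and dst in ours:
            hits.append((t.tx_hash, "inbound"))
    return hits

def demo():
    """Constructed batch: clean transfer, outbound hit, mixed-case inbound dust."""
    ours = ["0xcafecafecafecafecafecafecafecafecafecafe"]
    batch = [
        Transfer("tx-1", ours[0], "0xfacefacefacefacefacefacefacefacefaceface"),
        Transfer("tx-2", ours[0], "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead"),
        Transfer("tx-3", "0xBEEFbeefBEEFbeefBEEFbeefBEEFbeefBEEFbeef", ours[0]),
    ]
    return screen(batch, ours)
```

Only direct touchpoints are flagged here; tracing funds that pass through intermediate addresses requires chain analysis beyond this check.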