On August 8, 2022, the US Treasury Department’s (Treasury) Office of Foreign Assets Control (OFAC) announced that it designated the virtual currency mixer Tornado Cash on the Specially Designated Nationals and Blocked Persons List (the SDN List) under Executive Order 13694 over claims that more than $7 billion worth of virtual currency has passed through Tornado Cash since its creation in 2019—much of this by illicit actors. On November 8, 2022, OFAC delisted and simultaneously redesignated Tornado Cash under Executive Orders 13722 and 13694 over claims that Tornado Cash had also materially assisted, sponsored, or provided financial, material, or technological support for the Government of North Korea.
One of the innovations of blockchain—a public ledger of transactions—is the ability, in normal circumstances, to trace a flow of funds from the original sender to the ultimate recipient. Virtual currency mixers, or tumblers, use various techniques to obfuscate the end recipient of the transaction, so that someone tracing the flow would see only that the sender had sent funds to the mixer, but would lose the trail to the ultimate destination. Illicit actors are known to use mixers to obfuscate transaction flows. For instance, the Lazarus Group—a North Korean state-sponsored hacking group—used Tornado Cash to launder over $455 million in the largest known virtual currency hack to date. Other malicious cyber actors used the mixer to launder millions more dollars in illicit proceeds, including $96 million from the June 2022 Harmony Bridge Heist and at least $7.8 million from the August 2022 Nomad Bridge Heist. OFAC determined that Tornado Cash repeatedly failed to impose effective controls to address this misuse.
OFAC’s designation of Tornado Cash is another example of US regulators’ efforts to expose components of the virtual currency ecosystem that cybercriminals use to obfuscate transactions and evade US sanctions. Financial institutions and those with exposure to the virtual currency ecosystem may consider assessing their exposure to transactions involving mixers, anywhere in the chain, and reviewing the adequacy of their AML and sanctions controls.
Regulators Target Virtual Currency
As we have discussed previously, US regulators are channeling enforcement resources to target persons that enable criminals to profit from cybercrime and other illicit activities. For example, in May 2022, OFAC announced that it designated Blender.io—Treasury’s first designation of a virtual currency mixer—following OFAC’s determination that the mixer had been used to launder stolen funds by the Lazarus Group and several Russian-linked ransomware groups. Additionally, in 2020 the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) assessed a $60 million civil penalty against Larry Dean Harmon, the operator of two unlicensed virtual currency mixers, for violations of the Bank Secrecy Act (BSA) and its implementing regulations. According to FinCEN, Harmon failed to register for a license for the two mixers and did not implement effective AML controls. As a result, FinCEN found that Harmon conducted over $311 million worth of transactions in convertible virtual currencies without performing appropriate due diligence on transactions or customers.
Treasury’s efforts to target virtual currency mixers have occurred in parallel with actions by other regulators. Notably, in June 2022, the US Justice Department (DOJ) announced charges against six individuals in four cases of alleged cryptocurrency fraud offenses involving over $100 million, including the largest NFT scheme to date, fraudulent cryptocurrency exchanges, a global Ponzi scheme of unregistered cryptocurrency securities, and a fraudulent initial coin offering. In August 2022, the Commodity Futures Trading Commission (CFTC) filed an injunctive action against Rathnakishore Giri and his companies for $12 million in fraudulently obtained investments, alleging that he created a Ponzi scheme to defraud investors interested in digital assets. In a September 2022 statement on digital assets, the White House encouraged regulators “to aggressively pursue investigations and enforcement actions against unlawful practices in the digital assets space.” The recent turbulence of the bankrupt cryptocurrency exchange FTX portends further regulatory scrutiny in this space.
Tornado Cash is unique among virtual currency mixers in that it is non-custodial and relatively decentralized, which means that Tornado Cash executes transactions without an intermediary’s direct control over the mixing process and does not obtain custody of its users’ deposits. By contrast, Blender.io was a centralized mixer because a single company managed the transactions. Tornado Cash, on the other hand, mixes cryptocurrency using smart contracts, which are essentially code running on a blockchain (Ethereum, in this case). Tornado Cash’s website is down; however, the underlying smart contracts that conduct the mixing are still running because they are self-executing code that can operate without further intervention. OFAC’s sanctions effectively shut down the service because the designations prevent users from easily accessing Tornado Cash wallets and the user-friendly website front end, highlighting that even ostensibly decentralized cryptocurrency projects still rely on a variety of centralized actors to function. Moreover, and though not the subject of this post, the developer behind Tornado Cash was arrested by Dutch authorities (and is currently in jail awaiting charges), stoking the argument in cryptocurrency circles about the level of culpability developers bear for their actions.
Tornado Cash’s redesignation is significant because it serves as a reminder of OFAC’s regulatory reach for centralized and decentralized companies in the virtual currency ecosystem alike, including virtual currency mixers, bridge protocols, cryptocurrency miners, privacy wallets, privacy-oriented cryptocurrencies, and other platforms reliant on smart contracts.
Takeaways for Companies and Cryptocurrency Project Participants
In light of US regulators’ efforts to target the virtual currency industry, companies and those pursuing cryptocurrency projects might consider assessing their exposure to potential sanctions and implementing and reviewing their AML and sanctions controls. OFAC’s Enforcement Guidelines state that it will consider the existence, nature, and adequacy of a risk-based sanctions compliance program in determining the appropriate action in response to an apparent violation of sanctions. An effective risk-based compliance program may include: (1) management commitment; (2) periodic risk assessments; (3) internal controls; (4) testing and auditing; and (5) training. Companies may consider reviewing their policies in light of these expectations.
Participants in the virtual currency ecosystem face increasing pressure to protect users’ privacy. However, companies may take steps to mitigate sanctions risks while still protecting privacy. For instance, cryptocurrency developers might consider building compliance controls directly into the foundation of their blockchain network—writing code that contains verification checks with minimal intrusions into personal details. New coding techniques and emerging blockchain technology may help ensure compliance without compromising privacy.
The Tornado Cash designation demonstrates that US regulators continue to target the virtual currency industry and are committed to countering the use of virtual currencies to facilitate illicit activities—from sanctions evasion to money laundering. Companies might consider these risks and take steps now to review the adequacy of their AML and sanctions controls.