The Breakdown - Are the US Sanctions on Tornado the Beginning of a War on Privacy?
Episode Date: August 9, 2022This episode is sponsored by Nexo.io, Chainalysis, FTX US and NEAR. In breaking news, the U.S. Treasury Department’s Office of Foreign Assets Control announced on Monday that it was adding Tor...nado Cash and associated addresses to its sanctions list. It is seemingly the first time that an entire technology protocol, rather than just an individual or group of individuals, has been added to the list. NLW explores the discussion in the crypto community as well as the legal and technological implications. - Nexo is a security-first platform where you can buy, exchange and borrow against your crypto. The company safeguards your crypto by relying on five key fundamentals including real-time auditing and insurance on custodial assets. Learn more at nexo.io. - Chainalysis is the blockchain data platform. We provide data, software, services and research to government agencies, exchanges, financial institutions and insurance and cybersecurity companies. Our data powers investigation, compliance and market intelligence software that has been used to solve some of the world’s most high-profile criminal cases. For more information, visit www.chainalysis.com. - FTX US is the safe, regulated way to buy Bitcoin, ETH, SOL and other digital assets. Trade crypto with up to 85% lower fees than top competitors and trade ETH and SOL NFTs with no gas fees and subsidized gas on withdrawals. Sign up at FTX.US today. - NEAR is a simple, revolutionary Web3 platform for decentralized apps, created by developers for developers. More than 700 projects are now building on NEAR’s fast, secure and infinitely scalable protocol, from DeFi apps to play-and-earn games, NFT marketplaces and more. Start your developer journey now by visiting NEAR at near.org. - “The Breakdown” is written, produced by and features Nathaniel Whittemore, aka NLW, with editing by Rob Mitchell and research by Scott Hill. Jared Schwartz is our executive producer and our theme music is “Countdown” by Neon Beach. The music you heard today behind our sponsors is “The Now” by Aaron Sprinkle. Image credit: Nuthawut Somsuk/Getty Images, modified by CoinDesk. Join the discussion at discord.gg/VrKRrfKCz8.
Transcript
Discussion (0)
Welcome back to The Breakdown with me, NLW.
It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world.
The breakdown is sponsored by nexus.com, and Ft, and produced and distributed by CoinDesk.
What's going on, guys? It is Monday, August 8th, and today we are asking the question if new U.S. sanctions on tornado cash are the beginning of a war on privacy.
Before we get into that, however, if you are enjoying the breakdown, please go subscribe to it,
give it a rating, give it a review, or if you want to dig deeper into the conversation,
come join us on the Breakers Discord. You can find a link in the show notes or go to bit.ly slash
breakdown pod. Also, a disclosure as always. In addition to them being a sponsor of the show,
I also work with FTX. And finally, this week I am thrilled to welcome NIR as an additional
sponsor of the show. Neer is a revolutionary yet simple Web3 platform for building decentralized
apps. Designed by developers for developers, over 700 projects are now building on NIR's fast,
secure, and scalable protocol. Whether you're a crypto-native launching defy apps, NFT
marketplaces, or play-to-earned games, or looking to migrate your project from Web 2,
NIR makes it easy to build Web 3 for the masses. NIR offers developers a variety of tools,
resources, and support for building apps, empowering communities, and creating a more fair,
inclusive, and equitable future. Start your Web3 developer journey now by visiting NIR at NIR.
All right, listen, guys, I had an easy plan for today.
I was going to discuss last week's jobs report.
It surprised economists in a big way with far more jobs added than expected.
528,000 jobs to be specific, more than twice consensus estimates.
And remember, the Fed has made it very clear that when it comes to September's rates decisions,
they're going to be based on data they're seeing not some forward guidance they've locked themselves into.
The first order analysis of the Friday jobs news then
was that it meant the Fed was more likely to keep raising rates aggressively.
The logic was that if the job market was still hot,
the economy could bear more interest hikes.
However, when one digs into the jobs report numbers a little more deeply,
they aren't telling us quite a clear story
as the first headlines would have made it seem.
However, we are going to have to wait to get into that
because this morning, news broke that the Crypto Mixing Service,
Tornado Cash, had been blacklisted.
in other words, sanctioned by the U.S. Department of Treasury.
Sometimes I wait a day to get more info and context, but in this case, I think this is a BFD and
worth diving into.
Now, there will be some definitional stuff as we dive in, but the TLDR on what a mixer is,
if you're not familiar, is it's a type of technology that's used to obfuscate potentially
identifiable transaction addresses for cryptocurrencies like Bitcoin or Ethereum.
There are a bunch of different ways that mixers do this, but effectively they involve
mixing multiple transactions into one pool so that it's not as easy to read on-chain,
value going from address X to address Y, as is the case with the normal cryptocurrency transaction.
In other words, it is a privacy technology, and that's obviously key to today's discussion.
And to get into that discussion, let's start with the Treasury Department's official statement.
Now, this comes from the Office of Foreign Assets Control or OFAC, which is the sanctioning body of the U.S.
Today they sanctioned Tornado claiming that it had been used to launder more than $7 billion
worth of virtual currency since 2019 when it was created.
That includes $455 million stolen by the Lazarus Group, which is a North Korean state-sponsored
hacking group, which had been sanctioned by the U.S. in 2019.
The statement calls this the largest known virtual currency heist to date.
The statement also claimed that Tornado was used to launder other ill-gotten crypto loot,
96 million from the June 24th, 2022 Harmony Bridge heist, and at least 7.8 million from the nomad
heist last week. By the way, these are their words that I'm using. Heist seems to be the preferred
official term. In the statement, the Undersecretary of the Treasury for Terrorism and
Financial Intelligence, Brian E. Nelson says, today Treasury is sanctioning Tornado Cash, a virtual
currency mixer that launders the proceeds of cybercrimes, including those committed against victims
in the United States. Despite public assurances otherwise, tornado cash has
repeatedly failed to impose effective controls designed to stop it from laundering funds for
malicious cyber actors on a regular basis and without basic measures to address its risks.
Treasury will continue to aggressively pursue actions against mixers that launder virtual
currency for criminals and those who assist them. End quote.
Now, this document very much makes it clear that mixers in general are on notice.
It says that the action follows OFAC's May 6th, 2022 designation of virtual currency mixerblender.io
as also sanctioned. Recapping from that original statement. Quote, on March 23rd, 2022,
Lazarus Group, a DPRK state-sponsored cyberhacking group carried out the largest virtual currency
heist to date, worth almost $620 million, from a blockchain project linked to the online game
Axy Infinity. Blender was used in processing over 20.5 million of the illicit proceeds.
Under the pressure of robust U.S. and UN sanctions, the DPRK has resorted to illegal activities,
including cyber-enabled heists from cryptocurrency exchanges and financial institutions
to generate revenue for its unlawful weapons of mass destruction and ballistic missile programs.
Another quote from Brian E. Nelson,
today for the first time ever Treasury is sanctioning a virtual currency mixer.
Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests.
We are taking action against illicit financial activity by the DPRK
and will not allow state-sponsored thievery and its money laundering enablers to go unanswered.
Now, just to really put a fine point on how Treasury feels about mixers, here's how they
describe Tornado Cash.
Tornado is a virtual currency mixer that operates on the Ethereum blockchain and indiscriminately
facilitates anonymous transactions by obfuscating their origin, destination, and counterparties,
with no attempt to determine their origin.
Tornado receives a variety of transactions and mixes them together before transmitting them
to their individual recipients.
While the purported purpose is to increase privacy, mixers like Tornado are commonly used
by illicit actors to launder funds, especially those stolen, during significant heists.
And here's the money line.
Virtual currency mixers that assist criminals are a threat to U.S. national security.
Treasury will continue to investigate the use of mixers for illicit purposes and use its
authorities to respond to illicit financing risks in the virtual currency ecosystem.
Now, a tweet from Secretary of State Anthony Blinken really showed how the Treasury Department
felt, but we'll come to that in a minute.
So what does this mean in practice?
Well, again, the official statement says all property and interest in property of tornado cash
that is in the United States or is in the possession or control of U.S. persons is blocked and must be
reported to OFAC. In addition, any entities that are owed directly or indirectly, 50% or more by one
or more blocked persons are also blocked. All transactions by U.S. persons or within or
transiting the United States that involve any property or interest in property of designated or
otherwise blocked persons are prohibited unless authorized by a general or specific license issued by
OFAC. Anyways, it goes on. But the TLD
is that all U.S. persons could now face criminal penalties for interacting with Tornado Cash
or any of the Ethereum wallet addresses tied to the protocol.
Now, one of the big questions you might be asking is, will this actually work?
Can you sanction a protocol?
One of the co-founders of Tornado Cash Roman Seminoff previously said,
This protocol was specifically designed this way to be unstoppable,
because it wouldn't make much sense if some third party, such as a developer, would have control over it.
This would be the same as if someone had control over Bitcoin or Ethereum.
On March 10, 2022, a Bloomberg piece ran called Cryptomixer Tornado Cash says sanctions can't apply to
smart contracts. Seminoff again said that it is, quote, technically impossible for sanctions to be
enforced against this type of decentralized protocol. He said, quote, according to FinCEN guidance
of 2019, in the case of tornado cash, contributors fall under the anonymizing software provider's
definition, which excludes them from money transmitter regulations. He also said we comply with
all U.S. regulations regardless of our citizenship.
He also said that Helix, which is another Bitcoin mixer that pled guilty to helping criminals
laundering money, was different. Seminoff said that many Bitcoin mixers are illegal because the services
are custodial, aka they actually hold user funds. Quote, it makes them money transmitters and money
transmitters are required to do KYC. Now, in a press conference after this announcement today, a
treasury official disagreed with Seminov's assessment that it's technically impossible to enforce these
types of sanctions. He said, quote, since we sanctioned virtual currency mixer blender.
we have not seen evidence to suggest that it has remained active post that designation.
We do believe that this action will send a really critical message to the private sector
about the risks associated with mixers writ large,
which obviously is designed to inhibit tornado cash
or any sort of reconstituted version of it to continue to operate.
Couldn't be clearer, frankly, what their goal is. No mixing.
In times like these, security of your assets should be your number one priority.
If you want to offset risk as much as possible and still stay in crippling,
you need a trusted partner by your side.
Nexo is a security-first company that manages risk by relying on mechanisms such as over-collateralization,
real-time auditing, and insurance on custodial assets.
Learn more about Nexo's reliable business model and start your crypto journey at nexo.io.
That's nexo.io.
Eager to make more informed decisions around crypto, chain analysis is here to help.
Chainalysis demystifies cryptocurrency by providing industry-leading compliance, market intelligence,
and investigations support for all crypto assets.
For organizations like Gemini, Crypto.com, and BlockFi.
Gain unparalleled visibility and maximize your potential with the leading blockchain data platform
by visiting us now at Chainalysis.com slash CoinDesk.
The breakdown is sponsored by FTXUS.
FDXUS is the safe, regulated way to buy and sell Bitcoin and other digital assets
with up to 85% lower fees than competitors.
There are no fixed minimum fees, no ACH transaction fees, and no withdrawal fees.
One of the largest exchanges in the U.S.
FDXUS is also the only leading exchange that supports both Ethereum and Solana NFTs.
When you trade NFTs on FTCS, you pay no gas fees.
Download the FTCX app today and use referral code Breakdown to support the show.
Now, what about the crypto industry response?
Ari Redboard, the head of legal and governmental affairs at analytics firm TRM Labs,
called this the largest and most impactful action from the Treasury Department in crypto to date.
Quote, when you talk about North Korea in particular,
tornado cash has been the go-to mixing service.
What OFAC is saying is, these hacks are more than hacks.
They're serious national security risks.
It's not just money laundering.
It's money laundering that's going to be used for weapons proliferation.
Now, one of the things that also makes this different is that Tornado Cash, in addition to that
illicit financing, has a significant amount of value that flows through that isn't illicit at all.
Redboard went on. I think what we're seeing from Treasury is, if you're going to allow a lot of
illicit activity, we're going to go after you even if there is a lot of legitimate activity.
And this is much the point and the discussion of the Coin Center response, which was titled,
U.S. Treasury's sanction of privacy tools places sweeping restrictions on all Americans.
The response confirms that the net impact of this is, quote,
no Americans can send to receive money to or from those addresses without violating sanctions laws.
Here's the meat of their response.
Quote, what is the OFAC SDN list typically meant to do?
In general, it is a tool to identify persons involved in terrorism,
enemy states, or other state-sanctioned activities,
and ensure that these individuals cannot get the benefits of the U.S. financial system.
How is adding Tornado.cash to the SDN list different from past OFAC actions?
A smart contract is a robot, not a person.
It is software that resides on the Ethereum blockchain.
If a contract is credibly decentralized,
then the original authors of that contract
could be hit by a bus, and the service would continue to work.
As such, today's action does not seem so much a sanction
against a person or entity with agency.
It appears instead to be the sanctioning of a tool
that is neutral in character,
and that can be put to good or bad uses like any other technology.
It is not any specific bad actor who is being sanctioned,
but instead it is all Americans who may wish to use,
use this automated tool in order to protect their own privacy while transacting online, who are having
their liberty curtailed without the benefit of any due process. In other words, what CoinCenter
is saying is that this is an attack on technology which is inherently neutral, and that is a shift.
They point out in the past when Bitcoin or Ethereum addresses have been sanctioned, the reasoning
is that they're controlled by persons who are engaged in sanctioned activities. This is different.
Quote, sanctioning a tool that is not an alias of any person meriting sanction is substantially
different from typical usage of the STN list. It is a ban on a technology and not a sanction
against a person. There's also a practical problem that they recognize. Quote, even worse,
because of the nature of blockchain transactions, an American who has sent money through the
tornado.cash address is not even able to reject the transaction, and yet may be at that
moment technically in violation of OFAC rules. So another way to think about this is if you have any
sort of public Ethereum address that holds NFTs, think about how many random, crappy NFTs
people have just sent you, hoping that you're going to interact with them. What Cointender is pointing
out is that theoretically, tornado-related funds could just be sent to any public Ethereum address.
And that might make the recipient, even though they didn't ask for those funds, and they don't
want those funds, and they don't want to do anything with those funds, and they're not actively
doing anything with those funds in violation of sanctions. Preston Byrne, a lawyer at Anderson Kill,
writes, the tornado cash thing makes me wonder if in future crypto wallets will need to have
functionality to reject incoming transactions. I'm seeing people ask what would happen to someone
in the Dot ETH crowd by just shoving some coin through the tornado cash contract and withdrawing it
to your least favorite E-Celeb's wallet account. OFAC is a strict liability regime. He goes on to
speculate about what that would look like, but as you'll see, this is a key question and point
of discussion is what happens in this circumstance. What about other discussions on crypto
Twitter, well, some people think this is going to get forked. It's part of that unstoppable
theme. Chain Yoda writes, this tornado cash sanction is going to go exactly the way
previous Uncle Sam actions have gone. Influencers will larp. Some kid like Virgil will get
excited by the LARP, forked tornado, do something not funny, not have a good lawyer and get
dinged on personal liability like Ross. Now, he is referring to Virgil Griffith, an Ethereum
developer who went and gave a presentation in North Korea and is now in jail because of it.
Stephen Paley, another partner at Anderson Kill, says,
Virgil had one of the best criminal defense lawyers in the United States.
It didn't matter.
Strongly advised not fucking around with OFAC children.
Also, I don't know why this is an unpopular opinion,
but maybe providing mixing services for rogue states and criminals isn't a great idea.
Now, I wanted to flag that point from Paley,
because while it's definitely one of the least loud perspectives out there,
you have to think that a lot of people are thinking that exact same thing.
And to preview where I think this is all headed, I think this is headed towards a larger
internal conversation in crypto about privacy, which is a conversation that we've often
started but never really gotten to any sort of consensus on, or really any sort of clear
positions to debate.
Because by and large, the way that this is being seen by the crypto community is a war
on privacy.
Dylan LeClair writes, the U.S. Treasury announced this morning that it is sanctioned the use
of the non-custodial Ethereum mixer through the blacklisting of various addresses.
Even if you just hold Bitcoin, pay attention.
The war on privacy is just beginning.
Maya Zahavi wrote the OFAC tornado's slippery slope, banning any on-chain private metadata
because it could potentially harm blockchain forensic analysis, i.e., only wallets that can be hermetically
surveilled are koshered under OFAC crypto rules.
It's a government war on privacy, not money laundering.
Checkmady from GlassNode writes, the tornado cash event of today should highlight why
adversarial thinking is so important.
Privacy is far from being robust and remains one of the biggest attack factors.
but minimizing attack surface at the consensus layer means it will always fight another day.
We have to remember that not everyone is watching this with the Paul.
Nicholas Weaver, a long-term opponent of crypto, retweeted CoinDesk, and said,
This is my super happy dance, happy dance.
Andrew Bailey takes a screenshot and writes this kind of bootlicking is gross and to me quite honestly sad.
There's someone out there who needs tornado or tornado-like gizmos, not to steal, but to survive.
Muneeb from Stacks and Trust Machine points out that this is exactly why the constant
constant Twitter tribal fighting is just so stupid and useless. And worse, distracting. It's time to put
our crypto tribalism aside. The Crypto Wars, too, are starting. U.S. Treasury puts Privacy Tool
Tornado Cash on the sanctions list. This list is meant for people, not tech tools. Privacy tools
are for every American. Now, to wrap up with one of the crazier parts of the story,
this morning, Secretary of State Anthony Blinken wrote, we will continue to aggressively pursue
actions against currency mixers laundering virtual currency for criminals. Today,
U.S. Treasury-sanctioned virtual currency mixer, Tornado Cash, which is a U.S. sanctioned DPRK
state-sponsored hacking group used by the DPRK to launder money. Now you may be sitting there
thinking to yourself, wait a second, Tornado Cash is a U.S. sanctioned DPRK state-sponsored
hacking group? That's quite a bit different than being used by a state-sponsored hacking group.
And the crypto industry was, of course, very quick to point that out. The tweet was deleted
and replaced with, quote, will continue to aggressively pursue actions against currency mixers laundering
virtual currency for criminals. Today, U.S. Treasury sanctioned virtual currency mixer tornado cash,
which has been used to launder money for a U.S. sanction DPRK. State-sponsored cyber hacking group.
This was a surprising moment, but I think Tom Schmidt from Dragonfly Capital has it right.
Even though this tweet was deleted, it's a pretty damning glimpse into how regulators view these things.
When someone shows you who they are, believe them the first time.
So what's next? Well, first there are some immediate issues like what happens to user funds in Tornado right now.
And of course, the concern that we were discussing about what happens when someone sends random addresses Tornado funds.
Larry Sermak from the Block summed this up admirably when he wrote,
what I'm curious about is what happens when you send Tornado-washed Eath to random public ENS.
Do you just f*** them forever?
But then, of course, there is the larger question of what it means for privacy in crypto.
And what that means for privacy in the financial system in general going forward.
As I said, I don't believe that we've really fully had that conversation in this space.
And given that the stakes are increasingly not just going to be what you can and can't do with crypto,
but what our fundamental expectations of financial privacy are in a new technology era
that can include everything from these sort of mixers to hyper-surveillance central bank digital currencies.
There aren't very many conversations that could be more important to have.
For now, I want to say thanks again to my sponsors, nexus.com.i.o.
chain alysis, FTX, and NEAR, and thanks to you guys for listening. Until tomorrow, be safe and take care of each other.
Peace.