The Breakdown - Tornado Cash Arrests: Attack on Terrorism or Attack on Privacy?
Episode Date: August 24, 2023
The US Government has arrested one of the founders of Tornado Cash and is on the hunt for another. NLW examines the community's reaction, and the discussion of whether it's an action more about chilling privacy tech than it is about actually preventing terrorism financing.
Transcript
Welcome back to The Breakdown with me, NLW.
It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world.
What's going on, guys? It is Thursday, August 24th, and today we are talking about Tornado
Cash and some big announcements of arrests yesterday.
Before we get into that, however, if you are enjoying the breakdown, please go subscribe to it,
give it a rating, give it a review, or if you want to dive deeper into the conversation,
come join us on the Breakers Discord.
You can find a link in the show notes or go to bit.ly slash breakdown pod.
Well, friends, a bit of a big announcement yesterday.
On Wednesday, the Justice Department unsealed charges against two Tornado Cash co-founders.
Roman Storm, who lives in Washington State, has been arrested, and Roman Semenov,
a Russian citizen, remains at large, and is believed to be currently residing in Dubai.
In addition to the charges, Semenov has been added to the Office of Foreign Assets Control's
Specially Designated Nationals list, which is the list of sanctioned companies
and individuals. The pair are charged with conspiracy to commit money laundering, conspiracy to commit
sanctions violations, and conspiracy to operate an unlicensed money transmitting business.
A third co-founder, Alexei Pertsev, you will remember, was arrested in the Netherlands in August
of last year, and Pertsev is currently awaiting trial on money laundering charges from home detention
after spending over six months in jail. OFAC said in a statement that, quote,
Tornado Cash has been used to launder funds for criminal actors since its creation in 2019,
including to obfuscate hundreds of millions of dollars in virtual currency stolen by Lazarus Group hackers.
Alongside Semenov being personally added to the sanctions list,
eight Ethereum wallet addresses were identified as belonging to him.
According to Elliptic, these addresses have processed more than 11.5 million in crypto transactions.
Now, the DOJ claims that Tornado Cash has, quote,
facilitated more than $1 billion in money laundering,
including, quote, hundreds of millions for North Korea's Lazarus Group.
The key to the case, according to U.S. Attorney Damian Williams,
is that the pair here charged, quote, knowingly facilitated money laundering.
He said in a statement,
while publicly claiming to offer a technically sophisticated privacy service,
Storm and Semenov in fact knew they were helping hackers and fraudsters conceal the fruits of their crimes.
Today's indictment is a reminder that money laundering through cryptocurrency transactions
violates the law and those who engage in such laundering will face prosecution.
Now, Storm's lawyer claimed that the case hinged on a novel legal theory.
He said in a statement,
We are incredibly disappointed that the prosecutors chose to charge Mr. Storm because he helped develop
software, and they did so based on a novel legal theory with dangerous implications for all software developers.
Mr. Storm has been cooperating with the prosecutor's investigation since last year,
and disputes that he engaged in any criminal conduct.
There is a lot more to the story that will come out at trial.
Now, let's take a step back and put this in the context of what happened last year.
In August of last year, Tornado Cash was placed on the sanctions list.
The use of sanctions to prohibit the use of anonymizing services was controversial within the
crypto industry. Both Coin Center and a group of individuals backed by Coinbase have sued the Treasury
Department over the sanctions, with each lawsuit claiming that the sanctions impinge on
U.S. citizens' legitimate expectation of privacy and freedom of speech protections around the execution
of computer code. In addition, they claim that autonomous smart contracts cannot be the subject
of sanctions law, as they are not the property of a sanctioned individual or group.
Last week, however, the Coinbase lawsuit was dismissed, with the judge writing in their
decision that smart contracts are analogous to vending machines in the way they carry out their
predetermined task. The judge wrote that, the fact that smart contracts do so without additional
human intervention like a vending machine or that they are immutable does not affect its status as
the type of contract and thus a type of property within the meaning of the regulation.
Now, let's dig into the charges a little bit. The newly unsealed charges explain the functionality
of Tornado Cash and how Storm and Semenov established a token system around the protocol
in order to profit from its operation. Tornado Cash allows
users to deposit ETH to be mixed with other depositors. Users receive a secret note which can be
redeemed for the deposited ETH at a new unrelated address. In order to facilitate the withdrawal of ETH
to fresh wallets that could not pay gas fees, Tornado Cash established a system where users
could use relays to process withdrawal requests using the smart contract. Relays would take a fee
for providing this service. This process makes private transactions possible on the Ethereum
network, breaking the ability to trace funds through blockchain analytics.
Storm and Semenov, the government accused, would frequently give instructions on how to
maximize the anonymity provided by the service, including waiting several days before withdrawing
to ensure that transactions couldn't be linked. Nine months after the launch of Tornado Cash in August of 2019,
the developers updated the smart contract to remove their private keys. This made it impossible for the code to be further modified
and relinquished any ability to control its operation. In December 2020, the founders created the TORN
DAO to make governance decisions around the protocol. The DAO issued TORN tokens and distributed them
with 8% of the supply going to each founder and 6% going to venture capital backers.
The DAO then used these tokens to create an incentive scheme to encourage relays to compete
to process transactions and to incentivize users to deposit funds to increase the anonymity set
for the protocol. The indictment alleges that the founders profited from the price appreciation
of the TORN token, ultimately cashing out for $2.6 million each in August of 2022.
Now, where the nuance in this case comes in is the question around were these charges for writing
code, or were they charges for some other type of activity that the government sees as
beyond the pale? Obviously, when we're talking about something where the implications are the big
thing that matters, these sort of details are essential to really understand. And indeed,
in this case, the charges against Storm and Semenov go deeper than just writing and publishing
the code underlying Tornado Cash. In fact, the DOJ appears to be much more focused on the actions
taken by them to support, promote, and profit from the protocol after its initial deployment.
The indictment claims that the developers were aware and indifferent to the use of Tornado Cash
to launder the proceeds of crime from the beginning.
As far back as November 2021, the government says the developers considered whether they should
implement KYC and anti-money laundering features into Tornado Cash and chose not to.
This consideration became more serious after the $552 million Ronin Bridge hack in March of 2022,
given that the following month, the attack was attributed to the Lazarus Group, which had been
on the sanctions list since September 2019.
The stolen funds were very publicly identified as being laundered using Tornado Cash.
According to encrypted chats disclosed in the indictment, Storm sent a message to his fellow
developers as the news broke in April stating, guys, we are effed.
The Tornado Cash team then implemented some perfunctory controls on the protocol's front end,
such as the website used to access Tornado Cash would now block deposits from wallet addresses
on the sanctions list. However, in encrypted chats, the developers acknowledged that these
controls would be, quote, easy to evade by interacting with a smart contract directly.
The indictment also introduces evidence that the developers were aware of just how rampant money laundering was on Tornado Cash.
In encrypted chats, they shared an article which claimed that more than 90% of transactions through the service were related to criminal acts.
In the three months that followed the Ronin attack, as much as 15% of volume was attributed to the laundering of those funds.
The key allegation in the indictment is that, quote,
Throughout this time period, the Tornado Cash founders continued to operate the Tornado Cash service
and facilitate the Lazarus Group's money laundering and sanctions evasion, including by paying
the U.S.-based web hosting service to continue to host the Tornado Cash website, continuing to maintain
and keep the UI accessible to customers, and promoting the Tornado Cash service in public statements.
Moreover, they maintained the Relayer Algorithm, and the Relayer Registry, which allowed them to
profit financially from the continued use of the Tornado Cash Service by the Lazarus Group.
As to the charges, the developers have been charged with three counts each.
Conspiracy to commit money laundering, conspiracy to commit sanctions violations, and
conspiracy to operate an unlicensed money-transmitting business. As you might imagine, the crypto-legal
community has a lot to say about whether the facts alleged in the case establish that Tornado Cash or
the system of relays around it legally qualify as a money-transmitting business. Peter Van
Valkenburgh, the director of research at Coin Center, said, the factual allegations of unlicensed
money transmission are in conflict with FinCEN's longstanding guidance that a, quote,
anonymizing software provider is not a money transmitter. In an accompanying article, Valkenburgh says that
the only part of the indictment that indicates the developers were operating an unlicensed money
transmission business is that they, quote, engaged in the business of transferring funds on behalf of
the public. According to Valkenburgh's analysis of the law, this falls short of the legal definition
which requires acceptance of funds from a customer for the purposes of transmission. The implication is the
same one that Tom Emmer has been putting forward in his blockchain regulatory certainty bill that,
quote, if you don't custody consumer funds, you are not a money transmitter. However, Preston
Byrne, a lawyer at Brown and Rudnick, noted that there is some legal nuance in the way the
DOJ went about charging the developers. He said, the feds don't need to show that they accepted
or received funds because defendants aren't charged with the underlying offense. They're charged
with conspiracy. Preston expanded that thought. There is a huge difference, he wrote, between
A, merely publishing code for discussion purposes which could be used unlawfully, and B, running an
unlawful business which monetizes that code. After reading the Tornado Cash indictment, if things are as
alleged, it was the latter. For the purposes of 18 U.S.C. 1960, the
publication of protocols on GitHub isn't the same thing as operating a whole damn system,
including hosting a UI and bolting on a shit coin to it, where the returns from the coin
are linked to the provision of liquidity for the system. I think it is that involvement with
the essential functionality of the system which makes it not subject to the network access
carve out from the definition of money transmitter. Do we need privacy and crypto? Absolutely.
Are there ways for people to run code that does this lawfully? Yes. Was Tornado Cash the way? No.
Now, of course, as much nuance as there might be in the specifics of how the defendants
were charged, one of the big concerns is the chilling effect on privacy norms and open source
development that it might have no matter what the charges actually are. In a rare moment of
speechlessness, Jake Chervinsky, the chief policy officer at the Blockchain Association, said,
I'm struggling to think of something, anything useful to say about the tragic mistake that is
the DOJ's decision to treat privacy and speech as crimes. I'm blank. Later, he followed up,
privacy is normal. Code is speech. The right to anonymity is essential to a free society. These are
fundamental principles embodied in the U.S. Constitution. In time, I'm confident they will be confirmed
by the judiciary, even if today they were ignored by the executive. Chris Blec wrote,
The arrest of Roman Storm and Roman Semenov of Tornado Cash isn't about money laundering. This is an
attack on privacy. It's an attempt to chill the open source community into compliance. The government
does not want you to do anything that it's unable to observe and judge. Dystopia Breaker writes,
Take a moment to consider the broad and absurd implications of writing software that is used in a bad way
makes the author legally responsible for every bad use would mean. No signal, no privacy tools,
total handover of power to centralized orgs and illegalization of privacy. Ultimately, this position is so
absurd that it seems unlikely to be accepted. It's remarkable that they went with it.
Messari's Ryan Selkis said, we are so far from our founding principles we just jailed a software
developer for building encryption tech and daring to empower citizens to transact freely.
Utterly disgusting. We need a total evisceration of our political police state in D.C. No reform,
mass layoffs. And Udi Wertheimer really summed up many people's feelings when he said,
Today is a sad day for America and for freedom. Privacy is for everyone, and it is crucial that as
an industry, we keep fighting for it no matter the setbacks. No one else is going to.
At this point, I think in crypto, we're almost anesthetized to more government actions against
the industry. But I think this one is worth holding aside and putting in a slightly different category.
The conversation here isn't really about cryptocurrency, except insofar as it was used
as a reward mechanism for people who are promoting this protocol. Obviously, the much bigger questions
are about the nature of privacy, about the rights of software developers, about the responsibilities
of software developers, about the tools that the government uses to fight money laundering and
terrorism. They are, in other words, emblematic of bigger concerns and bigger questions. It's reasonable
to have contradictory feelings about this, but that's exactly why we need regulatory clarity,
not just for crypto, but for software development. And guess what? In a world of AI, these questions are coming up all over again. The question in particular of whether the developers of software can be held accountable for how it's used is becoming an even bigger question than it ever has been in the past. In other words, this one is worth considering for far more than the implications for just this industry, but for the very basis of the technology-driven society that we live in.
Anyways, guys, that is going to do it for today's breakdown. I will of course keep you updated as the situation evolves.
Until next time, be safe and take care of each other. Peace.
