The recent sanctioning of Tornado Cash by the Office of Foreign Assets Control (OFAC) pertinently shows the uneasy relationship between effective law enforcement and emerging blockchain technology.
Tornado Cash is a popular decentralised virtual currency mixer operating on the Ethereum blockchain. In simple terms, Tornado Cash provides mixing or tumbling services, whereby users send virtual currency and the mixer operates to receive transactions from the various users, mix them together and then transmit to recipients.
The primary purpose of the mixer is to increase privacy, so that a recipient does not have information about the sender of the virtual currency. While privacy is the purported objective of Tornado Cash, the platform is often criticised as being a useful tool for illicit actors seeking to launder funds by obscuring their source and in some circumstances invariably distancing tainted funds from their criminal origins.
It is suggested that Tornado Cash was the preferred laundering platform for NFT scammers and may have been used to launder circa 52% of all stolen NFTs. In a recent report by Elliptic, it is also noted that Tornado Cash was the source of $137.6m of cryptoassets processed by NFT marketplaces.
Whether it is NFT rug-pulls or NFT phishing scams, the view is that the perpetrators have typically used mixers such as Tornado Cash to obfuscate the illicit proceeds so they can be layered and eventually integrated into real world fiat currency systems.
On 8 August 2022, pursuant to Executive Order 13694, OFAC designated Tornado Cash as a Specially Designated National and Blocked Person. OFAC assert that Tornado Cash is, amongst other things, connected with the launder of some $455m stolen by Lazarus Group -a North Korean state sponsored hacking group.
By virtue of the sanctions, all property and interests in property of Tornado Cash, or any of its entities owned directly or indirectly by them – which are in the United States – are blocked and must be reported to OFAC. Furthermore, US persons are broadly prohibited from transactions with Tornado Cash or in transactions that involve the property of Tornado Cash.
This is a particularly notable enforcement action because Tornado Cash is essentially a piece of autonomous computing code. It is not a person or real property to which sanctions ordinarily apply and open-source code does not comfortably fit within the parameters for which OFAC powers have been designed. Indeed, following the imposition of the sanctions, a suspected developer of the code was arrested in the Netherlands.
There is a huge potential to stifle technological developments by attacking open-source code and those who contribute to it – a bedrock of development in the programming community. Commentators argue that open-source code should not be maligned because it has the potential to be utilised for nefarious purposes, such a step ignores all of the positive purposes for which the code can also be used and the broader utility it may have in continuing technological developments.
OFAC has sought to play down the risk of stifling the utility of open-source code, and in September OFAC updated its FAQs to include the following guidance:
While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited. For example, U.S. persons would not be prohibited by U.S. sanctions regulations from copying the open-source code and making it available online for others to view, as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts. Similarly, U.S. persons would not be prohibited by U.S. sanctions regulations from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet.
There will no doubt be many challenges for law enforcement agencies as they come to terms with the complexities of cybercrime involving NFTs and other cryptoassets. The age of blockchain is very much upon us and it is now an apposite time to start considering how laws, and their enforcement, can effectively support and supervise the burgeoning cryptoasset industry.
