Tornado Cash Devs Are Caught in a U.S. Dragnet

The Treasury and Defense Departments are working to stop North Korean hackers — with little to show for it.

AccessTimeIconAug 24, 2023 at 8:06 p.m. UTC

I’m not going to call Roman Storm or Roman Semenov innocent for their work building the now-sanctioned Tornado Cash protocol. I’m not even going to say the two aren’t guilty of the three specific crimes of which they were accused. But I am willing to say the two are caught up in something much bigger than themselves and are likely victims as much as perpetrators.

Yesterday two explosive stories hit the wires about supposed crypto crimes that taken together show a fuller picture of the U.S. government’s interest in Tornado Cash. In addition to the Romans getting charged, the FBI also issued a warning that North Korea is preparing to cash out millions in stolen crypto.

This is an excerpt from The Node newsletter, a daily roundup of the most pivotal crypto news on CoinDesk and beyond. You can subscribe to get the full newsletter here.

If the connection isn’t immediately obvious, it helps to know that in its indictment the Department of Justice made pains to note that the hermit kingdom’s infamous Lazarus Group accounted for “hundreds of millions” of dollars of the $1 billion in illicit funds the Romans allegedly helped launder by building Tornado Cash.

In other words, the legal action taken against Tornado Cash is bound up in a geopolitical conflict between the U.S. and North Korea. In other other words, both the smart contract itself and the Romans are caught up in a massive U.S. dragnet.

So far unable to actually persecute North Korea itself or bring to justice any suspected hackers – who are thought to be funding the wayward country’s nuclear missiles program, no less – the U.S. government is making an example out of a couple cryptocurrency coders.

The actual crimes almost don’t matter. Instead the prosecution of Storm, Semenov and their colleague Alexey Pertsev who faces trial in the Netherlands is supposed to stand for the international community of Good Guy nations going hard against an international pariah. Considering the countless resources that flow to law enforcement in the U.S., the technology and spycraft available, you have to wonder: is this the best they can do?

This is more lit crit than evidence, but consider the DOJ presser’s dek, that bit under the headline that’s supposed to sum up the story and highlight why it matters: “Concurrent Treasury sanctions and DOJ indictments hold to account founders of mixing service that laundered stolen virtual assets for North Korea.”

The trouble is, you can sanction Tornado Cash and charge its founders with any imaginable crime, but that isn’t going to shut off the actual smart contract. Storm and Semenov are being charged with facilitating money laundering for writing and publishing self-executing code that will continue to function – i.e. continue laundering funds – whether they’re in jail or not.

Not only that, but Tornado Cash will continue laundering funds for North Korea because the code itself is agnostic to who is using it. There’s no semantic debate about it; there’s no AI to question whether it “knows” if what it’s doing is right or wrong, just a couple hundred lines in Solidity that follow prompts and push transactions out onto the blockchain.

Should the Romans get in trouble anyway? Isn’t that quite a dangerous machine they built? And couldn’t they have tried to put in an off switch? To the extent that Russian nationals, Storm and Semenov, broke U.S. law by neglecting the appropriate know-your-customer (KYC) or anti-money laundering (AML) protections and FinCEN “money-transmitting business” registrations then, maybe, sure, there’s enough justification to bring them to trial.

But the whole money laundering thing freaks me out. It’s true, I don't know enough about the case to say whether they were actually national defense risks who were working in tandem with North Korea to launder funds to build bombs. But something tells me that isn’t quite right, instead it seems like many crypto ideologues that Storm and Semenov were simply concerned about the absolute lack of financial privacy today.

Their document “Tips to Remain Anonymous” was a collection of best practices meant to guide people looking to, justifiably, bolster their on-chain privacy. It included hot tips like using Tor, auto-delete your browsing history and use different IP addresses for Tornado Cash deposits and withdrawals. Something tells me that a hacking group like Lazarus already knows what a VPN is.

We’ve heard this one before: it’s the same accusation levied against former Ethereum Foundation developer Virgil Griffith, who presented at a conference in Pyongyang where he said that Ethereum exists outside of government control. What an Earth-shattering revelation to make in 2019. Griffith was found to have violated U.S. sanctions, and is now a few months into his 63-month prison sentence.

To some extent I get it. It would probably be a headache for the U.S. if there were dozens of Virgil Griffiths in the world making contact with state enemies — and few would ever be as doe-eyed and innocent as the real Virgil Griffith seemed to be. Likewise, crypto mixers undoubtedly present a problem for financial enforcers, especially if they exist in a state like Tornado Cash pre-2022 when it was an open question whether using it was illegal.

The trouble is the twisting logic it takes for the government to shut these systems down. There are, as Coin Center argues, legitimate First Amendment rights that protect developers who write code. There are legitimate needs for privacy in the world. And the suggestion that every dollar that passes through a mixer is “laundered” is a pernicious way of ignoring all the legitimate uses of blockchain and legitimate reasons for wanting anonymity – and it’s troubling how often this idea comes up.

But even if the existence of something like Tornado Cash is an issue of national security, it wouldn’t be right to ask people to trade in liberty for security. I mean, “burner phones” can often be untraceable, causing trouble for police. And to that I say, deal with it.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.

Daniel Kuhn

Daniel Kuhn is a deputy managing editor for Consensus Magazine. He owns minor amounts of BTC and ETH.