Advocates are accusing the Treasury Department’s Office of Foreign Assets Control of overreach after the decision announced Monday to sanction Tornado Cash, a virtual currency mixer that federal officials said is responsible for more than $7 billion in laundered proceeds since its founding in 2019.
A range of organizations, from financial privacy experts to advocates of virtual currency, claim the sanctions levied against Tornado Cash will harm the ability of business and consumer users of virtual currency to conduct secure, private transactions.
Some are raising questions about whether the government’s global fight against ransomware will unleash a larger conflict with some fundamental civil liberties.
Jake Chervinsky, head of policy at the Blockchain Association, said the Treasury Department may have opened a Pandora’s Box through the sanctions.
“There’s good reason why sanctions have always applied to entities, not technology,” Chervinsky said in a Twitter post. “Treating Tornado Cash as an entity makes little sense.”
Tornado Cash is an immutable smart contract that mixes a pool of various cryptocurrencies from many different senders as a way to protect the privacy of on-chain transactions, said Miller Whitehouse-Levine, policy director of the DeFi Education Fund.
“People seek privacy in transactions for a number of legitimate reasons, like to donate money to causes they believe in or to pay for sensitive medical treatments,” Whitehouse-Levine said via email.
While conceding the tool can be used for illicit activities, Whitehouse-Levine said the Treasury sanctions put the entire debate in “uncharted waters,” as the move effectively banned an open-source software protocol.
The sanctions are part of a larger effort by federal law enforcement and financial regulators to crack down on the rise of malicious cybercrimes. Tornado Cash is the second virtual currency mixer Treasury officials have sanctioned since May, when the department levied similar penalties against Blender.io.
According to the Treasury, Tornado Cash was used by the state-sponsored Lazarus Group to launder more than $455 million as part of the largest known virtual currency heist to date, a $620 million theft in Ethereum traced to North Korea. Tornado Cash was later used to launder $96 million in the June Harmony Bridge case and $7.8 million in the heist of San Francisco-based Nomad earlier this month, according to Treasury officials.
In May, OFAC sanctioned Blender.io, a virtual currency mixer that was also allegedly used to launder about $20.5 million in proceeds from the same heist.
Cybersecurity researchers say state-sponsored and other threat actors have long used cryptocurrency tools in order to obscure extortion schemes from authorities and make the transfer of funds incredibly hard to trace or recover.
“We have observed North Korean actors repeatedly and consistently utilizing such services as well as leveraging other methods for moving ill-gotten funds in a variety of schemes to support the regime in Pyongyang,” Joe Dobson, senior principal analyst at Mandiant, said via email. “These operations frequently spill outside of cyberspace, demonstrating the creativity and persistence of these operators.”
Andrew Fierman, head of sanctions strategy at Chainalysis, confirmed that ransomware groups do use mixers to obscure the flow of funds once ransom payments are made. But Tornado Cash was not among the preferred mixers used by these actors and therefore he doesn’t think the sanctions will have a huge impact on mitigating malicious ransomware activity.