The US Treasury Department has sanctioned a “virtual currency mixer” for failing to prevent money laundering by foreign cybercriminals. The developer behind the project was arrested in Amsterdam two days after the sanction was announced.
The decision has divided opinions. Some believe that the facilitation of criminal activity is a price worth paying for economic privacy and anonymity. Others argue that crypto services should shoulder the responsibility for enabling ransomware attacks and money laundering.
But more broadly, the case illustrates how every organisation must be increasingly aware of the overlapping nature of financial, privacy, geopolitical and cyber risks.
Crypto Mixer and Criminal Funds
The case centres on Tornado Cash, which describes itself as “a fully decentralized protocol for private transactions on Ethereum”.
Crypto transactions are publicly listed on the blockchain, which acts as a digital ledger. While transactions are not, by default, attributed to known individuals, it is possible to trace the origin of funds by analysing subsequent purchases.
Tornado is a cryptocurrency “tumbler” or “mixer” that serves to obscure the source and destination of funds. Users send crypto transactions to the mixer, which pools them together for a period and then redistributes them to the users.
As such, crypto transactions that have been processed by a mixer are very hard to trace.
While mixers are not illegal, they can be used for money laundering. In April last year, a developer behind mixer Bitcoin Fog was arrested by the US authorities. And in May, the mixer Blender.io was also sanctioned by the Treasury department.
Some privacy advocates maintain that mixers have a legitimate use in concealing the origin of legitimate transactions, such as donations to politically-sensitive organisations.
What Did Tornado Do Wrong?
The US Treasury determined that Tornado Cash had been used to launder funds stolen from high-profile crypto heists.
One of these incidents was the largest known crypto heist in history, which saw North Korean cybercrime organisation Lazarus Group steal $615m (£469m) from a crypto asset exchange used by players of the online game Axie Infinity.
Tornado was also allegedly used to launder funds from another two attacks, both against so-called “crypto bridges”.
While some crypto platforms perform know-your-customer (KYC) and anti-money laundering (AML) compliance checks, the Treasury Department alleged that Tornado had failed to implement such controls.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson in a press release.
The sanction against Tornado was imposed by the US Treasury’s Office of Foreign Assets Control (OFAC) under Executive Order (E.O.) 13694.
The charge against Tornado was that it provided support for a “cyber-enabled activity” by persons outside the US that is reasonably likely to result in a significant threat to the United States.
Alexey Pertsev, a developer behind Tornado, was arrested by Dutch authorities two days after the sanction was announced.
Crypto Regulation and Wider Implications
Governments worldwide are beginning to catch up with cryptocurrency by developing laws and regulations to control its use.
US President Biden signed an executive order on “ensuring the responsible development of digital assets” in March. And in June, EU institutions agreed a draft framework for regulating markets in crypto assets (MiCA).
But the case shows that, even in the absence of strong cryptocurrency-specific regulation, the authorities have the means to pursue actors who fail to take appropriate measures to prevent the use of their platforms for criminal activity.
The Tornado case also raises a number of themes that are relevant for a much broader range of organisations than those operating crypto mixers:
The ability of regulators and authorities to enforce the law in the face of fast-moving technological advancements
Transacting, or facilitating transactions, with sanctioned organisations or organisations in sanctioned regimes
The crucial importance of carrying out KYC checks and complying with AML checks
The potential for liability when using privacy-protecting technology that might facilitate criminal activity