
Written by: Liu Honglin, Attorney at Shanghai Mankiw LLP

 

In May 2024, Alexey Pertsev, a 31-year-old Russian citizen and one of the founders and core developers of Tornado Cash, was sentenced to 5 years and 4 months in prison in the Netherlands for laundering $2.2 billion on a cryptocurrency mixer platform.

 

Previously, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced that it would add Tornado Cash to its sanctions list, accusing it of helping hackers and criminals launder money, including the money laundering activities of the North Korean-linked hacker group Lazarus Group. U.S. users are prohibited from using the platform, and U.S. blockchain companies and projects are not allowed to trade or interact with Tornado Cash. The U.S. Department of Justice (DOJ) and other regulatory agencies have filed criminal charges against Tornado Cash founders Roman Storm and Roman Semenov, accusing them of conspiracy to launder money, violating sanctions regulations and operating an unlicensed remittance business while running Tornado Cash. The two will face at least 20 years in prison. Storm was arrested last year and will stand trial in September this year, and Semenov has not yet been arrested. Pertsev's verdict is likely to determine the outcomes of the future trials of the two Tornado Cash founders.

 

The Netherlands and the United States are not the only countries that have taken a hostile stance toward Tornado Cash or even taken law enforcement action against it.

 

Germany: On August 20, 2022, the German Federal Financial Supervisory Authority (BaFin) investigated Tornado Cash, believing that it failed to comply with anti-money laundering regulations, and issued a warning and fined it.

 

France: On September 5, 2022, the French National Commission for Information and Freedoms (CNIL) reviewed Tornado Cash's privacy policy, determined that it failed to effectively protect user privacy, and imposed sanctions on it.

 

Japan: On September 15, 2022, the Financial Services Agency (FSA) of Japan reviewed Tornado Cash, believing that it may be used for illegal activities, and sent it a warning letter requiring it to improve its anti-money laundering measures.

 

South Korea: On October 1, 2022, the Financial Services Commission (FSC) of South Korea blacklisted Tornado Cash, prohibiting South Korean citizens from using the service and investigating its possible money laundering activities.

 

Canada: On October 20, 2022, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) conducted an investigation into Tornado Cash, pointing out that it posed a money laundering risk and recommending strengthened supervision.

 

Australia: On November 1, 2022, the Australian Transaction Reports and Analysis Centre (AUSTRAC) monitored Tornado Cash and warned that it could be used by criminals for money laundering.

 

Why has one blockchain project been banned by multiple countries one after another? Is it the loss of privacy or the decline of technology? In this article, Liu Honglin, an attorney at Mankiw Law Firm, walks readers in the cryptocurrency community through the story.

 

What is the Tornado Cash mixer?

 

Tornado Cash is a decentralized currency mixing service based on Ethereum that mixes users' deposits through smart contracts and then distributes them, making the source of funds untraceable. Tornado Cash was created on August 6, 2019 by two developers, Roman Semenov and Roman Storm, to improve the privacy of Ethereum transactions and enable users to "send Ethereum cryptocurrency 100% anonymously." Core team members include Alexey Pertsev and others, who have extensive experience in privacy protection and decentralized technology.

 

Since the launch of the project, Tornado Cash has been continuously iterating and improving, launching multiple versions, supporting different cryptocurrencies, and gradually developing into a well-known privacy tool in the cryptocurrency community. At its peak in July 2021, the Tornado Cash pool contract held more than US$700 million in ETH.

 

Simply put, the operating logic of Tornado Cash is to mix the deposit and withdrawal behaviors of a large number of users together. After depositing tokens in Tornado Cash, the depositor presents a zero-knowledge (ZK) proof to prove that they made a deposit, and then withdraws the money to a new address, thereby cutting off the correlation between the deposit and withdrawal addresses.

 

In order to make deposit and withdrawal actions appear homogeneous, Tornado Cash uses the same pool address for every deposit and every withdrawal. For example, for 100 depositors and 100 withdrawers in a pool, the amount deposited and the amount withdrawn by each person are the same. The deposit and withdrawal amounts therefore cannot be used to correlate the two, which cuts off the traces of the fund transfer.

 

Broken down into steps, the process is roughly as follows:

 

  • User deposits. The user deposits Ether (ETH) into the Tornado Cash smart contract, generating a secret note.

  • Mixing process. The smart contract mixes deposits from multiple users to form a pool of funds.

  • Withdraw funds. Users use the note to withdraw funds, and the withdrawn funds are not directly associated with the deposit address.

 

Tornado Cash is like a piggy bank. Ten people deposit 100 yuan into it at the same time and each gets a deposit certificate. Then the ten people use their certificates to withdraw 100 yuan from the piggy bank at the same time. Because the money itself is not registered, we cannot accurately associate a depositor and a withdrawer as the same person. This is the key reason why governments and regulators around the world find it difficult to identify who the funds belong to.
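The piggy-bank argument above can be checked from the analyst's side. The following is an added example, not code from the article or from Tornado Cash: it runs a simple amount-matching heuristic over a constructed ledger, first where every user moves a different amount and then where everyone uses one fixed amount. The addresses, amounts and times are made up, and the note and ZK proof are not modelled.

```python
from collections import namedtuple

# Constructed ledger entry: address label, amount in arbitrary units, time.
Transfer = namedtuple("Transfer", "address amount time")

def candidate_depositors(withdrawal, deposits):
    """Deposits that could have funded this withdrawal under the
    amount-matching heuristic: same amount, made before the withdrawal."""
    return sorted(d.address for d in deposits
                  if d.amount == withdrawal.amount and d.time < withdrawal.time)

def link_report(deposits, withdrawals):
    """Map each withdrawal address to its candidate deposit addresses."""
    return {w.address: candidate_depositors(w, deposits) for w in withdrawals}

def uniquely_linked(report):
    """Withdrawals the heuristic pins to exactly one depositor."""
    return sorted(w for w, cands in report.items() if len(cands) == 1)

# Case 1 (constructed): everyone moves a different amount.
VARIED_DEPOSITS = [Transfer("dep_A", 37, 1), Transfer("dep_B", 120, 2),
                   Transfer("dep_C", 45, 3)]
VARIED_WITHDRAWALS = [Transfer("out_X", 120, 5), Transfer("out_Y", 45, 6),
                      Transfer("out_Z", 37, 7)]

# Case 2 (constructed): ten deposits of 100 each, as in the piggy bank.
POOL_DEPOSITS = [Transfer(f"dep_{i}", 100, i) for i in range(1, 11)]
# One withdrawal happens after only the first deposit; the rest happen later.
POOL_WITHDRAWALS = ([Transfer("out_early", 100, 2)] +
                    [Transfer(f"out_{i}", 100, 20 + i) for i in range(1, 10)])

if __name__ == "__main__":
    varied = link_report(VARIED_DEPOSITS, VARIED_WITHDRAWALS)
    pooled = link_report(POOL_DEPOSITS, POOL_WITHDRAWALS)
    print("varied amounts, uniquely linked:", uniquely_linked(varied))
    print("fixed amount, uniquely linked:  ", uniquely_linked(pooled))
    print("candidates for out_1:", len(pooled["out_1"]))
```

With varied amounts every withdrawal maps back to a single deposit. With a fixed amount the same heuristic returns all ten depositors as candidates, except for the withdrawal made when the pool held only one deposit.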

 

Regulatory authorities, heavy blows

 

Of course, it is not only Tornado Cash that is giving governments and regulators headaches. There are also many similar coin mixers such as CoinJoin, Mixing services, Wasabi Wallet, etc. The cryptocurrency circle is constantly innovating, and regulators constantly face new headaches.

 

In 2024, the U.S. Senate passed an amendment to the Fiscal Year 2024 National Defense Authorization Act (FY24NDAA) with a total budget of $886 billion. One of the provisions is to strengthen the supervision of financial institutions engaged in cryptocurrency transactions and crack down on crypto assets that aim to "increase anonymity" for cryptocurrency mixers. The amendment was jointly introduced by members such as Elizabeth Warren of the Democratic Party and Roger Marshall of the Republican Party, who are well-known cryptocurrency critics. In response, Bill Hughes, a lawyer for Web3 infrastructure developer ConsenSys, called it "one of the most significant congressional actions on crypto assets so far."

 

Why do regulators pay so much attention to and continue to crack down on coin mixers? There are several main reasons:

 

Anti-money laundering issues. Tornado Cash is widely used for money laundering due to its anonymity. For example, the indictment issued by the Dutch judicial authorities stated that Alexey Pertsev, the developer of Tornado Cash, a cryptocurrency mixing service, was accused of participating in money laundering activities involving an amount of up to $1.2 billion. The indictment lists 36 suspected money laundering transactions on the Tornado Cash platform, including one involving 175 ETH. The funds are believed to be related to the Ronin Bridge hack: on March 23, 2022, the Axie Infinity Ronin sidechain bridge lost approximately $625 million in a hack. This is one of the largest cryptocurrency hacks to date, and criminals laundered money through Tornado Cash.

 

Terrorist financing. The anonymity of Tornado Cash has also been exploited by terrorist organizations to conduct covert fundraising activities. Law enforcement agencies are concerned that this anonymous transaction method will make it easier for terrorists to obtain funds without being detected. For example, in 2021, there was evidence that certain terrorist organizations raised large amounts of funds through cryptocurrency mixing services.

 

Sanctions circumvention. Some countries or individuals use Tornado Cash to circumvent international sanctions and transfer funds through anonymous cryptocurrency transactions. For example, North Korea's hacker group Lazarus Group was accused of transferring funds obtained from cyber attacks through Tornado Cash, evading the tracking of international sanctions.

 

Cryptocurrency players, love and hate

 

Unlike government agencies, crypto players like mixers because they satisfy some users’ desire for privacy and need for financial security.

 

Tornado Cash and similar mixers provide users with strong privacy protection features. For some high-net-worth players in the cryptocurrency world, using a mixer can avoid becoming the target of hacker attacks or blackmail due to public transaction records. At the same time, some activists or journalists under repressive regimes need to use mixers to protect the source and use of their funds from being discovered by the government or other organizations. Therefore, when Tornado Cash developers faced charges, some people set up defense funds for them, and some well-known figures publicly took their side. For example, former US National Security Agency (NSA) whistleblower Edward Snowden publicly supported the legal fund defending Tornado Cash developers Roman Storm and Alexey Pertsev, which has currently raised more than $350,000.

 

Of course, everything has two sides, and those who want to hide their identity and whereabouts are not always good people.

 

The most typical scenario is in cases related to theft of virtual currency. People often come to Mankiw's lawyers after their virtual currency has been stolen. If our on-chain analysis finds that the thief used a mixer, they will more or less sigh, "It's over." Once stolen cryptocurrency has been passed through a mixer, it becomes extremely difficult to track and recover the assets. For example, in the Ronin Bridge hacking incident, the attacker mixed the stolen money through Tornado Cash, making it almost impossible to track the flow of funds and ultimately resulting in irreparable losses.

 

In addition to the risk of asset loss, from the perspective of legal compliance, the biggest risk for users of mixers is that using Tornado Cash and other mixers may violate the anti-money laundering and anti-terrorist financing laws of some countries. Since Tornado Cash and other mixers are the focus of regulators, once they are sanctioned or shut down, users' funds may be frozen or unable to be retrieved. For example, OFAC's sanctions have prevented many users of Tornado Cash from withdrawing their funds, causing significant losses.

 

Therefore, for individual players, before using any currency mixing service, understand and comply with the laws and regulations of the country where you are located to avoid legal risks due to the use of currency mixers. It is also recommended to carefully choose currency mixing services with good reputation and security, and avoid using those that have been sanctioned or controversial. It is also recommended not to invest all funds in a single currency mixing service. It can be dispersed through multiple channels to reduce risks. Once any risks or problems are discovered, take timely measures.

 

In April 2023, the U.S. Treasury Department released an assessment report on illegal financial activities in DeFi, which revealed the potential risks in DeFi services and deeply analyzed the illegal actors' use of these services for criminal activities. Three months later, four U.S. senators proposed the Crypto Asset National Security Enhancement and Enforcement Act, which also aims to strengthen supervision of KYC, AML and DeFi.

 

The Crypto-Asset National Security Enhancement and Enforcement Act provides a new framework for regulating DeFi, requiring that DeFi be regulated like other cryptocurrency institutions, requiring that anyone who can control the project must be responsible for the project. The bill may mention that if no specific person can control the DeFi service, then any investor who invests more than $250,000 in the project should be responsible for the project.

 

For the technical developers of currency mixers, although decentralized technology services are neutral, you and your company still belong to a country in the real world. Therefore, it is recommended that before conducting related business, you ensure that the development and operation of currency mixing services comply with the laws and regulations of the country and region where you are located, strengthen the platform's security measures, prevent hacker attacks and fund theft, protect users' funds, and avoid becoming a target of legal crackdowns.

 

Attorney Mankiw reminds

 

Tornado Cash has been favored by many cryptocurrency users for its strong anonymity and privacy protection features. However, it is precisely this anonymity that has made it a key target for law enforcement agencies. Today, when aiding and abetting has become one of the top three criminal charges in China, we as cryptocurrency users and technology developers should, while enjoying the convenience brought by technology, always remain vigilant and abide by laws and regulations. After all, under the dark forest law of the cryptocurrency circle, it is always right to be more careful.