On August 8, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned virtual currency mixing service Tornado Cash, which OFAC said has been used to launder billions of dollars in virtual currency, including $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (“DPRK”) state-sponsored hacking group that OFAC sanctioned in 2019. Though OFAC’s action marks the second instance it has sanctioned a virtual currency mixer—OFAC sanctioned Blender.io in May 2022—this is the first time that OFAC has designated a non-entity software protocol. Tornado Cash is a “smart contract” that allows users to anonymize the origins, destinations, and counterparties for virtual currency transactions.
OFAC’s action builds on its action against Blender.io, and the enforcement action of OFAC’s sister agency, the Financial Crimes Enforcement Network (“FinCEN”), against the founder and operator of mixers Helix and Coin Ninja. It also builds on a general rise of OFAC enforcement against virtual currency businesses. These actions point to OFAC’s growing concern about the use of virtual currency to facilitate sanctions evasion and the activities of sanctioned actors broadly, and its increasing willingness to take enforcement action against crypto market participants that facilitate such activities. Virtual currency exchanges, decentralized finance (“DeFi”) entities and developers, non-fungible token (“NFT”) platforms, Web3 companies (together, “Virtual Currency Market Participants”), and traditional financial institutions (or “TradFi”) should continue to assess the risks associated with the use of mixers by sanctions targets and other illicit actors, and consider adjustments to their sanctions compliance and anti-money laundering (“AML”) programs to address such risks.
OFAC’s Action
OFAC designated Tornado Cash pursuant to Executive Order (“EO”) 13694, as amended, for providing support to malicious cyber actors, along with 38 Ethereum (“ETH”) virtual currency wallet addresses and six USD Coin (“USDC”) virtual currency wallet addresses. In addition to the $455 million stolen by the Lazarus Group, OFAC said that Tornado Cash had been used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 “Harmony Bridge Heist,” and at least $7.8 million from the August 2, 2022 “Nomad Heist,” and that Tornado Cash had failed to impose effective controls designed to prevent its use for laundering funds for malicious cyber actors, “despite public assurances otherwise.” As a result of the sanctions, U.S. persons are prohibited from having any direct or indirect interactions with Tornado Cash unless authorized by a general or specific license issued by OFAC. Additionally, U.S. persons must block and report to OFAC all property and interests in property of Tornado Cash.
Unlike Blender.io, Tornado Cash is a non-custodial, smart contract-based software application, not an entity. In designating Tornado Cash, OFAC effectively sanctioned a technology that resides on the Ethereum blockchain. Thus, while Tornado Cash remains operational, Virtual Currency Market Participants should be mindful that OFAC and the U.S. Department of Justice may pursue civil or criminal enforcement proceedings for direct or indirect interactions with the Tornado Cash code. This is particularly the case for instances when those agencies view persons as evading U.S. sanctions or causing U.S. persons to violate sanctions. There also is some risk that OFAC may view assets that have passed through the mixer as blocked property. Further, non-U.S. persons not subject to OFAC’s jurisdiction may wish to consider risks of continued transactions with Tornado Cash, as OFAC may consider such persons as potential targets for secondary sanctions pursuant to EO 13694.
Key Takeaways: Has the Tide Turned Against Mixers?
Treasury’s sanctioning of Tornado Cash follows a series of actions in which the U.S. Government has highlighted the risks of mixing services. In October 2020, FinCEN assessed a $60 million penalty against Larry Dean Harmon, the founder, administrator, and primary operator of the Helix mixer, for violations of the Bank Secrecy Act (“BSA”). In August 2021, Harmon pleaded guilty to conspiracy to commit money laundering in connection with his operation of Helix. Last summer, FinCEN penalized BitMEX, a virtual currency exchange, for its failure to file suspicious activity reports (“SARs”) on transactions involving virtual currency mixers. Then, as discussed above, in May 2022, OFAC sanctioned virtual currency mixer Blender.io for assisting cryptocurrency transactions on behalf of the DPRK.
Given these enforcement actions, Virtual Currency Market Participants should consider ways to address and mitigate sanctions and AML risks arising from transacting with mixers. Last November, OFAC issued its first-ever Sanctions Compliance Guidance for the Virtual Currency Industry (“Sanctions Guidance”), along with updated “Frequently Asked Questions” regarding virtual currency sanctions compliance. In its Sanctions Guidance, OFAC highlighted the potential usefulness of blockchain analytics tools to help identify transactions with listed addresses, and provided advice on how to mitigate the risks associated with dealing with unlisted virtual currency addresses that transact with sanctioned wallets. Additionally, in April, 2022, the New York State Department of Financial Services (“NYDFS”), the State of New York’s crypto regulator, issued its own virtual currency guidance that similarly stressed the importance of blockchain analytics. NYDFS indicated that blockchain analytics are relevant to effective compliance programs, customer due diligence, transaction monitoring, and sanctions screening by NYDFS-licensed virtual currency businesses, as this technology can help trace the provenance of virtual currency transactions, including through the review of on-chain “hops”. Such “Know Your Transaction” technology could help mitigate compliance risks and address red flags.
Cryptocurrency exchanges should be mindful of continued scrutiny by OFAC and other agencies for sanctions compliance in the virtual currency sector. In October, 2021, Suex OTC became the first virtual currency exchange to be placed on the SDN List for facilitating transactions involving ransomware payments. Media reports indicate that OFAC is investigating at least one other major virtual currency exchange for allowing almost 2,000 accounts from Iran, Syria, and Cuba, potentially in violation of U.S. sanctions.
Despite Tornado Cash’s stated connection to the Lazarus Group, OFAC’s actions against Tornado Cash has prompted debate about the role that mixers, privacy coins, and other anonymizing technologies play in the broader virtual currency ecosystem, and what qualifies as legitimate use of such technologies. For example, Vitalik Buterin, a co-founder of Ethereum, used Tornado Cash to donate to Ukraine following Russia’s invasion. It remains to be seen whether similar uses might expose those mixers, or those users, to potential sanctions or other forms of regulatory scrutiny.
OFAC’s action also suggests a willingness to pursue sanctions against decentralized protocols—even where these protocols are not clearly associated with an entity—when the protocol is used by sanctioned actors to evade sanctions or to engage in malicious activity. It also raises the risk of action against the developers or persons with control over these decentralized protocols.
Compliance Considerations
In light of OFAC’s recent actions:
- Virtual Currency Market Participants may wish to: (1) review OFAC’s October 2021 Sanctions Guidance and virtual currency Frequently Asked Questions, as well as NYDFS’s April 2022 Virtual Currency Guidance for best practices for virtual currency sanctions compliance; (2) assess their potential touchpoints to mixers, including Tornado Cash, and consider how they will address the potential uses of such technology in a manner consistent with their sanctions and AML obligations, including, potentially, the use of blockchain analytics and other controls to identify transactions or clients that use such technologies and to understand the implications of such technologies for those customer relationships.
- Virtual Currency Market Participants should add Tornado Cash, along with the 44 associated virtual currency wallet addresses sanctioned by OFAC to their sanctions screening programs, and identify whether they receive or transmit any virtual currency, directly or indirectly, associated with these sanctioned wallet addresses, and any other address believed to be associated with Tornado Cash.
- Financial institutions and technology companies that have Virtual Currency Market Participants or DeFi customers or users, may wish to conduct diligence on these participants’ AML and sanctions compliance programs as part of their own compliance practices.
- DeFi developers should consider sanctions risks as they develop projects, particularly in pre-launch stages where there may be opportunity to implement protections against potential sanctions risks before a product is launched, a point OFAC emphasized in its 2021 virtual currency sanctions guidance. OFAC’s designation of Tornado Cash, in part for failing to “impose effective controls,” implies that Treasury feels such measures are reasonable and possible, even in DeFi.
- Consult with experienced sanctions and AML counsel regarding potential risks associated with developing, supporting or operating a business involving identity mixers, DeFi, or virtual currency anonymizing technologies.
We will continue to monitor enforcement actions involving virtual currency.
For further information, please contact:
Carlton Greene, Partner, Crowell & Moring