Why Tornado Cash was sanctioned, from the perspective of U.S. regulation, and speculation on what comes next
Author: David, W3.Hitchhiker
Regulatory Events:
On August 8, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against the crypto mixer Tornado Cash, stating that the service laundered over $7 billion in the past three years and helped the North Korean state-sponsored hacking group Lazarus Group evade U.S. sanctions. The total amount laundered includes $455 million from Lazarus Group in March and $96 million from the Harmony Horizon Bridge hack in June.
So far, the following have been affected:
Ethereum and USDC addresses, and USDC assets, that interacted with Tornado Cash and are listed on the SDN list.
Tornado Cash's GitHub repository and official front-end website are no longer accessible.
Regulatory Background Analysis:
Background 1: The primary motivation for this sanction is to ensure that U.S. officials' financial sanctions against crypto hackers remain effective.
The sanctions are implemented by OFAC, an agency under the U.S. Department of the Treasury that specializes in enforcing financial sanctions against foreign entities or individuals. Its daily work does not directly involve regulating the crypto industry but rather monitoring sensitive overseas capital flows while ensuring that its sanctions are enforced. OFAC has been active in previous U.S. government sanctions against Iran, North Korea, Russia, and even China's Huawei.
It regularly publishes the well-known Specially Designated Nationals (SDN) list, where the assets of listed individuals or organizations are frozen, and U.S. citizens are generally prohibited from dealing with them.
Before the sanctions against Tornado Cash, on April 14, OFAC listed Lazarus on the SDN list under North Korea sanctions regulations. According to a military report released by the U.S. government in 2020, North Korea's hacking program can be traced back to at least the mid-1990s and has developed into a cyber warfare force of 6,000 people. Blockchain analysis firm Chainalysis reported that Lazarus stole nearly $400 million in digital assets in at least seven attacks on crypto platforms in 2021.
In 2022, the organization also launched an attack on Axie Infinity, acquiring 173,600 Ether (approximately $597 million) and $25.5 million worth of USDC, totaling $625 million in assets. This is the largest amount to date from a decentralized hacking attack. Additionally, according to BEOSIN statistics, in the first half of this year, $1.14 billion in stolen assets were transferred to Tornado Cash by hackers, accounting for about 60% of all stolen assets during the same period.
As shown in the figure below, among the "three pillars" of crypto regulation in the U.S., the SEC and CFTC primarily define asset attributes (whether they are commodities or securities) and regulate tokens they consider to be securities or commodities; while the Treasury Department's agencies are more diverse, with the IRS mainly looking at whether crypto transactions are taxable, FinCEN focusing on domestic money laundering and anti-terrorism, and OFAC primarily responsible for enforcing financial sanctions against overseas blacklisted entities or individuals. All three need to continuously track on-chain transaction data, analyze and judge, and enforce the law accurately.
Background 2: Regulation and penalties for crypto capital flows are beginning to be placed on par with traditional capital flow regulation.
Against the backdrop of increasing global capital flows through crypto protocols, OFAC published a manual on virtual currency sanctions compliance guidelines in 2021, indicating that OFAC's sanctions compliance obligations also apply to U.S. citizens holding virtual assets.
If Americans believe they hold sanctioned crypto assets, they must report to OFAC within ten business days.
Members of the crypto asset industry are responsible for ensuring they do not directly or indirectly participate in transactions prohibited by OFAC sanctions, such as trading with sanctioned individuals or properties, or engaging in prohibited trade or investment-related transactions. OFAC has the authority to impose civil penalties for non-compliance with its sanctions requirements.
Background 3: Penalties against privacy-enhancing technologies in crypto transactions have occurred multiple times, and regulation targeting privacy technologies is expected to continue.
Currently, there is a growing trend of criminals using privacy-enhancing technologies or operating on opaque blockchains. These privacy-enhancing assets or commercial services (mixers) help criminals hide the flow and source of funds.
Privacy-enhancing technologies pose challenges for investigators trying to trace illegal proceeds. OFAC has pointed out that Monero employs:
Ring signature technology to hide the identity of the transaction initiator;
Ring confidential transactions to obscure transaction amounts;
Stealth address technology to conceal the identity of the recipient.
Additionally, these transactions are not broadcast to the Monero blockchain but are obscured using one-time generated addresses.
For example:
At the end of 2020, FinCEN fined the founder of the mixer Helix $60 million for failing to register legally and for assisting in converting drug-related funds from the dark web into cryptocurrency.
At the end of 2021, OFAC collaborated with the FBI to announce restrictions on a crypto exchange called SUEX, stating that the exchange intentionally "facilitated illegal activities" and indicating that regulation of mixers would be strengthened.
In May of this year, OFAC sanctioned another cryptocurrency mixing service, Blender.io, for assisting Lazarus in laundering over $20 million. An OFAC spokesperson stated that this action targeting mixers would not be the last.
In fact, Tornado Cash tweeted in April this year that it would use Chainalysis's oracle contract to block addresses sanctioned by OFAC from accessing the platform. However, Tornado Cash co-founder Roman Semenov stated in an interview that, due to the design of decentralized protocols, it is "technically impossible" to impose sanctions on them. This is because Tornado Cash itself is deployed as smart contracts and uses zero-knowledge proof technology. Even if the GitHub repository is shut down, the smart contracts still run on Ethereum, and the contract code itself is also publicly available on Ethereum block explorers.
Tornado.cash @TornadoCash
Tornado Cash uses @chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp. Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.
Chainalysis: Sanctions Oracle | Address 0x40c57923924b5c5c5455c48d93317139addac8fb | Etherscan (etherscan.io)
April 15th 2022
209 Retweets, 782 Likes
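The tweet above describes screening at the dapp front end; the same oracle lookup can instead be enforced inside a contract, where it applies to every caller regardless of which interface they use. The following is an added example, not code from the original article, Tornado Cash or Chainalysis: a hypothetical `ScreenedPool` that calls the oracle's `isSanctioned(address)` view function on each deposit and withdrawal. The contract name, its functions and the constructor parameter are assumptions; the oracle address is passed in at deployment (the link card above gives the address the article refers to).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Lookup exposed by the sanctions oracle: true if the address is on its list.
interface SanctionsList {
    function isSanctioned(address addr) external view returns (bool);
}

// Hypothetical pool (illustration only) that screens callers on-chain.
contract ScreenedPool {
    SanctionsList public immutable oracle;
    mapping(address => uint256) public balances;

    error SanctionedAddress(address who);

    // oracleAddress: the deployed sanctions oracle on the target network.
    constructor(address oracleAddress) {
        require(oracleAddress != address(0), "oracle required");
        oracle = SanctionsList(oracleAddress);
    }

    // Reverts the whole transaction when the oracle lists the address.
    modifier notSanctioned(address who) {
        if (oracle.isSanctioned(who)) revert SanctionedAddress(who);
        _;
    }

    function deposit() external payable notSanctioned(msg.sender) {
        balances[msg.sender] += msg.value;
    }

    // Screens both the caller and the recipient before moving funds.
    function withdraw(address payable to, uint256 amount)
        external
        notSanctioned(msg.sender)
        notSanctioned(to)
    {
        balances[msg.sender] -= amount; // reverts on underflow in 0.8+
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A check of this kind has to be built in before deployment; it cannot be added afterwards to contracts that are already deployed without an upgrade path, which is the situation the co-founder's remark describes.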
Conclusion:
In the context of the multi-regulatory framework of the U.S. financial system, regulatory agencies perform their respective duties, and the parts involving the crypto industry often lead to over-interpretation of the industry during the legislative and enforcement processes.
OFAC is unlikely to be unaware of the technical background that makes it impossible to control decentralized smart contracts at certain levels, but given OFAC's enforcement requirements and the damage Lazarus is currently causing to the crypto ecosystem, it seems that taking relatively extreme measures is a last resort. The subsequent impact on the privacy sector will need to be continuously observed.