Dialogue with Senior Crypto Lawyer: What are the implications of Tornado Cash being sanctioned? Are new regulatory challenges on the horizon?

Original: Veteran Crypto Lawyer Insights on Tornado Cash and The Future of Crypto Regulations

Author: SolaNews

Translation: Baize Research Institute

Recently, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against the mixing protocol Tornado Cash, which has been used by many cybercriminals and illicit hacker organizations in the cryptocurrency space to launder and obfuscate their illegal sources of funds.

We recently spoke with Adam Vaziri, CEO and co-founder of Blockpass, a company focused on on-chain KYC and digital identity, and Vaziri is also a very successful lawyer.

Here is our interview with Mr. Vaziri.

Can you briefly introduce your background and when you entered the cryptocurrency industry?

I was the first cryptocurrency lawyer in London in 2013. I assisted Bitpesa in obtaining the first EU remittance license involving Bitcoin settlements; I helped the crypto derivatives platform Cryptofacilities, which was acquired by Kraken, obtain an EU remittance license; I worked with regulators to organize the first regulated ICO, which was Cardano, through KYC; I collaborated with regulators to eliminate sales tax on cryptocurrency sales (as early as 2014); my goal has always been to ensure that cryptocurrency has a place in mainstream finance, and for that, it must comply with the same regulatory rules and embrace compliance.

The Office of Foreign Assets Control (OFAC) recently added certain wallet addresses interacting with Tornado Cash to its "Specially Designated Nationals List," prohibiting all U.S. individuals and entities from interacting with Tornado Cash or any Ethereum wallet addresses associated with the protocol. Based on your experience in cryptocurrency law and regulation, did you anticipate this type of development?

The Ethereum blockchain allows applications to run extensively without a central server. Before this, law enforcement found it easier to shut down money laundering tools abused by cybercriminals, such as Silkroad and Liberty Reserve, which could be easily taken offline.

With Ethereum, smart contracts can be deployed, and if deployed without an administrator, it can be said that no one can control the smart contract. This means that when it comes to enforcement, law enforcement cannot easily shut it down.

The positioning of the crypto community is that these unstoppable smart contracts should not be subject to government intervention. This is a contradiction because if something is unstoppable, you shouldn't worry about government intervention.

A particular issue with Tornado Cash is that it is a decentralized money laundering tool used by cybercriminals and illicit hacker organizations. They use this tool to make it more difficult for law enforcement to trace the flow of funds.

Ethereum is an open financial system, which means that if I know your account, then I, law enforcement, and anyone else can see your financial information. It is precisely because the blockchain records all accounts and fund movements that it establishes the security attributes for the blockchain to become an open financial system. Due to this unique "transparency," some users want to take measures to retain financial privacy, and tools like Tornado Cash that can obfuscate funds can help.

Currently, the U.S. Treasury's sanctions against Tornado Cash are set against the backdrop of many cybercriminals laundering money on a larger scale than ever before, with greater abuse. Additionally, this also involves national security issues. For example, North Korean hacker groups use Tornado Cash to launder the proceeds from their hacking activities. Therefore, the use of Tornado Cash by sanctioned countries is seen as a security threat to the U.S. Thus, it is understandable that the U.S. Treasury has taken such a radical enforcement approach.

In response to OFAC's actions, we have seen debates on Twitter regarding the code of Tornado Cash, with some claiming that the code is protected by free speech laws. Can you share your thoughts on this?

Writing source code in Javascript or any language is a form of free expression. However, Tornado Cash does not run in code but operates in a distributed system's nodes in bytecode form. I can say that I have the right to free speech to write source code on Github. However, once that code is compiled into an "unstoppable" smart contract, it becomes a "tool." A tool is a thing, not code. Although this distinction may seem technical, to say that a tool is free speech is somewhat absurd.

Recently, we saw a Tornado Cash developer prosecuted in the Netherlands. The crypto community claimed (without any evidence) that the prosecution was due to this person writing code for Tornado Cash. No one knows the specifics of that particular case, and the Dutch police announcement did not mention that the prosecution was for writing code. It stated: "suspected of concealing criminal funds and facilitating money laundering activities by mixing cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash." This did not mention that he wrote code.

In my view, the crypto community has other misunderstandings. The first is the claim that Tornado Cash is not an "organization" and cannot be a target of sanctions. This is a complete fallacy. "Al-Qaeda" is not a publicly traded company with board members, but that did not stop it from being designated as a sanctioned target. In this regard, Tornado Cash can simply be marked as an illegal entity with anonymous partners—this is the default legal classification of a DAO.

Can we also view the sanctions against Tornado Cash as a sign of regulators' inability to combat money laundering and fraud in the cryptocurrency space?

Yes, absolutely, the distributed nature of the system makes enforcement more difficult.

As mentioned earlier, law enforcement only needed to shut down the server of a tool to get the job done. But now they have to take a different enforcement approach. This approach criminalizes the use of the tool. This is a powerful deterrent, rendering the tool almost useless to ordinary legitimate users. For cybercriminals, continuing to use the tool makes no sense, as they cannot prove the innocence of the account after laundering.

However, the problem with the new enforcement method is that it always leads to unintended consequences and collateral damage.

The unintended consequence is that some people will use this measure to "pollute" the wallets of well-known Ethereum users.

The collateral damage is that many legitimate users have used Tornado Cash in the past, and generally, sanctions are not retroactive, but cryptocurrency exchanges will treat any accounts that have had any transactions with Tornado Cash as high risk. Furthermore, all users who have used Tornado Cash now face an administrative process requiring them to apply for permission from OFAC to transfer their assets. This requires extensive reporting and often takes a significant amount of time.

What measures do you think could improve the effectiveness of KYC and AML programs for cryptocurrency service providers? Do you believe that new regulatory frameworks (such as MiCA in Europe) can address these issues?

The crypto industry needs to take compliance seriously.

"We hate KYC" and anti-government positioning are undermining the opportunity for cryptocurrency to challenge the existing financial system.

In fact, decentralization can have the opposite effect, such as governments intensifying crackdowns, regulations becoming stricter, and even leading to some countries completely banning cryptocurrency. This essentially means that cryptocurrency will continue to exist in the "underground" and become more niche.

For some project founders, tools like Tornado Cash may seem like interesting, cool DeFi projects. However, when that tool is used for large-scale money laundering, the crypto community's response should be more about how to make that tool compliant rather than confronting the government.

One thing that should be clearer is that crypto projects, whether they are inherently decentralized or not, are opening the door to fraud, money laundering, and other behaviors if they do not conduct KYC and KYT.

Do you think the rules followed by major players like cryptocurrency exchanges regarding KYC and AML should be less strict or more strict than those for traditional fintech companies or banks?

For the past 10 years, the cryptocurrency industry has been able to provide services on an unregulated basis.

The first regime implemented in the industry was the VASP regime to mitigate money laundering. (VASP: Virtual Asset Service Provider)

I believe that cryptocurrency has not yet reached the same level of regulation as traditional financial services. Its business operations still have a certain degree of flexibility. Although regulations have been enacted in various countries requiring companies providing cryptocurrency-related services to register as VASPs and be subject to AML (Anti-Money Laundering) regimes due to the guidance of the Financial Action Task Force (FATF), this is just the tip of the iceberg in addressing the risks associated with crypto businesses.

Feel free to add any other key points.

I believe that the cryptocurrency space will face regulatory challenges:

Verification nodes involved in transactions with sanctioned parties may become the next conflict area between cryptocurrency and regulators. The positioning of nodes in relation to regulators is similar to that of ISPs (Internet Service Providers) enjoying immunity from prosecution.

However, the difference between nodes and ISPs is that if an ISP is unaware of illegal activity, it can benefit from the "safe harbor" principle. When an ISP becomes aware of illegal activity, it must take steps to remove relevant materials from certain websites; once a cryptocurrency address/account is publicly sanctioned, nodes will also become aware of this. In principle, nodes that continue to validate sanctioned transactions will not benefit from the "safe harbor" principle.

While current blockchains have both Proof of Work (PoW) and Proof of Stake (PoS) consensus systems, both involve miners/stakeholders choosing transactions for validation, so selecting sanctioned transactions would violate sanctions.

This is likely to lead to a future division of blockchains into two types: compliant and non-compliant. Currently, only privacy coins are considered non-compliant. For this reason, regulated exchanges refuse to list privacy coins like Zcash.

While many amazing innovations have emerged in the crypto industry, all aspects of the industry need to improve compliance. If this can be achieved, then the industry can begin to move away from scams, Ponzi schemes, market manipulation, and sanctions violations, and start to become a dark horse to replace SWIFT, VISA, and all traditional financial applications.

Web3 and blockchain cannot become a dystopian, anarchic world, nor can they promote lawlessness and chaos in the name of decentralization; this is a nightmarish scenario, akin to a centralized "Facebook" metaverse that tracks, collects, and exploits all user data. The Web3 and blockchain community must make a certain degree of compromise and take responsibility.