Tornado Cash OFAC & Arrests

Two big things happened in the last few days that may have an impact far beyond Ethereum land: a judge approved the sanctioning of a smart contract address by OFAC and the country followed The Netherlands by charging and arresting, a whole year later, a Tornado Cash co-founder.

This illustrates the difference between how I (currently) believe the North Koreans used Tornado Cash (left side) vs. how a normal user would, like an employer paying their employee. It also illustrates the tokenomics. All explained below.

I’m using this post to literally gather all my thoughts that I spread between various Twitter and Nostr threads. For now it’s just a copy-paste of these brain dumps. I may clean it up later into a more coherent story and argument. If you share this, consider linking to an archived version. I reserve the right to completely overhaul this.

At the time of writing Elon Musk suspended my Twitter / X account for no clear reason so the threads are all offline. Fortunately I had a backup.

In August 2022 two big things happened:

  1. OFAC put Tornado Cash on the sanctions list. Its main (immutable) smart contract and some of the DAO smart contracts. Notably they did not sanction the developers. The code also wasn’t sanctioned though Microsoft briefly took it offline (from GitHub).
  2. Alexey Pertsev was arrested in The Netherlands a few days later. Charges presented in the media were extremely vague, strongly implying a ban on even writing source code that can be used to launder money. We do not have explicit code == speech protection here, so this was quite disturbing.

So What Does The Diagram Mean?

Let me explain that first…

The workflow for North Korean hackers is on the left. Until the prosecutor proves otherwise, I think it’s reasonable to assume they simply send coins to the core immutable smart contract and then take it out themselves. They’re technically sophisticated enough to do this; they’re in the business of hacking smart contracts. It minimises the evidence trail for them. In theory it also avoids problems with US hosted services banning their IP, but they probably just use Tor. Now for more mainstream users… it’s more complicated. I picked an employer paying their employee as an example.

And if you’re having difficulty unfolding the thread, here’s the whole thing in one message… I simplified the employer side here. They would also use the UI, but for simplicity I assume they just put the salary in the smart contract manually, North Korea style.

The employee then uses the UI to retrieve the salary. That way their boss can’t see what they do with it. This UI is hosted on a website*, some web3 magick where you use a browser plugin to connect your wallet. In addition to providing a nice user interface, it also picks a relayer for the employee.

A relayer is a third party smart contract that makes it easier and more private to withdraw. They get a percentage fee for that. It’s non-custodial though! The DoJ hints that they’re also after the people running them, but that’s for another time.

* = slightly oversimplifying, because with web3 you could in theory put the whole site on IPFS (InterPlanetary File System) and have the smart contract point to it. But afaik that wasn’t the case here (yet).

There are multiple relays out there, so how does the UI decide which one to use? Well, one way would be to always pick the one with the lowest fee. But then you can’t have tokenomics. And VC investors want tokenomics. So what do you do as a founder? YOU MAKE A TOKEN

The idea for the token (called TORN) was that relayers can stake it. This increases the chance of their relay being picked. That’s represented by the green line on the left going from TORN to the Relayer. They’re a buying force.

Then of course there’s the founders who received coins in the pre-mine (according to the DoJ). That’s the red line on the left.

Now if that was all there’s to this, you could perhaps make a (vague) case for profiting from money laundering as follows:

1. Some bad hombres use the UI and relay system

2. Relay operators pump the token price in order to get business from these bad people

3. Founders take profit by selling tokens

However this does NOT prove the founders profited from North Korean hackers laundering their proceeds. Because they (until proven otherwise) don’t use the relay system, so relayers do not buy TORN to get them as a customer, so there’s no token pump and no profit to take.

But it’s more complicated than that. Of course it is, sigh.

And that’s where the green arrow on the right comes in: speculators. These are not people in the business of laundering money. They don’t (necessarily) use the Tornado Cash system. They simply buy the token because number go up. Some people might call them degens.

So now when the price goes up and founders sell some tokens, where did those profits originate? From crime or from speculation? The DoJ makes zero effort, at least in what they published, to distinguish this. But will a judge / jury understand that? Or care? We’ll find out.

But wait, there’s more. What’s unique about the founders is that they have control over the hosting. That’s what’s represented with the dashed line to the UI. They also put in more work in the form of writing code, marketing, etc. The DoJ mentions all that in order to argue they’re a business.

But what about that DAO? It seems to control rather important stuff like how the relay selection works. Hence the other dotted line from TORN token holders to that DAO and from the DAO to the UI. So this begs the question what the liability is for the other token holders. Control aside, all token holders make money if the price goes up. So what happens to the VC if they ever decide to take profit?

Initial OFAC Announcement

I didn’t have too much to say on this. Once it was clear this wasn’t about the source code, I was at least somewhat less worried about it. It was clear CoinCenter and others were going to challenge it, so that was good. I think I took a wait and see approach. Well, we saw!

It did however trigger my curiosity as to how Tornado Cash actually works. I had barely heard of the project before, since I work on Bitcoin and hadn’t paid attention to Ethereum since 2017 or so. But what knowledge I had did come in handy.

This article came out a bit later: https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/

Pertsev arrest

Unlike US prosecutors, the Dutch prosecutor, Openbaar Ministerie (OM), does not publish detailed indictments. They start with a very short press release and then maybe they’ll say something in court. This is in part for privacy reasons, but obviously frustrating. The suspect does get to read their dossier of course, though not immediately, not all of it at once.

So because I happen to live in The Netherlands I was able to attend the court hearings. At the time there were so called “pro forma” hearings that were only supposed to cover his pre-trial detention. But because several of his friends, many supporters and a handful of journalists were present, both the defence and the prosecution were discussing the case itself. Much to the chagrin of the judge, but arguably to the benefit of society.

My thinking at the time is probably best distilled in a podcast episode Aaron van Wirdum and I did. The only one that wasn’t about Bitcoin.

The podcast also covers my thoughts on the compliance tool, which I think is of no use in the context of defending against money laundering charges. It lets users prove the source of funds to exchanges, but users can choose to not use it, so it doesn’t prevent anything.

However, and this is more recent thinking, perhaps the following line of argument could be used – in the Dutch case: all Dutch exchanges are licensed by the central bank and have to do strict compliance checks. It’s trivial to tell if coins come from Tornado Cash. So arguably such an exchange would be breaking the law if it didn’t ask their user to show the compliance tool report. That means that under Dutch law the compliance tool is sufficient. Well, unless you require Dutch companies and citizens to somehow control what people in other countries (with “weaker” laws) do.

Here’s what I wrote on Twitter around the same time:

Afaik he was charged, but didn’t get the dossier. And a charge like “facilitating money laundering” is about as vague as “undermining national security” or “hate speech” so there’s no way to defend the charge until more details are known. Hopefully he has a good lawyer. [tweet]

The term “verdachte” means “suspect”. “verdacht van” generally means “charged with”. Which is what you are until either the case is dropped or judge convicts you.
I think someone got confused in translating terminology. Afaik he’s not held without charge. [tweet]
https://www.fiod.nl/aanhouding-verdachte-ontwikkelaar-van-tornado-cash/

Being charged with something super vague and no access to your dossier is still very bad of course. [tweet]

Thread I reacted to: https://twitter.com/skywinder/status/1560655215929356288

If the above is indeed what Alex was told during his police interrogation, it is once again extremely disturbing.

It implies any Dutch person working on privacy tools may need to consider emigration. Companies may have to move headquarters.
It’s also unclear where the line is: can you publish a paper on encryption techniques that are specifically tailored for use in mixers or privacy tools? [tweet]

And when is the right time to do that? Do you wait for the final appeal of this case at some “supreme court”? That could be years. How many arrests will follow before that?

This podcast covered both the US situation and the Dutch arrest, and how they differ:

Defiant Podcast, August 20, 2022

.@jchervinsky is quite adamant that in the US the mere act of writing and publishing code is considered speech and protected by the First Amendment. I guess we’ll find out the hard way if it’s free speech in The Netherlands too…

Much later, in spring of 2023, I observed on Twitter that it was going to be very hard for Pertsev to get a fair trial in The Netherlands. [tweets in Dutch] He was forced to use a Dutch – Russian translator even though he speaks English just fine. Anyway, the situation presumably improved a lot once he was finally able to go home awaiting trial. With access to Google Translate and good stuff like that.

All the while the charges that the public prosecutor presented in the public hearings were intolerably vague. Of course we don’t know what was in the written stuff that only he and his lawyer had access to. His lawyer claimed that was extremely vague too, which wouldn’t surprise me, but at the same time it’s also what any good lawyer would say.

So we just kept waiting for more information… which the US government decided to provide in August 2023.

August 2023

The second arrest happened almost immediately after the OFAC related ruling, so I assume the DoJ was waiting to see what would happen. And the winds were favourable indeed. So I’m going to cover it first, even though they are different in many ways.

My main observation about the ruling is that the judge did not differentiate between the core immutable contract (where most of the ETH from innocent Americans is stuck) from the DAO smart contracts. The latter are far less important – in fact I couldn’t care less – and arguably much more reasonable to put on a sanctions list. These contracts are not immutable, there’s voting and tokenomics involved.

The DoJ analysis seems more aware of this distinction, though they (intentionally imo) fail to draw the correct conclusions from it.

The tokenomics play a bigger role in the DoJ case, and probably too in the Dutch case. But there the confusion is between the two different ways of using the smart contract: with or without all the DAO stuff.

I’ll get to all that. But this is what motivated me to draw the above diagram. And when trying to explain said diagram to non-bitcoiners I came to the conclusion it’s simply too complicated. Therefore my current thinking is to ignore the OFAC ruling (in the sense of not paying attention to the case, not in the sense of violating it) and wait for a more clear-cut immutable smart contract to set proper precedent.

Unfortunately for the criminal case I don’t believe we (people who work on open source money and/or privacy software, but who are not in the custody business) can ignore these. They appear to be setting extremely bad precedent for non-custodial mixers and even just wallets in general. This category was perceived as protected both in the US (by Fincen guidance) and in the EU (AMLD5 and the new travel rule mostly exclude non-custodial wallets, though mixers are less clear). Tornado Cash despite its “flaws” is totally non-custodial! Yet it is the subject of an all out attack in both jurisdictions. What’s next if they lose?

US judge approves OFAC sanction

I went through the whole thing yesterday. This was my live brain dump on Nostr, which mostly consisted of me taking a screenshot of part of the ruling and then commenting on it.

Fascinating. I think what the judge is saying here is that, in the context of what OFAC is allowed to do, if you create a vending machine and relinquish all control of it, it’s still your “property” and so it can be sanctioned.

The judge doesn’t discuss whether it’s relevant that the vending machine doesn’t and can’t pay you. Such discussion would be reminiscent of how the Dutch tax authorities treat trusts (even if it never pays you, you pay wealth tax as if it’s your own money).

But I think the better analogy would be donating the vending machine to a non-profit. You spent resources building it, but it now serves the commons, not you. Hopefully they’ll try that argument in the appeal.

Tokenomics is really biting Tornado Cash in the arse here. The judge is not making a clear distinction between the autonomous and DAO-controlled smart contracts. Arguments that make (some) sense for the latter are then applied to both.

When your tokenomics scheme gets compared to Hamas…

Rough translation of “cascading economic causation”: exit liquidity from degenerate gamblers. I find the argument that TORN token holders make money from mixing somewhat persuasive. Though it’s not spelled out here. Relayers stake tokens in order to receive priority (from the frontend javascript code), which improves their ETH revenue.

There is no “stream of revenue” whatsoever from the immutable core Tornado Cash contracts to the DAO. Only (indirectly, by means of their owners investing in TORN tokens) from the relayers to the DAO. The judge doesn’t notice this distinction, and I can’t fully blame them.

The weather probably wasn’t the best analogy, but the judge misses the point here imo. Again perhaps because it was near impossible to explain with all the tokenomics noise.

The weather in this analogy is the immutable core smart contract, not ‘the crypto-economy’. It may have a “property interest in smart contracts” but not in that particular one. Which happens to be the one that causes the most egregious violation of property rights for all American users (who could otherwise retrieve their coins with some manual commands not involving anything controlled by the DAO).

Imo by far the biggest problem here is the sanctioning of the core contract.

The free speech part of the ruling suggests to me that they could have made a good case, but just didn’t.

In the appeal, maybe try explaining how it is impossible to build an alternative system that would not inevitably get sanctioned. But then perhaps the judge will say: if you can’t use a decentralized system to pay someone, that’s tough luck, use a centralized shitcoin like USD.

“You didn’t do your homework, therefore government wins” (and anyone with coins trapped remains, as they have been for the past year, royally screwed).

The Second Arrest – Indictment

Although of course it’s not fun for Romanov, the silver lining of his arrest is that it provides clues as to what the Dutch prosecutor is charging Pertsev with (again, he and his lawyer know, but it’s not public information).

Reading through it brought back memories of what I heard in the court room. I assume they shared evidence. And I would not be surprised if they half copy-pasted the charges. That’s a problem, because the legal basis and charges are quite different. In The Netherlands the accusation is just money laundering, which involves some work to prove. In the US prosecutors generally just use the transmission-without-a-license charge, though there’s also a conspiracy charge.

And finally there’s sanctions violation, which doesn’t apply in NL. Here the laundering of NK hacker funds would “just” be laundering funds originating from a crime.

Now back to the indictment…

(I might get some sleep first though)
Narrator: I didn’t

https://storage.courtlistener.com/recap/gov.uscourts.txwd.1211705/gov.uscourts.txwd.1211705.94.0.pdf

At least up to point 31 it provides a solid explanation of the whole system, which matches my understanding of it. Worth reading.

I physically visited the first couple of hearings in The Netherlands. But the Dutch prosecutor is less transparent than the Americans. All we had until today were (fairly high level) oral arguments made in court.

I assume they’ve collaborated in making the case (or even copy pasted stuff). But it’s also possible they’re both making completely different arguments.

And the biggest question: will Pertsev (CC-1) get the ‘best’ deal of all with just a few years in Dutch prison (if he’s convicted at all), or the worst – by doing that and then, only after being released, suddenly getting extradited at the request of an extra vindictive US prosecutor?

But anyway, continuing to read… what’s the charge?

They’re facing up to 45 years in the US, I’d be shocked if it’s more than 5 over here. I think the max is 8.

The plot thickens, but it seems to hone in on the centralized parts of the system – as opposed to the core contract.

They’re going for the “profit from tokenomics” angle it seems… Remember that’s very indirect: relay operators buy tokens in order to get priority from UI users (this can be bypassed with some technical skill, certainly by the North Koreans), which drives up the price. More realistically, and what probably ACTUALLY happened, is that degens pushed up the price. So the profits came from gambling, not laundering. But maybe that’s why they’re only charged with conspiracy.

Reading on…

Yes they could have. And then someone would clone the UI code and remove the KYC stuff. So it’s a non-starter. It’s misleading of both the Dutch and US prosecutor to pretend otherwise.

What is it with people and self-incriminating (appearing) text messages ffs.

THE FBI CAN READ ANYTHING YOU EVER ENTERED ON ANY FUCKING KEYBOARD – or at least you should live accordingly. Like how a gun is always loaded even if you just checked and saw it wasn’t loaded

Anyway, very hand-wavy argument from the prosecutor.

Y’all better crowdfund them good lawyers. Because the same reasoning can be used against, say, a non-custodial phone wallet that doesn’t have KYC.

Because the attorney in question was a moron. Tornado Cash is non-custodial and does not have possession. And there was nothing they could do.

Or they’re really playing the same dirty trick as the Dutch prosecutor. First they pretend adding KYC to the UI would have been effective. Full well knowing that’s false. Then, when it suits them, they suddenly argue it would NOT be effective.

They paper over this glaring contradiction with the red underlined nonsense. None of those things would have stopped the transactions. The developers understood this, so they didn’t act. The prosecutor understands this too but hopes the jury doesn’t. Or in the case of the Dutch system – where judges are way less educated on the topic and there isn’t a single attorney who can teach them – the judge doesn’t.

They keep playing this game for a while. But notice what’s absent: there’s no allegation, let alone evidence, that the North Koreans used the UI. In fact they had no reason to. It would save money for their great leader to just do it themselves. And if the UI ran on CloudFlare it wouldn’t even work in NK.

This last bit is highly relevant in the Dutch case since they’re accused of laundering ‘billions’ and without the Lazarus funds that would drop to way less.

The SEC might have an opinion about that..

It seems like they’re undermining their case here. Clearly the money is coming from investors, not money launderers. This should have been a securities case.

Ok, that was quite possibly the worst move ever. Assuming it was a unilateral move by Storm, now the other two co-founders are sitting on coins (fiat?) received after the sanctions went into effect. Which comes with onerous reporting requirements, $1000+ / hour lawyers and countless ways for an eager prosecutor to (selectively) make your life hell.

It’s the kind of thing you do *after* you’ve all moved to a non-extradition tropical island of choice. Not when two of you are sitting ducks. (Not legal advice)

But also irrelevant to the Dutch case; these are US sanctions. Though perhaps there’s an indirect case for laundering the proceeds of a crime (violating sanctions law of a befriended country). In any case this is the first time I hear about it. Pretty sure the Dutch prosecutor would have brought this up in the courtroom full of journalists if she knew about it at the time.

So I’m not the only one to observe [that this seems to contradict the Fincen guidance]

https://www.coincenter.org/new-tornado-cash-indictments-seem-to-run-counter-to-fincen-guidance/

This makes the comparison to the Dutch case even murkier, since we don’t have this registration thing. Here the charge is simply money laundering, but that’s a higher bar to prove than simply not having a license.

This may actually turn out to be an international copy-paste screwup. Since both prosecutors are dealing with completely different legal frameworks and need to prove different things. But presumably they shared all the evidence.

Some of the reasoning (especially the worst parts) in the indictment is so similar to what I heard the Dutch prosecutor say that I suspect one side copy-pasted the other. Probably the US copying NL, lowering the charge from actual money laundering to just conspiracy, and then – out of habit and without reading the FinCen guidance – slapping on the missing registration thing.

If they HAD read that guidance they presumably would have referred to it and explained why it doesn’t apply.

What’s Next?

Well, I guess we wait.

2 comments

  1. I liked your article. The chart is quite useful.

    One nitpick.

    I could be wrong, but you seem to be implying that the charge in the Netherlands is for money laundering, but the charge in the U.S. is simply for unlicensed money transmission.

    But it’s more nuanced than that. The charges in the U.S. are all conspiracy charges. They include:

    1. conspiracy to operate an unlicensed money transmitting business
    2. conspiracy to commit money laundering

    So there is certainly a money laundering accusation in the U.S.

    I think that might change your analysis?

    Click through to my website where I also try to figure out what is going on with Tornado Cash.

  2. The difference I see is that the US merely has to prove “conspiracy”, which is a lower burden of evidence than in the Netherlands – where they want to prove “actual” money laundering. And not having a license to transmit money is an even lower bar.
