So by now you’ve seen that the U.S. Department of Justice brought charges against Roman Storm and Roman Semenov, two of the co-founders of Tornado Cash. One – Storm – was arrested last week, is now out on bail and will appear before a judge in the U.S. District Court for the Southern District of New York next week.
The indictments and arrest drew alarm from the crypto ecosystem, with concerned individuals decrying what they saw as efforts to regulate the very development and deployment of software intended to guarantee privacy in transactions.
First: A disclaimer that we don’t yet have all the facts in the case. The DOJ hasn’t presented much beyond an indictment with allegations, and some of the allegations need important details to contextualize the arguments, as we’ll get into.
As far as the allegations themselves go, there are some facts that aren’t really great for the industry: the DOJ alleged that Storm and Semenov created a program and user interface that allowed for malicious actors to launder up to $1 billion in crypto – including North Korea’s Lazarus Group, which allegedly moved “hundreds of millions” through the mixer (leading to last year’s sanctions).
“These are individuals who were allegedly helping North Korea with economic transactions, allegedly in aid of a nuclear weapons program. Those are really, really serious allegations,” said Anand Sithian, a former financial crimes prosecutor now with Crowell & Moring.
But even if the actions alleged by the government are true and Tornado Cash was used to launder money to North Korea making crypto live down to its reputation as being a tool for the dregs of humanity, the charges against the three accused are very specific and this case may not be an indictment of the industry as a whole or a power grab over privacy tools.
The charges themselves – conspiracy to operate an unlicensed money services business, conspiracy to commit money laundering and conspiracy to violate the International Emergency Economic Powers Act (in other words, violate sanctions) are all based on agreements between the indicted parties.
“Certainly, the government will want to prove the substantive charge, that he actually did these things, but did these two individuals come to a meeting of the minds as to the conduct that is alleged to violate these federal statutes? That is what the government is going to have to prove,” he said.
It may also be difficult to distinguish between the time period where the developers had control over Tornado Cash from when they didn’t, he noted. Tornado Cash’s developers famously burned their keys, arguing they no longer had the ability to unilaterally change the smart contract code.
“It's really hard to decipher if the government actually believes that they gave up control,” he said. But, this issue may only apply to the money services business charge.
Moreover, the DOJ seems to be specifically arguing that it was the user interface at issue, rather than the smart contract itself, said Craig Timm, a senior director of anti-money laundering at the Association of Certified Anti-Money Laundering Specialists (ACAMS).
“You've got to think about it sort of separate in your mind, the Tornado Cash smart contract from the user interface in the website, because I think that's exactly what the Department of Justice is doing,” he said.
It seems unlikely the charges would be brought if there was no user interface, he added.
Tornado Cash’s native TORN token is another complicating factor, Sithian said. According to the indictment, the defendants used the token to profit off of the operation of Tornado Cash as a service. The filing cites messages they sent to each other, where they allegedly discussed the need to pump TORN’s price.
They converted their TORN token holdings into stablecoins, with Storm advising Semenov and Pertsev to create new wallets and further move the funds around, the indictment said. This allegation that the accused were using Tornado Cash to pad their own accounts is another serious blow against the accused and would again seem to argue that the indictment is more narrowly tailored than an attempt to rein in the industry.
The idea that “they were in the business of making money off really bad actors [is] a compelling argument for a jury,” he said. It can help prosecutors provide a reason for why Storm and Semenov were working on Tornado Cash, as opposed to the more altruistic argument that they just wanted to defend privacy.
Timm echoed this view, saying that prosecutors don’t need to prove a motive but prosecutors would typically share one anyway for the jury.
“What [the DOJ has] done here is lay out a bunch of evidence to try to paint the picture that these guys weren't just in it for software or development, they just weren't good Samaritans here,” he said. “They were in this for money, and in fact, they were deceptive with their community about the money they were making [and] how they were profiting.”
Coin Center, an industry group, took a competing view, saying the indictment’s allegations suggest that Storm and Semenov remained within parameters defined by the Financial Crimes Enforcement Network (FinCEN).
“The allegations include that the defendants: (a) paid for web hosting services for a user interface that allowed users to send transaction messages to the underlying smart contracts, (b) paid for a software repository (Github) where smart contract and user interface software and documentation was hosted, and (c) had (for a time before May 2020) “complete control” over the Tornado Cash smart contracts,” research director Peter Van Valkenburgh said in a blog post.
FinCEN’s guidance went on to say that the publisher of anonymizing software would not be treated like a money transmitter. Storm and Semonov, if they were only the publishers of the Tornado Cash software, shouldn’t be treated like the operators, Van Valkenburgh wrote.
Some parts of the case may hinge around the question of whether the defendants controlled Tornado Cash as a service.
Timm said the DOJ is trying to argue that Tornado Cash wasn’t decentralized, that it was a centralized entity running a website and trying to profit off of the service being provided.
“The allegations aren't aimed at the smart contract. They're aimed at the user interface where they could have done any number of things that could have shut it down, they could have put controls in it, they could have done any of these things once they knew criminal money is here, but they didn't,” he said. “And they knew that their system was then designed to conceal it and make it easier for the criminals to move that money.”
Van Valkenburgh wrote that to Coin Center’s knowledge, the defendants never had the ability to directly access user funds, which would again suggest they weren’t violating FinCEN guidance for money transmitters.
The details about exchanges that were hacked reaching out to the developers for assistance and being turned away may play in here.
Of course, what we don’t know is whether the developers said they couldn’t help the hacked exchanges or if they wouldn’t help the hacked exchanges. If they said they couldn’t because they didn’t have control over the smart contract or any aspect of the user interface that would have allowed them to help, that’s one story. If they said they wouldn’t help, but could have, that’s an entirely different one. The indictment only says the defendants responded to at least two emails from exchanges “declining to offer any assistance.”
Brian Klein, Storm’s attorney, said there was “a lot more to this story” in a statement last week.
“We are incredibly disappointed that the prosecutors chose to charge Mr. Storm because he helped develop software, and they did so based on a novel legal theory with dangerous implications for all software developers,” he said.
So while it’s possible that Klein is right and that when all the details are known, this case may prove a dangerous precedent for the crypto industry, from the facts that are known at present, it looks more targeted at Tornado Cash and the actors behind it rather than something that could have a chilling effect on the ecosystem.