An Alleged Tornado Cash Developer Was Arrested. Are You Next?
Should Tim Cook of Apple be thrown in jail for manufacturing a phone that’s used by criminals to plan heists? Should the CEO of Boeing be punished for building the planes that hijackers flew into the World Trade Center? Is the inventor of the pressure cooker criminally responsible for making something that can be turned into a bomb?
On Friday, news broke that Dutch authorities have arrested someone who allegedly contributed to the open-source Tornado Cash cryptocurrency tumbler on Ethereum. The full story is not yet known, though many crypto and privacy advocates were immediately troubled by the prospect of criminalizing code.
We know the person arrested is a 29-year-old male who was apprehended in Amsterdam. We know Tornado Cash is a service used to anonymize crypto transactions that was sanctioned by the U.S. Treasury Department on Monday. We know Dutch financial regulators opened a criminal investigation into that service in June.
The coder, however, was only “suspected” of helping to code Tornado Cash. And, likewise, only “suspected of involvement in concealing criminal financial flows and facilitating money laundering,” according to the Dutch Fiscal Information and Investigation Service (FIOD).
We do not know the full implications of this move, how wide the probe is or what it might mean for crypto in future. “Multiple arrests are not ruled out,” the Dutch financial investigators said in a statement.
Depending on how things shake out, how Tornado Cash’s founders are “dealt with” by criminal investigators and for what justification, the case could have a significant chilling effect on crypto development – especially projects or updates related to privacy.
For years, crypto coders have acted under a cloud of uncertainty. There are real differences between how a truly decentralized program operates in the wild and other software projects, differences that are not yet fully understood under the law. But there’s also something like self-denial at play by the crypto industry, which may lead to a false sense of security or confidence.
There are certain things about writing code that are pretty cut and dried. At least in the U.S., merely publishing code on GitHub is almost always legal if it’s an original idea – even for controversial things like ghost guns and crypto mixers. That’s a legacy of the so-called cryptography wars 30 years ago: Code is a language, cryptography is speech and the government is constitutionally prevented from banning its production under, say, munitions regulations.
The situation gets dicier when you move beyond the act of writing. “Without commenting on Tornado Cash specifically, acts like providing help to someone who wants to use the code, uploading a mixing smart contract to a protocol or operating a web app which can hook into a user’s MetaMask wallet strays into potentially criminal territory,” Preston Byrne, a lawyer who specializes in cybercrime and crypto, told Motherboard this week.
This is not the first time a privacy-app developer has been arrested. Last year, the U.S. Department of Justice arrested Roman Sterlingov, the owner and operator of crypto mixer Bitcoin Fog, for allegedly assisting money laundering. That was a few months after Larry Dean Harmon pleaded guilty to running the unlicensed money-transmitting business Helix and to conspiracy charges related to money laundering on the crypto mixer.
(The difference between Tornado and Helix or Bitcoin Fog is that the latter two were “custodial,” meaning they took possession of users’ funds – a distinction that may no longer matter when it comes to facilitating money laundering or operating a money transmitter.)
On Monday, the U.S. Treasury Department’s Office of Foreign Assets Control took the unprecedented step of designating a smart contract as a Specially Designated National. This is a classification typically reserved for terrorist organizations and nation-states. It’s a bit like arresting a robot – one that no one can power down or keep others from using.
Tornado Cash is an open-source protocol, meaning that anyone can contribute to or deploy its code. It’s non-custodial, meaning it doesn’t hold onto users’ funds, nor did it have administrators that could see who was using the application or freeze transactions. Its founders burned the cryptographic keys needed to decrypt anonymous transactions on the platform.
That doesn’t mean its founders didn’t attempt to comply with financial regulations, when asked. In April, Tornado began working with blockchain analytics firm Chainalysis to block addresses sanctioned by OFAC following a particularly high-profile hack orchestrated by the North Korea-backed Lazarus Group. But they were limited in what they could do beyond basically screening the protocol’s “front-end” website.
Once deployed on Ethereum, a smart contract is immutable. This is at least part of the reason why crypto boosters have been so enraged by the recent international actions taken against Tornado. MakerDAO’s Rune Christensen was right to call the sanctions “useless,” because anyone – smart enough to use the command line, and dumb enough to break the law – can still transact with the robot.
In other words, Tornado is a system that operates autonomously. It’s just something that exists in the world – ready to be put to use like an iPhone, a plane or a pressure cooker. And how often are inventors held liable if their systems are misused? As Mike Dudas pointed out, Mastercard (MA) and SWIFT help process fraudulent transactions every day.
But this argument is not enough. You won’t get far calling cops hypocrites. Although Tornado was clearly used for more than crime – Elliptic and Chainalysis both estimated upwards of $1 billion worth of crypto can be tied back to hacks or malware, out of the $7 billion deposited since 2019 – it was still a system designed specifically to shift some financial flows outside of the purview of financial regulators.
Cops don’t like that. Shifting financial flows without their knowing much about it. Crypto users can say it’s none of the cops’ business how they use their money, but that’s not how the world works. The world isn’t interested in knowing how or why these systems actually operate.
For goodness’ sake, the U.S. Treasury said that Tornado was used to launder $7 billion worth of crypto, vastly overestimating that amount, according to the data – meaning it either doesn’t care about the data or is comfortable saying all money that flows by outside its sights is definitionally laundered.
The question for coders might be where this stops, where contributing to a privacy-preserving app crosses the line into facilitating money laundering. Is contributing to Bitcoin’s Taproot part of a conspiracy to assist money laundering, if it eventually improves bitcoin’s privacy? What about contributing to Monero’s upcoming upgrade?
Bloomberg’s Matt Levine has a catchphrase, “everything is securities fraud,” because anything could be considered securities fraud under the broad definition under which the U.S. Securities and Exchange Commission operates. Gary Gensler, the SEC chairman, applies what he calls a “duck test” to determine what is or isn’t a security – essentially a gut call. The same is true for “wire fraud,” or a financial crime “involving the use of telecommunications or information technology.”
Again, we don’t know why this “supposed” Tornado coder was arrested. He could have been working directly with criminal entities or sanctioned governments to tumble ill-gotten gains on Tornado. Or, he could have been like Virgil Griffith, the Ethereum Foundation developer who traveled to North Korea and was charged with sanctions violations for sharing publicly available information about crypto at a conference.
But Griffith was warned by U.S. state officials before traveling, and he went to North Korea anyway. He may have only been giving an idiot’s guide to Ethereum, but he knew that information was interesting because it was framed as a way to bust sanctions.
When it comes to crypto mixers, the warning is clear enough. There’s little hope remaining that someone can deploy an app, let it run and wash their hands of ownership. Even if it’s strictly up to users what to do with the app, there’s still a person behind the code. And it’s probably better if we don’t know their name.
– D.K.