Office of Foreign Assets Control

This agency is a division of the U.S. Treasury Department and has been irrelevant for quite a long time. Its function is to control (and to sanction) irregular trade activities with foreign assets. The scope of regulation depends on the definition of “foreign”: if “foreign” is interpreted as anything not produced in USA, its controlling activity is acceptable. If “foreign” is applied to assets established in other countries, in this case, it would not apply.

The OFAC has become relevant lately for the investigation and sanctions imposed over the Tornado Cash platform. Tornado Cash is a project which name fits ok: it is a decentralized non- custodial virtual currency mixer, that operates on the Ethereum blockchain. Basically, the platform receives a certain amount in crypto from a wallet and it goes to the “tornado” to be deposited in a smart contract in exchange for a receipt, which can be exchanged for the user’s cryptocurrencies at any moment sending, thereafter, the funds to another wallet, affecting traceability. This mechanism is justified to preserve crypto users’ identities but it is quite attractive for cybercrime. For a comprehensive understanding about Tornado Cash operation, we recommend this article and this video.

As reported by Chainalysis, almost 10% of fraudulent money came from mixers in 2022, with an estimation of USD 50,000,000 on a daily basis operated through these platforms in April 2022 (with legal and illegal transactions). In the case of Tornado Cash, almost 30% of the money received came from entities that were subsequently sanctioned or from stolen funds. A key question to consider is the effects of restricting these tools for those who use them legally aiming to protect their identities.

The sanctions over Tornado Cash were attributed to the fraudulent transactions of those pursuing illegal activities, not for the platform’s services. OFAC has reported that, in the case of Lazarus Group (a group of cybercriminals based in North Korea), the platform was a key factor in enabling criminals “to escape” with the funds obtained from the hack to Ronin Bridge of Axie Infinity (one of the largest crypto thefts over the last years estimated in USD 620,000,000) together with Harmony and Nomad Bridges. Blender.io., another crypto mixer, has also been used by the North Korean hackers for illegal activities. We recommend this article for further information on this fraudulent activity.

Sanctions imposed by regulators are being applied on platforms that do not custody deposits but only allow users to deposit crypto in smart contracts. This regulatory move is moving forward towards centralized and decentralized projects as well.

The statements made by the Under Secretary of the Treasury are very clear in such respect. Tornado Cash has been sanctioned for having failed to impose effective controls to avoid being used as a tool for cybercrime and  the agency will keep on pursuing actions to fight against cybercrime. Extrapolating Brian Nelson’s statement, it would be like holding weapons’ manufacturers liable for all armed robberies.

The OFAC alleges that Tornado Cash has laundered USD 455 million worth of
cryptocurrency for Lazarus Group (on the grounds that the platform must have materially assisted, sponsored or provided financial support to hackers), reason why the agency blocked 44 Ethereum-related addresses connected with this fraud. However, the decentralized nature of the project obstacles control as well as the fact that governance is made through an open-code DAO.

The OFAC could reconsider the sanctions applied to Tornado Cash if it agrees to apply its “recommendations” for virtual currencies to all their operations, the recommendations can be seen here. Due to the fact that the platform is outside its jurisdiction, the agency has no governance over it and can only address indirect enforcement actions.

Sanctions compliance poses a challenge for many protocols and platforms unable (or not willing) to comply with such requirements; for example, DeFi platforms, mining and web3 infrastructure providers. Within this context, Tornado Cash sent small payments to different users prior to OFAC’s designation; receivers were not able to refuse such deposits (incoming transfers cannot be blocked) with the possibility to appear as sanctions’ defaulters.

We share the position of the Blockchain Arbitration Society (we strongly recommend to read it) regarding blockchain lawfulness. It is completely legal to protect users’ identities behind blockchain transactions (which are public and transparent) and this fact contributes to users’ safety. The position of other crypto platforms is quite interesting. For example, Tether refused to apply sanctions until further instructions from OFAC regarding stablecoins’ projects. In the meantime, one of Tornado Cash developers was sent to prison in The Netherlands (given the platform is governed by a DAO, the prisoner has no control over it). Coinbase and Ethereum also defied OFAC invoking it had overstepped, setting a precedent regarding the legal liability of smart contracts, its developers and DAOs-governed projects, with or without legal identity.

To conclude, it is important to highlight the fact that, in such a huge inter-connected market, many bona-fide crypto investors are likely to have received assets managed by Tornado Cash in a given time. To extend the sanction imposed over Lazarus Group to Tornado Cash is an abusive enforcement action that affects many crypto users who want to make use of this useful and legal tool and undermines the potential the industry has.