How do you ban an open-source software project and make it stick?
That’s the question facing the Treasury Department, which last week added open-source cryptocurrency mixer Tornado Cash to a U.S. government list of individuals and entities blacklisted for violating sanctions. In this case, Tornado Cash — which helps keep cryptocurrency transactions private — made the list for violating sanctions against North Korea.
But Tornado Cash isn’t a company. It’s an open-source software project based on the Ethereum blockchain, maintained by people and servers spread around the globe. As the team wrote in a 2020 blog post, “From now on, Tornado.cash is largely living by the precepts that code is law. … No one can modify the smart contracts and the protocol is decentralized and unstoppable, as long as Ethereum isn’t changed or taken down.”
The U.S. action raises a host of questions about whether any government can effectively sanction open-source code, rather than individuals, and what widespread effects that might have for not just future open-source projects, but anyone who has used Tornado Cash. There have been 12,243 unique user deposits on Tornado Cash, according to Dune Analytics, a blockchain analytics platform.
“They weren’t just sanctioning a specific entity or user like from, in this case, North Korea,” said Seth For Privacy, the pseudonym of a privacy educator whose work focuses on the cryptocurrency ecosystem.
“Instead, they’re sanctioning the entire tool, the entire open-source tool of decentralized smart contracts on [the cryptocurrency] Ethereum,” he said. “They went after the entire tool itself that had been used by an entity that was sanctioned. So that was a big, big shift from previously where normally sanctions are targeting an entity using a tool.”
How did we get here?
The Treasury Department added Tornado Cash to the sanctions list — known as the Specially Designated Nationals and Blocked Persons List (SDN list) — for allegedly facilitating millions of dollars in cryptocurrency transactions to the North Korean government at the hands of government-affiliated hackers.
In its statement, the Treasury Department said Tornado Cash “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group,” a state-sponsored North Korean hacking group that was sanctioned by the U.S. in 2019, which the department described as the largest-known virtual currency heist to date.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Undersecretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson in a statement. “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”
Contrary to popular belief, few cryptocurrency transactions are private.
Public blockchains, which can be thought of as digital ledgers, keep a record of all transactions. While cryptocurrency wallets or alphanumeric addresses where funds are sent are pseudonymous, the people behind them can be identified.
Indeed, people publicly post their wallet addresses online, and blockchain analytics or analysis companies like Chainalysis and Elliptic have made whole business models off of opening up the curtains and tracking cryptocurrency transactions.
They do things like identify, categorize and track addresses in real time, using modeling and visual representations to track changes on a blockchain and identify behaviors. In a sense, they follow the money.
Tornado Cash is a mixer, meaning that it helps obfuscate the origins and destinations of cryptocurrency transactions and makes them harder to trace, even for law enforcement. People can send funds to a smart contract on the Ethereum blockchain, which then mixes the funds, which are then withdrawn from another address. That contract address was on the sanctions list even though no one owns it; it’s merely a series of ones and zeros executing a task.
Chainalysis, a blockchain analytics company that has done multimillion-dollar business with the U.S. military and law enforcement, estimated that 18 percent of the funds received by Tornado Cash were from sanctioned entities, but said “almost entirely, we should note, before those entities were sanctioned.”
Detractors of the mixer service argue that it’s used solely by criminals for money laundering. Proponents tout the privacy-preserving function, which is also used by a significant number of law-abiding people.
“While we and many others have been working alongside both sides in the aisle in a positive direction on crypto and privacy, this move blindsided everyone,” said Josh Swihart, senior vice president of growth, product strategy and regulatory affairs at Electric Coin Company, creators and supporters of the anonymity-enhancing cryptocurrency Zcash.
After the government announced the sanctions against Tornado Cash, Microsoft deleted the accounts of Tornado Cash contributors and the project itself from GitHub, a platform where developers collaboratively create and maintain open-source software. It has over 83 million users.
“Thirty years of hard legal work to establish first amendment protections around software distribution, blown up in a day by GitHub/Microsoft,” tweeted Johns Hopkins University cryptography professor Matthew Green.
“Trade laws require GitHub to restrict users and customers identified as Specially Designated Nationals (SDNs) or other denied or blocked parties, or that may be using GitHub on behalf of blocked parties,” said a GitHub spokesperson in a statement. “At the same time, GitHub’s vision is to be the global platform for developer collaboration. We examine government sanctions thoroughly to be certain that users and customers are not impacted beyond what is required by law.”
The impact to open source
The move to sanction a tool, rather than, for example, a cryptocurrency wallet address directly affiliated with a national security threat, has sent shock waves through the cryptocurrency community.
“The implications of [the Treasury Department] adding the Tornado Cash protocol to the sanction list was actually greater for the world beyond crypto than for crypto itself,” said Omid Malekan, an adjunct professor at Columbia Business School who teaches courses on crypto and blockchain.
The U.S. government “took the drastic step of sanctioning an open-source, decentralized protocol — specifically actually adding the Ethereum addresses of the smart contracts where the code lives,” along with the addresses to access the service, he said.
That effectively criminalizes the act of seeking financial privacy, Malekan said, and opens up a can of worms around open source — such as whether the government will charge someone who wrote code because a criminal later used that code.
Seth For Privacy said there may also be risks for users of the Tornado Cash service. He wonders what will happen with any of their funds that interacted with Tornado Cash and whether that money would be subject to criminal action.
On Friday, Dutch authorities announced they had arrested a 29-year-old for being “suspected of involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash.”
Authorities said multiple arrests could not be ruled out.
A slippery slope
Because crypto wallets cannot reject incoming transactions, an anonymous Twitter user out to prove a point started sending a slew of incredibly small, unsolicited transactions of Ethereum that had interacted with Tornado Cash to the public wallets of celebrities, in theory implicating them in potential violations of sanctions laws.
Malekan performed a similar public experiment on Twitter by donating a small amount of Ethereum, via Tornado Cash, to Planned Parenthood and to a secret group of Russians helping Ukrainian refugees. In both cases, he said, he committed a crime, but did so to illustrate that privacy itself should not be criminalized.
“There are 10,000 vanilla reasons why somebody would want to use Tornado Cash for something completely mundane in a way that is not remotely criminal or illicit,” he said.
Hailey Lennon, a shareholder at the law firm Anderson Kill’s Technology, Media and Distributed Systems Group, said the further sanctions regimes get from a direct connection to helping terrorists and covering the source of funds, the more you get “toward developers and open source that gets really sticky.”
She also pointed out that there is a tension between national security and privacy in this case, with national security used as a justification for intruding on privacy. Similar debates play out around encrypted communications, for example.
“When 9/11 happened, it gave the Patriot Act sharper teeth,” she said. “It changed the way we travel and how financial institutions surveil transactions.”
The government’s actions have already made it harder for Tornado Cash users to access the service, although whether sanctions can truly eliminate an open-source project remains to be seen. In addition to Microsoft removing the code and contributors from GitHub, two major application programming interface and infrastructure providers, Alchemy and Infura, have blocked API access to Tornado Cash’s front-end interface. That means users trying to access it through these APIs — software intermediaries that let apps talk to each other — cannot see Tornado Cash. Users can still reach the Tornado Cash service, but it’s going to get increasingly harder and more complicated over time.
“I think the main things for a project to be prepared for when building their project is to make sure it’s built for adversarial environments,” said Seth for Privacy. “Not assuming that the current environment will last forever, or that their tool itself will always be considered above board and OK.”
Thanks to Lillian Barkley and Alicia Benjamin for copy editing this article.