Cryptocurrency Mixer Tornado Cash Sanctioned by U.S. Treasury Department
-
19 août 2022
-
Overview
On August 8, the tumbler/mixer Tornado Cash was sanctioned by the Office of Foreign Assets Control (OFAC), an enforcement agency within the U.S. Department of the Treasury. According to a press release from the U.S. Treasury, Tornado Cash had been used to launder more than $7 billion worth of virtual currency since its founding in 2019, including more than $455 million stolen by the Lazarus Group, a cyberterrorism group sponsored by the North Korean government.1 Blockchain analytics firm Elliptic estimates the number to be lower at about $1.5 billion but estimates that over 20% of all activity on the protocol has supported illicit activity such as theft, sanctions evasion or fraud.2 This action follows the sanctioning of a similar service, Blender.io, on May 6, 2022.3 Ari Redbord, head of legal and government affairs at analytics firm TRM Labs, called the move the U.S. Treasury Department’s “’largest, most impactful action’ in crypto to date.4
The specific action taken by OFAC was to add Tornado Cash to its Specially Designated Nationals (SDN) blacklist, which effectively removes the entity from the global financial system and explicitly bans "U.S. persons", including digital asset exchanges operating in the U.S., from transacting with it.5 This is a novel action: for the first time, the U.S. Department of the Treasury has sanctioned a smart contract and a tool, substantially increasing the degree of technical engagement with the industry by the U.S. Treasury Department.
About Tornado Cash
Tornado Cash is an Ethereum-based (ETH) virtual currency tumbler that mixes a variety of Ethereum-based transactions (i.e., both ETH and ERC-20 tokens) into a lockbox that can be withdrawn by individuals who possess specific keys. Providing those keys takes place within a "zero knowledge proof" algorithm in which the withdrawer proves they have the required keys in hashed form without actually providing them to the verification service on the Tornado side and therefore compromising their identity. To further protect the anonymity of users, only a few pre-set quantities can be transacted on the protocol. Assets that have gone through the Tornado Cash protocol are not easily traceable.6
Bitcoin's alternative to tumblers/mixers
An alternative to tumblers/mixers for privacy available to BTC users is Taproot, a soft fork network upgrade for Bitcoin that improves privacy and adds complex transactions through Schnorr signatures, which is an alternative to the current ECDSA signature method. The upgrade enables identify obfuscation by combining multiple signatures and transactions into a single one, effectively introducing multi-sig and multi-input transactions that are cheaper, easier and more efficient. A transaction can use multiple features and functions all while not disclosing its real form to other network participants. A peer-to-peer transaction, a smart transaction, or even a lightning network transaction will all look the same on blockchain explorers where Taproot is used.7
Taproot also helps with scalability by reducing transaction space by at least 20%,8 and there could potentially be more savings if a majority of transactions use multi signatures - mass adoption will ultimately bring higher transaction throughput and lower fees.9
While there are legitimate use cases related to privacy for the service, Tornado’s services have been involved in some of the most notorious hacks and thefts in recent cryptocurrency history, including the Ronin and Harmony cross-chain bridge hacks, both allegedly perpetrated by North Korea's Lazarus Group.10 In the August 8 SDN listing press release, the U.S. Treasury Department declared Tornado Cash a threat to U.S. national security.11
About the sanctions and implications
The consequences for a U.S. person found to be engaging in any transactions with an entity on SDN list can be severe: possible penalties include multi-million-dollar fines (31 CFR Appendix A to Part 501 I.F.) and lengthy prison terms.12
In addition to sanctioning the Tornado Cash protocol and related tools, OFAC also sanctioned a list of large wallets associated with the protocol. Some of those wallets held the ERC-20 version of the USDC stablecoin. USDC issuer Circle froze the funds of those large wallets to avoid culpability in any related sanctions violations.13
The action by Circle highlights a risk factor many stablecoin holders might not consider: the issuer has broad rights to freeze wallets if it believes those wallets are involved in a regulatory compliance breach. If the issuer’s assessment turns out to be wrong, it could lead to costly and protracted litigation to recover the assets or fiat equivalent.
Remote Procedure Call (RPC) node provider Infura, owned by the U.S. firm ConsenSys, and Web3 development platform Alchemy are now blocking application programming interface (API) requests to the Tornado Cash smart contract.14 The MetaMask wallet uses Infura as its default RPC endpoint for connecting to the Ethereum network.15
Enforcement challenges and dusting attacks
There are challenging questions about enforcement that have not yet been worked out. Ether and ERC-20 tokens that traveled through the Tornado Cash protocol will find their way into broader trading activity. Is anyone who ever receives such ETH guilty of transacting with an SDN and subject to up to 30 years in prison? If tainted ETH enters a DeFi exchange (DEX), are liquidity providers on that platform similarly at risk? Are DEX users who swap another asset for tainted ETH at risk? Are ETH stakers and miners that unwittingly propagate transactions involving the protocol at risk?16
Dusting attacks explained
A “dusting” attack is a technique in which small amounts of cryptocurrency known as ‘dust’ are sent to thousands of addresses. In this case, the impetus for the dusting attack was to create decoy instances of tainted crypto to muddy the analysis into assets with a nexus to Tornado Cash. Since the transfers occur on-chain, any party with the required tools can also analyze the resulting dust, meaning both adversaries and law enforcement can examine the activity. In other dusting attacks, bad actors often track addresses where they sent dust and attempt to de-anonymize them, particularly wallets holding large quantities of digital assets. Past cases where identities were determined through this method have led to targeted attacks, such as phishing and extortion.17 18
Recently, entities distributed 0.1 ETH to a variety of celebrities in a "dusting" attack. Recipients of these Tornado-tainted digital assets may technically have transacted with a sanctioned entity and themselves be in violations of U.S. sanctions. However, it appears unlikely that the celebrity dusting attack victims will be charged.19
Risk of copycat services
Tornado Cash is an open-source tool that until recently was available to programmers globally on the ubiquitous GitHub code sharing platform. With the announcement of the OFAC action, Tornado Cash’s GitHub and website were taken offline, and the GitHub account of Tornado Cash developer Roman Semenov was suspended.20
Bad actors with past access to the Tornado Cash open-source code base, or even those without that access for that matter, could theoretically replicate the functionality of Tornado Cash in a new incarnation on either the internet or dark web. Indeed, there are multiple bad actors around the world who are so motivated. As law enforcement’s ability to monitor the dark web has improved in recent years, as has crypto asset tracing capabilities, such a service would face major challenges to operate over time and build the network effects needed to be successful – such services become valuable only when many users recognize and use them, and without many independent users on the platform, there is not enough to mix or blend, and thereby become a tool that can obfuscate a significant quantity of transactions. Nevertheless, the existence of nefarious code bases on GitHub and other open-source repositories seems to be a logical next space for increased attention from regulators and law enforcement.
Operational refinements
There are several operating areas where organizations engaged in digital asset businesses may need a refreshed review due to this action by OFAC, including:
- Reporting: Leading firms are developing the capability to produce reporting that summarizes digital assets that have had any past hops through mixer/blender protocols such as Tornado Cash. Reporting tools send automated API-based queries to multiple blockchain analytics providers and aggregate results in a consolidated report, produced perhaps daily or on command, that summarizes the specific assets in the entity’s inventory with a nexus to sanctioned digital assets, noting whether that nexus is to a sanctioned entity such as Tornado Cash, or to specific wallets on the SDN list or in OFAC-restricted countries.
- Model validation: Models embedded in transaction monitoring tools, whether built in-house or supplied by a vendor, may need a refresh as a result of this action. Organizations should review their transaction monitoring capabilities with respect to sanctions and identify cases where analytics and/or reporting may be incomplete as a result of a gap in a model.
- Risk management policy: Operating procedures, control repositories, and risk policy and procedures may need edits or amendments to require the reporting described above, and to set out the operating procedures and corrective controls in place to quickly and effectively redress the identification of any sanctioned digital assets on the platform and submit required regulatory reporting.
- Cybersecurity: Dusting attacks have demonstrated that institutional and individual wallet addresses were more widely known than was realized in some cases. The wider awareness of business wallets to potential cybercriminals seeking dusting targets provides an impetus for a review of various cybersecurity hygiene leading practices. Implementing protections to block trades with Tornado Cash wallet addresses, and checks on outgoing crypto transfers for possible tainted crypto, may also be needed to reach compliance with OFAC’s new ruling.
FTI Consulting professionals are well versed in all of the above topics and can advise you on the approach and implementation of this range of work.
Footnotes:
1: U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash, U.S. Department of the Treasury (August 8, 2022), https://home.treasury.gov/news/press-releases/jy0916.
2: Tornado Cash Mixer Sanctioned After Laundering Over $1.5 Billion, Elliptic Connect, (August 8, 2022), https://hub.elliptic.co/analysis/tornado-cash-mixer-sanctioned-after-laundering-over-1-5-billion/.
3: U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats, U.S. Department of the Treasury, (May 6, 2022), https://home.treasury.gov/news/press-releases/jy0768.
4: Nikhilesh De, Crypto-Mixing Service Tornado Cash Blacklisted by US Treasury, CoinDesk, (August 8, 2022), https://www.coindesk.com/policy/2022/08/08/crypto-mixing-service-tornado-cash-blacklisted-by-us-treasury/.
5: U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats, Press Release, U.S. Department of the Treasury, (May 6, 2022), https://home.treasury.gov/news/press-releases/jy0768.
6: Josiah Makori, What Is Tornado Cash And How Does It Work?, CoinGecko.com, (August 17, 2022), https://www.coingecko.com/learn/what-is-tornado-cash-and-how-does-it-work.
7: Alyssa Hertig, Taproot, Bitcoin’s Long-Anticipated Upgrade, Has Activated, CoinDesk (November 12, 2021), https://www.coindesk.com/tech/2021/11/13/taproot-bitcoins-long-anticipated-upgrade-activates-this-weekend/.
8: Oluwapelumi Adejumo, Scalability comes to Bitcoin as Taproot upgrade goes live, CryptoSlate.com, (November 15, 2021), https://cryptonews.net/news/bitcoin/2677103/.
9: Alyssa Hertig, Taproot, Bitcoin’s Long-Anticipated Upgrade, Has Activated, CoinDesk (November 12, 2021), https://www.coindesk.com/tech/2021/11/13/taproot-bitcoins-long-anticipated-upgrade-activates-this-weekend/.
10: Tornado Cash Mixer Sanctioned After Laundering Over $1.5 Billion, Elliptic Connect, (August 8, 2022), https://hub.elliptic.co/analysis/tornado-cash-mixer-sanctioned-after-laundering-over-1-5-billion/.
11: U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash, U.S. Department of the Treasury (August 8, 2022), https://home.treasury.gov/news/press-releases/jy0916.
12: Parties assessed civil penalties by OFAC for transacting with SDNs may be subject to a criminal referral for investigation and prosecution for violations of the Trading with the Enemy Act of 1917 or the International Emergency Economic Powers Act of 1977.
13: Circle freezes USDC funds in Tornado Cash’s US Treasury-sanctioned wallets, CoinMarketCal.com, (August 8, 2022), https://coinmarketcal.com/en/news/circle-freezes-usdc-funds-in-tornado-cashs-us-treasury-sanctioned-wallets.
14: Zhiyuan Sun, Alchemy and Infura block access to Tornado Cash as Vitalik Buterin weighs in on debate, CoinTelegraph, (August 9, 2022), https://cointelegraph.com/news/alchemy-and-infura-block-access-to-tornado-cash-as-vitalik-buterin-weighs-in-on-debate.
15: Frequently Asked Questions, Infura.io website, https://infura.io/faq/general.
16: Tornado Cash Crackdown: What Is Going On?, Coin Bureau Clips via YouTube, (August 9, 2022), https://www.youtube.com/watch?v=Hw-2zrODTv4.
17: Joshua Mapperson, Understanding Litecoin’s Dusting Attack: What Happened and Why, Cointelegraph, (August 15, 2019), https://cointelegraph.com/news/understanding-litecoins-dusting-attack-what-happened-and-why.
18: What is Bitcoin Dust Attack Explained, NowNodes.io blog, (September 21, 2020), https://medium.com/coinmonks/bitcoin-dust-attack-explained-2b3bebd4b373.
19: Juhi Mirza, Tornado Cash dusting attack trolls Jimmy Fallon, Logan Paul, and other crypto celebs, Planet Crypto, (August 10, 2022), https://www.gfinityesports.com/cryptocurrency/tornado-cash-dusting-attack/.
20: Nikhilesh De, Crypto-Mixing Service Tornado Cash Blacklisted by US Treasury, CoinDesk, (August 8, 2022), https://www.coindesk.com/policy/2022/08/08/crypto-mixing-service-tornado-cash-blacklisted-by-us-treasury/.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
Related Information
Date
19 août 2022
Contacts
Senior Managing Director
Senior Managing Director
Senior Director
Managing Director