Tornado Cash

Into the storm: The murky world of cryptocurrency mixers

A handful of obfuscation protocols are competing for the user base of OFAC-sanctioned Tornado Cash.

Cryptocurrency mixing services are a divisive subject in the industry. Some advocate for the privacy-enabling features of these protocols while others maintain that they are mainly used for illicit means.

For platforms like Tornado Cash, the mainstream verdict is “guilty as charged.” The infamous decentralized mixing protocol was sanctioned by the United States Office of Foreign Assets Control (OFAC) in August 2022, essentially making it illegal for anyone to make use of the service.

Tornado Cash continues to be a contentious topic and one of its developers, Alexey Pertsev, controversially remains in detention in the Netherlands while investigators look to build a case against the Russian developer and his alleged role in the mixer’s operation.

In a proverbial sense, one man’s loss is another man’s gain and that seems to be the case for cryptocurrency mixers according to a report from blockchain analytics firm Elliptic.

A blow to money-laundering operations

As highlighted in its analysis, Elliptic reveals that over $7 billion worth of cryptocurrencies were processed by Tornado Cash. An estimated $1.54 billion of illicit cryptocurrency was laundered through the platform, with a user base that included the likes of North Korean Lazarus Group state hackers.

In the wake of OFAC’s sanctions, Tornado Cash liquidity pools saw their holdings drop by 60%, which is said to have drastically reduced the anonymizing potential of the platform for large-scale money laundering operations.

With Tornado Cash ostensibly shut down, a number of alternative mixing services have been identified as potential threats to cryptocurrency service providers and criminal investigators. Elliptic highlights six different protocols that have been used as mixers in the wake of Tornado Cash’s prohibition.

Not all mixers are being used for illicit means

Elliptic’s report unpacks how these mixer protocols operate in different ways and provide a variety of outcomes for potential users. A top-down view shows that these obfuscation protocols have mixed over $41 million of cryptocurrency, which pales in comparison to the total amount that was processed by Tornado Cash.

Ether (ETH), BNB (BNB), Wrapped Ether (wETH) and Tether (USDT) are the most commonly mixed tokens, given their usability within decentralized finance (DeFi). Elliptic’s figures notably exclude Polygon-based tokens.

Two protocols account for the highest mixing capacity of the tools analyzed and, as a result, make up three-quarters of the cryptocurrency mixed.

The first is Railgun, a decentralized protocol that, according to Elliptic, caters to professional traders and DeFi users looking to conceal investment strategies. Railgun Privacy System removes wallet addresses from transactions on public blockchains using zero-knowledge-proof technology. It claims to be ERC-20 token compatible and has no mixing limit.

Cyclone Protocol is the second protocol, a Tornado Cash fork that touts a number of enhancements said to include yield farming for contributors to anonymity pools. Elliptic reports that Cyclone is able to mix 100 ETH/100,000 USDT in one instance and is available on IoTeX, Ethereum, BNB Smart Chain and Polygon.

Aside from Cyclone, which Elliptic highlights as the highest risk protocol among the six in its report, funds being mixed by these services “largely reflect legitimate DeFi trading activity.”

Just $40,000 of mixed funds were traced back to DeFi thefts, which suggests that current activity reflects a lack of adoption of these alternative mixing protocols by nefarious actors and criminal elements.

Keeping tabs

Despite the fact that a relatively small amount of cryptocurrency has been mixed by nefarious actors, Elliptic still provides a cautionary note aimed at a couple of the services it highlighted.

Cyclone Protocol is identified as the highest-risk service in the wake of Tornado Cash sanctions. The service’s high transaction limit, large liquidity available in its mixing pools, and its ability to process Tornado Cash’s eponymous governance token (TORN) are cause for concern according to Elliptic:

“Its confirmed use to launder at least some proceeds of DeFi exploits, the large amount of funds it has since processed and the apparent absence of its developer team to address concerns only strengthen these risks.”

Buccaneer V3 (BV3) was scored as a “medium-high” risk tool. The Ethereum-based token (BUCC) allows users to “bury” funds for an indefinite period of time without having to mix, pool or cycle transactions. A decoy mode displays fictitious BUCC balances on user interfaces as an obfuscation technique.

The service could be attractive for illicit use cases as it makes use of a Gas Station Network in order to pay transaction fees by claiming a small proportion of transferred BUCC. This could allow users to avoid using regulation-compliant cryptocurrency exchanges and services:

“BV3 therefore claims that it solves the ‘funding problem’ — the issue that addresses typically need to source ETH to pay transaction fees, typically from a centralized KYC exchange.”

A caveat provided by Elliptic is that BV3 uses technology that is still being tested, with its features and capabilities still to be fully realized. The remaining four protocols all have factors that Elliptic believes will inhibit large-scale illicit use.

Treasury officials would have done more for national security by leaving Tornado Cash alone

Tornado Cash contributes to our national security interests more than it undermines them.

One of the most powerful moments in a new crypto user’s journey happens the first time they send a sizable amount of money to their private wallet. It’s an awe-inspiring, serious moment — and it’s a little scary to experience the power and personal responsibility of the technology firsthand with your own real money.

A second powerful moment occurs when the same user is introduced to a block explorer, looks up their address and sees that same transaction there on the blockchain for all to see.

There are competing visions of what Bitcoin (BTC), Ether (ETH) and other cryptocurrencies will achieve. They may be the future of gold, payments, currency or bank accounts. But no matter your crypto vision, none can work without achieving the same level of privacy enjoyed by cash or, at a minimum, credit cards. While credit card companies conduct unparalleled surveillance on our financial life, at least our transactions are not viewable on a public ledger.

There are a number of tools to achieve privacy available in crypto, from privacy coins to mixers and conjoining transactions on the Bitcoin blockchain. These tools are used by everyday users, and in some cases, they are used by bad actors — just like cash. Or to be more precise, crypto and crypto privacy tools are used by criminals with less frequency than cash.

The United States Treasury Department’s Office of Foreign Assets Control sanctioned one particular project, Tornado Cash, that was the most effective privacy tool on Ethereum. Much has been written about the sanction and the threat represented by sanctioning code as speech, and two lawsuits have been filed to push back against OFAC’s efforts.

What has been lost in the FTX drama over the last few weeks is the deft maneuvering that OFAC has engaged in to improve its strategic position in the litigation. On Nov. 8, OFAC “redesignated” Tornado Cash “on the basis of new information.”

Two significant legal challenges brought forward a few weeks prior that poked holes in OFAC’s designation are the likely source of the “new information.” OFAC can only sanction groups, not computer code, and OFAC seems to be pushing a novel theory in its second designation that the decentralized autonomous organization around Tornado Cash was part of a group, even though the DAO had no power to change the code since the admin key was burned.

Supporters of the designation argue it was overall a fair trade to achieve national security goals. The stated reason for the designation was that Tornado Cash “obfuscated the movement of over $455 million stolen in March 2022” by North Korean hackers.

But did it really? Privacy tools require a large anonymity set to work. That’s the only way that small transactions by ordinary users can hide in a large crowd. And it works only if privacy tools are used correctly, without privacy mistakes like making mirror transfers into and out of shielded assets within a short timeframe.

Consider that when North Korean hackers made that specific transfer, it represented 20% of the entire Tornado Cash pool. The sheer volume of ETH North Korea was trying to move through the Tornado Cash protocol meant that it wasn’t obtaining any meaningful privacy by using the tool. It evokes a comical vision of Godzilla trying to cover himself with a fig leaf.

The Treasury Department would have achieved more for national security by allowing North Korean hackers to maintain a false sense of confidence and continue using the tool while it surveilled their transactions using statistical tracing analysis. What OFAC achieved instead amounts to little more than national security theater.

Meanwhile, it has done real harm to the Ethereum blockchain. One example, as noted by Ethereum co-founder Vitalik Buterin, is that Tornado Cash anonymized donations to support Ukraine. If the Treasury Department’s sanction against Tornado Cash is allowed to stand, it can sanction anything from computer code and applications to specific assets.

Almost as if on cue, former Treasury official Juan Zarate argued in a recent interview that the Treasury Department should use the Patriot Act more “creatively” to sanction entire classes of assets in crypto. It’s a short step from there to sanctioning gold coins or other everyday assets.

Society doesn’t countenance the sanctioning of things merely because criminals happen to use them. Criminals drive on roads. They use tools available at the hardware store. They use these things in furtherance of their crimes.

If OFAC’s vague sanction of “Tornado Cash” is allowed to stand, it can sanction any protocol or asset in crypto. And that threatens to destroy any meaningful vision of crypto’s future.

J. W. Verret is an associate professor at the George Mason Law School. He is a practicing crypto forensic accountant and also practices securities law at Lawrence Law LLC. He is a member of the Financial Accounting Standards Board’s Advisory Council, a member of the Zcash Foundation’s board of directors, and a former member of the SEC Investor Advisory Committee. He also leads the Crypto Freedom Lab, a think tank fighting for policy change to preserve freedom and privacy for crypto developers and users.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Ankr confirms exploit, asks for immediate trading halt

The decentralized-finance protocol said it is working with exchanges to immediately halt trading of its BNB staking rewards token, aBNBc.

BNB Chain-based decentralized finance (DeFi) protocol Ankr has confirmed it was hit by a multimillion-dollar exploit on Dec. 1.

The attack appeared to be first discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2. 

Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token has been exploited and that it’s working with exchanges to immediately halt trading of the compromised token.

The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB (BNB) staked on the protocol.

According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges to swap and obfuscate the funds in order to gain around $5 million worth of USD Coin (USDC).

It also added in a following post that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”

In comments to Cointelegraph about the attack, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys, which may have come from a technical upgrade by the Ankr team about 12 hours ago.

Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson told Cointelegraph.

In a Dec. 2 Twitter post, crypto exchange Binance confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance’s user funds are not at risk. The BNB Chain Twitter page also stated that the exploiter’s wallet address has been blacklisted.

Cointelegraph contacted Ankr when the exploit was first discovered but did not receive an immediate response.

Update 4:30am UTC Dec. 2: Added an official statement from Ankr and comments from Beosin.

Update 5:30am UTC Dec. 2: Added a statement from Binance’s BNB Chain Twitter account.

The ‘Brussels Effect’ wields real influence over US crypto regulation

The European Union is leading the way when it comes to global cryptocurrency regulations.

The right to privacy is enshrined in many legal traditions around the world. In the United States, it’s protected by the Fourth Amendment; in the European Union, it falls under Article 8 of the European Convention for Human Rights. While definitions differ between jurisdictions, most of us have a right to a reasonable expectation of privacy for our correspondence, in our homes and about our persons.

In the 1970s, businesses, families and individuals started generating data like never before, and the degree to which it fell under existing privacy mandates was increasingly unclear. This proliferation of data was first acknowledged as a problem in the late 70s and picked up pace in the decade that followed. In response, the EU introduced its Data Protection Directive in 1995, guaranteeing certain fundamental rights around the processing of personal data.

The crucial thing to understand in this context is that an EU directive leaves space for member states to determine how it will be incorporated into national laws. It is a recommendation, not a regulation that would legally require members to enforce laws from a set date.

From 1995, the regulation of privacy in the EU trod a well-worn path. Starting as a directive, it eventually developed into the General Data Protection Regulation (GDPR), which became a lawful requirement in 2018.

GDPR became the benchmark for privacy law and influenced regulation in other jurisdictions, including the United States. It’s a phenomenon Anu Bradford coined “The Brussels Effect,” where EU law sets the global regulatory standard. We’ve seen it happen in a number of fields besides data privacy, such as environmental law and online hate speech, which often enter the U.S. via a similar mechanism: the “California Effect,” whereby California sets a strict standard that is later widely adopted in the United States.

And now there’s another industry poised to follow this well-trodden path — from EU directive to EU regulation to global regulatory standard.

The case of Tornado Cash — which saw a protocol designed to mask financial transactions and increase privacy shut down by regulators because of its use by bad actors — is an example of why regulation is so vital to decentralized finance (DeFi). Infrastructure must be built along regulatory lines.

Like data in the 1980s, the proliferation of digital securities and the wider DeFi space is inevitable. Regulation will be essential to supporting innovators, promoting innovation and protecting investors, not to mention the widescale adoption of digital securities trading globally.

In the U.S., digital securities fall into a regulatory gray space, with neither the Securities and Exchange Commission nor the Commodity Futures Trading Commission willing to put their heads above the parapet and claim responsibility for them.

In California, the regulation of digital assets is an ongoing conversation, and the Senate is expected to push for an amendment to California’s Financial Code to include digital assets: the Digital Financial Asset Law. If passed, it would be enforceable beginning in 2025.

By contrast, EU regulators have been quicker to get to grips with DeFi. The German regulator, in particular, the Federal Financial Supervisory Authority, or BaFin, has gone to great lengths to encourage innovation and offers a regulatory blueprint for DeFi elsewhere. A 2020 amendment to the German Banking Act put crypto assets on parity with traditional securities.

In Brussels, regulation is also picking up pace. The EU’s Markets in Crypto-Assets (MiCA) comes into force in the fourth quarter of this year and will kick off an 18-month transition period for member states. Meanwhile, the newly published European Financial Stability and Integration Review 2022 showed a laudable understanding of the sector. It advocated for a rethink of the current regulatory approach, centering regulation on activity rather than an entity.

It’s still early when it comes to DeFi. However, digital securities regulation in the EU could well follow a similar path to the one that led to GDPR. Brussels this year issued an opinion on activity-based regulation, which we ultimately might see incorporated into its Markets in Financial Instruments Directive. (A directive, remember, is a guiding recommendation for member states.) From there, it could become regulation as part of MiCAR.

With a real-world example of DeFi regulation to lean on and decentralized finance becoming the technology layer where ultimately the entire financial market will be moving, other regulators will follow. Indeed, jurisdictions like Israel have made a habit of it. The question is whether the U.S. will be most influenced by the “Brussels Effect” or the “California Effect.”

Philipp Pieper is the co-founder of Swarm, a regulated DeFi platform in Germany.

Tornado Cash left a void, time will tell what fills it — Chainalysis chief scientist

There’s a hole to be filled where Tornado Cash once was, and “junior mixers” are vying for position in the wake of the mixer’s sanction and ban by the U.S. Treasury.

The sanctions on cryptocurrency mixer Tornado Cash have left a vacuum for illicit fund mixing services, but more time is needed before we’ll know the full impact, according to Chainalysis’ chief scientist.

During a demo of Chainalysis’ recently launched blockchain analysis platform Storyline, Cointelegraph asked Chainalysis chief scientist Jacob Illum and country manager for Australia and New Zealand Todd Lenfield about the impact of the Tornado Cash ban.

Illum said that while there is still some usage of the mixer, more time was needed to “see what’s happening” and how the “world responds to that designation,” adding that people are trying to figure out what to do now that the crypto mixer is effectively gone:

“People are getting more cautious in the space and are not sure how to interact with Tornado Cash, we’ve seen deposits into services providing similar activity go down at least temporarily, because people are measuring like ‘what does this mean for me?’”

But where others see obstacles, some are clearly seeing an opportunity. Illum noted that a crop of what he calls “junior mixers” has popped up, looking to cash in on the void that Tornado Cash left.

An August report by blockchain security firm SlowMist stated that 74.6% of stolen funds on the Ethereum network were transferred to Tornado Cash in the first half of 2022, a sum of over 300,000 Ether (ETH), around $380 million.

Data from Chainalysis showed the 30-day moving average of the total daily value received by crypto mixers reached a new all-time high of $51.8 million in April.

“If the liquidity isn’t there, you effectively dry up a lot of [a mixer’s] capability,” Lenfield added:

“The hunting for places where there is liquidity, when it’s highly visible after things like the OFAC sanctioning of Tornado Cash, I think makes a very interesting space to keep an eye on.”

Tornado Cash was sanctioned by the United States Treasury Department on Aug. 8, meaning criminal or civil penalties could be brought against U.S. citizens or entities who interact with the mixer. Over 40 cryptocurrency addresses purportedly connected to Tornado Cash were added to the Specially Designated Nationals list of the Office of Foreign Assets Control (OFAC).

Asked about the level of sophistication that law enforcement agencies had in dealing with crypto-related crime, Illum mentioned one of the biggest gaps in law enforcement at the moment is blockchain-related training:

“As [blockchain] gains adoption, there’s more people that are getting exposure to crypto, which also means that there are more agents or law enforcement personnel that need to have exposure to crypto as well.”

Lenfield noted that authorities are starting to build capabilities around cryptocurrencies, citing the Australian Federal Police’s (AFP) recent establishment of a cryptocurrency unit focused on monitoring crypto transactions:

“It is active in their minds, they are setting goals, and they’re working through that. But, as in any aspect, there’s that learning curve to get them there, but there is 100% visibility and development in this space by those agencies.”

Earlier in September, Chainalysis’ Crypto Incident Response team helped law enforcement recover $30 million in crypto stolen in the Ronin Bridge hack by the North Korean-linked Lazarus Group, which used Tornado Cash to launder stolen assets.

Tornado Cash is the latest chapter in the war against encryption

Government disdain for end-to-end encryption is nothing new. The effort to kill Tornado Cash is just the latest chapter in this age-old war.

The sanctions imposed by the United States government on Tornado Cash have reignited a public debate on privacy. For many in the relatively young crypto community, such an intervention by the federal government seems groundbreaking. However, tussles between the private sector and the state on the issue of privacy are far from new and can provide compelling insights on what we might expect next for privacy in the crypto industry.

In the 1990s, Phil Zimmermann released Pretty Good Privacy (PGP), one of the first openly available public-key cryptography applications that featured end-to-end (E2E) encryption. Zimmermann’s creation prompted a criminal investigation that was eventually dropped, resulting in federal court decisions that protect encryption under the U.S. Constitution’s First Amendment. This clash on personal privacy was dubbed the “encryption wars.”

The encryption wars rage on today, with officials from the U.S. and other countries urging major tech companies to forgo strong E2E encryption in their products. This would permit law enforcement to access an enormous spectrum of sensitive personal data.

The crypto wars

The next chapter in the encryption wars comes from the Office of Foreign Assets Control (OFAC) sanction of Tornado Cash. The OFAC sanction represents the first outright ban on an application itself, doing away with the line between “providers of anonymizing services” and “anonymizing software providers;” a distinction drawn by another department of the Treasury, the Financial Crimes Enforcement Network (FinCEN).

Identifying that software can be detached from an entity controlled by a group or an individual, Representative Tom Emmer sent a letter to Treasury Secretary Janet Yellen last month requesting clarification on the sanctions. This decision marks one of the most significant clashes on privacy since Snowden exposed the National Security Agency’s mass surveillance practices.

Does history repeat or rhyme?

The sanctions bear hallmarks of when PGP was used as a vehicle to justify an outright ban on encrypting data. Fortunately, the ultimate failure of the ban led to innovation on the web like internet commerce, personal communication and secure logins. Similarly, upholding the sanctions on Tornado Cash creates a dangerous precedent that would bury technological breakthroughs and any associated economic prosperity under a ball of red tape.

To put it another way, criminals have leveraged technological developments throughout history for illicit activity, and banning the technology would be more detrimental than constructive. Should the Tornado Cash sanctions go unchallenged, so many things we take for granted could be jeopardized while inhibiting future advancements and breakthroughs we can’t even imagine today.

Society is well aware of how big tech exploits our personal data en masse under a “surveillance capitalism” paradigm. The reality is that many citizens are willing to consensually forfeit data privacy in exchange for free tech products. However, invasions of privacy mandated by law are another step entirely. For example, newly proposed legislation in the European Union would effectively outlaw E2E encryption.

While the goals behind these policies are usually well intentioned, legislation forcing the development of “backdoors” for E2E encryption will do more harm than good and inevitably be exploited by malevolent actors.

The future of privacy

E2E encryption infused with Web3 identity standards is the solution, not the problem. Big Tech companies have come to function as centralized identity providers, representing a massive bullseye for cybercriminals of every kind. Advances in decentralized infrastructure and cryptography illustrate that this does not have to be the case. Self-sovereign identity tools that strike a balance between privacy, accountability and regulation are being built on Web3.

Humanity has a habit of resisting technological development. As described by Calestous Juma, early Motorola cell phones were written off as toys for rich people. Now, mobile devices have developed beyond what anyone imagined. Juma posits that people tend to display reluctance to technological advancements when the perceived benefit accrues to a small minority. Similarly, the prospects of E2E encryption are being cast aside because privacy is for criminals.

The multichain future of the web will see users managing their identifying data without sacrificing personal privacy or security. In this way, communities could participate in ethical self-regulation rather than relying on digital service providers and authorities. Moral behavior could be easily incentivized, allowing ethical coding and the wisdom of the majority to police ecosystems.

After all, programming is just another form of speech. Some people use their words for good and others for bad. Unsavory or hateful use of the English language should not preclude anyone else from writing. As such, the OFAC sanctions are unconstitutional and should not go unchallenged. Humanity deserves better.

Chad Barraford is the technical lead at THORChain, a noncustodial decentralized liquidity protocol that enables decentralized exchanges and users to transfer their digital assets across blockchains seamlessly.

Coinbase is fighting back as the SEC closes in on Tornado Cash

Six individuals are challenging the Treasury Department. Two seemingly separate stories. One terrifying precedent. It’s all about privacy.

On Sept. 8, Coinbase announced it was bankrolling a lawsuit against the United States Treasury Department. The cryptocurrency exchange is funding a lawsuit brought by six people that challenges the sanctions on Tornado Cash. And on Sept. 9, Securities and Exchange Commission (SEC) Chair Gary Gensler announced he was working hard with Congress to create legislation to increase cryptocurrency regulations.

But these two stories are not mutually exclusive. The sequence of events proves that governments are purely reactive rather than proactive when it comes to decentralized finance (DeFi).

Tornado Cash was sanctioned by the Office of Foreign Assets Control (OFAC) back in August. OFAC claimed the smart contract mixer has helped to launder more than $7 billion worth of cryptocurrency since its creation in 2019, including over $455 million stolen by the North Korean-linked hackers Lazarus Group.

Coinbase CEO Brian Armstrong said in a statement that Treasury went too far, taking “the unprecedented step of sanctioning an entire technology instead of specific individuals.” In addition to claiming the sanctions exceeded the department’s authority, Coinbase argued the measures:

  • Remove privacy and security for crypto users;
  • Harm innocent people; and
  • Stifle innovation.

The next day, Gensler doubled down on his push for tougher regulation of the DeFi market, claiming crypto companies wouldn’t prosper without it. “Nothing about the crypto markets is incompatible with the securities laws. Investor protection is just as relevant, regardless of underlying technologies.”

Not only does his choice of words such as “regardless of underlying technologies” betray his lack of understanding of crypto and blockchain technology, but his speech prompted an outcry from the Web3 community, with many claiming government regulation is a wolf in sheep’s clothing.

Jake Chervinsky, a lawyer and head of policy at the Blockchain Association, tweeted in response, “Crypto is a novel & unique technology: how it should be regulated is a major question for Congress (not the SEC Chair) to decide.”

Security legislation is worrying enough. But the Tornado Cash sanctions set an alarming benchmark for anyone involved in digital assets. Not only are blockchain technology and cryptography constantly changing — what’s secure now might not be secure in the near future and almost certainly won’t be secure next year — but there are a myriad of legitimate applications for the likes of blockchain tech.

DeFi is all about privacy. The clue’s in the name: decentralized finance. Mixers such as Tornado Cash further protect the privacy of their users by mixing users’ deposits and withdrawals in liquidity pools, hiding their addresses and safeguarding their identities. Users want to protect the privacy of their transactions for a range of lawful reasons.

In this case, one of the plaintiffs used the mixer to donate funds to Ukraine anonymously. Another was an early adopter of crypto and now has a significant social media following, with his public ENS name connected to his Twitter account. He used the smart contract to protect his security while transacting. Now their assets are trapped in Tornado Cash.

A person’s finances include some of their most sensitive personal information. And law-abiding citizens have the right to keep this private. But it’s this very privacy that will be eroded by the sort of regulation recently proposed by Gensler, the SEC and other governments around the world.

As is the case with these sanctions, arresting people for using services for lawful and even benevolent acts, not to mention locking up developers for writing open-source code that wasn’t illegal at the time of creation, feels dystopian on an Orwellian level.

Treasury officials have since backtracked, clarifying in guidance that, in fact, “interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited.” The guidance adds that copying the protocol’s code, publishing the code and visiting the website, are all allowed.

Although not officially related, the timing and similarities between the two stories are telling. Gensler likened regulation to traffic control, saying, “Detroit would not have taken off without some traffic lights and cops on the beat.” Armstrong used a highways and heist analogy, saying, “Sanctioning open-source software is like permanently shutting down a highway because robbers used it to flee a crime scene.” And he’s not wrong.

How many talented developers will now be dissuaded from writing game-changing code that could not only innovate industries, but help people across the world? A small number of bad actors should not hinder the progress of a technology with such huge potential to revolutionize sectors beyond even finance.

The Coinbase lawsuit is a pivotal case in the history of cryptocurrency, and the result — whatever it is — will have huge ramifications for DeFi. And of course, its users.

Zac Colbert is a digital marketer by day and freelance writer by night. He’s been covering digital culture since 2007.

US Treasury clarifies publishing Tornado Cash’s code does not violate sanctions

Residents would not be violating sanctions by visiting Tornado Cash’s website, copying the mixer’s open-source code, or making the code available online or in print.

The United States Department of the Treasury said “interacting” with cryptocurrency mixer Tornado Cash’s open-source code, with certain provisions, would not be in violation of sanctions imposed by the Office of Foreign Assets Control, or OFAC.

In the guidance posted to its frequently asked questions pages on Tuesday, the Treasury Department clarified some concerns previously voiced by many U.S.-based crypto users regarding the controversial mixer Tornado Cash. According to the government department, U.S. residents would not be violating sanctions by copying the mixer’s code, making it available online or publishing it through another medium.

“U.S. persons would not be prohibited by U.S. sanctions regulations from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet,” said the Treasury Department.

The Treasury specified that users could generally interact with the Tornado Cash code provided it didn’t involve a prohibited transaction. Those who initiated transactions using the mixer prior to sanctions being imposed on Aug. 8 can apply for an OFAC license to complete the transaction or to make a withdrawal:

“OFAC would have a favorable licensing policy towards such applications, provided that the transaction did not involve other sanctionable conduct.”

The seeming uncertainty around the U.S. sanctions and how companies were expected to be in compliance came amid many platforms removing or restricting the activity of individuals associated with Tornado Cash. One of the mixer’s co-founders, Roman Semenov, reported on Aug. 8 that his account at developer platform GitHub had been suspended. He suggested at the time that his interactions with Tornado Cash’s code might have been part of the reason, questioning “is writing an open source code illegal now?”

Others have attempted to use the U.S. legal system to push back against the Treasury Department’s actions. On Sept. 8, Coinbase announced it would be supporting a lawsuit brought by Tornado Cash users against the Treasury Department, alleging it illegally sanctioned the crypto mixer’s smart contract addresses.

Crypto investors backed by Coinbase sue U.S. Department of Treasury after Tornado Cash sanctions

Coinbase says that the Treasury overstepped its authority in issuing the Tornado Cash sanctions.

In a new lawsuit filed on Thursday in the U.S. District Court, Western District of Texas, six users of the Ethereum blockchain and cryptocurrency mixer Tornado Cash sued the U.S. Department of Treasury, alleging that its recent designation of 44 Tornado Cash smart contract addresses to the Specially Designated Nationals (SDN) list of the Office of Foreign Assets Control (OFAC) is “not in accordance with law.”

Since Aug. 8, U.S. persons and entities have been prohibited from interacting with the sanctioned Tornado Cash smart contract addresses, blockchain or business-wise, under the threat of criminal or civil penalties for non-compliance. The plaintiffs seek to annul the designation based on three arguments. First, they argue Tornado Cash does not meet the definition of a property, a foreign country, or a national thereof, nor a person and therefore cannot be added to the SDN list.

Second, they claim a violation of their First Amendment (freedom of speech) rights under the U.S. Constitution:

“Tornado Cash allows Plaintiffs to engage in important, socially valuable speech. However, due to the designation, plaintiffs cannot use Tornado Cash to make donations to support important, and potentially controversial, political and social causes.”

Third, the plaintiffs say that because of the Treasury designation, they could not access the Ether stored in Tornado Cash pools. They argued that this alleged lack of a proper pre-deprivation process violated legal procedures.

Later that day, cryptocurrency exchange Coinbase publicly supported the lawsuit. The firm hailed the move as “defending privacy in crypto,” and pledged to fund the lawsuit. “The sanctions exceed Treasury’s authority, harm innocent people, remove privacy and security options for crypto users, and stifle innovation,” said Coinbase. It then raised individual examples of purported benefits of Tornado Cash:

“One person used Tornado Cash to donate money to Ukraine anonymously. Afterward, his wallet received potentially malicious airdrops. But because he anonymized his crypto before donating, he avoided attacks against his personal accounts. He has funds trapped in Tornado Cash.”

“Developers are worried that they could be held responsible for something they had nothing to do with and no ability to control,” said Coinbase in an argument claiming the Treasury’s move will stifle innovation. The U.S. Department of Treasury claims that over $7 billion worth of crypto has been laundered via Tornado Cash since its inception. Stablecoin issuers, such as Circle, have taken steps to freeze blacklisted Tornado Cash smart contract addresses due to the ban. Others, such as Tether, have refrained from such a move until they receive instructions from law enforcement.