United States: Critical Tornado Cash Developments Have Significant Implications For DeFi AML And Sanctions Compliance

After months of anticipation, a federal judge has finally ruled in the closely watched case of Joseph Van Loon, et al. v. Department of Treasury, et al. This important case addressed challenges to the US Department of the Treasury's Office of Foreign Assets Control (OFAC) decision to impose sanctions on Tornado Cash as a Specially Designated National and Blocked Person (SDN). The judge granted summary judgement in favor of OFAC, finding it had sufficient legal authority to designate Tornado Cash, and denied summary judgement on the plaintiffs' claims. Shortly after that ruling, OFAC announced the SDN designation of Roman Semenov, one of three alleged co-founders of Tornado Cash, and the Department of Justice (DOJ) charged Semenov and Roman Storm, another Tornado Cash founder, with multiple alleged criminal violations related to anti-money laundering (AML) and economic sanctions laws.

All three actions are critical developments that contain key insights on how the US government views the AML and sanctions obligations of decentralized protocols and individuals associated with those protocols. The developments make clear that, at least in certain scenarios, individuals involved in the creation of a DeFi platform can be held responsible for the activities conducted on that platform where such conduct violates US economic sanctions or AML laws, or constitutes sanctionable activity under applicable executive orders.

Sanctionable activity can include a wide range of conduct such as malicious cyber activities, proliferation of nuclear weapons and weapons of mass destruction, narcotics trafficking, significant corruption interfering with the rule of law, suppressing human rights or related surveillance abuses, and other malign activities.

Given the challenges in building decentralized tools that are capable of operating in full compliance with these regimes, the case may significantly complicate the creation, launch, and maintenance of DeFi protocols that operate in the United States or involve US persons, including by having US users.

Among the key takeaways from these recent US government actions are:

• OFAC has authority to impose sanctions on "associations" that operate with a common purpose as "persons" linked to DeFi protocols and to treat the smart contracts associated with those protocols as blocked property or interests in blocked property;
• OFAC may impose sanctions on founders of DeFi projects where it believes the project is supporting bad actors or supporting illicit financial flows that constitute a threat to US national security or foreign policy objectives;
• Founders of at least certain DeFi protocols and associated tools, including those established outside the United States, may be viewed as operating a money services business and be subject to civil and criminal penalties for failure to obtain the required registrations and licenses needed for such a business operating in the United States or with sufficient US touchpoints;
• Persons who willfully facilitate transactions in blocked property or other illicit financial transactions via DeFi protocols may be subject to civil and criminal penalties for such conduct; and
• The jurisdictional scope of US AML and sanctions regulations is geographically broad, and these regulations can reach actors located outside of the United States provided there is a sufficient US nexus; in the case of secondary sanctions, including the SDN designation of non-US persons, no jurisdictional nexus is required at all.

The Van Loon Ruling

Background

OFAC designated Tornado Cash in 2022 under two executive orders (EOs), EO 13694, as amended, and EO 13722. Among other conduct, EO 13694 authorizes the SDN designation of persons determined to have engaged in malicious cyber-enabled activities, or that provide certain forms of support for such activity, and EO 13722 authorizes the SDN designation of persons that provide certain support or goods or services to the Government of North Korea. In particular, OFAC cited the use of Tornado Cash by the Lazarus Group, a North Korean state-sponsored hacking group, to launder hundreds of millions of dollars for the benefit of North Korea.

The property and interests in property of an SDN must be blocked (i.e., frozen) when within the United States or under the possession or control of a US person, and US persons are generally prohibited from dealing with or engaging in transfers with SDNs. In certain circumstances, OFAC can impose so-called "secondary sanctions" on non-US persons that provide financial, technological, or material support to, or furnish goods or services to, an SDN.

When designating Tornado Cash, OFAC determined that Tornado Cash was a "person" that was eligible for designation under the relevant authorities. OFAC also identified the smart contracts underpinning the Tornado Cash protocol as property in which Tornado Cash has a "property interest," i.e., OFAC concluded that the smart contracts were blocked property. Those findings were challenged in Van Loon and ultimately upheld by the court. The plaintiffs were not the cofounders of Tornado Cash, but rather individuals that had been users of Tornado Cash.

The court found that Tornado Cash was a "person," which is defined in the relevant EOs to includes "entities" and, in particular, "associations." While the term "association" is not defined in the EOs or elsewhere in applicable OFAC rules, the court defined an association as "[a] body of persons who have combined to execute common purpose or advance a common cause." The court explained that the Tornado Cash "association" is "composed of its founders, its developers, and its [decentralized autonomous organization, or] DAO."

The court then explained that the underlying smart contracts were "property" in which the association had an interest (and, therefore, were subject to blocking pursuant to OFAC rules). The court first noted that "property" is broadly defined in existing OFAC rules to include a wide range of items, including "contracts of any nature whatsoever" and "services of any nature whatsoever." It found that the smart contracts were "contracts", and even if some of the underlying code could not be accurately described as a contract, "Tornado Cash promoted and advertised the contracts and its abilities and published the code with the intention of people using it—hallmarks of a unilateral offer to provide services." The court also noted that a contract does not necessarily require two parties to negotiate relevant terms, and analogized the smart contracts in Tornado Cash to a vending machine that accepts specified quantities of money for food or drink.

The court also found the association had an "interest" in this property, pointing to OFAC's broad regulatory definition of "interest" as "an interest of any nature whatsoever, direct or indirect." It explained, "Tornado Cash has a beneficial interest in the deployed smart contracts because they provide Tornado Cash with a means to control and use crypto assets. The smart contracts generate fees in the form of TORN tokens for the DAO when users execute a relayer-facilitated transaction."

The court rejected First Amendment claims brought by the plaintiffs, including arguments that OFAC's action would have a chilling effect on code developers. The court explained, "OFAC's designation blocks only transactions in property in which Tornado Cash holds an interest, such as the smart contracts. It does not restrict interaction with the open-source code unless these interactions amount to a transaction .... Developers may, for example, lawfully analyze the code and use it to teach cryptocurrency concepts. They simply cannot execute it and use it to conduct cryptocurrency transactions." The court also dismissed Fifth Amendment takings claims as not made timely and waived.

Implications

The Van Loon decision may have significant implications for DeFi founders and developers. It is worth noting that the decision may be appealed and that a separate action brought by Coin Center is continuing to be litigated in another federal court in Florida. Therefore, the Van Loon decision may not be the last word on this matter in US courts. Nonetheless, it marks a significant victory for OFAC and a decision to which the DeFi industry must pay careful attention.

The Van Loon decision did not find that OFAC could designate the underlying code itself, but rather that OFAC did and could designate an "association" of individuals connected to an underlying protocol or software and who have a "property interest" in that code, or at a minimum, in transactions that are executed by that code. (Code itself may be considered "information" or "informational materials," which generally cannot be targeted by OFAC under applicable statutory authorities.)

Inherent to that ruling was the court's view that, although the smart contracts are self-executing, they are supported by identifiable persons, acting toward a common purpose, that were able to provide governance via the DAO and "place job advertisements, maintain a fund to compensate key contributors, and adopt a compensation structure for relayers, among other things." As such, the individuals combined to engage in the common purpose of "developing, promoting, and governing Tornado Cash," making OFAC's action permissible under applicable executive orders.

The ruling, unless reversed, indicates that OFAC can designate any DeFi platform it determines has engaged in sanctionable conduct, so long as the platform is developed, operated, or governed by an "association" of persons engaged in a "common purpose" or is otherwise able to be construed as an "entity," as defined under applicable OFAC regulations. That holding is likely to apply to a broad array of DeFi platforms currently in operation.

Such platforms may wish to carefully consider the measures they can take to promote sanctions compliance and prevent the platform from being used by bad actors, which could expose the platform to a similar designation. However, there are significant challenges that come with implementing such measures in a decentralized context, including identifying who is responsible for determining and implementing the appropriate changes and how to accomplish those objectives of not violating applicable laws or engaging in sanctionable conduct, while maintaining the decentralized nature of the protocol. These challenges are heightened by the fact that movement toward greater centralization can have negative implications under other legal regimes, such as securities law and even the AML rules of certain jurisdictions that do not extend to fully decentralized platforms.

The Van Loon court also relied heavily on the specific facts of Tornado Cash, which may not necessarily be present in all cases. For example, it is unclear how the court's ruling would apply to a situation where a developer wrote code, published it on GitHub (or another platform) for free public use, and then walked away with no further involvement, management, or financial stake in how the code operates or executes transactions. Similarly, it is unclear if the court would have reached the same conclusion if there was no DAO and no financial benefit flowing to the DAO from the execution of relayer-facilitated transactions. Therefore, Van Loon may not necessarily apply to all decentralized blockchain protocols, particularly those with facts that are significantly different from Tornado Cash.

Nonetheless, because many, if not most, DeFi projects have some level of ongoing involvement from the founders, a DAO, or otherwise, the Van Loon ruling is likely to have significant implications for those platforms, and OFAC's victory may embolden it to pursue "associations" and other entities connected to such platforms more aggressively, where such actors allegedly violate US sanctions laws or engage in sanctionable conduct.

Designation of Roman Semenov

Background

Shortly after the Van Loon ruling, OFAC announced the designation Roman Semenov, one of the three cofounders of Tornado Cash, who is purportedly a citizen and resident of Russia, as an SDN. According to OFAC, he was designated for "his role in providing material support to Tornado Cash and to the Lazarus Group." In announcing the designation, Deputy Secretary of the Treasury Walley Adeyemo stated, "Even after they knew the Lazarus Group was laundering hundreds of millions of dollars' worth of stolen virtual currency through their mixing service for the benefit of the Kim regime, Tornado Cash's founders continued to develop and promote the service and did not take meaningful steps to reduce its use for illicit purposes." Semenov was designated pursuant to EO 13694 and EO 13722, the same EOs used to designate Tornado Cash itself. The fact that the designation was announced shortly after OFAC's victory in Van Loon suggests the agency may have been waiting for that ruling before announcing the designation.

Implications

This designation may have significant implications for founders of DeFi protocols, as it suggests that OFAC will seek to hold founders (including those acting outside the United States) accountable for conduct occurring on the platform, at least in certain circumstances. OFAC has significant discretion in deciding when to designate persons under its various authorities and, therefore, the designation of Semenov should not be read to suggest that OFAC will seek to designate every founder of a platform used for illicit purposes, no matter the circumstances. However, it does highlight that OFAC expects any person who is a founder to take appropriate measures to prevent platforms from being used by bad actors or persons located in comprehensively sanctioned jurisdictions, particularly where the founders are aware of the conduct in question and have the ability to take at least some measures to prevent such activity. While the Tornado Cash founders may not have been able to force the DAO to adopt changes to the underlying protocol, the founders were allegedly in control of a frontend user interface through which most users accessed the protocol, and they allegedly failed to make meaningful changes to that user interface (see below for additional detail on this point).

Therefore, founders should be cautious when launching new DeFi projects, and founders of existing DeFi projects may want to consider whether there are any sanctions compliance enhancements or mitigation measures they can take. It is also important to note there is no jurisdictional requirement to be targeted by OFAC sanctions. Therefore, OFAC could designate a founder located anywhere in the world, regardless of whether that individual has any connection to the United States, if that founder engaged in sanctionable conduct (Semenov is allegedly based in Russia).

Indictment of Roman Storm and Roman Semenov

The DOJ indictment against Tornado Cash cofounders Roman Storm and Roman Semenov contains a number of key takeaways of critical importance for DeFi founders. Storm and Semenov were charged with three counts, including: (1) conspiracy to commit money laundering, (2) conspiracy to operate an unlicensed money transmitting business, and (3) conspiracy to violate the International Emergency Economic Powers Act (IEEPA).

Conspiracy to Commit Money Laundering

Background

With respect to conspiracy to commit money laundering, the indictment alleges a violation of 18 U.S.C. § 1956(a)(1)(B)(i), which prohibits conduct where a person "knowing that the property involved in a financial transaction represents the proceeds of some form of unlawful activity, conducts or attempts to conduct such a financial transaction which in fact involves the proceeds of specified unlawful activity ... knowing that the transaction is designed in whole or in part ... to conceal or disguise the nature, the location, the source, the ownership, or the control of the proceeds of specified unlawful activity."

The indictment alleges the defendants were aware that the Tornado Cash protocol was being used by a number of bad actors to launder the proceeds of hacks and other illegal conduct. It also alleges that the defendants profited from such activity through their holding of TORN tokens (the governance token of the Tornado Cash DAO) and the implementation of a "relayer register" that required Tornado Cash relayers to purchase TORN tokens in order to be chosen to process withdrawals from the Tornado Cash frontend user interface.

Notably, the indictment alleges the transactions in question were intended to "conceal or disguise" the underlying proceeds of specified unlawful activity. It is unclear from the indictment if DOJ is seeking to attribute responsibility to Storm and Semenov only for transactions flowing through the frontend user interface or also transactions flowing through the protocol, but not the frontend user interface. While the protocol itself was not under the sole control of Storm and Semenov, the user interface was, according to DOJ, under the control of the defendants. (Users did not have to access the platform through that user interface, but it was more difficult to access the platform otherwise, and according to the DOJ most users accessed the platform via the user interface). The indictment is unclear as to whether Lazarus Group actually used the interface or accessed the protocol through other means, but suggests that Lazarus Group did in fact use the interface.

Implications

The charges have significant implications for platforms that combine a decentralized smart control protocol with a frontend user interface, a model that is relatively common in the DeFi space. At a minimum, the indictment indicates that DOJ may assert a money laundering crime where founders control a frontend user interface and do not implement appropriate AML/know-your-customer (KYC) controls with respect to users accessing the protocol via that interface despite the knowledge that bad actors are using the interface. However, a broader reading of the indictment suggests DOJ may assert violations of criminal money laundering laws where founders have knowledge that bad actors are using a protocol to disguise the proceeds of specified unlawful activity. In that latter scenario, it is somewhat unclear what steps founders could take with respect to the underlying protocol once it has been released and decentralized.

As such, founders of new DeFi projects will need to carefully consider the measures they can take to prevent bad actors from using their platforms to launder funds, and founders of existing projects may want to make changes to any frontend user interfaces or the underlying protocol (if possible) or both.

Conspiracy to Operate an Unlicensed Money Transmitter Business

Background

The indictment alleges that Storm and Semenov conspired to operate an unlicensed money transmitting business by failing to register their business with the US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) and by operating a business that "otherwise involves the transportation or transmission of funds that are known to the defendant to have been derived from a criminal offense or are intended to be used to promote or support unlawful activity."

The indictment further explains the defendants "together with others involved in the Tornado Cash service, including the relayers, engaged in the business of transferring funds on behalf of the public. However, neither the Tornado Cash service, nor any of the Tornado Cash founders, was registered with FinCEN as a money transmitting business."

A money transmitter is a type of money service business (MSB) that is required to register with FinCEN and to comply with a range of FinCEN AML rules, including conducting KYC and monitoring for and reporting suspicious transactions, among other requirements.

However, it is unclear from the indictment precisely which conduct gave rise to the money transmitting business in question. Was it the underlying protocol, the user interface, the relayer service, or a combination thereof?

Implications

Regardless of how one understands DOJ's allegations with respect to unlicensed money transmission, the allegations will have a significant impact on industry.

If it was the underlying protocol that was the MSB, DOJ would be taking the view that decentralized (or at least partially decentralized) platforms such as Tornado Cash may be MSBs and that founders are responsible for ensuring such platforms meet their AML compliance obligations that arise from being an MSB. Treasury has previously indicated that fully decentralized platforms may be MSBs provided they are not limited to software for "disintermediated" transactions (see our prior blog post here), but DOJ and FinCEN have not brought an enforcement action on that theory alone. Furthermore, Treasury's prior statements did not clarify who would have responsibility for registering the decentralized protocol and ensuring compliance with AML rules. For example, would that responsibility fall to the developers, the DAO, individual governance token holders, etc.? One reading of the DOJ indictment is that this responsibility falls to the developers. Of course, this raises significant questions for founders that write code but then cease to be involved in a project going forward and for founders that stay involved in a project, but are unable to force changes to decentralized protocols that may be necessary for compliance reasons.

If it was the user interface that was the MSB, it is unclear why the so-called "network access exemption" – which exempts from MSB status a person that only provides "the delivery, communication, or network access services used by a money transmitter to support money transmission services" – would not apply. That exemption is frequently used for frontend user interface providers in both the digital asset and fiat contexts.

If it was the relayers, while the founders coded the algorithm that selected the relayers to process a given transaction, the relayers themselves were independent actors that elected to take part in the relayer network, and it is not clear how the AML obligations of relayers would flow to the founders.

Founders of new and existing DeFi protocols will need to study this indictment carefully and consider structures to ensure they either are not considered an MSB or can register and comply with the AML requirements applicable to MSBs.

Conspiracy to Violate IEEPA

Background

IEEPA is the federal statute underpinning the SDN designation of the Lazarus Group. Because the Lazarus Group is designated as an SDN, all property and interests in property of the Lazarus Group must be blocked when within the United States or the possession or control of a US person, and US persons are generally prohibited from dealing with the Lazarus Group. Assuming the Lazarus Group did in fact use the frontend user interface and the defendants had knowledge of this, the violations of IEEPA appear relatively straightforward. The defendants maintained a website that assisted users in engaging in financial transactions via the underlying Tornado Cash protocol and were aware that an SDN was using the services provided by the website. That seems to constitute a fairly standard violation of IEEPA by conspiring to knowingly deal in blocked property of an SDN.

The indictment does not specify whether the allegations relate solely to the defendant's activities in offering the frontend user interface or whether the defendants' roles as founders of the underlying protocol or as coders of the relayer network also form independent bases for the violations.

The indictment also alleges that the founders made changes to the frontend user interface to prevent transactions flowing directly from wallets that had been identified as blocked property of the Lazarus Group (and others), but privately acknowledged that the measures were inadequate because they could easily be bypassed by transferring tokens from the identified wallets into a new wallet and then using the Tornado Cash frontend.

Implications

The indictment highlights the importance of founders and developers considering economic sanctions compliance at the design, build, and operational stages of any new DeFi projects. It also highlights the need to take action when a founder or developer becomes aware that a project may be used by sanctioned parties and for that action to be meaningful, unlike the measures taken by Storm and Semenov, which the DOJ alleges the defendants knew would be insufficient. For example, DOJ might have taken a more favorable view of the compliance measures taken by Storm and Semenov if those measures had attempted to address not only direct transfers from the Lazarus Group's sanctioned wallets, but also indirect transfers from those wallets as well. The indictment identifies "KYC procedures, transaction monitoring, [and] blockchain tracing" as other measures that Storm and Semenov could have taken.

While it is somewhat unclear if the violation is linked only to the frontend user interface or also to the relayers and underlying protocol, all aspects of a DeFi project should be considered when thinking about sanctions compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.