On August 8, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned virtual currency mixing service Tornado Cash, which OFAC said has been used to launder billions of dollars in virtual currency, including $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (“DPRK”) state-sponsored hacking group that OFAC sanctioned in 2019.  Though OFAC’s action marks the second instance it has sanctioned a virtual currency mixer—OFAC sanctioned Blender.io in May 2022—this is the first time that OFAC has designated a non-entity software protocol. Tornado Cash is a “smart contract” that allows users to anonymize the origins, destinations, and counterparties for virtual currency transactions. 

OFAC’s action builds on its action against Blender.io, and the enforcement action of OFAC’s sister agency, the Financial Crimes Enforcement Network (“FinCEN”), against the founder and operator of mixers Helix and Coin Ninja.  It also builds on a general rise of OFAC enforcement against virtual currency businesses. These actions point to OFAC’s growing concern about the use of virtual currency to facilitate sanctions evasion and the activities of sanctioned actors broadly, and its increasing willingness to take enforcement action against crypto market participants that facilitate such activities.  Virtual currency exchanges, decentralized finance (“DeFi”) entities and developers, non-fungible token (“NFT”) platforms, Web3 companies (together, “Virtual Currency Market Participants”), and traditional financial institutions (or “TradFi”) should continue to assess the risks associated with the use of mixers by sanctions targets and other illicit actors, and consider adjustments to their sanctions compliance and anti-money laundering (“AML”) programs to address such risks.     

OFAC’s Action

OFAC designated Tornado Cash pursuant to Executive Order (“EO”) 13694, as amended, for providing support to malicious cyber actors, along with 38 Ethereum (“ETH”) virtual currency wallet addresses and six USD Coin (“USDC”) virtual currency wallet addresses.  In addition to the $455 million stolen by the Lazarus Group, OFAC said that Tornado Cash had been used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 “Harmony Bridge Heist,” and at least $7.8 million from the August 2, 2022 “Nomad Heist,” and that Tornado Cash had failed to impose effective controls designed to prevent its use for laundering funds for malicious cyber actors, “despite public assurances otherwise.”  As a result of the sanctions, U.S. persons are prohibited from having any direct or indirect interactions with Tornado Cash unless authorized by a general or specific license issued by OFAC. Additionally, U.S. persons must block and report to OFAC all property and interests in property of Tornado Cash.    

Unlike Blender.io, Tornado Cash is a non-custodial, smart contract-based software application, not an entity.  In designating Tornado Cash, OFAC effectively sanctioned a technology that resides on the Ethereum blockchain.  Thus, while Tornado Cash remains operational, Virtual Currency Market Participants should be mindful that OFAC and the U.S. Department of Justice may pursue civil or criminal enforcement proceedings for direct or indirect interactions with the Tornado Cash code.  This is particularly the case for instances when those agencies view persons as evading U.S. sanctions or causing U.S. persons to violate sanctions.  There also is some risk that OFAC may view assets that have passed through the mixer as blocked property. Further, non-U.S. persons not subject to OFAC’s jurisdiction may wish to consider risks of continued transactions with Tornado Cash, as OFAC may consider such persons as potential targets for secondary sanctions pursuant to EO 13694.

Key Takeaways: Has the Tide Turned Against Mixers?

Treasury’s sanctioning of Tornado Cash follows a series of actions in which the U.S. Government has highlighted the risks of mixing services.  In October 2020, FinCEN assessed a $60 million penalty against Larry Dean Harmon, the founder, administrator, and primary operator of the Helix mixer, for violations of the Bank Secrecy Act (“BSA”).  In August 2021, Harmon pleaded guilty to conspiracy to commit money laundering in connection with his operation of Helix.  Last summer, FinCEN penalized BitMEX, a virtual currency exchange, for its failure to file suspicious activity reports (“SARs”) on transactions involving virtual currency mixers. Then, as discussed above, in May 2022, OFAC sanctioned virtual currency mixer Blender.io for assisting cryptocurrency transactions on behalf of the DPRK.   

Given these enforcement actions, Virtual Currency Market Participants should consider ways to address and mitigate sanctions and AML risks arising from transacting with mixers.  Last November, OFAC issued its first-ever Sanctions Compliance Guidance for the Virtual Currency Industry (“Sanctions Guidance”), along with updated “Frequently Asked Questions” regarding virtual currency sanctions compliance.  In its Sanctions Guidance, OFAC highlighted the potential usefulness of blockchain analytics tools to help identify transactions with listed addresses, and provided advice on how to mitigate the risks associated with dealing with unlisted virtual currency addresses that transact with sanctioned wallets.  Additionally, in April, 2022, the New York State Department of Financial Services (“NYDFS”), the State of New York’s crypto regulator, issued its own virtual currency guidance that similarly stressed the importance of blockchain analytics.  NYDFS indicated that blockchain analytics are relevant to effective compliance programs, customer due diligence, transaction monitoring, and sanctions screening by NYDFS-licensed virtual currency businesses, as this technology can help trace the provenance of virtual currency transactions, including through the review of on-chain “hops”. Such “Know Your Transaction” technology could help mitigate compliance risks and address red flags.

Cryptocurrency exchanges should be mindful of continued scrutiny by OFAC and other agencies for sanctions compliance in the virtual currency sector.  In October, 2021, Suex OTC became the first virtual currency exchange to be placed on the SDN List for facilitating transactions involving ransomware payments.  Media reports indicate that OFAC is investigating at least one other major virtual currency exchange for allowing almost 2,000 accounts from Iran, Syria, and Cuba, potentially in violation of U.S. sanctions.

Despite Tornado Cash’s stated connection to the Lazarus Group, OFAC’s actions against Tornado Cash has prompted debate about the role that mixers, privacy coins, and other anonymizing technologies play in the broader virtual currency ecosystem, and what qualifies as legitimate use of such technologies.  For example, Vitalik Buterin, a co-founder of Ethereum, used Tornado Cash to donate to Ukraine following Russia’s invasion.  It remains to be seen whether similar uses might expose those mixers, or those users, to potential sanctions or other forms of regulatory scrutiny.

OFAC’s action also suggests a willingness to pursue sanctions against decentralized protocols—even where these protocols are not clearly associated with an entity—when the protocol is used by sanctioned actors to evade sanctions or to engage in malicious activity.  It also raises the risk of action against the developers or persons with control over these decentralized protocols.

Compliance Considerations

In light of OFAC’s recent actions:

  • Virtual Currency Market Participants may wish to: (1) review OFAC’s October 2021 Sanctions Guidance and virtual currency Frequently Asked Questions, as well as NYDFS’s April 2022 Virtual Currency Guidance for  best practices for virtual currency sanctions compliance; (2) assess their potential touchpoints to mixers, including Tornado Cash, and consider how they will address the potential uses of such technology in a manner consistent with their sanctions and AML obligations, including, potentially, the use of blockchain analytics and other controls to identify transactions or clients that use such technologies and to understand the implications of such technologies for those customer relationships.
  • Virtual Currency Market Participants should add Tornado Cash, along with the 44 associated virtual currency wallet addresses sanctioned by OFAC to their sanctions screening programs, and identify whether they receive or transmit any virtual currency, directly or indirectly, associated with these sanctioned wallet addresses, and any other address believed to be associated with Tornado Cash.
  • Financial institutions and technology companies that have Virtual Currency Market Participants or DeFi customers or users, may wish to conduct diligence on these participants’ AML and sanctions compliance programs as part of their own compliance practices.
  • DeFi developers should consider sanctions risks as they develop projects, particularly in pre-launch stages where there may be opportunity to implement protections against potential sanctions risks before a product is launched, a point OFAC emphasized in its 2021 virtual currency sanctions guidance.  OFAC’s designation of Tornado Cash, in part for failing to “impose effective controls,” implies that Treasury feels such measures are reasonable and possible, even in DeFi.
  • Consult with experienced sanctions and AML counsel regarding potential risks associated with developing, supporting or operating a business involving identity mixers, DeFi, or virtual currency anonymizing technologies.

We will continue to monitor enforcement actions involving virtual currency.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Carlton Greene Carlton Greene

Carlton Greene is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s International Trade and White Collar & Regulatory Enforcement groups. He provides strategic advice to clients on U.S. economic sanctions, Bank Secrecy Act and anti-money laundering…

Carlton Greene is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s International Trade and White Collar & Regulatory Enforcement groups. He provides strategic advice to clients on U.S. economic sanctions, Bank Secrecy Act and anti-money laundering (AML) laws and regulations, export controls, and anti-corruption/anti-bribery laws and regulations. Carlton is the former chief counsel at FinCEN (the Financial Crimes Enforcement Network), the U.S. AML regulator responsible for administering the Bank Secrecy Act.

Photo of Caroline Brown Caroline Brown

Caroline E. Brown is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s White Collar & Regulatory Enforcement and International Trade groups and the steering committee of the firm’s National Security Practice. She provides strategic advice to…

Caroline E. Brown is a partner in Crowell & Moring’s Washington, D.C. office and a member of the firm’s White Collar & Regulatory Enforcement and International Trade groups and the steering committee of the firm’s National Security Practice. She provides strategic advice to clients on national security matters, including anti-money laundering (AML) and economic sanctions compliance and enforcement challenges, investigations, and cross border transactions, including review by the Committee on Foreign Investment in the United States (CFIUS) and the Committee on Foreign Investment in the U.S. Telecommunications Services Sector (Team Telecom).

Caroline brings over a decade of experience as a national security attorney at the U.S. Departments of Justice and the Treasury. At the U.S. Department of Justice’s National Security Division, she worked on counterespionage, cybersecurity, and counterterrorism matters and investigations, and gained unique insight into issues surrounding data privacy and cybersecurity. In that role, she also sat on both CFIUS and Team Telecom and made recommendations to DOJ senior leadership regarding whether to mitigate, block, or allow transactions under review by those interagency committees. She also negotiated, drafted, and reviewed mitigation agreements, monitored companies’ compliance with those agreements, and coordinated and supervised investigations of breaches of those agreements.

Photo of Anand Sithian Anand Sithian

Anand Sithian is a counsel in Crowell & Moring’s New York office. He is a member of the International Trade and the White Collar & Regulatory Enforcement groups. Anand advises clients on a variety of regulatory issues and investigations relating to anti-money laundering…

Anand Sithian is a counsel in Crowell & Moring’s New York office. He is a member of the International Trade and the White Collar & Regulatory Enforcement groups. Anand advises clients on a variety of regulatory issues and investigations relating to anti-money laundering (AML), the Bank Secrecy Act (BSA), U.S. economic sanctions, including those administered by the Office of Foreign Assets Control (OFAC), and asset forfeiture matters. Anand routinely counsels clients on the novel application of these laws and regulations to issues involving financial institutions, technology and social media, virtual currency and digital assets (including the seizure and forfeiture of virtual currencies), and the evolving cannabis industry.

Photo of Nicole Succar Nicole Succar

Nicole Sayegh Succar is a counsel in Crowell & Moring’s New York office. She is a member of the firm’s International Trade Group and works closely with White Collar & Regulatory Enforcement Group. Nicole provides compliance counseling and investigations services related to U.S.

Nicole Sayegh Succar is a counsel in Crowell & Moring’s New York office. She is a member of the firm’s International Trade Group and works closely with White Collar & Regulatory Enforcement Group. Nicole provides compliance counseling and investigations services related to U.S. economic sanctions, and the Bank Secrecy Act (BSA), and anti-money laundering laws (AML) and regulations. Nicole is a former sanctions officer with the Office of Foreign Assets Control (OFAC), the U.S. Treasury Department agency responsible for administering and enforcing economic sanctions. While at OFAC, Nicole handled complex matters relating to U.S. sanctions against Russia, Iran, North Korea, Cuba, and Syria.

Photo of Alexander Urbelis Alexander Urbelis

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer…

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer (CISO), Chief Compliance Officer, in-house counsel, and private practice litigator.

Alex has a unique skill set that has allowed him to create a bridge between the technical and legal side of cybersecurity. As a result, he is the primary architect of an exclusive DNS (Domain Name Search) monitoring and intelligence platform. Through this intel platform, Alex advises his clients on identified and early-stage indicators of cybersecurity threats and provides counsel on legal actions and technical defensive remedies to neutralize those threats. Alex tracks sophisticated cyber adversaries and advanced persistent threats (APTs) through his intel platform and, notably, detected a state-sponsored cyber intrusion attempt targeting the World Health Organization in March 2020. For combining legal and technical skill sets with public service, the Financial Times selected Alex as a finalist for its Innovative Lawyers awards for pandemic response in 2020.