OFAC rebrands ‘Tornado Cash’ as ​​US regulators continue to target virtual currency



On August 8, 2022, the US Treasury Department (Treasury) Office of Foreign Assets Control (OFAC) announced that it has named virtual currency mixer Tornado Cash to the list of Specially Designated Nationals and Blocked Persons (the SDN list) under Executive Order 13694 for allegations that more than $7 billion in virtual currency has passed through Tornado Cash since its inception in 2019, much of it through illicit actors. On November 8, 2022, OFAC simultaneously delisted and renamed Tornado Cash under Executive Orders 13722 and 13694 due to allegations that Tornado Cash had also materially aided, sponsored, or provided financial, material, or technological support to the government of North Korea.

One of the innovations of the blockchain – a public ledger of transactions – is the ability, under normal circumstances, to trace a flow of funds from the original sender to the final recipient. Virtual currency mixers, or goblets, use various techniques to obscure the ultimate recipient of the transaction, so that someone tracing the flow would only see that the sender had sent funds to the mixer, but would lose track of the destination. final. Illicit actors are known to use mixers to obfuscate transaction flows. For example, the Lazarus Group, a North Korean state-sponsored hacking group, used Tornado Cash to launder over $455 million in the largest known virtual currency hack to date. Other malicious cyber actors have used the blender to launder millions more in illicit proceeds, including $96 million from the June 2022 Harmony Bridge heist and at least $7.8 million from the June 2022 Nomad Bridge heist. August 2022. OFAC has determined that Tornado Cash has repeatedly failed to impose effective controls to address this misuse.

OFAC’s designation of Tornado Cash is another example of US regulators’ efforts to expose components of the virtual currency ecosystem that cybercriminals use to obfuscate transactions and evade US sanctions. Financial institutions and those with exposure to the virtual currency ecosystem may consider assessing their exposure to transactions involving mixers, anywhere in the chain, and reviewing the adequacy of their AML controls and sanctions .

Regulators target virtual currency

As we discussed earlier, US regulators are channeling law enforcement resources to target those who allow criminals to profit from cybercrime and other illicit activities. For example, in May 2022, OFAC announced that it had designated Blender.io – the Treasury’s first designation of a virtual currency mixer – following OFAC’s determination that the mixer had been used for launder funds stolen from the Lazarus Group and several Russian-linked ransomware groups. Additionally, in 2020, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) imposed a $60 million civil penalty on Larry Dean Harmon, the operator of two unlicensed virtual currency mixers, for violating the Bank Secrecy Act (BSA) and its implementing regulations. According to FinCEN, Harmon failed to register to license the two mixers and did not implement effective AML controls. As a result, FinCEN found that Harmon conducted more than $311 million in convertible virtual currency transactions without performing proper transaction or customer due diligence.

The Treasury’s efforts to target virtual currency mixers have occurred alongside the actions of other regulators. Notably, in June 2022, the US Department of Justice (DOJ) announced charges against six people in four cases of alleged cryptocurrency fraud offenses involving more than $100 million, including the largest NFT scheme to date, fraudulent cryptocurrency exchanges, a global Ponzi scheme of unregistered cryptocurrency securities and a fraudulent initial coin offering. In August 2022, the Commodity Futures Trading Commission (CFTC) filed an injunction suit against Rathnakishore Giri and his companies for $12 million in fraudulently obtained investments, alleging he created a Ponzi scheme to defraud investors interested in digital assets. In a September 2022 statement on digital assets, the White House encouraged regulators “to aggressively pursue investigations and enforcement actions against illegal practices in the digital asset space.” The recent turbulence of bankrupt cryptocurrency exchange FTX portends further regulatory scrutiny in this space.

Tornado Cash is unique among virtual currency mixers in that it is non-custodial and relatively decentralized, which means that Tornado Cash executes transactions without an intermediary’s direct control over the mixing process and does not obtain the keeps deposits of its users. In contrast, Blender.io was a centralized blender because only one company handled the transactions. Tornado Cash, on the other hand, mixes cryptocurrency using smart contracts, which are essentially code running on a blockchain (Ethereum, in this case). Tornado Cash website is down; however, the underlying smart contracts that do the shuffling are still running because it is self-executing code that can run without further intervention. OFAC sanctions effectively shut down the service as the designations prevent users from easily accessing Tornado Cash wallets and user-friendly website, highlighting that even seemingly decentralized cryptocurrency projects still rely on a variety of players centralized to operate. Additionally, and although not the subject of this article, the developer behind Tornado Cash has been arrested by Dutch authorities (and is currently in jail awaiting charge), fueling the argument in the cryptocurrency circles about the level of guilt developers carry for their actions.

Tornado Cash’s new designation is significant as it recalls OFAC’s regulatory scope for centralized and decentralized businesses in the virtual currency ecosystem, including virtual currency mixers, bridge protocols, crypto miners -currency, privacy wallets, privacy-focused cryptocurrencies, and other platforms dependent on smart contracts.

Takeaways for businesses and cryptocurrency project participants

In light of US regulators’ efforts to target the virtual currency industry, companies and those pursuing cryptocurrency projects may consider assessing their exposure to potential sanctions and implementing and reviewing their AML checks and penalties. OFAC’s enforcement guidelines state that it will consider the existence, nature, and adequacy of a risk-based sanctions compliance program in determining the appropriate action in response to a apparent violation of sanctions. An effective risk-based compliance program may include: (1) management commitment; (2) periodic risk assessments; (3) internal controls; (4) testing and auditing; and (5) training. Companies may consider reviewing their policies in light of these expectations.

Participants in the virtual currency ecosystem face increasing pressure to protect user privacy. However, companies can take steps to mitigate the risk of penalties while protecting privacy. For example, cryptocurrency developers might consider embedding compliance checks directly into the foundation of their blockchain network, writing code containing verification checks with minimal personal data intrusions. New coding techniques and emerging blockchain technology can help ensure compliance without compromising privacy.


The Tornado Cash designation demonstrates that US regulators continue to target the virtual currency industry and are determined to counter the use of virtual currencies to facilitate illicit activities, from sanctions evasion to money laundering. Businesses could consider these risks and take steps now to review the adequacy of their anti-money laundering and sanctions controls.

Source link


Comments are closed.