Tornado.Cash: Sanctioning a smart contract

February 12, 2024

On 8 August, OFAC announced that it had sanctioned popular Ethereum mixer Tornado Cash, adding it to the Specially Designated Nationals (SDN) List with 38 unique cryptocurrency addresses included as identifiers.  

The event generated a huge amount of discussion on social media, not least for what appears to be a novel approach US authorities are now taking to illicit DeFi activity.

Now that the dust is settling, lets take a look at some of its more interesting aspects.

The North Korea Connection
Without linking to the official notices, Secretary Blinken tweeted on Wednesday that Tornado Cash was a “DPRK  state-sponsored hacking group”.  This tweet has since been deleted and replaced with the following wording:

“…which has been used to launder money for a U.S.-sanctioned DPRK state-sponsored cyber hacking group.”

The new wording is correct.  There is no evidence that Tornado Cash was financially backed or sponsored by DPRK or indeed any other nation state.  Tornado Cash has been used by Lazarus Group, a North Korean state-sponsored cyber group sanctioned by OFAC in September 2019, on multiple occasions.  

The highly publicised 2020 hack of KuCoin was reportedly carried out by Lazarus, which routed funds through DeFi protocols, including Tornado Cash.  This was followed in March 2022 with the theft of more than $600 million from the Ronin Bridge Protocol (See our Blog post), also carried out by Lazarus.  As too were the Harmony and Nomad heists from this summer, which saw around $100 million allegedly laundered through Tornado Cash.

DeFi Vulnerabilities

Notice the pattern?  The last large-scale hack of a centralised exchange occurred in nine months ago, in December 2021.  That was the theft of $77 million from AscendEx.  

Since then, all large heists have involved DeFi protocols.  At least three have been carried out by Lazarus.  This is the DPRK’s apparent modus operandi; DeFi theft is now a major source of revenue for the hermit state.  

The US estimates that Lazarus has laundered approximately $455 million through Tornado Cash, which is around 6.5% of the $7 billion routed through the protocol since its creation in 2019.  The group has likely stolen, but been unable to obtain, far more funds than that.  Nonetheless, the pattern shows the group’s preferred method of attack.

By exploiting DeFi protocols lack of centralisation - with no KYC or AML checks - they are forcing authorities to react in new and different ways.  This is the conundrum that US regulators are now facing.  Having announced that they would not bring DeFi within regulatory scope at this stage, it leaves the US in a difficult position.  The remaining tool at their disposal is enforcement, through departments such as the Treasury.

Smart Contracts As a Person

The critical difference here is that OFAC designated Tornado Cash smart contracts.  In previous instances, OFAC have sanctioned persons or legal entities, and have also included in their identifying information cryptocurrency addresses.  Those are addresses that are owned/controlled by those persons - private wallets / accounts - rather than contracts or code created (in some cases) anonymously.

In this instance, however, no company or person is mentioned in the designation notice.  Instead OFAC has sanctioned smart contracts which run Tornado Cash.  Critically, they described the contracts as an “organisation”,  established in 2019.  

In effect, OFAC has added code to the sanctions list as a person or legal organisation.  As has already been pointed out on Crypto Twitter, this could be the first step towards recognising smart contracts (or the underlying code) as persons.  

While its too early to tell if this is the US Treasury’s ultimate intention, the direction of travel opens up many more - legal and technical - questions for DeFi, for protocols, and for coders and their work product.  Either way, North Korea may have forced DeFi regulations to be brought forward.


Hoptrail Intelligence: Real-Time Risk Alerts on Wallets & VASPs

April 18, 2024
Alerts is the latest feature in the Hoptrail crypto compliance toolkit, designed to ensure users stay on top of counterparty risk issues in real-time.We are thrilled to announce the release of Alerts, our real-time risk monitoring tool for cryptocurrency wallets and Virtual Asset Service Providers (VASPs).

HM Treasury applies first-ever crypto sanctions amid coordination with US and Israel

April 8, 2024
HM Treasury issues sanctions on crypto addresses as part of wider efforts from allies to crack down on crypto use by terrorist groups
Media & Press

Hoptrail and Recap secure InnovateUK grant funding to develop crypto onboarding tools 

March 14, 2024
A consortium including Hoptrail and led by UK crypto tax software provider Recap has secured a £300,000 Innovate UK grant to build crypto onboarding and AML tools for professional services.

Subscribe to the Hoptrail newsletter

Sign up with your email address to get the latest insights from our crypto experts.

No spam! We respect your privacy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.