Tornado.Cash: Sanctioning a smart contract

On 8 August, OFAC announced that it had sanctioned popular Ethereum mixer Tornado Cash, adding it to the Specially Designated Nationals (SDN) List with 38 unique cryptocurrency addresses included as identifiers.  

The event generated a huge amount of discussion on social media, not least for what appears to be a novel approach US authorities are now taking to illicit DeFi activity.

Now that the dust is settling, lets take a look at some of its more interesting aspects.

The North Korea Connection
Without linking to the official notices, Secretary Blinken tweeted on Wednesday that Tornado Cash was a “DPRK  state-sponsored hacking group”.  This tweet has since been deleted and replaced with the following wording:

“…which has been used to launder money for a U.S.-sanctioned DPRK state-sponsored cyber hacking group.”

The new wording is correct.  There is no evidence that Tornado Cash was financially backed or sponsored by DPRK or indeed any other nation state.  Tornado Cash has been used by Lazarus Group, a North Korean state-sponsored cyber group sanctioned by OFAC in September 2019, on multiple occasions.  

The highly publicised 2020 hack of KuCoin was reportedly carried out by Lazarus, which routed funds through DeFi protocols, including Tornado Cash.  This was followed in March 2022 with the theft of more than $600 million from the Ronin Bridge Protocol (See our Blog post), also carried out by Lazarus.  As too were the Harmony and Nomad heists from this summer, which saw around $100 million allegedly laundered through Tornado Cash.

DeFi Vulnerabilities

Notice the pattern?  The last large-scale hack of a centralised exchange occurred in nine months ago, in December 2021.  That was the theft of $77 million from AscendEx.  

Since then, all large heists have involved DeFi protocols.  At least three have been carried out by Lazarus.  This is the DPRK’s apparent modus operandi; DeFi theft is now a major source of revenue for the hermit state.  

The US estimates that Lazarus has laundered approximately $455 million through Tornado Cash, which is around 6.5% of the $7 billion routed through the protocol since its creation in 2019.  The group has likely stolen, but been unable to obtain, far more funds than that.  Nonetheless, the pattern shows the group’s preferred method of attack.

By exploiting DeFi protocols lack of centralisation - with no KYC or AML checks - they are forcing authorities to react in new and different ways.  This is the conundrum that US regulators are now facing.  Having announced that they would not bring DeFi within regulatory scope at this stage, it leaves the US in a difficult position.  The remaining tool at their disposal is enforcement, through departments such as the Treasury.

Smart Contracts As a Person

The critical difference here is that OFAC designated Tornado Cash smart contracts.  In previous instances, OFAC have sanctioned persons or legal entities, and have also included in their identifying information cryptocurrency addresses.  Those are addresses that are owned/controlled by those persons - private wallets / accounts - rather than contracts or code created (in some cases) anonymously.

In this instance, however, no company or person is mentioned in the designation notice.  Instead OFAC has sanctioned smart contracts which run Tornado Cash.  Critically, they described the contracts as an “organisation”,  established in 2019.  

In effect, OFAC has added code to the sanctions list as a person or legal organisation.  As has already been pointed out on Crypto Twitter, this could be the first step towards recognising smart contracts (or the underlying code) as persons.  

While its too early to tell if this is the US Treasury’s ultimate intention, the direction of travel opens up many more - legal and technical - questions for DeFi, for protocols, and for coders and their work product.  Either way, North Korea may have forced DeFi regulations to be brought forward.

‍