Friday, December 10, 2021

Tornado.cash and money laundering


All Ethereum transactions can be tracked.

But there is a neat little tool that lets you remove this traceability: Tornado.cash. Alice submits her Ethereum tokens to a Tornado.cash smart contract where it gets commingled and mixed up with other people's tokens, then re-sent back to Alice at a separate address. (There are some extra things that happen, too. Read here.) Voila, the transaction trail has been obfuscated. All that an outside observer knows is that Alice's coins have been sourced from Tornado (for the rest of this post I'll use Tornado and Tornado.cash interchangeably). They know nothing about their history before then.  

Who uses Tornado? 

Some users are hobbyists and advocates of anonymity. They're not engaged in anything illegal. They want to consume privacy as a financial service. We'll call them legitimate users.

The other batch of users are criminals keen to hide the provenance of the Ethereum tokens that they've stolen by hacking or exploiting exchanges and other financial tools. When BitMart, an exchange, was hacked on December 4, $200 million was laundered through Tornado.cash. A few days later, $1.75 from an 8eight Finance exploit was processed by Tornado. (If you want more examples, ask me in the comments).

My question is this: given the presence of criminal funds on Tornado.cash, is it dangerous for legitimate users to connect to it? More specifically, does a legitimate user who submits their Ethereum tokens to a Tornado smart contract risk a money laundering conviction given that they may be interacting with criminally-derived money?

In the U.S., an individual can be convicted of money laundering if they knowingly conduct transactions in criminally-derived funds. For example, if Joe, a car dealer, sells a Lexus to a criminal for $75,000 in dirty cash, and knows that the transaction was made for the purposes of evading the authorities, then Joe can be found guilty of money laundering. It's a serious offence punishable with up to 20 years in jail.

Would the same principles apply to Tornado.cash users?

If a thief steals some Ethereum and deposits it into a Tornado smart contract where it is commingled with deposits made by a legitimate user, and this legitimate user withdraws their portion of that amount, then it seems to me that the legitimate user may have engaged in money laundering. That is, it's possible that they have conducted a financial transaction that involves the proceeds of an unlawful activity.

But that's not quite enough to establish money laundering. As I said earlier, to be convicted of money laundering a mental state of knowing has to be proven.

Many legitimate Tornado users interact with the tool without knowing much about it. They've never considered the possibility that by connecting to Tornado, they may be serving as a nexus for the laundering of criminally-derived property. Since knowing can't be established, then these users probably can't be judged guilty of money laundering.

But other legitimate users are not so unwitting. It's common knowledge that hacks and thefts are laundered on Tornado.cash. Some of the larger and more savvy Tornado users are no doubt aware that by commingling their funds in a Tornado smart contract they are providing criminals with a means of concealing the source of proceeds of unlawful activity. With knowing having been established, it's possible that their usage of Tornado.cash transcends into money laundering.

But even if the mental state of knowing can be established, one thing is still missing. There doesn't seem to be a clear and well-defined exchange of dirty crypto for clean. That is, when some stolen Ethereum gets deposited into a Tornado smart contract along with legitimate Ethereum, and then later withdrawn, there doesn't seem to be any way to explicitly link the withdrawal of that stolen Ethereum to a specific person. It's hidden by the software.

Put differently, there's no smoking gun.

I think it might be useful at this point to introduce an analogy using physical cash. It is clearly illegal for Joe, our auto-dealer, to knowingly take a criminal's $75,000 in cash. But let's imagine that Joe and the criminal decide to interpose a cash mixing box between themselves. Joe figures that this mixing box will allow him to receive payment without actually taking the criminal's banknotes. Does that make it legal?

It works like this. Two third-parties – Ted and Alice – put in $75,000 in "clean" cash into the mixing box. The criminal puts his dirty $75,000. Ted and Alice's $75,000 gets mixed with the criminal's $75,000. Ted and Alice each remove $75,000. Joe, the auto dealer, also removes $75,000. Joe then transfers the criminal the car.

There is no way for law enforcement to prove that the actual banknotes that Joe has received are the specific banknotes that were deposited by the criminal. Because they were commingled with legitimate money, Joe can deny having accepted criminally-derived funds. (As can Ted and Alice).

But does this set up absolve Joe of guilt? I doubt that the interposition of a cash mixing box would be perceived by a judge as altering the underlying relationship between Joe and the criminal. The mixing box would rightly be seen as a contrivance to throw the cops off. (See last footnote, below)

What about Ted and Alice? If Ted unwittingly contributes his $75,000 to the mixing box – i.e. he doesn't realize that he is helping to obfuscate the criminal's funds – then he probably wouldn't be found guilty of laundering money.

Alice, however, suspects that her contribution to the mixing box will be used to obfuscate the transaction trail between the criminal and Joe, but contributes anyways. The establishment of intention surely increases Alice's odds of a money laundering conviction. She might hope that she can get off because the commingling provided by the mixing box breaks the cash trail between her and the criminal. But again, there's a good chance the judge won't buy this argument.

It's important to keep in mind that Alice may have her own specific reasons for using the cash mixing box. Perhaps she values privacy and therefore periodically mix up all her notes. Maybe she likes to collect certain banknote serial numbers (i.e. ending in 2) and a cash mixing box is a convenient way for her to get exposure to a broad range of potentially collectible pieces.

A judge would somehow have to balance Alice's legitimate reasons for using the mixing box against the fact that she has knowingly conducted transactions in criminally-derived property. Is her right to pursue a peculiar hobby more important than protecting the public's welfare? I'm not sure how that balancing act would end up.
 
Bringing this back to Tornado.cash, I do wonder how safe it is to be a Alice. That is, I wonder how safe it is to be someone who knows that there are stolen Ethereum tokens inside Tornado smart contracts looking for an exit, yet despite the presence of this taint contributes Ethereum to that contract anyways. Even if Tornado obscures any explicit link between Alice and criminals, a judge could look past that.

Alice may say that "I used Tornado.cash because I value my financial privacy." This may be an adequate defence. Maybe not.

Clouding the story is the fact that Tornado.cash is currently paying a juicy financial reward to anyone who puts their cryptocurrency into its smart contracts. (See this video). The fact that Alice is earning 30-40% a year might make her claim to be a mere consumer of financial privacy less credible.

Perhaps one day we'll see a court case where this all gets thrashed out. A decent result would be if a judge ruled in favor of Alice, or at least partly so. The judge suggests that any incidental laundering of funds on Tornado.cash by licit consumers of privacy (like Alice) should be a non-criminal matter, subject to limit. Consider how several U.S. states have decriminalized the possession of small amounts of marijuana for personal use. In that same vein, a fixed amount of intentional commingling of funds on Tornado should be tolerated, the judge suggests, but only for the purposes of personal consumption. Anything above that would remain a felony.



PS: Privacy advocates, please don't shout at me that money laundering laws are unethical. I am making a positive claim here, not a normative claim. That is, I'm not suggesting how things *should* be, but how they actually are. And my positive claim is that there is a risk, perhaps only a small one, that a legitimate user of Tornado.cash could be accused of money laundering. Yes or no?

PPS: Notice that I am no making the claim that Tornado.cash is itself engaged in money laundering, or that the people who have written the Tornado smart contracts are money launderers. I'm treating Tornado.cash as mere software, a digital hammer. A hammer doesn't break the law, people do. My assumption in this post is that society's rules against money laundering fall on the *users* of this software, not on the software itself or on the people who have developed the software.

PPPS: For software developers, if my positive claim is accurate (i.e. that it is risky to use Tornado.cash), is there a way to redesign the software that would solve the problem? More specifically, is there a way to limit the tool to licit users i.e. those who have a legitimate desire to consume anonymity, and keep out criminals? 

PPPPS: It's worth giving U.S. money laundering laws a read. Two of the big ones are located at 18 U.S.C. § 1956 and 18 U.S.C. § 1957. See here.

PPPPPS: On commingling... "Moreover, we cannot believe that Congress intended that participants in unlawful activities could prevent their own convictions under the money laundering statute simply by commingling funds derived from both 'specified unlawful activities' and other activities." U.S. v Jackson, 1991

17 comments:

  1. Very interesting post.
    You say that the introduction of yield for using Tornado makes Alice's claim to be a consumer of financial privacy less credible. What about Bob, who is not so much a financial privacy connoisseur but a yield junkie, who explicitly wants to earn returns on his investments. He doesn't know about money laundering or other illicit activities. But his claim that he uses the protocol for the yield is definitely credible, isn't it?

    ReplyDelete
    Replies
    1. If Bob's mental state is genuinely not one of "knowing," then he probably couldn't be accused of money laundering.

      Mind you, if Bob is a large and sophisticated operator in the DeFi space -- maybe he regularly has 100 Ethereum on deposit in Tornado contracts -- I'd be skeptical if he were to claim to not realize that thefts are regularly commingled on Tornado.

      Delete
  2. How does tornado cash earn the yield it pays people? Wouldn't the people who own the governance tokens be subject to KYC laws?

    ReplyDelete
    Replies
    1. Tornado pays the yield by issuing its governance token, TORN.

      "Wouldn't the people who own the governance tokens be subject to KYC laws?"

      I'm operating on the assumption that Tornado is just software (with upgrades being initiated via governance), and so it can't be accused of committing a crime. (See my PPS at the end).

      Delete
    2. Relayers get paid a fee to act as money mules. :-)

      The smart contract is immutable with no admin so there's nothing to govern. The governance token looks like a side-joke, just some memorabilia token that you used the protocol, that can be speculated on.

      Delete
    3. Good points. I'm aware of the relayers, but I don't entirely understand their role. There's not much information out there on them. They certainly add an extra layer of complexity.

      Delete
    4. Relayers are another layer of mixing to lower the chance of linking the withdrawal tx with the output payment (which are in the same block by definition). Imagine you have a block where ETH address 123 requests a withdrawal, and the contract pays out something to address 456. You now know 123 is linked to 456, and the amount (which is revealed on the way out). At best you get mixed with other payment requests in the very same block.

      https://ethereum.stackexchange.com/questions/94740/how-tornado-cash-relayer-trustless-protocol-works

      Delete
  3. I believe your argument hinges on a rather arbitrary definition of "commingled" with regards to smart contract addresses.
    You're stating that because the fund are in the same ETH address, they are commingled. I strongly disagree with this interpretation.

    While I appreciate the mixing box analogy, I think a better physical analogy is a bank vault with anonymous safe deposit boxes. Imagine Aelliseau has stolen 2 kilograms of gold and the police are hot on her trail so she enters a bank with anonymous safe deposit boxes inside a vault that has no cameras. Nobody can see which box she is accessing. She stashes her gold, then disappears. Many other legitimate people use the same vault to store and retrieve their gold from their own anonymous boxes. Some are using the vault to protect their privacy. Others, like Carol, are using the vault for purposes other than privacy (e.g. to farm $TORN).
    The police have limited resources and can’t harass every person who enters and exits the vault so in practice they would have to choose which vault customers appear the most suspicious. After 1 month, Aelliseu disguises herself as Bob who is seen leaving the bank with 1 kilogram of gold. Then she gives her key to her fence, Dave, who also retrieves 1 kilogram of gold. In this case, Aelliseu gets away with the theft unless the police can find other evidence tying Aelliseu to Bob and Dave.
    If the police claimed they had credible intelligence that Carol’s gold was stolen, they could harass her. Then she'd show them her ledger, logging when she deposited and withdrew gold, along with a record of serial numbers, thus showing that her gold was legitimately acquired.

    Now let’s say instead of 2 kg of gold, Aelliseu stole 1524.0 kg of gold and deposited them in the vault. Then 6 minutes later, Bob was seen leaving the vault with 1524.0 kg of gold. (This is a textbook example of a “multi-denomination reveal” that everybody in-the-know is already familiar with.) The police find this suspicious and ask Bob to show them the receipt for the gold, at which point they realize Bob is actually Aelliseu with a fake mustache.
    The difference between our interpretations is whether everything in the vault is commingled. I would say that because each user has a separate safe deposit box within the vault, the gold was never commingled, even if you can't always tell which box users were accessing. Some users can show their gold was legitimately acquired, others cannot. This example is not unlike a case that is in Los Angeles. I’m no lawyer, I think it's clear that the victims in this case had their 4th amendment rights violated.

    If you take the position that all ETH in the same smart contract address is commingled, then you run into other problems. For instance, Aelliseu could exchange stolen ETH for another ERC-20 via uniswap, which would result in the ETH in the uniswap pool being commingled with stolen ETH.
    Tornado could be redesigned so that funds aren't stored across many addresses in order to avoid this arbitrary commingling definition but ultimately it would just add inefficiency to comply with an arbitrary interpretation of an archaic law.

    Many people who use privacy services are attempting to protect themselves from crimes such as fraud, identity theft or even violent robbery. If users protect themselves and make such crimes more difficult to commit, law enforcement will be stretched less thin and have more resources to focus on the crimes which couldn’t be prevented.

    ReplyDelete
    Replies
    1. "Aelliseu could exchange stolen ETH for another ERC-20 via uniswap, which would result in the ETH in the uniswap pool being commingled with stolen ETH."

      Sooner or later this will very likely happen and networks will split into clean and dirty coins (or clean and dirty chains), that are not fungible (so you'll get two uniswaps, one for ETH-dark and one for ETH-clear, and there will be a black market price to swap, off-chain, between ETH-dark and ETH-clear), or equivalently two forks (on the clear one all the non-KYC coin will be burnt or otherwise disabled, to keep the clean ones clean).

      Delete
    2. I agree that this is certainly plausible but I hope this isn't how it plays out.

      Unfortunately, firms such as Chainalysis and CipherTrace actually profit from crime and have an incentive to make things as complicated as possible. More crime/criminalization --> more cases for them -->more revenue.

      I think that this would lead to more profits for those who are willing to skirt laws and launder funds through black/gray markets -- which would not be dissimilar from alcohol prohibition.

      IMO, crime prevention would be significantly more cost-effective. That is, hold parties who are negligent with user funds accountable, educate consumers about audits and general security, and design front-ends so that it is more difficult to fall victim to a crime (MetaMask is already attempting to warn users about phishing but unfortunately their current approach turns into a game of whack-a-mole).

      Delete
    3. DrNick,

      It's an interesting analogy. I agree, commingling doesn't occur in a bank vault with anonymous safe deposit boxes. Every person's funds stay compartmentalized.

      But is this the right analogy for Tornado?

      It seems to be that a bank vault with many safe deposit boxes would be more analogous to a Ethereum-based tool that has many separate smart contracts, such that if Bob's ETH gets deposited it stays separate from Aelliseu's ETH.

      Tornado relies on a collective smart contract. Anyone can deposit into the 10 ETH pool, for instance. The 10 ETH pool seems more analogous to a bank vault without individual safe deposit boxes, just one big shared box. Without any separation, it's risky to use since one might accidentally commingle one's funds with criminally-derived funds.

      The same problem arises with Uniswap, as you point out. My guess is that explains why tools like Aave are setting up completely isolated pools for traditional finance to experiment with. Lawyers at these institutions probably realize that they can't risk having their funds come into contact with money deposited by anonymous entities.

      Delete
    4. Since one can prove the correspondence between their own deposit and the specific note they withdraw, I would argue its an apt analogy. Just as there can be many deposit boxes in one physical location, so too can there be many distinct deposits in one virtual location.

      Delete
    5. "...can prove the correspondence between their own deposit and the specific note they withdraw."

      Sure, a Tornado user can show that they deposited funds to the Tornado 10 ETH pool. And they can also show that they withdrew funds from the pool. But they cannot prove that they are withdrawing the exact same funds that they deposited. They can't show that they haven't engaged in commingling.

      By contrast, a user of a bank vault can prove that they haven't commingled their money with anyone else's, because the safety deposit boxes are isolated from each other.

      What am I missing?

      Delete
    6. I think you're stuck on the fact that there's a single on-chain Ethereum address, when addresses are just an arbitrary label. You're ignoring that the funds are actually controlled by thousands of lines of smart contract code and math.

      >Every person's funds stay compartmentalized.

      I would say that the funds *do* stay compartmentalized, at least from a user interface and math perspective.

      Many Tornado.Cash users use "Note Accounts" which are encrypted backups of their deposit and withdrawal data. This data *is* stored on the blockchain and effectively acts as a user's anonymous "safe deposit box" in the aforementioned anonymous vault.

      We can even see thousands of transactions where users are initializing these Note accounts.

      When I use the Tornado.Cash front-end, it even shows me a nice table with all of my deposits and withdrawals in my note account, as well as some other information about them. (This is separate from Tornado's compliance tool.)

      The fact that a casual observer sees that the funds are stored in the same pool address is irrelevant. They are compartmentalized on a layer that is not viewable on etherscan.com. When I withdraw my funds, it's the same funds I deposited in my note account. They just are hard to trace by users who aren't me.

      If we apply that idea that funds in the same Ethereum address are commingled while ignoring the fact that they're in a programmatically-enforced smart contract, then we would say that all ETH stored on Solana, Arbitrum, Polygon, BSC, Avalanche, and other blockchains/layer-2 scaling solutions are commingled in their respective bridges, as these bridges have Ethereum addresses which hold large amounts of funds despite the fact that in *most* cases, this ETH is actually self-custodied on their respective blockchains (if you assume the bridge is secure and won't get hacked). Choosing to interpret it as "all funds on Arbitrum are commingled" wouldn't be a reasonable interpretation.
      The fact is, no reasonable prosecutor would start singling out Tornado.Cash users and trying to argue against them, as this logic would quickly lead to an interpretation where almost every Web3 user has funds which were commingled with stolen funds and would be unenforceable.

      I have no idea why some institutions are okay using Aave Arc instead of regular Aave (I'm told it's because of "risk appetites") but there are definitely some institutions whose lawyers will allow them to use regular Aave.

      Delete
    7. "When I withdraw my funds, it's the same funds I deposited in my note account."

      I still don't see it. When Bob withdraws ETH from Tornado, he's withdrawing them from the same pool that everyone else withdraws from. If Bob were withdrawing ETH from a stand-alone Tornado smart contract -- one to which only he had originally deposited, and to which only be had access -- then I'd certainly buy your argument that his ETH hasn't been commingled with other ETH deposits. But using isolated smart contracts would prevent the very obfuscation that is Tornado's motivating purpose, right?

      But I think we're getting distracted by analogies. Remember, money laundering occurs when someone knowingly conducts a transaction that allows criminals to disguise the source of the proceeds of unlawful activity. Any legitimate user who transacts on Tornado.cash is expanding the tool's anonymity set, making it easier for criminals to clean their cash. If these legitimate users are large and savvy (and know full well that Tornado is used by criminals), their contribution to that set puts them at risk of a money laundering conviction.

      Delete
  4. I'm not smart enough to figure out how to edit my comment. Probably introduced a few typos, first one:

    *so that funds are stored across many addresses

    instead of "aren't"

    ReplyDelete
    Replies
    1. I don't think you can edit the comments. Typos won't be held against you.

      Delete