Thursday, August 31, 2023

Who are the money launderers in the Tornado Cash stack?

Over the last few years I've written a bunch of posts about Tornado Cash, an Ethereum-based mixing service, because I find it to be a fascinating tool. With the recent indictment of two people involved in the Tornado Cash "stack" for money laundering, here's another post to add to the list.

Let's get this clear from the outset. Somewhere in the Tornado Cash stack, someone is committing the crime of money laundering. That's been the case since at least mid-2020 or so, the moment that crooks started to send their criminally-derived ether proceeds to Tornado Cash for cleansing.

I'm going to repeat that. One of the parties (or groups of parties) woven together via the Tornado Cash apparatus has been knowingly acting as a financial counterparty to criminals, helping to "conduct" transactions that obfuscate dirty ether.

The question always was: who in the stack is guilty of money laundering? Is it the developers who are  laundering money? Miners? TORN token holders? Relayers? Licit users who engage with the smart contracts? And if so, are all licit users guilty, or just some users? Are the operators of the popular user interface the guilty parties?

A recent indictment from the U.S. Department of Justice claims to have figured out who the money launderers are.
Before getting to the indictment, let's tally up all the actors involved in the Tornado Cash stack. To begin with there are the users and developers. The central element of the Tornado Cash stack is a set of smart contracts, or pools, where users  both crooks and non-crooks can send their easily-traced ether to be mixed, getting it back anonymized and untraceable. These core smart contracts were originally coded by three developers in 2019. In mid-2020, the developers removed the core contracts' upgradability, in effect "throwing away the keys" and ending their influence over them.

The next key set of actors are the relayers. Doing stuff on the Ethereum blockchain requires paying a fee to validators. The visibility of these fee payments effectively unwinds Tornado Cash's anonymity and reveals who Tornado Cash's users are. A group of third-party individuals, the relayers, are recruited to handle fees on behalf of users, thus restoring privacy.

The Tornado Cash stack also includes a popular user interface that acts as an overlay over the smart contracts, making them easier to interact with. Control over the user interface is delegated to individuals who own TORN tokens. TORN allows its owners to vote on how the front-end functions, in addition to earning profits from it. TORN holders have no influence over the core smart contracts.

Of these many actors, the DoJ has singled out Roman Storm and Roman Semenov, along with "others known and unknown," as the putative money launderers. (The government also accuses the two of failing to register as a money transmitter, but I'll set that aside.)

Storm and Semenov were the original developers of the core smart contracts, but that doesn't seem to be the nub of the DoJ's money laundering case. Rather, it is the accused's ongoing control over the user interface, exercised through their ownership of a large block of TORN tokens, that seems to have implicated them. Despite knowing that the Tornado Cash stack had become popular with criminals, the owners/operators of the user interface did nothing to screen bad actors from accessing said interface. On the contrary, they made efforts to both improve the interface and increase the profits they made from it.

The government's illustrates this by explaining the involvement of Storm and Semenov in managing the list of relayers that appear on the user interface, as well as in crafting the system for rewarding and levying fees on these relayers. The indictment cites a vote made by TORN holders in early 2022 that led to an update of the user interface's mechanism for listing relayers. The change allowed anyone to appear on the list, as long as they could stake a certain quantity of TORN tokens. The DoJ alleges that this decision improved anonymity by lengthening the user interface's list of relayers.  

The indictment further alleges that Storm and Semenov, through their ownership of TORN, profited financially from the user interface's new method of listing relayers. To get on the user interface list, a relayer had to buy TORN, which pushed up TORN's price. In addition, whenever a relayer that appeared on the user interface's list was selected, a portion of that relayer's staked TORN was "slashed," or reduced, forcing relayers to top up with additional TORN purchases in order to continue to qualify for the list. This added more upward pressure on TORN's price to the benefit of holders like Storm and Semenov.
In the government's view, the totality of these actions constitute money laundering, specifically a violation of  18 USC § 1956. The DoJ believes that the two defendants "conducted" transactions, a key element of money laundering, via their ongoing control over the user interface, along with other TORN owners. The indictment also shows that a large portion of Tornado Cash transactions were in fact criminal proceeds, including those made by the Lazarus Group. (I mean, we all knew that already.) Lastly, they show that the accused were aware that the funds coursing through the Tornado Cash stack were dirty, a mental state of knowing being a key plank in charging someone for money laundering.

It seems to me like the DoJ has a solid case, although we can debate whether operating the Tornado Cash user interface and its relayer list is tantamount to "conducting" transactions. The legal definition of conducts is a broad one, including "participating in initiating, or concluding a transaction." While the user interface, and thus those who operated it, never directly initiate transfers of ether to the underlying Tornado smart contracts, it doesn't seem a stretch to describe them as participating in the initiation of those transfers. We'll have to see what the judge says.

Counterintuitively, the indictment seems like a win, if only a lukewarm one, for fans of decentralized finance, or DeFi.

Proponents of DeFi have long worried that developers of autonomous smart contracts might be held liable in court for crimes. In this case, however, the same actors who happen to be the developers of Tornado's core smart contracts also built a complex and centralized business structure around those same contracts, and it is this tertiary apparatus that is serving as the basis for a money laundering charge, not the original coding of the core smart contracts.

It's a useful thought experiment to imagine how things might have played out if Storm and Semenov had acted differently. Let's imagine that the two coders hadn't created a profitable apparatus around the original smart contracts. Once the core smart contracts were up and running, they ceased to associate in any way with the Tornado Cash stack. Secondly, imagine there was no user interface. To deposit or withdraw funds, users had to interact directly with the smart contracts. Lastly, let's assume that TORN tokens had never been issued, so there was nothing to govern (or govern with), and thus no basis for the government to use "operating control" as a lever for a money laundering prosecution.

Given a very slimmed-down Tornado Cash stack, who does the DoJ now accuse of money laundering? Because they have to accuse someone. Crooks depositing dirty ether are still ending up with laundered ether, so there is by definition a "someone" in the stack who is providing laundering services to them.

In our hypothetical story, Storm and Semenov are not the money launderers, and the thrust of the DoJ's indictment confirms this. The two developers created software with presumably noble intentions: to provide regular folks with privacy from the panopticon that is Ethereum. Then they walked away, leaving the tool indelibly etched on the blockchain. It was only then that people started to interact with the tool, some of them to carry out illegal activity. It's this latter group who constitutes the guilty party.

Relayers are excellent candidates for a money laundering charge, a point I made last year. Because they process withdrawals on behalf of users, it would likely be a cinch to pin them for "conducting" transactions. Showing that relayers do this despite knowing that criminals may be their counterparties shouldn't be difficult for prosecutors to establish. And indeed, the DoJ's actual indictment is going in the right direction when it says that Storm and Semenov, along with "others involved in the Tornado Cash service, including the relayers," were engaged in the business of transferring funds, and goes on to accuse these "others," presumably relayers, of engaging in money laundering.

The second logical target for a money laundering charge is the licit users of Tornado Cash, in particular the large and savvy ones who used the tool regularly. A person who is aware that criminals are depositing dirty money into Tornado Cash smart contracts, yet decides to deposit their own funds into those same smart contracts, knowing that their effort will help these criminals conclude transactions that disguise the source of their funds, ticks all the boxes for a money laundering charge.

A licit user of Tornado Cash accused of money laundering might try to wiggle out of the charge by saying: "Sure, I knew crooks were using Tornado, and I know my efforts helped them. But I was only using it for legal reasons. I wanted to get privacy for myself." But that's not a very good defence against a money laundering charge, for the same reason that someone who tries to make a profit from obfuscating criminal funds can't evade a money laundering charge by saying they were only motivated by profit, and profits are legal. The desire to improve one's position, whether that be to get privacy or profits, isn't an excuse to launder money for crooks.

To sum up, the task of any prosecutor trying to bring money laundering charges against the Tornado Cash stack is to find the actual third-parties who misuse the platform for laundering. In a slimmed-down Tornado, that means chasing down relayers and savvy licit users. In the DoJ's actual indictment, it's also trying to show that owners/operators of user interfaces qualify, and while it's not a bad theory, we'll have to wait for the court date to see if it gets confirmed.


  1. Thanks - this is the first coverage of the indictment that I find myself nodding along to, in particular the hypothetical at the end. I think on the hypothetical’s facts, we end up with a much clearer picture of what the developer ecosystem needs to worry about when they are designing and publishing smart contracts, which is the reason we are all following along anyways, isn’t it?

    1. Thanks.

      If you're looking for some more coverage, I thought these two articles were quite good, both from law firms:


      My hypothetical at the end is just a hypothetical, so don't build anything on the blockchain based on it; better to wait for the conclusion to the case for more clarity.