Friday, April 19, 2024

Thoughts on the Tornado Cash defence and what happens when everyone adopts it

Payments companies are regularly punished for engaging in money laundering. MoneyGram, for instance, has had to pay multiple fines. Western Union was famously busted in 2017. Meanwhile, Cash App is being probed as we speak for inadequate anti-money laundering controls.

In the future, these companies may have in their grasp a very simple techno-legal trick that allows them to deal with dirty money and get away with it. All they need to do is transfer their entire IT apparatus from a regular set of databases onto "immutable" smart contracts hosted on blockchains.

This, at least, is what happens when you take the arguments put forward by the Tornado Cash defence team to their logical conclusion.

If you follow this blog, you'll know I've written a lot about Tornado Cash.

Cryptocurrency isn't private; it's radically transparent. The function that Tornado Cash serves is to accept traceable crypto from users, both licit and illicit, and return it to them in untraceable format. Beginning in late 2020, a steady stream of stolen crypto began to be moved by thieves onto Tornado Cash for the purposes of obfuscation. In effect, money laundering was now occurring on the platform. But who were Tornado Cash's money launderers? More specifically, someone was to blame for helping these thieves to disguise their tracks: who was this someone?

Last August the U.S. government indicted two people involved with Tornado Cash for conspiracy to commit money laundering. I wrote about the government's indictment here. (They were also indicted for conspiracy to evade sanctions and the operation of an unregistered money transmitting business, but that's another story.)

Roman Storm and Roman Semenov, the accused, wrote the original smart contracts for Tornado Cash and exercised a degree of control over a key website for accessing those smart contracts. The government alleges that Storm and Semenov knew that the property being transferred to Tornado Cash was criminally derived, and that they also knew that the hackers wanted to disguise its source. Yet the duo conducted the financial transactions anyways. These three elements (knowledge, the conducting of financial transactions, and the presence of unlawful money) are key ingredients to building a money laundering charge. (See specifically 18 U.S.C. § 1956(a)(1)(B)(i).)

Last week the defence lawyers for one of the accused parties, Roman Storm, filed a motion to dismiss the case, giving observers some initial insights into what arguments will be used to try and beat the government's money laundering charge. As I'll show, assuming these arguments are right, then a big chunk of the existing payments system has a foolproof plan for avoiding money laundering laws.

The distinction between the Tornado Cash front end and the actual Tornado Cash smart contracts looms large in the case, so let's touch on that briefly. The smart contracts are bits of code that reside directly on the Ethereum blockchain. This code allows users to deposit their trackable crypto to a pool along with many other users and then withdraw it, obfuscated. A front end, by contrast, is a regular website that allows users to interact with the smart contracts, and is hosted through a normal internet provider.

While users are free to interact directly with the Tornado Cash code, the most popular way to access Tornado was allegedly via the intermediation of the main website that was under the control of Storm and his colleagues.

The key argument made by Storm's lawyers is that the accused are not subject to the money laundering statutes because the money laundering statutes only apply to people who "conduct" what are defined as "financial transactions," and Storm did not conduct financial transactions.

The defence says that in order to show that someone was conducting a financial transaction it must be the case that control was exercised by that person over the actual criminally-derived funds. Storm may have had some control over the front end, but the defence claims this doesn't really matter because the front end itself did not exercise any control over the proceeds. "It did not access the funds directly," the lawyers argue. "It merely provided an interface to permit a user to interact with the smart contracts."  

As for the smart contracts, Storm clearly had no control over them. He had relinquished control back in May 2020, when a trusted setup ceremony ensured that no further changes could be made to the code. At that point, the smart contracts worked automatically. Bad actors only discovered Tornado Cash several months after the ceremony, at which time Storm had long gone. Furthermore, the smart contracts didn't actually control the funds, say Storm's lawyers; it was users of Tornado Cash who controlled the funds within the pool.

So, there you have it. The government's money laundering charge against Storm and Semenov requires locating a person or institution who is in control of the dirty funds and conducts financial transactions with them, says the defence. But it isn't the accused who exercised this control, it is the users who did so, via the intermediation of a set of financial automatons, the smart contracts.

For the philosophically crypto-pilled, the defence's arguments will make sense, since according to this view crypto is a revolutionary force for good, one destined to "break" what they see as a corrupt and old-fashioned financial system. For this breaking to happen, crypto shouldn't be forced to conform to the same old laws as stodgy payments companies like Western Union. New laws, or new ways of looking at old laws, should be shaped around crypto.

But to the non-crypto pilled, a successful defence of Storm and Semenov is quite concerning. As described by Bruce Schneier and Henry Farrell, it could potentially mean that anyone who wants to facilitate illegal activities would have a strong incentive to copy Tornado Cash, effectively turning their operation into a "golem" (a deathless artificial being run on smart contracts) and then throwing away the keys to avoid the law.

More specifically, by shifting their entire IT infrastructure over to smart contracts or some other equivalent automaton, payments institutions like MoneyGram that are currently subject to the money laundering statutes (and have already been punished under them several times) might be able to avoid future prosecution. If criminals start using the autonomous MoneyGram robot to make payments, MoneyGram can simply say: "The robot allowed them to do it, not us!" As for the official MoneyGram front end, even if the mob becomes a happy customer, MoneyGram needn't worry, since the front end is nothing but a filmy gauze between users and the autonomous robot, the company never actually controlling the funds (although according to the Tornado Cash lawyers the front end can continue to safely generate a profit for its owners!)*

The money laundering statutes, 18 U.S.C. § 1956 and § 1957, are two of democratic society's key legal bulwarks against criminal behaviour. In a world in which the Tornado Cash defence prevails and payments companies adopt it as a techno-legal shield against money laundering charges, 1956 and 1957 become much less effective, and not because we decided to soften them via a democratic process, but because financial institutions found sneaky ways to get around the rules.

Mind you, the money laundering statutes wouldn't disappear entirely. The Tornado Cash defence's point is not that there is *no* money launderer. Rather, their argument is that it is the users of Tornado Cash, the public, who had "exclusive control," and not Storm and Semenov, so the latter duo aren't the guilty parties. Taking this control theory further, if the government wants to charge anyone with money laundering, it should probably be trying to target folks like Vitalik Buterin, a member of the public who regularly put his funds into Tornado Cash and thus potentially participated in the concealment of unlawful proceeds deposited by criminals.

What a dangerous financial tool to make available to the public!

Right now, I can safely transfer $1000 to Western Union without having to worry about commingling my $1000 with a criminal and thus facing a potential money laundering charge. The company takes on that liability for me. But if Western Union stops performing this legal responsibility by building financial automatons to which everyone has open access, both good and bad actors, then I am suddenly at risk of being a counterparty to criminals when I transfer $1000 to Western Union, and that could turn me into a money launderer. Money launderers can face up to 20 years in prison.

For users, a Western Union transfer suddenly becomes the financial equivalent of handling nuclear waste or operating a five-story crane. It's a task most people can't, and shouldn't, handle. Given the inherent legal risks, it's possible that the market will never widely adopt financial services delivered in the form of robots or golems or immutable smart contracts, preferring to stick with the traditional safe intermediaries who take on the burden of compliance. Or not?

Storm's lawyers may win this particular case. Their logic certainly seems sound, but I'm no lawyer. If so, there's a good argument to be made for lawmakers to consider modifying the definitions of words like "conducting" and "financial transactions" found under the money laundering statutes to prevent future efforts to use the Tornado Cash techno-legal trick. If, by merely swapping the technology used to deliver financial services, a payments institution can suddenly avoid the law and offload legal responsibility onto users, that's probably a hole that needs closing.

* MoneyGram would still be able to financially profit from the combination of smart contracts and a front end, much like how Storm and Semenov did with Tornado Cash, by finding canny ways to use their control over the front end. According to the indictment, Storm and Semenov, along with others who had control over the front end, curated a list of "relayers" (third parties who provided users with bolstered privacy protection) and then extracted resources from relayers who wanted the privilege of getting on the list.

This profit motive can't help prove that Storm was engaged in money laundering, says the defence, since there are many examples of criminals using "lawful tools for unlawful ends," and even though the tools' developers have "profited from that use" those developers were not punished.


  1. A person who drives a getaway car is guilty of the crime that it enables. Tornado was created with full knowledge of its potential for money laundering.

    1. You could be right, but as far as the actual court case goes, the government's indictment makes no allegations that Tornado was created in 2019 with knowledge of its potential for money laundering, or intent to facilitate money laundering. The nature of the government's arguments is quite different.

    2. If bank robbers are able to “get away” by casually walking onto a bus that happens to pull up at just the right time, are the bus driver and passengers then “accomplices”? That seems like the more appropriate analogy, no?

  2. What would the analogous treatment be when OFAC tries to apply a similar approach to the entire Monero blockchain? This entire blockchain protocol is designed from the ground up to be opaque in addresses as well as amounts.

    1. To be clear, what I'm talking about in this post doesn't have anything to do with the OFAC designations of Tornado Cash-the-entity. This is a different case. It's the US government bringing charges against Storm and Semenov for money laundering and two other charges.

  3. "I am suddenly at risk of being a counterparty to criminals when I transfer $1000 to Western Union, and that could turn me into a money launderer. Money launderers can face up to 20 years in prison."

    Couldn't this logic be applied to plain normal cash transactions as well? (the fact that cash is way more difficult to prosecute should be legally irrelevant)

    Indeed, there are countries where regulations prohibit cash transactions greater than $1000. Seems to me that governments are tending to qualify as irregular any transaction they cannot control, regardless of the "technology".

    1. For sure, that same logic can be applied to normal cash transactions. People are prosecuted all the time for acting as money mules; accepting stolen cash and helping to obfuscate it.

      for example:

  4. Did the front end take a cut somehow? I assumed that was the rope that the Feds would hang the operators with. If they ran a "non-profit" front end it's a weaker case of a somewhat different nature. A "no-cut" front end with ads for cam girls would be an intermediary case. ;-)

    1. The front-end did take a cut (albeit not from users, but from "relayers," i.e. intermediaries who improved the privacy of the tool). These profits went to owners of TORN tokens, of which Storm and Semenov owned about 10% each if I'm not mistaken.