skip to main content
Close Button
Last Name
First Name
Practice Area
Keywords

Non-Fungible Tokens (NFT) Newsroom

Hype Fades, but Oversight Stays Part II – Issues Surrounding Sanctions against Mixer

Hype Fades, but Oversight Stays Part II – Issues Surrounding Sanctions against Mixer

Following our previous blog post on the changes of the EU’s anti-money laundering laws and its associated implications, the U.S. competent authority administering sanction programs, the Office of Foreign Assets Control (“OFAC”), has recently surprised the cryptocurrency and NFT community by designating a cryptocurrency mixer “Tornado Cash” as a sanctioned target.

On August 8, OFAC identified Tornado Cash (with aliases “Tornado Cash Classic” and “Tornado Cash Nova”) on its Specially Designated Nationals and Blocked Persons List (“SDN List”) as the sanctioned entity and indicated that certain smart contract addresses related to the Tornado Cash protocol are also placed on the SDN List as a part of the Tornado Cash “entity”. OFAC pointed out that Tornado Cash has been used to conceal illicit financial activities conducted in violation of OFAC’s sanction programs (such as the $455 million stolen by North Korea-sponsored Lazarus Group, and the designation is made as a part of the “actions against mixers that launder virtual currency for criminals and those who assist them.” While OFAC has previously designated another cryptocurrency mixer Blender.io as a sanctioned entity, this designation made this time, as it turns out, has led to oppositions and uncertainties that are to be clarified.

What is Tornado Cash?

Tornado Cash is a decentralized protocol that offers cryptocurrency mixing services through self-executing smart contracts built on zero-knowledge proof feature. To put it simply, the protocol allows a cryptocurrency holder to preserve his/her/its transactional privacy and disrupt on-chain activities by obscuring the flow of deposited/withdrawn cryptocurrencies in its liquidity pools. If someone wishes to covertly transfer 1 ETH from his publicly-identified wallet to a secret, non-publicly identified wallet, he could simply deposit that 1 ETH into the protocol, receive a deposit note as the private key for his subsequent withdrawal, and request that 1 ETH (subject to the protocol’s fees) to be sent to the designated wallet address. An unrelated third party tracing this transaction would not be able to ascertain when and to which address that 1 ETH is withdrawn as the Tornado Cash protocol will be layering all the ETHs it has received (and thus disrupt the traceability of the concerned 1 ETH) and sending out ETH in various amount to one or more wallet addresses whenever a withdrawal request is made. It is reported that with such mixing services, “over $7 billion in cryptocurrency have gone through Tornado Cash since its launch, with around 20% of those funds tied to illicit activity.”

What are Sanctions?

Sanction is a set of restrictions imposed on certain states, entities or individuals in order to achieve certain goals or alter the behavior of the sanctioned targets. The most common restrictions of a sanction program are the prohibitions on transactions or trades with a sanctioned target, meaning that no U.S. entity or person (and in certain circumstances, non-U.S. entity or person) may engage in any transaction with the sanctioned target in any form unless a license permitting such transaction is granted by OFAC. In general, sanctions can be categorized into the following two types in accordance with the scope of their applicability:

  • Primary Sanction Primary sanction applies to U.S. citizens, U.S.-incorporated entities and transactions coming into or out of the U.S. (such as USD denominated transactions). If the source of a product originates from the U.S., that product could as well be subject to the primary sanction. In general, the key to determine whether the primary sanction applies is whether a transaction has any “U.S. nexus” that could tie it with the U.S.- once the nexus is found to exist, then the parties involved must comply with the primary sanction.

  • Secondary Sanction Secondary sanction, on the other hand, offers the ground pursuant to which the U.S. government penalizes foreign individuals or entities who violate U.S. sanctions in absence of any U.S. nexus. Contrary to the primary sanction, the restrictions imposed by the secondary sanction are typically administered in connection with a sanction program (e.g., the Iran and North Korea sanction programs) and/or as an extraterritorial effect by which foreign entities/individuals find it necessary to comply with U.S. sanctions for their own interests. The common consequence of violating secondary sanctions is the denied access to U.S. financial systems, which can be effected by being placed on the SDN list.

Issues Surrounding SDN List Designation

The first issue arising from OFAC’s designation is the legality of listing smart contracts as sanctioned entities on the SDN List. As pointed out by the research center Coin Center, the whole Tornado Cash protocol in fact consists of several Ethereum smart contract addresses that operate independently and automatically, meaning that no entity/individual would have the authority to control those smart contract. While OFAC has the authority under Executive Order 13694 to designate any person or “entity” as a sanctioned subject, the term “entity” is defined as “a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization,” which, given a smart contract’s nature and how it operates, is unlikely to be deemed as including autonomous codes. Accordingly, the inclusion of those autonomous smart contract addresses inevitably leads to the question concerning the legality of the designation and whether it would be appropriate to separate autonomous smart contracts from entity/individual-controlled entity when determining the scope of subjects to be placed on the SDN List.

Another issue following OFAC’s designation is the “dust attack” initiated by unidentified individual (or entity). As stated above, individuals and entities are barred from transacting with parties on the SDN List and may face sever consequence (e.g., fines and denied access to U.S. financial system) if such prohibition is violated. While it is fairly straightforward to comply with sanctions in conventional financial services setting because a party could actively screen and filter other transacting parties, in the cryptocurrency setting, however, the “active screening and filtering” may not suffice as cryptocurrency may be sent to publicly identified addresses without any actions on the recipient’s end. The concerned dust attack is initiated on the basis of such difference, where an individual (or entity) requests minimal amount of ETH to be withdrawn from Tornado Cash and transferred to celebrities’ (e.g., Coinbase CEO and Youtuber Logan Paul) so that such celebrities’ wallet addresses will be tainted and labelled as high risk addresses by cryptocurrency service providers (such as exchange and NFT platform). While the holders of those tainted wallet addresses could certainly argue and (arduously) prove that they have never accessed Tornado Cash and requested to withdraw, they would still face the question of how to treat and dispose of those “tainted ETH” received from Tornado Cash. In conventional financial services settings, funds that are determined as originating from a sanctioned target would commonly be segregated in one or more independent interest-bearing accounts by financial institutions so that they would not be mingled with other funds or properties not subject to sanctions and could remain frozen, monitored and reported (as mandated by relevant requirements promulgated by OFAC). In the cryptocurrency setting, however, it remains unclear as to how the “tainted ETH” could be handled. Obviously, individuals would not have interest-bearing account to segregate the tainted ETH, and it may be unfeasible to request established cryptocurrency exchange to take over such tainted ETH given various considerations. In the event an average Joe is stuck with the tainted ETH, he/she would be subject to ongoing compliance obligations that may eventually become unbearable, facing the risks of inadvertently violating applicable requirements. All such concerns would take time, efforts and regulatory guidance to be clarified.

Lastly, further considerations may need to be given to risk assessments performed in connection with the designation of Tornado Cash. As mentioned in our previous post, risk assessment is the core that underlies an AML/CFT program, and how an individual or entity is assessed in accordance with its activities would require a material review of the program’s AML/CFT methodology, policies and procedures. Assuming one innocent individual receives ETHs from another individual but those ETHs have previously been routed and layered through Tornado Cash. How far back should those routing and layering occurred for this innocent individual to be considered “genuinely innocent”? Also, in the dust attack trolling context, should the recipient of the tainted ETH be assessed as high risk customer by default until he/she is proven otherwise? Would the assessment be different for an individual that is subject to secondary sanction only? Until relevant practices are built up and/or regulatory guidance is provided, the most plausible answer to all this considerations may be an lawyerly one- it depends. The AML/CFT program would essentially require a case-by-case review based on the actual needs and unique operations of the program administrator.

The world is changing and the laws are catching up. It is important to keep an eye on how all of these developments would play out. Stay tuned to Ingram’s NFT Newsroom to learn more about the latest developments with NFTs.

By: Chih-Hsun (Tim) Lin


TimLin