37 comments

[ 4.7 ms ] story [ 77.0 ms ] thread
The Tornado Cash situation is interesting to me because being treated as a money laundering facility seems like the most foreseeable risk here.

Did the people working on this really think they wouldn’t be smacked down hard for it (unjustifiably so, imo) by governments that want to keep money laundering the province of bankers in their favor, high powered corporate donors, and government agents?

It’s a big club, and we aren’t in it.

Tornado cash still hasn’t been shut down. You can even visit it like a normal website if you have IPFS companion installed. Some people care more about freedom than compliance.
> Did the people working on this really think they wouldn’t be smacked down hard for it

Of course they knew. That doesn't stop a hacker.

Individual freedoms will always be hard-fought. And authoritarian governments will always resist them

Wait, is crypto a currency or a security? The SEC and OFAC apparently disagree on this point.
I never quite understood the bugabear about money laundering in the abstract.

If there's fundamentally a criminal or security problem, it seems like that should be the core thing that law enforcement should be chasing.

Disguising the source of funds, while arguably distasteful, shouldn't be the issue as long as appropriate taxes are paid. It's amusing that the IRS has explicit "declare your illegal income and we are not allowed to turn you over for doing so" mandates.

My guess is that it provides a simpler case for prosecution. So to speak, they'd rather go after Al Capone for tax evasion. Rather than having to build a case on the "base" crime-- "prove he sold specific drugs at a specific time" or "prove he was involved in a specific deal with $sanctioned_country" -- they can move to "prove that this neighbourhood Subway franchise isn't turning over $75 million a year", which can largely be proven with a couple people sitting over Excel, rather than on-the-ground investigations and witnesses.

In reality though, you wouldn’t ‘launder’ money that wasn’t ‘dirty’.

As an activity it’s basically always indicative of a crime. (Wether you agree with the law or not)

And by its very purpose, it makes the ‘base’ crime harder to prosecute and trace.

I think you’ve flipped the causality.

So I don’t think it’s so much that prosecutors just think it’s easier way forward, and if they put their mind to it they could prosecute the base crime, but don’t want to. As much as the laundering activity itself has made it too hard to prosecute.

And VPNs are only for downloading child porn.
I could imagine businesses in stealth phases trying to intentionally obfuscate their externally visible finances to keep a low profile. "Hey, $big_client, can you pay us through a chain of sham companies so it looks like you're buying office chairs from Crazy Teddy's Furniture and Waffles, so we can make a big splash when we announce our partnership at the launch event?" seems like something not that far out of line.

Legitimate firms might want to blur their supply chains and vendor relationships. If a manufacturer of some small component discovers the end buyer is Apple, for example, it might increase the temptation for "ghost shifts" and supplying extra components into the knockoff-product and aftermarket repair ecosystems.

Honestly, the thing that surprises me isn't that Tornado Cash got in trouble, it's that things like Ethereum haven't. Loads of Ethereum's work is explicitly to prevent government intervention and it's not like they even try to have plausible deniability, if you ask them why their doing it they will literally tell you they don't want the US government to be able to intervene in transactions in any way - even if the interventions are perfectly morally justified. It's like... ok guys, but I don't see how you aren't all just going to end up sanctioned when you eventually cross the line. It's like running a site that allows adult content - it doesn't matter how legit the service is, it ends up being a porn site. In the same way it doesn't matter what Ethereum devs intentions are, it will end up as a neat tool for North Korea and Iran.
(comment deleted)
I am actually shocked that the EFF seems to have no idea what is going on here.

An entity (Tornado Cash) was sanctioned for participating in money laundering activity. GitHub terminated their accounts not because of the code itself that existed, but because as a US organization they cannot do business with the sanctioned entity.

To provide a clearer example: A US based hotel chain would be free to rent a room to the developers for a vacation, but not for a meetup to work on Tornado Cash code.

The Github should have never been taken down. You can terminate a business relationship while maintaining a mirror of open source code.

Ultimately, Microsoft, a government-backed entity, performed censorship for the government.

As they are required to do by law. Take your grievance to your federal representatives.
> An entity (Tornado Cash)

An entity? Can you link me to its physical, geographic address? Or its board of directors? Maybe its charter or mission statement?

Do they have a revenue model?

Can you clarify what transforms a deployed solidity document into "an entity"?

The US broadly defines entity as “a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.” This is written in 31 CFR 510.305, https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/p....

This is one of the interesting intersections of US law where interpretation is everything. Until you can find a judge that wants to strictly define all of these words and the term “entity” to establish precisely what an entity is, or unless the code is rewritten, an entity can practically be anything OFAC wants it to be.

Based on how this was written, I almost think that if a judge ruled that sanctioning the contract didn’t count, the entire ethereum network could easily be classified as an “entity” as a group of networked computers. The possibilities of this definition are quite profound.

Agreed.

But even by this vague standard, it's an incredible stretch. Tornado Cash is a document, published on github. Anybody can deploy it, or fork it and deploy their fork, and many people have done that.

If OFAC wanted to go after members of the $TORN DAO under the theory that, together, they represent an entity, then at least I can see some vague adherence to the rule of law (albeit one in which vagueness is abused in the ways that you point out).

But they didn't do that, because they would be difficult, both logistically and politically. Instead, they designated a document, held on many thousands of computers around the world, a "specially designated national."

This is a facially childish and unserious move, and is not befitting a state which wishes to be viewed as a serious arbiter of its laws.

The designation letter from the Treasury Department[0] reads like something from The Onion.

0: https://ofac.treasury.gov/recent-actions/20220808

What do you propose be done instead about things like Tornado Cash that would be more effective at stopping it?
I don't even understand the question. It's like asking, "what can you imagine might be effective at stopping integer factorization?"

Math is real. It works reliably. The idea that it can be "stopped" is just... I don't know - childish is the word that comes to mind.

I mean as in a tool that streamlines money laundering and sanctions evasion.

The underlying math/science is beside the point. The service tornado cash is ran on physical hardware owned by physical human beings who can be placed in handcuffs.

...so, if that's the assertion (that _running an ethereum node_ is against the law), why not place those people in handcuffs?

Why do this bizarre song-and-dance of writing a designation letter which passive-aggressively refers to an algorithm?

There's nothing anybody can do to stop this particular piece - or any other piece - of math. And that comes as a relief to freedom-loving humans everywhere.

So why pretend to make an effort to do so? Other than to decrease respect for the rule of law, what's being achieved here?

Fission and high end radar designs are just math too. We restrict those, which is both effective and does not degrade freedom or the rule of law. Your meandering suppositions are baseless and unsupported.
I am no expert in reading these notices, but they seem to be designating a bunch of addresses, not a PDF.

I imagine that a reasonable way to handle these things would be to designate a problematic contract or implementations thereof as well as the outflows from it. So any tornado cash contract would be sanctioned, and the assets removed from it would be sanctioned, and assets derived from them, etc.

A law-abiding cryptocurrency should have a way to track these assets so they can be frozen properly. If, say, Ethereum can’t do that, then Ethereum has a problem and it would be reasonable to entirely ban the conversion of ETH to USD.

> they seem to be designating a bunch of addresses, not a PDF.

Those are some of the addresses to which the contract suite was deployed at the time the letter was written (of course there are now many more). They are a reference to the source code.

> A law-abiding cryptocurrency should have a way to track these assets so they can be frozen properly. If, say, Ethereum can’t do that, then Ethereum has a problem

What you see as a problem, many people see as a feature.

The whole point of an agnostic piece of software able to resolve transactions is to subvert the role of criminal cartels in censoring them.

> Tornado Cash is a document, published on github

I think this misunderstanding is causing the confusion: Tornado Cash is also a running service which North Korea used to launder money. That’s what was sanctioned, not the source code – if Matt Green wanted to run his own copy he’d be free to do so but no doubt would want to limit it to his students unless he really enjoys spending time in court. The guy who was arrested was specifically charged with receiving funds so it seems likely that the charges are going to be based on him personally receiving a cut of the transaction fees the NK ransomware ring paid.

This also seems reasonable in the larger context: they must have situations like this frequently where they know funds are linked to criminal activity but haven’t yet identified every person involved on either end of the transaction. They can say account X is verboten before they can identify the true owner.

> I think this misunderstanding is causing the confusion: Tornado Cash is also a running service which North Korea used to launder money.

The "misunderstanding" in question is the result of obtuse and confusing language, such as you are using here.

The "service" to which you refer is, of course, the ethereum blockchain. And I don't know who "Tornado Cash" is with respect to your sentence, but they aren't "running" the ethereum blockchain any more than any node operator is.

> That’s what was sanctioned, not the source code

"It's not the source code that was sanctioned, it was the contract deployed to the ethereum blockchain". That's... source code.

The sanction isn't against nodes who subsequently evaluate that source code for the purposes of executing a transaction, but against the code itself (listed by the addresses which refer to it), as you can plainly read in the designation letter.

> The guy who was arrested

As you obviously already know, that is a separate, but similarly capricious, case to the one we're discussing here - a criminal case in The Netherlands. OFAC has said nothing about Pertsev and has only designated this contract (again, source code) as a "specially designated national".

They could have chosen to designate individuals who holding $TORN DAO token (one of many which govern a contract running the software that OFAC sanctioned), but they didn't, because they would be difficult or impossible, both practically and politically.

I'm not sure why you are pretending that they took this (arguably more reasonable) action. Credit where credit is not due.

> they must have situations like this frequently where they know funds are linked to criminal activity but haven’t yet identified every person involved on either end of the transaction.

...yet they have never listed a piece of bank software as a specially designated national. Strange, don't you think?

> ...yet they have never listed a piece of bank software as a specially designated national. Strange, don't you think?

Did they? The list says “Digital Currency Address”, not software, and that makes sense since they don’t care about how the code works, only that it was involved in illegal activities. There’s nothing in there which says you couldn’t run your own copy with different addresses, although obviously it’d be unwise to do so unless you fixed it to comply with the law or restrict transactions to people you trusted.

I'm sorry if you are genuinely trying to participate in good faith; your comments are really not making sense to me.

> The list says “Digital Currency Address”, not software,

I don't understand what you're saying here. The addresses in question are simply the addresses which pointed to copies of the EVM bytecode in question at the time the letter was written. There are many more now of course.

If they instead used a URL (and a checksum for verification), do you then acknowledge that the sanction is against a document? What's the difference? An ethereum address (in the case of a deployed contract) simply points at a piece of software that can be run in a verifiable way. Just like a URL+checksum.

> they don’t care about how the code works, only that it was involved in illegal activities.

They have taken no action against anybody whom they purport to have engaged in illegal activities. If they did, they'd at least gain some credibility in the minds of the larger legal profession. As it stands, this particular sanction is making nobody happy.

> There’s nothing in there which says you couldn’t run your own copy with different addresses

The FAQ says, "While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons..."

I agree with the EFF's concern here that this appears to mean that indeed you'd run afoul of the law is you ran your own copy with different addresses.

And if you're right, and that all the redeploys of the contract are completely legal and fine for use now, isn't that even _more_ capricious? What makes those OK, but the above addresses not OK? If someone from NK tumbles a single penny through a contract, does that suddenly make the address in question illegal, while all other identical deployments of the contract are not illegal?

The whole thing is just totally unserious.

Poor analogy. Speech and ideas are constitutionally protected in the U.S; accommodations are not (well, other than quartering of soldiers).

A better analogy is that the government can prosecute people for doing the actions described in the Breaking Bad scene on money laundering [1], but they cannot prosecute the writers of Breaking Bad, the networks it's shown on, YouTube, or people who link to it.

[1] https://www.youtube.com/watch?v=RhsUHDJ0BFM

Commercial speech does not have the same rights as personal speech under the law.

I can scream "dang for president!" to my hearts content, but if my employer pays me to scream the same sentence it is subject to campaign finance laws.

The developers are free to write all the code they want. The issue is doing to the benefit of the Tornado Cash criminal enterprise.

> To provide a clearer example: A US based hotel chain would be free to rent a room to the developers for a vacation, but not for a meetup to work on Tornado Cash code.

This sounds very wrong to me. Do you have a source for the idea that sanctions apply based on the purpose of the transaction, not the identity of the entity making it?

> as a US organization they cannot do business with the sanctioned entity

But are they doing business if no money changes hands?

For example, Github locked me out of all paid features because I used to sponsor someone and had russian billing address on file. I can still use github free plan, presumably because if no money is involved their lawyers aren't worried?

Just require companies that interact with funds from Tornado Cash (or any other privacy coin) to get KYC documents and funds explanation from users. Not really any different than cash deposits at a bank - you don’t know where the money came from, so have a presumption of suspicion but enable the users with a legitimate reason for privacy to prove themselves.

The OFAC thing, Elizabeth Warren’s “anti crypto army” advertisement, hyperventilations about crypto being used for crime… all of this while regular banks collapsed and crypto is the financial success story of 2023. I think the government has overplayed their hand and hopefully courts intervene to limit it.

Tornado has those audit tools built in - if asked, you can prove the source of funds to a third party.
You are not authorized to have financial privacy. Whether or not you comply with the law, it is assumed that attempting to maintain privacy proves that your behavior is illegal.

The faster you get used to the idea, the “happier” you will be.

Tell that to all the folks who set up trusts, shell corporations, multiply-redundant financial accounts, P.O. boxes for billing addresses, or just refuse to share their salary online.

In general, people with a lot more money than you have found that the more you maintain financial privacy (legally, of course), the happier your life will be. Money attracts problems, so the fewer people who know you have money, the fewer problems you have.

Yes, of course.

It’s a big club - and you ain’t in it.

Stay in your lane, work hard, pay your taxes and don’t ask questions.

You’ll own nothing - and you’ll be happy.