123 comments

[ 4.9 ms ] story [ 138 ms ] thread
Good riddance. A lot of people here defended the living hell out Tornado. Hopefully this will change your mind but somehow I doubt it.
(comment deleted)
Why would this change my mind? They created Tornado, government said it was illegal a year ago, now they are arrested. I still think having a panopticon watching all financial transactions is bad, and cash should not be outlawed. I also think watching all my internet history is bad, so I use tools to hide that above and beyond what the default legal protections are, because I don’t trust the government, ISPs, and adtech data miners.
> cash should not be outlawed

Good news! It's not.

Yeah like what does that even mean? I don't even care to know the answer at this point.
The government would absolutely ban cash if they could, because it’s anonymous value transfer. Tornado enabled bearer instruments - cryptocurrency is digital cash equivalent - to be anonymous. The government obviously hates this for the same reason it hates cash.
> cryptocurrency is digital cash equivalent

It's legally not, though. That may be the fundamental disconnect in the two viewpoints here.

Yes, because the government only prosecutes people who do “bad” things.
It's for laundering. The notion that it's for privacy is to get hordes of suckers like you to defend them on the internet.
I mean, I work on privacy-preserving technology, so I think I know what I'm talking about technically.
> Storm suggested creating a version of Tornado with KYC / AML enabled, but Tornado’s unnamed venture capital investors were dismissive, saying, “I just don’t know if anyone will actually want this.” The investor added, “It would be unlikely as a fund that we’d use a ‘compliant mixer.’”

Doesn’t this directly implicate the investor as well?

It’s always frustrating to see founders punished and the money get away scot free when everyone knows they’re pressuring the founders to grow at all costs.

That sourcing of that paragraph is pretty ambiguous. My guess is that this is coming from the Romans' lawyers, and it's precisely that: an attempt at constructing a defense where they were just pawns of a bigger fish. And maybe it'll work, but given the context I'd apply salt until we have a name attached to the "unnamed venture capital investors" and some level of documentation of that conversation.
Well that's a terrifying precedent they are trying to set.

Tornado Cash devs blocked known OFAC sanctioned addresses or associated addresses from interacting with the service yet they are still being put on the hook for people hiding their identity to attempt to bypass those sanctions.

I don't think this is unprecedented: the USG's reasoning (appears) to be that all actions here were ultimately the product of human behavior.

Put another way: it's still a crime to kick puppies, even if you only indirectly kick puppies through your newly-invented fully-automatic Puppy Kicker 3000.

Edit: to refine the analogy: it doesn't stop being a Puppy Kicker 3000 just because you add a screening phase that eliminates puppies designated by the American Kennel Club.

Your analogy would only make sense if Tornado Cash (Puppy Kicker 3000) was created for the purpose of money laundering (kicking puppies), but it seems like it was created for consumer privacy reasons.
Privacy for consumers of money transmitting services is called money laundering.
Seems like cash users (everyone) and cash issuers (the government) are money launderers under this exceedingly broad definition.
Transmitting cash for others without reporting it would in fact make you a money launderer as well.
Try doing things with large amounts of cash, and see what happens.

Take a million dollars and buy something with it. Even just depositing 10k in a bank account gets reported to the feds, and possibly investigated (And using lower amounts is illegal under structuring.)

That's setting aside the instances of civil asset forfeiture where money is seized because driving with large amounts of cash is assumed to be the product of a crime.

So yeah, whether it's a good policy or not, it definitely seems to be the view.

No it is not. Maybe you need to look up the definition of money laundering.
I think what it seems to you is different from what it seems to others. But this is the reason we have a court system -- a judge will end up deciding if TC intentionally allowed for money laundering and if TC violated KYC/AML laws.
Sure and if their intent was to make a tool for money laundering or they attempted to subvert the law, I'm all for it
If someone took the Tornado Cash contract source code and redeployed it on Ethereum under a new contract address today and people began using it, do you think someone deploying such a contract should face similar charges?

Should the original developers face additional charges for that?

What if the original developers only published the contracts but never deployed them on Ethereum, leaving that up to someone else to do? Is it the author or the deployer or the user who is liable?

I mean, someone has to be liable if it didn't exist before and then it did, but if it's the author and not the deployer, you could be charged for code you wrote entirely offline and published to GitHub (if someone else later deploys it and it sees use).

My “should” doesn’t enter into it. What matters is whether it’s indistinguishable from a criminal enterprise, which it is.
In this case the "devs" are the owners and operators and they profit on the contract being run.

The answer to all of your questions is the same. When you run this code to facilitate money laundering the deployer gets in trouble and that's how it should be I can't imagine how else it could work.

Yes, no, deployer.

The code is absolutely free speech, the application of it is not. I can sell you a book that says how to circumvent financial controls, I can even give a talk about circumventing financial controls, what I can't do is fly to North Korea to talk about it.

[1] https://www.bbc.com/news/business-61090064

No, put another way this is Nike getting punished for creating a shoe that was used to kick puppies.
The purpose of kicking puppies is not embedded in the concept of a Nike sneaker.
Creating a shoe specifically designed for kicking puppies with enhanced puppy kicking features and instructions on how to kick puppies with said shoe
Which is, and certainly should be, entirely legal.
No, in this analogy the punishment is aimed at Nike employees who after creating a shoe for kicking puppies also operated puppy-kicking-as-a-service with that shoe.

The people charged are the subset of the Tornado Cash devs who ran the service, not for solely developing some code.

There's no section 230 for money laundering. If you want safe harbor from the crimes of your customers, you need to lobby for explicit protection in the law.

In this case, there actually are safe harbor laws in place that protect banks from being prosecuted in exactly this way as long as they correctly implement KYC/AML protocols. Tornado didn't feel they wanted to do this, so quite deliberately and publicly flaunted the law that would have protected them. And this is what happens.

What's the "precedent" being set exactly here? Follow the law like your competitors do and you won't get fingered as an accomplice?

So "move fast, break things" isn't a valid defence?
Gotta move fast enough you can't get caught.
And also gave advice on how to remain anonymous, and put in place no AML or KYC processes.
Oh, the nerve of developing a piece of software, and advising people on how to not put in place processes! I thought the default state of transactions was not putting in place processes. How exactly do we square this with freedom of speech? When Phil Zimmerman published the book with the PGP source code, Could they have simply arrested him for exporting munitions despite the first amendment? That is a serious question, how come he was able to get away?
> How exactly do we square this with freedom of speech

Freedom of speech in the US is not, and never has been, absolute. There is all sorts of speech that is illegal to engage in.

> That is a serious question, how come he was able to get away?

He was absolutely investigated for ITAR violations, but the government elected not to press charges in the end. I forget why they made that decision, but I think it was a combination of the book being published only in the US at the time (which was undeniably legal) plus the huge amount of pressure -- especially public ridicule -- from the hacker community about the ridiculousness of the ITAR regulations.

They didn't just develop software and give advice. They ran the service itself.

If they had just written some software and told people how to operate it anonymously, they could not be prosecuted under these laws.

Might as well ban cash transactions and any services that facilitate cash transactions.
There have been laws requiring reporting cash transactions above a certain amount for a very, very long time. Engaging in such transactions without doing the proper reporting is already banned.
Yes, many jurisdictions have limits and rules for large cash transactions, and have for many years. Suddenly showing up with $1 million in cash that can't be traced to anything is more than a little suspicious, wouldn't you say? To what degree these laws should exist is something you can have an opinion on, but fact is that crypto is not being singled out here as is being implied.
The vast majority of cash is used for its intended legal purpose. The vast majority of tornado transactions were likely used to launder money.
I don't see where it says in the article that they were blocking known OFAC sanctioned addresses, etc., but they do state that they were operating without any KYC provisions whatsoever, and that is a big no-no if you don't want to run afoul of money laundering laws in the US:

> Tornado Cash operated without know-your-customer (KYC) or anti-money laundering (AML) programs as required by US law, the document alleges. It also did not register with FinCEN as a money-transmitting business, the indictment says. Semenov and Storm also created a document called “Tips to Remain Anonymous,” which advised customers to consider using Tor or a VPN, delete data from their web browsers, and leave their money in Tornado for longer periods of time to better anonymize their transactions. They also advised users to employ different IP addresses for deposit and withdrawal.

As a bonus, the investors wouldn't fund a compliant version:

> Storm suggested creating a version of Tornado with KYC / AML enabled, but Tornado’s unnamed venture capital investors were dismissive, saying, “I just don’t know if anyone will actually want this.” The investor added, “It would be unlikely as a fund that we’d use a ‘compliant mixer.’”

I'd say these investors are as complicit in whatever conspiracy the devs are being charged with as well.

This isn't a precedent at all. As expected, prosecutors were not impressed by the blockchain smokescreen. People were joking about this programmer habit of thinking they can just inject "reasonable doubt" into everything and be fine years ago on HN, and that's just not how lawyers look at things.
But you see your honor, I’m a sovereign citizen!

For some reason too much time spent working with machines clouds the judgement of how law and the court work.

(comment deleted)
> Storm and Semenov in fact knew that they were helping hackers and fraudsters conceal the fruits of their crimes.”

Let me fix that for you …

Storm and Semenov in fact knew that they were helping criminals conceal the fruits of their crimes.”

(comment deleted)
"It is difficult to get a man to understand something, when his salary depends on his not understanding it."
Wouldn't the developers of privacy-focused blockchains like Zcash and Monero also be liable under this logic? Surely they also knew that criminals would use anonymous transactions and they did nothing to implement KYC / AML.
There was evidence that north korea specifically used tornado cash to hide stolen crypto, which is where this has all stemmed from
I wouldn't be surprised if crypto makes up a good chunk of their cash right now. They have definitely stepped up their hacking attempts in the last decade.
Actually, with governments around the world, increasingly stepping up the war on end to end, encryption, anyone caught developing software that facilitates encrypted communication without allowing the government to execute a man in the middle attack, will be liable for anything that takes place on those networks. Whether it’s sharing, illicit content, seditious, content, or planning some sort of violent act, or perhaps sending billion dollar transactions through encrypted channels in an attempt to circumvent capital controls, or hiding their speech from censorship, thereby harming the body politic with vaccine, denial, or criticizing some war effort. The list goes on and on. The United States has literally the best protections for freedom of speech of any country in the world, and even here there are constant attacks on encryption. So yes, I think they would simply go after the businesses first, since those do The actual transactions. Every business would have to look over their shoulder every time they use paper, cash, or Z cash, or Monero. If they use an encrypted channel to communicate, they can get a knock on the door from the state. And that’s in this country. The majority of other countries are much worse.
The developers of Signal, WhatsApp, iMessage, Matrix, Tor, and BitTorrent would also be liable under this logic.
None of those are money transfer protocols, AFAIK. Except wasn't Signal adding some cryptocurrency silliness too? So maybe they would be liable.
Signal integrated someone else's crypto. Presumably mobilecoin would be liable, not signal.
Movement of money is different from movement of information. That being said I believe Signal has a cryptocoin nowadays.
This is a false sense of solidarity: each of the above (with maybe the exception of BitTorrent) is a communications platform, not something expressly designed to violate KYC/AML laws.

The USG can be legitimately accused of all kinds of gross excesses, but they can't be accused of not understanding the difference between these things. Pretending otherwise doesn't do any party any particular justice.

The real answer is that the IEEPA has an informational materials exemption.
> not something expressly designed to violate KYC/AML laws.

Tornado Cash was not designed to violate laws as per intent of the authors. Maybe it is your judgement of the design itself.

Whether or not it in fact does is something we may possibly find out (if the US plea-deal system doesn't prevent it). Even then, a guilty verdict might hinge on technicalities around the TORN token.

They’re not being charged for the design:

> As alleged, when it became clear that a sanctioned North Korean cybercrime organization was using the platform to launder hundreds of millions of dollars derived from cyber heists, Storm and Semenov turned a blind eye to the illicit activity and made public representations that they were compliant with sanctions laws.

Now, we don’t know how much evidence they have about that knowledge but federal prosecutors usually don’t bring cases like this speculatively. I would be surprised if they didn’t have specific example of them clearly being aware of that information and choosing not to act - for a relatively high-profile case they’re not going to want the embarrassment of losing.

EDIT: Tracking down the actual PDF has things like this:

> 59. ROMAN STORM, ROMAN SEMENOV, the defendants, and CC-1 were fully aware within days of the Ronin Network hack that the proceeds of the hack were in fact being deposited into the Tornado Cash service. For instance, on or about April 4, 2022, a reporter sent an email to an email address used by all three Tornado Cash founders asking for comment on the Ronin Network hack, in which the reporter included a link to a blockchain analytics website and stated that "it appears that these hackers are trying to use Tornado.cash to launder stolen funds."

> 67. ROMAN STORM and ROMAN SEMENOV, the defendants, and CC-1 well knew that the Tornado Cash service was continuing to launder proceeds of the Ronin Network hack held in the Lazarus Group's 0x098B716 Address. On or about April 30, 2022, SEMENOV sent a message to STORM and CC-1 through the Encrypted App with a link to a blockchain analysis showing that 15% of all of the deposits into the Tornado Cash service over the preceding three months had come from the Ronin Network hack. The analysis also showed that more than 90% of all the deposits into the Tornado Cash service for which a source could be identified during that same time period were attributable to criminal exploits.

https://www.justice.gov/media/1311391/dl

90% is a pretty large number, and that pattern of ongoing knowledge is significant, too. As an analogy, if I run a bike shop and some dude brings in a stolen bike, I’m not getting arrested but that’s not true if 90% of the bikes in my shop are from the same dodgy guys the cops are looking for.

> I would be surprised if they didn’t have specific example of them clearly being aware of that information and choosing not to act.

Yeah, I'm sure the FBI needed to bring out their top detectives to find "evidence" that the Tornado Cash devs where not aware that criminals used their service. I guess they never googled themselves or talked to anyone ever.

This case isn't a dispute about the facts. It's a fight about if existing AML legislation can be stretched to include new types of financial actors on blockchains.

Most people here simply have no idea how Tornado Cash operated, don't care to ask themselves what the underlying principles should be, what kinds of obligations should be in miners, and would probably support the arrest of Vitalik Buterin on money laundering charges.

[flagged]
I would strongly suggest toning down the outrage until you learn about the laws. In particular, how money changing hands is more restricted than speech. Civil disobedience is always a choice, of course, but it’s not like there was any question that KYC applied to financial vehicles - they were just hoping to reach “too big to fail” status before attracting the attention of prosecutors.
> they were just hoping to reach “too big to fail” status before attracting the attention of prosecutors.

Are saying that although this is evil, evil money laundering, if they just get a chance to do more of it, US prosecutors will leave them alone? They failed, so now they have acdha explain to them how they should have known better?

This is nonsense - they didn't hope to get "too big to fail". If you are looking for a reason why Roman Storm felt confident to operate out of and stay in the US it is because:

- there were many questions about whether KYC applied. - these questions remain today.

If you personally want the law to criminalize what the TC founders did, feel free to argue as such, but be prepared to explain what exactly that is, because there are a whole bunch of other people wondering if you'd want to seem them jailed for their particular work on financial vehicles.

> If you are looking for a reason why Roman Storm felt confident to operate out of and stay in the US it is because:

> - there were many questions about whether KYC applied. - these questions remain today.

Which means that they took a gamble and may have lost (none of us know whether they'll be found guilty or not). It's hard to feel too outraged about someone rolling the dice and coming up snake eyes, especially when there are other people who looked at the same uncertainty and concluded it was too risky to take on.

I have the same question. I know people who created blockchains that were specifically not privacy coins (when they could have done it) specifically because they were scared of going to prison.
(comment deleted)
Lawyer here - you may have plausible arguments about things if you just create software without KYC/AML, and you are outside the US or whatever.

If you run an actual service without KYC/AML, uh, yeah, you are probably f'd.

If you have specific knowledge that a sanctioned-by-OFAC north korean hacking group is using your service to launder hundreds of millions and you do nothing, you are definitely screwed.

Once the contracts were installed on the block chain, nobody was "running" them. They're still out there running right now, and nobody could shut them down if they wanted to. A sufficiently sophisticated user can continue to use Tornado Cash regardless of anything these guys do now or in the future.

They might have hosted some user interface code; I don't know. They would have been able to shut down or modify anything they were actually hosting. They could have created alternative contracts, and maybe encouraged somebody to use them. But the basic already-running Tornado Cash contracts are immutable and unstoppable without shutting down all of Ethereum.

If anything, something like Monero or ZCash seems to have less cover, because if the developers of those release modified code, and if they succeed in actually getting the bulk of the users to use it, they really can change the way the whole chain works. Although if they tried to remove all anonymity, all that would probably happen would be that somebody would fork the project.

> They're still out there running right now, and nobody could shut them down if they wanted to.

No, but the US could start arresting validators on AML charges, and no doubt, many people here would support this too.

> They might have hosted some user interface code; I don't know.

That's just a static website though talking only to your wallet app. Somewhat similar to the fight around whether the piratebay is culpable for copyright violations. Many geeks used to support the piratebay.

The TC interface is hosted on IPFS. Can IPFS gateway operators not blocking the content be arrested on AML charges?

I think some, maybe all, US validators are refusing to include Tornado transactions in their blocks. But unless all validators do it, that just increases the latency.

They could go after people for accepting and building on top of other people's blocks with such transactions in them. But I suspect they'd prefer not to have to do that, because the more rarefied the "interactions" they try to enforce against, the more chance they have of courts telling them they're beyond their statutory authority, or conceivably even of authority they actually do have getting repealed.

I haven't looked into it in any detail, but I suspect their authority for the Tornado sanctions is actually pretty shaky. They can sanction any entity, but it's not clear, to me at least, that a smart contract is an "entity" in the sense intended by the legislation they're presently relying on for all of this. That means that after all the lawsuits shake out, they may have to ask for new legislation to give them authority. I suspect they'd eventually get that authority, but it's harder to sell it to legislators if anybody can say you've been overreaching.

Clarification on edit: Their authority for the sanctions against interacting with the smart contracts looks weak. I don't know about the company or the people; those may be fully within their authority, depending on what they were actually doing. But the smart contracts are the heart of the whole thing. And OFAC seems to be trying its best to muddy the distinction.

So the charges say they charged money to run relayers. Let's ignore that one.

In practice, they are being charged with conspiracy, and the conspiracy is mostly about running the website with the UI, not about the smart contracts (as i read it). they seem to have been careful not to try to charge them for creating some ethereum contracts.

Conspiracy does not require that they could have done something later to stop the conspiracy from completing.

The crime of conspiracy was complete when they committed an overt act (towards the overall criminal act). Once that was done, you lose.

Here, the overt act cited is paying for the website :)

In this case, the thing to do is to withdraw before an overt act.

If you successfully withdraw, you are no longer chargeable with conspiracy, even if the act later completes.

The model instruction for the defense of withdrawal looks like this: "“(1) One of the defendants, (Defendant’s name), has raised the defense that he withdrew from the agreement before any overt act was committed. Withdrawal can be a defense to a conspiracy charge. But Defendant has the burden of proving to you that he did in fact withdraw.

(2) To prove this defense, Defendant must prove each and every one of the following things:

(A) First, that he completely withdrew from the agreement. A partial or temporary withdrawal is not enough.

(B) Second, that he took some affirmative step to renounce or defeat the purpose of the conspiracy. An affirmative step would include an act that is inconsistent with the purpose of the conspiracy and is communicated in a way that is reasonably likely to reach the other members. But some affirmative step is required. Just doing nothing, or just avoiding the other members of the group, would not be enough.

(C) Third, that he withdrew before any member of the group committed one of the overt acts described in the indictment. Once an overt act is committed, the crime of conspiracy is complete. And any withdrawal after that point is no defense to the conspiracy charge.

(3) If Defendant proves these three factors by a preponderance of the evidence, then you must find him not guilty. Preponderance of the evidence is defined as “more likely than not.” In other words, the defendant must convince you that the three factors are more likely true than not true."

So, for example, for the charge related to running the website, "stop paying for website, tell others this is not okay, cut off all support and help you can" seems likely have been enough to withdraw here, even if you couldn't stop others from using it because it's immutable.

... but the question was how they were different from Monero or ZCash. Why couldn't you apply the same argument to those? The developers of both Monero and ZCash definitely know that their systems are in fact used for illegal activity. Monero is probably predominantly used for drug transactions. Surely at least some money laundering too. And absolutely no AML/KYC or other "due diligence".

Some of the developers probably even know about specific illegal acts by specific actors. And the illegal activity has been happening throughout the lifetimes of those systems, with plenty of overt acts during any given developer's personal involvement.

So if the Tornado Cash people were conspiring with their users to launder money, how are the Monero or ZCash people not conspiring with their users to launder money? What's the required threshold of coordination or participation? In both cases, you're basically looking at somebody sticking some software out there and letting other people use it.

It's possible that Tornado had more active participation in specific incidents, but if so, what aspects of that participation matter? If it's a matter of hosting the UI, well, many the Monero and ZCash developers probably also run nodes, so they're actively operating systems that are accepting and relaying obscured transactions, with no attempt to filter out illegal ones. And they can't exactly claim they're ignorant about that.

I'm not claiming Tornado Cash is or was not a conspiracy, but if it is, then it seems hard to say that Monero or ZCash isn't.

By the way, as far as I know charging money doesn't matter, and I'd put about zero weight on allegations about "running relayers", since there aren't any recognizable "relayers" in the system anyway. The government has a strong interest in ignoring how it actually works, and in muddying any potential distinctions between the automated actions of the smart contracts and the intentional actions of the developers. They've issued actual sanctions forbidding "any interaction with" the smart contracts themselves, and if they let those distinctions become significant, they run the risk of having to explain how the smart contracts are "entities" within their authority to sanction.

> but the question was how they were different from Monero or ZCash. Why couldn't you apply the same argument to those?

IANAL, and maybe DannyBee can correct me if I'm mistaken, but I think the answer to this is "Maybe they do and just haven't been charged yet." If there are a lot of independent people doing the same crime, they're not all going to be charged simultaneously. Each requires a separate investigation. Someone's going to be the first in line.

I'll try to give you a line for those devs:

If the developers are running for a UI that helps, or paying for a UI that helps, or paying to run services that help get the money out, then i would say they may be on the hook for charges.

These all have to be knowing, btw. If you just donate somewhere and they do something bad with it, not your issue. If you donate somewhere, knowing they will do something bad with it, that's different :)

You are correct that charging money or not doesn't really matter, it just gets used to show they profited from the illegal enterprise overall.

As for further lines, if all they did was write some Ethereum contracts and let them loose, I doubt someone would come after them. If they are making it easy by building UI/services around it, without any KYC/AML, and then the UI/services get used to launder money, then yes, they are likely on the hook.

I also doubt the government wants to start a case about interaction with smart contracts - it would be very muddy and possibly set bad precedent, at least right now. They would rather take cases like the one you see here, where someone did something more than make an ethereum contract, and the facts don't look great, and prosecute those.

Maybe sometime later if they win a bunch like this they will go after more complex cases around smart contracts, but you generally want to ease courts into this sort of thing if you want the best chances. It's not always possible, mind you.

If you look at early decisions in new fields where someone threw a really complex and hairy technology case at a court, the decisions are sometimes weird/strange. The courts do their best (and often hire special masters with expertise in the area and ....), but the legal system is a deliberately iterative one, and often takes iterations over years to get things to a stable point.

Funny how the crypto people always think they found a legal loophole. "Akcshually the contracts...." They're like the sovereign citizens of tech.
How many people here on HN have submitted a PR that criminals could use to do bad things?

Security tools, encrypted messaging, jailbreaking tools, VPNs, file hosting tools, anonymity tools...etc.

The complaint itself cites 'writing instructions on how to use a VPN' as evidence that the developers were knowingly doing something criminal. A VPN!

You might hate crypto and believe that open source private money is different than open source private messaging. But that is not what the government's ability to jail these developers hinges on. Any argument prosecutors are making here could be made (and in many countries has been made) about any of the tools I list above. To cheer this on is to throw the past 40 years of legal advocacy around privacy, encryption, and anticensorship tools in the trash.

(comment deleted)
You can't cherry pick that out of context, criminal indictments often cite things that can be ordinary. Buying duct tape isn't a crime, but it can be evidence of a kidnapping.

As far as I can tell these people created a business to profit off of money laundering, and they were helping teach people how to hide their identity.

Yes. We agree completely on the facts here. These people built a business to profit off the provision of online privacy, and as part of they were helping teach people how to preserve their online privacy.

Some people used their tool for money laundering, just as some people have surely used encrypted messaging and VPNs for theft, terrorism, child abuse, and other crimes.

The point is that online privacy always has significant legitimate, non-criminal use cases, and developers can have legitimate, non-criminal (noble, even) reasons for building for those use cases.

And the larger point is that, if we want to have tools that give us any meaningful online privacy, we must stand up for the developers that build such tools when they are (inevitably, perennially) accused of aiding criminals and terrorists.

The government is going to make the case not that a tool was made that could be used for money laundering, but that a tool was made to intentionally allow for money laundering. The former is not illegal, the latter is.

But regardless of intentions, not following KYC/AML rules is illegal.

> But regardless of intentions, not following KYC/AML rules is illegal.

KYC/AML rules are of questionable legitimacy themselves, IMHO.

With less and less of society allowing to pay in anonymous currency (i.e. cold hard cash), either because it's dropped for "security" (i.e. shop owners don't want to pay for security to make sure the cash ain't stolen) or because of legal requirements (see e.g. Italy limiting cash transactions to 5.000€ in value, or Germany requiring a notification if you pay more than 10.000€ in value for a car), and many people moving to card payments due to convenience, there will be no way to escape the dragnet of governmental and private surveillance as all bank accounts are identifiable per KYC/AML regulations and virtually all banks report all account holders to Equifax and the other credit bureaus so to find out where a person banks is only a subpoena or a hack away. Oh, and completely forget about hiding legal but still sensitive payments: sex work of all kinds, political engagement, everything becomes yet another line in a trove of data lakes.

And that doesn't even touch the subject of card processing fees. Mastercard and Visa are rent-seekers of the worst kind, and no one seems to be willing to break them up or cap their fees, with PayPal close behind. Instead, everyone looks away when they cave to Evangelical pressure campaigns and drop sex workers left and right.

KYC/AML regulations deserve to be torn apart, and the people deserve privacy in their lives. Or, alternatively, we should force elected officials to open up their bank accounts to the public. If we can't have privacy, they certainly don't deserve it either.

You're making an argument about what the law should be. In many ways, I'm very sympathetic to those arguments.

But that's not what the law is, and law enforcement agencies as well as the court system only deal with what the law actually is.

You can (and should!) agitate and work towards changing the law to be more in line with what you think is right. That's the sort of change that is entirely possible in our system. But until then, the law is what the law is.

These are federal conspiracy counts. Overt acts don't need to be crimes, they just need to be proof of the furtherance of a criminal conspiracy.

Making a crowbar isn't illegal. Buying a crowbar isn't illegal. Emailing your buddy and talking about how you're going to bust up a person and their shop because they aren't paying you protection money, then making or buying the crowbars? That could be evidence of an overt act in furtherance of a criminal conspiracy.

That example reminds me of some follow-on commentary:

> And the only thing I would add is a few other scenarios. The third scenario: A person says to themselves "I'm going to go out and buy a crowbar to [...]" and then I go out and buy a crowbar. Still not a crime because there's no conspiracy, i.e. an agreement with another person.

> [...] And then there's the fourth scenario: A person says to themselves "I'm going to go out and buy a crowbar to [...]", buys the crowbar, and and then actually starts hitting people [...] Now there's still no conspiracy, but you've taken a substantial step towards the crime and and likely completed the crime and you're guilty of the initial crime.

[0] https://www.youtube.com/watch?v=SbIhNmoZLJQ&t=3m00s

The indictment says they knew they were laundering proceeds of a specific hack, by a specific group.

See page 24

Not "they created a tool and it got misused" but instead "these specific criminally sanctioned folks are using our tool to launder 600 million dollars, and we know, should we do something about that?"

Their messages back up that they know it was being used in a specific instance, by criminals, to launder money, and they did nothing.

Sorry, no sympathy. I'm with you that we need to ensure tools are available, and i'm even okay arguing about KYC/etc.

But when you have specific, actual, knowledge that a criminal actor is using your tool to launder money, and you do nothing, sorry, that's just aiding and abetting.

The smart contracts are immutable nobody can change them including the devs. When prosecution says "did nothing" they should probably mention that it was not technically possible to do anything productive.
You seem to think this matters, but the charges are conspiracy, so it in fact, does not. Their part of the conspiracy was already complete, whether they could do anything or not.

If you create parts for a bomb and hand them to someone else, knowing they are likely to use it as a bomb, and they in fact do, you are as guilty of conspiracy as the actual bomber.

Your crime was complete when you gave them the parts, which is an overt act (some act in furtherance of the conspiracy).

(Unlike the typical gun analogies that get brought up in response, i'm choosing something that does not have a legitimate purpose and is in fact illegal to create as-is)

If you create a thing in the US that is required to comply with KYC/AML and don't, and someone users it to launder, and you know they use it to launder, you are still guilty even if you couldn't stop them from using it.

Again, your crime is complete at the point you complete an overt act .

You have to withdraw from the conspiracy before then.

Here, the government is charging them for the website, mainly, not the smart contracts

If the government has records that you wrote a service that specifically violates the law, that you contemplated a change that would make it compliant but didn’t because your customers won’t use it, they are right to charge you with a crime.

I’m a privacy advocate, who thinks kyc laws have gone too far. But if you knowingly break a law you can’t cite the unjustness of that law unless you are engaged in an act of civil disobedience. Profits will suffer is not civil disobedience.

When Signal becomes illegal in, say, the UK, will you support the extradition of Signal developers to the UK simply because they're knowingly breaking the law? At what point does it matter what's right?
What about the GP's comment implies that they support extraditing people to foreign countries?
Signal is threatening to leave jurisdictions where they become illegal rather than comply. They're not threatening to keep operating in violation of the law.
What does "leaving a jurisdiction" mean? Can Tornado Cash "leave the US jurisdiction" as well and will then be left alone?

Will you support the UK if they ask for the extradition of Signal developers, on the basis that say Signal will continue to have UK users accessing their service?

Where are your values?

> What does "leaving a jurisdiction" mean? Can Tornado Cash "leave the US jurisdiction" as well and will then be left alone?

You can - by not being inside the US, doing proper KYC and rejecting US customers.

> You can - by not being inside the US, doing proper KYC and rejecting US customers.

Looking forward to doing KYC on my Signal account then.

(comment deleted)
They're not being charged with "writing a service", because writing software isn't illegal no matter what it does.

They're being charged with operating a service. Which they may very well have done. It sounds like they were at least running the front end user interface stuff, and that might be enough.

But what makes it interesting is that the real core parts of the whole system were (and still are) autonomous. Those contracts could (and still can) be used without them doing anything at all. So they were not operating those. And it's not so obvious that there is any settled law that applies to those core contracts.

The government has records (presumably electronic) of the charged individuals making a specific decision not to be compliant to improve their profits. It’s hard to see any precedent being set by that other than “don’t run explicitly illegal services”.
(comment deleted)
> The complaint itself cites 'writing instructions on how to use a VPN' as evidence that the developers were knowingly doing something criminal. A VPN!

Do you have a link and paragraph number for this quote? I searched in the press release [0] and OCR'd the indictment [1] and can't find any match to any part of that quote ("VPN", "writing", or "instructions"). I also can't find any match for that quote anywhere on Google.

[0] https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-c...

[1] https://www.justice.gov/media/1311391/dl?inline

> The complaint itself cites 'writing instructions on how to use a VPN' as evidence that the developers were knowingly doing something criminal. A VPN!

As if the modus oparendi of sketchy crypto sites wasn't shouting off the rooftops "You can't use this site cause we detected a US IP we don't do business with US citizens. BTW, here's how to use a VPN!"

They didn't "just" send a PR or "just" write some code, they made a financial tool which earned them millions while ignoring regulations for these type of financial tools. No one who sent a PR was arrested or even investigated: just the people running Tornado. This has been pointed out time and time again.

Crypto wants to be taken serious as a financial tool. Okay, fine. This also means you have to follow the same rule as anyone else.

Don't like these rules? Fine, you're allowed to – we have a democratic process for changing that so go vote, lobby, etc. Remember the 2008 banking crisis? There are reasons these regulations exist.

Banks get fined for these types of things all the time too: https://duckduckgo.com/?t=ffab&q=bank+fined+money+laundering... – crypto isn't being singled out here.

If you knowingly ignore the laws for personal profit you can expect consequences like this. Cryptopeople want to live in some sort of magical fantasy world where they both want to interact with real money and the financial markets when it suits them, but also pretend specific laws and rules for it don't apply to them when they're inconvenient. All while they're lining their pockets of course. Maybe this world has unicorns and dragons and teletubbies too.

> They didn't "just" send a PR or "just" write some code, they made a financial tool which earned them millions while ignoring regulations for these type of financial tools. No one who sent a PR was arrested or even investigated: just the people running Tornado. This has been pointed out time and time again.

Since TC is still running with both guys in jail, they clearly weren't "running it" - but the Ethereum node operators are. Should they be arrested? Are you answering this question as a laywer, or as citizen engaged in the democratic process telling me what you feel the law should be?

They were developing it and making money from it, so that's "running it" by all but the most boring pedantic definition.

Ethereum is a protocol and a tool, which Tornado used it to knowingly profit from illegal transactions. Ethereum is somewhat akin (not identical) to USD, and Tornado somewhat akin to a bank operating with USD outside of the law.

I was unaware I need to get a university law degree before commenting here.

Laws are all about boring pedantic definitions. And when you talk about what counts as ignoring laws, or about what consequences people "can expect", those definitions matter.
I am obviously not argueing this case in court here, and expecting the same standard from random HN commentors is not reasonable. The basic facts from my previous comment are accurate and have been widely reported for a long time, and it's pretty clear what's intended. Trying to nitpick on the exact language as some form of "rebuke" is not exactly constructive.
> Ethereum is somewhat akin (not identical) to USD, and Tornado somewhat akin to a bank operating with USD outside of the law.

Many people are arguing that Ethereum node operators should be on the hook when they facilitate Tornado Cash transactions through their participation on the network. I'm glad we can count on your support should such arguments ever be pursued legally. Thank you.

It's a far cry from what some members of the tech community did when the government was trying to restrict code and cryptography in the 1990s. People were tattooing perl scripts onto their bodies in order to protest the restrictions. God forbid people break the law to protest bad laws.

"How to become an Arms Trafficker

Become an Arms-Trafficker in one easy step with this great way to register your protest of ITAR by Vince Cate. Just click to submit the form and join in the protest. Lots of excellent links. Have you exported RSA today? Includes an option to email a protest letter to US president." [0]

[0] http://www.cypherspace.org/adam/rsa/

> It's a far cry from what some members of the tech community did when the government was trying to restrict code and cryptography in the 1990s.

So? All that means is that there were people who thought that was a just fight and don't think that this is a just fight.

> God forbid people break the law to protest bad laws.

That's a legitimate form of protest and I won't condemn it. But when you break a law out of protest, you are still subject to arrest and prosecution for doing that. And often, that's the result you actively want because it brings attention to your cause and gives you a platform to argue the injustice in court.

That said, it doesn't look to me like the accused here were engaging in civil disobedience. It looks like they were pursuing profit.

Seems like it wasn't writing and giving away the tool but running it as a service? I don't know the facts here, was it OSS as well a service?
Not only open source, also deployed as a smart contact on the Ethereum blockchain.

It’s possible to deploy a smart contract with no way to modify it, meaning it’s literally impossible to shutdown (without shutting down the entire network). This is rare, most dev teams retain admin keys and compose the smart contact components from additional layers of abstraction to allow for updates. But those admin keys typically also allow the possessor to abscond with all funds locked in the contracts (a rugpull).

My understanding is Tornado Cash eventually added a limited form of KYC to the frontend web UI. That’s simply a convenient interface to use the smart contract though, and it’s possible to interact with the smart contact directly (where there’s no KYC).

Crypto’s still alive. The grifters get indicted, the greedy pivot to AI and only the true believers will remain.

And they’re building, and they’ll keep building, and a more open financial system will be built.

It might take decades but it will happen.

Anyone who thinks they deserve to be charged or punished in any way is a Mr Smith tier agent, those are developers, their software was used for money laundering, did they host it? Who cares? Lockheed Martin knows the shit they make and sell to X or Y country is used to kill people, no one cares about that, HSBC launders cartel money and whenever they get found they get a tap on the wrist, etc.

But hey, by now it's obvious totalitarianism is coming back and is probably here to stay.

One of the biggest users of Tornado Cash was Vitalik. He was not using it as a criminal, so there are some valid use cases outside of criminal behavior.
I find it insane that they chose to reveal their real identities. Despite building a tool ostensibly for preserving privacy they were extremely negligent about their own. They must be incredibly naive to think they wouldn't immediately be under intense scrutiny from LEOs.

I also find it insane that they had investors (who somehow remain unnamed and uncharged???).