Does OFAC Really Know What They’re Doing? A War On Crypto And Privacy
This month, we witnessed one of the most significant attacks on crypto privacy in the form of the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioning Tornado Cash. This led to protocols blocking addresses, funds being seized, and one of the Tornado Cash developers being arrested. The action was unprecedented, given that it was the first time we have effectively had sanctions placed on a piece of open-source software – essentially, restrictions on lines of code.
For those unfamiliar with Tornado Cash, it has long been one of the most well-known mixing protocols on Ethereum. What it would essentially do is obfuscate or camouflage transaction history. This means it would anonymize transactions and remove all traces of where funds originated. Thousands of people used this privacy tool in the Defi space.
Unfortunately, it was also used for laundering the proceeds of cybercrime, which is the use case the Treasury focused on, stating that Tornado was a favorite tool of North Korean hackers and had been used to launder more than $7 billion.
The moment Tornado was sanctioned, its website was taken down, and the code disappeared from GitHub. Not only that, but one of the contributors had his GitHub account banned. Circle blacklisted any USDC in the affected wallets, and RPC providers such as Infuror and Alchemy started blocking requests to Tornado Cash Smart contracts.
Additionally, some decentralized applications also began to restrict access to their front ends for wallets that had interacted with the Tornado Cash Smart contract. For example, both Aave and dYdx reported blocking access from wallets that had interacted with Tornado Cash and even those that had received funds from it. Regarding dYdx, users who had insignificant amounts but were associated with Tornado Cash in the past were also blocked.
Dusting Celebrity Wallets Gag
Things were further complicated because someone in the community started dusting several public ETH addresses of celebrities in the space. In other words, they sent many small transactions to hundreds of known wallets associated with ETH addresses and their .ens official addresses.
The likes of Brian Armstrong, Jimmy Fallon, and Steve Aoki were potentially committing sanctions violations by appearing to be doing business with a sanctioned protocol. What's even crazier than that is that some of those users who were subjected to the dusting found that they could not interact with Aave’s front end. These included the likes of Anthony Cesano and Justin Sun.
The gag effectively points out the absurdity of such sanctions for users receiving funds from blacklisted addresses that they have no power to decline. The open nature of crypto is designed to cut out intermediaries, unlike the traditional financial sector that would use banks and other financial institutions to act as gatekeepers against such transactions.
Image source: eff.org
Is Code Fundamentally Free Speech?
Perhaps the most chilling development, at least so far, was the arrest by Dutch police of one of Tornado Cash’s developers. Alexey Pertsev was picked up by the Dutch Fiscal Information and Investigation Service (FIOD) two days after Tornado Cash was sanctioned. The Dutch police have yet to clarify which exact rules Pertsev broke, but if it's just because he wrote some code, this is a dangerous precedent for several reasons. Furthermore, he is still detained and forbidden from communicating with his wife.
The first thing we need to ask ourselves, however, is whether these actions by the treasury were legal. It is the first time that the treasury has effectively sanctioned a tool, a piece of Open Source Code that exists on the Ethereum Blockchain and which can be used by anyone for any purpose, albeit good or bad. Given that it is open source, that means it is akin to the likes of a public good.
So that could be comparable to a road or a park; it would be as if OFAC were to sanction the use of an interstate highway because drug dealers drive on it. Or a more relevant example would be the treasury sanctioning the TCP IP protocol because hackers use the internet for hacking: It's impractical.
Moreover, just because a tool is sanctioned does not mean that the criminals will not use it. That's because criminals, by definition, have zero consideration for the law; they're likely to continue using the Smart contract as they see fit. Then there is the fundamental question of whether sanctioning a piece of code violates the First Amendment.
To put it in perspective, thanks to a 1996 case Bernstein versus the DOJ, it's been established that code should be considered as speech, and if it is indeed speech, then it should be protected by the First Amendment. By sanctioning this tool, the treasury effectively says that speech itself is illegal.
Now there is a real possibility that should someone want to challenge these sanctions, they could have a strong case in court. The Coin Center lobbying group is doing just that and believes the Treasury has overstepped its legal authority. The group wants to engage with OFAC to share their thoughts and will be exploring with counsel a court challenge. Additionally, they have had inquiries from members of Congress about the situation and are keeping the interested parties briefed on the matter.
Furthermore, if, indeed, the only thing the developer did was write code, then that could also be seen as a violation of free speech. But if any legal challenges are mounted, they will take a long time to settle. Until then, the sanctions will have to be enforced, which means that specific Defi projects and protocols will continue blacklisting the Smart contract for fear of arrest.
What Are The Practical Issues?
Apart from the legal aspect, there is a practical consideration for how this will be enforced. Remember, criminals will be criminals, and they will continue to use it. The code is open source and free to fork. Should that happen, the treasury will ultimately be playing whack-a-mole with a bunch of newly deployed Smart contracts.
Not only that but those other crypto projects and protocols will also have to monitor not only the funds coming from the original Tornado Cash Smart contract but also from all the forked ones. This could quickly become a logistical impossibility, and projects will always have to worry whether any ETH they handle has gone through a forked version of the original Tornado Cash.
And speaking of which, there's also the broader question around who could technically find themselves violating OFAC rules due to these sanctions.
If someone sends ETH from the Tornado contract to you, does that mean you are in violation? I mean, it's not like you can refuse to receive it. As we saw with those dusting attacks, protocols themselves have started blocking some of these dusted addresses. Could the Feds start going after any of those wallets that have received Tornado-tainted ETH? Could we soon see Jimmy Fallon dragged away in handcuffs?
It's not even about addresses that have received funds. What about liquidity providers on a DEX? What happens if they unknowingly convert ETH that has been through Tornado Cash into some other cryptocurrency? Are they thus engaging with sanctioned entities?
What about Ethereum miners? What liability did they have if they were to propagate a block that included a Tornado Cash transaction? Does that mean that they could also be flirting with illegality? Or how about that ETH that is sent to the ETH2.0 staking contract? What would that mean for Ethereum’s Proof-of-Stake?
What happens once the transition to proof of stake is complete? Will validators have to decide to censor certain transactions that their jurisdiction deems illegal? Could they get censored? So you can see how quickly this grows out of control. The crypto space has just seen a massive can of worms open up right in front of it.
Now, of course, there will be some who claim that these actions are justified. Swiped funds from some of the most high-profile crypto hacks of the past two years have gone through Tornado. This was seen in the wake of the $100 million Harmony hack a few weeks ago.
Why Do We Want Privacy?
Many people have been asking whether there are any legitimate use cases for Tornado Cash, a tool designed specifically for privacy. Essentially this all comes down to the broader question of why someone would want to have financial privacy in the first place. As the old saying goes, “why do you worry if you have nothing to hide?”
Well, for plenty of reasons; firstly, because blockchains are public and transparent, everyone can see exactly what your wallets are doing and what you could be buying or investing. This is not the case with traditional finance, where your bank account balances and spending habits aren't public. The moment they are public, and someone can attach them to your IRL identity, it opens you up to potential physical harm if criminals ever want access to your crypto.
Or perhaps you wanted to donate crypto to a cause that may get you into serious trouble in your country. For example, what happens if you were a citizen of Iran or Venezuela who wanted to donate to a journalist or newspaper that the government didn't like? Blockchain is immutable; you’d live in constant fear of being placed on a list of some kind.
Or how about if you were a Russian who wanted to donate to Ukraine, not something you would like the FSB to know about? On the flip side, you could be a Ukrainian refugee wishing to hide where you are getting your donations from. This is something that Vitalik Buterin himself highlighted earlier this year when he donated to the country.
Beyond such high stakes implications, it could also just be a situation where you don't want people you interact with on-chain to know what you do with your money. For example, let's assume that you get paid in crypto. That means your employer can see exactly what you do with that money and what you're buying.
Or perhaps you're buying something from an online Merchant, and you don't want them to know what else you've been spending the money on or how much you have; just imagine the targeted advertising coming your way. Ironically this would be much easier to achieve when paying with a wholly open and permissionless form of money.
These are reasons why someone would want to anonymize their transaction history. Some might say you could just use a centralized exchange; however, the whole point of the decentralized and censorship-resistant currency is that you don't have to rely on a centralized gatekeeper. Moreover, some people are just not comfortable having others holding their private keys, and can you blame them?
OFAC’s False Press Release
In its press release, it was also pretty disingenuous for the Treasury to claim that $7 billion was laundered through Tornado Cash. That was the total volume of transactions, many of which would have been for such perfectly legitimate reasons.
In fact, according to stats from Chain Analysis, only about 17% of the funds that flow through the protocol were tied to sanctioned activity. The vast majority, 50%, was related to DefI activities. That means that these users were thrown into the laundering bucket by the Treasury when all they were really doing was trying to anonymize their funds.
Image Source: Chain Analysis
First Crypto War Had Net Positive Result
So this raises the question of what all this means for crypto privacy and also privacy in general. It's pretty clear that privacy is under attack, albeit this move by the treasury was prompted by concerns around the North Korean hacking. Still, this radical approach by the Treasury is so nonspecific for what it's trying to achieve that you have to wonder whether the folks at OFAC gave any thought to collateral damage.
Many have drawn parallels with the early Crypto Wars, for example. For unfamiliar people, this was when the US government arrested Phil Zimmerman, a developer who distributed PGP cryptography online. They accused him of “munitions export, without a license.”
They contended that his PGP encryption system was a weapon that adversaries could use. Really? It would seem they don’t consider that any citizen wants and has a right to privacy. Only criminals and enemy governments would want to encrypt their communications.
Well, it turned out that there were many practical uses for encryption online, and various encryption standards have helped power the multibillion-dollar e-commerce revolution we've experienced over the last 20 years. What was initially considered a way to hide state secrets has allowed legal commerce to thrive.
Many have also wondered why Tornado Cash got hit and not other well-known crypto projects, like Monero. Virtual mixers seem to be viewed with much more suspicion than privacy-by-default currencies. People could see on-chain how the Lazarus group was laundering its funds through the tool. This isn't something that you can easily observe with Monero.
Moreover, the sheer volume of funds running through Tornado Cash made it a prime target, but this doesn't mean Monero isn't being studied and tracked. There may well be a robust state-backed effort to crack the ring signature technology for which Monero is famous. This is perhaps one of the reasons why the Monero developers pushed through some new upgrades to the protocol only recently.
Crypto And Congress Take A Stand
There has been a genuine outcry from the crypto industry arguing that the Treasury Department’s actions to shut the Tornado Cash could be “unconstitutional” as people have a right to privacy.
Abraham Piha, co-founder, and CEO of Web3-focused firm Tomi, told Cointelegraph,
“Tornado existed only because most blockchains were not private enough. If successive updates of Ethereum or Bitcoin include protocol integrations like Mimblewimble, will the next step be to block them as well? This act is yet another reason to push for Web3, a free web, controlled by users and not by some big brother governments.”
Kenny Li, co-founder and core developer for Manta Network, a privacy-preservation protocol, said that the Treasury’s decision to sanction Tornado Cash is far-fetched and extreme, even though, in the past, specific individual crypto wallet addresses have been subject to the same treatment. But in most cases, he said, there was a clear case of fraud, hacks, or a Ponzi scheme:
“In this case, smart contract addresses are being blacklisted. Smart contracts aren’t people. Not only that, but people forget that Tornado Cash is a protocol, not a person or an entity, which means it will continue to run regardless of the sanctions. It is time that we realize privacy and anonymity aren’t the same, and Web3 is all about privacy.”
Additionally, some Congress members are standing up, demanding an explanation from OFAC. Specifically, United States Congressman Tom Emmer sent a four-page letter to Treasury Secretary Janet Yellen regarding the unprecedented sanctioning of Tornado Cash.
He posed a series of questions that sought to clarify the position of the Treasury Department’s OFAC. They were practical questions noting that Tornado Cash is a collection of several Ethereum Smart contract addresses that are not controlled by an individual or entity.
Emmer asked what persons could be associated with those addresses and:
“Given that the Tornado Cash back-end will operate unchanged […] as long as the Ethereum network continues to operate, who or what entity did OFAC believe was reasonably responsible for imposing controls on the Tornado Cash blockchain contracts?”
Emmer posted the full letter on Twitter, stating that the growing adoption of decentralized technology would certainly raise new challenges for OFAC. Nonetheless, technology is neutral, and the expectation of privacy is normal.
Firstly, I dare say we can all agree that those who engage in criminality should be brought down. The laundering of ill-gotten gains, be it through a bank account or a Defi protocol, should be prosecuted to the full extent of the law.
Those wallets linked to criminal activity should also be sanctioned and flagged. This is precisely what the treasury did before the Tornado Cash sanctions were imposed. And it's not as though this approach wasn't enjoying some success. Thanks to some pretty advanced tools and tracking services, law enforcement can catch such miscreants more effectively than they could in the past.
They also have the power of subpoenas and search warrants. They simply didn't need to take this action against Tornado Cash. The collateral damage resulted in a loss of privacy for some and a massive disruption for all in the Defi space.
As for those North Korean hackers, they'll switch to one of the other 100 or so laundering techniques they were using long before Tornado started operating. Moreover, given that tornado cash is nothing but code, it'll be hard to outlaw permanently; it'll be a game of whack-a-mole. It won't have the desired effect. And the collateral damage is already permeating the crypto industry.
These actions also raise legal questions. Is this a breach of the First Amendment, and what happens to any citizens who have used it in the past? Or anyone that interacts with it? It's a legal quandary, to say the least.
With legal challenges brewing, this could turn into a new crypto war. One, with a positive long-term impact, as we saw with the first crypto war. Or maybe the large centralized institutions will conform, and we’ll have a more amenable but less free crypto space. It does demonstrate how some developers will continue to embrace decentralization, and many of us as individuals will fight for our right to freedom and privacy.