Treasury sanctions Tornado Cash for money laundering

Open-source software protocol for virtual-currency mixer at issue in money-laundering sanction action

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced on Aug. 8 that it had sanctioned virtual currency mixer Tornado Cash, which it described as “notorious.” This action, according to Wall Street Journal reporting, amounts to a sanctioning of open-source software protocols, i.e. computer code.

Cryto-industry advocates quoted in the Journal reporting assert that this sanctioning of what amounts to computer code is unprecedented and may put the industry at risk. Previously, U.S. Treasury sanctions focused on crypto-wallet addresses and centralized services.

Treasury: Tornado Cash a major facilitator of money laundering

 According to the U.S. Treasury, Tornado Cash has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the U.S. in 2019, in the largest known virtual currency heist to date.

The U.S. Treasury also asserts that Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022 Nomad Heist. Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as amended, and follows OFAC’s May 6, 2022 designation of virtual currency mixer Blender.io (Blender).

“Today, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”

Virtual-currency mixers and similar often provide cover for illicit activity

According to its official press release, Treasury has worked to expose components of the virtual currency ecosystem, like Tornado Cash and Blender.io, that cybercriminals use to obfuscate the proceeds from illicit cyber activity and other crimes. While most virtual currency activity is licit, it can be used for illicit activity, including sanctions evasion through mixers, peer-to-peer exchangers, darknet markets, and exchanges. This includes the facilitation of heists, ransomware schemes, fraud, and other cybercrimes.

The Treasury Department describes Tornado Cash (Tornado) as a virtual currency mixer that operates on the Ethereum blockchain and indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin. Tornado receives a variety of transactions and mixes them together before transmitting them to their individual recipients. While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists.

____________________

Logo for RegTech One--RegTech Platform for AML/KYC and GRC

Governance, Risk, and Compliance: Software solutions that transform results, costs

AML Partners designs GRC and AML software solutions that transform the work of Governance, Risk, and Compliance. With AML Partners’ platform technology for RegTech, AML and GRC software solutions are easier, faster, and so much more efficient.  With extraordinary configurability and built for API extensibility and Business Intelligence, the RegTech One platform powers a range of AML/KYC tools but also CECL workflows, vendor management, cyber risk workflows, FCPA workflows, and so much more. RegTech One: For your institution’s Network of Applications and Ecosystem of Permissioned Data. Contact us today for more information and to schedule a Proof of Concept demonstration.