Cryptocurrency has been a godsend for cybercriminals, enabling them to profit from ransomware, launder money, and move stolen funds internationally with impunity. In many cases, unless those criminals are careless or based in a country that takes policing cybercrime seriously, there’s no way to get that money back once it’s gone. But U.S. law enforcement is now focused on stopping those illegal cryptocurrency transfers from occurring, rather than trying to deal with them after the fact.
These efforts have just been given a major boost. In August, a court in Texas ruled that the U.S. government could sanction not just cryptocurrency wallets or exchanges, but also an open-source cryptocurrency mixer called Tornado Cash that had been used to cloak more than $7 billion in illicit transactions since its founding in 2019. This is part of a larger U.S. strategy to prevent cryptocurrency-enabled cybercrimes by targeting the underlying cryptocurrency infrastructure that criminals rely on—a strategy that represents a pretty significant departure from the government’s earlier efforts.
In November 2018, the Treasury sanctioned digital currency wallet addresses for the first time as part of its measures directed at two Iranian individuals who helped convert extortion payments made as part of the SamSam ransomware attacks. But the Treasury quickly learned that sanctioning specific wallet addresses was not a terribly effective way of blocking payments to criminals—they could set up new wallets, with new addresses, just as fast as (in fact, much faster than) the Treasury could detect and sanction them.
While it was relatively easy for criminals to create new wallets, it wasn’t as easy for them to find new exchanges to process their transactions and convert their stolen cryptocurrency to fiat currency. Many exchanges, especially in countries where cryptocurrency is regulated to some extent, keep records of the transactions they process, require that their customers provide them with some identification when they convert currency, or have limits on how much currency can be converted at one time.
However, there were still exchanges willing to do business with criminals. In September 2021, the Treasury Department sanctioned a cryptocurrency exchange called SUEX that was widely used by criminals to process transactions (according to the Treasury’s analysis, more than 40 percent of SUEX’s transactions were associated with illicit actors).
The Treasury then decided to go after the infrastructure that criminals use to cloak their funds and make them harder to trace. It turned its focus toward cryptocurrency mixers, which allow users to mix and intermingle their stolen funds in a way that makes it much more difficult to link specific cryptocurrency payments to a specific origin account or wallet. And so in August 2022, the Treasury announced that it would sanction its first mixer, Tornado Cash, which it had determined was heavily used by criminals, including the state-sponsored North Korean Lazarus Group responsible for the 2014 Sony Pictures breach and the 2017 WannaCry ransomware campaign, among many other high-profile cyberattacks.
But sanctioning a mixer protocol was not exactly the same as sanctioning a specific cryptocurrency wallet address or a particular exchange. Unlike an exchange, Tornado Cash was not a formal company—it was, essentially, some open-source code on GitHub that anyone could use to mix their cryptocurrency, and was loosely developed and maintained by a “decentralized autonomous organization”—also called a DAO—which security researcher Nicholas Weaver described as “basically a corporation that doesn’t bother to do the paperwork to gain the legal protections of a corporation.”
When the Treasury Department announced the sanctions, Tornado Cash was immediately pulled down from GitHub. This alarmed not just cybercriminals but also some internet freedom advocates and cryptocurrency exchanges who were worried about the future of their industry and questioned whether the government was free to simply remove any cryptocurrency protocol it didn’t like from the internet. Coinbase, a popular U.S. cryptocurrency exchange, even funded a lawsuit against the Treasury, challenging the sanctions on the grounds that a DAO couldn’t be sanctioned because it wasn’t a formal company, and arguing that removing the code from GitHub prevented people from making cryptocurrency donations and also constituted a First Amendment violation by forcing the deletion of online speech (in this case, code).
The Treasury tried to allay these concerns by clarifying that even though the sanctions forbade conducting transactions using Tornado Cash, they didn’t prevent people from viewing or interacting with the code for the protocol. That clarification didn’t satisfy everyone, especially since it came after the code had already been taken down. The Electronic Frontier Foundation, for example, advocated for the government to have said “at the outset” that its sanctions “would not be applied to the open-source project hosted on GitHub” and would instead “only be applied to actual transactions, not the publication of the code itself.”
But for Judge Robert Pitman, who ruled on the Coinbase-funded case against the Treasury, there was no First Amendment problem with the sanctions of Tornado Cash. For one thing, Pitman pointed out, people could still use other services to “make donations to important political and social causes.” And for another, the Treasury had already stated that its sanctions would “not restrict interaction with the open-source code unless these interactions amount to a transaction.” That meant that people could “lawfully analyze the code and use it to teach cryptocurrency concepts,” Pitman said, so long as they did not “execute it and use it to conduct cryptocurrency transactions.”
As for the argument that Tornado Cash couldn’t be sanctioned because it was operated by a DAO rather than a centralized organization, Pitman pointed out that it wasn’t terribly convincing given that the DAO was capable of doing many of the same things as a company, including placing job advertisements and paying contributors to the code base.
The Treasury has an uphill battle ahead—Coinbase’s chief legal officer, Paul Grewal, has already said the company will support an appeal of Pitman’s ruling—but the ruling is still a desperately needed win. It’s a positive sign that the government is likely to have a fair bit of leeway when it comes to trying to police not just cryptocurrency wallets and companies, but also the more amorphous, loosely organized networks of people supporting protocols and projects that have the ability to do billions of dollars’ worth of damage.