
Liability, Privacy, and an Arrested Developer: The Ongoing Case of Tornado Cash

The recent events surrounding Tornado Cash were centred in the U.S. and the Netherlands. Nevertheless, they are relevant worldwide and showcase how emerging technology, autonomous technology in particular, makes rethinking what liability and privacy mean a constant work in progress.

Tornado Cash is a privacy tool that allows crypto-currency users to send and receive crypto-currencies anonymously. Technically speaking, it is an Ethereum-based crypto mixing service that overcomes the transparency of Ethereum’s transaction history by concealing the link between the origin and destination of the cryptocurrencies.

Tornado Cash was launched in August 2019 and was developed as a project by more than a thousand contributors. In May 2020, the open source code was audited and the contributors collectively turned it into a permissionless blockchain protocol, i.e. code that is automatically executed and cannot be changed. While the Tornado Cash protocol was available for execution over the blockchain, decisions about the project were left to be collectively managed by its DAO (decentralized autonomous organization).

Fast forward to August 8, 2022: the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions against Tornado Cash and those who transact with it. OFAC added Tornado Cash’s website and Ethereum blockchain addresses to the ‘Specially Designated Nationals and Blocked Persons List’. The rationale: this cryptocurrency mixer concealed the origin of illicit financial activities, such as the $455 million stolen by the infamous North Korea-sponsored hackers, Lazarus Group. Overall, 7 billion USD worth of cryptocurrencies were laundered (however, a leading blockchain analytics firm estimates it to be 1.5 billion). By placing Tornado Cash on its blocklist, OFAC banned Americans from legally interacting with it.

To make the story more complex, a day after the sanctions were declared, an anonymous user performed a dusting attack – i.e. transferring a small amount of crypto-currency (‘dust’) a large number of times, to a large number of crypto-wallets. The attacker transferred, through Tornado Cash, 0.01 ETH (~20 USD at the time) to 600 different Ethereum addresses. Some of the crypto-wallets that received the dust belonged to high-profile figures, such as Jimmy Fallon and Brian Armstrong, and were held in law-abiding exchanges. 

This act caused much trouble. To comply with the new OFAC regulations, the exchanges had to systematically block wallets that received transactions from the sanctioned Tornado Cash. Those who received a transaction from the blocklisted addresses discovered their wallets were banned, although they had not done anything wrong. This dusting attack revealed the absurdity of violating OFAC’s sanctions.

The dust had not yet settled when, a day later, on August 10, the Dutch Fiscal Information and Investigation Service (FIOD) arrested one of Tornado Cash’s leading developers, Alexey Pertsev. According to FIOD, he is suspected of “involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralised Ethereum mixing service Tornado Cash”. His arrest fueled protests, placing privacy and open source development under fire. A request for bail was rejected, and a judge set a 90-day limit for an initial public hearing to take place. Since then, it has been speculated that the arrest might have been related to issues of Russian espionage.

Novel Issues of Liability, Open Source, and Privacy

This series of events raised several ‘game changer’ issues. First, Tornado Cash is not an individual or corporation with human executives, but lines of code. It is a precedent that technology, rather than a legal entity, was placed under sanctions. Some cryptocurrency investors, funded by the cryptocurrency exchange Coinbase, sued the Treasury Department based on its failure to distinguish between people and code.

Some places in the U.S., such as Wyoming, Vermont, and Tennessee, have already approved DAOs and similar structures as legal fiction entities. However, following the sanctioning of technology, rather than a legal entity, questions about liability arise: under which conditions can technology be ascribed as a legal entity? Can that be done retrospectively? Who can actually exercise control (and therefore be liable) when the technology is autonomous or when so many stakeholders are involved?

Second, the arrest of Alexey Pertsev, a precedent too, raises questions about the liability of developers in open source projects. What if a project is used by bad actors? How many lines of code will render a programmer liable? To what extent can code be considered free speech? Are there things you are not allowed to say, or code, in public? What implications will this precedent have on the future development of technologies?

Lastly, there is the issue of privacy. Cyber-criminals may use cryptocurrency mixers to launder stolen funds, ransom, and other illegal sources of money. However, these mixers also have a very legitimate use: they preserve the privacy of their users by protecting their anonymity. Perhaps the most straightforward argument is that people want privacy simply because they want privacy. Similar to why we close bathroom doors or don’t share email passwords even if we ‘don’t have anything to hide’, people don’t want their entire financial history to be transparent to others. This is especially true when corporations and governments are involved.

Financial information of activists in authoritarian regimes could get them jailed or executed. For example, Tornado Cash was used by donors to give to Ukrainian humanitarian groups without potentially exposing themselves to the Russian authorities. However, even citizens under democratic governments might not want the Russian authorities to have details of these transactions. In this respect, Ethereum founder Vitalik Buterin doxxed himself as someone who used Tornado Cash for this cause.

Placing the events of Tornado Cash in the context of digital money development, whether cryptocurrencies or digital legal tenders, the issue of maintaining anti-money-laundering and counter-terrorism-financing regulations that preserve privacy will surely surface. The ability of others to access one’s financial information in the age of digital money has crucial implications for financial privacy. The concern here is not only about privacy but also about preserving financial autonomy, and democracy.

The events of Tornado Cash are still ongoing. Nevertheless, we have already been surprised by the sanctioning of technology rather than people and organizations, the arrest of the developer, and the tension between preserving privacy and fighting money laundering. These issues give us an additional glimpse of how technology challenges and changes our social fabric and prove, once again, that the meanings of liability and privacy are changing.
