The Blockpass Show - Adam Vaziri discusses “Tornado Cash Sanctioning”

August 2022

At Blockpass, we are reviving our regular podcasts about compliance and regulation in crypto and blockchain. This episode's participants include Adam Vaziri, Blockpass CEO, and Hans Lombardo, Blockpass CMO. The topic of discussion is the recent sanctions of Tornado Cash by the US Treasury Department's OFAC.

Hans : Hi, I am Hans Lombardo, co-founder and CMO of Blockpass. Happy to be the MC today for the revival of the Blockpass Show - our podcast about compliance and regulation in Crypto and Blockchain.I am here today with Blockpass co-founder and CEO Adam Vaziri. Hi Adam.

Adam: Hi.

Hans: Let me provide an introduction of our topic today, which is the infamous Tornado Cash. Then we will get started with some questions.

Last week the US Treasury Department’s Office of Foreign Assets Control (OFAC) did something that rocked the crypto world, already hit in recent months by the collapses of Luna token, Celsius Network, Voyager and others. The shocking news for many was OFAC sanctioning virtual currency mixer Tornado Cash.

OFAC stated that Tornado Cash “…has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the U.S. in 2019, in the largest known virtual currency heist to date. Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022 Nomad Heist. Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as amended, and follows OFAC’s May 6, 2022 designation of virtual currency mixer (Blender).” (

Hans: Adam, what is a crypto mixer? What happened in the case of Tornado Cash?

Adam: Sure, well, thanks everyone for being able to join us today on this. So there are some complicated details of course, and we will try to unpack them as best as we possibly can. The first question is, what is a mixer. In basic terms it is what it says on the tin. You put funds within this smart contract on a blockchain and those funds. You can then designate to transfer or deliver funds to another address But when the funds are delivered to another address, the source or the linkage to the original source is broken. And that operates in a very simple way in respect to Tornado Cash. There are people that put all of their money in a pool. And within that pool, everyone registers into this pool, and then people that put their money into the pool so it's USDC and other stable coins or Ether. They're then able to exit from another door and when they execute the other door, the transaction is happening from the pool to the exit so it breaks the linkage. Of course, if you go there deposit and then withdraw immediately, then you can somehow see the connection between the two but I mean even on the Tornado Cash website, it says please delay between making a deposit, making withdrawal. So it's actually relatively something simple technically, for a system like Ethereum. I mean simple in the sense of the basic logic. But the goal here is just to disseminate the origin of the funds.

Hans: So there's been an argument - a huge backlash from the crypto community crypto enthusiasts on social media, were saying that the sanctioning of Tornado Cash code falls under free speech protection laws. That it’s actually against free speech is what they were trying to argue quite vehemently. What do you think about that? Is this violation of free speech?

Adam: These are very kind of heated arguments in a sense, because obviously, it goes to what you believe in and people have certain different interpretations as to the extent of freedom of expression that people should be entitled to now. Technically, speaking, Tornado Cash is a piece of distributed software. It exists on the blockchain. So if we didn't have a blockchain, we've been on a server. And people that are interacting would just simply be connected with a server and it would then be running the code. And if that was the case, which was the case previously with the Silk Road, the FBI or government agencies will just shut down the server. But in the case of Tornado Cash, they have to take additional steps or change the approach in relation to that target. So in relation to Tornado Cash, because they cannot shut down server, the order was presented, that the actual, the mixing smart contract mechanism should be subject to sanctions, which essentially renders the tool useless, because it means that a legitimate user that wants to use the tool, which there are legitimate users, they do, or they did, they can't use it at all. Because if they do interact with the tool, then they are breaching sanctions. And for non legitimate users, it starts to become less interesting, because you can only really launder funds with other people that have clean funds. It only makes sense if other people that are willing to pool with you. It doesn't make sense basically if Tornado Cash is only used by criminals because then you can just track all the exits from for education. And you know, you can taint all of them. So that was a very innovative remedy that was produced presented. Now people have said, in the crypto community that this is an infringement free speech. But they haven't been very specific about it. First off, writing code could be an expression of free speech. I write code, like writing an article for publication to a large degree, the sharing of ideas, I think wisely speaking, people would not dispute that fact. However, to be more precise, Tornado Cash is not a bit of a piece of human language. Human language, as one may know, is compiled into machine language, which is ones and zeros. The machine language is running on the blockchain network, not someone's drafted JavaScript or whatever the language is that humans might use to code. So that first of all, that's just false claim to claim that the actual code itself is free speech, because it's not it's it's compiled application on a distributed system. It is, if it's anything, it is an object rather than an expression or expression of words. And then the other analogy here is that if you if you essentially prohibit people from using this object, I mean, you could say it's a tool, that by prohibiting that object from being used, you're inhibiting people's liberty. And but these are very broad claims, plenty they've been made. And it's very normal in any society, to not have an absolute freedom, such as the absolute right, to do everything that we would want to do. And that it's just a question of whether the interference of that right was just important proportionate to to what was being achieved. And that that is open for debate.

Hans: Could you also argue that the code actually there's a direct correlation between the code and what happens from the code where free speech is something that it could it's just like Donald Trump saying something that provokes people to do something that is very hard to say, to draw causation where the code, you could say, Okay, this code did this, it could cause a cascade on the internet or something like that. Right? It's a software bomb. And so, so in that sense, it's a bit different from speech. Would you agree with that?

Adam: Yeah, I mean, I, first of all, I just disagree that compiled code is speech. That's first thing. And then the second thing is the interference of people's right to use the code, which essentially, is what OFAC have done. They have said you are prohibited from interacting with this piece of code. By saying that, it means if anyone does interact, they're breaching sanctions. But the question really is whether that in intervention, is just and proportionate in the circumstances. And these are not like legal, technical terms, but it's a way of evaluating interferences in general of one's human rights. In this situation, you mentioned.. Yeah, it could be a ticking time bomb effectively, to just let them you know, do damage is, I mean, largely negligence, if you just sit there and observe this item, causing damage to other people's lives. And there are victims in this case, from the hacking attempts that have occurred, of course, and those those persons have to be borne in mind when, when thinking about what is the remedy. But we have to also know, of course, it has produced a really some unintended consequences, this action. So by saying, you cannot interact with this, the result has been some people have decided to use Tornado Cash to then send funds to bonafide participants as a kind of financial doxing in a way. You know, they call it dusting wallets, essentially. And the result of that is you now pass the obligation on to that person. And to be clear with the obligation is, those funds are blocked in Tornado Cash. And if you have your funds, yeah.

Hans: Can I ask you about that? So those funds are blocked now but let's get to the nitty gritty of what what's happening in that block. For example, why was circle forced to block blacklist or block certain wallets because that in effect caused a lot of people issues, right? Because they weren't able to get their funds?

Adam: That's it. Yeah, that's, that's a really interesting question about circles involvement, I mean, USDC had been used within Tornado Cash as one of the accepted Kryptos. As, as you may know, circle, although it has created a kind of bearer instrument, which is USDC I transfers do not require KYC. It does have the ability to essentially blacklist wallets, which essentially removes from that account the ability to transfer, they can do that remotely. And so when the order came out, the order is drafted in a manner that all persons or US persons selected as a US person are bound by the order. And although it's not their property, it's the property of other people that have USDC deposited with Tornado Cash, they take it upon themselves, that from probably from a risk point of view, that they have to comply with this order themselves, even though it is not necessarily their property that has been blocked.

Hans: Okay. Now, the other part of this is that there was a developer arrested, I believe in Holland. And we know it's in relation to the Tornado Cash, sanctioning. If that's the case, oh, how are so how are developers of the smart, contract driven DeFi platforms like Tornado Cash? How are they in legal jeopardy because of money laundering bad actors using those platforms?

Adam: Yeah. In that situation, we actually don't know what the facts are. There was a press release on the Dutch Dutch release, the press release referred to facilitation on that money laundering that was the description. And then referenced the fact that he was a development when either cash now really plain interpretation, you're not facilitating money laundering if you're writing code and contributing to an open source project, at least not directly by any means. And I doubt I mean, my personal opinion, is that there's more to this. And yes, of course, if the person has been prosecuted for writing code, then you go back to this question of freedom of expression, and the right to share ideas and you know, contribute to common knowledge, and all of these, all of these aspects kick in where you want to have some human rights protection, of course, but we don't know what the facts are. And of course, crypto community is coincidental the timing are quite sensitive to a piece of news like that they feel like, you know, the walls are closing in.

Hans: Is that is the this is tornado cache that we're referring to an installation of an open source software code. And is it not necessarily development of that code, but the installation of it, meaning that setting it up, launching it, pushing the start button, and then letting it go automatically? Then after that, there's no one? I assume keeping it going? I don't know. But is the person that press that start button that developer, programmer or technical person in legal Jeopardy?

Adam: That's never really been tested yet. These questions of like the ceremony of starting a unstoppable smart contract, like someone has to press a button somewhere, right. But even if you were pressing that button, it's not clear directly what that offense would be. you're deploying. you're deploying compiled code onto a blockchain, that transaction of it in of itself. You need to be very specific about what that offense might be. Yeah, but of course, these are very specific actions and facts. And we need to look at, of course, the the legal circumstances around that. But I think in this case, when you know, someone contributing source code, if they are being prosecuted for that they would have a very strong defense. And, and the facts in question, we don't know, the full details. So I think people are jumping to conclusions on that case. And of course, it's an ongoing investigation. So the police don't exactly and provide all the details.

Hans: Could it be possible that OFAC wasn't really intentionally targeting developers of software code? That is really more about the circle? You know, wallet addresses, like in Circles case? One? Things like that, you know, so because because I'm wondering, are they thinking, Okay, this is going to result in the rest of developers who start, you know, launch this thing or build the software? Is that what they're thinking when they make these kinds of sanctions? Or they because they're sanctioning the official application? Which is quite odd.

Adam: Yes, it is very odd. And, and of course, it's never been done. But then you would never sanction an application in a normal context, because you just go in and shut down the servers, you'll get a warrant for the building and go in, shut down the servers or send it to AWS and do the same. So you wouldn't need to sanction the application is because it's a distributed system that you have to sanction the application to effectively halt its continued usage. There, you know, I doubt that the question here is about going after depths. Really. The key thing here is this, this tool has been used by knowing money launderers and property of money launderers, maybe inside the tool at the point when the sanctions order was issued, and that property has to be seized. It's that simple. And the action of seizing causes collateral damage, the collateral damage is simply and other people have their money tied up in the pool as well. And the question is, what recourse do they have well, There is a procedure whereby they can apply to OFAC for license to withdraw their funds from the address from the application. And although the crypto community and making out that this is a really complex, arduous process, it is recourse that is available to people. It's not there, they don't have any recourse whatsoever. And, yeah, I think that that's a point to note. You know, another point that was raised was essentially, because effectively there's no intermediary behind Tornado Cash. There's no one to liaise with as to what remedies people have and knowing kind of go between with OFAC and the customers that have been affected. But you don't really need that, frankly speaking because the application is unaffected, technically speaking, from the order that's come through from OFAC. So all you need to do is get the license from OFAC, press a button on Metamask and get your funds back. There are a set of unintended consequences. To a certain degree talks about the dusting issue. There are technicalities that OFAC will need to clarify. I mean you can't have a situation effectively where people are causing upon you an administrative burden and criminal liability potentially if you aren't aware of it by just sending you fund some Tornado Cash. So there are definitely some complexities there that will need to be clarified by OFAC. But frankly speaking and in any situation where they're introducing a novel mode of enforcement ever going to be unexpected consequences that that that arise from that.

Hans: So my next question is, are there other platform platforms like Tornado Cash, or or somewhat… what I'm referring to is anonymous DeFi platforms? Could other ones be under threat from OFAC or regulatory sanctions? Assuming enough? It seems to be that the more money that goes into these platforms, the more attention they get from regulators, like OFAC or other regulators. Are there other platforms that are under threat like that?

Adam: Yeah, I mean, I think anyone that is involved in or using mixing services are dealing with very, very high risk systems, systems that can be exploited, essentially. And I completely understand that there's a legitimate need for privacy, especially in regards to Ethereum. Because then account based blockchain or there are other, there are other means of achieving that end. For instance, if I wanted the same effect as using Tornado Cash legitimately, I would simply just deposit onto an exchange and withdraw to another address. And then I would have simulated the origin of the funds in relation to third parties that may be spying on me on the blockchain, but I would have done so in a compliant manner. And so I think MC mixes are under threat. Most definitely.

Hans: With platforms like Uniswap or Quickswap, could there be potential sanctions? I mean this question of threat of sanction from OFAC and also security regulators, who want because ultimately, because people can go through Uniswap from any kind of geographical location, get, receive and send tokens or sell tokens and buy tokens which in United States, for example, most of them are considered unlicensed securities. So what platforms might be under threat?

Adam: There may be some consequences for DeFi in general. So I think these platforms they already have some degree of compliance. For instance, a lot of them are operating the front end of the website. And as a result, they have to enable sanction screening. So when people can exit when you go to Uniswap their main website and you connect your wallet, they do an sanctions screen on the wallet. And that's why a lot of people are quite disgruntled with this because they're getting locked out of Uniswap, Aave etc because the frontend is picking up that they have a Tornado Cash association.

Hans: Are there solutions like that, that would allow some anonymity and can be used for mainstream of people that will still consider privacy but for example a compliance layer being embedded in these platforms?

Adam: I mean, I think for those that say, well, I don't want to deposit with Coinbase or withdrawal from Coinbase. I want to do this in a non-custodial way. At present that doesn’t exist - a compliant mixer, but one could see such tools can be built. It is not so inconceivable, but that the ethos of crypto at least at present is one of permissionlessness. The result of that ethos is it looks like it's creeping more towards lawlessness. And I think there needs to be somewhat of a compromise taken here. I don't think we can bring crypto to the masses, to a mainstream audience, taking a highly radical view certainly permission surround permissionlessness. Also there's there's some real problematic areas. But if OFAC has decided to target distributed application itself, for essentially nefarious actions, and then people argue that well, that application doesn't belong to anyone. It is distributed. It is decentralized etc. that the argument of using decentralization to avoid legal enforcement is starting to fall away which then brings you to the next layer, which is do validators now, in Ethereum network or other blockchain networks continue to consider their own liability. And there'll be questions that arise from this and I think they're taking a very radical view regarding decentralization at all costs is not going to be conducive to finding a solution to this problem. The solution to this problem has been trying to find the balance view which on the one hand maintains part of the ethos of crypto which is user empowerment, and on the other hand, addresses the real world laws that apply today and political imperatives. Without compromise between the two, it is likely to result in marginalization, not embracing of crypto.

Hans: Is there any sort of other news regarding compliance and sanctions in crypto - recent news that you could talk about?

Adam: Just a few pieces of news. What we can see now is that the EU has introduced a new regime called MiCA. This regime would require the registration of virtual assets and is likely to come into force this year, with a rollout implementation period of a couple of years from then, because EU law tends to be issued as a directive and then each state has a period of time to bring into force within their own jurisdiction. We’re also seeing in the EU, they are going to introduce a specific regulator of crypto for AML purposes. That would be the first assigned regulator to deal with crypto industry, which is very interesting. Aside from that, we can see that in US market, of course, there's this ongoing discussion about securities about how that's gonna play out over the coming months or year and the treatment of tokens in general, which regulator is going to take charge of these tokens. Is it going to be CFTC? Is it going to be the SEC? And the consequences of that. But yeah, we will certainly keep everyone tuned in with all the regulatory updates and make sure that people are on the ball and understand the consequences. You know, opposition, of course of at Blockpass is that we want to enable compliance for the crypto industry. Because our goal is that this enters the mainstream and for it to enter the mainstream there needs to be some realism around the role of crypto, legal and regulated context.

Hans: Yeah. And to add to that… in Blockpass building of sort of blockchain compliance or crypto compliance solutions, and software, we have the user in mind, that the user-centricity in mind is important, I'm sure you agree that the users we want the users to continue to control their data and ultimately be in the driver's seat.

Hans: Absolutely. I think the challenge ahead is to be able to achieve mainstream adoption, we have on the one hand achieve compliance, and on the other hand, decentralization and data protection…all in one. So there's three separate challenges. means that when we build a product, it has to be able to tick all those boxes and address those directly.

Hans: Well, thank you, Adam, for talking to us and it's a pleasure to listen to someone who's so expert in the field. Maybe in the next call or the next show, we can talk about more about European regulations in crypto on the call. And so you know, good bye everyone!