The “DAO Jungle” Chronicles: Federal Judge Upholds Treasury Department’s Sanction of Tornado Cash for Involvement in Laundering Hacking Proceeds
This post was primarily authored by Daniel Zarchy, a “Rising Star” for five of the past six years who is a litigation attorney at Patton Sullivan Brodehl LLP.
In two prior posts, this blog tracked the ongoing intrigue of how the various branches of the United States government interact with blockchain and cryptocurrency organizations. We discussed the Wyoming law allowing Decentralized Autonomous Organizations (“DAOs”) to register as LLCs, and the California federal court decision holding that a DAO would be treated as a general partnership for purposes of a new class action lawsuit.
The most recent domino in this saga fell in August 2023 when a federal judge in Texas upheld the designation by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) placing Tornado Cash on the “Specially Designated Nationals” (SDN) list, which would effectively prohibit anybody in the United States from interacting with or doing business with Tornado Cash. The Order arose from the case Van Loon, et al., v. Department of Treasury, in the United States District Court, W.D., Texas, Austin Division.
What is Tornado Cash?
To understand the significance of Tornado Cash, it is important to understand two seemingly inconsistent pillars that define distributed ledger technology and cryptocurrency in general: transparency and anonymity. When users interact with most public blockchains, and Ethereum and Bitcoin in particular, those users typically interact by way of a digital “wallet.” This wallet includes the current balance of currencies owned by the wallet, as well as a public ledger of every transaction ever performed by that wallet since it came into existence. However, these wallets are identified merely by a random string of letters and numbers (in the case of Ethereum, a wallet is identified by a 42-character hexadecimal address). For the vast majority of these wallets, nobody has any idea who the wallet belongs to or who has control over the currencies held therein. However, if somebody wanted to trace the movement of currencies across wallets, they could do so given that all transactions across the blockchain are public.
Enter Tornado Cash. Tornado Cash is what is known as a “mixer,” in that it allows users to send sums of cryptocurrencies to the system, at which point the Tornado Cash software will pool those funds with the rest of the assets under its control. The software will then, at some point later (usually designated by a third-party “relayer”), send the deposited funds to a new wallet address that has no public affiliation with the depositing wallet. In effect, Tornado Cash “launders” the currencies by making it virtually impossible to trace, and in exchange, earns a fee.
Like many crypto protocols, as discussed in the previous chapter of the DAO Jungle Chronicles, Tornado Cash is run by a DAO that votes on issues such as new features, and is run by a governance token called TORN. Through the DAO, Tornado Cash regularly updates its services by implementing new software through smart contracts, while taking older smart contracts out of operation. The DAO also manages ordinary business tasks like posting job advertisements, managing funds to compensate contributors, and paying third parties for facilitating transactions through the Tornado Cash software.
While ostensibly a tool for “privacy,” these mixing services are highly sought-after for those attempting to hide their funds, such as hackers who steal funds or engage in ransomware. Upon receiving their ransom payments in cryptocurrency, the hacker can then launder the funds through a mixer and send the funds to a separate address without anybody being able to trace it.
Tornado Cash’s most notorious user has been the Lazarus Group, a North Korean state-sponsored hacking group that has stolen more than $455 million. According to the Treasury Department, Tornado Cash was also used by hackers related to at least two other large-scale cryptocurrency hacks, including a $96 million hack in June 2022 and a $7.8 million hack in August 2022.
OFAC designated Tornado Cash on the SDN list in August 2022, then rescinded and re-designated Tornado Cash in November 2022 to include additional bases for the designation, citing Tornado Cash’s purported laundering of the proceeds from the Lazarus Group hack, as well as other material support that OFAC alleged Tornado Cash provided to the North Korean government.
Whether Tornado Cash is an “Entity”
Following OFAC’s designation, the Treasury Department was sued by a group of plaintiffs in the U.S. District Court in the Western District of Texas, seeking to reverse the designation. In their lawsuit, the Plaintiffs argued that OFAC exceeded its statutory authority in making the designation, and the Plaintiffs and Treasury Department brought opposing motions for summary judgment.
The SDN designation was made pursuant to the International Emergency Economic Powers Act (“IEEPA”) (50 U.S.C. § 1701(a)), which gives the President broad powers to declare national emergencies based on threats coming from outside of the United States. The President signed several executive orders pursuant to the IEEPA, including one that allows OFAC to block the property and interests in property of “any person” that engages in “cyber-enabled activities” originating from outside the United States that are reasonably likely to cause “a significant threat to the national security” or cause a “significant misappropriation of funds or economic resources,” among other activities. (Executive Order 13757.)
The Treasury Department’s regulations define “person” to mean “an individual or entity” (31 C.F.R. § 510.322) and defines “entity” as a “partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.” (31 C.F.R. § 510.305.)
The Plaintiffs asserted that the Treasury Department could not designate Tornado Cash on the SDN list because Tornado Cash is not a foreign “national” or “person,” but rather, autonomous software. The Plaintiffs also argued that the Tornado Cash DAO did not “manifest[] any agreement to a common purpose,” citing to other types of cases involving RICO that required such a manifest purpose. The Plaintiffs argued that mere ownership of the TORN tokens does not indicate an intention to participate in the governance of the protocol. Finally, the Plaintiffs argued that because the SDN designation excluded Tornado Cash’s founders, developers, members, and users, it could not designate Tornado Cash itself.
However, the Court held for the Treasury Department on all elements. First, because Tornado Cash was formed by individuals and run by developers and the DAO, it is not truly autonomous software.
Second, the Court adopted OFAC’s definition of “association” which, citing to the Oxford English Dictionary, means a “body of persons who have combined to execute common purpose or advance a common cause.” The “manifest agreement” that the Plaintiffs sought to require, the Court held, was not applicable to this matter. As a result, OFAC only had to prove that Tornado Cash consists of a body of individuals, and that this group exists to further a common purpose. As OFAC had done that, the Court held that Tornado Cash met the definition of an “association,” and therefore, a “person” under the regulations.
Finally, the Court held that the act of designating Tornado Cash while excluding the DAO, users, and other supporters, was routine and did not undermine the designation. As a result, the Court upheld OFAC’s assertion that Tornado Cash is an entity that may be designated per OFAC’s regulations.
Whether Tornado Cash Has a Property Interest in its Smart Contracts
In addition to challenging Tornado Cash’s status as an “entity,” the Plaintiffs alleged that Tornado Cash does not have a property interest in the smart contracts that OFAC intended to block, given that smart contracts are by their nature immutable and therefore cannot be owned. Rather, the Plaintiffs argued, smart contracts are akin to a vending machine, because smart contracts exist to carry out “a particular, predetermined task without additional human intervention.”
The Plaintiffs also argued that the definition of “interest in property” should be defined as “legal or equitable claim to or right in property” from Black’s Law Dictionary, rather than the definitions that OFAC had already adopted within its regulations. However, recognizing that “interest in property” is an ambiguous term, the Court rejected the Plaintiffs’ definition and determined Tornado Cash’s potential interest based on the OFAC definitions.
The OFAC definitions of “property” includes “contracts of any nature whatsoever.” (31 C.F.R. § 510.323.) The Court noted that federal courts had already held that smart contracts are simply a species of unilateral contracts enabled by code, and that Tornado Cash promoted and advertised its smart contracts to attract people to come and use them. The Court also held that even if a smart contract is nothing more than a digital vending machine, vending machines are also effectively unilateral contracts, so that analogy would not defeat OFAC’s conclusion that Tornado Cash holds a property interest in its smart contracts.
The Court adopted OFAC’s definition of “interest” to mean “an interest of any nature whatsoever, direct or indirect.” (31 C.F.R. § 510.313.) The Court held that because Tornado Cash controls and uses crypto assets through the smart contracts, and Tornado Cash earns fees for the DAO when people use its software, Tornado Cash has a beneficial interest in its smart contracts based on expectations that the contracts would continue to generate revenue for the protocol.
As a result, the Court upheld OFAC’s designation of Tornado Cash on the SDN list. Tornado Cash is an entity that may be designated and has a property interest in the smart contracts targeted by the designation.
Impact
This decision may serve as a roadmap for future interactions between cryptocurrency protocols and federal executive agencies. While you may not be concerned about your crypto protocol being the target of executive orders aimed at terrorist organizations, it is important to recognize that federal courts are likely to defer to agencies’ definitions as to which organizations are under their jurisdiction, and these definitions may be broader than expected. Those operating in this space should look carefully at the jurisdictional definitions of any agency involved in regulating their industry to determine the likelihood they will fall within that agency’s definitions.