Tornado Cash Litigation Update
Published by The Lawfare Institute
in Cooperation With
The Treasury Department on May 3 provided its most thorough defense to date of its proclaimed authority to impose sanctions on novel, decentralized finance technologies. As part of a lawsuit challenging the Office of Foreign Assets Control’s (OFAC’s) August 2022 designation of the cryptocurrency protocol Tornado Cash—a collection of “smart contracts” that enable users to transfer funds anonymously—Treasury responded in-depth to plaintiffs’ claims that the sanctions exceed OFAC’s statutory authority and run afoul of the First Amendment. The department argues that the sanctions are well within OFAC’s jurisdiction and do not implicate the First Amendment because Tornado Cash is an “entity,” the smart contracts are “property,” and there is no constitutionally protected right to transfer funds anonymously.
Below is a summary of the legal arguments advanced in the litigation and some key issues still unresolved.
Background
On Aug. 8, 2022, OFAC added 45 Ethereum addresses associated with Tornado Cash to its Specially Designated Nationals (SDN) list, prohibiting U.S. persons and those subject to U.S. jurisdiction from transacting with them. The sanctions prompted a range of reactions from commentators, from supportive and sympathetic to more critical and outright incensed.
To understand Tornado Cash’s function, it is helpful to briefly review the pseudonymous nature of blockchain technology. Because all cryptocurrency transactions are recorded on a public ledger, anyone can see all transactions a particular wallet address engages in. Based on these transactions, it is often possible to discern certain identifying information about the wallet owner. To put it simply, Tornado Cash, by combining a sender’s funds with those of other users’ in a common “pool” before sending them to the sender’s intended recipient, obscures the source of the funds and thereby preserves the sender’s anonymity.
According to OFAC, North Korean hackers took advantage of this function to launder at least $455 million of illicit funds using Tornado Cash. At the time of its designation, Tornado Cash had processed $7.6 billion worth of the cryptocurrency Ether over its two-year existence, at least 30 percent of which was tied to sanctioned or other illicit users.
OFAC initially designated Tornado Cash addresses pursuant to Executive Order 13694 (as amended by Executive Order 13757), an April 2015 order aimed at countering malicious cyber-enabled activities. That executive order rested primarily on authority conferred by the International Emergency Economic Powers Act (IEEPA), which gives the president, and by extension OFAC, broad power to impose economic sanctions.
On Sept. 8, 2022, six individuals who had previously used Tornado Cash for lawful purposes filed a complaint in the Western District of Texas challenging OFAC’s authority to designate the protocol. Coinbase, one of the world’s largest cryptocurrency exchanges, announced that it would fund the lawsuit. A second lawsuit raising similar claims was filed in the Northern District of Florida on Oct. 12, 2022.
To address some of the novel compliance questions raised by the sanctions, OFAC issued limited guidance on Sept. 13, 2022. On Nov. 8, 2022, OFAC delisted and simultaneously redesignated Tornado Cash. In addition to its previously identified authority under Executive Order 13694, OFAC cited Executive Order 13722, a March 2016 order issued pursuant to IEEPA and several other statutes, including the North Korea Sanctions and Policy Enhancement Act of 2016, that aimed to counter the threat posed by the North Korean regime and its nuclear weapons program.
On March 20, 2023, the district court hearing the first lawsuit adopted the magistrate’s report and recommendation and granted the Treasury’s Department’s motion to transfer the case from the Waco Division of the Northern District of Texas to the Austin Division, in part due to the administrative record containing classified information more easily accessible in Austin. The plaintiffs then moved for partial summary judgment on April 5. The Treasury Department filed its cross-motion for summary judgment and motion in opposition on May 3.
Legal Arguments in the Texas Suit
In their motion for summary judgment, plaintiffs in Joseph Van Loon et al. v. Department of the Treasury et al. claim that OFAC’s designation of Tornado Cash is “not in accordance with law” under § 706(2)(A) of the Administrative Procedure Act for two reasons.
Statutory Claim
Plaintiffs allege that OFAC exceeded its statutory authority because Tornado Cash is not a “person,” foreign “national,” or “property.” The president’s authority under IEEPA, specifically 50 U.S.C. § 1702(a)(1)(B), extends to “any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States.” Similarly, the North Korea Sanctions and Policy Enhancement Act, 22 U.S.C. § 9214(c), authorizes the president to prohibit transactions only in “property and interests in property.”
Plaintiffs contend that Tornado Cash is not a “person.” OFAC’s North Korea Sanctions Regulations, 5 C.F.R. § 510.101 et seq., define “person” as an “individual” or “entity,” which includes “a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.” Plaintiffs argue that OFAC has not designated any “individual” because its own guidance explicitly says that OFAC “has not designated Tornado Cash’s individual founders, developers, members … or users, or other persons involved in supporting Tornado Cash at this time.” Plaintiffs also argue that Tornado Cash is not an unincorporated “entity” because its founders, developers, and governance stakeholders—members of the Tornado Cash decentralized autonomous organization (DAO)—do not have an agreement to pursue a common purpose or objective. (By contrast, in a less controversial move in May 2022, OFAC designated cryptocurrency mixer Blender.io, a centralized service indisputably controlled by individuals.) Plaintiffs take issue with OFAC’s broad definition of a DAO member—anyone who owns Tornado Cash’s native token, TORN—because some TORN holders never contributed anything to the platform’s development or voted on a governance proposal and therefore did not manifest a common purpose. Plaintiffs analogize these TORN holders to individuals deemed members of a Taylor Swift fan club simply because they received an email inviting them to vote for the club’s next president. Plaintiffs instead argue that Tornado Cash is merely a decentralized collection of immutable, self-executing lines of code.
Plaintiffs argue next that immutable smart contracts are not “property” because they are “incapable of being owned.” They cannot be “property” because “no one has the right to delete them” and “no one has the right to exclude another person from using them.” Nor can OFAC designate the Tornado Cash smart contracts under the theory that they are “identifiers” of property, like an address of a building, because nothing underlies the smart contracts.
Finally, plaintiffs argue that the Tornado Cash “person” that the Treasury Department purports exists does not have an “interest in property” in the smart contracts. An “interest in property,” they claim, entails a “legal or equitable claim to or right in property,” whether direct or indirect. Plaintiffs reject OFAC’s first theory—that Tornado Cash’s developers had a beneficial interest in the platform because they expected it to have value when they expended time and effort to create and advertise it—because the developers ultimately relinquished control of the smart contracts. They also argue that OFAC’s other theory—that TORN owners derived value from Tornado Cash because use of the platform increased the value of their tokens—is flawed because a beneficial interest in TORN is not the same thing as a beneficial interest in the smart contracts themselves. OFAC’s interpretation of “interest,” the plaintiffs argue, would give it “nearly limitless” sanctions authority.
In response, the Treasury Department argues that Tornado Cash is in fact a “person” because it is an “entity.” Treasury maintains that the definition of “entity” is “broad and flexible” and that Tornado Cash—consisting of a group of individuals with a “well-defined organizational structure” and common purpose—“easily” qualifies under the term’s ordinary meaning. The Treasury Department contends that Tornado Cash’s structure in many ways resembles that of a traditional corporate entity, with responsibilities divided between its developers and the Tornado Cash DAO. The Treasury Department points to several concrete, coordinated actions the developers took to advance their common purpose, including placing job advertisements, organizing code deployments, and adopting a fee structure. The Treasury Department dismisses plaintiffs’ attempt to highlight the few TORN holders who have not actively participated in the platform’s governance, arguing that “a corporation is still an entity even if many stockholders never intend to vote.” With respect to plaintiffs’ argument that it is incoherent for OFAC to designate an “entity” supposedly made up of “individuals” but not designate any singular person, the department maintains that its choice to designate the organization does not require it to separately designate each of its members.
The Treasury Department also argues that Tornado Cash smart contracts are “property.” It makes several points to support this claim. First, OFAC’s regulations broadly define “property” to include “contracts of any nature whatsoever,” “any interest of any nature whatsoever, direct or indirect,” “services of any nature whatsoever,” and “any other property, real, personal, or mixed, tangible or intangible, or interest or interests therein, present, future, or contingent.” These definitions supersede the dictionary definitions cited by plaintiffs. Second, the Tornado Cash smart contracts operate like quintessential unilateral contracts: Tornado Cash offers to mix cryptocurrency, and users accept this offer by sending funds to the Tornado Cash smart contracts. Third, several federal district courts have recognized smarts contracts to be contracts. Fourth, even if the Tornado Cash smart contracts are not contracts, they are “services”—and therefore fall under OFAC’s definition of “property”—because the smart contracts perform a useful function for a fee. Fifth, plaintiffs’ contention that the smart contracts are not “property” because no one can alter them or exclude another from using them ignores that property interests can be qualified. And in practice, Tornado Cash has excluded others from using certain smart contracts by disconnecting outdated contracts from its public interface, effectively rendering them useless. In any case, the smart contracts are “property” because they routinely confer a beneficial interest (TORN tokens) to the Tornado Cash DAO.
Having established that the smart contracts are “property,” the department argues that Tornado Cash has an “interest in property” because the smart contracts are coded to automatically pass along fees to the Tornado Cash DAO. While it is technically possible for a user to circumvent this process, doing so would reveal the user’s identity, thereby defeating the purpose of using Tornado Cash. The Treasury Department also points to “highly probative circumstantial evidence,” including the fact that Tornado Cash developers set up the platform, helped advertise it, created a token, and offered “bug bounties” to anyone who could find errors in their code. The Treasury Department stresses that this identifiable beneficial interest serves as a limiting factor preventing OFAC from sanctioning anything intangible it chooses.
First Amendment Claim
Plaintiffs also allege that OFAC’s designation of Tornado Cash violates the First Amendment. Plaintiffs contend that prohibiting transactions with Tornado Cash has incidental effects on speech and, therefore, the court should apply intermediate scrutiny. Plaintiffs concede that the government has a substantial interest in preventing money laundering but argue that a total ban on Tornado Cash is not narrowly tailored since OFAC concedes that most funds sent to Tornado Cash were for lawful purposes. Instead of prohibiting all transactions with Tornado Cash, plaintiffs argue, OFAC could have imposed targeted sanctions only on its illicit users, as it did when it sanctioned the North Korean Lazarus Group, a prolific Tornado Cash user, in September 2019.
Plaintiffs also argue that a blanket ban on using Tornado Cash is overbroad, deterring constitutionally protected speech. Plaintiffs highlight the benefits of Tornado Cash’s privacy-preserving function, including enabling individuals to anonymously donate to controversial political causes such as Ukraine’s war effort. Amicus briefs also stressed this important use case for Tornado Cash. In addition, two of the plaintiffs allege that the sanctions deter them from interacting with and building on Tornado Cash’s open-source code, a violation of the First Amendment, since publication and development of software code has been recognized as constitutionally protected speech.
In response, the Treasury Department argues that OFAC’s designation of Tornado Cash does not implicate any First Amendment-protected interest. It argues that there is no First Amendment right to transfer funds anonymously. Furthermore, there is no constitutional right to transfer funds using one’s preferred service when other means are available. With respect to plaintiffs’ claim that the designation deters them from interacting with open-source code, the department cites OFAC’s guidance issued on Sept. 13, 2022, in which it made clear that “interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited.” Treasury disclaims any involvement in GitHub’s decision (later partially reversed) to remove Tornado Cash code from its repositories.
Looking Ahead
In its motion in opposition, the Treasury Department does not appear to go as far as to claim that OFAC has authority under IEEPA to sanction a fully decentralized smart contract. Rather, the department contends that Tornado Cash is not completely decentralized because a group of individuals—its developers and DAO members—retain effective control over the smart contracts and have a beneficial interest in them. Thus, even if OFAC prevails in this case, the question of OFAC’s authority to designate a truly decentralized protocol—to the extent one is even possible—may remain unresolved.
The Treasury Departments arguments are consistent with those made by Dutch prosecutors at a hearing in November for Tornado Cash developer Alexey Pertsev, who was detained in August and has subsequently been charged with money laundering offenses. At the hearing, prosecutors argued that Pertsev maintained de facto control over Tornado Cash. Though Tornado Cash was set up as a DAO, Pertsev and his collaborators allegedly retained the majority of voting power and thus could influence the protocol in any way they chose. Pertsev was recently released to home confinement pending trial.
The extent to which any individual or group of individuals controls the Tornado Cash protocol mirrors questions raised by the Commodity Futures Trading Commission’s (CFTC’s) enforcement action against Ooki DAO, a nominally decentralized cryptocurrency trading and lending protocol. Among other alleged violations, the CFTC claims that Ooki DAO failed to abide by anti-money laundering regulations. In its complaint, the CFTC similarly argues that the protocol’s founders, and later the protocol’s governance token holders, exercised multiple types of control over the protocol.
Neither lawsuit challenging OFAC’s designation of Tornado Cash addresses whether certain actors in the cryptocurrency ecosystem, such as the validators that verify transactions, may be exempt from the sanctions under IEEPA’s “informational materials” exception, 50 U.S.C. § 1702(b)(3). Advocates at Coin Center and crypto investment firm Paradigm contend that validators and others are covered by the exception. Initially, most Ethereum validators complied indirectly with the Tornado Cash sanctions due to their reliance on Flashbots’ Maximal Extractable Value (MEV)-Boost software, which excludes transactions involving designated Tornado Cash addresses. Such enforcement at the validator level—coupled with enforcement by infrastructure providers and front-end applications—ensured that the Ethereum ecosystem remained generally compliant with the Tornado Cash sanctions. However, following efforts to reduce validators’ reliance on Flashbots’ OFAC-compliant software, less than a third of validations are now compliant. OFAC might soon feel compelled to take enforcement action to address declining compliance at the validator layer.
If the legal challenges to OFAC’s statutory authority prove successful, the Treasury Department will need to either ask Congress to amend IEEPA’s jurisdictional provision to expressly cover decentralized smart contracts or resort to other authorities. One possible alternative suggested by Juan Zarate, a former Treasury Department official and deputy national security adviser, would be to utilize Section 311 of the Patriot Act, 31 U.S.C. § 5318A, which authorizes the secretary of the treasury to require U.S. financial institutions to impose certain “special measures” against “classes of transactions” that pose a “primary money laundering concern.” In January, the Financial Crimes Enforcement Network (FinCEN) used this authority to crack down on cryptocurrency exchange Bitzlato for its role in laundering funds for Russian cybercriminals. Designating Tornado Cash under Section 311 would also invite legal challenges, however. Eventually, Congress may need to provide U.S. national security agencies with updated authorities to combat threats facilitated by decentralized finance.
Plaintiffs’ response to the Treasury Department’s motion in opposition is due by May 24. The department will then have until June 14 to reply.