Basketball Entrepreneur, Shaquille “Big Sexy” O’Neal just crossed the line. Here’s the Etherscan page for Shaq’s NFT project showing the sanctioned, illegal transaction. The US Treasury announced sanctions applied to Tornado Cash transactions beginning last Monday. I’m not suggesting that Shaq’s done anything wrong, but this is an example of why the Treasury’s attack on Crypto mixing services via sanctions is unworkable.
Who Gets Invited To The Crypto Mixers?
Mixers are tools within the Cryptocurrency ecosystem that allow users to deposit tokens, combine them with other people’s tokens, and then withdraw to an unrelated wallet. They can be used simply for privacy reasons, or it can be used to hide the tracks of illicit funds.
The US Treasury was obviously focused on the latter when it sanctioned Tornado Cash, with an estimated $455M washed through Tornado over the last few years by North Korean hacker group Lazarus.
I’m not defending the ability to hack and launder money, but you can walk the line if one can actually be laid down. Lazarus has been a scourge on the Crypto industry since at least 2017 and I would love nothing better than to see them dealt with effectively and severely. But that’s the problem…
The solution to Crypto hacks needs to be effective or there’s no point.
According to Chainalysis’ research on the topic, for every criminal use of crypto mixers, there appears to be a legitimate use. So a large part of the pushback on this round of sanctions is to do with preserving privacy tools in an increasingly aggressive surveillance state that jeopardizes citizens’ legitimate need for privacy in everyday life.
Privacy is normal and needs to be defended.
Among notable legitimate and extremely necessary uses of privacy tools that have come out since the sanctions announcement are Ethereum founder Vitalik Buterin using Tornado Cash to donate money to Ukrainians. This reduced their risk. Blockchain developers can also use untraceable funds to seed new projects without exposing their entire net worth.
However, this article isn’t about privacy. There’s plenty written about that elsewhere. I’m talking about why sanctions aren’t the right tool for this problem.
Sanctions Didn’t Stop Party Crasher Lazarus
This isn’t the first mixer the US has sanctioned. In May, the Treasury sanctioned Blender.io, another mixing service that had also been used extensively by Lazarus group. In that case, the sanctions worked well to shut down the service.
They had no meaningful effect on the Lazarus group who simply kept hacking and moved to the next mixer.
Blender.io was a custodial mixer. Users deposited funds into a centralized custodian who would then mix your funds and return them. The people running the service were targeted by sanctions and shut down.
Tornado Cash is structured differently. Rather than having a centralized custodian making decisions it’s simply a smart contract hosted on the Ethereum blockchain which holds funds prior to mixing and withdrawal. It’s just a piece of code that will continue running indefinitely and doing what it was designed to do. No one that can take it down. It is an immutable smart contract.
Tornado Cash is Bitcoinesque. It cannot be changed. It cannot be removed.
The Treasury seems to not really be aware of this distinction. The actual text of the sanctions has identified a range of wallet addresses associated with the smart contract as being prohibited to transact with. Treasury hasn’t identified any specific people or organizations, other than a website that hosts a front end for accessing the service. That makes this the first time the Treasury has sanctioned code, rather than people or corporations.
Enforcement: “Buzzkill” US Treasury Just Doesn’t Get It
How will this be enforced? No one really knows, but so far Circle has frozen USDC currently held in the smart contract awaiting withdrawal. Circle’s CEO doesn’t seem very happy about being forced to do this. There are also significant amounts of Ethereum and Wrapped Bitcoin also held in the smart contract.
BitGo, the issuer of Wrapped Bitcoin can’t freeze their tokens and Ethereum also can’t be frozen at the protocol layer. The only logical way that US based companies like Coinbase can comply with sanctions is to prevent tokens that have been through Tornado Cash from being deposited onto their platforms.
Which raises a huge issue. Because tokens can’t be frozen on the protocol layer, these tokens are free to move around in the Ethereum DeFi ecosystem prior to deposit on Coinbase. Regular users will have a very hard time knowing whether or not tokens that they receive are going to be accepted with major US based companies.
We don’t have any guidance from the Treasury on how this is supposed to be dealt with, but I imagine there are currently extremely frustrated calls between Crypto exchanges and the Treasury department trying to sort out this issue without breaking Ethereum.
The Treasury department might have just accidentally broken Ethereum fungibility.
Do I think that is the likely outcome here? No, not at all. But it does speak to how recklessly uniformed and uncaring the US Treasury is becoming regarding the collateral damage of using sanctions to solve every problem. There doesn’t appear to have been any consultation with major Washington based Crypto education groups like Coin Center and the DeFi Education Fund.
Will the US Treasury be educated enough to make restrictions and reform possible. We don’t yet know how strict the Treasury will instruct US corporations to be about blocking deposits from Tornado Cash. Using blockchain records, it’s perfectly possible to trace Tornado Cash use through several transactions. It’s less possible to do the same through a DeFi system which inherently mixes up funds so that their origin can’t be ascertained.
The maximum enforcement would be to block all deposits from DeFi because some deposits would have touched Tornado Cash at some point in time.
This highlights how useless sanctioning a medium of exchange really is. Usually transactions with a particular party are the sanctioned activity. This is what it means to have effective measures against cybercrime. These sanctions won’t shut down Tornado Cash and they won’t stop Lazarus Group. They have the potential to cripple Ethereum, if they’re applied strictly. It’s fundamentally a losing game. The USTreasury is playing whack-a-mole with privacy tools.
So what happens when a government enacts an absurd law that can’t be enforced and doesn’t really make any sense?
People immediately break the law.
Guilty By Association: Shaq, Fallon And Others Get Dusted
Numerous celebrities and notable Crypto figures including Shaq, Jimmy Fallon, Brian Armstrong the CEO of Coinbase, Crypto Exchange cold wallets and numerous others got dusted by Tornado Cash transactions.
Dust attacks aren’t new, they’ve been around as long as I’ve been in Crypto. They describe when a wallet gets sent useless or harmful tokens without their consent. There is no need to accept Crypto transactions, they just show up when someone sends them to your wallet.
Someone with a balance held in Tornado Cash started sending small Ethereum transactions to a range of known celebrity wallet addresses without their approval or knowledge. On the first day of sanctions over Tornado Cash.
Did Shaq violated sanctions? Arguably yes.
Sanctions violations are strict liability offenses. There doesn’t need to be any intention to perform a transaction with the sanctioned party. There doesn’t have to be any benefit gained by transaction. All that needs to be shown is that a transaction occurred.
There is a defense that best efforts were taken to comply with sanctions. The prosecuting body will look at what steps were taken to avoid breaching sanctions, that will affect their likelihood to prosecute and the severity of the punishment. But what could Shaq have done to avoid breaching sanctions?
There is nothing that anyone could have done to avoid breaching sanctions by receiving unsolicited Tornado Cash transactions.
Obviously Shaq and Jimmy Fallon are not going to get prosecuted for sanctions violation because someone else sent them some Ethereum, but the fact that these celebrities will need to be excused for something that is arguably a breach of US sanctions according to the letter of the law is a big problem.
If The Rules Are A Bluff, What Happens Next?
The sanctions are at best ineffective. Tornado Cash is the second mixer that has been sanctioned because it was used by Lazarus. The first set of sanctions just meant that Lazarus moved to using Tornado Cash instead of Blender.io. I imagine that due to the lack of enforceability of this round of sanctions, they won’t even stop Lazarus from using Tornado Cash as their mixer of choice.
Will it change how Crypto exchanges treat mixed funds? Unlikely. Major US exchanges already had a responsibility to refuse shady deposits under existing anti-money laundering provisions. There were already reports earlier this year of Coinbase refusing to credit deposits directly from mixers or funds that had recently been through a mixer.
What is the point of sanctioning Tornado cash if it doesn’t shut down the service or slow down Lazarus group?
Well it will likely prevent law abiding US citizens from accessing a financial privacy tool for non-criminal purposes. Fight for the Future compared the sanctions to banning email because it can be used for phishing scams. The Cato Institute noted that “Punishing every American by going after technology is not the solution for dealing with criminals”.
Banning mixers to stop cyber crime is like digging up roads to prevent carjackings.
I’m much more concerned about the big picture problems with this style of enforcement. The demonstrated lack of basic understanding of how this technology works and what they are doing at the Treasury department is frankly terrifying.
It’s one thing to deliberately destroy Crypto ecosystems with regulation. It’s an entirely different thing to do it by accident.
The Ethereum blockchain is open and readable. There are numerous firms and hobbyists who monitor transactions. All eyes will be on Tornado Cash to see if it continues to operate or if the sanctions shut it down. In the day after the sanctions came into effect almost $3M moved through Tornado Cash.
Sanctions are a powerful tool, but they are completely unsuited to dealing with decentralized or ungoverned entities like Tornado Cash. There is no one for the government to threaten here. There’s just users accessing open source code to assert their privacy.
If the US Government is going to bluff, I’d prefer it if the entire world couldn’t see that bluff fail in real-time.