red 
On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash. The mixer — which resides on the Ethereum network and other blockchains — was fined for its role in facilitating more than $1.5 billion in illegal transactions, including transactions for North Korean cybercriminals.
The Tornado Cash token has sparked significant debate and controversy throughout the crypto industry, and even sparked a lawsuit seeking to have the token invalidated. The sanctions also raised complex technical issues for compliance teams in light of the vast number of transactions in the crypto ecosystem that were “tainted” by even indirect or historical links to Tornado Cash. This has led to calls from the crypto industry for more guidance from OFAC on how to comply.
On September 13, OFAC issued Frequently Asked Questions (FAQs) regarding the Tornado Cash designation. While not offering the comprehensive and comprehensive clarification that many in the industry would like to see, the FAQ does address important points regarding Tornado Cash sanctions. Here we explain the key implications of OFAC’s frequently asked questions.
Funds were mixed after the sanctions
One scenario OFAC is looking at is how US persons – which include crypto exchanges with a US presence – should have handled funds that were sent to Tornado Cash before the sanctions were imposed on August 8, but were commingled and dispersed from Tornado Cash – and after the sanctions. This appears to address the concerns expressed by legitimate users of the platform who had no intention of violating sanctions but are unable to repay their assets because US exchanges will not manage their “tainted” funds.
OFAC’s FAQ states that under these circumstances, a US person may apply for a special license from OFAC to engage in a transaction with funds that were sent to Tornado Cash prior to sanctions but received from the platform or commingled after sanction. To obtain a license, anyone involved in a transaction of this type should include in their license application information about:
- sender’s and user’s wallet addresses;
- transaction hashes;
- the date and time of the transaction(s); and
- the amount of virtual currency involved.
OFAC also indicates that it will generally adjudicate these authorization requests favorably – as long as there is no other punishable conduct (for example, if one of the wallets involved in the transfer of funds to or from Tornado Cash belongs to another sanctioned entity, such as a North Korean Lazarus group).
Interestingly, OFAC has decided to make this a matter of special licensing (where each individual must seek approval for each relevant transaction) rather than general licensing (which would provide a broad exemption to US persons involved in these types of transactions).
Either way, the licensing clarification has important implications for crypto exchange compliance teams. This suggests that a US crypto exchange could process a transaction that blockchain analytics solutions identify as being exposed to Tornado Cash if OFAC issues a license to engage in that specific transaction under these circumstances.
This will hardly allow exchange with carte blanche unblock funds belonging to a large number of customers who used Tornado Cash – as some may have hoped. However, it clarifies the steps required to unblock funds in certain circumstances and may help some legitimate Tornado Cash users to issue their assets by cashing them out on exchanges.
Handling of dusting attack agents
Another topic that OFAC is dealing with is dusting attacks. In the days after OFAC sanctioned Tornado Cash, a number of high-profile individuals and celebrities were sent small amounts of cryptocurrency that went through a mixer—a deliberate prank designed to “taint” the recipient’s wallets. That has led some in the crypto industry to question whether individual victims of dust attacks — or crypto exchanges that may ultimately manage the funds of customers who have been victimized — have an obligation to block those funds.
In the FAQs, OFAC states that its regulations technically apply to these transactions. However, it is recognized that dusting attacks result in victims receiving “unclaimed and nominal amounts” of funds, and that this is a relevant factor in determining the severity of these cases. OFAC states that it “will not prioritize enforcement over delayed receipt of initial freezing reports and subsequent annual freezing asset reports from [dusting attack victims]”.
This pragmatic approach to enforcement is not surprising. It would not make sense for OFAC to devote its limited resources to conducting an in-depth investigation of these cases. Victims of dust attacks – and the crypto industry as a whole – will likely be relieved to hear that they will not be subject to proactive government enforcement if they do not report these cases to OFAC within ten days of receiving funds from Tornado Cash, as OFAC typically requires.
It is important to note, however, that in its FAQs, OFAC does not suggest that anyone in possession of dust attack assets is authorized to completely disregard their obligations to freeze the assets of a penalized person and report it to OFAC. The FAQ only indicates that it is willing to tolerate “delayed receipt” of block applications. However, it leaves open the possibility for OFAC to use its discretion to enforce its regulations in certain cases as it sees fit.
Therefore, victims of dust attacks and crypto exchanges that handle funds from dust attacks should still be vigilant and file blocking reports with OFAC, even if those reports are late. Crypto exchanges should also ensure that they use block analysis solutions – such as Elliptic Lens – that allow them to detect crypto wallets that contain small amounts of exposure to sanctioned entities, as even small amounts of blocked funds can constitute a technical violation.
Interactions with source code
One of the most controversial issues raised by the Tornado Cash sanctions is whether OFAC’s action restricts the ability of US persons to engage in constitutionally protected activities – such as speech. Indeed, the lawsuit backed by crypto exchange Coinbase alleges that OFAC’s action violates the rights of US citizens by limiting their ability to interact with the Tornado Cash code, which is a form of speech and expression.
In its FAQs, OFAC indicates that the sanctions do not prohibit US persons from engaging in certain types of interactions with Tornado Cash’s source code, so long as they do not conduct transactions involving Tornado Cash, or its assets or property interests.
For example, OFAC indicates that: “U.S. persons would not be prohibited by U.S. sanctions regulations from copying open source code and making it available on the Internet for others to view, and from discussing, teaching, or incorporating open source code into written publications, such as textbooks, without additional facts. Similarly, U.S. sanctions regulations would not prohibit U.S. persons from visiting the online archives of the historic Tornado Cash website, nor would they be prohibited from visiting the Tornado Cash website if it becomes active again on the Internet.”
This is an important clarification because it ensures that academics or developers who might want to tinker with the code for different purposes can continue to do so. It also appears to be aimed at clarifying to the courts that OFAC’s action was not intended to restrict speech in any way — but that it was intended to restrict certain types of conduct, specifically, transactions involving Tornado Cash.
The complaint against OFAC also alleges that by restricting Tornado Cash smart contract transactions, the agency is acting beyond its authority under the law because smart contracts are just code that runs on the blockchain, and are not owned by anyone.
The FAQ, however, suggests that OFAC is not bothered by this argument. It uses the FAQ to reiterate that “U.S. persons are prohibited from engaging in transactions involving Tornado Cash, including through virtual currency wallet addresses identified by OFAC. If US persons were to initiate or otherwise enter into a transaction with Tornado Cash – including or through one of its wallet addresses – such transaction would violate US sanctions prohibitions, unless exempted or approved by OFAC.”
Therefore, for now, crypto exchanges should continue to assume that all transactions involving exposure to Tornado Cash after the sanctions take effect are prohibited. Again, and more importantly, the guidance on dusting attacks suggests that exposure to funds from Tornado Cash that is inadvertent and involves nominal amounts is still a technical violation, but that OFAC may be willing to give leeway when it comes to delayed receipt of reports of blocking related to those circumstances.
Importantly, OFAC sanctions prohibit both direct and indirect dealings that benefit sanctioned entities. Crypto exchanges should therefore ensure that they use blockchain analytics capabilities – such as Elliptic Navigator – to identify indirect transactions involving Tornado Cash addresses that may have gone through multiple hops, as they may still lead to a breach.
Sanctions represent one of the most significant challenges for cryptocurrency compliance teams. To learn more about how Elliptic’s blockchain analytics solutions can enable you to comply with OFAC sanctions, contact us for a demo. You can also read our cryptocurrency sanctions compliance guide for additional insights.
Key takeaways
- Make sure you are familiar with OFAC’s Tornado Cash FAQs before deciding how to handle transactions.
- Make sure you use a crypto wallet verification feature, such as Elliptic Lens, which allows you to identify wallets with even small amounts of exposure to Tornado Cash, as transactions with those wallets may still be in violation.
- Ensure that you are using a transaction verification solution, such as Elliptic Navigator, which may allow you to detect indirect exposure to crypto addresses associated with Tornado Cash.
APAC America Sanctions
