• Tech
  • privacy

A New U.S. Crackdown Has Crypto Users Worried About Their Privacy

9 minute read

The battle between the crypto community and the U.S. government over financial privacy just escalated dramatically, amid government efforts to crack down on criminals.

Tornado Cash is a service that helps some cryptocurrency owners protect their anonymity by scrambling information trails on the blockchain. On Monday, the Treasury Department prohibited Americans from using the service, arguing that it has played a central role in the laundering of more than $7 billion.

In a statement, the Office of Foreign Assets Control (OFAC), a Treasury Dept. agency, called Tornado Cash “a significant threat to the national security” of the United States, and alleged that it has been used repeatedly by North Korean hackers to launder money from multiple million-dollar thefts.

But the decision drew vicious backlash from many in the crypto community, who see it as a governmental overstep that runs contrary to their core values of privacy and autonomy. On Twitter, the crypto lawyer Collins Belton called it “arguably the most significant legal action that has occurred in crypto” and warned that it could produce “absolutely gargantuan ripple effects.”

The Treasury’s decision could end up significantly altering the way users engage with crypto. It also sets the stage for a slew of fierce legal and rhetorical battles between the crypto industry and the U.S. government.

Hiding crime

When someone sends cryptocurrency from one account to another, a record of the transaction is etched into the blockchain forever. Investigators or eagle-eyed sleuths can then use this public information to follow money flows and learn about a person or company’s financial activity. The U.S. Department of Justice, for example, traced blockchain records to shut down a global child abuse website and arrest hundreds of offenders.

This transparency has given rise to the creation of “mixing” services, which are designed to hide activity on the blockchain. A user can deposit cryptocurrency into a mixer, which uses complex cryptography to obfuscate the money’s trail and then send it to a brand new wallet address. From there, the user can recover the funds and eventually cash them out anonymously.

As cryptocurrency has exploded in usage both for legal and illegal activity, mixers have become a “go-to tool for cybercriminals,” according to a recent report from the blockchain analysis firm Chainalysis. The study says that nearly 10% of all funds sent from illicit addresses are sent to mixers, and that the usage of mixers in illicit activity has increased significantly in 2022.

“Mixers account for a small share of the overall cryptocurrency ecosystem, but play a significant role in illicit activity,” Andrew Fierman, the head of sanctions strategy at Chainalysis, wrote to TIME in an email.

The role of North Korea

One of the main drivers of this uptick is the increased activity of North Korean hackers, U.S. officials say. In April, U.S. Treasury officials accused the Lazarus Group, a hacking organization allegedly sponsored by North Korea’s government, of spearheading the $600 million hack of the popular crypto game Axie Infinity’s Ronin network. Those officials accused the North Korean government of using the hack to “generate revenue for its weapons of mass destruction and ballistic missile programs.”

And the Ronin attackers used Tornado Cash to launder the money, officials say. They say that after $600 million was drained from the Ronin network into a wallet controlled by the Lazarus group, it was then sent to intermediary wallets, then rinsed via Tornado Cash, $10 million at a time. Tornado Cash developers’ attempts to block the Lazarus wallet from interacting with Tornado Cash were unsuccessful: about 18% of the total amount of Ether flowing through Tornado Cash in recent months—167,400 ETH—came from the Ronin hack, according to the blockchain analytics firm Nansen.

Ari Redbord, the head of legal and government affairs at the crypto regulatory startup TRM Labs, says the Ronin hack was a major turning point with regards to crypto regulation. “Ronin really changed the way the U.S. government sees money laundering in the crypto space: they shifted from the idea that hacks were a financial crime to the idea that they were a true national security concern,” he says.

Redbord estimates that a billion dollars in North Korean-related laundered funds have gone through Tornado Cash, and that the ten biggest hacks perpetrated by North Korean hackers employed Tornado Cash to launder those funds.

So on Monday, the Treasury Department placed Tornado Cash and related smart contract wallet addresses on their Specially Designated Nationals (SDN) list, in the way they would an enemy of the state. Any Americans who interact with those addresses now may face criminal penalties.

Crypto backlash

But while Tornado Cash is used by criminals, it is also used widely and legally by all types of users. “There are all kinds of reasons people want to build anonymity: I don’t want anyone looking at my credit card statements or Venmo,” Redbord says.

This week, Tornado Cash supporters have argued that the service is simply a neutral tool that can be used for good and bad: that it’s akin to virtual private networks (VPNs) or The Onion Router (TOR).

“This is a rough equivalent to sanctioning the email protocol in the early days of the internet, with the justification that email is often used to facilitate phishing attacks,” Lia Holland, the campaigns and communications director at the digital rights nonprofit Fight for the Future, wrote in a statement.

There are many reasons why someone would want to use Tornado Cash: An employee who gets paid by their company in crypto, for example, may not want their employer to know all of their financial details. An NFT enthusiast who has recently made a lot of money thanks to a savvy investment may not want to become the target of potential harassment or robbery.

Tornado Cash may also be useful for those who live under oppressive governments. Vitalik Buterin, the founder of Ethereum, came out in defense of the service this week, writing on Twitter that he himself used Tornado Cash in order to donate to Ukrainian causes without putting the recipient organizations under extra scrutiny. And following the overturning of Roe v. Wade, donors to abortion funds may want to use Tornado Cash to keep their identities hidden.

The brewing battles

The Treasury’s decision to ban Tornado Cash could prove to be a significant turning point for crypto in several ways. First, it shows how far the U.S. government is willing to go in its attempts to corral crypto as it creeps toward mainstream adoption. Tornado Cash defenders have pointed out that the decision is unprecedented in that sanctions have been placed upon a piece of code as opposed to an entity. (Tornado Cash is not an incorporated organization, but a mechanism controlled by software logic.) This step could mean that other types of decentralized bodies, including other smart contracts or DAOs (decentralized autonomous organizations), might soon be in the crosshairs.

Redbord, at TRM Labs, says that the treasury’s decision reveals the U.S. government’s desire to push crypto toward more centralized systems and platforms that are easier to regulate. The trading platform Coinbase, for example, has requirements that tie every crypto wallet to a verifiable human identity. “This action sends a message to crypto exchanges that they need to ensure that they have compliance controls in place to stop cyber criminals from using their platforms,” Redbord says.

And some major crypto players have fallen in line. Circle, the issuer of the USD Coin (USDC), the second biggest stablecoin, froze over $75,000 worth of funds linked to Tornado Cash addresses. And Github, a software development platform owned by Microsoft, deleted the accounts of Tornado Cash developers.

But crypto enthusiasts resist centralized attempts to control policies or transactions. Bitcoin, after all, was created in the wake of the 2008 financial crash, with early adopters seeking a global and unregulated form of currency resistant to the pressures of Wall Street. Many have flocked to crypto because it allows anonymous financial transactions, hidden from surveillance by authorities.

In the last few days, Tornado Cash defenders have launched their own offensive against the decision, in several ways. First, they have drawn attention to a perceived logical flaw in the decision: that anyone who interacts at all with a Tornado Cash contract is doing so illegally. Individual users cannot reject incoming transactions—small amounts of cryptocurrency have been sent to prominent public wallet addresses—including those associated with Jimmy Fallon and Shaquille O’Neal—in a stunt that essentially dares the Treasury to take action upon an entire community. (Redbord, for what it’s worth, says he doubts that individuals were the target of the decision in the first place, or that OFAC will pay much attention to the campaign.)

A much bigger battle may be in store: some prominent crypto lawyers have begun floating the idea of challenging the decision on constitutional grounds. “Banning software publication is banning speech,” Peter Van Valkenburgh, the director of research at Coin Center, said onstage at a crypto conference in Las Vegas on Monday. “Even laws that unreasonably chill speech are constitutionally suspect, and can be challenged even before enforcement.”

As crypto enthusiasts look for a way forward, they must contend with several tough choices: how much to compromise their values in their quest to reach the mainstream; how to tamp down on illegal activities in systems that were built to be oversight-resistant; and whether to cooperate with governments or oppose them, thereby invoking even more ire and scrutiny. For now, it seems that many in the crypto space are responding forcefully to the Treasury’s decision by taking an ideological stand. “While most people won’t ever use a service like Tornado Cash, the government’s approach represents a dangerous precedent for limiting the right of Americans to use privacy tools for legitimate and lawful reasons,” Miller Whitehouse-Levine, policy director of The DeFi Education Fund, wrote in an email to TIME. “Privacy is not—and cannot become—a crime.”

More Must-Reads from TIME

Contact us at letters@time.com