On August 10, 2022 law enforcement arrested Alex Pertsev, one of the Tornado Cash contributors, in Amsterdam, sparking protests and discussions. Was the apprehension justified if the person wrote code for a smart contract? Does it make sense to sanction a smart contract? Should code enjoy freedom of speech protections? We will get to these questions after explaining what happened to Tornado Cash and Pertsev, and share the community’s answers.
What are privacy protocols?
First things first: how did it come to such drastic measures? Before unpacking that, we need to understand what Tornado Cash is used for. Knowing how it works will also shed some light on the buzz around the situation.
As you might already know, most cryptocurrencies are entirely transparent but pseudonymous. In other words, all transactions and actors are represented by strings of characters. At first glance, these are not linked to a person in the real world. However, it is possible to deanonymize addresses and transactions on the blockchain through research in public sources or even data analysis. After all, things like timestamps and addresses you interacted with remain indelibly on the blockchain.
As the transparent nature of blockchain was sinking in, more ways to protect privacy started to appear. The right to privacy is a recognized human right, so why should crypto transactions be exempt from it? These days there are multiple ways to make chain surveillance difficult or outright impossible.
Coin Mixers
These services or protocols mix up and match UTXOs (transaction inputs and outputs) to give you the same amount with different people’s coins. Imagine it like this: Alice and Bob’s notes and coins have their names on them. Alice wants to send Bob $10 but doesn’t want others to know she sent them. When she sends her $10 to a mixer, the mixer picks an equal amount (minus the service fee) with other people’s coins. Bob receives ~$10 but in coins and notes that don’t have Alice’s name on them.
Coin mixers are simple and easy to understand, but have their drawbacks. Centralized ones sometimes run away with the customers’ deposits or become “honey pots” for law enforcement. There are decentralized coin mixers, for example, Bitcoin’s CoinJoin protocol which is built in Wasabi or Samurai wallets. Nevertheless, they only provide obfuscation but not full privacy, and chain forensics claim even coin-mixed transactions can get untangled.
Privacy coins
Most blockchains are transparent by design, so instead of turning to additional protocols and services, some blockchain researchers changed the design itself. Monero was built from the CryptoNote protocol into a fully-fledged cryptocurrency, and it uses cryptography to mask the inputs by default. Other cryptocurrencies, such as Zcash, make privacy-oriented features optional but they are still built-in.
Much to cypherpunks’ disappointment, cryptocurrencies do not exist in a libertarian utopia, in which the government doesn’t infringe on the right to privacy. Instead, they became a part of the existing monetary system and crime prevention, and there is hardly any place for tools like privacy coins. So should you want to use them, you will have very limited options because most crypto businesses that comply with regulations don’t support those.
Tornado Cash and How It Works
Even though these solutions predate Ethereum, it is as transparent as Bitcoin and even easier to parse. Instead of UTXOs, it uses a system of accounts that links addresses with inputs and outputs. Luckily, Ethereum has smart contracts which allow coding in any cryptography, including privacy-protecting techniques and protocols. These smart contracts can be applied not only to ETH but to Ethereum tokens, including stablecoins, as well.
Tornado Cash is one of these privacy-protecting tools powered by a smart contract. From an outside perspective, it works similarly to a coin mixer but in fact, it is more similar to Zcash’s masked addresses. Let’s see how it works.
When a user initiates a deposit to the Tornado Cash smart contract, it generates a note with its hash on their end locally. These strings of characters will later act as receipts. A user sends the ETH or ERC tokens with the note’s hash to the contract’s address. Since the hashes are an encrypted representation of the deposit notes, they are unlinkable to the user even if public.
The withdrawal step is when zero-knowledge proofs come into play. A user provides their note to the contract, which in turn checks the deposit and proofs. Tornado Cash doesn’t reveal the correspondence between the public deposit note and the user’s address, because it uses proof generated from the note rather than the note itself.
As a result, users can break the link between addresses where they send ETH or ERC tokens. For example, Tornado Cash can come in handy if you own multiple wallets but don’t want them to be linked to each other. Similarly, you can deposit some funds into it and withdraw when you need to make a payment.
The best part is that Tornado Cash is non-custodial: the tokens never get mixed, and you receive the same tokens you deposited. The only difference is the address your withdrawal arrives from, making it no longer possible to track them back to you. Tornado Cash is not a centralized entity but rather a set of smart contracts with a library of related resources, and since May 2020 has been governed by a DAO.
Why was Tornado Cash sanctioned?
On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) put Tornado Cash on the Specially Designated Nationals list. The service was allegedly used for money laundering by North Korea-backed hackers Lazarus Group and other criminals. This case became the first time when a blockchain protocol itself rather than its operators or developers was sanctioned.
The inclusion in the list came together with a long set of Ethereum addresses, some of which were not related to the hacking at all. Nevertheless, it made it illegal for US citizens to even interact with these addresses — including receiving cryptocurrencies. The excessiveness of this is illustrated by a troll “dusting” attack targeting celebrities which followed soon after the news. The public figures technically would become criminals under the OFAC regulations the moment they got minuscule amounts of ETH from sanctioned addresses.
In the fallout of the decision, OFAC was forced to come forward with clarifications and possibly even back down on some restrictions. Almost a month later they announced interacting with Tornado Cash open-source code or its interfaces will not be illegal, as long as prohibited transactions are not included. Nonconsensually receiving negligible amounts of cryptocurrency is not one such incriminating case. But the damage has already been done.
Developer’s Arrest
The ban itself was enough to cause a stir in the community. But what set the case off the edge is the arrest of one of the contributor developers of Tornado Cash. Just two days after the SDN list was updated, Amsterdam law enforcement arrested Alex Pertsev on August, 10. On August 23, the judge ruled he must remain in custody until a public hearing for no less than 90 days from that date. At the time of writing, no formal charges have been levied. The investigation into allegations of his involvement in money laundering and terrorism financing is ongoing.
This spark set off a fire that made Pertsev’s fellow web3 and open-source developers take it to the streets. Arresting a developer for how their code is used after they stop working on it is concerning, to put it lightly. Since there are no formal charges yet, speculation about the reasons is abound. Some suggest Alex was directly involved in communicating with or aiding the perpetrators, to which there is no evidence yet. Others think his alleged ties to the Russian Secret Service set the investigators off — which was also denied. The majority, though, seems to be on Pertsev’s side and considers the arrest a catastrophic overreaction.
Community’s Reaction
#freealexpertsev :fist:
— ILYABOEV.COM (@boeff) August 21, 2022
A protest was held in Amsterdam against the arrest of Alex Pertsev, one of the developers of the Tornado Cash cryptocurrency mixer, who was under US sanctions the day before.
The protesters repeated that writing open source code is not a crime. pic.twitter.com/gbG8NrI50K
Even not taking verbal reactions into account, the community’s actions in response have been manifold. The Amsterdam protest against Alex Pertsev’s arrest used the slogan: “open source is not a crime”.
1/7
— paulgrewal.eth (@iampaulgrewal) September 8, 2022
This morning, Brian Armstrong shared why Coinbase is funding and supporting a challenge by six individuals (including two CB employees) against the Treasury Department and OFAC's novel sanctions of open source software associated with Tornado Cash. https://t.co/8l5iKAjVZg
Coinbase in particular expressed the intention to take the US OFAC to court on the ground of the ban being unconstitutional. The FAQ on the regulator’s site was updated a few days later so the threat of legal action could be a factor.
I sent a letter to Treasury Secretary Yellen regarding the unprecedented sanctioning of Tornado Cash. The growing adoption of decentralized technology will certainly raise new challenges for OFAC. Nonetheless, technology is neutral and the expectation of privacy is normal.:arrow_down: pic.twitter.com/0aN4a4A6tb
— Tom Emmer (@RepTomEmmer) August 23, 2022
US Congressman Tom Emmer published his letter, addressed to Treasury secretary Janet Yellen, asking to detail the means and purposes of the sanctions. As often is the case, many of these questions already contained answers between the lines.
Made a fork of your fork in here, so I can use the code for teaching purposes this winter. https://t.co/D1ba52JfPB
— Matthew Green (@matthew_d_green) August 13, 2022
Last but not least, community members quickly took on that while the service was sanctioned, its open-source code and smart contracts remained accessible. To drive the point that banning a decentralized service is an exercise in futility, community members such as JHU professor Matthew Green and anonymous cypherpunk arbed_out forked (copied) the repositories.
Things to Take Away…
So, from the reaction and background of the incident, there are several conclusions to be made and questions to ponder.
Is the ban unwarranted? There is no denying it, Tornado Cash has been used in criminal activity. As much as 52% of scam NFT proceeds, as well as hacked funds from Harmony and Nomad bridge exploits, among other cases, were forwarded through Tornado Cash. Were the measures taken overkill? Absolutely, and it simply illustrates how novel financial technologies are at odds with the existing regulation. Tornado Cash DAO previously tried to implement measures to block sanctioned addresses. However, the Chainalysis tool was implemented only on the front end, proving to not be very effective.
Is this a US-only concern? Alex Pertsev’s arrest in the Netherlands proves that the sanctions reach all over the world. Is it a reasonable measure? If Pertsev’s only connection to the sanctioned groups is that they used a smart contract he once developed, the consensus out there is he was detained unjustly. The US set a precedent in 1996 Bernstein v. DOJ, under which code is protected under the right to freedom of speech. Unfortunately, in the EU’s case, this is not as straightforward and Alex’s fate will depend on the investigation results and court rulings.
…And Things to Consider
This incident also highlighted concerns about the centralization in the Ethereum ecosystem, even more so than the Merge. Shortly after OFAC’s announcement, regulated crypto businesses such as Coinbase and Circle had no other choice but to comply. The consortium is the issuer of the USDC stablecoin, and it froze addresses that fell under the OFAC sanctions.
Pro-regulation industry leaders like Brian Armstrong and Jesse Powell made statements that sanctioning Tornado Cash is against the US Constitution. Does it mean they are anti-AML/CTF? Obviously, not, which they made clear in their statements and actions. As mentioned above, mass adoption for cryptocurerncies is not yet possible without it being integrated into the existing economic system and legislation. Leading platforms thrive only by the virtue of playing by the rules and impeding the crime.
Is making open-source software if criminals use it later necessarily a crime, though? For many jurisdictions, this is uncharted waters, and the judge in the Pertsev’s case will have to decide. Nevertheless, common sense points to the fact that from a legal perspective, code is akin to speech and expression, and should be treated and protected as such.
Bottom Line
The whole situation surrounding Tornado Cash, US Treasury sanctions, and Alex Pertsev is not something that came out of nowhere. Neither it is a watershed moment nor a declaration of war on crypto, as some put it. This is a cautionary tale about the technology outpacing the law and an illustration of the current state of the crypto industry.
Even two months later, this story is still developing. If you want to stay tuned to the news from the crypto and blockchain world, watch this space. We post updates regularly on our social media, so subscribe to ChangeHero on Twitter | Facebook | Reddit | Telegram.
