Regulation by indictment: DOJ charges Tornado Cash founders – key takeaways

On Wednesday, August 23, 2023, in a joint press release, the Department of Justice, FBI, and US Attorney’s Office for the Southern District of New York announced they had indicted Roman Storm and Roman Semenov, two of the three founders of Tornado Cash, the once popular cryptocurrency mixing service. On the same day, the Treasury Department’s Office of Foreign Asset Control (OFAC) also sanctioned Semenov and eight cryptocurrency wallet addresses belonging to him. The third founder already faces trial in the Netherlands following his arrest a year ago.

The indictment charges conspiracy to commit money laundering, conspiracy to violate sanctions, and conspiracy to operate an unlicensed money transmitting business in connection with the founders’ creation, operation, and promotion of Tornado Cash. It comes less than a week after a federal district court affirmed the Treasury Department’s designation of Tornado Cash as a Specially Designated National (SDN), in part because the service helped launder money stolen in high profile cybercrimes. According to the OFAC, Tornado Cash laundered more than a billion dollars, including $455 million for the North Korean-sponsored Lazarus Group hacker ring, which, according to OFAC, allegedly used the hacked funds in support of North Korea’s nuclear weapons program.

Well-known to law enforcement and the subject of US Treasury Department and international money laundering risk bulletins, mixers, also called tumblers, permit users to transact on the blockchain with near-complete anonymity. Despite this, the press release indicates IRS Criminal Investigations Special Agents were able to “follow the flow of cryptocurrency transactions,” which provided the basis for the indictment.

The indictment

The indictment alleges that “[d]espite knowing full well that the Tornado Cash service was being used to launder criminal proceeds, and that the Tornado Cash [liquidity] pools contained large amounts of [Ethereum] representing criminal proceeds commingled with other customer deposits for the purpose of concealment,” Storm and Semenov “chose not to implement know your customer or anti-money laundering programs.” The defendants further “knowingly” allowed a globally sanctioned cybercrime group to launder hundreds of millions of dollars on behalf of the North Korean regime, even as they publicly announced they were compliant with sanctions.

The allegations are notable because by 2020, the founders had burned their administrative keys, permanently surrendering authority to control the protocol to a Decentralized Autonomous Organization (DAO). Yet the indictment alleges that the founders knowingly facilitated the laundering of criminal proceeds by implementing an algorithm – purportedly through a voting mechanism using governance tokens – that increased the anonymity-enhancing effects of the platform with services provided by third parties known as relayers. The indictment also quotes extensively from the founders’ flippant “encrypted” messages, in which they admitted to being aware that cyber criminals were using their protocol. They even considered implementing anti-money laundering (AML) compliance controls and user interface updates, but ultimately chose not to.

Another warning

Attorney General Merrick Garland called the indictment “another warning to those who think they can turn to cryptocurrency to conceal their crimes.” FBI Director Christopher Wray added that the “FBI is going to keep dismantling the infrastructure used by cyber criminals to commit and profit from their crimes, and holding anyone who assists those criminals accountable.”

If found guilty, each founder could face a maximum sentence of five years for operating an unlicensed money transmitter business, 20 years for conspiracy to violate the International Economic Emergency Powers Act, and up to 30 years for conspiracy to commit money laundering (with a wire fraud affecting a financial institution object).

The charges serve as a powerful reminder of DOJ’s tools to police the cryptocurrency landscape, including the ability to trace transactions on decentralized ledgers and the “strict liability” crime of failing to register as a money transmission business – we previously highlighted significant DOJ actions in February and March.

However, DOJ’s approach leaves open important questions for the future of decentralized governance of blockchain protocols. Such questions include whether individual human actors can be held responsible for actions taken by independent third parties and/or algorithms voted on by a loose community of participants. US-based defendant Storm faces his initial appearance and arraignment in the coming days. Afterwards, the court may have an opportunity to address these open questions.

Key takeaways

• Will FinCEN join the fray? Will Treasury’s Financial Crimes Enforcement Network (FinCEN) bring a parallel civil action against the individual defendants or Tornado Cash for failing to register as a money transmission business? Notably, FinCEN did not file an action against Tornado Cash in 2022 when OFAC added it to the SDN list.


• US nexus: DOJ cited to various acts occurring in the United States as a basis for its jurisdiction (and venue in Manhattan), including Tornado Cash users located in New York City, as well as a payment (presumably in fiat currency) by a Tornado Cash-affiliated entity from a New York City-located corporate bank account to a hosting service provider for hosting the Tornado Cash website. The indictment is consistent with previous sanctions-related enforcement actions brought by DOJ that relied on little more than a US touchpoint – such as a transaction through a bank account – and the charge of conspiracy, to establish jurisdiction over non-US defendants.


• Compliance is key: The Indictment illustrates that the US government will continue to leverage sanctions and anti-money laundering regulations to pursue companies that allow illicit actors to access and use their services. Companies should work with counsel to develop risk-based compliance controls reasonably designed to prevent the company from being used to facilitate money laundering, terrorist financing, sanctions evasion, or other illicit activity. Companies should also create thoughtful policies and procedures, including an “escalation” plan in the event they learn about illicit activity involving customers, users, or counterparties.


• True decentralization? DOJ evidently believes that Tornado Cash did not, in reality, operate in a decentralized manner. Instead, defendants “continued to exercise control over the Tornado Cash User Interface and to pay and maintain critical infrastructure for the Tornado Cash service,” yet “took no steps to block or even monitor deposits or withdrawals or to collect any identifying information from customers of the Tornado Cash service.”


• Regulation by…indictment? Cryptocurrency regulation and legislation in the US remain in flux and actions by agencies such as the DOJ, SEC, CFTC, and OFAC indicate that these regulatory gaps may continue to be filled by enforcement efforts that leverage existing sanctions, money laundering, fraud, and conspiracy laws. As early as 2020, DOJ’s Cyber Digital Task Force noted: “A wide variety of federal charges can be brought to bear” for illegal conduct involving cryptocurrency.

DLA Piper boasts award-winning, nationally recognized teams focusing on Blockchain and Cryptocurrency, White Collar Defense and Global Investigations, and National Security and Global Trade (including sanctions) featuring former federal prosecutors and regulators and former senior officials from the OFAC and State Department. To learn more about these enforcement developments, please contact any of the authors or your usual DLA Piper contact.