- Two founders of privacy protocol Tornado Cash were charged with money laundering and sanctions violations in an indictment unsealed Wednesday.
- Founder Roman Storm was arrested in Washington but quickly released on bail.
- The indictment, which comes a year after Tornado Cash was sanctioned for helping North Korean hackers launder stolen crypto, alleges the founders considered adding know-your-customer and anti-money laundering procedures to the protocol.
This week’s indictment of Tornado Cash revealed a peculiar detail. As far back as 2021, the founders of Tornado Cash agonised over whether they should build know-your-customer and anti-money laundering procedures into their privacy protocol, according to US prosecutors.
When they did finally take action to limit hackers’ use of the protocol, it was too little, and came too late, according to an indictment of two of the three founders, which was unsealed Wednesday.
Almost a year after the Treasury Department placed Tornado Cash on its list of sanctioned entities, those founders — Roman Storm, 34, and Roman Semenov, 35 — are facing charges that come with a maximum sentence of 25 years in prison, according to prosecutors.
Prosecutors also said they had arrested Storm, a naturalised US citizen who had been living in Auburn, Washington. Storm’s attorney said Thursday his client had been released on bail.
Theo, a pseudonymous Tornado Cash developer, told DL News that Storm’s arrest came as a surprise “because we thought that he [does not live in the] US.”
Semenov, a Russian national, is still at large, according to the Department of Justice.
Tornado Cash’s third co-founder, Alexey Pertsev, was arrested last year in the Netherlands. He was released in April and is awaiting trial under house arrest.
Tornado Cash was built in 2019 to enhance privacy on Ethereum, an immutable public ledger that records and broadcasts every user’s transaction history.
A so-called crypto mixer, Tornado Cash allowed users to obscure the flow of otherwise traceable crypto.
But it became popular with cybercriminals. Last August, the US sanctioned Tornado Cash, citing its use by hackers affiliated with North Korea.
As it gained notoriety, its founders debated whether to take steps to make it compliant with government regulations, according to the indictment, which cites messages exchanged between the founders on an unnamed encrypted messaging app.
“Would you like to install KYC on Tornado?” Semenov asked his co-founders in November 2021, according to the indictment.
Storm shot it down.
“I’m fucking speechless / after such suggestions,” he replied.
Several months later, however, he floated the idea himself, pitching “privacy for blockchain with full compliance … basically fork of tornado cash but with kyc/aml in it.”
Because some protocols are immutable, updates effectively require the release of a new, amended copy known as a fork. Although the founders controlled a website that gave users easy access to the protocol, it isn’t clear they could have amended the protocol itself.
This time, however, an unnamed venture capital firm that had invested $900,000 in the protocol nixed the idea.
“I just don’t know if anyone will actually want this,” they wrote in May 2022 in response to Storm’s suggestion. “Market need seems quite thin.”
When Axie Infinity was hacked by the North Korea-affiliated Lazarus Group for more than $600 million last year, the stolen funds were quickly routed through Tornado Cash.
“Guys we are fucked,” Storm wrote to his co-founders after the FBI attributed the hack to the Lazarus Group.
“These hackers are using Tornado, we need to tell everyone urgently that we do not let such individuals on the front.”
The founders decided to amend the Tornado Cash website to block the Lazarus Group’s Ethereum addresses, which the US government had put on its list of sanctioned entities.
But it wasn’t enough, according to prosecutors.
“To evade the screen, a customer of the Tornado Cash service who was using [a sanctioned] address could simply transfer the funds to a new Ethereum address and then deposit the funds into the Tornado Cash service, using the UI,” prosecutors wrote.
“This change to the [user interface] was ineffective and could be easily evaded in the absence of any KYC procedures, transaction monitoring, or blockchain tracing.”
Storm and Semenov have been charged with one count of conspiracy to commit money laundering, one count of conspiracy to operate an unlicensed money transmitting business, and one count of conspiracy to violate US sanctions.
The industry has decried the charges, calling them an attack on digital privacy. Crypto think tank Coin Center said they run counter to the US government’s own guidelines.
In a blog post published Wednesday, Coin Center cited guidance from the Financial Crimes Enforcement Network that states an anonymizing software provider “is not a money transmitter.”
If convicted, Storm and Semenov face a maximum of 25 years in prison.
Storm is scheduled to appear in court in New York Sept. 6.