Sound Off: Will Tornado Cash Sanctions Shake the DeFi World?Ari Redbord Sounds Off on 'Exceptional' Tornado Cash Sanctions
"Sound Off" is a new video series that explores one topical question, in depth, in under 10 minutes, with information security and privacy leaders.
On Aug. 8, the Department of the Treasury froze the assets of Ethereum blockchain cryptocurrency mixer Tornado Cash, stating that civil and potentially criminal penalties await anyone under U.S. jurisdiction who uses the service. On this week's "Sound Off," Ari Redbord, a former Treasury Department senior adviser and now the legal and government affairs lead at the blockchain analytics firm TRM Labs, explains why the sanctions are "exceptional."
Redbord, an ISMG contributor, says: "I think the other thing that really makes it exceptional is that unlike smaller crypto services or really sort of illicit actors in the space, Tornado Cash is used by regular users who are looking to enhance privacy in a more and more open financial system and I think that's really where this sort of interesting paradox lies.
"The real key for regulators and really the crypto space is: How do we stop illicit actors from taking advantage of decentralized protocols but at the same time not affect regular legitimate users who need a degree of privacy?"
In a video interview with Information Security Media Group, Redbord discusses:
- The difference between the sanctioning of the two cryptocurrency mixers, Tornado Cash and Blender.io;
- The challenges of sanctioning open-source crypto software such as Tornado Cash;
- Questions for regulators in the move toward an increasingly open decentralized financial system.
Prior to joining TRM, Redbord served as a senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the U.S. Department of the Treasury.
Don't miss our previous installments of Sound Off, including the March 14 edition with former federal CISO Grant Schneider, who outlines the OMB's latest cybersecurity guidance, and the March 21 edition with identity expert Jeremy Grant, who discusses the gaps that the executive order on identity theft must address.
Anna Delaney: Hello, welcome to Sound Off. I'm Anna Delaney. In early August, OFAC sanctioned virtual currency mix Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. In this episode of Sound Off, we'll be exploring the challenges of sanctioning open-source software, and what it all means, more generally, the device space. And at this point, I'd like to welcome our resident crypto expert, Ari Redbord, a former Treasury Department's senior adviser, and now the legal and government affairs lead at the blockchain analytics firm TRM Labs. Great to see you again, Ari. Thank you very much for joining us.
Ari Redbord: Anna, it was great to join you. Thank you so much for having me.
Delaney: So Ari, as I mentioned, we've seen the recent sanctioning of Tornado Cash, which follows the sanctioning of Bitcoin mixer Blender.io in May this year. What's different about the Tornado Cash sanctions?
Redbord: Now, that's a great way to kick things off. And there are significant differences. And I would even go as far as to call Tornado Cash and this recent sanctions exceptional. And I think, on the one hand, the Tornado Cash sanctions are an extension of Blender.io. This is the US Treasury Department, for national security reasons, going after essentially a money laundering concern used by North Korea to launder - what TRM says - is about a billion dollars in hacked or stolen funds. And as we know, those hacked or stolen funds, when it comes to North Korea, will be used to fund weapons' proliferation and other destabilizing activities. So, in that respect, it's an extension of prior sanctions. But what's exceptional is this is the first time that the US Treasury Department has also gone after open-source software. This is not the typical entity or person that is added to the sanctions list - the SDN list kept by OFAC - this is essentially open-source software. And it was open-source software that was being used by North Korea. But there's lots of software that is used for malicious purposes. And the real question is where do we go from here? I think the other thing that makes it exceptional is that unlike smaller crypto services that were illicit actors in the space, Tornado Cash is used by regular users who are looking to enhance privacy in a more open financial system. And that's where this interesting paradox lies. And the real key for regulators and the crypto space is how do we stop illicit actors from taking advantage of decentralized protocols? But at the same time, not affect regular legitimate users who need a degree of privacy. I don't want anyone to see every credit card transaction I do, and it's the same reason that they're using these types of services.
Delaney: Well, let's talk more about the difficulties and sanctioning Tornado Cash. As you said, it's open source, decentralized by design, and exists on a globally distributed ledger. What are the challenges?
Redbord: The challenges are great. First of all, the purpose of sanctions is essentially to stop conduct or to punish conduct. And that is potentially very difficult when it comes to open-source protocols. You can essentially copy, paste and create Hurricane Cash tomorrow. And I think that is a huge issue, although I will say that OFAC has been dealing with that for years. When you go after one shell company, or the Department of Justice or any global law enforcement entity, you go after one shell company and another pops up. We talk about whack-a-mole in the law enforcement space - the carnival game - and that's what this is like. So, on the one hand, it's difficult because when it is just code, it's easy to create again, but then I think, also is the key of how do you provide guidance that speaks to regular users - this is what you can and cannot do vis-a-vis Tornado Cash, but then also to crypto entities like centralized exchanges or DeFi protocols or stable coin issuers? How should they mitigate risk related to these recent sanctions, and at TRM, that's what we're working with clients throughout the crypto space to figure out, to provide the data that they need to make risk-based decisions.
Delaney: So, it seems that you have further questions. It's interesting that how this move has drawn criticism from the crypto space. Crypto leaders say that they're unsure what they need to do to stay on the right side of the law. And you've been quoted this week. You've been quoted for describing the vagueness of the sanctions announcement as uncharacteristic. So I'd love to know more, but also, what further questions you have? What clarity do you want?
Redbord: I'm not sure vague is fair. But I think what is definitely fair is that the crypto industry, the crypto economy, is in need of guidance, here from regulators, for a number of reasons. One, I think it's clear to anyone who thinks about these issues that regular users who have had inadvertent or unsolicited transactions with sanctioned addresses are not going to be the target of enforcement actions by OFAC. For example, we've seen what we call these dusting attacks, where people have sent small amounts of crypto to known, famous individuals, people whose addresses are known, to make a statement. Now, I think the reality is, we all know, having spent a number of years at Treasury, that Treasury does not use its enforcement authorities to go after individuals in the space. But I think we need guidance that says that. But more importantly, the guidance needs to go to cryptocurrency businesses to DeFi protocols to say, "Hey, these are the types of addresses you should and should not block." Because I think what we're seeing here is users who are being blocked for having transaction history or transacting with Tornado Cash in a less than meaningful way. And on the one hand, it is clear that if the address is on the sanctions list, if it is one of those 45 addresses that is listed by OFAC associated with Tornado Cash, that it should be blocked. Because if you're a US person or entity, you are prohibited from transacting with those addresses. The real gray area, the area that we need a more granular understanding on is that secondary exposure. Have you transacted as an address with one of those sanctioned entities? And I think that's what we're looking to get guidance on, not just for the individuals affected, but for the entities and how they should mitigate risk.
Delaney: And this incident has rattled the security versus privacy debate. Where do the goals of fighting cybercrime end? And where do people's privacy rights need to begin in the context of these new technologies? How do we get that balance right?
Redbord: So, you're asking the easy questions, today. We'll get into religion and politics in a moment, I'm sure. The answer is this has become, at least since 911, the conversation of our time. This issue of privacy versus security. And I think the reality is that there's always going to have to be a balancing. And as a society, we're going to have to decide how far we're willing to go or what rights we're willing to give up in exchange for that security. I will say this. The reality is the crypto economy does not survive if people do not have trust in it, if we don't build that trust layer for it. I'm not going to put funds in a DeFi protocol, in a centralized exchange, if I think those funds are going to be hacked. I think that we have to stop threat actors, Russian cybercriminals or Lazarus group out of North Korea, from using funds, to using crypto to fund destabilizing activity. But at the same time, we are moving more to an open financial system. And my employer someday - doesn't today, admittedly - will pay me in crypto. They will have my wallet address. I don't want my employer, as much as I love them, to be watching every transaction that I do. So you're going to want some degree of privacy in your transactions. And I think this question of balancing that you're getting to will continue to be the question of our time. It'll happen, it'll happen at airports, like it always has, but it will also happen on blockchains. And I think that's the moment that we're moving toward, and maybe we'll look back at these Tornado Cash sanctions and say that this was the beginning of this robust debate in the crypto space.
Delaney: Well, it's very interesting times. Indeed. Thank you very much Ari for joining us. Very informative, as always.
Redbord: Thank you so much for having me, Anna.
Delaney: I've been speaking with Ari Redbord of TRM labs and for ISMG, I'm Anna Delaney.