The whole reason the sanctions were ruled to be illegal by the courts is that it isn't a service. The law does not give OFAC authority to make it a felony for people to use open source software; that isn't what sanctions are for.
Well... now I'm confused. This is a lot more bizarre than I thought it was when I just posted the story.
- Tornado Cash launders cryptocurrency for Russian gangsters: That's bad
- It gets sanctioned: That's good
- But it's just a decentralized protocol, not a "service" per se, it's open source, it has a github page: That's bad
- The developers were apparently directly involved in money laundering, not a small amount either: That's... ?
- The EFF says making Tornado Cash illegal was always bullshit: That's plausible
- Someone figured out how to abuse Tornado Cash's cryptographic smart contracts to steal all the Tornado Cash money for themselves, then gave a lot of it back, but then laundered back through Tornado Cash around a million dollars which they kept and apparently still have: ???
- Trump wants it to be legal: ???
Can I go now?
Yeah it does get a little complicated... a few small corrections:
- Afaik the devs were not actually directly involved in laundering money, this is something prosecutors were/are trying to say on the basis of, they wrote the software, so when people used the software to launder money it's their fault. Government asked them to stop the money laundering, they responded with explaining how that's not how it works and literally impossible, then they got arrested, but the tool remained usable because it didn't depend on them to run, they had no control over it. I might be missing something on this one but that's my understanding.
- The hack was of "governance tokens" (basically a glorified memecoin), which are entirely disconnected/separate from the Tornado Cash smart contracts used for anonymizing funds that were under the removed sanctions, which themselves never stopped working.

My bias here is, I'm a fan of the blog of lawyers doing the defense on these cases, they have written a lot on this topic if anyone's interested.
Hm... maybe I was careless in reading.
> On May 21, 2023, a hacker used a malicious proposal to gain full control of Tornado Cash's DAO.[15] The hacker put forth a proposal for the DAO to vote on with hidden code that would issue the fraudulent voting tokens to them. The vote was passed, giving the hacker enough voting tokens to control any future proposals. On May 26th the hacker effectively relinquished control, but had converted a portion of the stolen governance tokens to Ether valued at around $900,000, and laundered them through the service.[16]
Sounds like they made off with $900k of currency that had belonged to the users of the service before they got involved, no? I guess you are correct that it was governance tokens instead of directly entrusted assets, but I'm not sure I see that that changes the most directly relevant equation.
And yeah, it kind of looks like the Wikipedia article is misleading about their charges. I read it and got the impression that they'd been convicted of doing money laundering themselves, but it looks like the accusation was that developing the software amounted to creating a specific money-laundering service. Which, honestly, sounds like they kind of have a point. I get the counterpoint about individual freedom but it sounds like disguising the source of a bunch of money is exactly what it's made for so it's weird if they're trying to claim it's not their business if people are doing that. If you set up a mail-order service sending pipe bombs, and then people are using your pipe bombs to blow up bridges, the feds are going to have some questions even if explosives have some legitimate uses too.
One developer got sentenced to 5 years in the Netherlands, one is still at large, and one... is now fine because of a change of US policy? Do I have all that right? I couldn't completely make sense of it.
> Sounds like they made off with $900k of currency that had belonged to the users of the service before they got involved, no?
What you wrote made it sound like "Tornado Cash" as in the privacy tool got hacked, which would lead to the assumption that its operation was disrupted or it was proven insecure, so just wanted to clarify that is not the case.
> One developer got sentenced to 5 years in the Netherlands, one is still at large, and one… is now fine because of a change of US policy? Do I have all that right? I couldn’t completely make sense of it.
I believe Roman Storm (the one in the US) is still facing charges, but it's way more likely to go well for him after the precedent set in the sanctions case. The way that case went isn't directly because of US policy, though the choice not to appeal to a higher court could be considered a result of US policy. It's still possible he'll lose and get sent to prison.
> What you wrote made it sound like “Tornado Cash” as in the privacy tool got hacked, which would lead to the assumption that its operation was disrupted or it was proven insecure, so just wanted to clarify that is not the case.
Yeah, I misunderstood. But it does sound like it was hacked. Right? The code that was supposed to be doing governance was compromised by a malicious type of access, and someone exited the building with $900k worth of governance tokens. The value of which had originally come from the users? Right?
Here is a Reddit thread and an article that give a little more context. Governance (voting based on how many TORN tokens you had) was only over the non-immutable parts of the project (like the domain for the website), which were all replaceable and not strictly needed to use it. TORN was initially airdropped to wallets that had used Tornado Cash previously in a one-time event; they then mostly sold it on the market. TORN tokens weren't needed to actually use TC, and the money was coming from a separate group of people trying to invest, rather than users.
So I guess it could be fair to say the project as a whole got hacked, but I think it's a crucial detail that the smart contracts under legal scrutiny in the sanctions case here, the ones that had users' money-to-be-anonymized in them, were not.