The DOJ announced yesterday that it has returned an indictment charging the founders of Tornado Cash with money laundering and sanctions violations (DOJ Press Release). Two individuals, Roman Storm and Roman Semenov, have been charged with operating Tornado Cash Service, a cryptocurrency mixer, which allegedly laundered more than $1 billion in criminal proceeds. The U.S. Department of Justice (DOJ) announced the unsealing of the indictment, detailing multiple charges against the defendants, including conspiracy to commit money laundering, sanctions violations, and operating an unlicensed money transmitting business.
TLDR:
- Charges and Arrest: Roman Storm was arrested in Washington and will be presented in the U.S. District Court for the Western District of Washington. Roman Semenov remains at large.
- Operation of Tornado Cash Service: The defendants are accused of creating, operating, and promoting Tornado Cash, a cryptocurrency mixing service that helped facilitate more than $1 billion in money laundering transactions, including laundering funds for the Lazarus Group, a sanctioned North Korean cybercrime organization.
- Official Statements: Multiple government agency officials emphasized the severity of the charges and reaffirmed their commitment to enforcing the law against cryptocurrency-related crimes. They warned that the use of cryptocurrency does not provide anonymity or immunity from legal action, and praised the collaborative efforts of law enforcement agencies.
- The Allegations: According to the indictment, Storm and Semenov were two of the three founders of Tornado Cash who earned millions in profits. The government charges that the service was used to launder criminal proceeds and that the defendants allegedly knew about these activities but refused to implement required controls. The government also charges that they helped the Lazarus Group (a sanctioned North Korean cybercrime organization) transfer criminal proceeds from a cryptocurrency wallet, even after making a public announcement of compliance with sanctions.
- The Charges: Defendants are each charged with one count of conspiracy to commit money laundering and one count of conspiracy to violate the International Emergency Economic Powers Act, which each carry a maximum sentence of 20 years in prison. They are also each charged with conspiracy to operate an unlicensed money transmitting business, carrying a maximum sentence of five years in prison.
Breakdown of the Indictment:
COUNT ONE—Conspiracy to Commit Money Laundering: Between September 2020 and August 8, 2022, defendants and others conspired to commit money laundering. The government charges they knew the funds involved were from unlawful activities, specifically computer fraud and abuse and wire fraud, and that they aimed to conceal and disguise the nature, source, ownership, and control of these funds.
COUNT TWO—Conspiracy to Operate an Unlicensed Money Transmitting Business: The government charges that between March 2022 and August 8, 2022, defendants and others conspired to operate an unlicensed money transmitting business. The government alleges that they knowingly managed the "Tornado Cash" service, a business transferring funds without meeting Federal registration requirements for money transmitting businesses, and that they knew these funds came from criminal offenses and were meant to support unlawful activity.
COUNT THREE—Conspiracy to Violate the International Emergency Economic Powers Act (IEEPA): The government charges that between April 14, 2022, and August 8, 2022, defendants and others conspired to violate orders under the IEEPA, Executive Order 13722, and 31 C.F.R. § 510.201. The government alleges that defendants received funds and services from the Lazarus Group, a sanctioned entity, without OFAC's approval, and that they provided funds, services, and money laundering for the Lazarus Group without obtaining required approvals. The government alleges they engaged in these transactions to evade and avoid U.S. laws regarding the provision and receipt of services and funds from the Lazarus Group without OFAC's approval.
Summary on Tornado Cash Service:
The government alleges that from 2019 until at least August 8, 2022, two individuals, ROMAN STORM and ROMAN SEMENOV, were actively involved in the creation, promotion, and operation of a cryptocurrency mixing service known as Tornado Cash. While the service was portrayed as a platform promoting financial privacy, the DOJ alleges that it was primarily used as a tool for large-scale money laundering and for evading sanctions. The DOJ charges that the defendants were aware that a significant portion of the assets processed by Tornado Cash were illicit proceeds. Furthermore, the DOJ alleges that defendants knowingly facilitated transactions for the Lazarus Group, a sanctioned North Korean cybercrime entity, handling cryptocurrency from an Ethereum wallet associated with this group.
Origins: Tornado Cash founders began developing the Tornado Cash service around 2019, launching it in August 2019. It was publicly advertised as a "mixer" for sending Ethereum anonymously using advanced, non-custodial cryptographic technology.
Service Description: The service allowed users to conduct anonymous and virtually untraceable financial transactions on the Ethereum blockchain. Customers deposited Ethereum (ETH) into Tornado Cash and could later withdraw it to a new Ethereum address, with no visible connection between the deposit and withdrawal on the public Ethereum blockchain. The service integrated a user-friendly interface, smart contracts on the Ethereum blockchain, and Tornado Cash pools containing mixed customer deposits. They also utilized a network of "relayers" who improved user anonymity for a fee.
Investments and Funding: In 2019 and 2020, the founders pitched to investors, eventually securing funding from a California-based venture capital fund ("Venture Capital Fund-1"). This fund transferred approximately $900,000 to a bank account associated with the Tornado Cash founders in 2020 to support the service's startup and operational costs.
User Interaction: Customers could deposit funds into the service through a user interface (UI) accessible via a standard internet browser or by directly engaging with the service's smart contracts. The latter option required more technical expertise. The UI enabled deposits, provided a unique "secret note" for each deposit, and facilitated withdrawals using that secret note.
Anonymization Process: The service used various methods to obscure the connection between customer deposits and withdrawals. Deposits made by customers were pooled together in the Tornado Cash pools and mixed with other deposits, making them indistinguishable. When a customer wished to withdraw, they used the "secret note" provided during deposit. The corresponding amount of ETH was then taken from the commingled pool for withdrawal, with no public link identifying the original deposit source.
Deposit Increments: The service only permitted deposits in 0.1, 1, 10, and 100 ETH increments, further obscuring transaction analysis on the public blockchain by creating a uniform stream of transactions.
Privacy Enhancement Recommendations: The government alleges the founders advised customers to wait for some time after depositing funds before making withdrawals to further increase anonymity. They also introduced an "anonymity set" metric on the UI to inform users of the number of deposits in each pool, enhancing user confidence in the system's privacy.
Service Infrastructure: The Tornado Cash founders contracted with a US-based service provider to manage the large volume of traffic between the UI and the Ethereum blockchain.
Relayers: To further enhance user anonymity, the government charges the founders introduced "relayers." These were intermediaries who facilitated transactions, paying the necessary transaction (or "gas") fees on the Ethereum network on behalf of users. This allowed users to make withdrawals to a new Ethereum address with no prior transaction history, increasing their anonymity.
The DAO: In December 2020, the founders launched a decentralized autonomous organization (DAO) called the Tornado Cash DAO to govern certain aspects of the service, while still holding power over other decisions, such as the User Interface's operation and design.
In connection with the DAO's establishment, the Tornado Cash founders introduced the TORN token on the Ethereum blockchain. They minted 10 million TORN tokens, distributing 30% among the founders and certain investors. Each founder received approximately 800,000 tokens. The remaining tokens were allocated to early Tornado Cash users, an "Anonymity Mining" fund, and the DAO's treasury. After a lock-up period, TORN tokens could be traded, incentivizing holders to boost their value.
The Tornado Cash DAO was created to make governance decisions, with TORN token owners being able to vote by staking their tokens in a governance contract. Subsequently, the founders and associates planned to profit from fees charged by relayers. In February 2022, they proposed an algorithm in the Tornado Cash UI to pick a relayer for each withdrawal, which the DAO approved. This relayer algorithm encouraged the purchase and staking of more TORN tokens by linking the chance of a relayer being picked to the number of TORN tokens they staked.
The Money Laundering Allegations:
Introduction to Money Laundering: Federal law mandates that all money transmitting businesses, inclusive of those transferring cryptocurrencies, need to register with the Financial Crimes Enforcement Network (FinCEN) under the U.S. Department of the Treasury. These businesses must also adhere to the Bank Secrecy Act, which requires reporting suspicious transactions and creating an effective anti-money-laundering (AML) program. The program should prevent the business from aiding in money laundering or financing of terrorism. An effective AML program should have policies and controls to verify customer identification (Know Your Customer or KYC), file required reports, maintain records, and cooperate with law enforcement.
Tornado Cash Service Allegations:
The government charges that Defendants, along with others, operated a money transferring service known as Tornado Cash Service. It charges that neither Tornado Cash nor its founders were registered with FinCEN. The government further alleges Tornado Cash did not implement an effective AML program or any KYC efforts. As a result, customers could allegedly transact without offering any identification except an Ethereum blockchain address.
The government charges the founders promoted Tornado Cash for its capacity to offer anonymous transactions. They allegedly provided tips and guides for customers on ensuring anonymity through the use of VPNs or the TOR browser. Although aware of the need and ways to integrate KYC/AML into their service, the government believes they deliberately chose not to.
The government maintains that the absence of AML or KYC mechanisms meant the Tornado Cash Service could be exploited by criminals to launder substantial sums of money. They charge that at least $1 billion in criminal funds were funneled through the Tornado Cash service between its inception and August 8, 2022.
According to the indictment, the founders were informed by September 2020 that their service was linked to specific cybercrimes and that they regularly received complaints from cybercrime victims about criminal proceeds being funneled into Tornado Cash. Notably, in September 2020, a cryptocurrency exchange was hacked, with millions in proceeds subsequently being deposited into the Tornado Cash service.
Overall, the indictment alleges that the founders of the Tornado Cash service knowingly and willfully disregarded federal laws regarding money transmitting, leading to their platform being used for significant money laundering activities.
The Sanctions Violations Charge:
Background of Sanctions Law: The International Emergency Economic Powers Act (IEEPA) empowers the U.S. President to impose economic sanctions in response to threats to the country's national security and foreign policy, once a national emergency is declared. A person is prohibited from violating any regulations or prohibitions under this act.
On June 26, 2008, an Executive Order (13466) was issued under the IEEPA, declaring a national emergency due to threats from the proliferation of weapons on the Korean Peninsula. Later, on March 15, 2016, another Executive Order (13722) was issued in response to North Korea's nuclear and missile program activities. This order blocked all property and interests related to North Korea, its Workers' Party, and any entities that meet specific criteria.
Executive Order 13722 also detailed prohibitions, including:
1. Dealings with any blocked property or interests within the U.S.
2. Making or receiving any contributions, funds, goods, or services to/from such blocked entities.
3. Any transaction that evades or attempts to violate the order's prohibitions.
4. Conspiracies formed to violate the prohibitions.
To put Executive Order 13722 into effect, the North Korea Sanctions Regulations were amended on March 5, 2018. This order incorporated the restrictions and identified the blocked persons, who were then listed in the Federal Register and on the Specially Designated Nationals and Blocked Persons (SDN) List on OFAC's website.
Finally, on September 13, 2019, a hacking group tied to North Korea's intelligence bureau, known as the "Lazarus Group," was designated as an SDN. By April 14, 2022, OFAC pinpointed and blocked an ETH wallet address used by the Lazarus Group, linked to a hacking incident in the Ronin Network in March 2022.
The Ronin Network Hacking Incident Summary:
On March 29, 2022, the Ronin Network, which operates the Ronin Blockchain, announced a security breach. According to the Indictment, the Ronin Blockchain is used for online video games like Axie Infinity, an NFT-based video game. Hackers gained unauthorized access to five of the nine validator nodes used to execute transactions on the Ronin Network bridge. These nodes help move cryptocurrency between the Ronin Blockchain and other blockchains, such as Ethereum. As a result, about $620 million in ETH and another cryptocurrency was stolen.
Tornado Cash Involvement: The government charges that the founders of Tornado Cash, a privacy-centric Ethereum mixer, were immediately aware of the incident. They suspected the hackers might use their platform to launder the stolen assets. Indeed, at least $455 million traceable to the hack was funneled through Tornado Cash between April 4 and May 19, 2022.
The FBI linked the Ronin Network hack to the Lazarus Group on April 14, 2022. On the same day, the Office of Foreign Assets Control (OFAC) designated an address (0x098B716) holding most of the hack's proceeds as property of the Lazarus Group.
Response by Tornado Cash Founders: The government alleges that knowing the funds were being laundered through their platform and the potential legal implications, the Tornado Cash founders discussed blocking deposits directly from OFAC-designated addresses. However, they knew this measure would be superficial and easily bypassed. While publicly they showed compliance by blocking OFAC-listed addresses, in private, they recognized that their measures were easily avoidable.
It was observed that the Lazarus Group could still deposit their ETH into Tornado Cash by first moving the assets to a different Ethereum address not blocked by OFAC, then proceeding with the deposit. The government charges the founders did nothing to stop this evasion method, effectively enabling continued money laundering. The government notes that an analysis showed that 15% of all Tornado Cash deposits in the prior three months originated from the Ronin Network hack. Moreover, 90% of all identifiable deposits during that time were from criminal exploits.
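The screening gap described above can be shown from the compliance side. This is an added example, not taken from the indictment or from any Tornado Cash code: it compares exact-match screening of a depositing address with tracing its funding sources back to a designated address, and it also computes a proportional ("haircut") taint share, a common analytics heuristic assumed here for illustration. All addresses and transfers are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed placeholder data: not real addresses or transactions.
DESIGNATED = {"0xDESIGNATED"}
TRANSFERS = [  # (sender, receiver, amount in ETH), chronological order
    ("0xDESIGNATED", "0xHOP1", 100.0),
    ("0xHOP1", "0xHOP2", 100.0),
    ("0xEXCHANGE", "0xCLEAN", 10.0),
    ("0xCLEAN", "0xHOP2", 10.0),
]

def exact_match_blocked(depositor, designated=DESIGNATED):
    """Screening that only compares the depositing address to the list."""
    return depositor in designated

def hops_from_designated(depositor, transfers=TRANSFERS,
                         designated=DESIGNATED, max_hops=3):
    """Walk funding sources backwards (BFS); return the fewest hops to a
    designated address, or None if none is found within max_hops."""
    funders = defaultdict(set)
    for sender, receiver, _ in transfers:
        funders[receiver].add(sender)
    seen, queue = {depositor}, deque([(depositor, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in designated:
            return hops
        if hops == max_hops:
            continue
        for src in funders[addr] - seen:
            seen.add(src)
            queue.append((src, hops + 1))
    return None

def tainted_share(depositor, transfers=TRANSFERS, designated=DESIGNATED):
    """Proportional taint: each transfer carries the sender's current
    tainted fraction. Senders with no recorded funding count as clean
    (an assumption of this sketch)."""
    balance, taint = defaultdict(float), defaultdict(float)
    for sender, receiver, amount in transfers:
        if sender in designated:
            frac = 1.0
        elif balance[sender] > 0:
            frac = taint[sender] / balance[sender]
            balance[sender] = max(balance[sender] - amount, 0.0)
            taint[sender] = max(taint[sender] - amount * frac, 0.0)
        else:
            frac = 0.0
        balance[receiver] += amount
        taint[receiver] += amount * frac
    return taint[depositor] / balance[depositor] if balance[depositor] else 0.0
```

Exact-match screening passes both intermediate addresses, while the hop trace and the taint share flag them.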
The DOJ charges that despite knowing their platform's use in money laundering, the founders continued to operate and promote Tornado Cash. They profited from the ongoing activity until at least May 19, 2022.
Defendants' Alleged Profits from the Operation of the Tornado Cash Service:
The government charges that in December 2020, founders of Tornado Cash received approximately 800,000 TORN tokens each. These tokens were initially locked for a year, after which one-third became transferable, and the remaining two-thirds would become transferable linearly over the next two years. According to the indictment, in early 2022, TORN tokens had an average value of $30 each. However, this value increased significantly to about $47 after the implementation of the Relayer Registry on March 2, 2022, which required TORN tokens for certain functions. They charge the Tornado Cash founders then aimed to increase the Tornado Cash service's profitability and the TORN token's value to attract potential investors.
The government alleges that throughout 2022, ROMAN STORM sold TORN tokens belonging to him, SEMENOV, and another collaborator (CC-1). To keep these sales secret, STORM used an account on Binance, a cryptocurrency exchange, registered under a Russian national's name. He conducted transactions from this account, hiding their trading activities from the public.
The government alleges that after the Ronin Network hacking incident, STORM revealed that he traded TORN tokens for stablecoins pegged to the USD. He conducted these transactions using a Russian IP through VPN. On August 8, 2022, OFAC imposed sanctions on Tornado Cash for its failure to stop money laundering. Following this, STORM allegedly accessed the Binance account holding around $8 million worth of cryptocurrency. He then transferred about $7.8 million to three separate cryptocurrency wallets, each belonging to one of the Tornado Cash founders, and advised the other founders to move their funds to new wallets to avoid tracing.
The government charges that defendants manipulated their TORN tokens' value, sold them discreetly, and then moved large sums around to evade detection after sanctions were imposed on their service.
The allegations in the Indictment are merely accusations, and the defendants are presumed innocent unless and until proven guilty.