The Eye of the Storm

"If you have nothing to hide, you have nothing to fear."

But when there’s nowhere to hide, you should be very afraid.

The crackdown has begun, and although it has everyone's attention, it has not caused much surprise.

Tornado Cash, the most controversial of Ethereum apps, has been living on borrowed time. And it seems recent attempts to placate the authorities were not enough to keep them at bay for long.

With over $1B TVL at its peak, the notorious mixer has been the top choice for washing stolen funds. And although we know for a fact that North Korea, with their indefensible human rights record, is amongst those who benefit from the anonymity provided by Tornado, we still fight for our right to use it.

If not sanctions, then what’s the solution? If we permit privacy, are there any exceptions?

Yesterday, Tornado Cash, and some of its smart contract addresses, were added to the US Treasury’s OFAC list of Specially Designated Nationals (SDNs) and Blocked Persons.

This sanction makes it illegal for any US citizen, resident or company to interact with the sanctioned addresses, which currently contain $437M in ETH, WBTC and stablecoins.

Any interaction with the addresses would be considered a criminal act under strict liability, meaning that a prosecutor does not need to prove intent, or even knowledge of the sanctions, for a user to be guilty.

The Treasury defines its “Specially Designated Nationals” as: “a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific”.

As this definition makes clear, the Treasury is using Tornado Cash as a proxy target for any organisation or individual fitting OFAC’s description, and criminalising any user pursuing privacy for perfectly legitimate reasons in the process.

And as the following chart shows, less than 30% of funds deposited into the protocol come from illicit sources.

This is the first time in history that a piece of code has been sanctioned as if it were a person, or an organisation.

By pointing the finger at publicly acceptable enemies such as terrorists and drug barons, many in the mainstream may see this as a win against online lawlessness.

In a time when state-sponsored evil actors are no longer hiding in the shadows, it’s easy for the regulators to crack down on tools such as Tornado.

But it appears that those calling the shots don’t understand what it is they’re banning. US Secretary of State Blinken yesterday confused Tornado Cash with the Lazarus Group itself:

These are the people who make the laws many of us must live by: unable (or unwilling) to tell people from tools, or malicious actors from neutral infrastructure.

But while easy to mock, these dogwhistle justifications for banning a neutral tool come at the expense of privacy for regular users.

In a transparent system, those who wish to break the trail between addresses have two options: non-custodial mixers and CEXs. And as we have seen recently, entrusting your crypto to a CEX is far from a risk-free alternative.

There are many legitimate reasons to use a service such as Tornado Cash but ultimately, privacy is a human right, and shouldn’t that be enough?

The announcement brings many previously theoretical questions to centre-stage.

Will all addresses that have ever interacted with the contracts be affected? Is the $437M TVL effectively trapped in the contracts? Are those who donated via GitCoin now criminals?

The carelessness with which OFAC executed the sanction has left much to be clarified.

The affected addresses were blindly copied from Etherscan tags, including the project’s GitCoin donation address, and only include the mainnet contracts, despite Tornado Cash being active on BSC, Arbitrum and Optimism.

What will happen to the (+400 and counting) addresses tainted by funds from the banned contracts? Will doxxed addresses see their accounts ‘salted’ or extortion campaigns emerge from those with ‘dirty’ funds?

And will it stop at individual addresses? What about whole pools? Protocols? Can these be tainted, too, with all subsequent interactions tarred with the same brush?

The impacts of the sanction were felt immediately: Microsoft-owned GitHub quickly banned the entire Tornado Cash repo and deleted the accounts of its contributors, and even GitCoin suspended the project’s grant.

It was less surprising to see that Circle was quick to fall into line, freezing the ~$75k USDC that was in Tornado’s contracts, plus the $150 donated via GitCoin, despite having previously promised to “legally fight” blanket blacklisting.

We fear the CBDC, but perhaps it’s already here…

How long until Circle suddenly decides that every address must KYC before moving their funds?

The established order behaves as if, to protect itself, it must destroy the systems it does not understand.

If we want to stay ahead of the governments who are racing to protect their vested interests, we must now move to strengthen the weak points in our own system.

The actions of centralised stablecoins under governmental pressure could do unprecedented damage to ‘decentralised’ finance.

A safe decentralised stablecoin, and a secure anonymous system, are the obvious solutions to the threats we now face.

Yet while it’s easy to be outraged by this attack on anonymity, it would be naive to think that we can continue to code our way around the rules of society.

Of course criminality is present in cryptocurrency, but does that mean that by OFAC’s logic we should also outlaw the internet, and even cash itself?

As a community, crypto must prioritize privacy over simply profiteering, or lose any hope of becoming a tool for financial autonomy and instead turn into the greatest surveillance tool ever devised.

Opting out of a system designed to vilify, surveil and control those who dare to step out of line should not be considered criminality by default.

Choose privacy while it’s still an option.

It’s time to go dark...

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
