Tornado Cash devs charged with laundering more than $1 billion

Tornado Cash developers Roman Semenov and Roman Storm have been charged with three conspiracy counts in an indictment unsealed today. Storm has been arrested and Semenov remains at large, according to a statement from the Southern District of New York.

Tornado Cash is a so-called “mixer,” a privacy service meant to obscure the trail of ownership for cryptocurrency that passes through it. The mixer “knowingly violated” US sanctions and “laundered more than $1 billion in criminal proceeds,” according to a statement from US Attorney Damian Williams. “While publicly claiming to offer a technically sophisticated privacy service, Storm and Semenov in fact knew that they were helping hackers and fraudsters conceal the fruits of their crimes.”

The indictment alleges that Tornado Cash was used by North Korea’s Lazarus Group to launder hundreds of millions of dollars. Mixers such as Tornado Cash are also used to launder funds from ransomware, security experts have said.

It wasn’t just criminals using Tornado Cash; privacy is a real concern for cryptocurrency. Once an identity is linked to a wallet, it’s possible to trace every transaction. That makes privacy tools popular among those who aren’t engaged in wrongdoing. But Tornado Cash was also allegedly used by North Korean hackers to launder $615 million in stolen tokens from the Ronin Network.

Tornado Cash operated without know-your-customer (KYC) or anti-money laundering (AML) programs as required by US law, the document alleges. It also did not register with FinCEN as a money-transmitting business, the indictment says. Semenov and Storm also created a document called “Tips to Remain Anonymous,” which advised customers to consider using Tor or a VPN, delete data from their web browsers, and leave their money in Tornado for longer periods of time to better anonymize their transactions. They also advised users to employ different IP addresses for deposit and withdrawal.

Storm suggested creating a version of Tornado with KYC / AML enabled, but Tornado’s unnamed venture capital investors were dismissive, saying, “I just don’t know if anyone will actually want this.” The investor added, “It would be unlikely as a fund that we’d use a ‘compliant mixer.’”

Besides the Ronin hack, two other incidents were referenced, one in 2020 and one in 2021. This appears to line up with the KuCoin hack in 2020 and the BitMart hack in 2021, according to CoinDesk.

“Despite knowing full well that the Tornado Cash service was being used to launder criminal proceeds, and that the Tornado Cash pools contained large amounts of ETH representing criminal proceeds that were commingled with other customer deposits for the purpose of concealment, the Tornado Cash founders took no steps to implement effective AML or KYC programs,” the indictment said. Rather, the developers took steps to increase anonymity so they could profit from the volume of transactions they were processing.