In August 2022, the U.S. Treasury's Office of Foreign Asset Control (OFAC) took the unprecedented step of sanctioning the smart contract address of Tornado Cash, a decentralized cryptocurrency mixer operating on Ethereum. This marked the first time a set of smart contracts—rather than individuals or organizations—was placed on the Specially Designated Nationals (SDN) list (although the founder of Tornado Cash was also named on the sanction list).
The sanctions came after reports that North Korean state-sponsored Lazarus Group and other criminal actors laundered over US$7 billion through the protocol, including US$96 million from the Harmony Bridge hack. Despite Tornado Cash developers' earlier attempts at compliance through implementing Chainalysis tools to block sanctioned addresses, OFAC determined these measures were insufficient.
This action sparked immediate backlash from cryptocurrency stakeholders who viewed it as governmental overreach against open-source software rather than against specific bad actors, and a lawsuit was launched alleging that OFAC overstepped their authority in sanctioning code.
The legal challenge to OFAC's authority gained significant momentum when the U.S. Fifth Circuit Court of Appeals, in November 2024, delivered a landmark ruling that OFAC exceeded its statutory powers. The court distinguished that Tornado Cash's immutable smart contracts cannot be classified as "property" under sanctions laws like the International Emergency Economic Powers Act. This critical distinction—that code itself cannot be owned or blocked—undermines the legal foundation of OFAC's sanctions and represents a significant victory for blockchain technology advocates who have long argued that code itself should not be criminalized based on how third parties might use it.
Meanwhile, the Department of Justice has pursued parallel criminal proceedings against Tornado Cash developers Roman Storm and Roman Semenov, charging them with money laundering conspiracy and operating an unlicensed money transmitting business. Storm sought to dismiss the proceedings unsuccessfully. The prosecution contends the developers failed to implement adequate KYC and sanctions screening measures, while the defense maintains that Tornado Cash doesn't qualify as a "financial institution" and that developers cannot control immutable smart contracts once deployed. This case raises profound questions about developer liability for autonomous code that operates without ongoing human intervention. After the publication of the appeal judgment and subsequent orders being made to have Tornado Cash's address removed from OFAC's designated list, OFAC published a press release saying:
Based on ... review of the novel legal and policy issues ... we have exercised our discretion to remove the economic sanctions against Tornado Cash
(our emphasis)
After this announcement OFAC then filed a motion with the Court that the whole case was "moot" since the smart contract was no longer sanctioned, seeking to end the proceedings without a final order.
This puzzled many, since OFAC has lost the case, and was called out by Coinbase Senior Counsel:
they now claim they've mooted any need for a final court judgment. But that's not the law, and they know it...Treasury has ... removed the Tornado Cash entities from the [sanctions list], but has provided no assurance that it will not re-list Tornado Cash again. That's not good enough, and will make this clear to the district court.
The sanctions sparked intense debate throughout the cryptocurrency industry about the limits of government authority over open-source code, raising fundamental questions about financial privacy rights, the technical enforceability of sanctions in decentralized systems, and the potential for regulatory overreach. Meanwhile, software developers and DAOs face potential criminal and civil liability where open source software and smart contracts are misused by third party actors.
The appeal court decision was celebrated as a victory for code development but the last minute maneuvering by OFAC is a reminder that the fight to keep software from being the subject of sanctions is not yet over. By Michael Bacina with Steven Pettigrove
Comments