Tornado Cash Devs Charged With Helping Hackers Launder $1B, Including Infamous North Korean Attacks

Both Roman Semenov and Roman Storm were charged; Storm was arrested.

Aug 23, 2023 at 4:42 p.m. UTC
Updated Aug 24, 2023 at 7:27 p.m. UTC
  • Tornado Cash developers Roman Storm and Roman Semenov face allegations of money laundering and sanctions violations. The Department of Justice arrested one of them, Storm.
  • The DOJ alleges more than $1 billion in transactions moved through the mixing service, which tries to obscure who is behind crypto transactions.

Tornado Cash developers Roman Storm and Roman Semenov were charged with money laundering and sanctions violations tied to their work with the privacy mixer that "facilitated more than $1 billion in money laundering," including "hundreds of millions" for North Korea's Lazarus Group. The DOJ has already arrested Storm.

The mixer, which obfuscates the origin of funds transacted through it, was sanctioned last year by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) after allegations that Lazarus had laundered the funds from multiple crypto hacks through it. OFAC sanctioned Semenov as well on Wednesday, alongside eight Ethereum addresses he allegedly controls.

In a statement, U.S. Attorney Damien Williams said Tornado Cash and its operators "knowingly facilitated" money laundering.

"While publicly claiming to offer a technically sophisticated privacy service, Storm and Semenov in fact knew that they were helping hackers and fraudsters conceal the fruits of their crimes. Today’s indictment is a reminder that money laundering through cryptocurrency transactions violates the law, and those who engage in such laundering will face prosecution," he said.

In a statement, Brian Klein of Waymaker LLP, an attorney for Storm, said the case hinged on a "novel legal theory."

"We are incredibly disappointed that the prosecutors chose to charge Mr. Storm because he helped develop software, and they did so based on a novel legal theory with dangerous implications for all software developers. Mr. Storm has been cooperating with the prosecutors’ investigation since last year and disputes that he engaged in any criminal conduct. There is a lot more to this story that will come out at trial," he said.

Hard to kill a decentralized service like Tornado Cash

The U.S. government's sanctions against Tornado Cash, which began last year, have highlighted how difficult it can be to completely shut down a "decentralized" service. Programmers have borrowed from Tornado Cash's open-source code to spawn new programs with similar functionality.

The core blockchain-based software, or "smart contracts," that powers Tornado Cash also remains possible to use on Ethereum. However, using these smart contracts is technically illegal in the U.S., and key blockchain infrastructure providers like Infura and Alchemy – used by many of the apps that interface with the Ethereum blockchain – have censored access to the Tornado Cash app in accordance with the sanctions.

According to the Department of Justice's Wednesday indictment, Storm and Semenov designed Tornado Cash with various privacy features despite knowing that their service would be used for illicit purposes. Moreover, the DOJ alleged they maintained control over Tornado Cash, which they could have used to implement transaction monitoring or other anti-money laundering features, despite publicly saying they could not actually control it.

Alexey Pertsev

The indictment also makes frequent references to Alexey Pertsev, another co-founder, who was arrested last year in the Netherlands, where he currently awaits trial on money laundering allegations.

The three founders created an optional compliance tool to track deposits and withdrawals, but made it opt-in. The tool did not collect any anti-money laundering or know-your-customer information either, the DOJ alleged.

"The defendants and [Pertsev] recognized that they did not incorporate KYC or AML programs as required by law, and so they made misleading public statements to minimize their ownership and control of the Tornado Cash service, and their operation of the Tornado Cash service as a business from which they expected to generate substantial profits," the indictment said.

This recognition included a message that Storm sent Semenov saying they "should never ... talk as if we own tornado," the DOJ said.

KuCoin, BitMart, Axie Infinity

The DOJ further alleged that the defendants knew their service was being used to launder funds from hacks and other thefts, seeming to reference the KuCoin and BitMart hacks from 2020 and 2021, respectively. A later section walked through the Axie Infinity Ronin Bridge hack.

Employees representing the exchanges had reached out to the developers, but they declined to "offer any assistance," the filing said.

The DOJ also spoke to the TORN tokens tied to Tornado Cash, citing messages from Semenov saying they needed to pump the token's price. After Tornado Cash was sanctioned the first time, Storm distributed $2.6 million in an unnamed stablecoin to each of the founders and told them to transfer the funds to new addresses.

"Tornado Cash has been used to launder funds for criminal actors since its creation in 2019, including to obfuscate hundreds of millions of dollars in virtual currency stolen by Lazarus Group hackers," a Treasury press release said Wednesday.

Wednesday's arrests come barely a week after a federal judge ruled that crypto investors' and developers' rights had not been infringed by OFAC sanctioning Tornado Cash.

UPDATE (Aug. 23, 2023, 17:10 UTC): Adds detail throughout.

CORRECTION (Aug. 23, 2023, 17:42 UTC): Corrects to say that only Storm was arrested.

UPDATE (Aug. 23, 2023, 20:48 UTC): Adds statement from Brian Klein.

Edited by Nick Baker.

Disclosure

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Nikhilesh De

Nikhilesh De is CoinDesk's managing editor for global policy and regulation. He owns marginal amounts of bitcoin and ether.
