USA’ Tornado Cash Sanctions, Banking Organisations’ Crypto Obligations and SEC’s 4-year Plan


Coinfirm’s Regulatory Affairs department takes a look into the United States’ crypto regulatory moves in August, including the:

  • Crypto Guidance Released by US Federal Reserve Guidance Letter
  • OFAC Tornado Cash Designation
  • SEC’s New 4-year Plan Related to Crypto-assets

Crypto Guidance Released by US Federal Reserve Guidance Letter

The US Federal Reserve has issued a guidance letter reminding FED-supervised banking organisations of their obligations to fulfil prior to engagement in crypto-assets activities.

This letter provides that a Federal Reserve-supervised banking organization engaging or seeking to engage in crypto-asset-related activities should notify its lead supervisory point of contact at the Federal Reserve.

A supervised banking organization must take the following steps prior to engaging in crypto asset activities:

  • Ensure such activity is legally permissible and determine whether any filings are required under applicable federal or state laws;
  • Have in place adequate systems, risk management, and controls to conduct such required activities;
  • Notify its lead supervisory point of contact at the Federal Reserve.

Systems in place to identify, measure, monitor, and control the risks associated with crypto-assets activities should cover:

  • Operational risk (for example, the risks of new, evolving technologies; the risk of hacking, fraud, and theft; and the risk of third-party relationships);
  • Financial risk;
  • Legal risk, compliance risk (including, but not limited to, compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements);
  • Any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking and in compliance with applicable laws, including applicable consumer protection statutes and regulations.

OFAC Tornado Cash Designation

The Office of Foreign Assets Control (OFAC) released an official statement on the designation of Tornado Cash.

Sanctioned addresses:

Congressman Tom Emmer‘s letter to OFAC asking for guidance related to the designation of Tornado Cash.

On August 8, the ETH mixer, Tornado Cash became an OFAC designated entity, making it the second mixer to be added to the list, after The circumstances that led to this development revolve around the entity’s failure to impose effective controls designed to stop money laundering and sanctions circumvention, even after previously publicly stating it had measures in place to address these risks.

OFAC disclosed that since its creation in 2019, more than $7 billion worth of virtual currency was laundered. Part of the funds apparently came from the Ronin Network hack on March 23, 2022, the June 24, 2022 Harmony Bridge Heist and the August 2nd, 2022 Nomad Heist. The perpetrator behind some of these transactions was Lazarus Group, a North Korean hacking group sanctioned by OFAC in 2019.

“Tornado is being designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”

Coinfirm has conducted an internal investigation tracing the flow of illicit funds stemming from the above-mentioned three hacks, to identify if the funds were sent directly from the perpetrators’ addresses used in the hacks or if there was an added level of layering. To view that analysis, go here.


OFAC has mentioned that, as resulting implications of Tornado Cash’s designation:

  • “all property and interests in property of the entity above, Tornado Cash, that is in the United States or in the possession or control of U.S. persons is blocked and must be reported to OFAC”
  • “These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.”

Along with the entity’s designation, 40 addresses, listed as being under Tornado’s control have been sanctioned.

The above listed sanctions implications and the naming of the addresses comes with a twist, in the form of Congressman Tom Emmer’s letter to OFAC. He mentions that the designation of this mixer, represents a divergence from the OFAC’s best practices. The designation was pursuant to Executive Order 13694, which targets entities (defined as a “partnership, association, trust, joint venture, corporation, group, subgroup, or other organisations”) responsible for, or complicit in” malicious cyber-enabled activities that pose a threat on United States national security, foreign policy, economic health, or financial stability. 

This divergence is argued by some of the addresses listed by OFAC as being designated, which are smart contracts, widely distributed technological tools which are not under the control of any entity or natural person and do not fall under the above definition.

The Congressman is asking for clarification on the following among other topics:

  • how are these smart contracts considered aliases or property of a person
  • How can legitimate US users of Tornado’s services who have funds trapped in these sanctioned smart contracts reclaim their funds
  • “How does OFAC intend to uphold the appeals process for the sanctioned addresses that have no ability to appeal the sanctions to OFAC, because [these] addresses are smart contracts with no agency, corporate or personal and as such cannot speak for themselves or those whose funds they hold.”

On September 8, however, a lawsuit against OFAC was filed by individuals who have made use of Tornado Cash’s services and whose funds are now trapped, pursuant to OFAC’s sanctions. They are backed by Coinbase, which funds the lawsuit.

As resulted from the filed complaint, these individuals whose funds are blocked and cannot be retrieved, have no criminal or terrorist ties, and their use of Tornado Cash’s services was legitimate.

The complaint states that Plaintiffs challenge OFAC’s addition of Tornado Cash to the Specially Designated Nationals and Blocked Persons (SDN) List and argue to declare the designation “null, void, and with no force and effect” and “not in accordance with law”; “contrary to constitutional right and in excess of statutory jurisdiction, authority, or limitations”.

Under the International Emergency Economic Powers Act (IEEPA), OFAC does have authority to: regulate certain activities involving “any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States.”. However, Tornado Cash does not represent any of the above, rendering the designation to not be “ in accordance with law” and in “in excess of statutory jurisdiction, authority, or limitations” under the [Administrative Procedure Act].

“[…]Because OFAC’s designation does not expire, United States persons who had funds in Tornado Cash pools at the time of Tornado Cash’s  designation are indefinitely prohibited from lawfully accessing those funds.”

The Plaintiffs argue that being denied access to their property “is unjustified by any national security interests, and the risk of erroneous deprivation of property from Defendants’ action is intolerably high under the Fifth Amendment to the U.S. Constitution”.

Coinbase funded lawsuit against OFAC

The only official statement made by OFAC on this situation was in the form of a newly issued FAQ on September 13: 1076. What is prohibited as a result of OFAC’s designation of Tornado Cash?. They clarify that U.S. citizens are prohibited from conducting transactions to or from Tornado Cash, hence the blocked funds cannot be retrieved.

“While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited.  For example, U.S. persons would not be prohibited by U.S. sanctions regulations from copying the open-source code and making it available online for others to view, as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts.  Similarly, U.S. persons would not be prohibited by U.S. sanctions regulations from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet.”

SEC’s New 4-year Plan Related to Crypto-assets

The Securities and Exchange Commission (SEC) published a draft strategic plan for 2022 to 2026, outlining its goals and how they are planned to be addressed. The three main goals established by the plan are:

  • Protecting working families against fraud, manipulation, and misconduct;
  • Developing and implement a robust regulatory framework that keeps pace with evolving markets, business models, and technologies; and
  • Supporting a skilled workforce that is diverse, equitable, inclusive, and is fully equipped to advance agency objectives.

Crypto assets are mentioned within the second goal related to developing regulatory framework. Specifically, the following two steps within this goal address crypto assets:

2.2 Examine strategies to address systemic and infrastructure risks faced by our capital markets and our market participants.

Crypto assets are mentioned among others as representing ‘evolutionary risks’ urging the SEC to ‘pursue new authorities from Congress where needed, continue to effectively collaborate with other regulators, and engage more proactively on digitization initiatives’

2.3 Recognize significant developments and trends in our evolving capital markets and adjust our activities accordingly.

The SEC plans to ‘enhance its expertise in, and devote increased resources to’ crypto assets (alongside derivatives and fixed income assets).

The SEC must also continue to enhance its expertise in, and devote increased resources to, product markets beyond equities—including crypto assets, derivatives, and fixed income—and maintain a nimble and flexible approach to address market changes expeditiously.

Looking to comply with crypto AML compliance stipulations?

Contact Coinfirm or sign up/log in to the AML Platform to experience the most flexible crypto RegTech platform powered by more than 350 proprietary risk analysis algorithms.