Tornado.cash and money laundering
All Ethereum transactions can be tracked.
But there is a neat little tool that lets you remove this traceability: Tornado.cash. Alice submits her Ethereum tokens to a Tornado.cash smart contract where it gets commingled and mixed up with other people's tokens, then re-sent back to Alice at a separate address. (There are some extra things that happen, too. Read here.) Voila, the transaction trail has been obfuscated. All that an outside observer knows is that Alice's coins have been sourced from Tornado (for the rest of this post I'll use Tornado and Tornado.cash interchangeably). They know nothing about their history before then.
Who uses Tornado?
Some users are hobbyists and advocates of anonymity. They're not engaged in anything illegal. They want to consume privacy as a financial service. We'll call them legitimate users.
The other batch of users are criminals keen to hide the provenance of the Ethereum tokens that they've stolen by hacking or exploiting exchanges and other financial tools. When BitMart, an exchange, was hacked on December 4, $200 million was laundered through Tornado.cash. A few days later, $1.75 from an 8eight Finance exploit was processed by Tornado. (If you want more examples, ask me in the comments).
My question is this: given the presence of criminal funds on Tornado.cash, is it dangerous for legitimate users to connect to it? More specifically, does a legitimate user who submits their Ethereum tokens to a Tornado smart contract risk a money laundering conviction given that they may be interacting with criminally-derived money?
In the U.S., an individual can be convicted of money laundering if they knowingly conduct transactions in criminally-derived funds. For example, if Joe, a car dealer, sells a Lexus to a criminal for $75,000 in dirty cash, and knows that the transaction was made for the purposes of evading the authorities, then Joe can be found guilty of money laundering. It's a serious offence punishable with up to 20 years in jail.
Would the same principles apply to Tornado.cash users?
If a thief steals some Ethereum and deposits it into a Tornado smart contract where it is commingled with deposits made by a legitimate user, and this legitimate user withdraws their portion of that amount, then it seems to me that the legitimate user may have engaged in money laundering. That is, it's possible that they have conducted a financial transaction that involves the proceeds of an unlawful activity.
But that's not quite enough to establish money laundering. As I said earlier, to be convicted of money laundering a mental state of knowing has to be proven.
Many legitimate Tornado users interact with the tool without knowing much about it. They've never considered the possibility that by connecting to Tornado, they may be serving as a nexus for the laundering of criminally-derived property. Since knowing can't be established, then these users probably can't be judged guilty of money laundering.
But other legitimate users are not so unwitting. It's common knowledge that hacks and thefts are laundered on Tornado.cash. Some of the larger and more savvy Tornado users are no doubt aware that by commingling their funds in a Tornado smart contract they are providing criminals with a means of concealing the source of proceeds of unlawful activity. With knowing having been established, it's possible that their usage of Tornado.cash transcends into money laundering.
But even if the mental state of knowing can be established, one thing is still missing. There doesn't seem to be a clear and well-defined exchange of dirty crypto for clean. That is, when some stolen Ethereum gets deposited into a Tornado smart contract along with legitimate Ethereum, and then later withdrawn, there doesn't seem to be any way to explicitly link the withdrawal of that stolen Ethereum to a specific person. It's hidden by the software.
Put differently, there's no smoking gun.
I think it might be useful at this point to introduce an analogy using physical cash. It is clearly illegal for Joe, our auto-dealer, to knowingly take a criminal's $75,000 in cash. But let's imagine that Joe and the criminal decide to interpose a cash mixing box between themselves. Joe figures that this mixing box will allow him to receive payment without actually taking the criminal's banknotes. Does that make it legal?
It works like this. Two third-parties – Ted and Alice – put in $75,000 in "clean" cash into the mixing box. The criminal puts his dirty $75,000. Ted and Alice's $75,000 gets mixed with the criminal's $75,000. Ted and Alice each remove $75,000. Joe, the auto dealer, also removes $75,000. Joe then transfers the criminal the car.
There is no way for law enforcement to prove that the actual banknotes that Joe has received are the specific banknotes that were deposited by the criminal. Because they were commingled with legitimate money, Joe can deny having accepted criminally-derived funds. (As can Ted and Alice).
But does this set up absolve Joe of guilt? I doubt that the interposition of a cash mixing box would be perceived by a judge as altering the underlying relationship between Joe and the criminal. The mixing box would rightly be seen as a contrivance to throw the cops off. (See last footnote, below)
What about Ted and Alice? If Ted unwittingly contributes his $75,000 to the mixing box – i.e. he doesn't realize that he is helping to obfuscate the criminal's funds – then he probably wouldn't be found guilty of laundering money.
Alice, however, suspects that her contribution to the mixing box will be used to obfuscate the transaction trail between the criminal and Joe, but contributes anyways. The establishment of intention surely increases Alice's odds of a money laundering conviction. She might hope that she can get off because the commingling provided by the mixing box breaks the cash trail between her and the criminal. But again, there's a good chance the judge won't buy this argument.
It's important to keep in mind that Alice may have her own specific reasons for using the cash mixing box. Perhaps she values privacy and therefore periodically mix up all her notes. Maybe she likes to collect certain banknote serial numbers (i.e. ending in 2) and a cash mixing box is a convenient way for her to get exposure to a broad range of potentially collectible pieces.
A judge would somehow have to balance Alice's legitimate reasons for using the mixing box against the fact that she has knowingly conducted transactions in criminally-derived property. Is her right to pursue a peculiar hobby more important than protecting the public's welfare? I'm not sure how that balancing act would end up.
Bringing this back to Tornado.cash, I do wonder how safe it is to be a Alice. That is, I wonder how safe it is to be someone who knows that there are stolen Ethereum tokens inside Tornado smart contracts looking for an exit, yet despite the presence of this taint contributes Ethereum to that contract anyways. Even if Tornado obscures any explicit link between Alice and criminals, a judge could look past that.
Alice may say that "I used Tornado.cash because I value my financial privacy." This may be an adequate defence. Maybe not.
Clouding the story is the fact that Tornado.cash is currently paying a juicy financial reward to anyone who puts their cryptocurrency into its smart contracts. (See this video). The fact that Alice is earning 30-40% a year might make her claim to be a mere consumer of financial privacy less credible.
Perhaps one day we'll see a court case where this all gets thrashed out. A decent result would be if a judge ruled in favor of Alice, or at least partly so. The judge suggests that any incidental laundering of funds on Tornado.cash by licit consumers of privacy (like Alice) should be a non-criminal matter, subject to limit. Consider how several U.S. states have decriminalized the possession of small amounts of marijuana for personal use. In that same vein, a fixed amount of intentional commingling of funds on Tornado should be tolerated, the judge suggests, but only for the purposes of personal consumption. Anything above that would remain a felony.
PS: Privacy advocates, please don't shout at me that money laundering laws are unethical. I am making a positive claim here, not a normative claim. That is, I'm not suggesting how things *should* be, but how they actually are. And my positive claim is that there is a risk, perhaps only a small one, that a legitimate user of Tornado.cash could be accused of money laundering. Yes or no?
PPS: Notice that I am no making the claim that Tornado.cash is itself engaged in money laundering, or that the people who have written the Tornado smart contracts are money launderers. I'm treating Tornado.cash as mere software, a digital hammer. A hammer doesn't break the law, people do. My assumption in this post is that society's rules against money laundering fall on the *users* of this software, not on the software itself or on the people who have developed the software.
PPPS: For software developers, if my positive claim is accurate (i.e. that it is risky to use Tornado.cash), is there a way to redesign the software that would solve the problem? More specifically, is there a way to limit the tool to licit users i.e. those who have a legitimate desire to consume anonymity, and keep out criminals?
PPPPS: It's worth giving U.S. money laundering laws a read. Two of the big ones are located at 18 U.S.C. § 1956 and 18 U.S.C. § 1957. See here.
PPPPPS: On commingling... "Moreover, we cannot believe that Congress intended that participants in unlawful activities could prevent their own convictions under the money laundering statute simply by commingling funds derived from both 'specified unlawful activities' and other activities." U.S. v Jackson, 1991