Veteran Crypto Lawyer Insights on Tornado Cash and The Future of Crypto Regulations

Blockpass CEO Adam Vaziri breaks down for Solanews readers the impact of OFAC’s move.

Tornado Cash has been blacklisted by the United States Treasury. This platform has been used by many dishonest players in the crypto space to launder and hide assets gained by nefarious means. In the current state of crypto, security means a lot, and many companies are focused on how to avoid more hacks and scams.

We recently were able to speak to Adam Vaziri, CEO and co-founder of Blockpass, a re-shareable KYC application and safe network for the crypto industry. Vaziri is also a very successful lawyer. We spoke with him about Tornado Cash and were able to learn from his valuable insight on the situation. Below is our interview with Mr. Vaziri. We hope you learn as much as we did and we appreciate Mr. Vaziri for his expertise and time.

Solanews (SN): Hi Adam, could you please give us a brief overview of your background, when did you discover crypto and your activities in the crypto/blockchain space?

Adam Vaziri (AV): I am a regulatory lawyer and was the first crypto lawyer in London back in 2013. I assisted Bitpesa to get the first EU money transmission license involving bitcoin for settlement. I obtained the first EU license for a crypto derivatives platform Cryptofacilities, which was bought by Kraken. I obtained the first license in the whole world for a compliant lottery on Ethereum in the Isle of Man. I worked with regulators to organize the first regulated ICO with KYC which was Cardano. I worked with regulators to remove sales tax (back in 2014) from the sale of crypto. I am the technical author of a published standard for security tokens. I am the founder and CEO of Blockpass. Blockpass is the first re-shareable KYC system and safe network for the crypto industry. My objective has always been from the start to ensure that crypto would have a place in the mainstream. For that to happen it has to play by the same rules and embrace compliance.

SN: The Office of Foreign Assets Control (OFAC) recently added Tornado Cash to its Specially Designated Nationals list, a list of blacklisted individuals, entities and cryptocurrency addresses. All U.S. persons and entities are prohibited from interacting with Tornado Cash or any of the Ethereum wallet addresses tied to the protocol. Based on your experience in the legal and regulatory aspects of cryptocurrencies, were you expecting this type of development? Do you believe it should have been done earlier?

AV:

Ethereum allows for core applications to largely run without central servers. Prior to Ethereum, it was easier for law enforcement to shut down tools that were being abused by money launderers. Some earlier examples are Silkroad and Liberty Reserve, which were shut down with relative ease. With Ethereum a smart contract can be deployed and, if set up without an administrator, no-one can be said to control the smart contract. This means when it comes to enforcement you can’t easily shut it down. That is what the crypto community means when referencing ‘unstoppable’ smart contracts. If there was a mixer pre-Ethereum then the servers would just be seized and the domain too. 

The crypto community is positioning that these unstoppable smart contracts should not be interfered with by governments. This is first a contradiction as, if something is unstoppable, you shouldn’t be concerned with government interference. 

The particular issue here with Tornado Cash is that it is a decentralized tool used by criminals and legitimate users. Criminals and legitimate users use the tool to make it more difficult to trace the origin of the funds. Ethereum is an open financial system which means if I have your account on Ethereum I can see your financial information. This open financial system exists as a security property of the blockchain, as the blockchain keeps a record of all accounts and movements of the same. Because of this unique transparency property, users of Blockchains have to consider taking steps to retain financial privacy and a tool such as Tornado Cash assists in that process.  That said, it is not the only tool. To break the connection between your wallet on Ethereum and the funds stored within, you can transfer a balance to an Exchange then withdraw to another wallet – that fulfills the same purpose but is a compliant alternative. 

Regarding whether the move of the US Treasury was predictable, I expected to see this level of enforcement much earlier than this. At the moment, the context is that the criminals using Tornado Cash are laundering at a different scale than before. So the level of abuse is greater. Also, the nature of the abuse entails questions of national security. For instance, Tornado Cash was used by North Korean hackers to launder the proceeds from hacks they had performed. So the use of Tornado Cash by countries subject to sanctions is presented as a national security threat. For that, it is understandable that a more robust, radical approach to enforcement can be expected.

SN: In reaction to OFAC’s move we have seen arguments on Twitter defending the Tornado Cash code as falling under free speech protection laws. Would you mind elaborating your views on these claims?

AV:

This is a complete red herring. Writing source code in JavaScript or whatever language is a matter of freedom of expression. But Tornado Cash is not running in code, it is running in bytecode on nodes in a distributed system. Put simply, bytecode talks to microprocessors, if it is speech it is not human speech, it would be machine speech. Machines are not entitled to the protection of free speech last time I checked. In other words, it is fine to say I have the right to freedom of expression in writing source code on GitHub. But once that code is compiled into an ‘unstoppable’ smart contract, the thing created is no longer speech, it becomes a ‘tool’. A tool is a thing not words. Although this distinction appears to be a technicality, it is a nonsensical argument to say that an object, and non-human language is free speech.

Recently, we have seen a Tornado Cash developer being prosecuted in Holland. The Crypto community are claiming (without any evidence) that the reason for the prosecution is that the assailant wrote code for Tornado Cash. No-one knows the details of that particular case, but the press release from the Dutch police didn’t mention prosecuting the assailant for writing code. The press release rather mentioned facilitating money laundering. The quote is as follows: “[h]e is suspected of involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash”. This makes no mention of the criminal activity being writing code. If he is being prosecuted for submitting pull requests to Github and had no direct involvement in facilitating money laundering then yes there would be a question of there being an infringement of someone’s freedom of expression.


That said, we should also remember that freedom of expression is not an absolute right. In the EU context, freedom of expression is protected by the Charter of Fundamental Rights which is largely an enactment of the European Convention of Human Rights. Neither acts state that freedom of expression is an absolute right. In fact, all rights largely conflict with one another and conflict with the public interest. It is more a question of whether the government interference was within the public interest or not. For that, Holland has some discretion as to how that public interest is defined. National security is an obvious public interest used to justify human rights interferences. Also, there has to be a consideration as to whether the governmental measures are proportionate in the circumstances. I wouldn’t want to speculate but it is unlikely that the activity of prosecuting someone for simply writing code is a proportionate measure. 

There are other misinterpretations by the crypto community in my view. The first is the assertion that Tornado Cash is not an ‘organization’ and cannot be the subject of sanctions. This is a complete fallacy. Al Qaeda was not a public listed company with recognised board members. This did not prevent it being labeled as a sanctions target. I doubt formalities as to the type of entity concerned has any relevance. For that matter, Tornado Cash can be labeled simply an unincorporated entity with anonymous partners – which is the default legal categorisation for any DAO.  

Lastly, we have touched on the question of Tornado Cash being a tool. Some have presented an analogy to a phillips screwdriver saying that the measure of adding Tornado Cash to the SDN list was akin to banning the use of phillips screwdrivers in general. This is nonsense. The measure is against a tool certainly but it is a particular tool rather than all tools of that type. In other words, to take the screwdriver analogy, the sanctions are against a screwdriver that was found at the scene of a crime with blood dripping down the side of it, not against all screwdrivers in existence.

SN: The possible use of hacked funds to finance nuclear weapons in DPRK is a strong motivation for OFAC to sanction Tornado Cash; however, it does seem to highlight other weaknesses in the crypto world as Tornado Cash is arguably ‘only’ a crypto mixer, the DPRK would need more than a mixer to convert or make large payments in crypto. Therefore, could we also look at sanctions against Tornado Cash as a sign of powerlessness from regulators who struggle to fight money laundering and fraud in the cryptocurrency space in general?

AV: Yes absolutely, decentralized systems make it more difficult for law enforcement. As said, before they could shut down servers of the accused and the job would be done. But now they have to take a different approach to enforcement. This different approach is to criminalize usage of the tool. This is a strong deterrent and renders the tool practically useless for legitimate users. For criminals, there would be no point continuing to use the tool, as for them to launder effectively they need a clean source of funds to launder with.

The issue with a new approach to enforcement is that it will always have unintended consequences and collateral damage. This is understandable to an extent. In this case one of the unintended consequences was that some would use the measure to taint the wallets of high profile Ethereum users. 

The collateral damage here is that there are a number of legitimate users in the past of Tornado Cash that used the service and will now struggle to cash out. In general, sanctions are not retroactive but an Exchange is going to treat any transaction with a Tornado Cash association as extremely high risk regardless of the timeline in question. Also, all users of Tornado Cash are now encumbered with the administrative process of having to request a license from OFAC to be able to move their assets. This entails significant reporting and will take time to process any license request.

SN: What measures would you recommend to increase effectiveness of KYC and AML procedures by cryptocurrency service providers? Do you see evidence of growing issues and do you feel new regulatory frameworks, like MiCA in Europe, can tackle these issues?

AV: 

Basically, crypto as an industry needs to clean its act up and start taking compliance seriously. 

The “we hate KYC” and anti-government positioning is just ruining the chances that crypto could potentially challenge the incumbent financial system. 

In fact, decentralization radicalisation will have a reverse effect; the crackdown will be harder from governments and the regulations will become even more stringent or may even result in the complete banning of crypto by certain countries. This essentially means that crypto will go deeper underground and become more niche.

A tool like Tornado Cash seems like a fun and cool defi project for crypto founders. It is great that there is experimentation in crypto. But when the tool is used for large scale money laundering then the reaction from the crypto community should be more about how the tool could be made compliant rather than a political face off with the establishment. 

One thing that should be getting clearer is that authorities will ‘look through’ the veil of decentralization to prosecute sanctions violations. 

Crypto projects, regardless of whether they are decentralized in nature, that are not doing KYC and KYT are opening themselves up to fraud, AML abuse and sanctions violations. Having KYC in place is such a basic control to prevent misuse.

SN: Do you feel main actors such as cryptocurrency exchanges are following less strict/as strict/ or stricter rules when it comes to KYC and AML than non-crypto fintech firms or banks?

AV: For 10 years crypto businesses have been able to provide services on the basis that they are not regulated. This has been good for some of the businesses to allow them, largely through regulatory arbitrage, to scale globally. The first regime that was put in place was a basic VASP regime to mitigate money laundering abuse.

I don’t think crypto is yet in a position that it is regulated to the same extent as traditional financial services. There is still some flexibility in how it operates its business. Although countries have introduced regulations, as a result of FATF guidance, to register VASPs and subject them to an AML regime, this is only part of the risk associated with a crypto business. Consumer protection mandates prudential controls to protect client money, for that, there is little standardization on how that should be handled from a regulatory point of view.

SN: What was your motivation to co-found Blockpass and how does it help tackling the challenges of money laundering with cryptocurrency?

AV: The motivation was to link crypto wallets to real world identities in a manner that protects the data of the user but results in crypto becoming compliant in a non-custodial form. In 2015, I wrote an article on how the Estonian ID system could be used to link a bitcoin crypto address to a verified identity. This was prescient and no doubt it will now become mandatory in crypto. 

The Travel Rule is the first attempt to challenge anonymous non-custodial ownership. In the future, non-custodial ownership without KYC will not be possible. When that is true there needs to be a system that allows a user to link their wallet to their KYC so that they can prove they are the owner of that wallet. But the system needs to be devised in a manner that the user’s data is protected. 

There are other motivations at play here. I personally want to make it easy and cost effective to comply with regulations. Buying compliance software is complicated and expensive. We have tried to make it as easy and cost effective as possible. When there is a low barrier then we hope that compliance won’t be such a headache for founders. 

Blockpass provides a full-suite KYC product. We cover proof of identity authentication, face match, sanction screening, proof of address verification, automated remediation and crypto AML screening. There is no compromise on the level of KYC provided and at a fraction of the cost offered in the market. All of this is done from one portal with no set up required and no setup fee. We also provide a zero knowledge KYC solution referred to as On-chain KYC. This solution allows defi projects to just check if a crypto wallet has been KYC’d without collecting the underlying data and allows the defi project to geoblock certain sanctioned jurisdictions – in other words, the project can comply with sanctions requirements without having to collect data on users. 


The key aspect of Blockpass is the reusable nature of the KYC. Once a user is verified they can re-share their KYC profile to other defi projects.

SN: You are welcome to elaborate on additional points you feel are important to this discussion, thank you.

AV: I think it is worthwhile pointing out new areas of regulatory challenges that can be anticipated.

It is likely that the validation of transactions involving sanctioned parties will be the next area of conflict between crypto and regulators. Validation is designed within crypto to be a neutral process. The regulatory positioning of validators is that of ISPs which have enjoyed a safe harbor from prosecution. However, the difference between validators and an ISP is that an ISP only enjoys a safe harbor defense if it is unaware of the abuse. When an ISP has been made aware of an abuse then it needs to take steps to take down the material in question to continue to benefit from the defense.

Once crypto addresses are subject to sanctions that are publicly available then the validators will be aware at that stage. To continue to validate sanctioned transactions would, in principle, not benefit from any safe harbor. This debate relates to both proof of work and proof of stake systems. Both consensus systems involve miners/stakers selecting transactions from a mempool to validate so the selection of a sanctioned transaction would be a sanctions violation.

The consequence of this discussion will result most likely in two types of blockchain networks in the future: ones that are compliant and ones that are not. At the moment, only privacy coins have been targeted as being non-compliant. For instance, regulated exchanges have refused to list privacy coins such as Zcash for this reason.

There are amazing innovations within crypto but every aspect of the industry needs to level-up on compliance. If it can do that it can start to distance itself from scams, ponzis, market manipulation, securities fraud and sanctions violations and start to become a true contender to replace SWIFT, VISA and all financial incumbents.

Web3 (the so-called evolution of the internet with the enablement of blockchain technology) cannot become a dystopian, anarchist metaverse designed to promote lawlessness and chaos all in the name of decentralization. This is as much a nightmare scenario as a centralized ‘Facebook’ metaverse, tracking, harvesting and leveraging every fraction of data on users. There has to be a level of compromise and responsibility taken here.

We at Solanews are grateful to Mr. Vaziri for his time and can’t wait to speak to him again for more insight on web3 and crypto.
