OFAC Sanctions Tornado Cash: what this means for ransomware payments

Written by: Lisa Forte

Categorized: Cyber Resilience


In early August the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned another popular cryptocurrency mixer, “Tornado Cash”. The mixer was sanctioned because of its apparent role in laundering over $455 million in cryptocurrency for the Lazarus Group, and it has been used in other major cryptocurrency heists too. What does this mean for the payment of ransoms now?

What is Tornado Cash?

Tornado Cash is a mixer built on the Ethereum blockchain. Essentially, a mixer takes in crypto from many different people, mixes it up and pays it out to other wallets at set times and in set denominations. It’s a great way to hide who is moving what funds. Tornado Cash does this too, with one difference from other mixing services: it is a smart contract mixer. A smart contract is code that sets the parameters under which specific actions will happen. For instance, you send your crypto to Tornado Cash and the contract gives you a note that you can later use to withdraw your crypto to a new address.

Claims on how much crypto has been received by Tornado Cash vary but sit around the $7-8 billion mark. Not all of this will be illegitimate but the scale certainly raised eyebrows at the OFAC!

Why were they sanctioned?

Probably for a multitude of reasons, but the so-called “straw that broke the camel’s back” was likely the theft of over $600 million of cryptocurrency from the Ronin Bridge protocol. This was attributed to the Lazarus Group, which is in turn attributed to North Korea. Many argue that this has become a popular tactic for the Lazarus Group and North Korea to get around the sanctions imposed upon it.

The sanctions are most definitely a move to make OFAC look proactive in taking action against crypto crime and money laundering. In their press release at the time they made it clear that the expectation was that such services need to implement controls to catch and stop money laundering.

Crypto Trolls and Dusting

Soon after the OFAC press release, small transactions from Tornado Cash were being sent to celebrities, crypto influencers and others, a practice known as “dusting”. Some of the people sent this “trolling” crypto were the CEO of Coinbase, Jimmy Fallon and Snoop Dogg.

Technically, on paper at least, all of the people receiving these funds would be in violation of the OFAC sanctions. It seems reasonable that OFAC will view these situations as crypto trolling, but the bigger concern, I think, is this: how do individuals who aren’t celebrities prove that they weren’t involved in breaking sanctions and that their wallets were simply dusted? Chainalysis claims there were 300 outgoing transactions from Tornado Cash between the 8th and the 11th of August alone.

Effect of sanctions

This week a 29-year-old man was arrested by Dutch authorities in connection with Tornado Cash, but this is likely a drop in the ocean as far as enforcement goes.

Here is the real crux of the enforcement issue. As Tornado Cash is a smart contract mixer (essentially code), in theory it can run in perpetuity. It isn’t a centralised service that you can just shut down, and it isn’t a “person” you can sanction easily. In fact, according to CoinDesk, Tornado Cash was still processing transactions the day after the sanctions: “it processed over $2 million worth of cryptocurrency transactions. The code itself cannot be stopped”.

Many crypto reporters and industry notables comment on how the Tornado Cash code is “unstoppable”. Without an ability to update the code, that is correct. What makes the situation even harder for OFAC is that the contract is accessible to anyone with an Ethereum address. This makes it permissionless and means it can’t be censored. So yes, you can sanction it, ban it, whatever you want, but how do you actually enforce that to any meaningful level? Anyone can send funds from Tornado Cash to anyone else with an Ethereum account, thus enlisting them in potential criminal activity. That is no doubt what the trolling or “dusting” mentioned earlier was all about.

So this puts the onus back on users to ensure they are compliant with sanctions. Let’s be honest: we are talking only about legitimate activity here, because I deeply doubt this will send ripples through the illicit crypto world. You need to be sure that the crypto you are sending isn’t going somewhere that is sanctioned, and that becomes more complicated with smart contracts. There are companies, like Chainalysis or TRM Labs, that provide such visibility.

Of course, some of the crypto community have taken a dim view of this action by OFAC, claiming it is an act of censorship that damages innocent users’ privacy. They claim the effect is profound and undermines the foundations of the entire concept.

What does this mean for cyber and ransom payments?

Well this decision by the OFAC has pros and cons. It will definitely cause waves but possibly not much more than that. It is extremely hard to enforce in any meaningful way which highlights problems we have already seen with these technologies and are likely to continue seeing.

Clearly illegitimate users of this and similar services are likely not to be too concerned at this point. Their money laundering antics are probably safe for now, sadly.

It does raise another interesting question that’s linked to this issue around ransom payments though.

There is, on paper at least, an increasing requirement to “know who you are paying” when it comes to ransoms. It is a bit like KYC (Know Your Customer), but with someone who just attacked you. In theory this places a high burden on victims. However, “knowing” who the crypto funds are going to is still a bit of a fairy-tale for most companies. The fact is that most who pay probably don’t know. But should we do more due diligence? If you are writing or fine-tuning your ransomware plans, perhaps consider onboarding one of these crypto firms such as TRM or Chainalysis. It should be something you consider, to give you at least some visibility and reassurance that you are avoiding a sanctions violation.

Now, with this OFAC decision, it’s not just sanctioned countries (such as North Korea), sanctioned people (such as Russian oligarchs) or sanctioned groups (such as terrorist organisations) that we have to be sure we aren’t paying, but also sanctioned crypto addresses, tools and services. There are two potential long-term outcomes from this: 1) it is ignored and the payment of ransoms continues but is driven further underground, or 2) it becomes more complicated to ascertain who the recipient is and so people cease paying ransoms.
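To make the “know who you are paying” and dusting points above concrete, here is an added example of the kind of pre-payment screen a response team could run; it is not code from the post or from any of the firms it mentions. Everything in it is constructed: the ledger, the addresses and the sanctioned list are placeholders, not real OFAC SDN entries, and a real screen would pull the SDN list and on-chain history from a live source. It walks backwards along senders to see whether a destination wallet received funds within a few hops of a sanctioned address, and separately records unsolicited incoming dust from a sanctioned address so that it can be documented rather than silently treated as a violation.

```python
from collections import defaultdict, deque

# Constructed placeholder list of sanctioned addresses (NOT real SDN entries).
SANCTIONED = frozenset({"0xSANCTIONED_MIXER", "0xSANCTIONED_ACTOR"})

# Constructed ledger of transfers: (tx_id, from_address, to_address, amount).
LEDGER = [
    ("t1", "0xSANCTIONED_MIXER", "0xINTERMEDIARY", 10.0),
    ("t2", "0xINTERMEDIARY", "0xRANSOM_WALLET", 9.5),
    ("t3", "0xEXCHANGE", "0xCLEAN_WALLET", 5.0),
    ("t4", "0xSANCTIONED_MIXER", "0xCELEBRITY", 0.1),   # unsolicited "dust"
    ("t5", "0xCELEBRITY", "0xCOFFEE_SHOP", 0.05),       # dusted wallet spends on
]


def senders_index(ledger):
    """Map each address to the transfers it received: to -> [(tx_id, from, amount)]."""
    idx = defaultdict(list)
    for tx_id, src, dst, amt in ledger:
        idx[dst].append((tx_id, src, amt))
    return idx


def upstream_exposure(address, ledger, max_hops=3):
    """Breadth-first walk backwards along senders, at most max_hops deep.

    Returns the shortest path from a sanctioned source to `address`
    (list of addresses, sanctioned source first), or None if none is found.
    """
    idx = senders_index(ledger)
    queue = deque([(address, [address])])
    seen = {address}
    while queue:
        current, path = queue.popleft()
        if len(path) - 1 >= max_hops:      # depth budget exhausted on this branch
            continue
        for _tx_id, src, _amt in idx.get(current, []):
            if src in seen:
                continue
            new_path = [src] + path
            if src in SANCTIONED:
                return new_path
            seen.add(src)
            queue.append((src, new_path))
    return None


def screen_payment(destination, ledger, max_hops=3):
    """Decide whether an outgoing payment should be BLOCKed, sent for REVIEW or ALLOWed.

    Direct payment to a sanctioned address is blocked outright; indirect
    exposure within max_hops is escalated to a human rather than auto-approved.
    """
    if destination in SANCTIONED:
        return {"decision": "BLOCK",
                "reason": "destination is a sanctioned address",
                "path": [destination]}
    path = upstream_exposure(destination, ledger, max_hops)
    if path:
        hops = len(path) - 1
        return {"decision": "REVIEW",
                "reason": f"funds received {hops} hop(s) from sanctioned address {path[0]}",
                "path": path}
    return {"decision": "ALLOW",
            "reason": f"no sanctioned source within {max_hops} hops",
            "path": None}


def unsolicited_dust(address, ledger):
    """Incoming transfers from sanctioned addresses that `address` never sent anything
    back to. This is the dusting pattern: record it for the compliance file so the
    wallet owner can show the exposure was not of their making."""
    sent_to = {dst for _tx_id, src, dst, _amt in ledger if src == address}
    return [(tx_id, src, amt)
            for tx_id, src, dst, amt in ledger
            if dst == address and src in SANCTIONED and src not in sent_to]


if __name__ == "__main__":
    for wallet in ("0xSANCTIONED_ACTOR", "0xRANSOM_WALLET", "0xCLEAN_WALLET", "0xCOFFEE_SHOP"):
        print(wallet, screen_payment(wallet, LEDGER))
    print("dust on 0xCELEBRITY:", unsolicited_dust("0xCELEBRITY", LEDGER))
```

The hop limit is the policy knob: in the constructed ledger the coffee shop paid by a dusted wallet is two hops from the mixer, so it is flagged for review at the default depth and allowed at `max_hops=1`. That trade-off, between catching layered laundering and drowning reviewers in alerts caused by dusting, is exactly the visibility problem the post describes.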

Given the state of ransomware, the threat it poses, the anonymity provided by crypto platforms and the lack of effective “bite” these sanctions can have I would imagine, sadly, the former is more likely.

The Ransomware Task Force identified visibility on the crypto platforms and visibility on payments of ransoms full stop as a big issue in tackling the threat posed by ransomware groups. These OFAC sanctions likely won’t make this situation better but the recommendations made by the RTF hold more hope for being disruptive.

Maybe these sanctions will create a chilling effect for crypto services that until now have turned a blind eye. I doubt that the services who know their main “customers” are criminals will lose much sleep over this. I think one thing it does highlight is the magnitude of issues we now face when it comes to balancing suppressing crime, protecting consumers and maintaining the cryptocurrency ethos of decentralisation and privacy. These sanctions show us just how at odds these things actually are.
