The Tornado Cash Sanctions and the Fight for Code
The US Treasury sanctioned Tornado Cash — a privacy protocol on Ethereum. Not a company. Not a person. A smart contract. The precedent is extraordinary: the government has declared that interacting with open-source code is a sanctionable offence.
The Tornado Cash Sanctions and the Fight for Code
On August 8th, the US Treasury's Office of Foreign Assets Control (OFAC) added Tornado Cash to its Specially Designated Nationals list — the same sanctions list used for terrorist organisations, drug cartels, and hostile foreign governments. The designation makes it illegal for any US person to interact with Tornado Cash's smart contracts, and it requires any US entity that holds assets associated with Tornado Cash to freeze them.
The action was unprecedented. Tornado Cash is not a company. It does not have employees, officers, or a bank account. It is a set of smart contracts deployed on Ethereum — open-source code that anyone can read, anyone can deploy, and no one controls. Sanctioning it raises fundamental questions about the limits of government authority over code, speech, and permissionless technology.
What Tornado Cash Does
Tornado Cash is a privacy protocol that breaks the on-chain link between a sender and a receiver. Users deposit ETH or tokens into a smart contract pool and later withdraw them to a different address, using a zero-knowledge proof to demonstrate that they are entitled to withdraw without revealing which deposit is theirs. The result is transaction privacy — the ability to use Ethereum without every transaction being publicly traceable.
The protocol has legitimate uses. Individuals who want financial privacy — a right that is taken for granted in the traditional financial system — can use Tornado Cash to prevent their entire financial history from being visible to anyone who knows their Ethereum address. Businesses can use it to prevent competitors from monitoring their on-chain activity. And activists, journalists, and dissidents in authoritarian countries can use it to protect themselves from government surveillance.
It also has illegitimate uses. The Lazarus Group — a North Korean state-sponsored hacking operation — used Tornado Cash to launder hundreds of millions of dollars stolen from crypto protocols. This is the justification the Treasury cited for the sanctions.
The Precedent
The sanctions set a dangerous precedent. If the government can sanction a smart contract — code that is deployed on a decentralised network and cannot be modified or shut down — then the government can effectively criminalise the use of any open-source privacy tool. The implications extend beyond crypto to any technology that provides privacy or anonymity.
The crypto community's response was swift and alarmed. Coin Center, the crypto policy think tank, filed a legal challenge arguing that the sanctions exceed OFAC's statutory authority. The argument is that OFAC can sanction persons and entities — not code. A smart contract is not a person. It does not have agency. It cannot comply with sanctions. And sanctioning it effectively punishes users for interacting with software, which raises First Amendment concerns about the government's ability to restrict access to code.
The Immediate Fallout
The immediate effects were chilling. GitHub removed Tornado Cash's repository. Circle froze USDC held in Tornado Cash contracts. Aave, dYdX, and other DeFi protocols blocked addresses associated with Tornado Cash. And Alexei Pertsev — one of Tornado Cash's developers — was arrested in the Netherlands, charged with facilitating money laundering.
The arrest of a developer for writing open-source code is the most alarming aspect of the enforcement action. If developers can be held criminally liable for how others use their code, the implications for open-source software development are severe — not just in crypto, but across the entire technology industry.
My View
The Tornado Cash sanctions represent the most significant confrontation between crypto and government authority since Bitcoin's creation. The outcome will determine whether privacy is a right that can be exercised on blockchain networks or a privilege that the government can revoke. It will determine whether developers can write and publish open-source code without fear of criminal liability. And it will determine whether decentralised protocols are subject to the same sanctions framework as companies and individuals.
These are not crypto-specific questions. They are fundamental questions about the relationship between technology, privacy, and state power. The answers will shape not just crypto, but the future of the open internet.
The Tornado Cash sanctions are not about money laundering. They are about whether the government can sanction code — and by extension, whether privacy on open networks is a right or a crime. The answer to that question matters far beyond crypto.