The U.S. government sanctioned open-source crypto software Tornado Cash. The tech industry is watching nervously.

When “code is law” meets U.S. law.

How do you ban an open-source software project and make it stick?


“They weren’t just sanctioning a specific entity or user like from, in this case, North Korea,” said Seth For Privacy, the pseudonym of a privacy educator whose work focuses on the cryptocurrency ecosystem.

“Instead, they’re sanctioning the entire tool, the entire open-source tool of decentralized smart contracts on [the cryptocurrency] Ethereum,” he said. “They went after the entire tool itself that had been used by an entity that was sanctioned. So that was a big, big shift from previously where normally sanctions are targeting an entity using a tool.”

How did we get here?

The Treasury Department added Tornado Cash to its sanctions list, known as the Specially Designated Nationals and Blocked Persons List (SDN list), for allegedly laundering hundreds of millions of dollars' worth of cryptocurrency stolen by hackers affiliated with the North Korean government.

In its statement, the Treasury Department said Tornado Cash “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group,” a state-sponsored North Korean hacking group sanctioned by the U.S. in 2019, in what the department described as the largest known virtual currency heist to date.

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said Undersecretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson in a statement. “Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”

Contrary to popular belief, few cryptocurrency transactions are private.

Public blockchains, which can be thought of as shared digital ledgers, keep a permanent record of every transaction. Wallet addresses, the alphanumeric strings to which funds are sent, are pseudonymous rather than anonymous: the people behind them can often be identified.

Indeed, people publicly post their wallet addresses online, and blockchain analytics companies such as Chainalysis and Elliptic have built entire business models on pulling back the curtain and tracking cryptocurrency transactions.

They identify, categorize and track addresses in real time, using modeling and visualizations to follow funds as they move across a blockchain and to flag patterns of behavior. In short, they follow the money.

Tornado Cash is a mixer: it obscures the origins and destinations of cryptocurrency transactions and makes them harder to trace, even for law enforcement. Users send funds to a smart contract on the Ethereum blockchain, where they are pooled with everyone else's deposits, and later withdraw them to a different address. Because a withdrawal is not linked on-chain to any particular deposit, the trail stops at the contract. Those contract addresses were placed on the sanctions list even though no one owns them; each is merely code, a series of ones and zeros executing a task.
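The tracing and mixing mechanics described above, as an added example that is not from the original article and is not Tornado Cash's own code. It models a ledger as a directed graph, follows funds breadth-first the way an analytics firm would, and treats a pooled contract as opaque, since a withdrawal from a pool is not linked on-chain to any particular deposit. All addresses (0xHACKER, 0xPOOL and the rest) and every transaction are constructed placeholders, and the pool is a stand-in for the idea of a mixer, not a model of Tornado Cash's actual contracts.

```python
"""Toy transaction-graph tracing with a pooled mixer contract in the path.

Added example; not Tornado Cash code. All addresses and transactions below
are constructed placeholders, not real on-chain data.
"""
from collections import defaultdict, deque

# Constructed placeholder addresses (assumptions for the example).
POOL = "0xPOOL"            # stands in for a pooled mixer contract
SANCTIONED = {"0xHACKER"}  # stands in for an address on a sanctions list

# Constructed ledger: (tx_id, sender, receiver, amount). Fixed-size deposits
# and withdrawals, as a pool would require, so amounts alone reveal nothing.
LEDGER = [
    ("t1", "0xEXCHANGE", "0xALICE", 100.0),
    ("t2", "0xHACKER", "0xH1", 100.0),
    ("t3", "0xH1", "0xH2", 100.0),
    ("t4", "0xH2", POOL, 100.0),      # tainted funds enter the pool
    ("t5", "0xALICE", POOL, 100.0),   # an unrelated user deposits too
    ("t6", POOL, "0xFRESH1", 100.0),  # withdrawals go to fresh addresses
    ("t7", POOL, "0xFRESH2", 100.0),
    ("t8", "0xFRESH1", "0xOTC", 100.0),
]


def build_graph(ledger):
    """Adjacency list: sender -> list of (receiver, tx_id)."""
    graph = defaultdict(list)
    for tx_id, src, dst, _amount in ledger:
        graph[src].append((dst, tx_id))
    return graph


def follow_money(ledger, source, opaque=frozenset()):
    """Breadth-first 'follow the money' from `source`.

    Returns {address: hops}. Addresses in `opaque` are recorded when reached
    but never expanded: a pool's withdrawals are not attributable to any one
    deposit, so tracing through it would be guesswork, not evidence.
    """
    graph = build_graph(ledger)
    hops = {source: 0}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        if cur in opaque and cur != source:
            continue
        for nxt, _tx in graph[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def anonymity_set(ledger, pool):
    """Depositors into and withdrawers from the pool. On-chain, a withdrawal
    can only be attributed to 'one of the depositors', not a specific one."""
    deposits = {src for _, src, dst, _ in ledger if dst == pool}
    withdrawals = {dst for _, src, dst, _ in ledger if src == pool}
    return deposits, withdrawals


def sanctions_exposure(ledger, address, sanctioned, pool):
    """Screen `address` the way a compliance tool might.

    Reports the fewest hops it sits downstream of any sanctioned address
    (pool treated as opaque; None if unreachable) and whether it ever sent
    to or received from the pool, which is what the sanction itself targets.
    """
    best = None
    for bad in sanctioned:
        reach = follow_money(ledger, bad, opaque={pool})
        if address in reach and (best is None or reach[address] < best):
            best = reach[address]
    touched_pool = any(
        (src == address and dst == pool) or (src == pool and dst == address)
        for _, src, dst, _ in ledger
    )
    return {"hops_from_sanctioned": best, "touched_pool": touched_pool}


if __name__ == "__main__":
    naive = follow_money(LEDGER, "0xHACKER")
    stopped = follow_money(LEDGER, "0xHACKER", opaque={POOL})
    print("naive trace taints:", sorted(naive))
    print("trace stopping at pool:", sorted(stopped))
    print("pool anonymity set:", anonymity_set(LEDGER, POOL))
    for addr in ("0xALICE", "0xFRESH1", "0xH2", "0xOTC"):
        print(addr, sanctions_exposure(LEDGER, addr, SANCTIONED, POOL))
```

The naive trace taints every withdrawal from the pool, including the unrelated user's, which is the blunt instrument the article's sources are worried about; stopping at the pool shows what the chain actually proves. The caveat a practitioner should keep in mind is that a pool's privacy is only as strong as its anonymity set: with few depositors, or when someone withdraws the same amount shortly after depositing, the link can often be guessed from timing alone even though it is never recorded on-chain.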

Detractors of the mixer service argue that it’s used solely by criminals for money laundering. Proponents tout the privacy-preserving function, which is also used by a significant number of law-abiding people.

“While we and many others have been working alongside both sides in the aisle in a positive direction on crypto and privacy, this move blindsided everyone,” said Josh Swihart, senior vice president of growth, product strategy and regulatory affairs at Electric Coin Company, creators and supporters of the anonymity-enhancing cryptocurrency Zcash.

GitHub, which removed the project's repositories and suspended contributor accounts after the designation, addressed the move in a statement. “Trade laws require GitHub to restrict users and customers identified as Specially Designated Nationals (SDNs) or other denied or blocked parties, or that may be using GitHub on behalf of blocked parties,” a GitHub spokesperson said. “At the same time, GitHub’s vision is to be the global platform for developer collaboration. We examine government sanctions thoroughly to be certain that users and customers are not impacted beyond what is required by law.”

The impact to open source

The move to sanction a tool, rather than, for example, a cryptocurrency wallet address directly affiliated with a national security threat, has sent shock waves through the cryptocurrency community.

“The implications of [the Treasury Department] adding the Tornado Cash protocol to the sanction list was actually greater for the world beyond crypto than for crypto itself,” said Omid Malekan, an adjunct professor at Columbia Business School who teaches courses on crypto and blockchain.

The U.S. government “took the drastic step of sanctioning an open-source, decentralized protocol — specifically actually adding the Ethereum addresses of the smart contracts where the code lives,” along with the addresses to access the service, he said.

That effectively criminalizes the act of seeking financial privacy, Malekan said, and opens up a can of worms around open source — such as whether the government will charge someone who wrote code because a criminal later used that code.

Seth For Privacy said there may also be risks for users of the Tornado Cash service. He wonders what will happen with any of their funds that interacted with Tornado Cash and whether that money would be subject to criminal action.

Authorities said multiple arrests could not be ruled out.

A slippery slope

“There are 10,000 vanilla reasons why somebody would want to use Tornado Cash for something completely mundane in a way that is not remotely criminal or illicit,” Seth For Privacy said.

Hailey Lennon, a shareholder at the law firm Anderson Kill’s Technology, Media and Distributed Systems Group, said the further sanctions regimes get from a direct connection to helping terrorists and covering the source of funds, the more you get “toward developers and open source that gets really sticky.”

She also pointed out that there is a tension between national security and privacy in this case, with national security used as a justification for intruding on privacy. Similar debates play out around encrypted communications, for example.

“When 9/11 happened, it gave the Patriot Act sharper teeth,” she said. “It changed the way we travel and how financial institutions surveil transactions.”

“I think the main things for a project to be prepared for when building their project is to make sure it’s built for adversarial environments,” said Seth For Privacy. “Not assuming that the current environment will last forever, or that their tool itself will always be considered above board and OK.”
