Unfortunately, not every Tornado user is a criminal. Caught in the crossfire between criminals and regulators are many ordinary crypto users.
Tornado appeals to those who don’t want their transactions and wallet addresses easily identifiable on Ethereum’s public ledger. Thus, Tornado, a crypto mixing service, spins several transactions together; this obscures the flow of funds from wallet to wallet. Now Tornado users are at risk of criminal prosecution for using the service. Many consider this a violation of their privacy rights. As Stacks cofounder, Muneeb Ali, put it, “Privacy tools are for every American.”
To concerned crypto industry insiders, Tornado’s takedown is the latest move within a pattern of new crypto regulations. This year alone, the US, UK, EU, UAE and Singapore have enacted crypto reforms. Many fear that regulatory overreaches will end all forms of privacy and lead to dystopian surveillance states.
To fight the ban, one clever troll has been using Tornado to 'dust' celebrity crypto wallets with Tornado-tied funds. The implication is that regulators will now have infinitely more wallets to monitor—a seemingly impossible task.
Though it is reasonable to fear over-regulation, many are not considering that the Treasury Department may be working in the public’s best interest. There is an existential threat to crypto out there that is MUCH bigger than regulation. The largest, most profitable, most dangerous hacking group in the world has used Tornado to launder $7 billion: the Lazarus Group.
The Lazarus Group is part of North Korea’s military. Their goal is to hack and extract funds from any and all possible targets on the internet. Lazarus operations are a critical source of funds for their pariah state’s nuclear program. Previous victims of Lazarus include Sony Pictures in 2014 and the NHS in 2017; lately, the North Korean hacker collective has focused on stealing crypto.
Stealing crypto is the most effective way that Lazarus can bring money into North Korea’s coffers—Tornado was a big part of that. In previous hacking efforts, the Lazarus Group’s biggest difficulty was not stealing money; it was laundering money. In a conventional attack on a bank—like Lazarus’s $1,000,000,000 e-heist from Bangladesh Bank—the international banking community was often able to freeze funds before they were cashed out and placed into North Korea’s direct control. In the Bangladesh Bank case, quick moves ensured only $81M of the stolen $1B was lost in the incident. Safeguards like these do not exist for crypto. Therefore, crypto presents a double opportunity for Lazarus: funds are easy to steal AND easy to launder.
Lazarus’ list of crypto victims is long. From smaller attacks on Coinlink, Bithumb, Nicehash, Youbit, to the massive $615M exploit of Axie Infinity’s Ronin network, no one in crypto is safe from Lazarus. And unfortunately, mixers like Tornado make recovering stolen funds nearly impossible. Thus, many have voiced cautious support for the Treasury Department’s ban on Tornado Cash.
Messari founder, Ryan Selkis, voiced concerns about privacy but lamented living “in a world where North Korea can effectively seize 10% of M1 through bridge hacks.” Author Mark Jeffrey commented, “Post exploit, it’s usually Tornado and gone. So I’m a bit conflicted, but I have to support this.”
The debate as to whether Tornado’s ban is a positive step to fight hackers, or a negative precedent that guts privacy, will only be settled as time passes. One thing is clear: privacy protocols enable the shadiest actors in the crypto space. These shady actors are what attract the attention of regulators. It’s possible that a successful campaign against Lazarus may loosen the regulatory landscape of crypto’s future. Regardless of regulatory implications, Lazarus is largely responsible for the mainstream perception that crypto is ‘risky and full of scams.’ There are many positive externalities that would come from the elimination of the Lazarus threat. In the meantime, a lot of little fish are caught in the Treasury Department’s Tornado-sized net.