Author: Huang Wenjing, Compliance Consultant at Mankiw (Shenzhen) Law Firm; Xu Xiaohui, attorney at Mankiw LLP in Shanghai Tornado Cash: Privacy Defender or Money Laundering Tool? Tornado Cash, a decentralized currency mixing protocol running on the Ethereum blockchain, was once widely used for its strong privacy protection features, which also made it a thorn in the side of regulators. In August 2022, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) added Tornado Cash to its SDN List, accusing it of being used for money laundering, specifically by the North Korean hacker group Lazarus Group, to process over $1 billion in illicit funds. This move marked the first time the United States had sanctioned an on-chain project, and it shook the entire crypto industry. However, on March 21, 2025, things took a turn for the better. The U.S. Treasury Department abruptly withdrew its sanctions order, removing the blacklist label from Tornado Cash and all associated addresses. This decision wasn't entirely unexpected. As early as November 2024, the U.S. Court of Appeals for the Fifth Circuit had already issued a cold response to the Treasury Department, finding that Tornado Cash's core smart contract did not meet the definition of "property" and that the sanctions were an unauthorized act. But the lifting of sanctions doesn't mean the developers are off the hook. Alexey Pertsev was sentenced to five years and four months in prison for money laundering by a Dutch court in May 2024, while Roman Storm, based in the United States, remains mired in legal turmoil. This lawsuit has sparked a debate: should open-source code authors be held liable for the misuse of their tools? The Solana Policy Institute provided $500,000 in funding for Storm and Pertsev's legal defense, emphasizing that "writing code is not a crime." Ethereum founder Vitalik Buterin and others have also raised funds for their defense, demonstrating the crypto community's high level of interest in this case. Roman Storm: Charged with money laundering, jury remains undecided In August 2023, Roman Storm was indicted by US prosecutors on eight counts, including money laundering, sanctions violations, and operating an unregistered money transmission business. On July 14, 2025, Storm's trial began in Manhattan, New York. Although the jury failed to reach a unanimous verdict on the money laundering and sanctions violations charges, resulting in those charges being dismissed or pending, Storm was still convicted of conspiracy to operate an unregistered money transmission business and faces a maximum sentence of five years. This ruling sparked widespread debate. Some argued that Storm, as a technology developer, should enjoy the right to free speech and should not be held responsible for the misuse of the decentralized tool he created. Others argued that while Storm could not control every detail of the protocol's use, if he knew the tool was widely used for illegal activities and failed to control it, he should be held accountable for its misuse. Technology is not guilty: the boundary between law and morality The slogan "Technology is innocent" is quite popular in the open source community and among believers in decentralization. The logic behind it is simple: the tool itself is neutral, and the guilt lies with the people who use it. Many countries, particularly the United States, generally consider technology developers to be creators entitled to free speech, meaning the code they write shouldn't automatically be held liable for abuse. For example, under Section 230 of the Communications Decency Act, internet service providers are generally not liable for the actions of users on their platforms. While this provision primarily applies to internet platforms, it offers similar protections to developers of decentralized protocols, assuming they don't directly engage in illegal conduct. However, not all countries fully embrace this concept. For example, in the Netherlands, Tornado Cash developer Alexey Pertsev was sentenced for allegedly aiding money laundering. Dutch courts have held that open source software developers may bear some liability for the misuse of their tools. This reflects the varying perspectives and understandings of technological liability across different jurisdictions. Determination of money laundering crime In the United States, money laundering is typically prosecuted under the Money Laundering Control Act. Under the Act, money laundering involves the illegal transfer of funds through banks or other financial institutions to conceal, disguise, or legitimize illicit proceeds. The elements of money laundering primarily include the illicit origin of the funds and the various transactions conducted to conceal their source. "Knowing" Standard Most jurisdictions require "knowledge that the funds were proceeds of crime" as a subjective requirement for money laundering offenses, meaning the defendant must have known that the activities they participated in involved the transfer of illegal funds. If the defendant was completely unaware of the illicit source of the funds, they generally cannot be found guilty of money laundering intent, and the United States is no exception. However, in certain circumstances, even without clear evidence of "knowledge" that the funds were derived from illegal sources, they may still be held liable for money laundering if they can prove reasonable suspicion or willful disregard of the illicit source of the funds. For example, Section 1956 of the Money Laundering Control Act explicitly states that any person who "knows or has reasonable cause to know" that a financial transaction involves illegal funds may be considered to have participated in money laundering. This means that even if there is no direct evidence that the defendant "knew" that the source of the funds was illegal, as long as there are obvious suspicious circumstances or negligent behavior, the court can still find him or her suspected of money laundering. The "knowledge" problem of Tornado Cash developers In the Tornado Cash case, whether the developers met the "knowing" standard became a key question in determining whether they should be held accountable for money laundering. According to the US prosecutors' charges, Tornado Cash's developers were accused of "intentionally" creating a tool that allowed anonymous transfers, facilitating money laundering. However, the defense argued that as developers of a decentralized protocol, they had no control or knowledge of the specific ways it could be abused. In determining whether a developer meets the “knowing” requirement, the court may consider the following factors: 1. Purpose of the Technical Tool: As an open-source, decentralized protocol, Tornado Cash was theoretically designed to enhance user privacy, not specifically for money laundering. However, whether the court can determine that the developers should have foreseen the potential for illegal activities when designing the tool remains a controversial issue. 2. Public Information and Warnings: If the developer or the community is aware that the tool is frequently used for illegal transactions but still does not take any measures to stop or warn, the court may find that the developer has the subjective intent of "knowing" or willful neglect. 3. Developers’ Conduct and Responsibility: U.S. prosecutors may argue that if Tornado Cash developers had sufficient knowledge of the potential misuse of their tool or failed to implement necessary constraints or monitoring on the tool’s anonymity, they could be deemed to have “knowingly” used the tool for money laundering. These factors, from different perspectives, have ignited a discussion about the responsibilities of developers in designing decentralized financial instruments. While the technology itself isn't inherently criminal, defining developer liability for its misuse is a complex and multifaceted issue. As the case progresses, how the law balances innovation and compliance may influence the future direction of blockchain technology. Conclusion: Who will bear the cost of innovation? The Tornado Cash case transcends the fate of individual developers; it is defining the boundaries of the entire decentralized finance industry. If even the authors of open source code can be jailed for the illegal activities of their users, who will dare to innovate? Conversely, if anonymity tools are allowed to flourish unchecked, won't criminal activity become even more rampant? This case is likely to be a bellwether for the future—its outcome will not only determine Storm's fate but also set a standard for the entire crypto community's code of conduct. On the balance between privacy and compliance, how will technology, law, and society find a compromise? Perhaps the answer, like blockchain itself, still awaits consensus.Author: Huang Wenjing, Compliance Consultant at Mankiw (Shenzhen) Law Firm; Xu Xiaohui, attorney at Mankiw LLP in Shanghai Tornado Cash: Privacy Defender or Money Laundering Tool? Tornado Cash, a decentralized currency mixing protocol running on the Ethereum blockchain, was once widely used for its strong privacy protection features, which also made it a thorn in the side of regulators. In August 2022, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) added Tornado Cash to its SDN List, accusing it of being used for money laundering, specifically by the North Korean hacker group Lazarus Group, to process over $1 billion in illicit funds. This move marked the first time the United States had sanctioned an on-chain project, and it shook the entire crypto industry. However, on March 21, 2025, things took a turn for the better. The U.S. Treasury Department abruptly withdrew its sanctions order, removing the blacklist label from Tornado Cash and all associated addresses. This decision wasn't entirely unexpected. As early as November 2024, the U.S. Court of Appeals for the Fifth Circuit had already issued a cold response to the Treasury Department, finding that Tornado Cash's core smart contract did not meet the definition of "property" and that the sanctions were an unauthorized act. But the lifting of sanctions doesn't mean the developers are off the hook. Alexey Pertsev was sentenced to five years and four months in prison for money laundering by a Dutch court in May 2024, while Roman Storm, based in the United States, remains mired in legal turmoil. This lawsuit has sparked a debate: should open-source code authors be held liable for the misuse of their tools? The Solana Policy Institute provided $500,000 in funding for Storm and Pertsev's legal defense, emphasizing that "writing code is not a crime." Ethereum founder Vitalik Buterin and others have also raised funds for their defense, demonstrating the crypto community's high level of interest in this case. Roman Storm: Charged with money laundering, jury remains undecided In August 2023, Roman Storm was indicted by US prosecutors on eight counts, including money laundering, sanctions violations, and operating an unregistered money transmission business. On July 14, 2025, Storm's trial began in Manhattan, New York. Although the jury failed to reach a unanimous verdict on the money laundering and sanctions violations charges, resulting in those charges being dismissed or pending, Storm was still convicted of conspiracy to operate an unregistered money transmission business and faces a maximum sentence of five years. This ruling sparked widespread debate. Some argued that Storm, as a technology developer, should enjoy the right to free speech and should not be held responsible for the misuse of the decentralized tool he created. Others argued that while Storm could not control every detail of the protocol's use, if he knew the tool was widely used for illegal activities and failed to control it, he should be held accountable for its misuse. Technology is not guilty: the boundary between law and morality The slogan "Technology is innocent" is quite popular in the open source community and among believers in decentralization. The logic behind it is simple: the tool itself is neutral, and the guilt lies with the people who use it. Many countries, particularly the United States, generally consider technology developers to be creators entitled to free speech, meaning the code they write shouldn't automatically be held liable for abuse. For example, under Section 230 of the Communications Decency Act, internet service providers are generally not liable for the actions of users on their platforms. While this provision primarily applies to internet platforms, it offers similar protections to developers of decentralized protocols, assuming they don't directly engage in illegal conduct. However, not all countries fully embrace this concept. For example, in the Netherlands, Tornado Cash developer Alexey Pertsev was sentenced for allegedly aiding money laundering. Dutch courts have held that open source software developers may bear some liability for the misuse of their tools. This reflects the varying perspectives and understandings of technological liability across different jurisdictions. Determination of money laundering crime In the United States, money laundering is typically prosecuted under the Money Laundering Control Act. Under the Act, money laundering involves the illegal transfer of funds through banks or other financial institutions to conceal, disguise, or legitimize illicit proceeds. The elements of money laundering primarily include the illicit origin of the funds and the various transactions conducted to conceal their source. "Knowing" Standard Most jurisdictions require "knowledge that the funds were proceeds of crime" as a subjective requirement for money laundering offenses, meaning the defendant must have known that the activities they participated in involved the transfer of illegal funds. If the defendant was completely unaware of the illicit source of the funds, they generally cannot be found guilty of money laundering intent, and the United States is no exception. However, in certain circumstances, even without clear evidence of "knowledge" that the funds were derived from illegal sources, they may still be held liable for money laundering if they can prove reasonable suspicion or willful disregard of the illicit source of the funds. For example, Section 1956 of the Money Laundering Control Act explicitly states that any person who "knows or has reasonable cause to know" that a financial transaction involves illegal funds may be considered to have participated in money laundering. This means that even if there is no direct evidence that the defendant "knew" that the source of the funds was illegal, as long as there are obvious suspicious circumstances or negligent behavior, the court can still find him or her suspected of money laundering. The "knowledge" problem of Tornado Cash developers In the Tornado Cash case, whether the developers met the "knowing" standard became a key question in determining whether they should be held accountable for money laundering. According to the US prosecutors' charges, Tornado Cash's developers were accused of "intentionally" creating a tool that allowed anonymous transfers, facilitating money laundering. However, the defense argued that as developers of a decentralized protocol, they had no control or knowledge of the specific ways it could be abused. In determining whether a developer meets the “knowing” requirement, the court may consider the following factors: 1. Purpose of the Technical Tool: As an open-source, decentralized protocol, Tornado Cash was theoretically designed to enhance user privacy, not specifically for money laundering. However, whether the court can determine that the developers should have foreseen the potential for illegal activities when designing the tool remains a controversial issue. 2. Public Information and Warnings: If the developer or the community is aware that the tool is frequently used for illegal transactions but still does not take any measures to stop or warn, the court may find that the developer has the subjective intent of "knowing" or willful neglect. 3. Developers’ Conduct and Responsibility: U.S. prosecutors may argue that if Tornado Cash developers had sufficient knowledge of the potential misuse of their tool or failed to implement necessary constraints or monitoring on the tool’s anonymity, they could be deemed to have “knowingly” used the tool for money laundering. These factors, from different perspectives, have ignited a discussion about the responsibilities of developers in designing decentralized financial instruments. While the technology itself isn't inherently criminal, defining developer liability for its misuse is a complex and multifaceted issue. As the case progresses, how the law balances innovation and compliance may influence the future direction of blockchain technology. Conclusion: Who will bear the cost of innovation? The Tornado Cash case transcends the fate of individual developers; it is defining the boundaries of the entire decentralized finance industry. If even the authors of open source code can be jailed for the illegal activities of their users, who will dare to innovate? Conversely, if anonymity tools are allowed to flourish unchecked, won't criminal activity become even more rampant? This case is likely to be a bellwether for the future—its outcome will not only determine Storm's fate but also set a standard for the entire crypto community's code of conduct. On the balance between privacy and compliance, how will technology, law, and society find a compromise? Perhaps the answer, like blockchain itself, still awaits consensus.