Assessing the Tornado Cash Indictment against FinCEN’s 2019 Guidance Applying Money Transmission Rules to Crypto Businesses

by Benjamin Gruenstein, Evan Norris, and Daniel Barabander


Introduction

On August 23, 2023, the U.S. Attorney’s Office for the Southern District of New York announced the unsealing of an indictment against Roman Storm and Roman Semenov charging, among other things, conspiracy to operate an unlicensed money transmitting business in connection with their role as founders of Tornado Cash, from at least March 2022 until August 8, 2022.[1]  A significant focus of the indictment is the “secret note” that customers used when depositing to and withdrawing from Tornado Cash, a “mixing service” that the indictment alleges “combined multiple unique features to execute anonymous financial transactions in various cryptocurrencies for its customers.”  (¶¶ 1, 15, 18, 24.)  However, despite allegations that the secret note was transmitted through various components of Tornado Cash that the founders controlled when a customer withdrew funds, in reality, the customer never relinquished control over the secret note.  Rather, she sent only a “proof” that revealed nothing about the secret note and could only be validated by the smart contract to send funds directly from the smart contract to the customer.  In this way, the founders may have exercised “necessary” control over funds, meaning that when the customer used Tornado Cash, components of the system the founders allegedly controlled may have been necessary to send the message to transfer the value in that particular transaction.  However, based on our review of how the secret note worked during the period when the founders are alleged to have conspired to operate a money transmission business, the founders did not exercise “sufficient” control, meaning these components could not have transferred value independently from the customer.  This is because Tornado Cash and its founders had no ability during this period to access the secret note to dictate how funds would be transferred.  

This distinction between types of control is critical.  Under the U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s (“FinCEN”) non-binding 2019 guidance, a “money transmitter” must have “total independent control” over customer funds to qualify as such, which we interpret based on our review of the guidance to require both “necessary” and “sufficient” control.[2]  Without access to a customer’s secret note, the Tornado Cash founders could not have had the requisite control over customer funds to qualify as a money transmitter under FinCEN’s 2019 guidance.[3]

Legal Background

The criminal statute that is the object of Count Two of the Tornado Cash indictment, conspiracy to operate an unlicensed money transmitting business, 18 U.S.C. § 1960(b)(1), provides that a party operates an unlicensed money transmitting business if, among other things, it fails to register with FinCEN when required to do so under the Bank Secrecy Act and FinCEN regulations.  A “money transmitter” is defined under FinCEN regulations as:  (a) a “person that provides money transmission services” or (b) any “other person engaged in the transfer of funds.”[4]  While the term “engaged in the transfer of funds” is not defined, the term “money transmission services” is defined as “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.”

In 2019, FinCEN published a detailed, 30-page guidance, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” the most substantive analysis the agency has provided to date regarding Web 3 systems.  The guidance describes various crypto business models and sets forth the agency’s view as to whether they involve money transmission services.  While FinCEN’s determinations are largely facts and circumstances specific to various business models, its analysis regarding one such business model—wallet providers—stands out in that it goes beyond particular facts and circumstances to define a principle of what money transmission generally means.  This principle is whether the party exercises “total independent control” over the value being transmitted.[5]

We go into more detail in the working paper as to why we believe total independent control constitutes both “necessary” and “sufficient” control over customer funds.[6] While the notion of total independent control is discussed in the context of describing wallet providers as a business model, that should not limit its applicability to wallet providers.  As FinCEN makes clear, the “guidance applies to any business model that fits the same key facts and circumstances described in the guidance, regardless of its label” because “[t]he regulatory interpretation of the [Bank Secrecy Act] obligations of persons that act as intermediaries between the owner of the value and the value itself is not technology-dependent.”[7] 

As we next discuss, it is unclear how the founders could operate a money transmission business under this guidance because, based on our review, at no point during the relevant period did Tornado Cash, or the founders through it, exercise total independent control over customer funds.

Applying the 2019 FinCEN Guidance to Tornado Cash

Tornado Cash operates as a “mixer” for customers to anonymize ownership of crypto assets.  A customer can deposit funds into smart contracts, either by calling the smart contracts directly or using the Tornado Cash user interface (“UI”).  As the indictment alleges, other customers also can deposit into these smart contracts, meaning their assets are “commingled” in the smart contract.  (¶ 50.)  As the indictment further alleges, as part of the deposit process, the customer generates a “secret note,” which is not shared with any other party or the smart contract into which the customer deposits.  (¶ 15.)

While the indictment contains many technical details, it does not fully describe the important next step—the withdrawal process—from a technical perspective.  To do that, we reviewed the public smart contract code, a summary of which follows.[8]

To withdraw her funds, the customer calls a function on the smart contract she deposited into either directly, using the UI, or through a party called a “relayer” (which increases anonymity).  To do so, the customer utilizes a “zero knowledge proof.”[9]  A zero knowledge proof is a cryptographic protocol used to prove something is true without revealing any information as to why it is true.  Zero knowledge proofs have a “prover,” who is trying to prove something is true, and a “verifier,” who is verifying that the thing is true.  During the withdrawal process, the customer acts as the prover and the smart contract acts as the verifier.  The customer runs a “proving algorithm” which uses cryptography to generate a “proof,” a value that reveals nothing about the secret note.  The customer runs this proving algorithm on her local device, passing in the secret note and other “public” inputs, such as her destination address (the address to which to withdraw).  These public values are bound to the proof, so if any party were to change any of these values the proof would fail verification.  Because the proving algorithm is run on the customer’s device, the secret note is never shared with another party in generating the proof.  This proof is then sent to the smart contract, which runs a “verifying algorithm.”  The verifying algorithm uses cryptography to determine whether the proof is valid for the other “public” inputs (such as the customer’s destination address), which prevents these inputs from being changed (and the proof remaining valid) by any party in possession of the proof.  The verifying algorithm cryptographically guarantees that the customer knows a secret note that was used when depositing (without revealing anything about which deposit was the customer’s).  Again, the information about the secret note is not revealed in the proof.

From this description it is clear that, contrary to certain of the allegations in the indictment,[10] the customer never shares the secret note with any other party or the smart contract.  Rather, it is the proof that the customer shares with the smart contract and it is the proof that the smart contract validates when the customer wants to withdraw her assets.  In fact, the customer can send the proof to the smart contract directly, through the UI, or using a relayer.  Along with the proof, the customer will send values that are inextricably intertwined with the proof and cannot be changed and still permit the withdrawal of funds, including the customer’s destination address.
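
The prover/verifier split described above can be shown with a much simpler construction. The following is an added example, not code from the working paper or from Tornado Cash: it substitutes a Schnorr proof of knowledge with a Fiat-Shamir challenge for the zero knowledge proof system the contracts use, so it shows the secret staying local and the proof being bound to the destination address, but it does not hide which deposit is being withdrawn. All function names and the sample addresses are assumptions made for the illustration.

```python
import hashlib
import secrets

# secp256k1 domain parameters (a standard curve, used here only as a convenient group).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    if a is None or b is None:            # None is the point at infinity
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):
    acc = None                            # double-and-add; not constant time
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge(commitment, r, recipient):
    """Fiat-Shamir hash over the public inputs, which binds them to the proof."""
    data = repr((commitment, r, recipient.lower())).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def prove(note, recipient):
    """Prover (customer's device): uses the note, outputs only (r, s)."""
    k = secrets.randbelow(N - 1) + 1
    r = mul(k, G)
    return r, (k + challenge(mul(note, G), r, recipient) * note) % N

def verify(commitment, recipient, r, s):
    """Verifier (the contract's role): never receives the note."""
    return mul(s, G) == add(r, mul(challenge(commitment, r, recipient), commitment))

def demo():
    note = secrets.randbelow(N - 1) + 1        # secret; stays with the customer
    commitment = mul(note, G)                  # public value recorded at deposit
    mine, other = "0x" + "a1" * 20, "0x" + "b2" * 20   # constructed addresses
    proof = prove(note, mine)                  # all that a relayer would receive
    forged = prove(note + 1, mine)             # attempt without the real note
    return (verify(commitment, mine, *proof), verify(commitment, other, *proof),
            verify(commitment, mine, *forged))
```

`demo()` returns one result each for the customer's own address, a swapped destination address, and a proof built without the real note.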

This point is fundamental because, without access to customers’ secret notes, the founders could not have total independent control of the value during the period in which they are charged with conspiring to operate an unlicensed money transmission business.[11]  This is because (1) the valid proof required to unlock and transfer the funds could only be generated by the customer with the secret note, which the founders did not have access to; (2) the proof revealed nothing about the secret note; and (3) the proof was only valid for the values specified by the customer, including the destination address the customer set.  This means that the founders had at most necessary control over the value being transferred—meaning that when the customer used Tornado Cash, components that the founders allegedly controlled may have been necessary to send the message to transfer the value in that particular transaction—but not sufficient control—meaning the founders could not have transferred value independently from the customer.  Thus, the founders lacked the “total independent control” we believe is required under FinCEN’s 2019 guidance for a party to be a money transmitter.

Conclusion

While FinCEN’s 2019 guidance is not binding on FinCEN or the Department of Justice, and does not have the force of law, it remains the best resource to consult from the agency that promulgated the rules defining a money transmitter to understand, from the agency’s perspective, what those rules mean in the context of crypto assets.  And the guidance establishes “total independent control” as the feature underpinning money transmission analysis in decentralized systems.  Understanding how the secret note functions—and its distinction from a proof—shows that the founders exercised some, but not “total,” control over customer funds.  If the government is going to be bound by FinCEN guidance, it remains to be seen whether and how it will be able to establish that the founders exercised both necessary and sufficient control over funds, and thus that they conspired to operate an unlicensed money transmitting business.

Footnotes

[1] This post is an abridged version of a recent working paper published by the International Academy of Financial Crime Litigators.  See Benjamin Gruenstein, Evan Norris, & Daniel Barabander, Secret Notes And Anonymous Coins: Examining FinCEN’s 2019 Guidance On Money Transmitters In The Context Of The Tornado Cash Indictment, The International Academy of Financial Crime Litigators (Sept. 1, 2023), https://www.cravath.com/a/web/qyCBWVBLEMsqxPHtd9ykoc/87ntut/the-international-academy-of-financial-crime-litigators.pdf.

[2] FinCEN, FIN-2019-G001 Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (May 9, 2019) 16–17, https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf [hereinafter FinCEN 2019 Guidance].

[3] This analysis could change if the founders controlled the smart contracts themselves.  However, during the relevant period for the unlicensed money transmitting business charge, the indictment alleges that the founders had relinquished control over the smart contracts.  (¶ 26.) 

[4] 31 C.F.R. § 1010.100(ff)(5)(i).

[5] FinCEN 2019 Guidance at 16–17.

[6] See supra note 1.

[7] FinCEN 2019 Guidance at 15.

[8] The working paper provides the relevant code snippets and cites the specific smart contract we reviewed.  See supra note 1.

[9] For a detailed technical explanation of how zero knowledge proofs function, see David J. Kappos, Sasha Rosenthal-Larrea, Carys J. Webb & Daniel M. Barabander, Zero-Knowledge Proofs, Cravath Tech Explainers, https://www.cravath.com/a/web/sfNP12H6cmYa73WctnCCqa/8azMYJ/cravath-tech-explainer-zkps.pdf.

[10] The indictment alleges that during the withdrawal process the “UI sen[ds] the secret note to a smart contract” (¶ 18), the “relayer transmit[s] the secret note to the Tornado Cash smart contract” (¶ 24), and that the smart contract “validate[s] the secret note” (¶ 18).

[11] See supra note 3.

Benjamin Gruenstein and Evan Norris are Partners and Daniel Barabander is an Associate at Cravath, Swaine & Moore LLP. This post was originally published on the firm’s blog.
