Tornado Cash Co-Founders Accused of Helping Cybercriminals Launder Stolen Crypto

Clients of Tornado Cash included the Lazarus Group—a Democratic People’s Republic of Korea-sponsored cybercriminal organization

Two men who helped create a service that blurs cryptocurrency transaction histories are facing federal charges after they allegedly conspired to launder money for criminal actors, violate U.S. government sanctions, and operate an unlicensed money transmitting business.

Washington state resident Roman Storm and Russian national Roman Semenov, two founders of the cryptocurrency mixer Tornado Cash, stand accused of helping move over $1 billion in virtual currency for criminal actors.

These clients included the Lazarus Group—a Democratic People’s Republic of Korea-sponsored cybercriminal organization sanctioned by the U.S. Department of the Treasury in 2019.

“The charges in the indictment arise from the defendants’ alleged creation, operation, and promotion of Tornado Cash, a cryptocurrency mixer that facilitated more than $1 billion in money laundering transactions and laundered hundreds of millions of dollars for the Lazarus Group,” the Justice Department wrote in an August 23 press release. Investigative efforts by the FBI New York Field Office and IRS-Criminal Investigation made the indictment possible.

According to the recently unsealed indictment, the duo had full knowledge that bad actors were using their services—and, consequently, understood they were violating sanctions—but decided to turn a blind eye to the money laundering.

How Cryptocurrency Mixers Work

Whenever someone carries out a cryptocurrency transaction, proof of that transaction is encoded into the currency itself. This digital ledger, known as the blockchain, lets crypto users verify the legitimacy—or lack thereof—of transactions by viewing a record of the cryptocurrency wallets that virtual tokens originated from and moved to. However, the blockchain doesn’t name the owners of the cryptocurrency wallets involved in transactions.

Cryptocurrency mixers like Tornado Cash further enhance the level of anonymity by muddying these transaction histories.

To better understand the way a cryptocurrency mixer works, imagine a bank that’s open 24/7. When you use the bank, instead of getting an account of your own, you’re able to make a deposit into one massive, shared account.  

Because your money isn’t kept separately from everyone else’s, when you deposit funds, you receive a code that can be used to get it back out later. You can keep that code to yourself or share it with someone you know so that they can pick up the money instead. The choice is yours, but, in either case, the transaction can be carried out anonymously.   

The bank tracks how much money enters and leaves the shared account to ensure that no one’s funds get stolen—because the bank would be liable. But it doesn’t track who put in or removed money from the shared account, when they did so, or why.  

This is a dramatized example of how a law-abiding citizen could theoretically use a cryptocurrency mixer—which acts as a shared storage unit for virtual currency—to move their tokens in an anonymous, decentralized way.   

“It kind of breaks that chain in the transaction history, which is really how you trace cryptocurrency within the blockchain as you see how it moves from wallet to wallet to wallet,” explained Assistant Special Agent in Charge Paul Roberts, who leads the FBI New York Field Office’s Complex Financial Crimes Branch.

Know Your Customer (KYC) and Bank Secrecy Act (BSA) rules enforced by the Treasury Department’s Financial Crimes Enforcement Network require that cryptocurrency mixers know exactly who is using their services and how, Roberts noted. He likened these rules to the identification requirements and mandatory forms associated with opening a new bank account.

However, Tornado Cash ignored these rules, and the company’s posture allowed criminal actors and organizations like the Lazarus Group to launder money through the service.

“Tornado Cash should have been registered as a money services business and should have been requiring people who are using their service to register those forms,” Roberts said. A criminal syndicate wouldn’t likely admit to opening an account with nefarious intentions, but required paperwork could have at least raised a red flag about the account holder’s identity, Roberts added. And, in theory, Storm and Semenov could have stopped the money laundering before it started.

To further complicate matters, even though the Lazarus Group wasn’t required to complete paperwork to use Tornado Cash, Storm and Semenov still knew the group was using their service—and allowed it to do so.

“[Storm and Semenov] implemented a change in the service so that they could make a public announcement that they were compliant with sanctions, but in their private chats, they agreed that this change would be ineffective,” the Justice Department wrote. “They then continued to operate the Tornado Cash service and facilitate hundreds of millions of dollars in further sanctions-violating transactions, helping the Lazarus Group to transfer criminal proceeds from a cryptocurrency wallet that had been designated by the Office of Foreign Assets Control as blocked property.”

These actions collectively led to their indictment on charges related to money laundering, defying sanctions, and operating an unlicensed company.

Holding Cryptocurrency Companies Accountable

FBI Director Christopher Wray said news of the indictment “should remind criminal organizations everywhere in the world that they are neither untraceable nor anonymous.”


“You can’t hide from us behind a keyboard—whether you’re a hacker or facilitator,” Director Wray said, adding that the Bureau will continue to take down the infrastructure that criminal actors use to carry out and make money from their crimes—and to hold their accomplices accountable.

Even though Storm and Semenov chose to let criminal actors use Tornado Cash, the Justice Department noted that cybercrime victims alerted the duo to their suspicions about the Lazarus Group’s use of the service.

If members of the public suspect that a cryptocurrency service of any kind is being manipulated by bad cyber actors, Roberts says they should contact the FBI.

“A big component of all financial crime cases we work is to try to recover the funds on behalf of the victims,” he said. “If you come to the FBI, we’re going to do what we can with that information.”

And while Roman Storm was taken into federal custody on August 23 in Washington state, the FBI is seeking the public’s help to locate Roman Semenov, who remains at large.

To submit a tip about Semenov’s whereabouts—or to alert the FBI to possible cybercrimes involving cryptocurrency—you should contact the Bureau by calling 1-800-CALL-FBI (225-5324) or visiting tips.fbi.gov. No piece of information is too small to make a difference, and you can submit tips anonymously.