November 8, 2022

OFAC Redesignates Privacy-Enhancing Virtual Currency Protocol

Michael T. Gershberg Commentary by Michael T. Gershberg

OFAC redesignated a privacy-enhancing virtual currency mixing service that utilizes smart contracts ("the protocol") "for its role in enabling malicious cyber activities, which ultimately support the Democratic People’s Republic of Korea's ("DPRK") WMD program."

As previously covered, OFAC initially sanctioned the protocol under the cyber-related sanctions program for enabling a DPRK state-sponsored cyber hacking group to obfuscate $455 million in stolen funds. OFAC redesignated the entity under the DPRK sanctions program as well, and said that the new designation supersedes the previous designation in its entirety.

Specifically, OFAC sanctioned the protocol for providing material support to (i) the DPRK and its WMD program and (ii) cyber activities that pose a threat to national security, foreign policy, economic health or financial stability of the United States. OFAC said that bad actors used smart contracts offered by the protocol to "obfuscate the source of funds derived from cyber heists."

OFAC also issued one new FAQ relating to the redesignation to clarify the "person" sanctioned pursuant to EO 13722 ("Blocking Property of the Government of North Korea and the Workers' Party of Korea, and Prohibiting Certain Transactions With Respect to North Korea") and amended three FAQs to account for the new designation.


In response to criticism that Tornado Cash is not an "entity" that may be sanctioned under statutory authorities, OFAC provided additional identifying information. OFAC noted that Tornado Cash's "organizational structure" consists of its founders and other developers who launched the protocol, as well as the decentralized autonomous organization ("DAO") responsible for governance.

However, OFAC has not sanctioned any of these individuals or DAO members. While OFAC may have reasonable arguments for its statutory authority to designate Tornado Cash, it is still unclear how far this asset freeze extends, including the applicability of the sanctions to the constituent parts of Tornado Cash's "organizational structure."

Accordingly, many questions remain regarding OFAC's interpretation and enforcement of sanctions targeting software protocols.

Email me about this