Developers and operators of decentralized privacy protocols are still vulnerable to potential US sanctions enforcement despite Tornado Cash smart contracts being removed from the sanctions list by the Treasury Department’s Office of Foreign Assets Control (OFAC) in March. The Fifth Circuit Court of Appeals ruled that Tornado Cash’s smart contracts do not constitute property under the International Emergency Economic Powers Act (IEEPA). However, the Treasury continues to assert broad discretion over mutable protocols and developers associated with them, suggesting that they may still be targeted for sanctions in the future.
The Treasury’s response to the Van Loon v. Department of Treasury ruling indicates that it does not view the court’s decision as limiting its authority to sanction decentralized technologies. Even though OFAC removed Tornado Cash’s smart contracts from its Specially Designated Nationals (SDN) list, it framed the action as discretionary and reserved the ability to reimpose sanctions if conditions change. The agency’s decision to retain sanctions on Roman Semenov, a Tornado Cash co-founder, demonstrates the Treasury’s ongoing enforcement strategy, highlighting the broader implications for developers of DeFi protocols and privacy applications.
The Tornado Cash case has highlighted the ambiguity in OFAC’s designation standards, particularly in relation to cyber-related threats and North Korea sanctions. The Treasury’s expansive authority to designate entities supporting cybercrime or the North Korean regime has introduced legal uncertainty when applied to decentralized software and anonymous users. OFAC has not clearly defined how it distinguishes between these frameworks in practice, leaving developers unsure of potential liability for indirectly enabling sanctioned behavior.
Despite the removal of Tornado Cash’s smart contracts from the sanctions list, the US District Court is yet to issue a final ruling on the matter. The outcome of this decision could impact the Treasury’s ability to sanction other smart contracts or DeFi protocols in the future. In the meantime, privacy tool developers and decentralized protocol contributors operate in a regulatory gray zone, where the risk of designation or criminal charges may depend more on their software’s perceived uses than on any intent.
The Treasury’s approach to the Tornado Cash case indicates a reluctance to establish a judicial precedent and a preference for discretionary actions over setting clear regulatory boundaries. The lack of detailed guidance on evaluating liability for those indirectly connected to sanctioned behavior further complicates the legal landscape for developers in the DeFi space. The government’s continued enforcement stance suggests that sanctions-related exposure remains a significant concern for the industry, underscoring the need for clearer regulatory frameworks and guidelines for decentralized technologies.
