In the Netherlands, open source software developers are now responsible for how their software is used.
Today a Dutch court convicted Alexei Burtsev, a 31-year-old Russian citizen living in the Netherlands and one of the developers of the Ethereum-based privacy tool Tornado Cash, of money laundering: he was sentenced to 64 months in prison. The fact that Burtsev never held any cryptocurrency flowing through Tornado Cash — or could even control how the smart contract worked — was considered irrelevant by the jury, because he contributed to the development of the software.
In line with Dutch prosecutor Martijn Borlage, the court ruled that Tornado Cash was essentially run like a trading company, run by PepperSec, the company founded and managed by Burtsev and his co-founders Roman Storm and Roman Semenov. Rather than simply publishing the code, the trio benefited financially from obfuscating illicit funds through the tools they built, the judges said.
Specifically, the justices ruled that Burtsev was personally responsible for laundering over $1 billion in stolen ETH, including by North Korean hackers known as the Lazarus Group. Although Burtsev was unable to prevent this from happening after launching their program, the fact that he helped launch a program that enabled it in the first place, without including the necessary measures to prevent it, was considered sufficient reason to find him guilty.
“Tornado Cash operates in the same manner as Defendant and its co-founders developed Tornado Cash,” the judges wrote. “So the process is entirely their responsibility.”
Tornado Cash
Tornado Cash is a smart contract on the Ethereum blockchain. Users can send ETH to the Tornado Cash smart contract, giving them the ability to withdraw an equal amount of ETH from the same contract. Since there was no way to link the entry and exit of ETH to Tornado Cash, the smart contract served as a privacy tool, allowing users to obfuscate their transaction history.
Besides the Tornado Cash smart contract itself, PepperSec helped develop tools that gave users easy access to the smart contract, most notably the graphical user interface (GUI). This part of the mixing infrastructure in turn relied on a separate smart contract, which facilitated the payment of withdrawal fees through private entities called “recyclers,” and was managed through a DAO (decentralized autonomous organization) and the associated TORN token.
According to the judges, the DAO did not make a meaningful difference: PepperSec was in practice still responsible for the operation of the GUI and how the relay system worked.
The Tornado Cash smart contract itself today operates completely independently of PepperSec, and is in fact still in operation. Neither Pertsev nor PepperSec ever “touched” any of the ETH passing through the Tornado Cash smart contract; That is, they never took any money. They just built a program that Ethereum users use to mix their ETH with other users, and they were unable to prevent this from happening.
Until now, it was generally assumed that this would exempt developers from applying anti-money laundering measures, but this assumption has been dropped today.
Greater importance
The ruling could have far-reaching consequences for open source software development in general, including Bitcoin software development, at least in the Netherlands.
In Bitcoin, two of the most popular mixing services are operated by companies: Wasabi Wallet and Samurai Wallet. While PepperSec claimed that its operations were technically decentralized through a DAO, Wasabi Wallet and Samurai Wallet operate more straightforwardly, providing centralized coordination through a dedicated server. Since PepperSec could be responsible for how users use Tornado Cash, it makes sense that Wasabi Wallet and Samurai Wallet would be as well.
In line with this, the US Department of Justice recently indicted the founders and developers of Samourai Wallet, Keonne Rodriguez and William “TDevD” Hill, on allegations of money laundering and running an unlicensed money transmitter. Although these arrests were made on the instructions of the US Department of Justice, today's ruling in the Netherlands may offer a glimpse of what is to come in the United States. Wasabi Wallet announced, shortly after Samourai Wallet's arrest, that it would cease operations of its mixing service later this month.
Furthermore, based on today's ruling, developers who develop privacy tools without a central coordinator in the Netherlands could be held accountable if their tools are used for illicit purposes, for example. Money laundering.
Meanwhile, Burtsev's colleagues at PepperSec, Storm and Semenov, were indicted in the US last year, with the former (who is based in the US) awaiting trial in September.
Burtsev has the option of appealing the ruling. If he does, he will have to wait for that appeal from prison, where he was detained immediately after the sentencing.
The ruling can be read in full (in Dutch). here.