WEBVTT 1 00:00:00.480 --> 00:00:03.360 Anna Delaney: Hello, welcome to Sound Off. I'm Anna Delaney. In 2 00:00:03.360 --> 00:00:06.960 early August, OFAC sanctioned virtual currency mix Tornado 3 00:00:06.960 --> 00:00:09.930 Cash, which has been used to launder more than $7 billion 4 00:00:10.230 --> 00:00:14.400 worth of virtual currency since its creation in 2019. In this 5 00:00:14.400 --> 00:00:17.130 episode of Sound Off, we'll be exploring the challenges of 6 00:00:17.130 --> 00:00:20.010 sanctioning open-source software, and what it all means, 7 00:00:20.010 --> 00:00:23.100 more generally, the device space. And at this point, I'd 8 00:00:23.100 --> 00:00:26.730 like to welcome our resident crypto expert, Ari Redbord, a 9 00:00:26.730 --> 00:00:29.580 former Treasury Department's senior adviser, and now the 10 00:00:29.580 --> 00:00:32.850 legal and government affairs lead at the blockchain analytics 11 00:00:32.850 --> 00:00:36.360 firm TRM Labs. Great to see you again, Ari. Thank you very much 12 00:00:36.360 --> 00:00:37.230 for joining us. 13 00:00:37.570 --> 00:00:39.070 Ari Redbord: Anna, it was great to join you. Thank you so much 14 00:00:39.070 --> 00:00:39.640 for having me. 15 00:00:40.240 --> 00:00:42.820 Anna Delaney: So Ari, as I mentioned, we've seen the recent 16 00:00:42.850 --> 00:00:46.210 sanctioning of Tornado Cash, which follows the sanctioning of 17 00:00:46.210 --> 00:00:51.340 Bitcoin mixer Blender.io in May this year. What's different 18 00:00:51.370 --> 00:00:53.620 about the Tornado Cash sanctions? 19 00:00:54.080 --> 00:00:55.760 Ari Redbord: Now, that's a great way to kick things off. And 20 00:00:55.790 --> 00:00:58.070 there are significant differences. And I would even go 21 00:00:58.070 --> 00:01:00.500 as far as to sort of call Tornado Cash and this recent 22 00:01:00.500 --> 00:01:05.480 sanctions exceptional. And look, I think on the one hand, you 23 00:01:05.480 --> 00:01:10.070 know, the Tornado Cash sanctions are an extension of Blender.io, 24 00:01:10.100 --> 00:01:13.760 right? This is the US Treasury Department, for national 25 00:01:13.760 --> 00:01:17.870 security reasons, going after essentially a money laundering 26 00:01:17.870 --> 00:01:21.410 concern used by North Korea to launder, you know, what TRM 27 00:01:21.410 --> 00:01:25.790 says, is about a billion dollars in hacked or stolen funds. And 28 00:01:25.790 --> 00:01:27.950 as we know, those hacked or stolen funds, when it comes to 29 00:01:27.950 --> 00:01:31.790 North Korea, will be used to fund weapons' proliferation and 30 00:01:31.790 --> 00:01:35.360 other destabilizing activities. So, in that respect, it's an 31 00:01:35.360 --> 00:01:40.760 extension of prior sanctions. But what's exceptional is this 32 00:01:40.760 --> 00:01:43.640 is really the first time that the US Treasury Department has 33 00:01:43.640 --> 00:01:47.450 also gone after open-source software. This is not sort of 34 00:01:47.450 --> 00:01:51.020 the typical entity or person that is added to the sanctions 35 00:01:51.020 --> 00:01:55.040 list - the SDN list kept by OFAC - this is essentially 36 00:01:55.160 --> 00:01:59.330 open-source software. And it was open-source software that was 37 00:01:59.330 --> 00:02:02.300 being used by North Korea. But there's lots of software that is 38 00:02:02.300 --> 00:02:06.410 used for malicious purposes. And the real question is sort of 39 00:02:06.590 --> 00:02:09.350 where do we go from here? I think the other thing that 40 00:02:09.350 --> 00:02:14.150 really makes it exceptional is that unlike, you know, smaller 41 00:02:14.300 --> 00:02:18.410 crypto services were really sort of illicit actors in the space, 42 00:02:19.460 --> 00:02:24.710 Tornado Cash is used by regular users who are looking to enhance 43 00:02:24.710 --> 00:02:29.120 privacy in a more and more open financial system. And I think 44 00:02:29.120 --> 00:02:33.050 that's really where this sort of interesting paradox lies. And 45 00:02:33.050 --> 00:02:36.380 the real key for regulators and really the crypto space is how 46 00:02:36.380 --> 00:02:39.860 do we stop illicit actors from taking advantage of 47 00:02:39.860 --> 00:02:43.550 decentralized protocols? But at the same time, you know, not 48 00:02:43.550 --> 00:02:47.660 affect regular legitimate users who need a degree of privacy, 49 00:02:47.660 --> 00:02:50.300 right? I mean, I don't want anyone to see every credit card 50 00:02:50.300 --> 00:02:53.990 transaction I do, and it's very much sort of the same reason 51 00:02:53.990 --> 00:02:55.910 that they're using these types of services. 52 00:02:56.230 --> 00:02:59.290 Anna Delaney: Right. Well, let's talk more about the difficulties 53 00:02:59.290 --> 00:03:02.530 and sanctioning Tornado Cash. As you said, it's open source, 54 00:03:02.560 --> 00:03:06.340 decentralized by design, and exists on a globally distributed 55 00:03:06.340 --> 00:03:08.320 ledger. What are the challenges? 56 00:03:09.080 --> 00:03:11.510 Ari Redbord: Yeah, I mean, the challenges are great. First of 57 00:03:11.510 --> 00:03:14.180 all, sort of, you know, the purpose of sanctions is 58 00:03:14.180 --> 00:03:18.740 essentially to stop conduct or to punish conduct, right? And 59 00:03:18.740 --> 00:03:20.990 that is potentially very difficult when it comes to 60 00:03:21.020 --> 00:03:24.620 open-source protocols, right? I mean, there are, you can 61 00:03:24.620 --> 00:03:30.920 essentially copy, paste and create, you know, Hurricane Cash 62 00:03:31.970 --> 00:03:36.020 tomorrow. And I think that is obviously a really huge issue, 63 00:03:36.080 --> 00:03:39.200 although I will say that OFAC has been dealing with that for 64 00:03:39.200 --> 00:03:41.690 years, you know, when you go after one shell company, or the 65 00:03:41.690 --> 00:03:44.630 Department of Justice or any global law enforcement entity, 66 00:03:44.930 --> 00:03:49.040 you go after one shell company and another pops up, you know, 67 00:03:49.040 --> 00:03:52.370 we sort of, we talk about whack-a-mole in sort of the law 68 00:03:52.370 --> 00:03:55.580 enforcement space - the carnival game - and that's very much what 69 00:03:55.580 --> 00:03:58.220 this is like. So on the one hand, it's very, very difficult, 70 00:03:58.220 --> 00:04:02.990 because when it is just code, it's easy to create again, but 71 00:04:02.990 --> 00:04:06.800 then really, I think, also is the key of how do you provide 72 00:04:06.800 --> 00:04:12.020 guidance that speaks to sort of regular users - this is what you 73 00:04:12.020 --> 00:04:16.940 can and cannot do vis-a-vis Tornado Cash, but then also to 74 00:04:17.090 --> 00:04:22.400 crypto entities like centralized exchanges or DeFi protocols or 75 00:04:22.430 --> 00:04:28.190 stable coin issuers? How should they mitigate risk related to 76 00:04:28.190 --> 00:04:30.710 these recent sanctions, and at TRM, that's very much sort of 77 00:04:30.710 --> 00:04:33.890 what we're working with clients really throughout the crypto 78 00:04:33.890 --> 00:04:37.610 space to figure out, sort of, well, really to provide the data 79 00:04:37.730 --> 00:04:40.490 that they need to make risk-based decisions. 80 00:04:41.560 --> 00:04:44.140 Anna Delaney: So it seems that you have further questions. It's 81 00:04:44.140 --> 00:04:48.130 interesting that how this move has drawn criticism from the 82 00:04:48.190 --> 00:04:52.180 crypto space. Crypto leaders say that they're unsure what they 83 00:04:52.180 --> 00:04:55.300 need to do to stay on the right side of the law. And you've been 84 00:04:55.300 --> 00:05:00.070 quoted this week. You've been quoted for describing the 85 00:05:00.070 --> 00:05:02.740 vagueness of the sanctions announcement as 86 00:05:02.770 --> 00:05:06.760 uncharacteristic. So I'd love to know more, but also, what 87 00:05:06.760 --> 00:05:09.400 further questions you have? What clarity do you want? 88 00:05:09.000 --> 00:05:12.090 Ari Redbord: Yeah, I'm not sure vague is fair. And if I said 89 00:05:12.090 --> 00:05:17.100 that - I did say that, I assume - I don't know that vague is 90 00:05:17.100 --> 00:05:20.310 fair. But I think what is definitely fair is that the 91 00:05:20.340 --> 00:05:24.750 crypto industry, the crypto economy, is in need of guidance, 92 00:05:24.750 --> 00:05:28.050 here from regulators, really for a number of reasons. One, I 93 00:05:28.050 --> 00:05:29.880 think it's pretty clear to anyone sort of, you know, who 94 00:05:29.880 --> 00:05:33.060 thinks about these issues that regular users who have had 95 00:05:33.060 --> 00:05:38.070 inadvertent or, you know, unsolicited transactions with 96 00:05:38.100 --> 00:05:42.510 sanctioned addresses, okay, are not going to be the target of 97 00:05:42.510 --> 00:05:46.200 enforcement actions by OFAC. You know, for example, we've seen 98 00:05:46.200 --> 00:05:49.290 what we call these dusting attacks, where people have sent 99 00:05:49.290 --> 00:05:53.550 small amounts of crypto to known, you know, famous 100 00:05:53.580 --> 00:05:56.400 individuals, people whose addresses are known to sort of 101 00:05:56.400 --> 00:05:59.670 make a statement. Now, I think the reality is, we all know, 102 00:05:59.790 --> 00:06:02.340 certainly having spent a number of years at Treasury, that 103 00:06:02.340 --> 00:06:05.130 Treasury does not use its enforcement authorities to go 104 00:06:05.130 --> 00:06:07.740 after individuals in the space. But I think we need guidance 105 00:06:07.740 --> 00:06:11.430 that says that, you know, that just makes that very clear. But 106 00:06:11.430 --> 00:06:15.750 much more importantly, the guidance needs to go to 107 00:06:15.750 --> 00:06:18.780 cryptocurrency businesses to DeFi protocols to say, "Hey, 108 00:06:19.020 --> 00:06:21.630 this is what, these are the types of addresses you should 109 00:06:21.630 --> 00:06:26.040 and should not block." Because I think what we're seeing here is, 110 00:06:26.070 --> 00:06:29.610 you know, users who are being blocked for having some sort of 111 00:06:29.610 --> 00:06:34.200 transaction history or transacting with Tornado Cash in 112 00:06:34.200 --> 00:06:37.830 a less than meaningful way. And, you know, I think on the one 113 00:06:37.830 --> 00:06:42.300 hand, it is very clear that if the address is on the sanctions 114 00:06:42.300 --> 00:06:46.050 list, if it is one of those 45 addresses that is listed by OFAC 115 00:06:46.050 --> 00:06:49.140 associated with Tornado Cash, that it should be blocked. 116 00:06:49.710 --> 00:06:53.850 Because if you're a US person or entity, you are prohibited from 117 00:06:54.000 --> 00:06:57.930 transacting with those addresses. The real gray area, 118 00:06:58.200 --> 00:07:01.290 the area that we need sort of more granular understanding on, 119 00:07:01.530 --> 00:07:08.880 is that secondary sort of exposure, you know, have you 120 00:07:08.880 --> 00:07:12.000 transacted as an address with one of those sanctioned 121 00:07:12.000 --> 00:07:13.620 entities. And I think that's what we're looking to get 122 00:07:13.620 --> 00:07:18.300 guidance on, not just for the individuals affected, but for 123 00:07:18.540 --> 00:07:20.580 the entities and how they should mitigate risk. 124 00:07:21.870 --> 00:07:25.860 Anna Delaney: And this incident has rattled the security versus 125 00:07:25.860 --> 00:07:29.010 privacy debate. Where do the goals of fighting cybercrime 126 00:07:29.040 --> 00:07:32.400 end? And where do people's privacy rights need to begin in 127 00:07:32.400 --> 00:07:35.550 the context of these new technologies? How do we get that 128 00:07:35.550 --> 00:07:36.300 balance right? 129 00:07:36.870 --> 00:07:39.480 Ari Redbord: So you're asking the easy questions, today. We'll 130 00:07:39.480 --> 00:07:43.830 get into religion and politics in a moment, I'm sure. Look, and 131 00:07:43.890 --> 00:07:47.580 the answer is this has really become, at least since 911, 132 00:07:47.700 --> 00:07:50.700 probably significantly before, this has been the conversation 133 00:07:50.700 --> 00:07:53.670 of our time, right? You know, this issue of privacy versus 134 00:07:53.670 --> 00:07:57.000 security. And I think the reality is that there's always 135 00:07:57.000 --> 00:07:59.820 going to have to be a balancing. And as a society, we're going to 136 00:07:59.820 --> 00:08:02.700 have to decide how far we're willing to go or what rights 137 00:08:02.700 --> 00:08:06.480 we're willing to give up in exchange for that security. I 138 00:08:06.480 --> 00:08:11.460 will say this. Look, the reality is the crypto economy does not 139 00:08:11.460 --> 00:08:15.630 survive if people do not have trust in it, if we don't build 140 00:08:15.630 --> 00:08:19.740 that trust layer for it. I'm not going to put funds in a DeFi 141 00:08:19.980 --> 00:08:24.030 protocol, in a centralized exchange, if I think those funds 142 00:08:24.030 --> 00:08:28.380 are going to be hacked. I think that we have to stop threat 143 00:08:28.380 --> 00:08:32.850 actors, you know, Russian cybercriminals or Lazarus group 144 00:08:32.850 --> 00:08:37.620 out of North Korea, from using funds to using crypto to fund 145 00:08:37.620 --> 00:08:42.570 destabilizing activity. But, you know, at the same time, we are 146 00:08:42.570 --> 00:08:46.740 moving more and more to an open financial system. And look, you 147 00:08:46.740 --> 00:08:51.300 know, my employer someday - doesn't today, admittedly - will 148 00:08:51.300 --> 00:08:55.320 pay me in crypto. They will have my wallet address. I don't want 149 00:08:55.320 --> 00:08:58.950 my employer, as much as I love them, to be watching every 150 00:08:59.400 --> 00:09:03.270 transaction that I do. So you're going to want some degree of 151 00:09:03.270 --> 00:09:06.600 privacy in your transactions. And I think this question of 152 00:09:06.600 --> 00:09:10.290 balancing that you're getting to will really continue to be the 153 00:09:10.290 --> 00:09:14.160 question of our time, you know, it'll happen, it'll happen at 154 00:09:14.160 --> 00:09:17.760 airports, like it always has, but it will also happen on 155 00:09:17.760 --> 00:09:20.850 blockchains. And I think that's sort of the moment that we're 156 00:09:20.850 --> 00:09:23.910 moving toward, and maybe we'll look back at these Tornado Cash 157 00:09:23.910 --> 00:09:26.400 sanctions and say that this was the beginning of this really 158 00:09:26.400 --> 00:09:28.530 robust debate in the crypto space. 159 00:09:28.000 --> 00:09:32.200 Anna Delaney: Well, it's very interesting times. Indeed. Thank 160 00:09:32.200 --> 00:09:35.440 you very much Ari for joining us. Very informative, as always. 161 00:09:35.470 --> 00:09:36.610 Ari Redbord: Thank you so much for having me, Anna. 162 00:09:37.210 --> 00:09:39.910 Anna Delaney: I've been speaking with Ari Redbord of TRM labs and 163 00:09:39.910 --> 00:09:41.680 for ISMG, I'm Anna Delaney.