Developers and operators of decentralized privacy protocols in the United States continue to face potential sanctions enforcement, despite the recent developments involving Tornado Cash and the Treasury Department’s Office of Foreign Assets Control (OFAC). While Tornado Cash’s smart contracts were removed from OFAC’s sanctions list in March, there are still concerns regarding the broader implications for mutable protocols and developers associated with them.
A report published by the DeFi Education Fund highlighted that the Fifth Circuit Court of Appeals ruling, which stated that Tornado Cash’s immutable smart contracts do not constitute property under the International Emergency Economic Powers Act (IEEPA), does not necessarily limit the Treasury’s authority to sanction decentralized technologies. The Treasury’s response to the Van Loon v. Department of Treasury ruling indicates that it still retains discretion over mutable components and protocol developers.
Despite the removal of Tornado Cash’s smart contracts from the Specially Designated Nationals (SDN) list, OFAC has made it clear that it could reimpose sanctions if conditions change. This discretionary action suggests that developers of DeFi protocols and privacy applications could still face legal exposure if their tools are used by sanctioned entities.
The case of Roman Semenov, a co-founder of Tornado Cash, is a prime example of the Treasury’s enforcement strategy. While Semenov was removed from the Cyber-Related sanctions list, he remains designated under the North Korean Sanctions Program. The Treasury alleges that Semenov “materially assisted” the government of North Korea by developing a decentralized protocol used by North Korean-linked hackers, even though there was no direct or intentional contact.
The lack of clear standards for OFAC’s designation criteria under Executive Orders 13694 and 13722 has created legal ambiguity for developers of decentralized software and anonymous users. The Treasury has not specified how it differentiates between cyber-related threats and support for the North Korean regime, making it challenging for developers to predict their legal exposure.
While the delisting of Tornado Cash’s smart contracts provided temporary relief for the DeFi community, the government’s continued enforcement stance indicates that sanctions-related exposure persists. Developers and contributors to privacy tools and decentralized protocols must navigate a regulatory gray zone, where the perceived uses of their software could dictate their risk of being designated or criminally charged.
As the US District Court awaits to issue a final ruling on the matter, the outcome could have far-reaching implications for the future of decentralized technologies and the Treasury’s authority to sanction smart contracts and DeFi protocols. Until then, the regulatory landscape remains uncertain, highlighting the need for developers to tread carefully in this evolving space.