The Treasury Department’s Office of Foreign Assets Control (OFAC) identified the following entities: the Tornado Cash organization on GitHub, the tornado.cash website, RPC nodes run by Ethereum infrastructure providers Alchemy and Infura, $USDC on Tornado Cash contracts at CirclePay, and about 40 Ethereum blockchain addresses that provide virtual currency mixing under the Tornado Cash smart contract application.
Based on its interpretation of those sanctions, Microsoft-owned GitHub shut down the user accounts of three individuals who contributed code to the project and removed the Tornado Cash account along with the source code in the repository.
Though none of the three developers were added to the OFAC’s SDN list by name, they appear to be wanted by financial crime investigators: one of the three, Tornado Cash developer Alexey Pertsev, was subsequently arrested in Amsterdam by the Dutch police.
Forks of the open source Tornado Cash software have remained on GitHub, and on Monday Matthew Green, a cryptography professor at Johns Hopkins University, published another fork of the software with the support of the Electronic Frontier Foundation (EFF).
Both Green and Kurt Opsahl, deputy executive director and general counsel of the EFF, previously expressed concern over GitHub’s removal of the source code, arguing that code is speech and that GitHub has suppressed speech by disabling the Tornado Cash repository.
Green says the fork he published exists to test whether removal of code is ever the appropriate response to sanctions. He says that if GitHub takes the code down, the EFF will challenge that decision in court.
“In my work as a researcher and instructor at Johns Hopkins, I’ve made extensive use of the Tornado Cash and Tornado Nova source code to teach concepts related to cryptocurrency privacy and zero-knowledge technology,” Green wrote in an explanatory note on his tornado-repo repositories.
“My students have built amazing projects from the code. The loss or decreased availability of this source code will be harmful to the scientific and technical communities.”
He also said he objects to GitHub’s decision to remove the Tornado Cash repo, a decision he attributes to GitHub’s risk mitigation based on the OFAC order. The problem is that the OFAC order is not clear.
Let’s get some clarity
As the EFF explains in a blog post, the OFAC refers to “Tornado Cash” both as a technology and a sanctioned entity. It’s the name of the open source project published to a GitHub account, of a smart contract application running autonomously on the Ethereum blockchain, of a website, and of some set of people involved with making the currency-mixing software.
The EFF said it has asked the OFAC to clarify what it means by “Tornado Cash” but as of Tuesday, a spokesperson said, the organization has not heard back. The Register also reached out to the Treasury Department for comment and we’ve also not yet received a reply.
The advocacy organization acknowledges that the government has a legitimate interest in taking action against ransomware and foreign hacking groups, but argues those interests are not served by making the Tornado Cash source code unavailable. The EFF said its primary concern is GitHub’s decision to take down the Tornado Cash repo and the accounts of the project’s main contributors.
“While GitHub has its own right to decide what goes on its platform, the disappearance of this source code from GitHub after the government action raised the specter of government action chilling the publication of this code,” the group said.
The Register asked GitHub to comment on what Green has done and on whether GitHub intends to take the Tornado Cash fork(s) down.
A GitHub spokesperson replied with a link to the company’s Trade Control Policy and a response that didn’t answer those questions.
“GitHub’s vision is to be the global platform for developer collaboration, and we strive to make open source code as broadly accessible as possible while adhering to US trade laws,” a spokesperson said in an emailed statement. “We examine government sanctions thoroughly to be certain that users and customers are not impacted beyond what is required by law.” ®