Damus
Susie
Privacy has taken another hit with the conviction of Tornado Cash developer Roman Storm.

A Manhattan jury found him guilty of operating an "unlicensed money transmitting business," based on the idea that the software he helped build functioned like a financial service. The jury could not agree on the more serious charges of money laundering and sanctions violations, but the single conviction is still significant.

This case challenges how the law defines and responds to open source code. Tornado Cash is not a company, nor does it hold or move user funds. It is a set of smart contracts on Ethereum that let users break the link between the wallets they use to send and receive funds. These contracts were deployed in a way that made them unchangeable. The private keys were destroyed. No one, including the developers, could modify or shut down the system.

A money transmitting business typically holds and transfers funds on behalf of customers. At no point did Tornado Cash or its developers do this.

The protocol gave users a tool that enabled them to mask the public trail of their transactions by depositing into a shared pool and later withdrawing without revealing the source.

The case focused heavily on North Korean hackers using the protocol to move stolen funds. But others testified that they used the tool for legitimate purposes, including donating to humanitarian causes, preserving privacy in repressive regimes, and protecting activists from surveillance.

The bigger issue is whether software developers can be held criminally responsible for what other people do with tools they create. If someone uses a car as a getaway vehicle in a robbery, we don’t prosecute the manufacturer who built the car. Responsibility should fall on those who commit the acts, not those who build general purpose infrastructure.

Storm's defence argued that the team had already taken steps to limit abuse. They added a sanctions screening oracle built by Chainalysis to the public interface, which blocked flagged wallet addresses from interacting with the app. This was one of the few actions available, given the immutable nature of the contracts. Even so, prosecutors claimed they should have done more, and that Storm conspired to operate a financial service without authorisation.

To secure the conviction, the government needed to prove intent. They had to show that Storm knowingly operated a money transmitting business, despite the absence of custody, accounts, or control over user funds. They argued that because he was aware that bad actors were using the tool, he was complicit.

This interpretation of the law creates a dangerous precedent. It opens the door to charging developers for building privacy tools that are later used in ways they cannot control.

Roman Storm now faces up to five years in prison. The outcome of this case will be watched closely by developers, privacy advocates, and anyone building open source infrastructure. It raises urgent questions about whether it is still safe to publish permissionless code in a world where intent can be inferred from other people's actions.

What happens next will determine the fate of a developer, test the legal boundaries around publishing open source code, and reveal just how far the state is willing to go to punish software it cannot control.

The fight over the future of digital freedom continues.

Brilliant reporting on this case from @nprofile1q... and @npub12apcw....

https://bitcoinmagazine.com/news/tornado-cash-trial-concludes-roman-storm-found-guilty-of-one-of-three-counts
@nevent1qqs...