Code Above Country? How North Korean Hackers Won the Tornado Cash Ruling and Why Congress Must Rewrite the Playbook
Treasury Retreats: The Legal Quicksand of Regulating Immutable Code
In a remarkable reversal that sends ripples through the cryptocurrency industry, the U.S. Treasury Department has officially lifted sanctions against Tornado Cash, the cryptocurrency “mixer” service that became the center of a fierce legal and philosophical battle over governmental authority in the digital age. This capitulation comes four months after the Fifth Circuit Court of Appeals eviscerated the legal foundation of the Treasury’s sanctions regime as applied to immutable blockchain code.
When Property Isn’t Property
The crux of the Fifth Circuit’s ruling exposes the fundamental incompatibility between decades-old financial regulation frameworks and cutting-edge blockchain technology. Writing for the court, Judge Don Willett – a Trump appointee with a flair for the pointed phrase – determined that Tornado Cash’s immutable smart contracts simply do not qualify as “property” under the International Emergency Economic Powers Act (IEEPA).
“Immutable smart contracts are not property because they are not capable of being owned,” Judge Willett wrote, in what amounts to a devastating critique of the Office of Foreign Assets Control’s (OFAC) understanding of blockchain fundamentals. “More than one thousand volunteers participated in a ‘trusted setup ceremony’ to ‘irrevocably remove the option for anyone to update, remove, or otherwise control those lines of code.'”
The court’s reasoning centered on a simple but profound observation: you cannot block what nobody owns or controls. The Fifth Circuit applied basic principles – that property must be capable of ownership and generally includes “the right to exclude others” – to determine that self-executing and unownable code falls outside regulatory grasp.
OFAC’s Square Peg, Blockchain’s Round Hole
Treasury’s defeat highlights the precarious intellectual foundations of its approach. OFAC’s creative interpretation attempted to stretch regulatory definitions beyond recognition, arguing that smart contracts were equivalent to traditional contracts or services. The court dismissed both contentions with a mixture of legal precision and barely concealed contempt.
OFAC’s claim that immutable smart contracts qualify as “contracts of any nature whatsoever” collapsed under the weight of basic contract law. As Judge Willett noted: “Unilateral or not, contracts require ‘[a]n agreement between two or more parties.'” With immutable smart contracts, “there is no party with which to contract.” The court’s demolition of OFAC’s “vending machine” analogy was particularly pointed, noting that unlike vending machines, Tornado Cash has no control over its immutable code – it cannot “unplug” it.
Similarly, the court rejected OFAC’s “services” argument, distinguishing between tools that provide services and services themselves. “The immutable smart contracts ‘provide… services’; they are not services themselves,” the court reasoned, adding that services typically involve “human effort” which is absent in autonomous code.
The Money Laundering Machine Dilemma
While the Fifth Circuit’s legal reasoning may be technically sound, it creates a troubling vacuum in the international fight against illicit finance. Let’s be clear: Tornado Cash has functioned as an extraordinarily effective money laundering machine. According to research by the Royal United Services Institute, North Korean actors laundered more than $1 billion through Tornado Cash prior to its designation, including proceeds from the Qubit hack and Horizon Bridge theft. When a platform processes this volume of illicitly acquired funds, dismissing regulatory authority based on the technicality that code isn’t “property” feels like missing the forest for the trees.
The court’s reasoning – however legally precise – creates an untenable situation where tools explicitly designed to facilitate anonymity and obfuscate financial trails become untouchable by the very authorities tasked with preventing financial crimes. This leaves Treasury in the absurd position of watching known criminal actors launder billions through identifiable channels while lacking the legal framework to intervene. When North Korean hackers funnel stolen funds through Tornado Cash to finance weapons programs, the absence of a contract party becomes a troublingly academic distinction.
The Regulatory Abyss
The Treasury’s retreat exposes a gaping regulatory void that current legislation cannot bridge. Crafted during the Carter administration, IEEPA lacks the sophistication to address code that, once unleashed on a blockchain, becomes ownerless and perpetual. As the court acknowledged: “Perhaps Congress will update IEEPA… to target modern technologies like crypto-mixing software. Until then… OFAC overstepped its congressionally defined authority.”
This dilemma places Treasury in an impossible position. Secretary Scott Bessent’s statement betrays this tension, acknowledging the “enormous opportunities for innovation” while simultaneously expressing “deep concern” about North Korean exploitation of digital assets.
Urgently Needed: New Legal Paradigms for DeFi
The Tornado Cash case demonstrates why we desperately need new legal frameworks built specifically for decentralized finance. The current approach – attempting to retrofit pre-internet legislation to govern blockchain technology – is fundamentally flawed and doomed to produce more regulatory failures.
What might a more effective approach look like? First, Congress could create a new category of “digital financial infrastructure” that explicitly includes immutable smart contracts, regardless of whether they fit traditional definitions of property or services. Second, lawmakers could establish a regulatory regime that focuses on effects and outcomes rather than ownership structures – if a protocol facilitates more than a certain threshold of illicit transactions, it could trigger compliance obligations or restrictions regardless of its technical classification. Third, legislation could impose liability on developers who deploy code with the demonstrable intent to facilitate illegal activity, even if they subsequently remove themselves from operational control.
Without such innovation, we face a bleak choice between hamstringing legitimate technological advancement and allowing bad actors to exploit regulatory blind spots with impunity. The current vacuum effectively gives a free pass to immutable financial tools that process billions in stolen funds – an outcome neither the architects of IEEPA nor reasonable crypto advocates could possibly have intended.
Technological Reality Trumps Regulatory Fiction
The Treasury’s failed attempt to regulate immutable code represents more than a procedural setback – it’s a confrontation with technological reality. Distributed ledger technology creates digital artifacts that exist beyond traditional ownership paradigms, challenging core assumptions about regulatory control.
As Judge Willett pointedly concluded: “We readily recognize the real-world downsides of certain uncontrollable technology falling outside of OFAC’s sanctioning authority… But we must uphold the statutory bargain struck (or mis-struck) by Congress, not tinker with it.”
This philosophical stance – that courts interpret rather than create law – reveals the fundamental impotence of current regulatory frameworks in the face of genuinely decentralized technology. Treasury’s concession acknowledges that blockchain can create digital structures resistant to traditional regulatory tools.
Beyond Law’s Reach?
The implications extend far beyond Tornado Cash. If unalterable code deployed to a public blockchain sits outside IEEPA’s reach, what other digital constructs might evade regulatory frameworks built for a pre-blockchain world? The Treasury’s surrender suggests a tacit recognition that some aspects of blockchain technology may fundamentally rewrite the relationship between regulation and innovation.
As the government regroups, Congress faces the daunting task of crafting legislation sophisticated enough to address legitimate national security concerns without smothering the technological revolution that blockchain represents. The Fifth Circuit’s ruling – and Treasury’s subsequent retreat – make clear that attempting to force new technological paradigms into outdated legal frameworks is a strategy doomed to fail.
In the meantime, Treasury’s delisting serves as a reminder that in the collision between immutable code and malleable regulation, technological reality may hold the winning hand – but the resulting legal vacuum benefits only those exploiting these tools for nefarious purposes. When North Korean hackers can leverage an immutable smart contract to fund weapons programs while authorities stand helplessly by, citing contract law technicalities, something is fundamentally broken in our approach to governing digital finance.
The challenge now falls to legislators to craft regulatory frameworks that can address the unique characteristics of blockchain technology while preserving the innovation that makes it valuable. Until then, we’re left with the disturbing reality that some of the most sophisticated money laundering tools in history may simply be beyond the reach of existing law – a situation that benefits neither national security nor the legitimate advancement of financial technology.
LI: https://www.linkedin.com/in/robert-nogacki-7503491a5/
Founder and Managing Partner of Skarbiec Law Firm, recognized by Dziennik Gazeta Prawna as one of the best tax advisory firms in Poland (2023, 2024). Legal advisor with 19 years of experience, serving Forbes-listed entrepreneurs and innovative start-ups. One of the most frequently quoted experts on commercial and tax law in the Polish media, regularly publishing in Rzeczpospolita, Gazeta Wyborcza, and Dziennik Gazeta Prawna. Author of the publication “AI Decoding Satoshi Nakamoto. Artificial Intelligence on the Trail of Bitcoin’s Creator” and co-author of the award-winning book “Bezpieczeństwo współczesnej firmy” (Security of a Modern Company). LinkedIn profile: 18 500 followers, 4 million views per year. Awards: 4-time winner of the European Medal, Golden Statuette of the Polish Business Leader, title of “International Tax Planning Law Firm of the Year in Poland.” He specializes in strategic legal consulting, tax planning, and crisis management for business.
