Fri. Nov 22nd, 2024

In the Netherlands, open source developers are now liable for how their software is used.

Alexey Pertsev, a 31-year old Russian national living in the Netherlands and one of the developers of the Ethereum-based privacy tool Tornado Cash, was today found guilty of money laundering by the Dutch court: he’s been sentenced to 64 months in prison. The fact that Pertsev never held custody of any cryptocurrency flowing through Tornado Cash — or could even control how the smart contract operated — was deemed irrelevant by the panel of judges, as he did contribute to the development of the software.

In line with Dutch public prosecutor Martine Boerlage, the court ruled that Tornado Cash was essentially ran like a business, operated by PepperSec, the company founded and operated by Pertsev and his two co-founders Roman Storm and Roman Semenov. Rather than just publishing code, the judges said, the trio benefited financially from the obfuscation of illicit funds through the tools they built.

Specifically, the judges ruled that Pertsev was personally responsible for the laundering of well over a billion US dollars worth of stolen ETH, including by North Korean hackers known as the Lazarus Group. Even though Pertsev could not stop this from happening after their software was released, the fact that he helped release software that enabled this in the first place, without including measures to prevent it, was deemed reason enough to consider him guilty.

“Tornado Cash functions in the way the defendant and its co-founders developed Tornado Cash,” wrote the judges. “So the operation is completely their responsibility.”

Tornado Cash

Tornado Cash is a smart contract on the Ethereum blockchain. Users can send ETH to the Tornado Cash smart contract, which gives them the ability to withdraw an equal amount of ETH from the same contract. Because there is no way to link ETH going into and coming out of Tornado Cash, the smart contract served as a privacy tool, allowing users to obfuscate their transaction history.

Besides the Tornado Cash smart contract itself, PepperSec helped develop tools that gave users easy access to the smart contract, most notably, a graphical user interface (GUI). This part of the mixing infrastructure, in turn, relied on a separate smart contract, which facilitated the payment of withdrawal fees through special entities called “relayers”, and was managed through a DAO (decentralized autonomous organization) and the associated TORN token.

According to the judges, the DAO did not make a meaningful difference: PepperSec was in practice still responsible for the operation of the GUI and how the relayer system functioned.

The Tornado Cash smart contract itself today operates fully independently of PepperSec, and is in fact still operational. Pertsev or PepperSec never actually “touched” any of the ETH going through the Tornado Cash smart contract; that is, they never took custody of any funds. They merely built software that Ethereum users utilized to mix their own ETH with other users, and could not stop this from happening.

So far, it had generally been assumed that this would exempt the developers from applying anti-money laundering measures— this assumption was struck down today.

Greater Relevance

The judgment could have far-reaching consequences for open source software development in general, including Bitcoin software development, at least in the Netherlands.

In Bitcoin, two of the most popular mixing services have been operated by companies: Wasabi Wallet and Samourai Wallet. Whereas PepperSec claimed that its operations were technically decentralized through a DAO, Wasabi Wallet and Samourai Wallet operated more straightforwardly, offering centralized coordination through a dedicated server. As PepperSec can be held responsible for how users use Tornado Cash, Wasabi Wallet and Samourai Wallet can logically be as well.

In line with this, Samourai Wallet founders and developers Keonne Rodriguez and William “TDevD” Hill were recently indicted by the US Department of Justice on allegations of money laundering and running an unlicensed money transmitter. Although these arrests were made on instruction of the Department of Justice (DOJ) in the United States, today’s ruling in the Netherlands may offer a glimpse of what is to come in the US. Wasabi Wallet, shortly after the Samourai Wallet arrests, announced it will cease operations of their mixing service later this month.

Moreover, based on today’s judgment, it’s viable that even developers who develop privacy tools without a centralized coordinator could in the Netherlands be held accountable if their tools are used for illicit purposes, ie. money laundering.

Pertsev’s PepperSec colleagues Storm and Semenov, meanwhile, have also been indicted in the United States last year, with the former (who resides in the US) awaiting trial in September

Pertsev does have the option to appeal the verdict. If he does, he will have to await this appeal from jail, as he was immediately taken into custody after the verdict.

The full verdict (in Dutch) can be read here.