On March 4, 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) made a pivotal decision: it officially delisted Tornado Cash from the Specially Designated Nationals and Blocked Persons List (SDN List). This move follows the U.S. Court of Appeals for the Fifth Circuit ruling that OFAC exceeded its legal authority by sanctioning the decentralized privacy protocol in 2022. The legal and regulatory implications of this decision will ripple far beyond Tornado Cash, affecting crypto founders, protocol developers, DAOs, privacy advocates, and investors alike.

In this post, we break down:

  • What the Fifth Circuit decided and why it matters
  • What the Treasury said in response
  • The future of sanctions enforcement in decentralized systems
  • The implications for founders building in Web3
  • How this ruling ties into broader crypto policy—and what might come next

Background: Why Was Tornado Cash Sanctioned in the First Place?

Tornado Cash is a decentralized, non-custodial privacy protocol built on Ethereum. It allows users to break the on-chain link between source and destination wallets, improving transaction privacy. Importantly, the protocol is fully autonomous and runs on smart contracts that cannot be altered or taken down by any single entity.

In August 2022, OFAC placed Tornado Cash on the SDN List, alleging it was used to launder more than $1 billion in illicit proceeds, including funds linked to North Korea’s Lazarus Group. This move was widely criticized as regulatory overreach, targeting code and software rather than identifiable persons or legal entities.

OFAC’s action raised constitutional and statutory questions about whether it could lawfully designate a decentralized protocol with no central control. It also sparked concerns about due process and the potential chilling effect on developers working on open-source blockchain infrastructure.

What the Fifth Circuit Said

In a landmark ruling, the Fifth Circuit Court of Appeals held that OFAC exceeded its statutory authority under the International Emergency Economic Powers Act (IEEPA) by sanctioning Tornado Cash. Specifically, the court found that:

  • Smart contracts are not “property” of Tornado Cash: Since the protocol is decentralized and the smart contracts operate autonomously, OFAC could not classify the open-source code as property owned or controlled by a foreign national.
  • Tornado Cash is not a foreign “entity”: The court rejected OFAC’s attempt to designate Tornado Cash as an “entity” under U.S. sanctions law. Because the DAO and its contributors do not operate as a legally recognized association or company, the court concluded it was improper to impose blanket sanctions.
  • Due process matters: The court noted that sanctioning a decentralized project with no clear owner deprived individuals—like the plaintiffs—of meaningful notice and opportunity to contest the designation.

This decision significantly narrows OFAC’s authority to designate open-source protocols and non-custodial software under existing sanctions laws.

OFAC’s Response: Delisting Tornado Cash

Shortly after the court’s decision, OFAC issued an official notice confirming the removal of Tornado Cash from the SDN List, signaling a direct response to the Fifth Circuit’s ruling. You can read the Treasury Department’s full statement here.

In its delisting announcement, OFAC emphasized that while Tornado Cash is no longer designated, the agency will continue targeting illicit actors who misuse privacy tools for unlawful purposes. The Treasury made clear that this decision does not signal a retreat from sanctions enforcement in the crypto space.

This nuanced position highlights the agency’s challenge: how to effectively deter money laundering and national security threats without overreaching into the realm of lawful, constitutionally protected innovation.

What This Means for Web3 Founders and Developers

This ruling sets a powerful precedent for builders of decentralized protocols, but it doesn’t eliminate all legal risk. Here’s what founders and developers should take away from the Tornado Cash case:

1. Code is speech—but legal gray areas remain

The Fifth Circuit reaffirmed the First Amendment protection for publishing open-source code. However, the court didn’t address all the legal nuances around deploying or interacting with autonomous software, especially if the software is later misused by sanctioned individuals.

2. Entity structuring still matters

Although Tornado Cash was not deemed an “entity,” that outcome hinged on its specific facts. DAOs or projects that do operate like traditional associations—or hold treasury funds collectively—may still be exposed to sanctions risk.

Founders should evaluate whether their project might inadvertently meet the legal definition of a partnership or unincorporated association.

3. Transparency and documentation matter

The court’s ruling relied heavily on documentation and factual evidence indicating that Tornado Cash operated in a decentralized manner, with no individual or group capable of altering its smart contracts or exercising centralized control. Founders should maintain clear documentation showing how governance works, who can change the code (if anyone), and what level of control developers have post-deployment.

This is especially important when facing potential enforcement actions or inquiries from regulators.

4. Be mindful of user activity—but don’t claim control

Founders of decentralized apps must walk a fine line. While it’s prudent to deter illicit use (e.g., through frontend warnings or compliance partnerships), taking too much responsibility for how users interact with a protocol may suggest control—which could backfire legally.

Investors Should Take Note Too

Crypto investors, particularly those backing privacy infrastructure and DeFi projects, should understand the implications of this ruling as it marks a potential shift in regulatory focus from protocol design to user conduct:

  • Legal risk is shifting from protocol to user: The ruling indicates regulators may begin focusing more on end-user behavior rather than protocol design itself.
  • Due diligence needs to evolve: Investors must ask: who controls the protocol? Is there an upgradable admin key? What’s the DAO’s governance structure? Transparency on decentralization is no longer optional.
  • Precedent matters—but it’s jurisdiction-specific: While this is a strong decision in favor of decentralization, it applies only within the Fifth Circuit’s jurisdiction. Projects with global reach must still consider how other regulators may interpret these facts.

Where This Leaves OFAC and Crypto Sanctions Policy

OFAC’s challenge moving forward is to thread the needle: targeting bad actors without infringing on the rights of developers, DAO members, and users of decentralized technology.

This decision likely compels Treasury to rethink how it crafts designations in the decentralized world. It may also encourage more targeted sanctions focused on individual wallets, rather than sweeping designations of protocols or smart contracts.

For a related case study on overbroad sanctions, see Veritas Global’s coverage of the Tornado Cash ruling here.

The outcome also aligns with ongoing industry advocacy efforts by groups like Coin Center, which argued that the designation improperly targeted immutable software.

What Might Come Next?

In the wake of the Tornado Cash decision, legal observers anticipate several near-term developments that could reshape the regulatory landscape for decentralized technology:

  • New OFAC guidance on decentralized protocols: Treasury may issue new compliance guidance to clarify when a protocol or DAO becomes sanctionable.
  • Further litigation: Other sanctioned DeFi projects may use this precedent to challenge their own designations.
  • Congressional action: Lawmakers could propose new legislation specifically addressing crypto privacy tools and clarifying OFAC’s powers.

This case may also shape the future of how courts evaluate agency enforcement in Web3—especially as developers build more autonomous, censorship-resistant platforms.

Final Thoughts

The delisting of Tornado Cash marks a turning point in the intersection of crypto law, sanctions enforcement, and decentralized tech. It signals that regulators must respect the technical and legal boundaries of decentralized protocols, and that courts are willing to defend those boundaries when tested.

But founders, developers, and investors shouldn’t assume the coast is clear. Legal structuring, documentation, and thoughtful governance design remain essential for minimizing risk while building innovative Web3 infrastructure.

At Veritas Global, we work with builders, investors, and privacy advocates to design compliant DAO structures, respond to regulatory inquiries, and build resilient governance frameworks for decentralized systems.

Need help navigating the new legal landscape after Tornado Cash? Contact us today to learn how we can help you protect your protocol, team, and community while staying true to the principles of decentralization.
