On August 6th, 2025, following a four-week trial, a jury found Roman Storm, the founder of a crypto mixing service called Tornado Cash, guilty of conspiracy to operate an unlicensed money transmitting business. The jury was deadlocked and unable to reach a verdict on the two more serious charges against Storm: conspiracy to commit money laundering, and conspiracy to violate sanctions. The Tornado Cash case has been closely watched due to its implications for cryptocurrency regulation and the use of privacy-enhancing technologies in financial transactions.
Tornado Cash provides an open-source protocol frequently referred to as a “mixer,” which breaks the link between senders and recipients of cryptocurrency in order to enhance privacy. Essentially, the protocol allows users to anonymize cryptocurrency transactions by obscuring the source, recipient, and general movement of the assets that flow through it. It relies on immutable smart contracts, which are essentially one-party contracts between users and the platform, for the movement of assets. Crucially, neither Tornado Cash nor its founders ever directly took custody of users’ funds, and the creators had no discretionary control over the platform’s use. It was governed by a Decentralized Autonomous Organization (“DAO”), wherein users who own Tornado Cash Tokens vote to make decisions on behalf of the platform.
Supporters hail Tornado Cash for making great strides in the privacy—and, correspondingly, safety—associated with cryptocurrency. As Storm’s defense team highlighted, this is crucial for various types of users, like high-net-worth individuals, or activists, who have legitimate concerns that their safety may be jeopardized by traceable transactions.
Law enforcement and regulatory bodies, however, are still trying to figure out what to do with technology that permits substantial amounts of currency to move with minimal, if any, accountability or oversight. Anti-Money Laundering (“AML”) and Know Your Customer (“KYC”) laws and regulations, and Financial Crimes Enforcement Network (“FinCEN”) registration and other requirements, exist to protect against the harms that flow from criminal actors’ use of financial services to prevent enforcement authorities from tracing proceeds of criminal activity. The problem is that the legal and regulatory framework in place now was not designed for today’s technology. As the Tornado Cash verdict demonstrates, this leaves enforcement bodies trying to fit a square peg in a round hole where they perceive that harm has been caused by digital asset technology. The result is further uncertainty regarding what obligations developers have to moderate and regulate users—a function that would not be possible with Tornado Cash’s model—and what liabilities may follow if they fail or refuse to do so.
In this case, the government sought to hold Roman liable for criminal actors’ use of the platform after he created it, and after he gave up any ability to control or regulate its use. The jury’s inability to reach a verdict on the two more serious charges—conspiracy to commit money laundering and conspiracy to commit sanctions violations—likely reflects a deep divide regarding who should be held responsible for harms perpetrated in the digital assets space. On one hand, it is difficult to prove that Roman conspired to commit money laundering or sanctions violations when there was no relationship between Roman and the illicit actors. Roman developed the platform they later used, but he had no control over it by the time they used it, and neither the platform itself nor its creators ever took custody of the assets at issue. On the other hand, it was reasonably predictable that the platform would be used for illicit purposes. From a prevention-focused perspective, Tornado Cash’s creators were in a better position than anyone else to deter wrongdoers from using the platform. But that does not mean that they could be held criminally liable for failing to do so.
This month’s jury verdict highlights the challenges in doing so. The one count on which Storm was convicted, conspiracy to operate an unlicensed money transmitting business, did not require the jury to find that Storm had any ties to illicit funds or hackers. Moreover, while Roman was convicted for his decision not to register Tornado Cash as a money transmitting business, there are substantial questions that will surely be raised on appeal. Can Roman actually be liable for “operating” a money transmitting business that he designed in such a way that he had no operational control over it? And, can Tornado Cash itself be considered a “money transmitter” when it never actually takes custody of funds?
The outcome does not, however, clear creators of mixers like Tornado Cash, or creators in the digital asset space generally, of concerns for regulatory and criminal liability. First, while the count for operation of an unlicensed money transmitting business is the least serious of the counts, it is still a criminal conviction, for which Storm could face up to five years in prison. Further, the jury did not acquit Storm. It was deadlocked. This means that some members of the jury believed the government had proven its case against Storm on those counts. And the claims were at least determined legally sufficient to go through to trial. The lack of an acquittal indicates that future cases with similar, slightly altered facts could lead to more serious convictions than we saw here.
In short, the outcome does little, if anything, to resolve the uncertainty that pervades this space. Individuals or entities involved in the creation or operation of tools for digital asset users should exercise caution and consult counsel regarding whether they should register as a money transmitting business, and what steps they may be required to take with respect to AML or KYC laws and regulations. Unless and until new legislation is passed to address these questions, the law is likely to remain murky regarding how the current rules apply to operators in the digital asset space. The Tornado Cash verdict shows that juries may be willing to accept theories of liability that hold creators of these platforms accountable under traditional financial services regulations when the tools and platforms they create are ultimately used by criminal actors.