Alexey Pertzev’s Tornado Cash and the Debate on Developer Accountability

12 MIN READ
alexey pertsev

Like any other right, the right to privacy is not free — even in the digital world, it often comes at the price of freedom.

Alexey Pertzev, the 31-year-old Russian national who co-created Tornado Cash, was recently sentenced to spend 64 months in a Dutch prison for facilitating money laundering through his decentralized crypto mixer. The court’s decision came years after his August 2022 arrest in Amsterdam, triggered by U.S. sanctions that accused Tornado Cash for enabling over $1 billion in illicit transactions, including proceeds from major cyberattacks.

This case cuts right to the heart of the intersection of crypto and privacy, highlighting where we draw the line on developer accountability.

What is Tornado Cash?

Tornado Cash is a trustless crypto tumbler that can privatize crypto transactions without relying on any centralized entity.

On a typical blockchain like Bitcoin or Ethereum, every transaction is publicly visible and can be traced back to its source. All of your BTC transaction records are available to anyone who knows your wallet address. Tumblers change this dynamic by allowing cryptocurrency users to digitally entangle their transactions with many others, making it nearly impossible to tell where any single payment came from or where it is headed.

What really sets Tornado Cash apart from traditional, fully-legal tumblers is that it’s totally decentralized. There is no middleman to go through and no central point of control. Plus, being built on Ethereum, the service enjoys some of the highest levels of security possible. In fact, Tornado Cash continues to operate to this day, despite still being sanctioned by the U.S. Department of the Treasury.

“Hiding” funds was a simple process from the users’ POV.

  1. Deposit: Users fund Tornado Cash's smart contract, which is something like a vault in the Ethereum blockchain.
  2. Mix: The smart contract is a simple yet robust mixing protocol, and using it is a simple, point-and-click process.
  3. Withdrawal: Users withdraw their fresh, “new” crypto to an external wallet like their favorite exchange.

The Privacy Tech Behind Tornado Cash

Of course, what goes on behind the scenes is much more complicated. The actual tech that made Tornado Cash possible depended on a few specialty elements:

  1. Zero-Knowledge Proof Tornado Cash uses something called Zero-Knowledge Proofs (ZKPs) in order to create a private, yet verifiable, system. ZPKs are very distinct digital keys for proofless mixing. Instead of having a centralized authority that verifies transactions, the smart contract can use ZPKs for verification.

The minute somebody puts money into Tornado Cash, it generates a “fingerprint” (ZPK) tied only to the deposit. The smart contract will then take that fingerprint and make a log showing that you have deposited something without giving away what or who.

  1. The Nullifier Key Tornado Cash prevents double spending by using a nullifier key, a one-time-use code that allows you to withdraw only once. Each deposit to Tornado Cash creates a fresh, one-use key that is noted but kept hidden. Then, when you withdraw, the system "nullifies" this key, meaning it is marked as used. The neat trick is that the system can mark this key as "used" without ever showing who used it, meaning it keeps your identity anonymous.
  2. Merkle TreesTornado Cash is also using a Merkle Tree system to keep track of everyone's deposits. You can picture a Merkle tree as a wide-reaching family tree where every branch contains a snippet of information about it. The way that Tornado Cash uses the tree is to map deposit "fingerprints" in a way that allows the system to quickly confirm transactions without having to load the entire list of deposits. This structure does two main things: verifies transactions in real-time, checks whether deposits and withdrawals are valid. It organizes deposits in such a way that every withdrawal can be linked to a deposit, without revealing who is behind it.
  3. Private WithdrawalsWhen you're ready to withdraw, Tornado Cash uses your unique "fingerprint" along with your ZKP to prove you own funds in the pool without revealing your deposit details. It's like using a highly specific but invisible two-step password. The system checks your deposit, confirms the withdrawal, and nullifies your unique identifier, meaning you cannot withdraw again.

What Was Tornado Cash Used For?

Before being sanctioned, Tornado Cash not only afforded privacy but also entailed a sort of regulatory conundrum — especially as it began to lure illicit activity from all over the world. But before we get to that, it serves many legitimate purposes, especially for people who really value financial privacy in a transparent, often surveilled world of blockchain transactions.

Legal Uses of Tornado Cash

For many law-abiding citizens, privacy is not a preference but a must. Tornado Cash has been useful in:

  • Everyday Crypto Holders: These are casual users who just want to keep their financial activities private, much like traditional banking secures personal account information.
  • Journalists: Reporters in politically restrictive regions may use Tornado Cash to lock in funding from anonymous donors or to protect sources without exposing financial trails that could put them at risk.
  • Political Dissidents: Activists or dissidents in authoritarian regimes often face scrutiny or punishment for opposing state policies. Tornado Cash provides a secure way to manage funds and receive support without being tracked by the government.
  • Privacy Advocates: Some technologically savvy people are just aware of their right to privacy and would want to keep their transactions unlinked from easily traceable records.

Illicit Uses of Tornado Cash

Though it didn’t start out that way, Tornado Cash quickly became darknet criminals’ favorite way to “clean” stolen or illicitly obtained cryptocurrency. This practice is akin to money laundering in the crypto sphere. The service made it nearly impossible for authorities to track the source of funds for some of the world’s largest criminal enterprises. Here are some notable examples of Tornado Cash’s client list:

  • The $625 Million Axie Infinity Hack: In one of the largest cryptocurrency thefts to have ever occurred, hackers broke into the Axie Infinity network and stole hundreds of millions, laundering much of it through Tornado Cash to obscure the trail.
  • The Harmony Bridge Heist: Hackers targeted the Harmony blockchain bridge in 2022, siphoning off about $100 million in assets. A large portion of those funds were sent via Tornado Cash, so it would be hard for authorities to recover them or trace their source.
  • Nomad Heist: Over $190 million was carted away from the Nomad crypto bridge. In this case, hackers successfully got away with it, in part due to the privacy features of Tornado Cash.
  • Lazarus Group: A notorious North Korean hacking collective with ties to the regime, Lazarus Group, is said to have scammed and stolen over $2 billion in various cyberattacks, a large portion of which was funneled through Tornado Cash to launder proceeds and evade detection. Their involvement in high-profile cryptocurrency hacks and use of Tornado Cash is what jump started the government inquiry.

alexey

The Arrest of Alexey Pertzev

In August 2022, the U.S. Treasury sanctioned Tornado Cash, naming it as a key player in high-profile money laundering. Days later, Dutch authorities arrested Alexey Pertzev, alleging his direct involvement in these activities. By November, his initial bail was denied, with officials citing risks of him fleeing Amsterdam or interfering with the investigation.

In March 2023, Pertzev’s defense argued that Tornado Cash was an open-source, decentralized platform beyond his control, comparing it to a public utility. Despite this, the court again denied bail in February 2024, citing similar concerns. Pertzev’s legal team appealed in April, arguing that Tornado Cash’s decentralized nature absolved developers from liability for user actions.

However, on May 14, 2024, Pertzev was convicted and sentenced to 64 months in prison for facilitating around $1.2 billion in money laundering. His final attempt for supervised release was denied in June, marking the conclusion of a case that reverberated throughout the crypto world.

Let's briefly examine the arguments put forth at trial, as well as what happened leading up to it.

Chronology

August 8, 2022 Tornado Cash sanctioned by the U.S.

  • August 10, 2022 Pertzev arrested in Amsterdam
  • November 2022 Initial bail request is denied
  • March 2023 Pertzev petitions the court to be released under surveillance
  • February 2024 Pertzev's bail is again denied due to flight risk
  • May 14, 2024 Pertzev is sentenced to 64 months in prison
  • June 2024 Court denies last appeal for bai

The Legal Debate Over Alexey Pertzev

The legal defense for Pertzev argued that since Tornado Cash is an open-source, decentralized tool of automated design, neither he nor any other developers can actually control how users utilize it. His lawyers compared Tornado Cash to a public utility or an all-purpose tool that was misused by some for illicit purposes, saying Pertzev could not be responsible for the autonomous operation of the platform and the actions of independent users. They said criminal liability for such decentralized, open-source development would also chill the development of privacy-preserving technologies.

However, the Dutch court rejected these arguments for three reasons.

1. Knowledge of Criminal Use

The court considered that evidence presented showed Pertzev and his co-developers were aware of the fact that Tornado Cash was used by criminals but did not implement anti-abuse mechanisms to deter such activity. The internal communications between developers indicated an awareness of illegal activity, pointing to implicit support by inaction.

2. Lack of Preventative Measures

The court said it believed the design of Tornado Cash explicitly attracted bad actors due to a lack of traceability features and anti-abuse mechanisms, proving it was designed to obscure illicit funds​. Not implementing these features was an indication of intentions to enable criminal use, which set Tornado Cash apart from otherwise neutral tools that happen to attract misuse.

3. Uncooperative Response to Authorities

They pointed out a history of Pertzev's unwillingness to cooperate with law enforcement in several prominent hacks, such as the $625 million Axie Infinity hack, where Tornado Cash was used to launder the funds stolen. Apparently, authorities reached out to the developer for help with the case, but he declined. Such inaction only further highlighted its business model—a platform that exists for criminal utility—and now Tornado Cash is finally condemned to be an instrument made for criminal use. So it’s not difficult to see the court considered a refusal to address criminal activity that is facilitated by Tornado Cash​.

Of course, the legal case was only half the battle.

The Court of Public Opinion Did Not Find Pertzev Guilty

After his arrest, Alexey Pertzev became something of a cause célèbre within the privacy and crypto community, which saw his case as one defending open-source development and privacy rights in blockchain technology. Days after Pertzev's arrest, more than 50 people demonstrated in Amsterdam's Dam Square to show opposition to his detention.

Here are some of the other high-profile, public efforts to shed light on the case and help set Pertzev free:

  • Ethereum co-founder Vitalik Buterin, a strong privacy proponent, donated $110,000 to Pertzev's legal fund.
  • Privacy researcher Ameen Soleimani launched an NFT collection with proceeds going to Pertzev's legal defense.
  • Arbitrum DAO has proposed funding his and fellow Tornado Cash developer Roman Storm's defense with nearly $1.3 million worth of ARB tokens to cover the legal fees and help raise awareness.
  • Other campaigns, like the "Defend Alexey" fundraiser on Juicebox, brought in more money to pay for his legal defense.

On social media, privacy advocates and NGO's also voiced strong disagreement with the court’s decision:

  • Alexandre Stachtchenko: "Enough is enough. It is time for this KYC and surveillance nonsense to come to an end before it consumes democracy itself."
  • Ameen Soleimani: "It's time to stand with Alexey and fight for what is right."
  • Edward Snowden: "If you can help, please help. Privacy isn't a crime.”
  • Electronic Frontier Foundation (EFF): EFF said that prosecuting developers like Pertzev could set a dangerous precedent for open-source software and potentially stifle innovation in privacy-preserving technologies.
  • Coin Center: This cryptocurrency research and advocacy group was quoted saying that “a distinction needs to be made” between the creation of privacy tools and their potential misuse.

Of course, Pertzev wasn’t the first privacy advocate to be imprisoned for their code…

Was Coding Ever Free?

The persecution of Alexey Pertzev inspired many to follow in his footsteps, but he is probably not the last privacy advocate to be jailed for writing controversial code. He certainly wasn’t the first. Here are just some of the other cases:

Aaron Swartz and JSTOR Downloads (2011-2013)

Swartz was charged in 2011 with using MIT's network to download millions of academic articles from JSTOR, intending to make them available to the public. Federal prosecutors indicted him on 13 felony counts, including wire fraud and Computer Fraud and Abuse Act violations, carrying a maximum of 35 years in prison. Whereas JSTOR declined to press the charges, U.S.

Attorney’s office pursued the case, igniting global debates on internet freedom and access to information. Tragically, Swartz died by suicide in 2013 before the case concluded.

Marcus Hutchins and the Kronos Malware (2017-2019)

Cybersecurity researcher Marcus Hutchins, who helped put an end to the WannaCry ransomware attack, was later arrested on charges of creating and distributing malware named Kronos, which would purloin banking credentials. Hutchins pleaded guilty to two charges and, having already served the equivalent of time, had the court acknowledge his substantial contribution to cybersecurity and how hard it can be to draw legal lines between research and malicious intent.

Ross Ulbricht and the Silk Road (2013-2015)

Ulbricht created the Silk Road under his pseudonym, "Dread Pirate Roberts," a dark web marketplace where users could anonymously trade goods, often drugs. He was arrested in 2013, charged with facilitation in large-scale drugs trafficking and other criminal activities on the site. Ulbricht was found guilty on all counts, including trafficking in drugs and conspiracy, and was sentenced to double life imprisonment.

Matthew Keys and the Los Angeles Times Hack (2013-2016)

Journalist Matthew Keys was indicted after he allegedly provided Anonymous with login information to change an article on the Los Angeles Times website. The changes were quite minor; he was nonetheless charged under the Computer Fraud and Abuse Act for a sentence of two years in prison. This case certainly brought out the wide-reaching extent of the CFAA, raising questions about the appropriateness of punishments for digital actions.

The Ethical Debate Rages On

The moral and ethical arguments for or against punishing developers like Alexey Pertzev for creating privacy-focused technologies like Tornado Cash are complex and multilayered. Before making any moral judgements, it’s paramount to understand at least the surface-level version of each side of the debate.

Arguments For Holding Developers Accountable

  • Misuse Responsibility: Proponents would insist that the development of privacy tools, without some preventative measures, is tantamount to tacitly encouraging illicit activity. This is clearly demonstrated when mixing services like Tornado Cash are used by cybercriminals such as North Korea's Lazarus Group to launder the proceeds from hacks. Therefore developers need to consider misuse and design features to preclude it to some extent. This would ultimately mean we need to hold developers accountable for their tools being used to provide anonymity to criminals, on par with standards in other fields that have protections against misuse, like a type of crypto KYC.
  • Public Safety and Regulatory Compliance: Supporters ask the question: why should privacy tools be exempt from existing laws that govern financial regulation? Prosecution of developers for knowing or negligent assistance in illicit finance is meant to establish lines of responsibility that exist in most comparable circumstances.
  • Prevention Through Accountability: The prosecution of developers for tools that enable criminal activities will send a message to deter future projects which could exploit loopholes in the regulatory oversight of these platforms. This approach is a twist on the oldest, most reliable law enforcement trick in the book — set an example to deter more crime than can ever be realistically punished.

Arguments Against Punishing Developers for Code Creation

  • Code as free speech: Privacy advocates will point out that programming is a form of expression comparable to free speech, and prosecution of developers for their code can create a chilling effect on innovation. They hold the argument that making developers liable for creating neutral technology—especially open-source projects like Tornado Cash—is going to stifle open-source development and discourage improvements in privacy tech, already sensitive to regulatory pressures.
  • Legitimate Uses and Privacy Rights: The argument here is a straightforward, classically utilitarian one. Privacy advocates note that privacy mixers, such as Tornado Cash, have many legitimate uses other than money laundering. They help dissidents, journalists, and people in oppressive regimes with privacy and financial protection. Prosecution of developers may spell a limitation in the accessibility of these tools, thus risking creating more harm than justice.
  • Unpredictable Use and Developer Intent: It is unreasonable to hold developers liable for how another party uses their tools. This may be the strongest and simplest argument on the list. Think about it — a screwdriver is a tool too. But if a criminal attacks someone with a screwdriver we don’t arrest Henry F. Phillips for inventing it, do we? Once a tool is released into the open-source ecosystem, developers lose control over how it’s deployed, making it difficult to foresee all potential abuses.

In Closing

In the end, Alexey Pertzev’s Tornado Cash fiasco isn’t just about one developer—it’s about the direction of digital freedom, privacy rights, and whether we’re heading toward a future where devs have to think twice about the implications of their code. As crypto keeps evolving, this balance between privacy and accountability will be something we’ll be hashing out for a long time.

Pertzev’s conviction raises big, age-old questions: Is justice more important than freedom? Should devs be responsible for how people use their code, or does that kill innovation for anyone trying to build privacy tools? And if someone gets jailed just for writing decentralized code, what does that mean for the next wave of innovation?

The debate is ongoing, and we encourage you to become a part of it. Join the PlasBit community and share your thoughts with the rest of us!