Roman Storm, co-founder of the Tornado Cash cryptocurrency mixing protocol, was convicted today by a Manhattan jury of conspiracy to operate an unlicensed money-transmitting business. The jury found that Tornado Cash processed more than $1 billion in identifiable criminal proceeds — including funds stolen by North Korea’s Lazarus Group — while Storm knowingly failed to implement any anti-money laundering controls or register the service with FinCEN.
The jury deadlocked on the two more serious charges: conspiracy to commit money laundering and conspiracy to violate the International Emergency Economic Powers Act. Prosecutors have not yet indicated whether they will seek a retrial on those counts.
The Tornado Cash saga has been one of the most legally complex and politically charged cases in cryptocurrency history, spanning three years, three branches of government, and a landmark appellate decision.
The protocol launched in 2019 as an Ethereum-based mixing service that severed the on-chain link between depositing and withdrawing addresses, providing privacy for legitimate users but also, inevitably, for criminals. By the time OFAC sanctioned the protocol in August 2022 — a first-of-its-kind action targeting autonomous smart contract code rather than a person or entity — Tornado Cash had processed approximately $7 billion in total deposits. Of that, at least $455 million was attributable to the Lazarus Group’s theft from the Ronin Bridge.
The OFAC designation prompted immediate backlash from the crypto industry and civil liberties organisations, who argued that sanctioning open-source code — which no single entity controls — was both legally unprecedented and constitutionally troubling. In Van Loon v. Department of the Treasury, decided in November 2024, the Fifth Circuit agreed, holding that immutable smart contracts are not “property” under IEEPA because they cannot be owned or controlled by a foreign national. Treasury delisted Tornado Cash from the SDN list in March 2025.
But the criminal case against Storm proceeded on a different theory. DOJ did not charge Storm with violating sanctions. It charged him with operating a money-transmitting business — a theory that does not depend on whether the protocol is “property” or whether it can be sanctioned, but on whether Storm knowingly transmitted funds without a licence and without AML controls.
The evidence showed that Storm was aware of the criminal use. Internal messages revealed that the founders discussed Lazarus Group transactions and debated — then rejected — implementing any screening mechanism. Storm also allegedly profited from the protocol through a relayer system that earned fees on each transaction.
Co-founder Alexey Pertsev was convicted in the Netherlands in May 2024 on money laundering charges related to his role in Tornado Cash; a third co-founder, Roman Semenov, remains charged in the U.S. and is believed to be in Russia.
The unresolved question of developer liability
The Tornado Cash case is the most important legal confrontation between decentralised technology and financial regulation since the creation of Bitcoin. And the split verdict — conviction on the transmitter count, deadlock on the laundering and sanctions counts — perfectly captures the unresolved tension.
As someone who holds both crypto investigation certifications and AML qualifications, I see legitimate arguments on both sides — which is exactly what makes this case so consequential.
The prosecution’s position is straightforward: if you build a tool that you know is being used to launder hundreds of millions in criminal proceeds, and you choose not to implement any controls or register as a money-services business, you are operating an unlicensed money transmitter. The jury agreed on that count. The fact that the tool is a smart contract rather than a traditional service does not exempt its creators from regulatory obligations.
The defence’s position is equally clear: open-source code, once deployed on an immutable blockchain, operates autonomously. The developers cannot freeze funds, block addresses, or reverse transactions. Holding them criminally liable for what third parties do with software they wrote sets a precedent that could criminalise the creation of any privacy-preserving technology.
The jury’s deadlock on the more serious charges suggests that at least some jurors found the developer-liability theory uncomfortable when extended to money laundering conspiracy and sanctions evasion. The transmitter count was easier because it focuses on what Storm failed to do (register, implement KYC/AML) rather than what the protocol did.
For the compliance community, the practical takeaway is that building a financial tool with no AML controls and no registration is itself a crime — regardless of the underlying technology. The harder question — whether developers can be held liable for the downstream criminal use of autonomous code they created — remains open.