What is the impact of the U.S. OFAC's long-arm jurisdiction on the Ethereum network?

Original Author: JP Koning

Original Compilation: Luffy, Foresight News

The largest cryptocurrency exchange in the United States, Coinbase, is publicly processing Ethereum transactions involving Tornado Cash, a blockchain infrastructure that was sanctioned by the U.S. government last year for providing mixing services to North Korea. According to Tornado alerts, Coinbase has verified 686 Tornado-related transactions in the past two weeks.

The table includes the number of blocks proposed by each validator, where all transactions interacting with Tornado Cash contracts or TORN tokens (deposits or withdrawals) are shown. Source: Toni Wahrstätter

This is awkward for all parties involved.

First, it is embarrassing for the regulatory agency, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC). OFAC explicitly states that individuals within the U.S. cannot transact with sanctioned entities unless they have a license. However, the largest cryptocurrency exchange in the U.S. is interacting with the sanctioned entity Tornado Cash without a license.

OFAC could look the other way and pretend that nothing unusual is happening, which is essentially what it has done so far. But since these interactions are clearly recorded on the blockchain, everyone can see the violations occurring. Ultimately, OFAC will have to confront this issue and make some tough decisions, some of which may ultimately harm companies like Coinbase and the Ethereum network.

The entire incident is also awkward for the cryptocurrency industry. After much of the ecosystem was destroyed by fraud and bankruptcy in 2022, cryptocurrency finds itself in the crosshairs of a cultural war and widespread prohibition. It desperately needs social license, yet leading companies in the cryptocurrency space choose to go against one of the key pillars of U.S. defense.

Meanwhile, Coinbase's main competitor in the U.S., Kraken, has taken a completely different approach to dealing with Tornado Cash. As shown in the table above, compared to Coinbase's 686 transactions, Kraken processed 0 Tornado Cash-related transactions in the past two weeks. This differing approach to handling sanctioned transactions only highlights the awkward nature of cryptocurrency's "compliance" with sanction laws.

Before diving deeper, we need to understand some basics. For those confused about cryptocurrency, here’s a quick explanation of why Coinbase interacts with Tornado Cash while Kraken does not.

What is Validation?

First, Coinbase and Kraken operate many different businesses. Their most well-known business is providing a marketplace where people can deposit funds to buy and sell crypto tokens.

I suspect both companies are very careful to ensure their trading platforms avoid any intersection with Tornado Cash. For example, if someone tries to deposit funds related to Tornado into Coinbase, I am sure Coinbase would quickly freeze those transactions, which is exactly what OFAC requires it to do. Cryptocurrency exchanges have previously run into trouble for dealing with sanctioned entities: last year, Kraken was penalized by OFAC for allowing an Iranian user to process 826 transactions.

But the issue here is not with these companies' trading platforms. The interaction between Coinbase and Tornado Cash occurs in adjacent business areas. Let’s look at how the validation services of Coinbase and Kraken operate.

Suppose Sunil lives in India and wants to transact on the Ethereum network, such as depositing some ETH into Tornado Cash. He first inputs the instruction into his MetaMask wallet. The order will be broadcast to the Ethereum network for validation, and a small fee or tip will be paid. Validators are responsible for receiving large batches of pending transactions, one of which is Sunil's Tornado Cash deposit, and proposing confirmations to the Ethereum network in the form of "blocks." As a reward, validators earn the tips left by traders.

The largest validators are those who hold a significant amount of ETH (the native token of the Ethereum network). Since Kraken and Coinbase hold millions of customers' ETH, they have become two of the most important providers of Ethereum validation services. According to the Ethereum staking dashboard, Coinbase accounts for 14% of global validation transactions, while Kraken accounts for 3%. Therefore, even though Sunil is not actually depositing any cryptocurrency into Coinbase's trading platform, he may ultimately interact with Coinbase through its block proposals and validation services.

Validators can choose which transactions to include in their blocks. This explains the difference between the two exchanges, with Kraken choosing to exclude transactions like Sunil's Tornado Cash deposit, while Coinbase includes all transactions related to Tornado Cash in its proposed blocks, earning the associated transaction fees in the process.

In summary, Coinbase operates its exchange in a manner compliant with OFAC regulations, but its validation services operate differently from Kraken. Next, we need to add another important part to the story. What does OFAC need to do?

OFAC is Searching for Answers

For those unfamiliar with how the U.S. sanctions mechanism works, a significant part of OFAC's job is to blacklist foreign individuals and organizations deemed to undermine U.S. national security or foreign policy objectives. These blacklisted entities are referred to as SDNs (specially designated nationals). U.S. citizens and companies cannot deal with SDNs without a license.

OFAC also implements comprehensive sanctions. These measures prevent U.S. individuals or businesses from interacting with countries like Iran.

OFAC discloses a range of useful information about each designated individual or entity, including the SDN's name, aliases, addresses, nationality, passport, tax ID, place of birth, and date of birth. U.S. individuals and companies should take steps to check this information against every counterparty they transact with to ensure they are not dealing with an SDN. They must also be aware of U.S. comprehensive sanctions to avoid inadvertently interacting with entire sanctioned groups, such as all Iranians, as failing to comply with these regulations can lead to fines or imprisonment.

While Coinbase seems to have chosen to ignore OFAC's requirements in its validation services, Kraken has not and has incorporated the SDN list into the internal logic of its validation services. However, Kraken has only done this in a limited way, as I will show below.

Five years ago, OFAC began including known cryptocurrency addresses of SDNs in its SDN data array. To date, OFAC has released about 600 cryptocurrency wallet addresses, including around 150 Ethereum addresses, a significant portion of which are related to Tornado Cash. Kraken uses this list of 150 addresses as a basis for excluding certain transactions from blocks.

Among members of the cryptocurrency community, this behavior is sometimes described as creating "OFAC-compliant blocks." Crypto theorists argue that it undermines the core values of Ethereum's openness and resistance to censorship. While Kraken's approach may seem like a compliant method for proposing blocks, that is not the case.

OFAC-Compliant Blocks

Currently, Kraken's block validation process only clears transactions involving about 150 Ethereum wallets explicitly mentioned by OFAC, including Tornado Cash addresses. However, many SDNs associated with these 150 wallets may have already adjusted by acquiring new wallets. Kraken has not taken any steps to identify what these new wallets are, so it is almost certain that it will process these SDN transactions in its blocks. This would violate OFAC policy.

There are about 12,000 SDNs on OFAC's list, most of which have not been explicitly linked to specific Ethereum wallets by OFAC. But that does not mean these entities do not have such wallets. To achieve compliance, Kraken needs to scan the entire list of 12,000 SDNs and verify that none are included in Kraken blocks. Similarly, it appears that it has not done this.

Compliance with OFAC is not just about cross-checking the SDN list. Remember, OFAC also imposes comprehensive sanctions on countries like Iran, prohibiting any U.S. entity from dealing with ordinary Iranians. Since Kraken's proposed blocks only exclude about 150 Ethereum addresses mentioned by OFAC, it is almost certain that it will allow transactions from Iranians to enter its proposed blocks. This is ironic, as the violation for which Kraken was penalized last year was allowing Iranians to use its trading platform. Clearly, Kraken has developed one policy regarding Iran for its exchange and another for its block proposal service.

Coinbase's complete disregard for OFAC's policies now makes more sense. Perhaps not complying at all and retaining the claim that sanctions laws do not apply to validation is better than insufficient compliance while defaulting to OFAC's jurisdiction over validation. As part of this strategy, Coinbase may attempt to argue that validation is not a financial service but rather a "transmission of informational materials," which is not subject to sanctions laws.

After beginning to move toward compliance, the only way for Kraken's validation business to come close to full compliance with sanction laws is to adopt the same exhaustive processes that its own cryptocurrency exchange complies with. This means painstakingly collecting and verifying IDs of all potential traders, cross-checking against OFAC's requirements, and only proposing blocks consisting of transactions approved by an internal address list going forward. By adopting this comprehensive approach to validating transactions, Kraken would now be closer to compliance. For OFAC, its awkward situation would be alleviated.

OFAC Policy Decisions Are Not Simple

However, this approach has its downsides. For Kraken, the cost of validating IDs for block inclusion purposes is high. I suspect the company may be forced to stop offering validation services. Even if Kraken and Coinbase launch KYC processes that comply with OFAC requirements to assemble blocks, most Ethereum transactions may flow to offshore validators that do not check IDs because they are unregulated and not required to comply with OFAC policies.

Thus, the transactions that OFAC wants to prevent will still occur.

Complicating matters, by shifting validation outside U.S. territory, U.S. national security agencies will destroy the nascent "U.S. Ethereum nexus," which they could have used as a tool to project American power abroad. If you're curious what this means, consider how New York currently leverages its relationships with New York correspondent banks to implement U.S. overseas policy. The Ethereum network based in San Francisco would be its crypto version, provided it is not expelled.

To prevent validation from occurring in other regions outside the U.S., the government could combine the requirement for domestic block validators to implement KYC with a second requirement that all U.S. individuals and companies submit all Ethereum transactions to compliant validators. This would bring U.S. Ethereum transactions back to domestic soil and into the arms of Coinbase and Kraken.

But this is a complex chess game, and you can understand why OFAC has been hesitant.

On the other hand, OFAC cannot stall forever. Certainly, cryptocurrency is still niche. But OFAC is an agency with a democratic mandate to enforce laws, and those laws are clearly being violated. It cannot "play neglect." Sanctions are a matter of national security, which adds urgency to the issue.

One option is for OFAC to provide U.S. blockchain validators with explicit sanctions law exceptions in the form of special licenses. But this raises questions of technological neutrality and equal treatment under the law. Why should Coinbase and Kraken be allowed to accept sanctioned participants into their financial networks while other network operators like Visa or American Express cannot enjoy the same exemptions?

This is not just a fairness issue. By stripping the blockchain, OFAC may inadvertently stimulate the financial industry to shift toward blockchain-based validation, as this has become the least regulated and therefore cheapest technological solution for deploying various financial services. By then, OFAC will find itself managing much less, as a significant portion of funds will now be located within OFAC-designated areas.

I do not envy OFAC officials. They have a tough decision to make. Meanwhile, Coinbase continues to process Tornado Cash transactions every hour.