Cyber-related Sanctions

Cyber-related Sanctions

1079

Answer

For transactions involving Tornado Cash that were initiated prior to its designation on August 8, 2022 but not completed by the date of designation, U.S. persons or persons conducting transactions within U.S. jurisdiction may request a specific license from OFAC to engage in transactions involving the subject virtual currency.  U.S. persons should be prepared to provide, at a minimum, all relevant information regarding these transactions with Tornado Cash, including the wallet addresses for the remitter and beneficiary, transaction hashes, the date and time of the transaction(s), as well as the amount(s) of virtual currency.  OFAC would have a favorable licensing policy towards such applications, provided that the transaction did not involve other sanctionable conduct.

In order to apply for a specific license to complete a transaction or withdraw virtual currency involving Tornado Cash that was deposited prior to its designation, or to engage in other transactions or dealings with Tornado Cash, you are encouraged to file a licensing request by visiting the following link: https://home.treasury.gov/policy-issues/financial-sanctions/ofac-license-application-page.

Date Released
September 13, 2022

1078

Answer

OFAC is aware of reports following the designation of Tornado Cash that certain U.S. persons may have received unsolicited and nominal amounts of virtual currency or other virtual assets from Tornado Cash, a practice commonly referred to as “dusting.”  Technically, OFAC’s regulations would apply to these transactions.  To the extent, however, these “dusting” transactions have no other sanctions nexus besides Tornado Cash, OFAC will not prioritize enforcement against the delayed receipt of initial blocking reports and subsequent annual reports of blocked property from such U.S. persons.

For guidance related to filing an initial and annual report of blocked property, please see FAQs 49, 50, and 646, respectively, and 31 C.F.R. § 501.603.  Please note that the annual filing requirement for 2022 applies only to persons holding blocked property as of June 30 of this year.

Date Released
September 13, 2022

1077

Answer

No.  U.S. persons are prohibited from engaging in transactions involving Tornado Cash, including through the virtual currency wallet addresses that OFAC has identified.  If U.S. persons were to initiate or otherwise engage in a transaction with Tornado Cash, including or through one of its wallet addresses, such a transaction would violate U.S. sanctions prohibitions, unless exempt or authorized by OFAC.

Date Released
September 13, 2022

1076

Answer

On August 8, 2022, OFAC designated the entity Tornado Cash for facilitating the laundering of proceeds of cybercrimes, including those committed by the Lazarus Group, a North Korea state-sponsored hacking group that was sanctioned in 2019.  As described in FAQs 561 and 562, OFAC may include as identifiers on the Specially Designated Nationals and Blocked Persons List (SDN List) specific virtual currency wallet addresses associated with blocked persons.  As part of the SDN List entry for Tornado Cash, OFAC included as identifiers certain virtual currency wallet addresses associated with Tornado Cash, as well as the URL address for Tornado Cash’s website.  The Tornado Cash website has since been deleted from the Internet, but it currently remains available through certain Internet archives.

While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited.  For example, U.S. persons would not be prohibited by U.S. sanctions regulations from copying the open-source code and making it available online for others to view, as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts.  Similarly, U.S. persons would not be prohibited by U.S. sanctions regulations from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet.

Date Released
September 13, 2022

452

Answer

As with all financial sanctions programs Treasury administers, these measures will be implemented in accordance with domestic law and our international obligations.

Date Released
April 1, 2015

489

Answer

No. This authority does not target American whistleblower activity or constitutionally protected activity. The E.O. defines misappropriation to be the “taking or obtaining by improper means, without permission or consent, or under false pretenses.” Importantly, to be eligible for sanctions under this provision, an individual or entity must not only “misappropriate” information, but it must also do so with the purpose or effect of interfering with or undermining election processes or institutions.

Date Released
December 29, 2016

451

Answer

The United States’ whole-of-government strategy to combat cyber threats draws from a broad range of tools and authorities to respond to the growing and evolving threat posed by malicious cyber actors. Similar to our approach to global threats from terrorists, narcotics traffickers, and transnational criminal organizations, we will use financial sanctions in the fight against malicious cyber actors as a complement to existing tools, including diplomatic outreach and law enforcement authorities.

Date Released
April 1, 2015

450

Answer

No. These sanctions are designed to target those actors whose malicious cyber-enabled conduct is reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. These measures are not intended to target victims of such activities, including the unwitting owners of compromised computers.

For more information about best practices for securing home networks and engaging in responsible online behavior, visit the Federal Trade Commission’s website at OnGuardOnline.gov.

Date Released
April 1, 2015

449

Answer

The measures in this order are designed to address the threat posed by individuals and entities engaged in significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms. These measures are not designed to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage.

Date Released
April 1, 2015

448

Answer

The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors.

Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events

Date Released
April 1, 2015